CN110958245A - Attack detection method, device, equipment and storage medium - Google Patents


Info

Publication number: CN110958245A
Authority: CN (China)
Prior art keywords: historical, increment, communication, traffic, data packet
Legal status: Granted (Active)
Application number: CN201911205648.1A
Other languages: Chinese (zh)
Other versions: CN110958245B (en)
Inventor: 张亮
Current Assignee: Bigo Technology Pte Ltd
Original Assignee: Guangzhou Baiguoyuan Information Technology Co Ltd
Application filed by Guangzhou Baiguoyuan Information Technology Co Ltd; priority to CN201911205648.1A; published as CN110958245A, granted and published as CN110958245B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a method, a device, equipment and a storage medium for detecting attacks. The method comprises the following steps: determining a current communication increment and a historical communication increment according to an intranet communication data packet of target network equipment; and if the current communication increment and the historical communication increment are both larger than the increment threshold, determining that the target network equipment is under a distributed denial of service attack. According to the technical scheme of the embodiment of the invention, network attack detection across internet data centers is realized by analyzing and counting the intranet communication data packets; basing the decision on both the current communication increment and the historical communication increment avoids raising a false alarm for a distributed denial of service attack merely because the data packets grow rapidly, reduces the false alarm rate of network attack detection, and improves the attack detection accuracy.

Description

Attack detection method, device, equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method, a device, equipment and a storage medium for detecting attacks.
Background
With the development of the economy and of science and technology, computer network technology is widely applied in many fields, and the data in information systems becomes more and more important. The computer networks connected to these information systems are publicly exposed, are easy to attack and damage, and threaten the security of the information systems, so people have put forward higher requirements on the security of computer networks. In the field of computer network security, a Distributed Denial of Service (DDoS) attack may occupy the network bandwidth or system resources of an information system, which may result in abnormal operation of the information system.
In the prior art, a DDoS attack detection method uses a dynamic threshold for detection: the current total traffic of a network is compared with the total traffic at a certain historical moment, and whether a DDoS attack occurs is determined according to the comparison result. However, in the case of traffic crossing internet data centers, referring to fig. 1, a first internet data center 111 and a second internet data center 112 are two different internet data centers; data transmission and synchronization between the internet data centers requires sending a large amount of data, which may cause a rapid increase in data traffic. When an attacker 110 performs a distributed denial of service attack on the internet data centers, a large number of attack data packets are sent, which also causes a rapid increase in the traffic received by the internet data centers.
Disclosure of Invention
The invention provides a method, a device, equipment and a storage medium for detecting an attack, which are used for realizing accurate detection of the attack and reducing the false alarm rate of a distributed denial of service attack.
In a first aspect, an embodiment of the present invention provides an attack detection method, where the method includes:
determining a current communication increment and a historical communication increment according to an intranet communication data packet of target network equipment;
and if the current communication increment and the historical communication increment are larger than the increment threshold, determining that the target network equipment is attacked by the distributed denial of service.
In a second aspect, an embodiment of the present invention further provides an attack detection apparatus, where the apparatus includes:
the increment determining module is used for determining a current communication increment and a historical communication increment according to an intranet communication data packet of the target network equipment;
and the attack determining module is used for determining that the target network equipment suffers from the distributed denial of service attack if the current communication increment and the historical communication increment are larger than the increment threshold.
In a third aspect, an embodiment of the present invention further provides an apparatus, where the apparatus includes:
one or more processors;
a memory for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the attack detection method according to any one of the embodiments of the present invention.
In a fourth aspect, the embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the attack detection method according to any one of the embodiments of the present invention.
According to the technical scheme of the embodiment of the invention, the current communication increment and the historical communication increment are determined according to the intranet communication data packet of the target network equipment, and if the current communication increment and the historical communication increment are larger than the increment threshold, the target equipment is determined to be attacked by the distributed denial of service. The communication traffic of target network equipment is obtained through statistical analysis of the intranet data packet, attack detection under the condition of crossing the internet data center is achieved, the problem that the communication data packet of the crossing internet data center is mistakenly detected as network attack due to rapid growth of the communication data packet is solved through current communication increment and historical communication increment, and the false alarm rate of distributed denial of service attack can be reduced.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments made with reference to the following drawings:
FIG. 1 is an exemplary diagram of a distributed denial of service attack across Internet data centers in the prior art;
fig. 2 is a scene architecture diagram of a method for detecting an attack according to an embodiment of the present invention;
fig. 3 is a flowchart of a method for detecting an attack according to an embodiment of the present invention;
fig. 4 is a flowchart of a method for detecting an attack according to a second embodiment of the present invention;
fig. 5 is a diagram illustrating an example of a data packet analysis according to a second embodiment of the present invention;
fig. 6 is a schematic structural diagram of a hash table according to a second embodiment of the present invention;
fig. 7 is a schematic structural diagram of an attack detection apparatus according to a third embodiment of the present invention;
fig. 8 is a schematic structural diagram of an apparatus according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be noted that, for convenience of description, only a part of the structures related to the present invention, not all of the structures, are shown in the drawings, and furthermore, embodiments of the present invention and features of the embodiments may be combined with each other without conflict.
Most enterprises today have multiple internet data centers, located in different provinces and cities, and the internet data centers exchange data with one another. In this case, when the amount of data exchanged between internet data centers suddenly increases, network attack detection very easily misjudges it as a distributed denial of service attack, resulting in false alarms.
In order to reduce the false alarm rate, an embodiment of the present invention provides an attack detection method. Fig. 2 is a scene architecture diagram of the attack detection method provided in the embodiment of the present invention. Referring to fig. 2, the scene framework may include a network 10 and an internet data center 14, where the internet data center includes a network device 11 and an intranet server device 12, and the internet data center 14 may perform network attack detection on the network device 11 through an attack detection 13. The network 10 may include an external network and other internet data centers. When the network 10 sends data packets to the network device 11, the attack detection 13 may divide the data packets into intranet communication data packets and extranet communication data packets, detect a network attack according to the intranet communication data packets, and so solve the false alarm problem caused by a sudden traffic increase in the case of crossing internet data centers.
Example one
Fig. 3 is a flowchart of an attack detection method according to an embodiment of the present invention. The present embodiment is applicable to distributed denial of service attack detection across internet data centers; the method may be executed by an attack detection apparatus according to an embodiment of the present invention, and the apparatus may be implemented in hardware and/or software. Referring to fig. 3, the method of an embodiment of the invention includes:
step 101, determining a current communication increment and a historical communication increment according to an intranet communication data packet of target network equipment.
The target network device may be a gateway device of an internet data center, and may be configured to receive a data packet sent through a network, where the data packet may include a data packet sent by an external network and a service data packet sent by an internal network, and the received data packet of the target network device may be forwarded to a server of the internal network.
An intranet communication data packet may be a data packet whose receiver and sender are both internal servers, and such packets may be used for data exchange between different internet data centers. Further, after an attack data packet for a distributed denial of service attack is disguised, the destination address and source address of the attack data packet may also be intranet addresses, in which case the attack data packet is also treated as an intranet communication data packet.
Specifically, the current communication increment and the historical communication increment may be statistics obtained from the intranet communication data packets, representing the increase of intranet communication data packets at the current time and the increase of intranet communication data packets compared with a historical time, respectively. The current communication increment and the historical communication increment may be obtained by counting attribute information of the intranet communication data packets, and may be determined, for example, from information such as the packet number and packet length of the intranet communication data packets. In the embodiment of the invention, the intranet communication data packets received by the target network equipment may be obtained, and their attribute information counted, to determine the current communication increment and the historical communication increment.
And 102, if the current communication increment and the historical communication increment are larger than the increment threshold, determining that the target network equipment suffers from the distributed denial of service attack.
The increment threshold may be a preset threshold, and the increment threshold values corresponding to the current communication increment and the historical communication increment may differ.
In the embodiment of the invention, the current communication increment and the historical communication increment may each be compared with their increment threshold, and only when the current communication increment is larger than its increment threshold and the historical communication increment is larger than its increment threshold is the target network equipment determined to be under a distributed denial of service attack. For example, if the current communication increment is greater than its increment threshold but the historical communication increment is not, this may indicate that the increase in intranet communication data packets of the internet data center compared with the historical time is within a reasonable range, which may be a sudden increase in data packets caused by a newly added service; in this case the internet data center is not considered to be under a distributed denial of service attack, and the false alarm rate of attack detection may be reduced.
According to the technical scheme of the embodiment of the invention, the current communication increment and the historical communication increment are determined through analysis and statistics of the intranet data packets of the target network equipment, and when both the current communication increment and the historical communication increment are larger than the increment threshold, the target network equipment may be determined to be under a distributed denial of service attack. This realizes network attack detection across internet data centers; through the statistical analysis of the intranet communication data packets, a sudden increase in normal intranet data packets is prevented from being misjudged as a distributed denial of service attack, the false alarm rate of attack detection may be reduced, and the detection accuracy is improved.
Example two
Fig. 4 is a flowchart of an attack detection method provided in the second embodiment of the present invention. The second embodiment is applicable to an apparatus in an internet data center and is a refinement of the foregoing embodiment. Referring to fig. 4, the method in the second embodiment of the present invention includes:
step 201, obtaining a network data packet of a target network device through a bypass, wherein the network data packet with a destination address and a source address as internal addresses is an intranet communication data packet.
A network data packet may be a data packet received by the target network device, and may be used for data transmission and synchronization between internet data centers. Network data packets may include Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP) and similar data packets. Network data packets may be divided into external communication data packets and intranet communication data packets according to whether the sender and the receiver are devices in the internet data center; an external communication data packet is a data packet received by the target network device whose sender or receiver is not a device in the internet data center.
Specifically, the intranet addresses may be the network addresses of the devices in the internet data center, and may include the network addresses of devices in different internet data centers. The target network device may be configured in bypass mode, and port mirroring may be configured for the target network device so that the network data packets it receives can be obtained through a port; the destination address and source address of each network data packet can then be extracted, and a network data packet whose destination address and source address are both intranet addresses is marked as an intranet communication data packet.
Step 202, network data packets with destination addresses or source addresses not being internal addresses are discarded.
The discarding may refer to not processing the network packet, and may not process the network packet whose source address or destination address is not an internal address.
In the embodiment of the invention, the network data packet may be analyzed to obtain its destination address and source address, it may be judged whether the destination address and the source address are internal addresses, and if the destination address or the source address is not an internal address, the network data packet may be discarded. For example, fig. 5 is an exemplary diagram of a data packet analysis provided in the second embodiment of the present invention; referring to fig. 5, the destination address may be obtained by performing layer-two protocol analysis on the network data packet and it is determined whether the destination address is an internal address; if the destination address is not an internal address, the network data packet may be discarded. If the destination address is an internal address, the network data packet may be subjected to layer-three analysis to obtain the source address, it is judged whether the source address is an internal address, and if the source address is not an internal address, the network data packet may be discarded.
Further, the internal address is stored in a hash table; the internal address in the hash table is hashed in advance into an index form.
The hash table may be a storage table generated by hashing according to the internal address, the internal address stored in the hash table may be subjected to hash processing, and each hash result may correspond to one internal address.
Specifically, when the internal address is stored in the hash table, the manner of determining whether the destination address and the source address of the network data packet are the internal address may be implemented by performing hash processing on the destination address and the source address, and the internal address may be searched at a corresponding position of the hash table according to a hash result of the destination address and the source address, so that the speed of searching the internal address may be increased, the speed of determining the destination address and the source address of the network data packet may be increased, and the speed of detecting the network attack may be increased. For example, fig. 6 is a schematic structural diagram of a hash table according to a second embodiment of the present invention, referring to fig. 6, the hash table may include a hash result sequence 21 and an internal address 22 stored in association with the hash result sequence, when it is determined whether a destination address and a source address are internal addresses, a hash result may be generated by performing a hash operation on the destination address and the source address, the associated internal address 22 may be searched in the hash result sequence 21 according to the hash result, if a network address of the internal address 22 is the same as the destination address or the source address, the corresponding destination address or the source address is the internal address, otherwise, the destination address and the source address are not the internal address.
And 203, discarding the intranet communication data packet when detecting that the format of the intranet communication data packet is illegal.
The format may be a data packet format specified by a general network transmission protocol, and may include a data packet format specified by a protocol such as TCP, UDP, ICMP, and the like.
Specifically, the intranet communication data packet may be analyzed to obtain its packet header information, the packet header information may be compared with the preset network transmission protocol format, and if the packet header information does not match the preset network transmission protocol format, it may be determined that the format of the intranet communication data packet is illegal, and the intranet communication data packet may be discarded.
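As an added illustration of steps 201 to 203 (example code, not the patent's own), the following Python classifier parses constructed IPv4 packets, rejects headers that do not match the protocol format, and keeps only packets whose destination and source addresses are both in a hypothetical intranet address set; both addresses are read from the IPv4 header here, and the set plays the role of the hash table of internal addresses.

```python
import socket
import struct
from typing import Optional, Tuple

# Constructed intranet address set (hypothetical hosts in two data centers).
# A Python set is a hash table: membership hashes the address and probes the
# table, which is the lookup the page describes for its hash table of internal addresses.
INTERNAL_ADDRESSES = frozenset({
    "10.1.0.5", "10.1.0.6",   # devices in a first internet data center
    "10.2.0.5", "10.2.0.6",   # devices in a second internet data center
})

IPV4_HEADER = "!BBHHHBBH4s4s"            # 20-byte fixed header, no options
ALLOWED_PROTOCOLS = {1, 6, 17}           # ICMP, TCP, UDP as named on the page


def build_ipv4_packet(src: str, dst: str, proto: int = 6, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet as constructed test input (checksum left zero)."""
    ihl = 5
    header = struct.pack(IPV4_HEADER, (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(packet: bytes) -> Optional[Tuple[str, str, int]]:
    """Step 203 format check: return (src, dst, proto), or None for an illegal header."""
    if len(packet) < 20:
        return None
    (version_ihl, _, total_length, _, _, _, proto, _,
     src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    version, ihl = version_ihl >> 4, (version_ihl & 0x0F) * 4
    # Version, header length and total length must be consistent with the bytes seen.
    if version != 4 or ihl < 20 or total_length < ihl or len(packet) < total_length:
        return None
    if proto not in ALLOWED_PROTOCOLS:
        return None
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto


def classify(packet: bytes) -> Optional[Tuple[str, str]]:
    """Steps 201-203: keep a packet only if well-formed with internal dst AND src.

    Returns (src, dst) for an intranet communication packet, None when discarded.
    The destination is checked first, as in fig. 5, so most extranet packets are
    dropped after a single lookup.
    """
    parsed = parse_ipv4(packet)
    if parsed is None:
        return None                       # step 203: illegal format
    src, dst, _ = parsed
    if dst not in INTERNAL_ADDRESSES:
        return None                       # step 202: destination not internal
    if src not in INTERNAL_ADDRESSES:
        return None                       # step 202: source not internal
    return src, dst
```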
And step 204, acquiring the destination address of each intranet communication data packet, and counting the attribute information of the intranet communication data packet according to the destination address to generate communication traffic.
The attribute information may be information such as the packet length and packet number of the intranet communication data packets. The traffic amount reflects the total amount of data received by the target network device and may be determined by counting the attribute information of the intranet communication data packets; for example, the number of intranet communication data packets received by the target network device over a period of time, or their data amount, may be counted as the traffic amount.
In the embodiment of the present invention, the communication traffic corresponding to different destination addresses may be counted, the intranet communication packets may be classified according to the destination addresses, the communication traffic of the target network device determined by the intranet communication packets in each classification may be counted, the determined communication traffic may be used as the communication traffic corresponding to each destination address, for example, the intranet communication packets having the same destination address may be counted, and attribute information such as the total number and the total data volume of the intranet communication packets may be used as the communication traffic corresponding to the destination addresses.
And step 205, acquiring a first historical traffic volume before a first period of each destination address and a second historical traffic volume before a second period of each destination address.
The first period may be a time period of short length, such as one minute or one second, and the first historical traffic may be the traffic of the target network device that short time earlier. The second period may be a time period of long length, and the second historical traffic may be the traffic of the target network device that long time earlier, for example the traffic of the target network device 12 hours or 24 hours earlier.
Specifically, historical traffic may be stored in association with each destination address, and the first historical traffic amount before the first period and the second historical traffic amount before the second period may be obtained for each destination address.
Further, the time length of the second period is greater than the time length of the first period.
In the embodiment of the present invention, in order to improve the detection accuracy, the time length of the second period may be set longer than that of the first period; the second period may be longer than 12 hours or 24 hours, and the first period may be set shorter than 1 minute or 1 second. The longer the time length of the second period, the better the historical communication situation may be reflected, and the shorter the time length of the first period, the better the current communication situation may be reflected.
And step 206, determining a current communication increment according to the communication volume and the first historical communication volume and determining a historical communication increment according to the communication volume and the second historical communication volume aiming at each destination address.
The current communication increment may be the difference between the current data communication amount of the target network device and the data communication amount a short time before, and may reflect the variation of the current data communication amount of the target network device; the historical communication increment may be the difference between the data communication amount of the target network device and the data communication amount a long time before, and may reflect the variation of the data communication amount relative to the normal state of the target network device.
Specifically, the current communication increment and the historical communication increment may be determined according to the traffic volume corresponding to the destination address, the first historical traffic volume, and the second historical traffic volume, respectively, and for example, the difference between the first historical traffic volume and the traffic volume may be used as the current communication increment, and the difference between the second historical traffic volume and the traffic volume may be used as the historical communication increment.
And step 207, if the current communication increment is larger than the current increment threshold value and the historical communication increment is larger than the historical increment threshold value, determining that the target network equipment suffers from the distributed denial of service attack.
The data communication amount of each device in the internet data center can be different due to different operation services, the destination addresses of different devices for receiving the intranet communication data packet can be different, different increment thresholds can be set for each device, the increment thresholds can be stored in association with the destination addresses, the increment thresholds can include a current increment threshold and a historical increment threshold, and the values of the current increment threshold and the historical increment threshold can be different.
Specifically, the corresponding increment thresholds may be respectively obtained according to the destination addresses, the current communication increment and the historical communication increment corresponding to the destination addresses may be respectively compared with the current increment threshold and the historical increment threshold in the increment thresholds, when the current communication increment is greater than the current increment threshold and the historical communication increment is greater than the historical increment threshold, it may be determined that the target network device is under a distributed denial of service attack, and if the current communication increment is less than the current increment threshold or the historical communication increment is less than the historical increment threshold, the target network device may be considered to be operating normally.
Step 208, storing the traffic to the first history storage space.
The first history storage space may be a storage space for storing traffic, and may be allocated in advance before use.
Specifically, traffic of the target network device may be stored in the first history storage space for a period of time, for example, the acquired traffic may be stored in the first history storage space every 1 second, the first history storage space may be fixed in size, and when the first history storage space is full, the traffic that is first stored in the first history storage space may be replaced with new traffic.
And step 209, determining the average traffic volume in the current first period when the current first period is ended, and storing the average traffic volume in the second historical storage space.
The average traffic volume may be a ratio of the traffic volume within the first period length to the first period length, and may be an average traffic volume when the target network device performs data communication during the first period.
In the embodiment of the invention, the average traffic volume over the current first period may be calculated at the end of every first period and stored in the second history storage space, so the traffic volumes stored in the second history storage space are the average traffic volumes of first periods. The size of the second history storage space is a fixed value, and when the second history storage space is full, the average traffic volume stored first in the second history storage space is replaced by the new average traffic volume.
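The increment check of steps 101 to 102 and 204 to 209, as an added Python example that is not the patent's own code: per-destination thresholds, a fixed-size first history space of per-second traffic, a fixed-size second history space of first-period averages, and the two differences compared against their thresholds. The period lengths, thresholds and traffic traces are constructed and far shorter than the 1 minute / 24 hours the page suggests, so the traces stay small.

```python
from collections import deque
from typing import Deque, Dict, List, Optional


class DestinationState:
    """Counters, thresholds and history kept for one destination address."""

    def __init__(self, current_threshold: int, historical_threshold: int,
                 first_period: int, second_period: int) -> None:
        # Step 207: thresholds are stored per destination and may differ.
        self.current_threshold = current_threshold
        self.historical_threshold = historical_threshold
        self.first_period = first_period        # first period, in 1-second samples
        self.second_period = second_period      # second period, in first-period averages
        # Step 208: first history storage space, fixed size, oldest sample replaced.
        self.samples: Deque[int] = deque(maxlen=first_period)
        # Step 209: second history storage space, fixed size, oldest average replaced.
        self.averages: Deque[float] = deque(maxlen=second_period)
        self.current = 0     # traffic (bytes) counted in the open 1-second window
        self.ticks = 0       # seconds elapsed in the current first period


class IncrementDetector:
    """Two-increment DDoS check of steps 204-209 over intranet packets."""

    def __init__(self) -> None:
        self.destinations: Dict[str, DestinationState] = {}

    def register(self, dst: str, current_threshold: int, historical_threshold: int,
                 first_period: int = 60, second_period: int = 24 * 60) -> None:
        self.destinations[dst] = DestinationState(
            current_threshold, historical_threshold, first_period, second_period)

    def count_packet(self, dst: str, packet_length: int) -> None:
        """Step 204: accumulate the attribute information (packet length) per destination."""
        state = self.destinations.get(dst)
        if state is not None:          # unknown destinations are not tracked
            state.current += packet_length

    def end_second(self, dst: str) -> Optional[bool]:
        """Close the current 1-second window for dst.

        Returns True when the window is judged a DDoS attack, False when normal,
        and None while the history spaces are not yet full.
        """
        state = self.destinations[dst]
        traffic = state.current
        verdict = self._check(state, traffic)
        state.samples.append(traffic)                      # step 208
        state.ticks += 1
        if state.ticks == state.first_period:              # step 209
            state.averages.append(sum(state.samples) / state.first_period)
            state.ticks = 0
        state.current = 0
        return verdict

    @staticmethod
    def _check(state: DestinationState, traffic: int) -> Optional[bool]:
        # Step 205: the first historical traffic is the sample one first period ago,
        # the second historical traffic is the average one second period ago.
        if (len(state.samples) < state.first_period
                or len(state.averages) < state.second_period):
            return None
        first_history = state.samples[0]
        second_history = state.averages[0]
        # Step 206: the two increments are plain differences against each history.
        current_increment = traffic - first_history
        historical_increment = traffic - second_history
        # Step 207: both increments must exceed their own threshold.
        return (current_increment > state.current_threshold
                and historical_increment > state.historical_threshold)


def run_trace(detector: IncrementDetector, dst: str,
              bytes_per_second: List[int]) -> List[Optional[bool]]:
    """Feed a constructed per-second traffic trace and collect the verdicts."""
    verdicts: List[Optional[bool]] = []
    for total in bytes_per_second:
        detector.count_packet(dst, total)
        verdicts.append(detector.end_second(dst))
    return verdicts


def sync_job_trace() -> List[Optional[bool]]:
    """Cross-IDC sync that also ran one second period ago: current increment large, historical not."""
    det = IncrementDetector()
    det.register("10.2.0.5", current_threshold=100, historical_threshold=100,
                 first_period=3, second_period=4)
    return run_trace(det, "10.2.0.5", [200] * 3 + [50] * 9 + [200] * 4)


def attack_trace() -> List[Optional[bool]]:
    """Burst with no precedent in either history: both increments exceed their thresholds."""
    det = IncrementDetector()
    det.register("10.2.0.5", current_threshold=100, historical_threshold=100,
                 first_period=3, second_period=4)
    return run_trace(det, "10.2.0.5", [50] * 12 + [200] * 4)
```

The last verdict of attack_trace shows a property of the increment test as the page describes it: once a burst has lasted one whole first period it is also the first historical traffic, so the caller must latch the alarm state if it should persist.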
The technical scheme of the embodiment of the invention includes: obtaining network data packets of the target network device through a bypass; treating a network data packet whose destination address and source address are both internal addresses as an intranet communication data packet and discarding a network data packet whose destination address or source address is not an internal address; performing format detection on the intranet communication data packets and discarding those with an illegal format; counting attribute information of the intranet communication data packets per destination address to generate a traffic volume; obtaining, for the destination address, the first historical traffic volume before the first period and the second historical traffic volume before the second period; determining a current communication increment from the traffic volume and the first historical traffic volume and a historical communication increment from the traffic volume and the second historical traffic volume; determining that the target network device is under a distributed denial of service attack when the current communication increment is larger than the current increment threshold and the historical communication increment is larger than the historical increment threshold; and storing the traffic volume in a first history storage space and the average traffic volume of the first period in a second history storage space. Because the current communication increment and the historical communication increment of the target network device are determined from intranet communication data packets, the probability that a normal communication condition is mistaken for a network attack is reduced; because the increment thresholds are associated with the destination address, the thresholds used to judge a network attack are more flexible, and the accuracy of network attack detection is improved.
For example, if the first cycle index is i, the second cycle index is j, the packet number array is P, the traffic array is B, the current first cycle traffic is B, and the current packet number is P, the current communication increment may be represented as ΔB = B − B[i−1] or ΔP = P − P[i−1], and the historical communication increment may be represented as ΔB = B − B[j−1] or ΔP = P − P[j−1].
Further, on the basis of the above embodiment of the present invention, the determining, by the intranet communication data packet, the traffic volume including a total packet number and/or a total packet length, and accordingly determining the current communication increment according to the traffic volume and the first historical traffic volume, and determining the historical communication increment according to the traffic volume and the second historical traffic volume includes: determining the difference between the total packet number and the first historical total packet number and/or the difference between the total packet length and the first historical total packet length as the current communication increment; and determining the difference between the total packet number and the second historical total packet number and/or the difference between the total packet length and the second historical total packet length as the historical communication increment.
The total packet number can be the total number of intranet communication data packets obtained by the target network device; the total packet length can be the sum of the lengths of the intranet communication data packets obtained by the target network device and represents the total data volume received by the target network device; the first historical total packet number can be the number of intranet communication data packets obtained by the target network device before the first period; and the first historical total packet length can be the total data volume of the intranet communication data packets obtained by the target network device before the first period.
Specifically, the total number of intranet communication data packets received by the target network device may be counted; the difference between the total packet number and the first historical total packet number may be used as the current communication increment, and the difference between the total packet number and the second historical total packet number as the historical communication increment; likewise, the difference between the total packet length and the first historical total packet length may be used as the current communication increment, and the difference between the total packet length and the second historical total packet length as the historical communication increment. When the total packet number is used as the traffic volume of the target network device, a DDoS attack in which each attack data packet carries little data but the number of attack data packets is large can be detected; when the total packet length is used as the traffic volume, a DDoS attack in which the number of attack data packets is small but their data volume is large can be detected. For example, if the first cycle index is i, the second cycle index is j, the packet number array is P, the traffic array is B, the current first cycle traffic is B, and the current packet number is P, then the current communication increment may be represented as ΔB = (B − B[i−1]) / B[i−1] or ΔP = (P − P[i−1]) / P[i−1], and the historical communication increment may be represented as ΔB = (B − B[j−1]) / B[j−1] or ΔP = (P − P[j−1]) / P[j−1].
Further, on the basis of the above embodiment of the present invention, the determining, by the intranet communication data packet, the communication traffic including a total packet number and/or a total packet length, and accordingly determining a current communication increment according to the communication traffic and the first historical communication traffic, and determining a historical communication increment according to the communication traffic and the second historical communication traffic includes: determining the ratio of the difference between the total packet number and the first historical total packet number to the first historical total packet number and/or the ratio of the difference between the total packet length and the first historical total packet length to the first historical total packet length as the current communication increment; and determining the ratio of the difference between the total packet number and the second historical total packet number to the second historical total packet number, and/or the ratio of the difference between the total packet length and the second historical total packet length to the second historical total packet length as the historical communication increment.
In the embodiment of the present invention, the increase ratio of the traffic volume relative to the first historical traffic volume may be calculated as the current communication increment, and the increase ratio of the traffic volume relative to the second historical traffic volume as the historical communication increment: the ratio of the difference between the total packet number and the first historical total packet number to the first historical total packet number may be the current communication increment, and the ratio of the difference between the total packet number and the second historical total packet number to the second historical total packet number may be the historical communication increment. Instead of, or in addition to, the total packet number, the total packet length of the intranet communication data packets received by the target network device can be used as the traffic volume; correspondingly, the ratio of the difference between the total packet length and the first historical total packet length to the first historical total packet length is determined as the current communication increment, and the ratio of the difference between the total packet length and the second historical total packet length to the second historical total packet length as the historical communication increment.
Further, on the basis of the above embodiment of the present invention, the data structures of the first history storage space and the second history storage space are arrays, the lengths of the arrays are the first storage quantity and the second storage quantity respectively, and the first storage quantity and the second storage quantity are fixed values.
Specifically, the data structures of the first history storage space storing the first historical traffic and the second history storage space storing the second historical traffic may be arrays, and space may be requested for both when storage of the first and second traffic begins. The traffic of the intranet communication data packets received by the target network device is stored in the first history storage space; because the first history storage space has a fixed size, every first period the traffic in the first slot of its array is replaced by the newly generated traffic, the next new traffic replaces the traffic in the second slot of the same array, and so on, so that the first historical traffic is stored circularly with the first period as the cycle time. In this embodiment of the present invention, the array of the second history storage space may also have a fixed size: the average of the traffic stored in the first history storage space may be calculated every first period and stored in the second history storage space, so the second history storage space becomes full once every second period. When the second period is exceeded, the average traffic in the first slot of the array of the second history storage space is replaced by the newly generated average traffic; storage thus cycles with the second period as the cycle length, an existing average traffic in the second history storage space is replaced by a new average traffic every first period, and the array position of the replaced average traffic advances with the number of cycles.
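The following Python is an added example, not code from the patent or its applicant: it models the per-destination increment detection described above, with the intranet filter backed by a set of internal addresses, the two fixed-size circular history spaces, both the difference and the ratio form of the increments, and the two-threshold decision. The internal address set, storage quantities, thresholds and traffic samples are all constructed assumptions, and the gradual-growth scenario goes beyond the text to show why a large historical increment alone raises no alarm.

```python
from collections import deque
from typing import Deque, Dict, Iterable, Optional, Tuple

Traffic = Tuple[float, float]  # (total packet number, total packet length in bytes)

# Constructed set of internal addresses; the patent keeps internal addresses in a
# hash table, and a Python set gives the same O(1) membership lookup.
INTERNAL_HOSTS = {"10.0.0.5", "10.0.0.6", "10.0.1.7"}


def count_intranet_traffic(packets: Iterable[dict]) -> Dict[str, Traffic]:
    """Keep packets whose source and destination are both internal, drop packets with an
    illegal length (a constructed format check), and total packet number and packet
    length per destination address."""
    per_dst: Dict[str, list] = {}
    for pkt in packets:
        if pkt["src"] not in INTERNAL_HOSTS or pkt["dst"] not in INTERNAL_HOSTS:
            continue  # discarded: not intranet communication
        if not 0 < pkt["len"] <= 65535:
            continue  # discarded: illegal format
        acc = per_dst.setdefault(pkt["dst"], [0, 0])
        acc[0] += 1
        acc[1] += pkt["len"]
    return {dst: (p, b) for dst, (p, b) in per_dst.items()}


class IncrementDetector:
    """Per-destination current/historical increment check with two fixed-size circular
    history spaces: first_len per-sample traffic values (first history space) and
    second_len per-first-period averages (second history space)."""

    def __init__(self, first_len: int, second_len: int,
                 thresholds: Dict[str, Tuple[float, float]],
                 default_threshold: Tuple[float, float] = (1.0, 1.0),
                 use_ratio: bool = True) -> None:
        self.first_len = first_len            # first storage quantity
        self.second_len = second_len          # second storage quantity
        self.thresholds = thresholds          # dst -> (current threshold, historical threshold)
        self.default_threshold = default_threshold
        self.use_ratio = use_ratio            # ratio form (claim 9) or difference form (claim 8)
        self.first_hist: Dict[str, Deque[Traffic]] = {}
        self.second_hist: Dict[str, Deque[Traffic]] = {}
        self.samples: Dict[str, int] = {}

    def _increment(self, cur: float, hist: float) -> float:
        if not self.use_ratio:
            return cur - hist
        if hist == 0:                         # no baseline: any traffic counts as unbounded growth
            return float("inf") if cur > 0 else 0.0
        return (cur - hist) / hist

    def increments(self, dst: str, traffic: Traffic) -> Optional[Tuple[Traffic, Traffic]]:
        """Return ((cur_pkts, hist_pkts), (cur_bytes, hist_bytes)) increments, or None while a
        history space is not yet full (no traffic one period back to compare with)."""
        first = self.first_hist.get(dst, ())
        second = self.second_hist.get(dst, ())
        if len(first) < self.first_len or len(second) < self.second_len:
            return None
        base1, base2 = first[0], second[0]    # oldest slot = one first / second period ago
        pkts = (self._increment(traffic[0], base1[0]), self._increment(traffic[0], base2[0]))
        size = (self._increment(traffic[1], base1[1]), self._increment(traffic[1], base2[1]))
        return pkts, size

    def store(self, dst: str, traffic: Traffic) -> None:
        """Steps 208/209: circularly store the sample and, at the end of each first period,
        store the period's average traffic in the second history space."""
        first = self.first_hist.setdefault(dst, deque(maxlen=self.first_len))
        second = self.second_hist.setdefault(dst, deque(maxlen=self.second_len))
        first.append(traffic)
        self.samples[dst] = self.samples.get(dst, 0) + 1
        if self.samples[dst] % self.first_len == 0:
            n = len(first)
            second.append((sum(t[0] for t in first) / n, sum(t[1] for t in first) / n))

    def observe(self, dst: str, traffic: Traffic) -> str:
        """Classify the new sample for dst, then store it: 'warming', 'normal' or 'attack'."""
        inc = self.increments(dst, traffic)
        self.store(dst, traffic)
        if inc is None:
            return "warming"
        cur_thr, hist_thr = self.thresholds.get(dst, self.default_threshold)
        # Flag only when BOTH the short-term and the long-term increment exceed their
        # thresholds, for the packet-number metric and/or the packet-length metric.
        for cur_inc, hist_inc in inc:
            if cur_inc > cur_thr and hist_inc > hist_thr:
                return "attack"
        return "normal"


def run_demo() -> Tuple[str, str]:
    """Constructed scenarios: a sudden surge (both increments large) versus gradual
    business growth (large historical increment but small current increment)."""
    thresholds = {"10.0.0.5": (1.0, 1.0)}   # per-destination thresholds (constructed)
    surge = IncrementDetector(3, 2, thresholds)
    for _ in range(6):
        surge.observe("10.0.0.5", (100, 50000))
    surge.observe("10.0.0.5", (110, 55000))                    # +10 %: normal
    surge_result = surge.observe("10.0.0.5", (2000, 120000))   # 19x short and long term

    growth = IncrementDetector(3, 2, thresholds)
    for pkts in (100, 100, 100, 200, 200, 200):
        growth.observe("10.0.0.5", (pkts, pkts * 500))
    growth_result = growth.observe("10.0.0.5", (210, 105000))  # +5 % vs last period
    return surge_result, growth_result


if __name__ == "__main__":
    print(run_demo())
```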
EXAMPLE III
Fig. 7 is a schematic structural diagram of an attack detection apparatus provided in the third embodiment of the present invention, and the attack detection apparatus provided in the third embodiment of the present invention can execute the attack detection method provided in any embodiment of the present invention, and has functional modules and beneficial effects corresponding to the execution method. Referring to fig. 7, an apparatus of an embodiment of the present invention includes: an increment determination module 301 and an attack determination module 302.
The increment determining module 301 is configured to determine a current communication increment and a historical communication increment according to an intranet communication data packet of a target network device.
An attack determination module 302, configured to determine that the target network device is attacked by the distributed denial of service attack if the current communication increment and the historical communication increment are greater than the increment threshold.
According to the technical scheme of the embodiment of the invention, the increment determining module determines the current communication increment and the historical communication increment according to the intranet communication data packet of the target network device, and the attack determination module determines that the target network device is under a distributed denial of service attack when the current communication increment and the historical communication increment are larger than the increment threshold. The method and the device realize network attack detection across internet data centers, reduce false attack reports caused by normal service growth, and improve the accuracy of distributed denial of service attack detection.
Optionally, on the basis of the embodiment of the present invention, the attack detection apparatus further includes:
a data packet acquisition module, configured to acquire network data packets of the target network device through a bypass, where a network data packet whose destination address and source address are both internal addresses is an intranet communication data packet.
Optionally, on the basis of the embodiment of the present invention, the attack detection apparatus further includes:
a data packet discarding module, configured to discard a network data packet whose destination address or source address is not an internal address.
Optionally, on the basis of the embodiment of the present invention, the internal addresses in the data packet acquisition module are stored in a hash table.
Optionally, on the basis of the embodiment of the present invention, the internal addresses in the hash table of the data packet acquisition module are hashed in advance into index form.
Optionally, the increment determining module includes:
a traffic acquiring unit, configured to acquire the destination address of each intranet communication data packet and count attribute information of the intranet communication data packets per destination address to generate a traffic volume.
a history quantity obtaining unit, configured to obtain, for each destination address, the first historical traffic volume before the first period and the second historical traffic volume before the second period.
an increment determining unit, configured to determine, for each destination address, the current communication increment from the traffic volume and the first historical traffic volume, and the historical communication increment from the traffic volume and the second historical traffic volume.
Optionally, on the basis of the embodiment of the present invention, the time length of the second period in the history quantity obtaining unit is greater than the time length of the first period.
Optionally, on the basis of the foregoing embodiment of the present invention, the increment determining unit includes:
a first current determining subunit, configured to determine the difference between the total packet number and the first historical total packet number and/or the difference between the total packet length and the first historical total packet length as the current communication increment.
a first history determining subunit, configured to determine the difference between the total packet number and the second historical total packet number and/or the difference between the total packet length and the second historical total packet length as the historical communication increment.
Optionally, on the basis of the foregoing embodiment of the present invention, the increment determining unit further includes:
a second current determining subunit, configured to determine the ratio of the difference between the total packet number and the first historical total packet number to the first historical total packet number and/or the ratio of the difference between the total packet length and the first historical total packet length to the first historical total packet length as the current communication increment.
a second history determining subunit, configured to determine the ratio of the difference between the total packet number and the second historical total packet number to the second historical total packet number and/or the ratio of the difference between the total packet length and the second historical total packet length to the second historical total packet length as the historical communication increment.
Optionally, on the basis of the above embodiment of the present invention, the apparatus further includes:
a first storage module, configured to store the traffic volume in the first history storage space.
a second storage module, configured to determine the average traffic volume in the current first period when the current first period ends, and to store the average traffic volume in the second history storage space.
Optionally, on the basis of the embodiment of the present invention, the data structures of the first history storage space and the second history storage space in the second storage module are arrays, the lengths of the arrays are the first storage quantity and the second storage quantity respectively, and the first storage quantity and the second storage quantity are fixed values.
Optionally, on the basis of the foregoing embodiment of the present invention, the attack determination module includes:
an attack determining unit, configured to determine that the target network device is under a distributed denial of service attack if the current communication increment is larger than the current increment threshold and the historical communication increment is larger than the historical increment threshold.
Optionally, on the basis of the above embodiment of the present invention, the apparatus further includes:
a data packet processing module, configured to discard an intranet communication data packet when its format is detected to be illegal.
EXAMPLE IV
Fig. 8 is a schematic structural diagram of a device according to the fourth embodiment of the present invention. As shown in fig. 8, the device includes a processor 40, a memory 41, an input device 42 and an output device 43; the device may have one or more processors 40, one processor 40 being taken as an example in fig. 8; the processor 40, the memory 41, the input device 42 and the output device 43 may be connected by a bus or by other means, a bus connection being taken as an example in fig. 8.
The memory 41, which is a computer-readable storage medium, may be used to store software programs, computer-executable programs, and modules, such as program modules corresponding to the detection method of the attack in the embodiment of the present invention (for example, the increment determination module 301 and the attack determination module 302 in the detection apparatus of the attack). The processor 40 executes various functional applications of the device and data processing by running software programs, instructions, and modules stored in the memory 41, that is, implements the attack detection method described above.
The memory 41 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 41 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, memory 41 may further include memory located remotely from processor 40, which may be connected to the device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 42 is operable to receive input numeric or character information and to generate key signal inputs relating to user settings and function controls of the apparatus. The output device 43 may include a display device such as a display screen.
EXAMPLE V
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, where the computer-executable instructions are executed by a computer processor to perform a method for detecting an attack, and the method includes:
determining a current communication increment and a historical communication increment according to an intranet communication data packet of target network equipment;
if the current communication increment and the historical communication increment are larger than the increment threshold, determining that the target network device is under a distributed denial of service attack.
Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the method operations described above, and may also perform related operations in the attack detection method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the attack detection apparatus, each included unit and each included module are only divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in more detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the claims.

Claims (16)

1. A method for detecting an attack, comprising:
determining a current communication increment and a historical communication increment according to an intranet communication data packet of target network equipment;
if the current communication increment and the historical communication increment are larger than the increment threshold, determining that the target network device is under a distributed denial of service attack.
2. The method according to claim 1, before determining the current communication increment and the historical communication increment according to the intranet communication data packet of the target network device, further comprising:
obtaining network data packets of the target network device through a bypass, wherein a network data packet whose destination address and source address are both internal addresses is an intranet communication data packet.
3. The method of claim 2, further comprising:
discarding a network data packet whose destination address or source address is not an internal address.
4. The method of claim 2, wherein the internal address is stored in a hash table.
5. The method of claim 4, wherein the internal address in the hash table is hashed in advance to form an index.
6. The method according to claim 1, wherein the determining a current communication increment and a historical communication increment according to the intranet communication data packet of the target network device comprises:
acquiring a destination address of each intranet communication data packet, and counting attribute information of the intranet communication data packet according to the destination address to generate communication traffic;
acquiring first historical traffic of each destination address before a first period and second historical traffic of each destination address before a second period;
for each destination address, a current traffic delta is determined based on the traffic volume and the first historical traffic volume, and a historical traffic delta is determined based on the traffic volume and the second historical traffic volume.
7. The method of claim 6, wherein a time length of the second period is greater than a time length of the first period.
8. The method of claim 6, wherein the traffic of the intranet communication data packet comprises a total packet number and/or a total packet length, and accordingly, determining a current traffic increment according to the traffic and the first historical traffic, and determining a historical traffic increment according to the traffic and the second historical traffic comprises:
determining the difference between the total packet number and the first historical total packet number and/or the difference between the total packet length and the first historical total packet length as the current communication increment;
determining the difference between the total packet number and the second historical total packet number and/or the difference between the total packet length and the second historical total packet length as the historical communication increment.
9. The method of claim 6, wherein the traffic of the intranet communication data packet comprises a total packet number and/or a total packet length, and accordingly, determining a current traffic increment according to the traffic and the first historical traffic, and determining a historical traffic increment according to the traffic and the second historical traffic comprises:
determining the ratio of the difference between the total packet number and the first historical total packet number to the first historical total packet number and/or the ratio of the difference between the total packet length and the first historical total packet length to the first historical total packet length as the current communication increment;
determining the ratio of the difference between the total packet number and the second historical total packet number to the second historical total packet number, and/or the ratio of the difference between the total packet length and the second historical total packet length to the second historical total packet length as the historical communication increment.
10. The method according to claim 6, further comprising, after counting attribute information of the intranet communication packet according to the destination address to generate a traffic volume:
storing traffic to a first history storage space;
at the end of the current first period, the average traffic volume in the current first period is determined and stored in the second history storage space.
11. The method of claim 10, wherein the data structure of the first and second history storage spaces is an array, the length of the array is a first storage amount and a second storage amount, respectively, and the first storage amount and the second storage amount are constant values.
12. The method of claim 1, wherein determining that the target network device is under a distributed denial of service attack if the current traffic delta and the historical traffic delta are greater than a delta threshold comprises:
if the current communication increment is larger than the current increment threshold and the historical communication increment is larger than the historical increment threshold, determining that the target network device is under a distributed denial of service attack.
13. The method of any one of claims 1-12, further comprising:
when the format of an intranet communication data packet is detected to be illegal, discarding the intranet communication data packet.
14. An attack detection apparatus, comprising:
an increment determining module, configured to determine a current communication increment and a historical communication increment according to an intranet communication data packet of a target network device;
an attack determining module, configured to determine that the target network device is under a distributed denial of service attack if the current communication increment and the historical communication increment are larger than the increment threshold.
15. An apparatus, characterized in that the apparatus comprises:
one or more processors;
a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of detecting an attack as claimed in any one of claims 1 to 13.
16. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a method of detecting an attack according to any one of claims 1 to 13.
CN201911205648.1A 2019-11-29 2019-11-29 Attack detection method, device, equipment and storage medium Active CN110958245B (en)
Publications (2)

Publication Number Publication Date
CN110958245A true CN110958245A (en) 2020-04-03
CN110958245B CN110958245B (en) 2022-03-04

Family

ID=69979136

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911205648.1A Active CN110958245B (en) 2019-11-29 2019-11-29 Attack detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110958245B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113518057A (en) * 2020-04-09 2021-10-19 腾讯科技(深圳)有限公司 Detection method and device for distributed denial of service attack and computer equipment thereof
CN114338120A (en) * 2021-12-23 2022-04-12 绿盟科技集团股份有限公司 Segment scanning attack detection method, device, medium and electronic equipment
CN115118463A (en) * 2022-06-10 2022-09-27 深信服科技股份有限公司 Method and device for detecting defect host, electronic equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160028763A1 (en) * 2014-07-23 2016-01-28 Cisco Technology, Inc. Behavioral white labeling
CN105450619A (en) * 2014-09-28 2016-03-30 腾讯科技(深圳)有限公司 Method, device and system of protection of hostile attacks
CN108183917A (en) * 2018-01-16 2018-06-19 中国人民解放军国防科技大学 DDoS attack cross-layer cooperative detection method based on software defined network
CN108390856A (en) * 2018-01-12 2018-08-10 北京奇艺世纪科技有限公司 A kind of ddos attack detection method, device and electronic equipment
CN109617868A (en) * 2018-12-06 2019-04-12 腾讯科技(深圳)有限公司 A kind of detection method of DDOS attack, device and detection service device
CN109951491A (en) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detecting method, device, equipment and storage medium
CN111600859A (en) * 2020-05-08 2020-08-28 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for detecting distributed denial of service attack

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
姜文醍 et al.: "Flow-feature-based detection of DDoS attacks and flash crowd events in SDN", 《重庆邮电大学学报(自然科学版)》 *
宋洪涛 et al.: "Design and implementation of an information-entropy-based cooperative detection system for distributed denial of service attacks", 《小型微型计算机系统》 *
骆凯 et al.: "A dynamic-threshold-based method for detecting burst traffic anomalies", 《信息工程大学学报》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113518057A (en) * 2020-04-09 2021-10-19 腾讯科技(深圳)有限公司 Detection method and device for distributed denial of service attack and computer equipment thereof
CN113518057B (en) * 2020-04-09 2024-03-08 腾讯科技(深圳)有限公司 Method and device for detecting distributed denial of service attack and computer equipment thereof
CN114338120A (en) * 2021-12-23 2022-04-12 绿盟科技集团股份有限公司 Segment scanning attack detection method, device, medium and electronic equipment
CN114338120B (en) * 2021-12-23 2023-11-21 绿盟科技集团股份有限公司 Method, device, medium and electronic equipment for detecting sweep attack
CN115118463A (en) * 2022-06-10 2022-09-27 深信服科技股份有限公司 Method and device for detecting defect host, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN110958245B (en) 2022-03-04

Similar Documents

Publication Publication Date Title
US11057404B2 (en) Method and apparatus for defending against DNS attack, and storage medium
CN109005157B (en) DDoS attack detection and defense method and system in software defined network
CN110958245B (en) Attack detection method, device, equipment and storage medium
CN108965347B (en) Distributed denial of service attack detection method, device and server
US8005012B1 (en) Traffic analysis of data flows
CN106330944B (en) Malicious system vulnerability scanner identification method and device
US7596810B2 (en) Apparatus and method of detecting network attack situation
EP3905622A1 (en) Botnet detection method and system, and storage medium
US20050278779A1 (en) System and method for identifying the source of a denial-of-service attack
US9521162B1 (en) Application-level DDoS detection using service profiling
CN109922072B (en) Distributed denial of service attack detection method and device
US8336098B2 (en) Method and apparatus for classifying harmful packet
CN110266650B (en) Identification method of Conpot industrial control honeypot
CN112055956A (en) Network security
CN113114694A (en) DDoS attack detection method oriented to high-speed network packet sampling data acquisition scene
US20230412591A1 (en) Traffic processing method and protection system
CN112559824A (en) Message processing method, device and equipment
CN110061998B (en) Attack defense method and device
CN111756713A (en) Network attack identification method and device, computer equipment and medium
CN107864110B (en) Botnet main control terminal detection method and device
CN108712365B (en) DDoS attack event detection method and system based on flow log
CN113765849B (en) Abnormal network flow detection method and device
CN113890746A (en) Attack traffic identification method, device, equipment and storage medium
WO2024027079A1 (en) Domain-name reflection attack detection method and apparatus, and electronic device and storage medium
CN112261019A (en) Distributed denial of service attack detection method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221205

Address after: 31a, 15 / F, building 30, maple mall, bangrang Road, Brazil, Singapore

Patentee after: Baiguoyuan Technology (Singapore) Co.,Ltd.

Address before: 511400 floor 5-13, West Tower, building C, 274 Xingtai Road, Shiqiao street, Panyu District, Guangzhou City, Guangdong Province

Patentee before: GUANGZHOU BAIGUOYUAN INFORMATION TECHNOLOGY Co.,Ltd.
