CN111131126A - Attack detection method and device - Google Patents

Attack detection method and device

Publication number: CN111131126A
Application number: CN201811272018.1A
Authority: CN (China)
Prior art keywords: client, address, dns, data, condition
Legal status: Granted (Active)
Other languages: Chinese (zh)
Other versions: CN111131126B (en)
Inventors: 何明, 樊宁, 沈军, 汪来富, 金华敏
Original assignee: China Telecom Corp Ltd
Current assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd; priority to CN201811272018.1A; published as CN111131126A; granted and published as CN111131126B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]


Abstract

The present disclosure provides an attack detection method and apparatus. The attack detection apparatus acquires DNS data with a DNS probe and parses it; if the parse result shows abnormal characteristics, it further queries whether the client IP address associated with the DNS data has alarm information, and raises an APT alarm if it does. By analysing the DNS data and at the same time performing a security analysis of the corresponding client IP address, the method and apparatus can effectively improve the detection capability for APT attacks.

Description

Attack detection method and device
Technical Field
The present disclosure relates to the field of information security, and in particular, to an attack detection method and apparatus.
Background
An APT (Advanced Persistent Threat) attack does not primarily aim to destroy the availability or reliability of the target system; it aims to steal high-value data and files, has a definite target, and conceals its behaviour over a long period.
A network covert channel is an important way for an APT attacker to bypass network security policy and transmit data, and the Domain Name System (DNS) is a common means of implementing an application-layer covert channel.
Covert channels over the DNS protocol fall into two classes. The first exploits recursive domain name resolution: the attacker registers a domain and sets its NS (Name Server) record to the covert channel server, and the covert channel client then communicates with that server by requesting sub-domain names within the domain from any DNS recursive server. In the second class, the client communicates directly with the covert channel server over UDP (User Datagram Protocol) port 53.
Disclosure of Invention
The inventors found through research that, because of the important role DNS plays in network operation, the DNS protocol is rarely blocked by firewall policies. A DNS covert channel client that uses recursive domain name resolution only needs to send requests to a local DNS server and never has to communicate directly with the far end of the channel, which makes it much harder to formulate an access control policy. At present, DNS messages are seldom monitored and managed effectively, so APT attacks that use a DNS covert channel cannot be detected.
The present disclosure therefore provides a scheme that can effectively detect APT attacks.
In accordance with an aspect of one or more embodiments of the present disclosure, there is provided an attack detection method including: acquiring DNS data by using a Domain Name System (DNS) probe; analyzing the DNS data; under the condition that the analysis result has abnormal characteristics, further inquiring whether a client IP address associated with the DNS data has alarm information; and performing Advanced Persistent Threat (APT) alarm under the condition that the IP address of the client has alarm information.
In some embodiments, the above method further comprises: under the condition that the IP address of the client does not have the alarm information, further inquiring whether the IP address of the client is added with a first identifier or not; and under the condition that the first identification is not added to the client IP address, adding the first identification to the client IP address.
In some embodiments, the above method further comprises: and under the condition that the client IP address is added with a first identifier, converting the first identifier into a second identifier so as to perform security investigation.
In some embodiments, the above method further comprises: under the condition that the analysis result has no abnormal characteristic, performing statistical analysis on the connection characteristic of the DNS data; further inquiring whether alarm information exists in the IP address of the client associated with the DNS data or not under the condition that the statistical analysis value is larger than a preset threshold; and carrying out APT alarm under the condition that the IP address of the client has alarm information.
In some embodiments, the abnormal characteristic comprises at least one of: a packet format parsing exception; the parse position not being at the end of the User Datagram Protocol (UDP) payload when parsing completes; and an encoded domain name containing a forward pointer.
In some embodiments, the connection characteristics include at least one of a number of labels for the requested domain name, an amount of data stored for the requested domain name, a number of binary data for the requested domain name, a resource record data size for the DNS reply message, and a number of canonical name CNAME records for the DNS reply message.
In accordance with another aspect of one or more embodiments of the present disclosure, there is provided an attack detection apparatus including: a data acquisition module configured to acquire DNS data using a domain name system DNS probe; a resolution module configured to resolve the DNS data; the first query module is configured to further query whether alarm information exists in a client IP address associated with the DNS data or not when the abnormal characteristics exist in a resolution result; and the alarm module is configured to perform APT (advanced persistent threat) alarm under the condition that the IP address of the client has alarm information.
In some embodiments, the above apparatus further comprises: the second query module is configured to further query whether the client IP address is added with the first identifier or not under the condition that the client IP address does not have the alarm information; the identification management module is configured to add a first identification to the client IP address under the condition that the client IP address is not added with the first identification.
In some embodiments, the identity management module is further configured to convert the first identifier to a second identifier for security investigation if the first identifier has already been added to the client IP address.
In some embodiments, the above apparatus further comprises: the statistical analysis module is configured to perform statistical analysis on the connection characteristics of the DNS data under the condition that the analysis result has no abnormal characteristics; an identification module configured to determine whether the statistical analysis value is greater than a predetermined threshold; the first query module is further configured to further query whether alarm information exists in the client IP address associated with the DNS data in the case that the statistical analysis value is greater than a predetermined threshold.
In some embodiments, the abnormal characteristic comprises at least one of: a packet format parsing exception; the parse position not being at the end of the User Datagram Protocol (UDP) payload when parsing completes; and an encoded domain name containing a forward pointer.
In some embodiments, the connection characteristics include at least one of a number of labels for the requested domain name, an amount of data stored for the requested domain name, a number of binary data for the requested domain name, a resource record data size for the DNS reply message, and a number of canonical name CNAME records for the DNS reply message.
In accordance with another aspect of one or more embodiments of the present disclosure, there is provided an attack detection apparatus including: a memory configured to store instructions; a processor coupled to the memory, the processor configured to perform a method according to any of the embodiments described above based on instructions stored in the memory.
According to another aspect of one or more embodiments of the present disclosure, there is provided a computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions, which when executed by a processor, implement a method as described above in relation to any one of the embodiments.
Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
In order to illustrate the embodiments of the present disclosure or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present disclosure, and those skilled in the art can derive other drawings from them without inventive effort.
FIG. 1 is an exemplary flow chart of an attack detection method according to one embodiment of the present disclosure;
FIG. 2 is an exemplary flow chart of an attack detection method according to another embodiment of the present disclosure;
FIG. 3 is an exemplary block diagram of an attack detection apparatus according to an embodiment of the present disclosure;
FIG. 4 is an exemplary block diagram of an attack detection apparatus according to another embodiment of the present disclosure;
FIG. 5 is an exemplary block diagram of an attack detection apparatus according to still another embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is an exemplary flowchart of an attack detection method according to an embodiment of the present disclosure. In some embodiments, the method steps of the present embodiment may be performed by an attack detection apparatus.
At step 101, DNS data is obtained using a DNS probe.
For example, all UDP 53 traffic is monitored using a DNS probe.
At step 102, the DNS data is resolved.
In step 103, if the parse result has an abnormal characteristic, it is further queried whether alarm information exists for the client IP address associated with the DNS data.
In some embodiments, the abnormal characteristic includes at least one of a packet format parsing exception, the parse position not being at the end of the UDP payload when parsing completes, and an encoded domain name containing a forward pointer.
Note that a DNS tunnel packet of the direct IP connection type is not a genuine DNS protocol packet, so a format abnormality usually appears when it is parsed according to the DNS protocol. Even when an attacker avoids a format abnormality during parsing by means such as data injection or forward pointers, other abnormal characteristics are introduced: the parse position is not at the end of the UDP payload when parsing completes, or forward pointers are present. These abnormal characteristics can serve as the basis for judging a DNS message to be a suspicious tunnel message.
Note also that an APT attack consists of a chain of related steps, and a DNS tunnel packet does not appear out of nowhere. Therefore, if alarm information already exists for the request IP of a suspicious DNS tunnel message, the probability of an APT attack is high.
In step 104, if alarm information exists for the client IP address, an APT alarm is raised.
In the attack detection method provided by the embodiment of the disclosure, the detection capability of the APT attack can be effectively improved by analyzing the DNS data and simultaneously performing security analysis on the corresponding client IP address.
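As an added illustration (not code from the patent or from China Telecom), the following Python parser walks a UDP/53 payload as steps 102 and 103 describe and reports the three abnormal characteristics: a format parsing error, a parse position that is not at the end of the UDP payload when parsing completes, and a compression pointer that points forward instead of back. The sample messages are constructed inline, and the function and field names are my own.

```python
import struct
from dataclasses import dataclass, field


@dataclass
class ParseResult:
    ok: bool                        # message parsed without a format error
    error: str = ""                 # reason for the format error, if any
    end_offset: int = 0             # parser position after the last section
    forward_pointer: bool = False   # some compression pointer pointed forward
    qname: str = ""                 # first question name
    answers: list = field(default_factory=list)   # (name, type, rdlength) per RR


def read_name(buf: bytes, pos: int, res: ParseResult, depth: int = 0):
    """Decode a possibly compressed name at buf[pos]; return (name, next_pos).
    RFC 1035 pointers must refer to an earlier occurrence, so a target at or
    beyond the pointer itself is recorded as a forward pointer."""
    labels = []
    while True:
        if pos >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if pos + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | buf[pos + 1]
            if target >= pos:
                res.forward_pointer = True
            if depth > 16:                              # guard against pointer loops
                raise ValueError("compression pointer loop")
            tail, _ = read_name(buf, target, res, depth + 1)
            return ".".join(labels + ([tail] if tail else [])), pos + 2
        if length & 0xC0:                               # 0x40/0x80 label types are reserved
            raise ValueError("reserved label type 0x%02x" % length)
        if length == 0:                                 # root label ends the name
            return ".".join(labels), pos + 1
        pos += 1
        if pos + length > len(buf):
            raise ValueError("label runs past end of message")
        labels.append(buf[pos:pos + length].decode("latin-1"))
        pos += length


def parse_dns(payload: bytes) -> ParseResult:
    """Parse the header, question and resource-record sections of one payload."""
    res = ParseResult(ok=False)
    try:
        if len(payload) < 12:
            raise ValueError("header shorter than 12 bytes")
        _id, _flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
        pos = 12
        for i in range(qd):
            name, pos = read_name(payload, pos, res)
            if pos + 4 > len(payload):
                raise ValueError("truncated question")
            pos += 4                                    # QTYPE + QCLASS
            res.qname = name if i == 0 else res.qname
        for _ in range(an + ns + ar):
            name, pos = read_name(payload, pos, res)
            if pos + 10 > len(payload):
                raise ValueError("truncated resource record header")
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[pos:pos + 10])
            pos += 10
            if pos + rdlen > len(payload):
                raise ValueError("RDATA runs past end of message")
            res.answers.append((name, rtype, rdlen))
            pos += rdlen
        res.ok = True
        res.end_offset = pos
    except ValueError as exc:
        res.error = str(exc)
    return res


def anomaly_features(payload: bytes) -> set:
    """Abnormal characteristics of the payload in the sense of step 103."""
    res = parse_dns(payload)
    found = set()
    if not res.ok:
        found.add("format_error")
    elif res.end_offset != len(payload):
        found.add("trailing_data")      # parse position not at end of UDP payload
    if res.forward_pointer:
        found.add("forward_pointer")
    return found


def encode_name(name: str) -> bytes:
    """Uncompressed wire encoding of a domain name (used to build the samples)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"


# Constructed sample messages (not captured traffic).
QUERY_HDR = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)        # 1 question
NORMAL_QUERY = QUERY_HDR + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
NORMAL_RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)   # 1 question, 1 answer
                   + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
PADDED_QUERY = NORMAL_QUERY + b"\x00" * 16                         # 16 non-DNS bytes appended
FORWARD_POINTER_QUERY = (QUERY_HDR + b"\xc0\x12" + struct.pack("!HH", 16, 1)
                         + encode_name("t.example.net"))           # QNAME points ahead to offset 18
BAD_LABEL_QUERY = QUERY_HDR + b"\x80abc\x00" + struct.pack("!HH", 1, 1)   # reserved label type
```

The padded and forward-pointer samples show the patent's observation that a message which survives format parsing still leaves a tell-tale: the parser stops short of the payload end, or a pointer refers ahead of itself.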
Fig. 2 is an exemplary flowchart of an attack detection method according to another embodiment of the present disclosure. In some embodiments, the method steps of the present embodiment may be performed by an attack detection apparatus.
At step 201, DNS data is acquired using a DNS probe.
At step 202, the DNS data is resolved.
In step 203, it is determined whether the analysis result has an abnormal feature.
If the analysis result has abnormal features, executing step 204; if the analysis result does not have the abnormal feature, step 209 is executed.
At step 204, a query is made as to whether alert information exists for the client IP address associated with the DNS data.
If alarm information exists for the client IP address, step 205 is executed; if it does not, step 206 is executed.
At step 205, an APT alert is performed.
At step 206, a query is made as to whether the client IP address is added with the first identification.
In case the client IP address is not added with the first identity, step 207 is performed; in case the client IP address has been added with the first identity, step 208 is performed.
In step 207, a first identification is added to the client IP address.
A first identification is added to the client IP address indicating that a security risk may exist at present, but the anomaly may be only an accidental event. The first identifier is added only for marking and no alarm processing is carried out. For example, the first identifier may be a yellow label.
At step 208, the first identifier of the client IP address is converted to a second identifier for security investigation.
When the abnormal condition recurs, the identifier of the client IP address is converted to a second identifier, indicating that the IP is suspicious and must be checked manually. For example, the second identifier may be a red label.
At step 209, a statistical analysis is performed on the connection characteristics of the DNS data.
In some embodiments, the connection characteristics include at least one of the number of labels in the requested domain name, the amount of data stored in the requested domain name, the amount of binary data in the requested domain name, the resource record data size of the DNS reply message, and the number of CNAME (Canonical Name) records in the DNS reply message.
Note that a domain-name DNS tunnel must carry control commands and sensitive data, so its connection characteristics deviate to some degree from those of normal DNS packets. The extracted features are therefore compared with feature statistics of normal DNS packets, and if the deviation is large enough the message is classified as a suspicious DNS tunnel message.
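The statistical branch of step 209, as an added example that is not part of the patent: the five connection characteristics are extracted from a decoded query name and the reply's resource records, and their deviation from a baseline built on normal traffic is summed as positive standard scores. The baseline traffic, the tunnel-like exchange, the threshold value and the hostname-alphabet definition of "binary data" are my assumptions.

```python
import statistics
from string import ascii_lowercase, digits

CNAME = 5
TXT = 16
# RFC 1035 hostname alphabet; anything outside it counts as "binary data" (assumption).
HOSTNAME_CHARS = set(ascii_lowercase + digits + "-")
THRESHOLD = 6.0   # assumed value; the patent leaves the predetermined threshold open


def connection_features(qname: str, answers: list) -> dict:
    """The five connection characteristics of one query and its reply.
    qname is the decoded requested name; answers lists (rtype, rdata) per RR."""
    labels = [l for l in qname.split(".") if l]
    name_data = "".join(labels)
    return {
        "label_count": len(labels),
        "name_bytes": len(name_data),                  # data carried in the requested name
        "binary_chars": sum(c not in HOSTNAME_CHARS for c in name_data.lower()),
        "rr_data_size": sum(len(rdata) for _, rdata in answers),
        "cname_count": sum(rtype == CNAME for rtype, _ in answers),
    }


def baseline(samples: list) -> dict:
    """Per-feature mean and population standard deviation over normal traffic."""
    base = {}
    for key in samples[0]:
        values = [s[key] for s in samples]
        base[key] = (statistics.mean(values), statistics.pstdev(values))
    return base


def deviation_score(features: dict, base: dict) -> float:
    """Sum of positive standardised deviations. Only excess counts: a tunnel
    carries more labels, bytes and records than normal traffic, never fewer."""
    score = 0.0
    for key, value in features.items():
        mean, std = base[key]
        # std floored at 1.0 (assumption) so a near-constant feature cannot dominate
        score += max(0.0, (value - mean) / max(std, 1.0))
    return score


def is_suspicious(features: dict, base: dict, threshold: float = THRESHOLD) -> bool:
    """Step 210: the statistical analysis value exceeds the predetermined threshold."""
    return deviation_score(features, base) > threshold


# Constructed normal traffic used to build the baseline (not captured data).
NORMAL_TRAFFIC = [
    connection_features("www.example.com", [(1, bytes([93, 184, 216, 34]))]),
    connection_features("mail.example.org", [(1, bytes([192, 0, 2, 1]))]),
    connection_features("cdn.static.example.net",
                        [(CNAME, b"\x03cdn\x07example\x03net\x00"), (1, bytes([10, 0, 0, 1]))]),
    connection_features("api.example.com", [(28, b"\x00" * 16)]),
]
BASE = baseline(NORMAL_TRAFFIC)

# Constructed tunnel-like exchange: a 60-character hex label, a base64 label with
# padding, a sequence number, and a 200-byte TXT reply.
TUNNEL_QNAME = ("7a4b9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f"
                ".aGVsbG8=.0017.t.example.com")
TUNNEL_FEATURES = connection_features(TUNNEL_QNAME, [(TXT, b"\xff" * 200)])

if __name__ == "__main__":
    print("tunnel score", round(deviation_score(TUNNEL_FEATURES, BASE), 1),
          "suspicious:", is_suspicious(TUNNEL_FEATURES, BASE))
```

With only four baseline samples the score is illustrative; in deployment the baseline comes from a large volume of the site's own normal DNS traffic.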
At step 210, it is determined whether the statistical analysis value is greater than a predetermined threshold.
In case the statistical analysis value is greater than the predetermined threshold, step 211 is executed; in the event that the statistical analysis value is not greater than the predetermined threshold, step 212 is performed.
In step 211, the client IP address associated with the DNS data is queried for the presence of alert information.
If alarm information exists for the client IP address, step 205 is executed; if it does not, step 212 is executed.
In step 212, the flow ends.
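The decision flow of steps 203 to 212, written out as a small state machine (an added example, not code from the patent). Each parsed message arrives as the set of abnormal characteristics found and the statistical analysis value; the alarm-information store, the threshold value and the class and action names are my assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Identifiers of steps 207 and 208; the patent suggests a yellow and a red label.
FIRST_ID = "yellow"    # marked only, no alarm raised
SECOND_ID = "red"      # suspicious IP, to be checked manually


@dataclass
class Verdict:
    client_ip: str
    action: str              # "apt_alarm", "mark_first", "convert_second" or "end"
    label: Optional[str]     # label held by the client IP after this message


@dataclass
class Fig2Flow:
    """State the attack detection apparatus keeps across DNS messages."""
    alarm_info: set                    # client IPs for which alarm information already exists
    threshold: float = 6.0             # predetermined threshold of step 210 (assumed value)
    labels: dict = field(default_factory=dict)   # client IP -> FIRST_ID or SECOND_ID

    def process(self, client_ip: str, anomalies: set, stat_value: float) -> Verdict:
        """Run one parsed DNS message through steps 203 to 212."""
        if anomalies:                                       # step 203: abnormal feature present
            if client_ip in self.alarm_info:                # step 204
                return Verdict(client_ip, "apt_alarm", self.labels.get(client_ip))   # step 205
            if client_ip not in self.labels:                # step 206
                self.labels[client_ip] = FIRST_ID           # step 207: mark only
                return Verdict(client_ip, "mark_first", FIRST_ID)
            self.labels[client_ip] = SECOND_ID              # step 208: anomaly recurred
            return Verdict(client_ip, "convert_second", SECOND_ID)
        # steps 209/210: no abnormal feature, fall back to the connection statistics
        if stat_value > self.threshold and client_ip in self.alarm_info:   # step 211
            return Verdict(client_ip, "apt_alarm", self.labels.get(client_ip))
        return Verdict(client_ip, "end", self.labels.get(client_ip))       # step 212


if __name__ == "__main__":
    # Constructed event sequence (TEST-NET addresses, not real hosts).
    flow = Fig2Flow(alarm_info={"192.0.2.5"})
    events = [("192.0.2.5", {"forward_pointer"}, 0.0),
              ("192.0.2.9", {"trailing_data"}, 0.0),
              ("192.0.2.9", {"format_error"}, 0.0),
              ("192.0.2.9", set(), 9.5),
              ("192.0.2.5", set(), 9.5)]
    for ip, anomalies, stat in events:
        v = flow.process(ip, anomalies, stat)
        print(f"{ip:12s} anomalies={sorted(anomalies)} stat={stat:4.1f} -> {v.action} ({v.label})")
```

Note that the statistical branch never marks or escalates a label: a client IP whose only evidence is a high statistical value and no prior alarm information simply reaches step 212, exactly as Fig. 2 draws it.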
Fig. 3 is an exemplary block diagram of an attack detection apparatus according to an embodiment of the present disclosure. As shown in fig. 3, the attack detection apparatus includes a data acquisition module 31, a parsing module 32, a first query module 33, and an alarm module 34.
The data acquisition module 31 is configured to acquire DNS data using a DNS probe.
The parsing module 32 is configured to parse the DNS data.
The first query module 33 is configured to further query whether alarm information exists for the client IP address associated with the DNS data if an abnormal feature exists in the parse result.
In some embodiments, the abnormal characteristic includes at least one of a packet format parsing exception, the parse position not being at the end of the User Datagram Protocol (UDP) payload when parsing completes, and an encoded domain name containing a forward pointer.
The alert module 34 is configured to perform an APT alert in the presence of alert information for the client IP address.
In the attack detection device provided by the above embodiment of the present disclosure, by analyzing DNS data and performing security analysis on the IP address of the corresponding client, the detection capability of the APT attack can be effectively improved.
Fig. 4 is an exemplary block diagram of an attack detection apparatus according to another embodiment of the present disclosure. Fig. 4 differs from fig. 3 in that in the embodiment shown in fig. 4, the attack detection apparatus further includes a second query module 35 and an identity management module 36.
The second query module 35 is configured to further query whether the client IP address is added with the first identifier in case the client IP address does not have the alarm information.
The identity management module 36 is configured to add the first identity to the client IP address in the event that the client IP address is not added with the first identity.
A first identification is added to the client IP address indicating that a security risk may exist at present, but the anomaly may be only an accidental event. The first identifier is added only for marking and no alarm processing is carried out. For example, the first identifier may be a yellow label.
Furthermore, the identity management module 36 is configured to convert the first identifier into a second identifier for security investigation if the first identifier has already been added to the client IP address.
When the abnormal condition recurs, the identifier of the client IP address is converted to a second identifier, indicating that the IP is suspicious and must be checked manually. For example, the second identifier may be a red label.
In some embodiments, as shown in fig. 4, the attack detection apparatus further includes a statistical analysis module 37 and an identification module 38.
The statistical analysis module 37 is configured to perform statistical analysis on the connection characteristics of the DNS data in the case where the analysis result does not have the abnormal characteristics.
In some embodiments, the connection characteristics include at least one of a number of labels for the requested domain name, an amount of data stored for the requested domain name, a number of binary data for the requested domain name, a resource record data size for the DNS reply message, and a number of CNAME records for the DNS reply message.
The identification module 38 is configured to determine whether the statistical analysis value is greater than a predetermined threshold.
The first query module 33 is further configured to query whether there is alarm information for the client IP address associated with the DNS data in case the statistical analysis value is larger than a predetermined threshold.
Fig. 5 is an exemplary block diagram of an attack detection apparatus according to still another embodiment of the present disclosure. As shown in fig. 5, the attack detection apparatus includes a memory 51 and a processor 52.
The memory 51 is used for storing instructions, the processor 52 is coupled to the memory 51, and the processor 52 is configured to execute the method according to any one of the embodiments in fig. 1 or fig. 2 based on the instructions stored in the memory.
As shown in fig. 5, the attack detection apparatus further includes a communication interface 53 for information interaction with other devices. Meanwhile, the device also comprises a bus 54, and the processor 52, the communication interface 53 and the memory 51 are communicated with each other through the bus 54.
The memory 51 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk. The memory 51 may also be a memory array, and may be partitioned, with the blocks combined into virtual volumes according to certain rules.
Further, the processor 52 may be a central processing unit CPU, or may be an application specific integrated circuit ASIC, or one or more integrated circuits configured to implement embodiments of the present disclosure.
The present disclosure also relates to a computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions, and the instructions, when executed by a processor, implement a method according to any one of the embodiments shown in fig. 1 or fig. 2.
In some embodiments, the functional unit modules described above may be implemented as a general purpose Processor, a Programmable Logic Controller (PLC), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable Logic device, discrete gate or transistor Logic, discrete hardware components, or any suitable combination thereof for performing the functions described in this disclosure.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The description of the present disclosure has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the disclosure in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the disclosure for various embodiments with various modifications as are suited to the particular use contemplated.

Claims (14)

1. An attack detection method, comprising:
acquiring DNS data by using a Domain Name System (DNS) probe;
analyzing the DNS data;
under the condition that the analysis result has abnormal characteristics, further inquiring whether a client IP address associated with the DNS data has alarm information;
and performing Advanced Persistent Threat (APT) alarm under the condition that the IP address of the client has alarm information.
2. The method of claim 1, further comprising:
under the condition that the IP address of the client does not have the alarm information, further inquiring whether the IP address of the client is added with a first identifier or not;
and under the condition that the first identification is not added to the client IP address, adding the first identification to the client IP address.
3. The method of claim 2, further comprising:
and under the condition that the client IP address is added with a first identifier, converting the first identifier into a second identifier so as to perform security investigation.
4. The method according to any one of claims 1-3, further comprising:
under the condition that the analysis result has no abnormal characteristic, performing statistical analysis on the connection characteristic of the DNS data;
further inquiring whether alarm information exists in the IP address of the client associated with the DNS data or not under the condition that the statistical analysis value is larger than a preset threshold;
and carrying out APT alarm under the condition that the IP address of the client has alarm information.
5. The method of claim 1, wherein,
the abnormal characteristics comprise at least one of: a data packet format parsing exception; the pointer not being at the end of the User Datagram Protocol (UDP) payload when parsing is finished; and a coded domain name containing a forward pointer.
6. The method of claim 4, wherein,
the connection characteristics include at least one of a number of labels of the requested domain name, an amount of data stored for the requested domain name, a number of binary data included in the requested domain name, a resource record data size of the DNS reply message, and a number of canonical name CNAME records included in the DNS reply message.
7. An attack detection apparatus comprising:
a data acquisition module configured to acquire DNS data using a domain name system DNS probe;
a resolution module configured to resolve the DNS data;
the first query module is configured to further query whether alarm information exists in a client IP address associated with the DNS data or not when the abnormal characteristics exist in a resolution result;
and the alarm module is configured to perform APT (advanced persistent threat) alarm under the condition that the IP address of the client has alarm information.
8. The apparatus of claim 7, further comprising:
the second query module is configured to further query whether the client IP address is added with the first identifier or not under the condition that the client IP address does not have the alarm information;
the identification management module is configured to add a first identification to the client IP address under the condition that the client IP address is not added with the first identification.
9. The apparatus of claim 8, wherein,
the identity management module is further configured to convert the first identity into a second identity for security investigation if the first identity has already been added to the client IP address.
10. The apparatus of any of claims 7-9, further comprising:
the statistical analysis module is configured to perform statistical analysis on the connection characteristics of the DNS data under the condition that the analysis result has no abnormal characteristics;
an identification module configured to determine whether the statistical analysis value is greater than a predetermined threshold;
the first query module is further configured to further query whether alarm information exists in the client IP address associated with the DNS data in the case that the statistical analysis value is greater than a predetermined threshold.
11. The apparatus of claim 7, wherein,
the abnormal characteristics comprise at least one of: a data packet format parsing exception; the pointer not being at the end of the User Datagram Protocol (UDP) payload when parsing is finished; and a coded domain name containing a forward pointer.
12. The apparatus of claim 10, wherein
the connection characteristics comprise at least one of: the number of labels in the requested domain name; the amount of data carried in the requested domain name; the amount of binary data contained in the requested domain name; the resource record data size of the DNS reply message; and the number of canonical name (CNAME) records contained in the DNS reply message.
13. An attack detection apparatus comprising:
a memory configured to store instructions; and
a processor coupled to the memory and configured to perform the method of any one of claims 1-6 based on the instructions stored in the memory.
14. A computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions which, when executed by a processor, implement the method of any one of claims 1-6.
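The following is an added worked example, written for this page and not code from the patent or its applicant. It implements the detection flow of claims 7-12 over raw DNS wire messages: a parser that reports the three abnormal characteristics of claim 11 (packet format error, parse ending before the end of the UDP payload, forward compression pointer), extraction of the five connection characteristics of claim 12 when the message parses cleanly, a statistical value compared against a threshold (claim 10), and the per-client-IP state machine of claims 7-9 (existing alarm information, first identifier, second identifier). The per-feature cutoffs, the threshold, the scoring rule (count of features over their cutoff), the hostname-byte alphabet and all sample messages are assumptions constructed for the example; the patent does not specify them.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Bytes allowed in an ordinary hostname label; anything else counts as "binary data" in the QNAME (assumed alphabet).
HOSTNAME_BYTES = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")
# Per-feature cutoffs, scoring rule and threshold are assumptions for this example, not values from the patent.
CUTOFFS = {"labels": 5, "qname_len": 60, "binary_bytes": 0, "rdata_bytes": 512, "cname_count": 3}
THRESHOLD = 2


def parse_name(buf, off):
    """Decode a possibly compressed name at `off`; return (labels, offset just after the name)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of payload")
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: compression pointer
            if off + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | buf[off + 1]
            if end is None:
                end = off + 2                           # the name ends after its first pointer
            if target >= off:                           # RFC 1035 only allows pointers to earlier data
                raise ValueError("forward compression pointer")
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:
            return labels, (end if end is not None else off + 1)
        if off + 1 + length > len(buf):
            raise ValueError("label runs past end of payload")
        labels.append(bytes(buf[off + 1:off + 1 + length]))
        off += 1 + length


def parse_dns(payload):
    """Return (abnormal characteristics per claim 11, connection characteristics per claim 12)."""
    anomalies = []
    feats = {"labels": 0, "qname_len": 0, "binary_bytes": 0, "rdata_bytes": 0, "cname_count": 0}
    try:
        if len(payload) < 12:
            raise ValueError("header shorter than 12 bytes")
        _, _, qd, an, ns, ar = struct.unpack(">HHHHHH", payload[:12])
        off = 12
        for _ in range(qd):
            labels, off = parse_name(payload, off)
            if off + 4 > len(payload):
                raise ValueError("truncated question")
            off += 4                                    # QTYPE + QCLASS
            feats["labels"] = max(feats["labels"], len(labels))
            feats["qname_len"] = max(feats["qname_len"], len(b".".join(labels)))
            feats["binary_bytes"] += sum(1 for lab in labels for b in lab if b not in HOSTNAME_BYTES)
        for _ in range(an + ns + ar):                   # answer, authority and additional RRs share one layout
            _, off = parse_name(payload, off)
            if off + 10 > len(payload):
                raise ValueError("truncated resource record header")
            rtype, _, _, rdlen = struct.unpack(">HHIH", payload[off:off + 10])
            off += 10
            if off + rdlen > len(payload):
                raise ValueError("RDATA runs past end of payload")
            feats["rdata_bytes"] += rdlen
            feats["cname_count"] += int(rtype == 5)     # CNAME
            off += rdlen
        if off != len(payload):                         # trailing bytes nothing in the message accounts for
            anomalies.append("parse ended before end of UDP payload")
    except ValueError as exc:
        msg = str(exc)
        anomalies.append(msg if "forward" in msg else "packet format error: " + msg)
    return anomalies, feats


def anomaly_score(feats):
    """Statistical analysis value (assumed rule): number of connection features above their cutoff."""
    return sum(1 for key, cutoff in CUTOFFS.items() if feats[key] > cutoff)


@dataclass
class ClientRecord:
    has_alarm: bool = False        # alarm information already recorded for this client IP
    marker: Optional[str] = None   # None, "first" or "second" identifier (claims 8-9)


def assess(client_ip, payload, clients, threshold=THRESHOLD):
    """Run the claim 7-10 flow for one DNS message from client_ip; returns the action taken."""
    rec = clients.setdefault(client_ip, ClientRecord())
    anomalies, feats = parse_dns(payload)
    # Statistical analysis is only consulted when parsing found no abnormal characteristics (claim 10).
    if not anomalies and anomaly_score(feats) <= threshold:
        return "normal"
    if rec.has_alarm:
        return "apt_alarm"                            # claim 7
    if rec.marker is None:
        rec.marker = "first"                          # claim 8
        return "first_identifier_added"
    rec.marker = "second"                             # claim 9: flagged for security clearance
    return "second_identifier_security_clearance"


# Constructed sample messages (not captures). Answer names use a backward pointer (0xC00C) to the QNAME.
def encode_name(labels):
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"


def build_reply(qname_labels, answers, trailing=b""):
    body = encode_name(qname_labels) + struct.pack(">HH", 1, 1)
    for rtype, rdata in answers:
        body += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 60, len(rdata)) + rdata
    return struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0) + body + trailing


BENIGN = build_reply([b"www", b"example", b"com"], [(1, bytes([192, 0, 2, 1]))])
TUNNEL = build_reply([bytes(range(0x80, 0xB0)), b"ab12", b"cd34", b"t", b"example", b"net"],
                     [(16, b"\xff" * 520)])            # binary label, six labels, oversized TXT answer
FORWARD_PTR = BENIGN[:33] + b"\xc0\xff" + BENIGN[35:]  # answer name now points forward to offset 255
TRAILING = BENIGN + b"\x00" * 8                        # parse ends 8 bytes before the end of the payload
```

Running `assess("192.0.2.10", TUNNEL, clients)` twice on an otherwise clean client walks it from "first_identifier_added" to "second_identifier_security_clearance"; the same message from a client whose record already carries alarm information returns "apt_alarm". The parser deliberately refuses to follow a forward pointer rather than just flagging it, since a pointer into data that has not been parsed yet is exactly the construct that loops or reads out of bounds in naive decoders.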
CN201811272018.1A 2018-10-30 2018-10-30 Attack detection method and device Active CN111131126B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811272018.1A CN111131126B (en) 2018-10-30 2018-10-30 Attack detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811272018.1A CN111131126B (en) 2018-10-30 2018-10-30 Attack detection method and device

Publications (2)

Publication Number Publication Date
CN111131126A (en) 2020-05-08
CN111131126B (en) 2022-02-08

Family

ID=70484321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811272018.1A Active CN111131126B (en) 2018-10-30 2018-10-30 Attack detection method and device

Country Status (1)

Country Link
CN (1) CN111131126B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103957195A (en) * 2014-04-04 2014-07-30 上海聚流软件科技有限公司 DNS system and defense method and device for DNS attack
CN104219200A (en) * 2013-05-30 2014-12-17 杭州迪普科技有限公司 Device and method for protection from DNS cache attack
US20150229668A1 (en) * 2012-11-07 2015-08-13 Trusteer, Ltd. DEFENSE AGAINST DNS DoS ATTACK
CN106992955A (en) * 2016-01-20 2017-07-28 深圳市中电智慧信息安全技术有限公司 APT fire walls
CN108632224A (en) * 2017-03-23 2018-10-09 中兴通讯股份有限公司 A kind of APT attack detection methods and device

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111600865A (en) * 2020-05-11 2020-08-28 杭州安恒信息技术股份有限公司 Abnormal communication detection method and device, electronic equipment and storage medium
CN111600865B (en) * 2020-05-11 2022-06-07 杭州安恒信息技术股份有限公司 Abnormal communication detection method and device, electronic equipment and storage medium
CN111726352A (en) * 2020-06-17 2020-09-29 杭州安恒信息技术股份有限公司 Method, apparatus, computer device and medium for visually monitoring probe status
CN111726352B (en) * 2020-06-17 2023-05-26 杭州安恒信息技术股份有限公司 Method, device, computer equipment and medium for visualizing monitoring probe state
CN112202712A (en) * 2020-08-26 2021-01-08 广东网堤信息安全技术有限公司 Service recovery method based on distributed health state detection in cloud protection field
CN112887310A (en) * 2021-01-27 2021-06-01 华南理工大学 Method, device and medium for improving network attack risk assessment efficiency
CN114095274A (en) * 2021-12-10 2022-02-25 北京天融信网络安全技术有限公司 Attack studying and judging method and device
CN114095274B (en) * 2021-12-10 2023-11-10 北京天融信网络安全技术有限公司 Attack studying and judging method and device

Also Published As

Publication number Publication date
CN111131126B (en) 2022-02-08

Similar Documents

Publication Publication Date Title
CN111131126B (en) Attack detection method and device
CN109829310B (en) Similar attack defense method, device, system, storage medium and electronic device
WO2018113594A1 (en) Method and device for defending dns attack and storage medium
Morris et al. Deterministic intrusion detection rules for MODBUS protocols
US9124621B2 (en) Security alert prioritization
CN102624706B (en) Method for detecting DNS (domain name system) covert channels
EP2850781B1 (en) Methods, systems, and computer readable media for measuring detection accuracy of a security device using benign traffic
CN106936791B (en) Method and device for intercepting malicious website access
TW201703465A (en) Network anomaly detection
TW201603529A (en) Packet logging
CN112019516B (en) Access control method, device, equipment and storage medium for shared file
CN103152325B (en) Prevent the method by sharing mode access the Internet and device
CN109561097B (en) Method, device, equipment and storage medium for detecting security vulnerability injection of structured query language
US20240146753A1 (en) Automated identification of false positives in dns tunneling detectors
US9385993B1 (en) Media for detecting common suspicious activity occurring on a computer network using firewall data and reports from a network filter device
CN112668005A (en) Webshell file detection method and device
CN113411297A (en) Situation awareness defense method and system based on attribute access control
CN114301700B (en) Method, device, system and storage medium for adjusting network security defense scheme
CN114157501B (en) Parameter analysis method and device based on TianRui database
CN110022319B (en) Attack data security isolation method and device, computer equipment and storage equipment
CN112966260A (en) Data security agent system and method based on domestic trusted computing platform
CN115017502A (en) Flow processing method and protection system
CN109756483B (en) Safety protection method aiming at MELASEC protocol
CN113328976B (en) Security threat event identification method, device and equipment
CN114338233A (en) Network attack detection method and system based on flow analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant