CN111163114A - Method and apparatus for detecting network attacks - Google Patents


Info

Publication number
CN111163114A
Authority
CN
China
Prior art keywords
value
data stream
feature
unit time
determining
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010253129.9A
Other languages
Chinese (zh)
Inventor
邓之珺
陈虎
盛红利
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202010253129.9A
Publication of CN111163114A
Legal status: Pending

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic; H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/14; H04L63/1408; H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/14; H04L63/1441 Countermeasures against malicious traffic; H04L63/1458 Denial of Service
    • H04L63/16 Implementing security features at a particular protocol layer; H04L63/166 at the transport layer
    • H04L63/16; H04L63/168 above the transport layer

Abstract

Described herein is a method for detecting a network attack, comprising: acquiring a current HTTPS data stream directed at an access site within a predetermined time period; extracting features of multiple dimensions of the current HTTPS data stream from the data transmitted in plaintext in the current HTTPS data stream; determining a classification value for each respective dimension of the multiple dimensions of features, the classification value representing whether the current HTTPS data stream is an anomalous data stream in the respective dimension; and determining, from the classification values of the features of the multiple dimensions, whether a network attack directed at the access site has occurred within the predetermined time period.

Description

Method and apparatus for detecting network attacks
Technical Field
The present disclosure relates to the field of network security, and in particular, to a method and apparatus for detecting network attacks.
Background
A CC attack (Challenge Collapsar) is a kind of DDoS (Distributed Denial of Service) attack: a special application-layer attack method aimed at network services. The attacker continuously sends a large number of requests to the victim host through proxy servers or compromised hosts ("zombies"), so that server resources are exhausted and the server eventually goes down, achieving the denial of service.
Further, in recent years, as users' security requirements have increased, more and more network services have switched from plaintext HTTP (HyperText Transfer Protocol) to encrypted HTTPS (HyperText Transfer Protocol over Secure Socket Layer). HTTPS secures the transmission process through transport encryption and identity authentication. At the same time, HTTPS-based CC attacks are also growing rapidly, and because the server must spend additional resources on authentication, encryption and decryption, an HTTPS-based CC attack is cheaper for the attacker and more harmful to the server.
Disclosure of Invention
Because current mainstream detection systems need to analyze message content, the HTTPS server to be protected must upload its certificate and private key to the detection system, which decrypts the messages with them and analyzes them further, thereby triggering detection alarms and protection. This approach has many problems: the user has to provide the server's certificate and private key to the detection system, which is troublesome to configure and hard to maintain; the communication between client and server is visible to the detection system in plaintext, so the confidentiality principle of HTTPS is lost; and the detection system spends a large amount of resources on decryption and encryption, which may degrade network performance.
In view of the above, the present disclosure provides methods and apparatus for detecting network attacks that are intended to overcome some or all of the above deficiencies, and possibly others.
According to a first aspect of the present disclosure, there is provided a method for detecting a network attack, comprising: acquiring a current HTTPS data stream directed at an access site within a predetermined time period; extracting features of multiple dimensions of the current HTTPS data stream from the data transmitted in plaintext in the current HTTPS data stream; determining a classification value for each respective dimension of the multiple dimensions of features, the classification value representing whether the current HTTPS data stream is an anomalous data stream in the respective dimension; and determining, from the classification values of the features of the multiple dimensions, whether a network attack directed at the access site has occurred within the predetermined time period.
According to a second aspect of the present disclosure, there is provided an apparatus for detecting a network attack, comprising: an acquisition module configured to acquire a current HTTPS data stream directed at an access site within a predetermined time period; an extraction module configured to extract features of multiple dimensions of the current HTTPS data stream from the data transmitted in plaintext in the current HTTPS data stream; a classification module configured to determine a classification value for each respective dimension of the multiple dimensions of features, the classification value representing whether the current HTTPS data stream is an anomalous data stream in the respective dimension; and a determination module configured to determine, from the classification values of the features of the multiple dimensions, whether a network attack directed at the access site has occurred within the predetermined time period.
In some embodiments, the length of the predetermined time period is greater than or equal to the length of a unit time window, and the extraction of the features of the multiple dimensions of the HTTPS data stream is performed per unit time window.
In some embodiments, the features of the multiple dimensions include at least two selected from: the HTTPS request count or connection count per unit time window; the information entropy of the source IP (Internet Protocol) address or of the source port number per unit time window; the duration of the data flow on the HTTPS connection per unit time window; the packet rate on the HTTPS connection per unit time window; the growth rate of the HTTPS request count or connection count between adjacent unit time windows; the distribution vector of the inter-packet interval on the HTTPS connection per unit time window; the packet length distribution vector of the packets in the HTTPS data stream per unit time window; the distribution vector of the transport layer encryption protocol in the HTTPS data stream per unit time window; the distribution vector of the candidate encryption suites in the HTTPS data stream per unit time window; and the distribution vector of the extension fields in the HTTPS data stream per unit time window.
In some embodiments, the classification module is configured to, in response to the feature of the respective dimension being one of the HTTPS request count or connection count per unit time window, the information entropy of the source IP address or source port number, the duration of the data flow on the HTTPS connection, and the packet rate on the HTTPS connection: determine, from the maximum baseline value of the feature of the respective dimension, the change points at which the value of the feature changes abruptly, where the current value of the feature at a change point is greater than the maximum baseline value of the feature; determine the cumulative sum, over the change points within the predetermined time period, of the difference between the current value of the feature and its maximum baseline value; and, in response to the cumulative sum being greater than a feature threshold, determine the classification value of the feature of the respective dimension as the value representing that the current HTTPS data stream is an anomalous data stream in the respective dimension.
In some embodiments, the classification module is configured to obtain the maximum baseline value by: acquiring historical HTTPS data streams directed at the access site; for each respective statistical period of a plurality of statistical periods, obtaining the sum of the mean and the standard deviation of the feature over the historical HTTPS data streams in that statistical period as the first baseline value of the feature for that statistical period; and selecting the largest of the first baseline values of the feature over the plurality of statistical periods as the maximum baseline value.
In some embodiments, the classification module is configured to obtain the feature threshold by: for each respective statistical period of the plurality of statistical periods, obtaining the difference between the mean and the standard deviation of the feature over the historical HTTPS data streams in that statistical period as the second baseline value of the feature for that statistical period; selecting the smallest of the second baseline values of the feature over the plurality of statistical periods as the minimum baseline value; and taking, as the feature threshold, the maximum baseline value plus the difference between the maximum baseline value and the minimum baseline value.
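The following Python example is added to this page as an illustration of the baseline, feature threshold and cumulative-sum rule described in the three preceding paragraphs; it is not code from the patent or from Tencent. The historical statistical periods and the current-period request counts are constructed sample values, the function names are the writer's own, and the population standard deviation is assumed where the text says only "standard deviation".

```python
import statistics

# Constructed sample data (not from the patent): HTTPS request counts per
# unit time window for one access site, grouped into three historical
# statistical periods that are used to derive the baselines.
HISTORICAL_PERIODS = [
    [40, 42, 38, 45, 41, 39, 44, 43],
    [50, 48, 52, 47, 51, 49, 53, 50],
    [45, 47, 44, 46, 48, 45, 47, 46],
]

# Constructed request counts per unit time window over the current
# predetermined time period: a ramp of the kind a request flood produces.
CURRENT_WINDOWS = [48, 50, 55, 70, 95, 120, 130, 125]


def max_baseline(periods):
    """Maximum baseline value: the largest (mean + standard deviation)
    of the feature over any single statistical period."""
    return max(statistics.mean(p) + statistics.pstdev(p) for p in periods)


def min_baseline(periods):
    """Minimum baseline value: the smallest (mean - standard deviation)
    of the feature over any single statistical period."""
    return min(statistics.mean(p) - statistics.pstdev(p) for p in periods)


def feature_threshold(periods):
    """Feature threshold: maximum baseline plus the spread between the
    maximum and minimum baselines, as the page defines it."""
    hi, lo = max_baseline(periods), min_baseline(periods)
    return hi + (hi - lo)


def classify_scalar_feature(current, periods):
    """Classify one scalar feature dimension over the current period.

    Change points are the windows whose value exceeds the maximum baseline.
    The cumulative sum is the total excess over the baseline at those points;
    the dimension is anomalous when that sum exceeds the feature threshold.
    Returns (is_anomalous, cumulative_sum, change_point_indices).
    """
    hi = max_baseline(periods)
    threshold = feature_threshold(periods)
    change_points = [i for i, value in enumerate(current) if value > hi]
    cumulative = sum(current[i] - hi for i in change_points)
    return cumulative > threshold, cumulative, change_points


if __name__ == "__main__":
    flagged, total, points = classify_scalar_feature(CURRENT_WINDOWS, HISTORICAL_PERIODS)
    print(f"max baseline={max_baseline(HISTORICAL_PERIODS):.2f} "
          f"feature threshold={feature_threshold(HISTORICAL_PERIODS):.2f}")
    print(f"change points={points} cumulative excess={total:.2f} anomalous={flagged}")
```

A current series in which no window, or only a single window, exceeds the maximum baseline leaves the cumulative sum far below the threshold, which is what keeps an isolated spike from raising an alarm in this rule.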
In some embodiments, the classification module is configured to, in response to the feature of the respective dimension being one of the distribution vector of the inter-packet interval on the HTTPS connection per unit time window, the packet length distribution vector of the packets in the HTTPS data stream, the distribution vector of the transport layer encryption protocol in the HTTPS data stream, the distribution vector of the candidate encryption suites in the HTTPS data stream, and the distribution vector of the extension fields in the HTTPS data stream: determine a discrepancy value between the vector representing the feature of the respective dimension and a threshold vector representing the threshold for the feature of the respective dimension; and, if the discrepancy value is greater than a discrepancy threshold, determine the classification value of the feature of the respective dimension as the value representing that the current HTTPS data stream is an anomalous data stream in the respective dimension.
In some embodiments, the value of each element of the threshold vector is the maximum baseline value for that element, and the classification module is configured to determine the maximum baseline value for that element by: acquiring historical HTTPS data streams directed at the access site; for each respective statistical period of a plurality of statistical periods, obtaining the sum of the mean and the standard deviation of that element, over the vectors representing the feature of the respective dimension for the historical HTTPS data streams in that statistical period, as the first baseline value of the element for that statistical period; and selecting the largest of the first baseline values of the element over the plurality of statistical periods as the maximum baseline value for the element.
In some embodiments, the classification module is configured to determine the Euclidean distance or the cosine similarity between the vector representing the feature of the respective dimension and the threshold vector as the discrepancy value.
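The following Python example, added here and not part of the patent or of Tencent's implementation, works the distribution-vector rule of the preceding three paragraphs through on constructed data: it builds the element-wise threshold vector from two constructed statistical periods and compares a current window against it with either the Euclidean distance or the cosine similarity. Because a cosine similarity of 1 means identical direction, the example uses 1 minus the cosine similarity as the discrepancy value so that both metrics grow as the vectors diverge; that conversion, the population standard deviation, and all names and values are assumptions of the example.

```python
import math
import statistics

# Constructed sample data (not from the patent): per-window distribution
# vectors of the transport layer protocol version offered by clients, as
# fractions over [SSLv3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3], grouped into
# two historical statistical periods of three windows each.
HISTORICAL_VECTORS = [
    [[0.00, 0.02, 0.03, 0.70, 0.25],
     [0.00, 0.03, 0.02, 0.72, 0.23],
     [0.00, 0.02, 0.02, 0.71, 0.25]],
    [[0.00, 0.01, 0.04, 0.68, 0.27],
     [0.00, 0.02, 0.03, 0.69, 0.26],
     [0.00, 0.01, 0.03, 0.70, 0.26]],
]

# Constructed current-window vectors: one ordinary window and one in which
# most ClientHellos come from a single unusual client profile.
NORMAL_WINDOW = [0.00, 0.02, 0.03, 0.70, 0.25]
FLOOD_WINDOW = [0.00, 0.60, 0.05, 0.30, 0.05]


def threshold_vector(periods):
    """Element-wise threshold: for each element, the largest (mean + standard
    deviation) of that element over any single statistical period."""
    dims = len(periods[0][0])
    result = []
    for j in range(dims):
        baselines = []
        for period in periods:
            column = [vector[j] for vector in period]
            baselines.append(statistics.mean(column) + statistics.pstdev(column))
        result.append(max(baselines))
    return result


def euclidean_distance(a, b):
    """Euclidean distance between two equal-length vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def cosine_distance(a, b):
    """1 - cosine similarity, so that a larger value means more different;
    this turns the page's cosine similarity into a discrepancy value."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 1.0  # a zero vector has no direction; treat as fully different
    return 1.0 - dot / (norm_a * norm_b)


def classify_vector_feature(current, periods, discrepancy_threshold, metric="euclidean"):
    """Return (is_anomalous, discrepancy) for one distribution-vector feature."""
    reference = threshold_vector(periods)
    if metric == "euclidean":
        discrepancy = euclidean_distance(current, reference)
    elif metric == "cosine":
        discrepancy = cosine_distance(current, reference)
    else:
        raise ValueError(f"unknown metric: {metric}")
    return discrepancy > discrepancy_threshold, discrepancy


if __name__ == "__main__":
    print("threshold vector:", [round(v, 4) for v in threshold_vector(HISTORICAL_VECTORS)])
    for label, window in (("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW)):
        for metric in ("euclidean", "cosine"):
            flagged, value = classify_vector_feature(window, HISTORICAL_VECTORS, 0.1, metric)
            print(f"{label:6s} {metric:9s} discrepancy={value:.4f} anomalous={flagged}")
```

The discrepancy threshold (0.1 in the example) is the one free parameter of this rule; a single window dominated by one protocol version moves the vector far from the reference under both metrics, while a normal window stays within the spread captured by the standard deviation.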
In some embodiments, the classification module is configured to, in response to the feature of the respective dimension being the growth rate of the HTTPS request count or connection count between adjacent unit time windows: when the growth rate is greater than a growth rate threshold, determine the classification value of the feature of the respective dimension as the value representing that the current HTTPS data stream is an anomalous data stream in the respective dimension.
According to a third aspect of the present disclosure, there is provided a computing device comprising a processor; and a memory configured to have computer-executable instructions stored thereon that, when executed by the processor, perform any of the methods described above.
According to a fourth aspect of the present disclosure, there is provided a computer-readable storage medium storing computer-executable instructions that, when executed, perform any of the methods described above.
According to the method and apparatus for detecting a network attack disclosed herein, attacks directed at a specific access site, in particular HTTPS CC attacks, are detected using features of multiple dimensions without the HTTPS messages having to be decrypted. On the one hand this avoids leaking network data and preserves the security of the network communication; on the other hand it can greatly improve the accuracy and sensitivity of detection, avoiding false alarms and missed detection of low-volume attacks.
These and other advantages of the present disclosure will become apparent from and elucidated with reference to the embodiments described hereinafter.
Drawings
Embodiments of the present disclosure will now be described in more detail and with reference to the accompanying drawings, in which:
fig. 1 illustrates an exemplary application scenario in which a technical solution according to an embodiment of the present disclosure may be implemented;
FIG. 2 illustrates a schematic flow chart diagram of a method for detecting a network attack in accordance with one embodiment of the present disclosure;
FIG. 3 illustrates a schematic diagram of a handshake process of a transport layer encryption protocol;
FIG. 4 illustrates a schematic diagram of a method for determining classification values of features of respective dimensions according to one embodiment of the present disclosure;
FIG. 5 illustrates a schematic diagram of a method for determining classification values of features of respective dimensions according to another embodiment of the present disclosure;
FIG. 6 illustrates an exemplary logical architecture diagram of a method for detecting a network attack according to one embodiment of the present disclosure;
FIG. 7 illustrates an exemplary block diagram of an apparatus for detecting cyber attacks according to one embodiment of the present disclosure;
fig. 8 illustrates an example system that includes an example computing device that represents one or more systems and/or devices that may implement the various techniques described herein.
Detailed Description
The following description provides specific details for a thorough understanding and enabling description of various embodiments of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these details. In some instances, well-known structures and functions have not been shown or described in detail to avoid unnecessarily obscuring the description of the embodiments of the disclosure. The terminology used in the present disclosure is to be understood in its broadest reasonable manner, even though it is being used in conjunction with a particular embodiment of the present disclosure.
First, some terms referred to in the embodiments of the present application are explained to facilitate understanding by those skilled in the art.
Distributed Denial of Service (DDoS) attacks are network attacks used to bring down a server. The nature of a DDoS attack is that a large number of seemingly legitimate requests are sent to the server from distributed clients, so that a large amount of the server's resources are consumed or occupied for a long time and the server refuses to serve legitimate users. There are many DDoS attack modes, which can be divided into two main categories: resource consumption and bandwidth congestion. A resource consumption DDoS attack uses apparently reasonable service requests to occupy excessive service resources, so that the service requests of legitimate users cannot be answered; a bandwidth congestion DDoS attack sends massive numbers of data packets to the server in a short time, saturating the uplink bandwidth of the data center so that normal business traffic drops sharply, thereby achieving the denial of service.
Euclidean distance: also called the Euclidean metric. It is a commonly used definition of distance, referring to the true distance between two points in m-dimensional space, or the natural length of a vector (i.e., the distance of a point from the origin), where m is a positive integer. In two and three dimensions the Euclidean distance is the actual distance between two points.
Cosine similarity: the similarity between two vectors, measured as the cosine of the angle between them. If the two vectors have the same direction, their cosine similarity is 1; if the angle between them is 90 degrees, their cosine similarity is 0; if their directions are opposite, their cosine similarity is -1.
Information entropy: describes the uncertainty of a variable and can be used to measure the dispersion of the set of values the variable takes, thus reflecting the degree of disorder of the variable's values. The more ordered and concentrated the elements of a set, the smaller the information entropy; the more disordered and dispersed the elements, the larger the information entropy.
Ensemble learning: an algorithm that combines multiple weakly supervised models in order to obtain a better and more comprehensive strongly supervised model. The underlying idea of ensemble learning is that even if one weak classifier makes a wrong prediction, the other weak classifiers can correct the error.
SSL: SSL (Secure Sockets Layer) is a security protocol that provides security and data integrity for network communications. SSL encrypts the network connection between the transport layer and the application layer.
TLS: TLS (Transport Layer Security) is the successor of SSL and is a security protocol that provides security and data integrity for network communications, encrypting network connections between the transport layer and the application layer.
TCP: TCP (Transmission Control Protocol) is a connection-oriented, reliable transport layer communication Protocol based on a byte stream.
Fig. 1 illustrates an exemplary application scenario 100 in which a technical solution according to an embodiment of the present disclosure may be implemented. As shown in fig. 1, the application scenario 100 includes a cluster of service request senders 110, a business processing server 120, a detection system 130, and a network 140. The service request sender cluster 110 comprises a number of user terminal devices, which may include, but are not limited to, mobile phones, tablet computers, desktop computers, and the like. The business processing server 120 is communicatively coupled to the service request sender cluster 110 via the network 140 and is configured to receive and process business service requests from the service request senders. The business processing server 120 may, for example, host one or more access sites (e.g., ordinary web sites), with different access sites having different URLs (Uniform Resource Locators). Each user terminal device is provided with one or more clients for communicating with the access sites on the business processing server. Clients on a portion of the devices in the service request sender cluster 110 may send large-scale network data streams to the business processing server 120. The detection system 130 is configured to inspect the network data flow sent to the business processing server 120, determine whether a DDoS attack exists, and in particular whether a CC attack directed at a specific access site exists, and to send out alarm information when an attack is detected.
As an example, the detection system 130 may make a full (100%) copy of the network data stream sent to the business processing server 120 and then inspect the copied stream. For example, where the business processing server 120 is connected to the network 140 through a network switch and the network data stream sent to the server reaches it through that switch, an optical splitter may be connected in parallel at the switch so that the data stream passing through the switch is copied in full, and the detection system can acquire the copied stream for detection. In some examples, the detection system may unpack the packets in the copied data stream according to the network protocol stack specification in order to select the HTTPS data stream from it.
Further, the SNI field in the HTTPS handshake phase carries information about the access site (i.e., the URL described above). SNI (Server Name Indication) is an extension option of the SSL/TLS protocol, located in the extension field, by which the client tells the server, at the beginning of the handshake, the hostname it is connecting to. Accordingly, the HTTPS data stream directed at a specific access site can be obtained from the selected HTTPS data streams based on the SNI field.
The business processing server 120 may include, but is not limited to, at least one of: PCs and various other servers. The detection system 130 may include, but is not limited to, at least one of: mobile phones, tablet computers, notebook computers, desktop PCs, digital televisions, and the like. The network 140 may be, for example, a Wide Area Network (WAN), a Local Area Network (LAN), a wireless network, a public telephone network, an intranet, or any other type of network known to those skilled in the art.
It should also be noted that the scenario described above is only one example in which the embodiments of the present disclosure may be implemented, and is not limiting. As an example, the detection system may be integrated with a business process server, or the functionality of the detection system may be implemented directly on the business process server.
Fig. 2 illustrates a schematic flow chart diagram of a method 200 for detecting a network attack in accordance with one embodiment of the present disclosure. The method 200 may be implemented, for example, on the detection system 130 of fig. 1. As shown in fig. 2, the method 200 may include the following steps.
In step 201, a current HTTPS data stream directed at an access site within a predetermined time period is obtained. As an example, as described above, the data flow passing through a network switch communicatively coupled to the access site may be copied in full (100%), the data packets in the copied flow may then be unpacked according to the network protocol stack specification so as to select the HTTPS data flow from the copied flow, and finally the HTTPS data flow directed at the access site may be obtained from the selected HTTPS data flow based on the SNI field contained in its data packets. The predetermined time period may be any time period and may be set according to actual needs (for example, the required detection accuracy).
In step 202, features of multiple dimensions of the current HTTPS data stream are extracted from the data transmitted in plaintext in the current HTTPS data stream. In some embodiments, the length of the predetermined time period is greater than or equal to the length of the unit time window on which feature extraction from the HTTPS data stream is performed. As an example, the predetermined time period may be 30 minutes and each unit time window 2 minutes, so that features are extracted from the 30 minutes of data stream in units of 2 minutes. For example, the 2-minute unit time window may be used as a sliding time window, and the features of the multiple dimensions are extracted by sliding it from the 1st minute to the 30th minute of the 30-minute period until extraction is finished. The step of the sliding time window can be chosen as desired; for example, it can likewise be 2 minutes.
It should be noted that in the HTTPS protocol, during the SSL/TLS handshake in which the client requests and verifies a certificate containing the server's public key and the two parties negotiate a session key and encryption algorithm, most of the traffic is transmitted in the clear, apart from the small amount of random-number and key material exchanged. FIG. 3 illustrates a schematic diagram of the transport layer encryption protocol (SSL/TLS) handshake process. As shown in fig. 3, the client initiates the request with a ClientHello message, which contains the version of the transport layer encryption protocol, the candidate list of encryption suites, the candidate list of compression algorithms, a random number, the extension fields, and so on. The server then responds with a ServerHello message and the server's certificate. The client verifies from the returned certificate whether the server is legitimate and determines the version of the transport layer encryption protocol to use. The client sends change_cipher_spec to inform the server that subsequent communication will be encrypted with the negotiated session key and encryption algorithm. The server verifies the data and the key and, once they are verified, also sends change_cipher_spec to inform the client that subsequent communication will be encrypted with the negotiated key and algorithm; the client verifies the data and the key sent by the server, and if the verification passes the handshake is complete. It should be noted that there may be multiple HTTPS connections, and hence multiple such handshakes, within the predetermined time period described above and within each unit time window mentioned below.
It can be seen that the information transmitted in clear text includes at least the version of the transport layer encryption protocol (e.g., the SSL/TLS version), the extension fields of the transport layer encryption protocol (e.g., the TLS extension options mentioned above), the encryption suites, etc., together with information that HTTPS cannot encrypt, such as the TCP/IP header fields, the length of the data carried, the time interval between packets, etc. Detecting attacks from the data transmitted in plaintext removes the need to decrypt messages, as conventional attack detection does, and therefore removes the need for the detection system to hold the server certificate and private key, so the security of the network data is preserved.
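As an added illustration of which ClientHello fields are available without decryption, the following Python code (written for this page, not taken from the patent or from Tencent) assembles a minimal, constructed ClientHello record and then parses out the legacy version, cipher suite list, compression methods, extension types, SNI host name and supported_versions list from the raw bytes. The field layout follows the TLS record and handshake formats; the builder, the all-zero random field and the function names are assumptions of the example.

```python
import struct

SNI_EXTENSION = 0                  # server_name extension type (RFC 6066)
SUPPORTED_VERSIONS_EXTENSION = 43  # supported_versions extension type (RFC 8446)


def build_client_hello(server_name, cipher_suites, supported_versions):
    """Assemble a minimal TLS record carrying a ClientHello. Constructed for
    this example so the parser has offline input: the random field is all
    zeros and no session ID is offered."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
    versions = b"".join(struct.pack("!H", v) for v in supported_versions)
    sv_body = bytes([len(versions)]) + versions
    ext_sv = struct.pack("!HH", SUPPORTED_VERSIONS_EXTENSION, len(sv_body)) + sv_body
    extensions = ext_sni + ext_sv
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                  # legacy client_version (TLS 1.2)
        + bytes(32)                                  # random (zeros, constructed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record):
    """Extract the plaintext fields of a ClientHello from one TLS record.
    Returns a dict, or None if the record is not a ClientHello or is truncated."""
    try:
        if len(record) < 9 or record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        handshake = record[5:5 + rec_len]
        if len(handshake) < 4 or handshake[0] != 0x01:
            return None
        body_len = int.from_bytes(handshake[1:4], "big")
        body = handshake[4:4 + body_len]
        if len(body) != body_len:
            return None                              # truncated capture
        pos = 0
        info = {"client_version": struct.unpack("!H", body[pos:pos + 2])[0],
                "cipher_suites": [], "compression_methods": [], "extensions": [],
                "sni": None, "supported_versions": []}
        pos += 2 + 32                                # skip client_version and random
        pos += 1 + body[pos]                         # skip session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                                 for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        cm_len = body[pos]
        pos += 1
        info["compression_methods"] = list(body[pos:pos + cm_len])
        pos += cm_len
        if pos + 2 > len(body):
            return info                              # no extensions block present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            info["extensions"].append(etype)
            if etype == SNI_EXTENSION and len(data) >= 5:
                name_len = struct.unpack("!H", data[3:5])[0]   # skip list length and name_type
                info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == SUPPORTED_VERSIONS_EXTENSION and len(data) >= 1:
                n = data[0]
                info["supported_versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0]
                                              for i in range(0, n, 2)]
        return info
    except (struct.error, IndexError):
        return None


if __name__ == "__main__":
    record = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F], [0x0304, 0x0303])
    print(parse_client_hello(record))
```

In a deployment the parser would be fed the first TLS record of each copied connection; the SNI selects the records belonging to the protected access site, and the version, cipher suite and extension lists are tallied per unit time window into the distribution vectors named above.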
In some embodiments, the features of the multiple dimensions include at least two selected from: the HTTPS request count or connection count per unit time window; the information entropy of the source IP address or of the source port number per unit time window; the duration of the data flow on the HTTPS connection per unit time window; the packet rate on the HTTPS connection per unit time window; the growth rate of the HTTPS request count or connection count between adjacent unit time windows; the distribution vector of the inter-packet interval on the HTTPS connection per unit time window; the packet length distribution vector of the packets in the HTTPS data stream per unit time window; the distribution vector of the transport layer encryption protocol in the HTTPS data stream per unit time window; the distribution vector of the candidate encryption suites in the HTTPS data stream per unit time window; and the distribution vector of the extension fields in the HTTPS data stream per unit time window. It should be noted that a distribution vector as described herein is typically a multidimensional vector comprising a plurality of elements; for example, an m-dimensional vector typically comprises m elements, m being a positive integer.
The HTTPS request amount is the number of ClientHello messages sent by clients requesting to establish connections, and the HTTPS connection amount is the number of distinct quadruplets (source IP, source port, destination IP, destination port). Measurements on large volumes of network data show that real network traffic is statistically self-similar, i.e. it exhibits long-range correlation, and that this property is broken when a DDoS attack, in particular a CC attack, occurs. Whether a network attack is occurring can therefore largely be detected by counting the fluctuation range of the HTTPS request amount or connection amount in each unit time window.
Information entropy describes the uncertainty of a variable; it measures the dispersion of the measured set and thereby reflects the degree of disorder of a system. When a DDoS attack (particularly a CC attack) occurs, the distributed source IP addresses greatly increase the uncertainty of the source IP address (i.e., the information entropy of the source IP address increases), so the attack characteristics can be reflected to a certain extent by calculating the information entropy of the source IP addresses of the data stream in each unit time window. In addition, to improve attack efficiency an attacker may use many ports on a single IP address, so the information entropy of the source port number also reflects attack characteristics to a certain extent. Taking the S consecutive source IP addresses counted in a unit time window as an example, for a set of S samples (source IP addresses), let [formula image not reproduced] be the number of occurrences of sample i, [formula image not reproduced], where N is the number of IP addresses; the information entropy of the source IP address of the set of samples is then [formula image not reproduced]. The information entropy of the source port number is calculated in the same way.
The duration of a data flow on an HTTPS connection is the time from establishing the connection to disconnecting it. Since an attacker aims to exhaust server resources by continuously sending large numbers of requests, the attacker's connections last longer than those of normal users, and attack characteristics can be reflected to a certain extent by analysing how the flow duration in the data stream changes. There may be multiple HTTPS connections in a unit time window, in which case the duration of the data flow on the HTTPS connections in that unit time window is the average of the flow durations of the data flows on those connections.
The rate of data packets on an HTTPS connection is the transmission rate of packets (i.e., the number of packets per unit time). The packet rates of attack traffic and normal traffic differ to a certain extent, and attack characteristics can be reflected to a certain extent by analysing how the packet rate in the data stream changes. There may be multiple HTTPS connections in a unit time window, in which case the rate of packets on the HTTPS connections in that unit time window is the average of the packet rates on those connections.
Since the HTTPS request amount or connection number increases suddenly when a DDoS attack (particularly a CC attack) occurs, the growth rate of the HTTPS request amount or connection number between adjacent unit time windows is introduced; it filters out the false alarms caused by a normal increase of the request amount or connection number while still sensing the sudden increase (i.e., an excessive growth rate) that accompanies an attack. The growth rate may be obtained by separately calculating a first request amount or connection number for a first unit time window and a second request amount or connection number for the adjacent second unit time window, then dividing the difference between the second and the first by the time difference between the second unit time window and the first unit time window.
Normally the packet length fluctuates within a certain range, whereas in an attack the lengths cluster, typically around a fixed size. If the packet length distribution fluctuates strongly, the data flow is to some extent abnormal, so analysing the packet length distribution vector of the packets in the HTTPS data stream per unit time window may reflect attack characteristics to some extent. The value range of the packet length may be divided into a plurality of packet length intervals, which may be equal or unequal in width; each element term of the packet length distribution vector corresponds to one packet length interval, and its value is the number of data packets in the data stream whose length falls in that interval. As an example, with every packet length interval 150 bytes wide, the 0-1500 byte value range of the packet length is divided into 10 intervals, i.e. the packet length distribution vector has 10 element terms. The 1st element term corresponds to the 0-150 byte interval and its value is the number of packets with a length of 0-150 bytes; the 2nd element term corresponds to the 150-300 byte interval and its value is the number of packets with a length of 150-300 bytes; and so on, up to the 10th element term, which corresponds to the 1350-1500 byte interval.
Because normal user behaviour is variable, the time differences between adjacent data packets arriving at the server on an HTTPS connection vary widely, whereas an attacker mostly uses scripts to send requests automatically, so the packet intervals are uniform; the distribution vector of the interval time of data packets on the HTTPS connections per unit time window can therefore reflect attack characteristics to a certain extent. As an example, this distribution vector may be constructed in the same way as the packet length distribution vector above: the value range of the interval time is divided into a plurality of interval-time intervals, which may be equal or unequal in width; each element term of the distribution vector corresponds to one interval-time interval, and its value is the number of packet intervals in the data stream that fall in that interval.
The major transport layer encryption protocols currently are TLS1.0, TLS1.1, TLS1.2, SSL2.0 and SSL3.0, TLS1.2 being the most used. The SSL/TLS versions used by attack traffic and normal traffic differ to a certain extent: an attacker tends to use an older-version SSL/TLS component to save resources, so attack characteristics can be reflected to a certain extent by analysing the distribution vector of the transport layer encryption protocol in the HTTPS data stream per unit time window. As an example, each element term of this distribution vector may correspond to one encryption protocol, and its value may be the number of occurrences of that protocol.
The encryption suite is the combination of cryptographic algorithms used by the server and client in SSL communication. At the start of the SSL handshake the client sends the list of encryption suites it supports to the server, and the server selects one of them according to its own configuration as the encryption mode to be used subsequently. These algorithms include authentication algorithms, key exchange algorithms, symmetric algorithms, digest algorithms and the like. The number and types of encryption suites used by attack traffic and normal traffic differ to a certain extent: an attacker tends to use simpler encryption algorithms and fewer encryption suites so as to attack with the lowest resource consumption. Analysing the distribution vector of the candidate encryption suites in the HTTPS data stream per unit time window can therefore reflect attack characteristics to some extent. As an example, each element term of this distribution vector may correspond to one type of encryption suite, and its value may be the number of occurrences of that suite.
Extension fields (extensions) are mainly used to declare support for new protocol functions or to carry extra data needed in the handshake in progress, such as the extension options described above like SNI. TLS extension fields allow the protocol to add functionality without changing its basic behaviour. The extension fields used by attack traffic and normal traffic differ to a certain extent, so attack characteristics can be reflected to a certain extent by analysing the distribution vector of the extension fields in the HTTPS data stream per unit time window. As an example, each element term of the distribution vector of the extension fields may correspond to one extension option, and its value may be the number of occurrences of that extension option.
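The per-window features described above, carried through on constructed flow records as an added worked example in Python (this is not code from the patent or its assignee). It assumes a constructed FlowRecord layout holding the plaintext fields the text names, assumes Shannon entropy in bits for the information entropy (the page shows that formula only as an image), and uses 150-byte packet length intervals over 0-1500 bytes; the sample windows and addresses are constructed.

```python
"""Per-window feature extraction from the plaintext fields of HTTPS traffic.
Added example (not the patent's code); the FlowRecord layout is constructed."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FlowRecord:
    """One HTTPS connection seen in a unit time window (constructed layout).
    The destination IP/port are those of the monitored access site, so only
    the source half of the quadruplet is stored."""
    src_ip: str
    src_port: int
    client_hellos: int           # ClientHello messages on this connection
    duration_s: float            # seconds from connection setup to teardown
    packet_lengths: List[int]    # length in bytes of each packet (from the TCP/IP headers)
    tls_version: str             # plaintext record-layer version, e.g. "TLS1.2"
    extensions: Tuple[str, ...]  # extension types offered in the ClientHello


def entropy_bits(samples) -> float:
    """Shannon entropy in bits of a sample set. The page gives the entropy
    formula only as an image, so the standard base-2 definition is assumed."""
    counts = Counter(samples)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def length_distribution(lengths, bucket=150, max_len=1500) -> List[int]:
    """Packet length distribution vector: ten 150-byte intervals over
    0-1500 bytes, each element counting the packets in its interval
    (a 1500-byte packet is placed in the last interval)."""
    n = max_len // bucket
    vec = [0] * n
    for length in lengths:
        vec[min(length // bucket, n - 1)] += 1
    return vec


def window_features(flows: List[FlowRecord]) -> Dict[str, object]:
    """Scalar and vector features of one unit time window."""
    all_lengths = [l for f in flows for l in f.packet_lengths]
    return {
        "requests": sum(f.client_hellos for f in flows),
        "connections": len({(f.src_ip, f.src_port) for f in flows}),
        "src_ip_entropy": entropy_bits(f.src_ip for f in flows),
        "src_port_entropy": entropy_bits(f.src_port for f in flows),
        "mean_duration_s": sum(f.duration_s for f in flows) / len(flows),
        "mean_packet_rate": sum(len(f.packet_lengths) / f.duration_s
                                for f in flows) / len(flows),
        "length_vector": length_distribution(all_lengths),
        "tls_version_vector": dict(Counter(f.tls_version for f in flows)),
        "extension_vector": dict(Counter(e for f in flows for e in f.extensions)),
    }


def growth_rate(prev_requests: int, cur_requests: int, window_s: float = 60.0) -> float:
    """Growth rate of the request amount between adjacent unit time windows:
    (second amount - first amount) / time difference between the windows."""
    return (cur_requests - prev_requests) / window_s


# Constructed sample windows of one minute each; addresses are documentation ranges.
NORMAL_WINDOW = [
    FlowRecord("203.0.113.10", 40001, 1, 12.0, [517, 1500, 1500, 300, 80], "TLS1.2", ("server_name", "alpn")),
    FlowRecord("203.0.113.10", 40002, 1, 3.5, [517, 1200, 90], "TLS1.2", ("server_name", "alpn")),
    FlowRecord("198.51.100.7", 51000, 1, 45.0, [517, 1500, 1500, 1500, 700, 64], "TLS1.2", ("server_name",)),
]
ATTACK_WINDOW = [  # six distinct sources, long-lived connections, downgraded TLS, tiny packets
    FlowRecord(f"192.0.2.{i}", 30000 + i, 1, 120.0, [517, 64, 64, 64, 64], "TLS1.0", ("server_name",))
    for i in range(1, 7)
]

if __name__ == "__main__":
    for name, win in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        print(name, window_features(win))
    print("growth rate per second:", growth_rate(window_features(NORMAL_WINDOW)["requests"],
                                                 window_features(ATTACK_WINDOW)["requests"]))
```

Running the script prints both feature sets side by side: the attack window has a source IP entropy of log2(6) against about 0.92 for the normal window, a TLS version vector concentrated on TLS1.0, and a packet length vector concentrated in the first interval, which is the kind of per-dimension contrast the later classification steps work from.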
The inventors have found that the above-described features transmitted in clear text are well suited to detecting DDoS attacks directed at an access site. Judging comprehensively, from features of multiple dimensions, whether the current HTTPS data stream is an attack data stream greatly improves detection accuracy and avoids the detection errors caused by relying on a feature of a single dimension.
At step 203, a classification value is determined for the feature of each respective dimension of the plurality of dimensions; the classification value indicates whether the current HTTPS data flow is an abnormal data flow in that dimension. As an example, a classification value of 1 may indicate that the current HTTPS data flow is an abnormal data flow in the corresponding dimension, and a classification value of 0 that it is not. The specific values used are not limiting.
As an example, if the feature of the corresponding dimension is a growth rate of an HTTPS request amount or a connection number of adjacent unit time windows, when the growth rate is greater than a growth rate threshold, the classification value for the feature of the corresponding dimension is determined as a value 1 indicating that the HTTPS data flow is an abnormal data flow in the corresponding dimension.
In step 204, whether a network attack on the access site has occurred within the predetermined time period is determined from the classification values of the features of the plurality of dimensions. In some embodiments, a weighted sum of the classification values of the features of the plurality of dimensions is first determined, and if the weighted sum is greater than a weighted sum threshold, it is determined that a network attack against the access site has occurred within the predetermined time period. When calculating the weighted sum, the weights given to the classification values of the features of the respective dimensions may be the same or different, and are set in advance as needed.
Determining whether a network attack occurs by weighted voting has two benefits: the judgment results obtained from the features of multiple dimensions are combined effectively, and different weights can be set for the features of different dimensions, for example raising the weight of a feature that better reflects abnormal data flows so that it carries more weight in the determination; this lowers the false alarm rate and improves the accuracy of network attack detection.
As an example, if the features of the multiple dimensions are the HTTPS request amount per unit time window (classification value 1, weight 0.3), the information entropy of the source IP address per unit time window (classification value 1, weight 0.2), the duration of the data flows on the HTTPS connections per unit time window (classification value 0, weight 0.4) and the rate of data packets on the HTTPS connections per unit time window (classification value 1, weight 0.1), the weighted sum of the classification values of the features of the multiple dimensions is 1 × 0.3 + 1 × 0.2 + 0 × 0.4 + 1 × 0.1 = 0.6. Assuming the weighted sum threshold is 0.5, it is determined that a network attack against the access site has occurred within the predetermined time period.
In some embodiments, ensemble learning may be used: a plurality of classification models each determine, from the features of the multiple dimensions, whether the data stream is abnormal, and the classification results of the multiple dimensions are then aggregated to comprehensively determine whether a network attack occurs.
According to the technical scheme described in the embodiments of the disclosure, attacks aimed at a specific access site, especially HTTPS CC attacks, are detected from features of multiple dimensions without decrypting the HTTPS messages; on the one hand this avoids leaking network data and preserves the security of network communication, and on the other hand it greatly improves the accuracy and sensitivity of detection, avoiding false alarms and the missed detection of low-rate attacks.
Fig. 4 illustrates a schematic diagram of a method 400 for determining the classification value of the feature of a respective dimension according to one embodiment of the present disclosure. The method is suited to the case where the feature of the corresponding dimension is one of: the HTTPS request amount or connection number per unit time window, the information entropy of the source IP address or source port number, the duration of data flows on the HTTPS connection, and the rate of data packets on the HTTPS connection. The method may be used to implement step 203 of method 200 described with reference to fig. 2. As shown in fig. 4, the method includes the following steps.
In step 401, a mutation point, at which the value of the feature of the corresponding dimension changes abruptly, is determined from the maximum baseline value of the feature of the corresponding dimension; at the mutation point the current value of the feature is greater than the baseline value of the feature. The maximum baseline value is the upper limit of the normal fluctuation range of the value of the feature, and similarly the minimum baseline value is the lower limit of that normal fluctuation range.
In some embodiments, the maximum baseline value and the minimum baseline value may be determined from historical HTTPS data streams obtained for the visited site. The historical HTTPS data stream may be historically cached on the detection system or on a storage device linked to the detection system as the data stream for the visited site is received. For example, the historical HTTPS data streams may be data streams within a particular time period prior to the current HTTPS data stream, such as within 7 days prior to the current HTTPS data stream. In other embodiments, the maximum baseline value and the minimum baseline value may also be determined as needed and empirically, which is not limiting.
Optionally, the historical HTTPS data stream may also be a processed data stream obtained by performing at least one of noise reduction processing and bad value removal processing on a historical data stream for the visited station.
The noise reduction process may include: according to the preset destination access site, deleting from the data stream the traffic whose destination address is not the access site. In addition, miscellaneous network traffic (e.g., traffic of non-HTTPS protocols) and DDoS attack traffic may be removed from the data stream.
The bad value removal process may include: removing suspicious values, which may be erroneous or attack traffic, from the data stream, thereby increasing the adaptation speed. Specifically, in a set of n repeatedly measured data, let the residual [formula image not reproduced] with the largest absolute value be [formula image not reproduced]. At a confidence level p = 0.99 or p = 0.95, i.e. a significance level α = 1 - p = 0.01 or 0.05, the sample with residual [formula image not reproduced] is judged to be an outlier if it satisfies [formula image not reproduced], where δ is the experimentally obtained standard deviation and G(α, n) is the critical value taken from the table of the Charles criterion. After removing [formula image not reproduced], bad value removal continues in the same way until [formula image not reproduced] holds.
It should be understood that the historical HTTPS data stream is continuously updated over time, for example, the current HTTPS data stream described above (optionally after being subjected to noise reduction processing and bad value removal processing) becomes part of the historical HTTPS data stream for the next predetermined period of time, so that the thresholds for the features of the various dimensions are recalculated based on the updated historical HTTPS data stream. In this way, dynamic thresholds of different dimensions can be established for each visiting site, and the dynamic thresholds can be made adaptive to the business scenario of each visiting site.
As an example of determining the maximum baseline value and the minimum baseline value, the historical HTTPS data streams for the access site are obtained first. Then, for each respective statistical period of a plurality of statistical periods, the mean [formula image not reproduced] and standard deviation [formula image not reproduced] of the feature of the historical HTTPS data stream over that statistical period are obtained, and their sum is taken as the first baseline value [formula image not reproduced] of the feature for that statistical period; the largest of the first baseline values over the plurality of statistical periods is selected as the maximum baseline value [formula image not reproduced]. Here [formula image not reproduced], where x represents the value of the feature of the corresponding dimension of the HTTPS data stream, i is the index of the value, i is a positive integer, n is the total number of values of the feature acquired, and Σ is the summation sign. Similarly, for each respective statistical period, the mean [formula image not reproduced] and standard deviation [formula image not reproduced] of the feature over that statistical period are obtained, and their difference is taken as the second baseline value [formula image not reproduced] of the feature for that statistical period; the smallest of the second baseline values over the plurality of statistical periods is selected as the minimum baseline value [formula image not reproduced].
Taking as an example 7 statistical periods of 1 day each, with a unit time window of 1 minute, the feature of the corresponding dimension has 1440 values per day, since there are 1440 minutes in a day. In this case the mean and standard deviation of the 1440 values of each day may be calculated, the sum of the mean and standard deviation taken as the first baseline value, and the difference of the mean and standard deviation taken as the second baseline value. The largest of the 7 first baseline values over the 7 days is then taken as the maximum baseline value [formula image not reproduced], and the smallest of the 7 second baseline values over the 7 days as the minimum baseline value [formula image not reproduced].
The mutation point is likewise in units of a unit time window, i.e. has the same time length as the unit time window, for example 1 minute. Assuming that the feature of the corresponding dimension is an amount of HTTPS requests per unit time window, as an example, when a current value of the feature of the corresponding dimension is 1000 (i.e., 1000 HTTPS requests) at an nth unit time window and a baseline value of the feature of the corresponding dimension is 800, the nth unit time window is the mutation point.
At step 402, the cumulative sum of the differences between the current value of the feature of the corresponding dimension and the maximum baseline value of the feature at the mutation points within the predetermined time period is determined. As an example, when the first mutation point is detected, the difference between the current value and the maximum baseline value at that point is obtained. When a second mutation point is detected, the difference between the current value and the maximum baseline value at the second mutation point is obtained and added to the difference at the first mutation point. When a third mutation point is detected, the difference at the third mutation point is obtained and added to the running sum, and so on, until the sum of the differences at all mutation points is obtained as the cumulative sum. This real-time accumulation is only an example: the difference between the current value and the maximum baseline value at each mutation point may instead be cached as it is detected, and the cumulative sum of the differences calculated once all mutation points have been detected. In some embodiments, only the differences at a preset number of mutation points within the predetermined time period are accumulated as the cumulative sum. The preset number may be chosen as needed, for example 5. Using the differences at a preset number of mutation points can avoid false detections caused by an improperly set (e.g., too long) predetermined time period.
In step 403, in response to the cumulative sum being greater than a feature threshold, determining a classification value for the feature of the respective dimension as a value representing that the current HTTPS data flow is an abnormal data flow in the respective dimension. As described above, a classification value of 1 may indicate that the current HTTPS data flow is an abnormal data flow in the corresponding dimension. As an example, in response to the cumulative sum being greater than a feature threshold, a classification value for a feature of the respective dimension is determined to be 1.
In some embodiments, the feature threshold may be determined as needed. As an example, the sum of the maximum baseline value and the difference between the maximum baseline value and the minimum baseline value may be used as the feature threshold, i.e. the feature threshold may be expressed as [formula image not reproduced], where the difference between the maximum baseline value and the minimum baseline value, [formula image not reproduced], represents the maximum normal fluctuation range of the value of the feature. Adding the maximum normal fluctuation range on top of the maximum baseline value is sufficient to distinguish normal traffic from attack traffic, and is well suited as the feature threshold described herein.
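Steps 401 to 403 carried through on constructed per-minute request amounts, as an added Python example (not the patent's code). The baseline values, the window values and the preset mutation-point count of 2 are constructed; the feature threshold follows the page's definition, the maximum baseline value plus the difference between the maximum and minimum baseline values.

```python
"""Mutation points, cumulative excess and the feature threshold of method 400.
Added example, not the patent's code; all values below are constructed."""
from typing import List, Optional


def mutation_points(values: List[float], max_baseline: float) -> List[int]:
    """Indices of the unit time windows whose value exceeds the maximum baseline."""
    return [i for i, v in enumerate(values) if v > max_baseline]


def cumulative_excess(values: List[float], max_baseline: float,
                      preset_count: Optional[int] = None) -> float:
    """Cumulative sum of (current value - max baseline) over the mutation
    points of the predetermined period. With preset_count only the first
    that many mutation points are accumulated, which is the page's safeguard
    against a predetermined period that was set too long."""
    diffs = [values[i] - max_baseline for i in mutation_points(values, max_baseline)]
    if preset_count is not None:
        diffs = diffs[:preset_count]
    return float(sum(diffs))


def feature_threshold(max_baseline: float, min_baseline: float) -> float:
    """Maximum baseline plus the maximum normal fluctuation range (max - min)."""
    return max_baseline + (max_baseline - min_baseline)


def classify_scalar(values: List[float], max_baseline: float, min_baseline: float,
                    preset_count: Optional[int] = None) -> int:
    """Classification value: 1 when the cumulative excess exceeds the feature threshold."""
    excess = cumulative_excess(values, max_baseline, preset_count)
    return 1 if excess > feature_threshold(max_baseline, min_baseline) else 0


# Constructed per-minute HTTPS request amounts over a six-minute predetermined
# period, with a max baseline of 800 and a min baseline of 500 requests.
MAX_BASELINE, MIN_BASELINE = 800.0, 500.0
NORMAL_PERIOD = [700, 820, 760, 790, 850, 700]      # two small excursions above 800
ATTACK_PERIOD = [700, 1000, 1500, 1600, 900, 1700]  # sustained excess above 800

if __name__ == "__main__":
    print("feature threshold:", feature_threshold(MAX_BASELINE, MIN_BASELINE))
    for name, period in (("normal", NORMAL_PERIOD), ("attack", ATTACK_PERIOD)):
        print(name, mutation_points(period, MAX_BASELINE),
              cumulative_excess(period, MAX_BASELINE),
              classify_scalar(period, MAX_BASELINE, MIN_BASELINE))
```

The feature threshold here is 1100. The normal period has two mutation points whose excess sums to only 70, so its classification value stays 0; the attack period accumulates 2700 and is classified 1. Note the effect of the preset count: with only the first two mutation points counted the attack period's excess is 900, below the threshold, so a small preset count should be paired with a predetermined period of matching length.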
With the method for determining the classification value of the feature of the corresponding dimension provided by the embodiments of the disclosure, the difference between normal traffic and abnormal traffic is amplified by accumulation, so whether the feature of the corresponding dimension is that of an abnormal data flow (a potential attack data flow) can be determined more accurately, further improving the precision of attack detection.
Fig. 5 illustrates a schematic diagram of a method 500 for determining classification values of features of respective dimensions according to one embodiment of the present disclosure. The method is adapted to be used when the characteristic of the corresponding dimension is one of a distribution vector of interval time of packets on an HTTPS connection per unit time window, a packet length distribution vector of packets in an HTTPS data flow, a distribution vector of a transport layer encryption protocol in an HTTPS data flow, a distribution vector of an alternative encryption suite in an HTTPS data flow, and a distribution vector of an extension field in an HTTPS data flow. The method may be used to implement step 203 in the method 200 described with reference to fig. 2. As shown in fig. 5, the method includes the following steps.
In step 501, a difference value between a vector representing the feature of the respective dimension and a threshold vector representing a threshold value of the feature of the respective dimension is determined. The threshold vector may be determined according to actual needs or experience. The vector representing the feature of the corresponding dimension is specifically one of a distribution vector of interval time of packets on the HTTPS connection in each unit time window, a packet length distribution vector of packets in the HTTPS data stream, a distribution vector of a transport layer encryption protocol in the HTTPS data stream, a distribution vector of an encryption suite to be selected in the HTTPS data stream, and a distribution vector of an extension field in the HTTPS data stream.
In some embodiments, the value of each element term in the threshold vector is the maximum baseline value of that element term. As an example, similar to the determination of the maximum baseline value in step 401 described above with reference to fig. 4, the maximum baseline value of an element term may be determined as follows: obtain the historical HTTPS data streams for the access site; for each respective statistical period of a plurality of statistical periods, obtain the mean [formula image not reproduced] and standard deviation [formula image not reproduced] of the element term, over that statistical period, in the vectors representing the feature of the corresponding dimension of the historical HTTPS data stream, and take their sum as the first baseline value of the element term for that statistical period; select the largest of the first baseline values of the element term over the plurality of statistical periods as the maximum baseline value of the element term [formula image not reproduced]. Here [formula image not reproduced], where x denotes the value of the element term in the vector representing the feature of the corresponding dimension in the HTTPS data stream, i is the index of the value, i is a positive integer, n is the total number of values of the element term (i.e., the total number of vectors representing the feature of the corresponding dimension), and Σ is the summation sign.
Taking as an example 7 statistical periods of 1 day each, with a unit time window of 1 minute, there are 1440 vectors representing the feature of the corresponding dimension per day, i.e. 1440 values of the element term, since there are 1440 minutes in a day. In this case the mean and standard deviation of the 1440 values of the element term may be calculated and their sum used as the first baseline value of the element term for that day. The largest of the 7 first baseline values of the element term over the 7 days is then taken as the maximum baseline value of the element term [formula image not reproduced].
In step 502, in response to the discrepancy value being greater than a discrepancy threshold value, a classification value for the feature of the respective dimension is determined as a value representing that the HTTPS data flow is an anomalous data flow in the respective dimension. The difference threshold may be determined as desired or empirically, and its value is not limiting.
In some embodiments, a euclidean distance or a cosine similarity between the vector representing the features of the respective dimension and the threshold vector may be determined as the disparity value. Of course, this is not limiting and any algorithm or metric that can measure the difference between vectors is contemplated.
As described above, a classification value of 1 may indicate that the current HTTPS data flow is an abnormal data flow in the corresponding dimension. As an example, in response to the disparity value being greater than a disparity threshold, a classification value for a feature of the respective dimension is determined to be 1.
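Method 500 applied to a constructed transport layer protocol distribution vector, as an added Python example that is not the patent's code. It assumes the threshold vector's element terms are the per-element maximum baseline values (mean plus standard deviation, dividing by n, maximised over the statistical periods), treats cosine similarity as a difference value by using 1 minus the similarity so that larger always means more different, and uses a constructed difference threshold of 10; the history and the two current windows are constructed.

```python
"""Threshold vector and difference-based classification of method 500.
Added example, not the patent's code; history and windows are constructed."""
import math
from typing import List, Tuple


def mean_std(values: List[float]) -> Tuple[float, float]:
    """Mean and standard deviation (dividing by n is an assumption)."""
    n = len(values)
    mu = sum(values) / n
    return mu, math.sqrt(sum((x - mu) ** 2 for x in values) / n)


def threshold_vector(history: List[List[List[float]]]) -> List[float]:
    """history[period][window] is one distribution vector. For each element
    term, the first baseline of a period is mean + std of that term over the
    period's windows; the threshold vector holds, per term, the largest first
    baseline over all periods (the element term's maximum baseline value)."""
    dim = len(history[0][0])
    thr = []
    for k in range(dim):
        firsts = []
        for period in history:
            mu, sigma = mean_std([vec[k] for vec in period])
            firsts.append(mu + sigma)
        thr.append(max(firsts))
    return thr


def euclidean(a: List[float], b: List[float]) -> float:
    """Euclidean distance between the feature vector and the threshold vector."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def cosine_distance(a: List[float], b: List[float]) -> float:
    """1 - cosine similarity, so that a larger value means a larger difference."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 1.0 - dot / (na * nb)


def classify_vector(vec: List[float], thr: List[float], diff_threshold: float,
                    metric: str = "euclidean") -> int:
    """Classification value: 1 when the difference value exceeds the difference threshold."""
    diff = euclidean(vec, thr) if metric == "euclidean" else cosine_distance(vec, thr)
    return 1 if diff > diff_threshold else 0


# Constructed history: 2 statistical periods x 3 unit time windows of a transport
# layer protocol distribution vector whose elements count [TLS1.0, TLS1.1, TLS1.2].
HISTORY = [
    [[2, 1, 50], [3, 1, 48], [1, 1, 52]],
    [[2, 0, 51], [2, 2, 49], [2, 1, 50]],
]
NORMAL_VECTOR = [2, 1, 50]
ATTACK_VECTOR = [40, 1, 50]   # a burst of downgraded TLS1.0 ClientHellos
DIFF_THRESHOLD = 10.0         # constructed; the page leaves this to the operator

if __name__ == "__main__":
    thr = threshold_vector(HISTORY)
    print("threshold vector:", [round(t, 3) for t in thr])
    for name, vec in (("normal", NORMAL_VECTOR), ("attack", ATTACK_VECTOR)):
        print(name, round(euclidean(vec, thr), 3), round(cosine_distance(vec, thr), 4),
              classify_vector(vec, thr, DIFF_THRESHOLD))
```

The Euclidean distance of the normal window from the threshold vector is exactly 2.0 with these numbers, while the attack window sits about 37 away, so the two are separated by any difference threshold between those values. Cosine distance is scale-free, which makes it insensitive to the total connection count in the window; whether that is desirable depends on whether the dimension is meant to capture volume or only the mix of protocols.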
With the method for determining the classification value of the feature of the corresponding dimension provided by the embodiments of the disclosure, whether the feature of the corresponding dimension is that of an abnormal data stream (a potential attack data stream) can be determined more accurately by considering the difference between the vector representing the feature and the threshold vector representing its threshold value, so the accuracy of attack detection is improved.
It should be noted that step 203 of method 200 described with reference to fig. 2 need not be implemented by methods 400 and 500 above. As an example, after the number of packets in each packet length interval within the unit time window (i.e., the value of each element term of the packet length distribution vector described above) is obtained, a weighted average over all packet length intervals may be calculated from those per-interval packet counts. As an example, the weighted average [formula image not reproduced] can be expressed as [formula image not reproduced], where [formula image not reproduced] denotes the corresponding packet length interval and [formula image not reproduced] denotes the number of packets in that packet length interval. The weighted average is then compared with the maximum baseline value and the minimum baseline value of the weighted average of the packet length intervals in the historical data stream, and if it is greater than the maximum baseline value or less than the minimum baseline value, the classification value of the weighted average is determined as the value representing that the current HTTPS data flow is an abnormal data flow. The maximum and minimum baseline values may be determined empirically or in a manner similar to that described above for determining maximum and minimum baseline values.
Fig. 6 illustrates an exemplary logical architecture diagram of a method for detecting a network attack according to one embodiment of the present disclosure. As an example, the logic architecture may be implemented in the detection system described with reference to fig. 1. The logic architecture can comprise the following logic modules: the device comprises a data source module, a real-time detection module and an off-line calculation module.
The data source module is configured to parse the data packet in the received data stream according to the network protocol stack, as described with reference to step 201 in fig. 2, and then output the data in the data packet to the real-time detection module and the offline calculation module in real time.
The real-time detection module can comprise an ultra-large flow alarm module, a multi-dimensional feature extraction module and a multi-feature joint detection module. The ultra-large flow alarm module is used for judging whether the data flow has an ultra-large request amount; if so, an alarm is raised directly without passing through the subsequent detection logic, which shortens the data path and improves timeliness. The multi-dimensional feature extraction module is configured to extract the changes of the real-time traffic components in multiple dimensions, for example, the HTTPS request amount or connection number per unit time window, the information entropy of the source IP address or source port number per unit time window, and so on, as described with reference to step 202 in fig. 2. The extraction result of the multi-dimensional feature extraction module may be combined with the analysis result of the offline calculation module (such as the dynamic threshold value described in step 401 above), and the multi-feature joint detection module comprehensively determines whether a network attack occurs and, if so, raises an alarm, as described with reference to steps 203 and 204 in fig. 2.
The off-line calculation module comprises a baseline data acquisition module, a baseline off-line calculation module and a noise reduction and bad value removal module. The baseline data acquisition module is used for acquiring baseline data of historical traffic, for example, acquiring the data streams of each visited site for 7 days. The baseline offline calculation module extracts features of multiple dimensions from the data stream of approximately 7 days, performs multi-level noise reduction, bad value removal processing and the like on the features of multiple dimensions through the noise reduction and bad value removal module, and finally calculates the above-mentioned maximum baseline value, minimum baseline value, related threshold values and the like from the extracted features and stores them in a background database for the real-time detection module to call, as described with reference to step 401 in fig. 4 and step 501 in fig. 5. It should be noted that if the current HTTPS data stream is judged to be attack traffic, it may be marked while the alarm is raised, so that the noise reduction and bad value removal module can refer to the mark the next time it performs multi-level noise reduction, bad value removal processing and the like on the multi-dimensional features of the historical traffic.
Fig. 7 illustrates an exemplary block diagram of an apparatus 700 for detecting a network attack according to one embodiment of the present disclosure. As shown in fig. 7, the apparatus 700 includes an obtaining module 701, an extracting module 702, a classifying module 703 and a determining module 704.
The acquisition module 701 is configured to acquire a current HTTPS data stream for an access station within a predetermined time period. The predetermined time period may be any time period, and may be set according to actual needs (for example, needs for detection accuracy).
The extraction module 702 is configured to extract features of multiple dimensions of the current HTTPS data stream from data transmitted in clear text in the current HTTPS data stream. In some embodiments, the length of time of the predetermined period of time is greater than or equal to the length of time of a unit time window on which the extraction of features of the HTTPS data stream is performed. In some embodiments, the features of the plurality of dimensions include at least two selected from: the HTTPS request amount or number of connections per unit time window; the information entropy of the source IP address or source port number of each unit time window; duration of data flow over the HTTPS connection per unit time window; the rate of packets on the HTTPS connection per unit time window; the growth rate of the HTTPS request amount or the number of connections of adjacent unit time windows; a distribution vector of interval time of data packets on the HTTPS connection of each unit time window; a packet length distribution vector of packets in the HTTPS data stream for each unit time window; a distribution vector of a transport layer encryption protocol in the HTTPS data stream of each unit time window; a distribution vector of the encryption suites to be selected in the HTTPS data stream per unit time window; distribution vector of extension fields in HTTPS data stream per unit time window. It should be noted that the distribution vector described herein is typically a multidimensional vector, which includes a plurality of element terms. For example, an m-dimensional vector typically includes m element terms, with m being a positive integer.
The classification module 703 is configured to determine a classification value for each respective dimension of the plurality of dimensions of features, the classification value representing whether the current HTTPS data flow is an anomalous data flow in the respective dimension.
In some embodiments, if the respective dimension is characterized by a rate of increase of the number of HTTPS requests or connections per adjacent unit time window, the classification module is configured to: when the growth rate is greater than a growth rate threshold, determining a classification value for the feature of the respective dimension as a value representing that the HTTPS data flow is an anomalous data flow in the respective dimension.
In some embodiments, if the feature of the corresponding dimension is one of the HTTPS request amount or the number of connections per unit time window, the information entropy of the source IP address or source port number, the duration of the data flow over the HTTPS connection, or the rate of packets over the HTTPS connection, the classification module 703 is configured to: determine a mutation point at which the value of the feature of the corresponding dimension is mutated according to the maximum baseline value of the feature of the corresponding dimension, wherein the current value of the feature of the corresponding dimension at the mutation point is greater than the maximum baseline value of the feature of the corresponding dimension; determine a cumulative sum of the differences between the current value of the feature of the respective dimension and the maximum baseline value of the feature of the respective dimension at the mutation points within the predetermined time period; and, in response to the cumulative sum being greater than a feature threshold, determine the classification value for the feature of the respective dimension as a value representing that the current HTTPS data flow is an anomalous data flow in the respective dimension.
In some embodiments, in response to the feature of the corresponding dimension being one of a distribution vector of interval times of packets on the HTTPS connection per unit time window, a packet length distribution vector of packets in the HTTPS data flow, a distribution vector of the transport layer encryption protocol in the HTTPS data flow, a distribution vector of the candidate encryption suites in the HTTPS data flow, or a distribution vector of extension fields in the HTTPS data flow, the classification module 703 is configured to: determine a difference value between the vector representing the feature of the respective dimension and a threshold vector representing the threshold value for the feature of the respective dimension; and determine the classification value for the feature of the respective dimension as a value representing that the current HTTPS data flow is an anomalous data flow in the respective dimension if the difference value is greater than a difference threshold value.
The determining module 704 is configured to determine whether a network attack against the visiting station has occurred within the predetermined time period according to the classification value of the features of the plurality of dimensions. In some embodiments, the determining module 704 is configured to first determine a weighted sum of the classification values of the features of the plurality of dimensions, and then determine that a cyber attack against the visiting site has occurred within the predetermined time period if the weighted sum is greater than a weighted sum threshold.
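The classification rules of module 703 and the weighted-sum decision of module 704, together with the baseline derivation of claims 5, 6 and 8, carried through on constructed sample data as an added example (this is not the patent's own code; the history values, weights and thresholds are constructed):

```python
"""Multi-feature joint detection in the style of apparatus 700.

Added illustration, not the patent's implementation.  Scalar dimensions use
the mutation-point / cumulative-sum rule, distribution-vector dimensions use
the Euclidean distance to a threshold vector, and the final decision is a
weighted sum of classification values.  All numbers are constructed.
"""
from math import sqrt
from typing import Dict, List, Sequence, Tuple


def mean_std(values: Sequence[float]) -> Tuple[float, float]:
    """Population mean and standard deviation over one statistical period."""
    n = len(values)
    m = sum(values) / n
    return m, sqrt(sum((v - m) ** 2 for v in values) / n)


def scalar_baselines(periods: Sequence[Sequence[float]]) -> Dict[str, float]:
    """Baselines of a scalar feature (claims 5 and 6).

    periods: the feature's per-unit-time-window values, one sequence per
    statistical period of the historical data stream (e.g. one per day).
    max baseline = max over periods of (mean + std)
    min baseline = min over periods of (mean - std)
    feature threshold = (max baseline - min baseline) + max baseline
    """
    stats = [mean_std(p) for p in periods]
    max_b = max(m + s for m, s in stats)
    min_b = min(m - s for m, s in stats)
    return {"max": max_b, "min": min_b, "threshold": (max_b - min_b) + max_b}


def classify_scalar(current: Sequence[float], baseline: Dict[str, float]) -> int:
    """Classification value of a scalar dimension (claim 4).

    current: the feature's values for the unit time windows inside the
    predetermined time period.  Windows above the maximum baseline are the
    mutation points; their differences are summed and compared with the
    feature threshold.  Returns 1 (anomalous) or 0 (normal).
    """
    max_b = baseline["max"]
    cumulative = sum(v - max_b for v in current if v > max_b)
    return 1 if cumulative > baseline["threshold"] else 0


def threshold_vector(periods: Sequence[Sequence[Sequence[float]]]) -> List[float]:
    """Threshold vector of a distribution-vector dimension (claim 8): element i
    is the maximum over periods of (mean + std) of element i."""
    thr = []
    for i in range(len(periods[0][0])):
        firsts = []
        for p in periods:
            m, s = mean_std([vec[i] for vec in p])
            firsts.append(m + s)
        thr.append(max(firsts))
    return thr


def classify_vector(current: Sequence[float], thr: Sequence[float],
                    difference_threshold: float) -> int:
    """Classification value of a vector dimension (claims 7 and 9), using the
    Euclidean distance to the threshold vector as the difference value."""
    distance = sqrt(sum((c - t) ** 2 for c, t in zip(current, thr)))
    return 1 if distance > difference_threshold else 0


def attack_detected(classifications: Dict[str, int], weights: Dict[str, float],
                    weighted_sum_threshold: float) -> bool:
    """Joint decision (claim 11): weighted sum of the classification values."""
    weighted_sum = sum(weights[k] * v for k, v in classifications.items())
    return weighted_sum > weighted_sum_threshold


# Constructed history: HTTPS requests per unit time window, three periods.
HISTORY_REQUESTS = [[100, 100, 100, 100], [90, 110, 90, 110], [120, 120, 120, 120]]
# Constructed history: candidate cipher-suite distribution vector (counts of
# three suites offered in ClientHello messages) per window, two periods.
HISTORY_SUITES = [[[50, 30, 20], [50, 30, 20]], [[60, 20, 20], [40, 40, 20]]]
WEIGHTS = {"requests": 0.6, "suites": 0.4}       # constructed
WEIGHTED_SUM_THRESHOLD = 0.5                     # constructed
DIFFERENCE_THRESHOLD = 15.0                      # constructed


def evaluate_period(current_requests: Sequence[float],
                    current_suites: Sequence[float]) -> Dict[str, object]:
    """Classify both dimensions for one predetermined time period and decide."""
    baseline = scalar_baselines(HISTORY_REQUESTS)
    thr = threshold_vector(HISTORY_SUITES)
    cls = {"requests": classify_scalar(current_requests, baseline),
           "suites": classify_vector(current_suites, thr, DIFFERENCE_THRESHOLD)}
    return {"baseline": baseline, "threshold_vector": thr, "classifications": cls,
            "attack": attack_detected(cls, WEIGHTS, WEIGHTED_SUM_THRESHOLD)}


if __name__ == "__main__":
    # Constructed periods: a quiet one, and one with a request surge whose
    # cipher-suite offer is skewed far from the historical distribution.
    print(evaluate_period([115, 125, 118, 121], [55, 35, 20]))
    print(evaluate_period([115, 130, 200, 250], [95, 5, 0]))
```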
Fig. 8 illustrates an example system 800 that includes an example computing device 810 that represents one or more systems and/or devices that can implement the various techniques described herein. Computing device 810 may be, for example, a server of a service provider, a device associated with a server, a system on a chip, and/or any other suitable computing device or computing system. The device 700 for detecting network attacks described above with respect to fig. 7 may take the form of a computing device 810. Alternatively, the apparatus 700 for detecting network attacks may be implemented as a computer program in the form of an attack detection application 816.
The example computing device 810 as illustrated includes a processing system 811, one or more computer-readable media 812, and one or more I/O interfaces 813 communicatively coupled to each other. Although not shown, computing device 810 may also include a system bus or other data and command transfer system that couples the various components to one another. A system bus can include any one or combination of different bus structures, such as a memory bus or memory controller, a peripheral bus, a universal serial bus, and/or a processor or local bus that utilizes any of a variety of bus architectures. Various other examples are also contemplated, such as control and data lines.
The processing system 811 represents functionality to perform one or more operations using hardware. Thus, the processing system 811 is illustrated as including hardware elements 814 that may be configured as processors, functional blocks, and so forth. This may include implementation in hardware as an application specific integrated circuit or other logic device formed using one or more semiconductors. The hardware elements 814 are not limited by the materials from which they are formed or the processing mechanisms employed therein. For example, a processor may be comprised of semiconductor(s) and/or transistors (e.g., electronic Integrated Circuits (ICs)). In such a context, processor-executable instructions may be electronically-executable instructions.
The computer-readable medium 812 is illustrated as including memory/storage 815. Memory/storage 815 represents memory/storage capacity associated with one or more computer-readable media. The memory/storage 815 may include volatile media (such as Random Access Memory (RAM)) and/or nonvolatile media (such as Read Only Memory (ROM), flash memory, optical disks, magnetic disks, and so forth). The memory/storage 815 may include fixed media (e.g., RAM, ROM, a fixed hard drive, etc.) as well as removable media (e.g., flash memory, a removable hard drive, an optical disk, and so forth). The computer-readable medium 812 may be configured in various other ways as further described below.
One or more I/O interfaces 813 represent functionality that allows a user to enter commands and information to computing device 810, and optionally also allows information to be presented to the user and/or other components or devices using various input/output devices. Examples of input devices include a keyboard, a cursor control device (e.g., a mouse), a microphone (e.g., for voice input), a scanner, touch functionality (e.g., capacitive or other sensors configured to detect physical touch), a camera (e.g., motion that may not involve touch may be detected as gestures using visible or invisible wavelengths such as infrared frequencies), and so forth. Examples of output devices include a display device (e.g., a monitor or projector), speakers, a printer, a network card, a haptic response device, and so forth. Accordingly, the computing device 810 may be configured in various ways to support user interaction, as described further below.
Computing device 810 also includes attack detection application 816. The attack detection application 816 may be, for example, a software instance of the device 700 for detecting network attacks and implement the techniques described herein in combination with other elements in the computing device 810.
Various techniques may be described herein in the general context of software hardware elements or program modules. Generally, these modules include routines, programs, objects, elements, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The terms "module," "functionality," and "component" as used herein generally represent software, firmware, hardware, or a combination thereof. The features of the techniques described herein are platform-independent, meaning that the techniques may be implemented on a variety of computing platforms having a variety of processors.
An implementation of the described modules and techniques may be stored on or transmitted across some form of computer readable media. Computer readable media can include a variety of media that can be accessed by computing device 810. By way of example, and not limitation, computer-readable media may comprise "computer-readable storage media" and "computer-readable signal media".
"computer-readable storage medium" refers to a medium and/or device, and/or a tangible storage apparatus, capable of persistently storing information, as opposed to mere signal transmission, carrier wave, or signal per se. Accordingly, computer-readable storage media refers to non-signal bearing media. Computer-readable storage media include hardware such as volatile and nonvolatile, removable and non-removable media and/or storage devices implemented in a method or technology suitable for storage of information such as computer-readable instructions, data structures, program modules, logic elements/circuits or other data. Examples of computer readable storage media may include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical storage, hard disks, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or other storage devices, tangible media, or an article of manufacture suitable for storing the desired information and accessible by a computer.
"computer-readable signal medium" refers to a signal-bearing medium configured to transmit instructions to hardware of computing device 810, such as via a network. Signal media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave, data signal or other transport mechanism. Signal media also includes any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media.
As previously described, the hardware element 814 and the computer-readable medium 812 represent instructions, modules, programmable device logic, and/or fixed device logic implemented in hardware form that may be used in some embodiments to implement at least some aspects of the techniques described herein. The hardware elements may include integrated circuits or systems-on-chips, Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), Complex Programmable Logic Devices (CPLDs), and other implementations in silicon or components of other hardware devices. In this context, a hardware element may serve as a processing device that performs program tasks defined by instructions, modules, and/or logic embodied by the hardware element, as well as a hardware device for storing instructions for execution, such as the computer-readable storage medium described previously.
Combinations of the foregoing may also be used to implement the various techniques and modules described herein. Thus, software, hardware, or program modules and other program modules may be implemented as one or more instructions and/or logic embodied on some form of computer-readable storage medium and/or by one or more hardware elements 814. Computing device 810 may be configured to implement particular instructions and/or functions corresponding to software and/or hardware modules. Thus, implementing modules as modules executable by computing device 810 as software may be implemented at least partially in hardware, for example, using computer-readable storage media of a processing system and/or hardware elements 814. The instructions and/or functions may be executable/operable by one or more articles of manufacture (e.g., one or more computing devices 810 and/or processing systems 811) to implement the techniques, modules, and examples described herein.
In various implementations, computing device 810 may assume a variety of different configurations. For example, computing device 810 may be implemented as a computer-like device including a personal computer, desktop computer, multi-screen computer, laptop computer, netbook, and so forth. The computing device 810 may also be implemented as a mobile device-like device including mobile devices such as mobile telephones, portable music players, portable gaming devices, tablet computers, multi-screen computers, and the like. Computing device 810 may also be implemented as a television-like device that includes devices with or connected to a generally larger screen in a casual viewing environment. These devices include televisions, set-top boxes, game consoles, and the like.
The techniques described herein may be supported by these various configurations of computing device 810 and are not limited to specific examples of the techniques described herein. Functionality may also be implemented in whole or in part on the "cloud" 820 through the use of a distributed system, such as through a platform 822 as described below.
Cloud 820 includes and/or is representative of a platform 822 for resources 824. The platform 822 abstracts underlying functionality of hardware (e.g., servers) and software resources of the cloud 820. Resources 824 may include applications and/or data that may be used when computer processing is performed on a server remote from computing device 810. Resources 824 may also include services provided over the internet and/or over a subscriber network such as a cellular or Wi-Fi network.
The platform 822 may abstract resources and functions to connect the computing device 810 with other computing devices. The platform 822 may also serve to abstract the hierarchy of resources to provide a corresponding level of hierarchy encountered for the requirements of the resources 824 implemented via the platform 822. Thus, in interconnected device embodiments, implementation of functions described herein may be distributed throughout the system 800. For example, the functionality may be implemented in part on the computing device 810 and through the platform 822 that abstracts the functionality of the cloud 820.
It will be appreciated that embodiments of the disclosure have been described with reference to different functional units for clarity. However, it will be apparent that the functionality of each functional unit may be implemented in a single unit, in a plurality of units or as part of other functional units without departing from the disclosure. For example, functionality illustrated to be performed by a single unit may be performed by a plurality of different units. Thus, references to specific functional units are only to be seen as references to suitable units for providing the described functionality rather than indicative of a strict logical or physical structure or organization. Thus, the present disclosure may be implemented in a single unit or may be physically and functionally distributed between different units and circuits.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various devices, elements, components or sections, these devices, elements, components or sections should not be limited by these terms. These terms are only used to distinguish one device, element, component or section from another device, element, component or section.
Although the present disclosure has been described in connection with some embodiments, it is not intended to be limited to the specific form set forth herein. Rather, the scope of the present disclosure is limited only by the accompanying claims. Additionally, although individual features may be included in different claims, these may possibly advantageously be combined, and the inclusion in different claims does not imply that a combination of features is not feasible and/or advantageous. The order of features in the claims does not imply any specific order in which the features must be worked. Furthermore, in the claims, the word "comprising" does not exclude other elements, and the indefinite article "a" or "an" does not exclude a plurality. Reference signs in the claims are provided merely as a clarifying example and shall not be construed as limiting the scope of the claims in any way.

Claims (15)

1. A method for detecting a network attack, comprising:
acquiring a current hypertext transfer security protocol data stream aiming at an access site in a preset time period;
extracting characteristics of multiple dimensions of the current hypertext transfer security protocol data stream according to data transmitted in a plaintext mode in the current hypertext transfer security protocol data stream;
determining a classification value for each respective dimension of the plurality of dimensions of features, the classification value indicating whether the current hypertext transfer security protocol data stream is an abnormal data stream in the respective dimension;
and determining whether the network attack aiming at the access station occurs in the preset time period according to the classification value of the features of the plurality of dimensions.
2. The method of claim 1, wherein a length of time of the predetermined period of time is greater than or equal to a length of time of a unit time window, and the extracting features of the plurality of dimensions of the hypertext transfer security protocol data stream is based on the unit time window.
3. The method of claim 2, wherein the features of the plurality of dimensions comprise at least two selected from:
the hypertext transfer security protocol request amount or the connection number of each unit time window;
the information entropy of the source internet protocol address or source port number of each unit time window;
the duration of the data stream on the hypertext transfer security protocol connection of each unit time window;
the rate of data packets on the hypertext transfer security protocol connection of each unit time window;
the growth rate of the hypertext transfer security protocol request quantity or the connection number of the adjacent unit time window;
the distribution vector of the interval time of data packets on the hypertext transfer security protocol connection of each unit time window;
a packet length distribution vector of a data packet in the hypertext transfer security protocol data stream of each unit time window;
the distribution vector of the transport layer encryption protocol in the hypertext transfer security protocol data stream of each unit time window;
a distribution vector of the encryption suites for selection in the hypertext transfer security protocol data stream of each unit time window;
a distribution vector of extension fields in the hypertext transfer security protocol data stream per unit time window.
4. The method of claim 2 or 3, wherein, in response to the characteristic of the respective dimension being one of a hypertext transfer security protocol request amount or a number of connections per unit time window, an entropy of information of a source internet protocol address or a source port number, a duration of data flow on a hypertext transfer security protocol connection, a rate of data packets on a hypertext transfer security protocol connection, determining a classification value for the characteristic of each respective dimension of the plurality of dimensions comprises:
determining a mutation point at which the value of the feature of the corresponding dimension is mutated according to the maximum baseline value of the feature of the corresponding dimension, wherein the current value of the feature of the corresponding dimension at the mutation point is greater than the maximum baseline value of the feature of the corresponding dimension;
determining a cumulative sum of differences between a current value of the feature of the respective dimension and the maximum baseline value of the feature of the respective dimension at the mutation points within the predetermined time period;
in response to the cumulative sum being greater than a feature threshold, determining a classification value for a feature of the respective dimension as a value representing that the current Hypertext transfer Security protocol data flow is an abnormal data flow in the respective dimension.
5. The method of claim 4, wherein the maximum baseline value is obtained by:
acquiring a historical hypertext transfer security protocol data stream for the visited site;
for each corresponding statistical period in a plurality of statistical periods, obtaining a sum of a mean value and a standard deviation of the characteristic of the historical hypertext transfer security protocol data stream in the corresponding statistical period as a first baseline value of the characteristic of the corresponding statistical period;
selecting a maximum value of the first baseline values as a maximum baseline value from the first baseline values of the plurality of features of the plurality of statistical periods.
6. The method of claim 5, wherein the feature threshold may be obtained by:
for each corresponding statistical period in a plurality of statistical periods, obtaining a difference between an average value and a standard deviation of the characteristic of the historical hypertext transfer security protocol data stream in the corresponding statistical period, and using the difference as a second baseline value of the characteristic of the corresponding statistical period;
selecting a minimum value of second baseline values from the second baseline values of the plurality of features of the plurality of statistical periods as a minimum baseline value;
determining a sum of a difference between the maximum baseline value and the minimum baseline value and a maximum baseline value as the feature threshold.
7. The method of claim 2 or 3, wherein, in response to the feature of the respective dimension being one of a distribution vector of the interval time of data packets on a hypertext transfer security protocol connection per unit time window, a packet length distribution vector of data packets in a hypertext transfer security protocol data stream, a distribution vector of the transport layer encryption protocol in a hypertext transfer security protocol data stream, a distribution vector of the encryption suites for selection in a hypertext transfer security protocol data stream, or a distribution vector of extension fields in a hypertext transfer security protocol data stream, determining the classification value for the feature of each respective dimension of the plurality of dimensions comprises:
determining a difference value between a vector representing the feature of the respective dimension and a threshold vector representing a threshold value for the feature of the respective dimension;
if the difference value is greater than a difference threshold value, determining the classification value of the feature of the corresponding dimension as a value representing that the current hypertext transfer security protocol data stream is an abnormal data stream in the corresponding dimension.
8. The method of claim 7, wherein the value of each element term in the threshold vector is the maximum baseline value for the element term, the maximum baseline value for the element term being determined by:
acquiring a historical hypertext transfer security protocol data stream for the visited site;
for each corresponding statistical period of a plurality of statistical periods, obtaining a sum of a mean value and a standard deviation of the element items in a vector of features representing the corresponding dimension of a historical hypertext transfer security protocol data stream in the corresponding statistical period as a first baseline value of the element items of the corresponding statistical period;
selecting a maximum value of the first baseline values of the element term from a plurality of first baseline values of the element term for the plurality of statistical periods as a maximum baseline value for the element term.
9. The method of claim 7, wherein determining a disparity value between the vector representing the feature of the respective dimension and a threshold vector representing a threshold value of the feature of the respective dimension comprises:
determining Euclidean distance or cosine similarity between the vector representing the feature of the corresponding dimension and the threshold vector as the difference value.
10. The method of claim 2 or 3, wherein, in response to the feature of the respective dimension being a rate of increase of a hypertext transfer security protocol request quantity or a number of connections of adjacent unit time windows, determining a classification value for the feature of each respective dimension of the plurality of dimensions comprises:
when the growth rate is greater than a growth rate threshold, determining the classification value for the feature of the corresponding dimension as a value representing that the current hypertext transfer security protocol data stream is an abnormal data stream in the corresponding dimension.
11. The method of claim 1, wherein determining whether a cyber attack on the visiting station has occurred within the predetermined period of time according to the classification values of the features of the plurality of dimensions comprises:
determining a weighted sum of classification values of features of the plurality of dimensions;
in response to the weighted sum being greater than a weighted sum threshold, determining that a network attack against the visiting station has occurred within the predetermined period of time.
12. An apparatus for detecting a network attack, comprising:
an obtaining module configured to obtain a current hypertext transfer security protocol data stream for an access site within a predetermined period of time;
an extraction module configured to extract features of a plurality of dimensions of the current hypertext transfer security protocol data stream from plaintext data within the current hypertext transfer security protocol data stream;
a classification module configured to determine a classification value for the feature of each respective dimension of the plurality of dimensions, the classification value representing whether the current hypertext transfer security protocol data stream is an abnormal data stream in the respective dimension;
a determination module configured to determine whether a network attack against the access site has occurred within the predetermined period of time based on the classification values of the features of the plurality of dimensions.
13. The apparatus of claim 12, wherein the determination module is configured to:
determine a weighted sum of the classification values of the features of the plurality of dimensions;
in response to the weighted sum being greater than a weighted sum threshold, determine that a network attack against the access site has occurred within the predetermined period of time.
14. A computing device, comprising:
a memory configured to store computer-executable instructions;
a processor configured to perform the method of any one of claims 1-11 when the computer-executable instructions are executed by the processor.
15. A computer-readable storage medium storing computer-executable instructions that, when executed, perform the method of any one of claims 1-11.
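The decision flow of claims 9 to 11 (per-dimension classification by growth rate or by distance to a threshold vector, then a weighted sum against a threshold), as an added example that is not code from the patent or its assignee; the feature names, the direction of the vector comparison, the thresholds, the weights and the sample window values are all assumptions.

```python
# Added example (not code from the patent or its assignee): the per-dimension
# classification of claims 9-10 and the weighted-sum decision of claim 11, run
# on constructed feature values. All names, thresholds and weights are assumed.
import math

def growth_rate(windows):
    """Rate of increase between the last two adjacent unit time windows."""
    prev, cur = windows[-2], windows[-1]
    if prev == 0:
        return math.inf if cur > 0 else 0.0
    return (cur - prev) / prev

def classify_growth(windows, threshold):
    """Claim 10: 1 = abnormal in this dimension when the growth rate exceeds the threshold."""
    return 1 if growth_rate(windows) > threshold else 0

def euclidean_distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def classify_vector(vec, threshold_vec, max_distance=None, min_cosine=None):
    """Claim 9: difference value = Euclidean distance or cosine similarity to the threshold
    vector. Assumed direction: distance > max_distance or similarity < min_cosine is abnormal."""
    if min_cosine is not None:
        return 1 if cosine_similarity(vec, threshold_vec) < min_cosine else 0
    return 1 if euclidean_distance(vec, threshold_vec) > max_distance else 0

def detect_attack(classes, weights, threshold):
    """Claim 11: attack if the weighted sum of classification values exceeds the threshold."""
    weighted = sum(weights[d] * v for d, v in classes.items())
    return weighted > threshold, weighted

# Constructed feature values for one access site over four unit time windows.
REQUESTS_PER_WINDOW = [120, 118, 125, 910]   # HTTPS requests per window
CONNECTIONS_PER_WINDOW = [40, 42, 41, 44]    # new connections per window
METHOD_MIX = [0.20, 0.75, 0.05]              # current share of GET / POST / other
METHOD_MIX_THRESHOLD = [0.85, 0.12, 0.03]    # learned baseline used as threshold vector
WEIGHTS = {"requests": 0.4, "connections": 0.3, "method_mix": 0.3}

def run_detection():
    classes = {
        "requests": classify_growth(REQUESTS_PER_WINDOW, threshold=2.0),
        "connections": classify_growth(CONNECTIONS_PER_WINDOW, threshold=2.0),
        "method_mix": classify_vector(METHOD_MIX, METHOD_MIX_THRESHOLD, max_distance=0.3),
    }
    attacked, score = detect_attack(classes, WEIGHTS, threshold=0.5)
    return attacked, score, classes  # (True, 0.7, per-dimension values)
```

With these inputs the request-rate and method-mix dimensions are flagged abnormal, the connection dimension is not, and the weighted sum 0.7 exceeds the assumed threshold 0.5.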
CN202010253129.9A 2020-04-02 2020-04-02 Method and apparatus for detecting network attacks Pending CN111163114A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010253129.9A CN111163114A (en) 2020-04-02 2020-04-02 Method and apparatus for detecting network attacks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010253129.9A CN111163114A (en) 2020-04-02 2020-04-02 Method and apparatus for detecting network attacks

Publications (1)

Publication Number Publication Date
CN111163114A true CN111163114A (en) 2020-05-15

Family

ID=70567662

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010253129.9A Pending CN111163114A (en) 2020-04-02 2020-04-02 Method and apparatus for detecting network attacks

Country Status (1)

Country Link
CN (1) CN111163114A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101594269A (en) * 2009-06-29 2009-12-02 成都市华为赛门铁克科技有限公司 A kind of detection method of unusual connection, device and gateway device
CN108965347A (en) * 2018-10-10 2018-12-07 腾讯科技(深圳)有限公司 A kind of detecting method of distributed denial of service attacking, device and server
CN109936578A (en) * 2019-03-21 2019-06-25 西安电子科技大学 The detection method of HTTPS tunnel traffic in a kind of network-oriented
CN109951491A (en) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detecting method, device, equipment and storage medium
CN110784465A (en) * 2019-10-25 2020-02-11 新华三信息安全技术有限公司 Data stream detection method and device and electronic equipment

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112187579A (en) * 2020-09-28 2021-01-05 中国建设银行股份有限公司 Auxiliary processing method, device and equipment for data transmission exception and readable storage medium
CN112187579B (en) * 2020-09-28 2021-11-23 中国建设银行股份有限公司 Auxiliary processing method, device and equipment for data transmission exception and readable storage medium
CN112202785A (en) * 2020-09-30 2021-01-08 深信服科技股份有限公司 Uploaded file processing method, device and equipment and computer storage medium
CN112202785B (en) * 2020-09-30 2023-03-21 深信服科技股份有限公司 Uploaded file processing method, device and equipment and computer storage medium
CN114866349A (en) * 2022-07-06 2022-08-05 深圳市永达电子信息股份有限公司 Network information filtering method
CN114866349B (en) * 2022-07-06 2022-11-15 深圳市永达电子信息股份有限公司 Network information filtering method

Similar Documents

Publication Publication Date Title
US11601475B2 (en) Rating organization cybersecurity using active and passive external reconnaissance
JP5886422B2 (en) System, apparatus, program, and method for protocol fingerprint acquisition and evaluation correlation
US9386028B2 (en) System and method for malware detection using multidimensional feature clustering
US11184387B2 (en) Network attack defense system and method
US9369479B2 (en) Detection of malware beaconing activities
WO2022083353A1 (en) Abnormal network data detection method and apparatus, computer device, and storage medium
US9531749B2 (en) Prevention of query overloading in a server application
CN111163114A (en) Method and apparatus for detecting network attacks
JP2006279930A (en) Method and device for detecting and blocking unauthorized access
US20210144172A1 (en) Early detection of dedicated denial of service attacks through metrics correlation
US11457025B2 (en) Method and system for detecting and preventing data exfiltration attacks
US20210281609A1 (en) Rating organization cybersecurity using probe-based network reconnaissance techniques
Satoh et al. A flow-based detection method for stealthy dictionary attacks against Secure Shell
US11677777B1 (en) Situational awareness and perimeter protection orchestration
Ding et al. Application of machine learning techniques to detecting anomalies in communication networks: Datasets and feature selection algorithms
Satoh et al. SSH dictionary attack detection based on flow analysis
CN112565269B (en) Method and device for detecting back door flow of server, electronic equipment and storage medium
Ezenwe et al. Mitigating Denial of Service Attacks with Load Balancing
CN114513369B (en) Deep packet inspection-based internet of things behavior analysis method and system
EP3989519B1 (en) Method for tracing malicious endpoints in direct communication with an application back end using tls fingerprinting technique
Amoli et al. Real time multi stage unsupervised intelligent engine for NIDS to enhance detection rate of unknown attacks
Gu et al. Meta-TFEN: A Multi-Modal Deep Learning Approach for Encrypted Malicious Traffic Detection
TW202221603A (en) System and method for online transaction processing
CN114666129A (en) Network security authentication method, system, computer device and storage medium
CN114915442A (en) Advanced persistent threat attack detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200515