CN111262851A - DDOS attack detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN111262851A
Authority: CN (China)
Prior art keywords: target, suspected, ddos attack, attack detection, computing node
Legal status: Pending
Application number: CN202010035576.7A
Other languages: Chinese (zh)
Inventors: 冯剑, 王晨光, 刘梦霖
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Hangzhou Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The embodiment of the invention relates to the technical field of IT applications and discloses a DDOS attack detection method, a DDOS attack detection device, electronic equipment and a storage medium. The method comprises: acquiring, in real time, the traffic data of a target IP flowing through the edge router corresponding to a computing node within a unit of time; acquiring a traffic baseline model corresponding to the target IP; when, according to the acquired traffic data and the traffic baseline model corresponding to the target IP, a suspected alarm occurs for the target IP within the unit of time, updating the suspected alarm set maintained by the computing node by using the sharing mechanism of the multiple computing nodes of a blockchain network; and determining the final DDOS attack detection result for the target IP from the updated suspected alarm set maintained by the computing node by using a preset rule. The invention deploys the computing node directly at the near-source end for detection, and the detection result is reliable.

Description

DDOS attack detection method and device, electronic equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of IT applications, in particular to a DDOS attack detection method and device, electronic equipment and a storage medium.
Background
In current Distributed Denial of Service (DDOS) protection systems, detection of DDOS attacks originating from the Internet of Things mainly analyzes the network situation at the attacked target. The required data comes from NetFlow logs output by the routers; the logs are collected centrally and then sent to a detection system for analysis, which belongs to the category of DFI (deep flow analysis). The detection scheme sets a threshold, per minute, on the number of packets or the traffic volume flowing into a given IP, and when the packet count or traffic of some class is found to rise abnormally and exceed the threshold, the IP is considered to be under a DDOS attack from the Internet of Things. When an attack is detected, the corresponding scrubbing equipment must be linked in to clean the attack traffic by traffic diversion or similar means. The inventors found that in the prior art the threshold is derived from experience, and practice shows that such thresholds produce many false positives and false negatives and cannot reflect the time-series characteristics of network traffic; that whether a DDOS attack exists can only be judged within 3 minutes, so timeliness is low; that the ability to detect low-rate attacks is weak; that traffic scrubbing equipment is required and the scrubbing process can seriously affect normal service; and that an excessive sampling ratio of the NetFlow logs causes serious distortion of the data.
Disclosure of Invention
Embodiments of the present invention provide a DDOS attack detection method, an electronic device, an apparatus and a computer-readable storage medium, which deploy computing nodes directly at the near-source end for detection, implement secure and reliable communication among the computing nodes by using blockchain technology, perform a comprehensive secondary analysis of the primary detection results to form a reliable final detection result, and thus improve detection reliability.
In order to solve the above technical problem, an embodiment of the present invention provides a DDOS attack detection method, where the method includes:
acquiring, in real time, the traffic data of a target IP flowing through the edge router corresponding to the computing node within a unit of time;
acquiring a traffic baseline model corresponding to the target IP;
determining, from the acquired traffic data and the traffic baseline model corresponding to the target IP, whether a suspected alarm of a DDOS (distributed denial of service) attack occurs for the target IP within the unit of time;
when a suspected alarm occurs for the target IP within the unit of time, updating the suspected alarm set maintained by the computing node by using the sharing mechanism of the multiple computing nodes of the blockchain network;
and determining the final DDOS attack detection result for the target IP from the updated suspected alarm set maintained by the computing node by using a preset rule.
Preferably, acquiring the traffic baseline model corresponding to the target IP includes:
acquiring multiple groups of traffic data flowing to the target IP at unit-time intervals within a first target time period;
normalizing the multiple groups of traffic data;
and clustering the normalized groups of traffic data to obtain the traffic baseline model.
Preferably, determining, from the acquired traffic data and the traffic baseline model corresponding to the target IP, whether a suspected DDOS attack alarm occurs for the target IP within the unit of time includes:
when the acquired traffic data can be clustered into one class with the traffic baseline model corresponding to the target IP, determining that no suspected alarm occurs for the target IP within the unit of time;
and when the acquired traffic data cannot be clustered with the traffic baseline model corresponding to the target IP, determining that a suspected alarm occurs for the target IP within the unit of time.
Preferably, when a suspected alarm is determined to occur for the target IP within the unit of time, updating the suspected alarm set maintained by the computing node by using the sharing mechanism of the multiple computing nodes of the blockchain network includes:
broadcasting an add-suspected-alarm request to the blockchain network, so that the other computing nodes in the blockchain network add the suspected alarm of the target IP to the suspected alarm sets they maintain.
Preferably, determining the final DDOS attack detection result for the target IP from the updated suspected alarm set maintained by the computing node by using a preset rule includes:
acquiring, from the updated suspected alarm set maintained by the computing node, the target suspected alarm set of the target IP within a second target time period;
counting the number of times a target protocol occurs in the target suspected alarm set;
and when the count is greater than a count threshold, determining that the target IP is under DDOS attack.
Preferably, the method further comprises:
when the target IP is determined to be under DDOS attack, obtaining the source IP that initiated the attack;
determining, from the source IP, whether the smart device corresponding to the source IP is within the jurisdiction of the edge router;
and when the smart device corresponding to the source IP is within the jurisdiction of the edge router, sending a filtering instruction for filtering the source IP and/or the target protocol to the edge router.
Preferably, the method further comprises:
when a suspected alarm occurs at any other computing node in the blockchain network, receiving the broadcast add-suspected-alarm request sent by that computing node;
verifying the add-suspected-alarm request in the received broadcast;
and after verification passes, adding the suspected alarm in the received broadcast to the suspected alarm set maintained by the computing node.
In order to solve the above problem, the present invention further provides a DDOS attack detection apparatus, comprising:
a traffic acquisition module, configured to acquire in real time the traffic data of a target IP flowing through the edge router corresponding to the computing node within a unit of time;
a model acquisition module, configured to acquire the traffic baseline model corresponding to the target IP;
an alarm determination module, configured to determine, from the acquired traffic data and the traffic baseline model corresponding to the target IP, whether a suspected DDOS attack alarm occurs for the target IP within the unit of time;
an updating module, configured to update the suspected alarm set maintained by the computing node by using the sharing mechanism of the multiple computing nodes of the blockchain network when a suspected alarm occurs for the target IP within a unit of time;
and the alarm determination module is further configured to determine the final DDOS attack detection result for the target IP from the updated suspected alarm set maintained by the computing node by using a preset rule.
In order to solve the above problem, the present invention also provides an electronic device, comprising:
a memory storing at least one instruction; and
a processor that executes the instruction stored in the memory to implement the DDOS attack detection method described above.
In order to solve the above problem, the present invention further provides a computer-readable storage medium, having at least one instruction stored therein, where the at least one instruction is executed by a processor in an electronic device to implement the DDOS attack detection method described above.
The embodiment of the invention acquires in real time the traffic data of the target IP flowing through the edge router corresponding to the computing node within a unit of time; determines a primary detection result for the target IP in that unit of time from the acquired traffic data and the traffic baseline model corresponding to the target IP; realizes secure and reliable communication among multiple computing nodes by using blockchain technology and, when a suspected alarm for the target IP in the unit of time is determined, updates the suspected alarm set maintained by the computing node by using the sharing mechanism of the multiple computing nodes of the blockchain network; and determines the final DDOS attack detection result for the target IP from the updated suspected alarm set maintained by the computing node by using a preset rule. Detection results are thereby shared, a comprehensive secondary analysis of the primary detection results forms a reliable final detection result, and detection reliability improves.
Furthermore, when a single computing node obtains a formal alarm it also obtains the address of the smart device initiating the attack and the protocol of the traffic that produced the alarm. The computing node judges whether the attacking smart device is within the jurisdiction of the edge router connected to it and, if so, sends a filtering instruction to that edge router. Malicious traffic is detected and handled near its source, so no dedicated handling device is needed and normal business is not affected; the method is low in cost and small in impact.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings, which correspond to the figures in which like reference numerals refer to similar elements and which are not to scale unless otherwise specified.
Fig. 1 is an application environment diagram of a DDOS attack detection method according to a preferred embodiment of the present invention.
Fig. 2 is a flowchart illustrating a DDOS attack detection method according to a first preferred embodiment of the present invention.
Fig. 3 is a flowchart of a refinement of S2 in fig. 2 according to an embodiment of the present invention.
Fig. 3a is a schematic diagram of a traffic baseline model according to an embodiment of the present invention.
Fig. 3b is a schematic diagram of traffic data that can be clustered with the traffic baseline model according to an embodiment of the present invention.
Fig. 3c is a schematic diagram of traffic data that cannot be clustered with the traffic baseline model according to an embodiment of the present invention.
Fig. 4 is a flowchart of a refinement of S5 in fig. 2 according to an embodiment of the present invention.
Fig. 5 is a flowchart illustrating a DDOS attack detection method according to a second preferred embodiment.
Fig. 6 is a schematic block diagram of a DDOS attack detection apparatus according to an embodiment of the present invention.
Fig. 7 is a schematic diagram of the internal structure of an electronic device implementing a DDOS attack detection method according to an embodiment of the present invention.
the objects, features and advantages of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in detail below with reference to the accompanying drawings. Those of ordinary skill in the art will appreciate that numerous technical details are set forth so that the present application can be better understood in its various embodiments; the technical solution claimed in the present application can, however, be implemented without these technical details, and with various changes and modifications based on the following embodiments.
The invention relates to a Distributed Denial of Service (DDOS) attack detection method whose core, in this embodiment, is to acquire in real time the traffic data of a target IP flowing through the edge router corresponding to a computing node within a unit of time; to determine a primary detection result for the target IP in that unit of time from the acquired traffic data and the traffic baseline model corresponding to the target IP; to realize secure and reliable communication among multiple computing nodes by using blockchain technology and, when a suspected alarm for the target IP in the unit of time is determined, to update the suspected alarm set maintained by the computing node by using the sharing mechanism of the multiple computing nodes of the blockchain network; and to determine the final DDOS attack detection result for the target IP from the updated suspected alarm set by using a preset rule. Detection results are thereby shared, and a comprehensive secondary analysis of the primary detection results forms a reliable final detection result, improving detection reliability. The implementation details of DDOS attack detection according to this embodiment are described below; the description is provided only for ease of understanding and is not necessary for implementing the embodiment.
Fig. 1 is a schematic diagram of the application environment of a DDOS attack detection method according to a first preferred embodiment of the present invention. The method is applied to a network architecture comprising computing nodes, edge routers and smart device groups, which communicate with one another over a network.
One computing node corresponds to one edge router, one edge router corresponds to one smart device group, and each smart device group comprises a plurality of smart devices.
Computing nodes include, but are not limited to, servers, computers and the like.
Smart devices include, but are not limited to, mobile phones, computers, wearable devices, cameras, vehicle-mounted electronic devices, video cameras and other electronic devices accessing the Internet of Things.
Each edge router that connects a smart device group to the Internet of Things is attached to a monitoring computing node. Each computing node mirrors, from the router, the traffic flowing through its corresponding edge router, and can therefore count the traffic generated by all smart devices governed by that router.
Internet of Things devices have distinctive traffic characteristics because each runs a single service. For example, the traffic of a home camera is almost entirely User Datagram Protocol (UDP), apart from a small amount of TCP traffic (management information). Based on the content transmitted in the packets, the size of the data feature set can be taken as roughly constant. Meanwhile, the number of IPs that an Internet of Things device connects to is small, generally no more than 10, so a single computing node can count and analyze the traffic from a single smart device to a given target host in order to determine whether the target IP is under DDOS attack.
Referring to fig. 2, fig. 2 is a flowchart of a DDOS attack detection method according to the first preferred embodiment of the present invention. The flow is executed on a computing node; the order of the steps may be changed and some steps may be omitted according to different requirements.
The DDOS attack detection method is described in detail below with reference to fig. 2, and includes:
S1, acquiring in real time the traffic data of the target IP flowing through the edge router corresponding to the computing node within a unit of time.
In this embodiment, each computing node mirrors, from the router, the traffic flowing through its corresponding edge router, and can therefore count the traffic generated by all smart devices governed by that router.
Specifically, the computing node obtains the packets of the target IP that flow through its corresponding edge router within the unit of time and, taking the target IP together with the layer-3 and layer-4 protocols as the unit of aggregation, derives from those packets the traffic data of the target IP for that unit of time.
The unit of time is the interval over which traffic data is aggregated, for example 30 seconds. When traffic data is acquired in real time, one acquisition is made every unit of time, so that DDOS attacks can subsequently be detected in real time and timeliness improves.
The fields taken from the acquired packets include, but are not limited to, source IP, traffic volume and packet rate. The acquired traffic data is a two-dimensional vector comprising traffic volume and packet rate.
For example, for the IP "23.24.198.22" and the protocol "TCP", the feature value counted every 30 seconds over a period of time yields a series of two-dimensional vectors [traffic, packet rate].
In this embodiment, unsampled network packets are analyzed directly, which improves the reliability of subsequent detection.
S2, acquiring the traffic baseline model corresponding to the target IP.
Fig. 3 is a flowchart illustrating a refinement of S2 in fig. 2 according to this embodiment of the present invention.
Step S2 specifically comprises:
S21, acquiring multiple groups of traffic data flowing to the target IP at unit-time intervals within a first target time period.
In this embodiment, each group of traffic data is a two-dimensional vector comprising traffic volume and packet rate. Within the first target time period (for example, 2 hours), multiple groups of traffic data are acquired.
S22, normalizing the multiple groups of traffic data.
In this embodiment, because the two dimensions of each group of traffic data have different units, each group is normalized into a dimensionless two-dimensional vector to facilitate subsequent detection and calculation.
S23, clustering the normalized groups of traffic data to obtain the traffic baseline model.
In this embodiment, the normalized groups of traffic data are clustered to obtain at least one class, and the class containing the most samples is taken as the traffic baseline model; the remaining classes, which contain only a few isolated samples, are excluded.
Fig. 3a is a schematic diagram of a traffic baseline model provided in this embodiment: the traffic baseline model of the normal situation for target IP "23.24.198.22", after excluding the isolated-sample class in the upper right corner of fig. 3a.
S3, determining, from the acquired traffic data and the traffic baseline model corresponding to the target IP, whether a suspected DDOS attack alarm occurs for the target IP within the unit of time.
In this embodiment, determining whether a suspected DDOS attack alarm occurs for the target IP within the unit of time, from the acquired traffic data and the traffic baseline model corresponding to the target IP, includes:
when the acquired traffic data can be clustered into one class with the traffic baseline model corresponding to the target IP, determining that no suspected alarm occurs for the target IP within the unit of time;
and when the acquired traffic data cannot be clustered with the traffic baseline model corresponding to the target IP, determining that a suspected alarm occurs for the target IP within the unit of time.
For example, fig. 3b is a schematic diagram of traffic data that can be clustered with the traffic baseline model according to this embodiment. The acquired traffic data is represented by sample point a; since sample point a is not isolated in fig. 3b, the traffic it represents belongs to normal traffic data and no suspected alarm occurs.
In this embodiment, a clustering algorithm performs the initial DDOS attack detection, which greatly reduces the intervention of human experience and improves detection accuracy.
Fig. 3c is a schematic diagram of traffic data that cannot be clustered with the traffic baseline model according to this embodiment. The acquired traffic data is again represented by sample point a; in fig. 3c, sample point a is isolated and cannot be placed in one class with the traffic baseline model, which indicates that the traffic it represents is not normal traffic data, and a suspected alarm occurs.
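The first-stage detection of S1 to S3 as a runnable example (added here; not the patent's code). Each sample is one 30-second unit of [traffic bytes, packet rate] for one target IP and protocol; the baseline is the largest cluster found by a DBSCAN-style density rule over the first target period (an assumption, since the patent does not name its clustering algorithm), and a new sample raises a suspected alarm when it cannot be clustered with that baseline. The training data, the radius eps and the density min_pts are constructed.

```python
"""Added example (not the patent's code): first-stage DDOS detection, steps S1-S3.
The clustering algorithm (DBSCAN-style density rule) and all sample values are
assumptions; the patent only states that samples are normalized, clustered, and
that an isolated sample is a suspected alarm."""
import math
import random
from dataclasses import dataclass


@dataclass
class BaselineModel:
    points: list      # normalized samples of the baseline class
    lo: tuple         # per-dimension minimum used for normalization
    hi: tuple         # per-dimension maximum used for normalization
    eps: float        # neighbourhood radius in normalized space
    min_pts: int      # density needed for a core point


def normalize(samples, lo, hi):
    """S22: min-max scale each dimension to [0, 1] with the training ranges, so the
    two dimensions (bytes and packets/second) become dimensionless."""
    return [tuple((v - l) / (h - l) if h > l else 0.0
                  for v, l, h in zip(s, lo, hi)) for s in samples]


def neighbors(pt, pts, eps):
    return [i for i, q in enumerate(pts) if math.dist(pt, q) <= eps]


def dbscan(pts, eps, min_pts):
    """Return clusters as lists of indices; isolated (noise) points belong to none."""
    label = {}                      # index -> cluster id, or -1 for noise
    clusters = []
    for i in range(len(pts)):
        if i in label:
            continue
        nb = neighbors(pts[i], pts, eps)
        if len(nb) < min_pts:
            label[i] = -1
            continue
        cid = len(clusters)
        clusters.append([i])
        label[i] = cid
        queue = list(nb)
        while queue:
            j = queue.pop()
            if label.get(j) == -1:  # noise reachable from a core point: border point
                label[j] = cid
                clusters[cid].append(j)
                continue
            if j in label:
                continue
            label[j] = cid
            clusters[cid].append(j)
            nb_j = neighbors(pts[j], pts, eps)
            if len(nb_j) >= min_pts:  # core point: keep expanding the class
                queue.extend(nb_j)
    return clusters


def build_baseline_model(samples, eps=0.05, min_pts=5):
    """S21-S23: normalize the first-period samples, cluster them and keep the
    class with the most samples as the traffic baseline model."""
    lo = tuple(min(s[d] for s in samples) for d in range(2))
    hi = tuple(max(s[d] for s in samples) for d in range(2))
    norm = normalize(samples, lo, hi)
    largest = max(dbscan(norm, eps, min_pts), key=len)
    return BaselineModel([norm[i] for i in largest], lo, hi, eps, min_pts)


def is_suspected(sample, model):
    """S3: the new unit joins the baseline class if it is density-reachable from
    it (at least min_pts baseline points within eps); otherwise it is isolated
    and a suspected alarm is raised."""
    pt = normalize([sample], model.lo, model.hi)[0]
    return len(neighbors(pt, model.points, model.eps)) < model.min_pts


# Constructed training data: 2 hours of 30-second units (240 samples) of UDP
# traffic from a home camera towards one target IP, plus three isolated
# management bursts that must not become part of the baseline.
_rng = random.Random(7)
TRAINING = [(_rng.uniform(1.3e6, 1.7e6), _rng.uniform(900, 1100)) for _ in range(240)]
TRAINING += [(5.0e6, 3000.0), (4.5e6, 2800.0), (6.0e6, 50.0)]

if __name__ == "__main__":
    model = build_baseline_model(TRAINING)
    print("samples in baseline class:", len(model.points))
    print("normal unit suspected:", is_suspected((1.5e6, 1000.0), model))
    print("flood unit suspected:", is_suspected((9.0e7, 2.0e5), model))
```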
S4, when a suspected alarm occurs for the target IP within the unit of time, updating the suspected alarm set maintained by the computing node by using the sharing mechanism of the multiple computing nodes of the blockchain network.
In this embodiment, the blockchain network comprises multiple computing nodes, and secure and reliable data sharing and analysis among the distributed nodes is realized by using the blockchain consensus mechanism and a smart contract. When a single computing node finds a DDOS attack alarm for a certain IP from smart devices, only a suspected alarm is generated; the final detection result can be obtained only by integrating and analyzing the primary detection results of all computing nodes. That is, a single node needs the detection results shared by the other nodes to reach an autonomous decision.
A per-IP suspected alarm set A_ip = {V_t1, V_t2, ..., V_tn} is defined in a smart contract in the blockchain network, where the subscript tn denotes a timestamp and V_tn = {timestamp, source IP, protocol family, traffic sum within 30 seconds, packet-rate sum within 30 seconds}. For example, the suspected alarm set for target IP "23.24.198.22" is as follows:
A_23.24.198.22 = {
[1565675160,23.34.56.9,TCP,43254525,3424],
[1565675190,23.34.56.9,ICMP,27534,563],
[1565675220,23.34.56.1,UDP,768536,24579]
}
Each computing node in the blockchain network maintains a suspected alarm set A_ip locally.
Preferably, when a suspected alarm is determined to occur for the target IP within the unit of time, updating the suspected alarm set maintained by the computing node by using the sharing mechanism of the multiple computing nodes of the blockchain network includes:
broadcasting an add-suspected-alarm request to the blockchain network, so that the other computing nodes in the blockchain network add the suspected alarm of the target IP to the suspected alarm sets they maintain.
Specifically, after a single computing node X obtains a suspected alarm through the clustering algorithm, the smart-contract rule for adding the suspected alarm to the set is triggered and the request is broadcast to the whole network. When the other nodes receive the broadcast they verify the add request, checking the digital signature and the data format of the requesting node. If verification passes, computing node X adds the suspected alarm to the set A_ip it maintains locally, and the other nodes update their local sets at the same time; if verification fails, computing node X performs no update.
Preferably, the method further comprises:
when a suspected alarm occurs at any other computing node, receiving the broadcast add-suspected-alarm request sent by that computing node;
verifying the add-suspected-alarm request in the received broadcast;
and after verification passes, adding the suspected alarm in the received broadcast to the suspected alarm set maintained by the computing node.
Likewise, when the computing node verifies a request sent by any other computing node, it verifies that node's digital signature and the data format.
In the above embodiment, when a single computing node in the blockchain network suspects an attack, the initial detection results of all computing nodes in the blockchain network are integrated and analyzed to obtain the updated suspected alarm set. That is, a single node relies on the detection results shared by the other nodes to reach an autonomous decision, which improves detection reliability.
S5, determining the final DDOS attack detection result for the target IP from the updated suspected alarm set maintained by the computing node by using a preset rule.
In this embodiment, the rule for analyzing the suspected alarm set to obtain a DDOS alarm is defined in the smart contract. The rule is: taking a certain protocol family of a certain target IP as the granularity, count the number of anomalies within a time period, and if the count exceeds a preset threshold, determine that an alarm occurs. Fig. 4 is a flowchart illustrating a refinement of S5 in fig. 2 according to this embodiment. Step S5 specifically comprises:
S51, obtaining, from the updated suspected alarm set maintained by the computing node, the target suspected alarm set of the target IP within a second target time period.
S52, counting the number of times the target protocol occurs in the target suspected alarm set.
In this embodiment, the target protocol comprises the ICMP protocol.
S53, when the count is greater than the count threshold, determining that the target IP is under DDOS attack.
For example, the updated target suspected alarm set for 23.24.198.22 is as follows:
[1565675160,23.34.57.1,ICMP,91316521,199931],
[1565675160,23.34.56.2,ICMP,92012211,208706],
[1565675160,164.34.76.88,TCP,43225,324],
[1565675160,23.34.26.9,ICMP,91547018,179915],
[1565675160,23.34.36.11,ICMP,89567899,198706],
[1565675160,23.34.36.12,ICMP,90612733,181538],
[1565675130,164.33.76.18,TCP,23479,132],
[1565675100,165.34.56.92,TCP,45279,235]
within 30 seconds of "1565675130-.
In this embodiment, as shown in fig. 5, which is a flowchart of a DDOS attack detection method according to a second preferred embodiment, the method further includes, after S5:
S6, when it is determined that the target IP is under DDOS attack, obtaining the source IP that initiated the attack.
In the embodiment of the invention, the source IP that initiated the attack is obtained from the target suspected alarm set.
S7, determining, according to the source IP, whether the intelligent device corresponding to the source IP is within the jurisdiction range of the edge router.
S8, when the intelligent device corresponding to the source IP is within the jurisdiction range of the edge router, sending a filtering instruction containing the source IP and/or the target protocol to the edge router.
In this embodiment, when a single computing node produces a formal alarm, it simultaneously obtains the address of the intelligent device that initiated the attack and the protocol of the traffic that generated the alarm. The computing node judges whether that intelligent device is within the jurisdiction range of the edge router connected to the computing node, and if so, sends a filtering instruction to that edge router. The embodiment of the invention thus detects and handles malicious traffic close to its source, without dedicated mitigation equipment and without affecting normal business, at low cost and with small impact.
In the embodiment of the invention, the acquired data is not analysed from Netflow logs; the unsampled network packets are analysed directly, and the computing power of a plurality of distributed nodes is used for precise computation, which improves the reliability of detection.
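The preset rule of S51-S53 applied to the alarm set listed above, followed by the near-source filtering of S6-S8, as an added worked example that is not code from the patent. The entry layout [timestamp, source IP, protocol, counter, counter], the 30-second window ending at the newest alarm, the times threshold of 3 and the jurisdiction prefix 23.34.0.0/16 are assumptions.

```python
"""Worked example of the preset rule (S51-S53) and near-source filtering (S6-S8).

Assumptions (not stated on the page): entries are [timestamp, source IP, protocol,
counter, counter]; the second target time period is the 30 s window ending at the
newest alarm; the times threshold (3) and jurisdiction prefix are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SuspectedAlarm:
    timestamp: int
    source_ip: str
    protocol: str
    counter_a: int  # the two trailing numbers of each entry; the description
    counter_b: int  # does not name them, so they are carried through unchanged


def parse_alarm(entry: str) -> SuspectedAlarm:
    """Parse one entry such as '[1565675160,23.34.57.1,ICMP,91316521,199931],'."""
    fields = entry.strip().strip("[],").split(",")
    if len(fields) != 5:
        raise ValueError(f"unexpected alarm entry: {entry!r}")
    ts, src, proto, a, b = fields
    ipaddress.ip_address(src)  # reject malformed source addresses early
    return SuspectedAlarm(int(ts), src, proto.strip().upper(), int(a), int(b))


# Updated suspected alarm set of target IP 23.24.198.22, copied from the description.
RAW_ALARM_SET = """\
[1565675160,23.34.57.1,ICMP,91316521,199931],
[1565675160,23.34.56.2,ICMP,92012211,208706],
[1565675160,164.34.76.88,TCP,43225,324],
[1565675160,23.34.26.9,ICMP,91547018,179915],
[1565675160,23.34.36.11,ICMP,89567899,198706],
[1565675160,23.34.36.12,ICMP,90612733,181538],
[1565675130,164.33.76.18,TCP,23479,132],
[1565675100,165.34.56.92,TCP,45279,235]
"""


def target_alarm_set(alarms, window_end, window_seconds=30):
    """S51: the target suspected alarm set within the second target time period."""
    start = window_end - window_seconds
    return [a for a in alarms if start <= a.timestamp <= window_end]


def protocol_counts(target_set):
    """S52: number of times each protocol occurs in the target suspected alarm set."""
    return Counter(a.protocol for a in target_set)


def is_ddos(target_set, target_protocol, times_threshold):
    """S53: the target IP is under DDOS attack when the count exceeds the threshold."""
    return protocol_counts(target_set)[target_protocol] > times_threshold


def attack_sources(target_set, target_protocol):
    """S6: source IPs that initiated the attack, read from the target suspected alarm set."""
    return sorted({a.source_ip for a in target_set if a.protocol == target_protocol})


def filtering_instruction(sources, target_protocol, jurisdiction):
    """S7/S8: keep the sources whose device lies within the edge router's jurisdiction
    and build the filtering instruction (source IPs and target protocol) sent to it."""
    nets = [ipaddress.ip_network(n) for n in jurisdiction]
    local = [s for s in sources if any(ipaddress.ip_address(s) in n for n in nets)]
    if not local:
        return None  # nothing the connected edge router can filter near the source
    return {"action": "filter", "protocol": target_protocol, "source_ips": local}


def detect(raw_set=RAW_ALARM_SET, target_protocol="ICMP", times_threshold=3,
           jurisdiction=("23.34.0.0/16",)):
    """Run S51-S53 and, on a formal alarm, S6-S8 over a raw suspected alarm set."""
    alarms = [parse_alarm(line) for line in raw_set.splitlines() if line.strip()]
    window_end = max(a.timestamp for a in alarms)
    tset = target_alarm_set(alarms, window_end)
    count = protocol_counts(tset)[target_protocol]
    result = {"attacked": is_ddos(tset, target_protocol, times_threshold),
              "count": count, "instruction": None}
    if result["attacked"]:
        result["instruction"] = filtering_instruction(
            attack_sources(tset, target_protocol), target_protocol, jurisdiction)
    return result
```

With the sample set, the 1565675100 entry falls outside the window, ICMP occurs 5 times (above the assumed threshold), and all five ICMP sources lie inside the assumed jurisdiction, so a filtering instruction is produced; the same set judged for TCP yields no formal alarm.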
Fig. 6 is a functional block diagram of the DDOS attack detection apparatus according to the present invention.
The DDOS attack detection apparatus 100 according to the present invention may be installed in an electronic device. According to the implemented functions, the DDOS attack detection apparatus may include a traffic obtaining module 101, a model obtaining module 102, an alarm determining module 103, and an updating module 104. A module according to the present invention, which may also be referred to as a unit, refers to a series of computer program segments that can be executed by a processor of an electronic device and that can perform a fixed function, and that are stored in a memory of the electronic device.
In the present embodiment, the functions regarding the respective modules/units are as follows:
a traffic obtaining module 101, configured to obtain traffic data of a target IP flowing through the edge router corresponding to the computing node in unit time in real time;
a model obtaining module 102, configured to obtain a traffic baseline model corresponding to the target IP;
an alarm determining module 103, configured to determine whether a suspected alarm of a suspected DDOS attack occurs to the target IP within a unit time according to the obtained traffic data and a traffic baseline model corresponding to the target IP;
an updating module 104, configured to update a suspected alarm set maintained by a computing node by using a sharing mechanism of multiple computing nodes of the block chain network when a suspected alarm occurs in the target IP within a certain unit time;
the alarm determination module 103 is further configured to determine a final DDOS attack detection result of the target IP by using a preset rule according to the updated suspected alarm set maintained by the computing node.
The modules in the apparatus provided by the application can acquire, in real time, the traffic data of the target IP flowing through the edge router corresponding to the computing node in unit time; determine a primary detection result of the target IP in unit time according to the acquired traffic data and the traffic baseline model corresponding to the target IP; realize safe and reliable communication among a plurality of computing nodes by using blockchain technology, and, when a suspected alarm of the target IP in unit time is determined, update the suspected alarm set maintained by the computing node by using the sharing mechanism of the plurality of computing nodes of the blockchain network; and determine a final DDOS attack detection result of the target IP by using a preset rule according to the updated suspected alarm set maintained by the computing node. Detection results are thereby shared, a comprehensive secondary analysis is carried out on the primary detection result to form a reliable final detection result, and detection reliability is improved. In operation, the apparatus achieves the same technical effects as the method embodiment.
Fig. 7 is a schematic structural diagram of an electronic device implementing a DDOS attack detection method according to the present invention.
The electronic device 1 may comprise a processor 10, a memory 11 and a bus, and may further comprise a computer program, such as a DDOS attack detection program 12, stored in the memory 11 and executable on the processor 10. The electronic device 1 is installed with a Web firewall of a Web application.
The memory 11 includes at least one type of readable storage medium, which includes flash memory, removable hard disk, multimedia card, card-type memory (e.g., SD or DX memory, etc.), magnetic memory, magnetic disk, optical disk, etc. The memory 11 may in some embodiments be an internal storage unit of the electronic device 1, such as a removable hard disk of the electronic device 1. The memory 11 may also be an external storage device of the electronic device 1 in other embodiments, such as a plug-in mobile hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the electronic device 1. Further, the memory 11 may also include both an internal storage unit and an external storage device of the electronic device 1. The memory 11 may be used not only to store application software installed in the electronic device 1 and various types of data, such as codes of a DDOS attack detection program, but also to temporarily store data that has been output or is to be output.
The processor 10 may be composed of an integrated circuit in some embodiments, for example, a single packaged integrated circuit, or may be composed of a plurality of integrated circuits packaged with the same or different functions, including one or more Central Processing Units (CPUs), microprocessors, digital Processing chips, graphics processors, and combinations of various control chips. The processor 10 is a Control Unit (Control Unit) of the electronic device, connects various components of the whole electronic device by using various interfaces and lines, and executes various functions and processes data of the electronic device 1 by running or executing programs or modules (for example, executing a DDOS attack detection program and the like) stored in the memory 11 and calling data stored in the memory 11.
The bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. The bus is arranged to enable connection communication between the memory 11 and at least one processor 10 or the like.
Fig. 7 only shows an electronic device with components, and it will be understood by a person skilled in the art that the structure shown in fig. 7 does not constitute a limitation of the electronic device 1, and may comprise fewer or more components than shown, or a combination of certain components, or a different arrangement of components.
For example, although not shown, the electronic device 1 may further include a power supply (such as a battery) for supplying power to each component, and preferably, the power supply may be logically connected to the at least one processor 10 through a power management device, so as to implement functions of charge management, discharge management, power consumption management, and the like through the power management device. The power supply may also include any component of one or more dc or ac power sources, recharging devices, power failure detection circuitry, power converters or inverters, power status indicators, and the like. The electronic device 1 may further include various sensors, a bluetooth module, a Wi-Fi module, and the like, which are not described herein again.
Further, the electronic device 1 may further include a network interface, and optionally, the network interface may include a wired interface and/or a wireless interface (such as a WI-FI interface, a bluetooth interface, etc.), which are generally used for establishing a communication connection between the electronic device 1 and other electronic devices.
Optionally, the electronic device 1 may further comprise a user interface, which may be a Display (Display), an input unit (such as a Keyboard), and optionally a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the electronic device 1 and for displaying a visualized user interface, among other things.
It is to be understood that the described embodiments are for purposes of illustration only and that the scope of the appended claims is not limited to such structures.
The DDOS attack detection program 12 stored in the memory 11 of the electronic device 1 is a combination of a plurality of instructions that, when executed by the processor 10, enable:
acquiring flow data of a target IP flowing through the edge router corresponding to the computing node in unit time in real time;
acquiring a flow baseline model corresponding to the target IP;
determining whether the target IP is suspected to be attacked by DDOS (distributed denial of service) in unit time or not according to the acquired traffic data and a traffic baseline model corresponding to the target IP;
when the suspected alarm occurs in the target IP within unit time, updating a suspected alarm set maintained by the computing node by using a sharing mechanism of a plurality of computing nodes of the block chain network;
and determining a final DDOS attack detection result of the target IP by using a preset rule according to the updated suspected alarm set maintained by the computing node.
For the specific implementation of the instructions executed by the processor, reference may be made to the relevant steps of the corresponding embodiment, which are not repeated here.
Further, the integrated modules/units of the electronic device 1, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer readable storage medium. The computer-readable medium may include: any entity or device capable of carrying said computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM).
The computer-readable storage medium has stored thereon a DDOS attack detection program executable by one or more processors to:
acquiring flow data of a target IP flowing through the edge router corresponding to the computing node in unit time in real time;
acquiring a flow baseline model corresponding to the target IP;
determining whether the target IP is suspected to be attacked by DDOS (distributed denial of service) in unit time or not according to the acquired traffic data and a traffic baseline model corresponding to the target IP;
when the suspected alarm occurs in the target IP within unit time, updating a suspected alarm set maintained by the computing node by using a sharing mechanism of a plurality of computing nodes of the block chain network;
and determining a final DDOS attack detection result of the target IP by using a preset rule according to the updated suspected alarm set maintained by the computing node.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus, device and method can be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof.
The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the system claims may also be implemented by one unit or means in software or hardware. The terms second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (10)

1. A DDOS attack detection method is applied to a computing node of a block chain network, and comprises the following steps:
acquiring flow data of a target IP flowing through the edge router corresponding to the computing node in unit time in real time;
acquiring a flow baseline model corresponding to the target IP;
determining whether the target IP is suspected to be attacked by DDOS (distributed denial of service) in unit time or not according to the acquired traffic data and a traffic baseline model corresponding to the target IP;
when the suspected alarm occurs in the target IP within unit time, updating a suspected alarm set maintained by the computing node by using a sharing mechanism of a plurality of computing nodes of the block chain network;
and determining a final DDOS attack detection result of the target IP by using a preset rule according to the updated suspected alarm set maintained by the computing node.
2. A DDOS attack detection method according to claim 1, wherein said obtaining a traffic baseline model corresponding to said target IP comprises:
acquiring a plurality of groups of flow data flowing through the target IP at unit intervals in a first target time period;
normalizing the plurality of sets of traffic data;
and clustering the normalized multiple groups of flow data to obtain the flow baseline model.
3. The DDOS attack detection method of claim 1, wherein the determining whether the suspected alarm of the suspected DDOS attack on the target IP occurs within a unit time according to the obtained traffic data and the traffic baseline model corresponding to the target IP comprises:
when the acquired flow data can be clustered into one class with the flow baseline model corresponding to the target IP, determining that no suspected alarm occurs in the target IP within unit time;
and when the acquired flow data cannot be clustered with the flow baseline model corresponding to the target IP, determining that the target IP is suspected to be alarmed in unit time.
4. A DDOS attack detection method according to claim 1, wherein said updating the suspected alarm set maintained by the compute node using a multiple compute node sharing mechanism of the blockchain network when the suspected alarm occurs in the target IP within a certain unit time comprises:
and broadcasting an adding suspected alarm request to the blockchain network so that other computing nodes in the blockchain network add the suspected alarm of the target IP in a suspected alarm set maintained by the other computing nodes.
5. A DDOS attack detection method according to claim 1, wherein said determining a final DDOS attack detection result of said target IP using a preset rule according to the updated suspected alarm set maintained by said compute node comprises:
acquiring a target suspected alarm set of the target IP in a second target time period from the updated suspected alarm set maintained by the computing node;
calculating the times of occurrence of a target protocol in the target suspected alarm set;
and when the calculated times are greater than a time threshold value, determining that the target IP is attacked by the DDOS.
6. A DDOS attack detection method according to any of claims 1 to 5, further comprising:
when the target IP is determined to be attacked by the DDOS, a source IP which initiates the attack is obtained;
determining whether the intelligent equipment corresponding to the source IP is in the jurisdiction range of the edge router or not according to the source IP;
and when the intelligent device corresponding to the source IP is in the jurisdiction range of the edge router, sending a filtering instruction for filtering the source IP and/or the target protocol to the edge router.
7. A DDOS attack detection method according to any of claims 1 to 5, further comprising:
when a suspected alarm occurs at any other computing node of the block chain network, receiving the broadcast of the suspected alarm adding request sent by that computing node;
verifying the suspected alarm adding request in the received broadcast;
and after the verification is passed, adding the suspected alarm in the received broadcast to a suspected alarm set maintained by the computing node.
8. A DDOS attack detection apparatus, the apparatus comprising:
the traffic acquisition module is used for acquiring traffic data of a target IP flowing through the edge router corresponding to the computing node in unit time in real time;
the model acquisition module is used for acquiring a flow baseline model corresponding to the target IP;
the alarm determination module is used for determining whether the target IP is suspected to have a suspected alarm of a suspected DDOS attack in unit time according to the acquired flow data and the flow baseline model corresponding to the target IP;
the updating module is used for updating a suspected alarm set maintained by the computing nodes by utilizing a plurality of computing node sharing mechanisms of the block chain network when the suspected alarm occurs in the target IP within a certain unit time;
and the alarm determination module is also used for determining a final DDOS attack detection result of the target IP by using a preset rule according to the updated suspected alarm set maintained by the computing node.
9. An electronic device, characterized in that the electronic device comprises:
a memory storing at least one instruction; and
a processor executing instructions stored in the memory to implement the DDOS attack detection method of any of claims 1-7.
10. A computer-readable storage medium characterized by: the computer-readable storage medium has stored therein at least one instruction that is executed by a processor in an electronic device to implement the DDOS attack detection method of any of claims 1-7.
CN202010035576.7A 2020-01-14 2020-01-14 DDOS attack detection method and device, electronic equipment and storage medium Pending CN111262851A (en)

Publications (1)

Publication Number Publication Date
CN111262851A true CN111262851A (en) 2020-06-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200609