CN111314323B - DDOS (distributed denial of service) accurate identification method based on application layer - Google Patents
- Publication number
- CN111314323B (application CN202010071583.2A)
- Authority
- CN
- China
- Prior art keywords
- users
- user
- access
- ddos
- abnormal
- Prior art date
- Legal status
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Complex Calculations (AREA)
Abstract
The invention discloses a DDOS (distributed denial of service) accurate identification method based on an application layer, which comprises the steps of calculating the use frequency of resources; counting to obtain an IP white list of normal access users and judging abnormal access users; counting the probability of abnormal access users among all access users; calculating the total information entropy of all access users, the information entropy of the normal-user IP white list and the information entropy of the abnormal access users; and comparing these values to determine which access users are non-authentic users simulated by the DDOS through threads. Through the information-source (entropy) calculation, the method splits the original fuzzy prediction mode into more detailed and visual data conclusions, so that the DDOS is accurately identified, the accuracy is improved, the possibility of misjudgment is reduced, and the DDOS is identified more efficiently.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a DDOS (distributed denial of service) accurate identification method based on an application layer.
Background
Computer network information security is particularly important for internet companies. Early network attacks generally used a single one-to-one attack mode, but that mode is hard to make work today because the processing capacity of current computer networks has grown many times over. A new attack mode therefore emerged, DDOS (distributed denial of service attack), in which many machines in different places are controlled to attack one or more targets at the same time, giving a much larger attack scale than before.
A webpage becomes very slow when it is accessed by a large number of users, and the page opens more and more slowly. A DDOS can use threads to simulate a large number of unreal users continuously accessing pages that consume a large amount of CPU, so that server resources are seriously wasted until the network is jammed and normal access stops. How to identify a DDOS is therefore particularly important for the technical and information security of an Internet company. Many of the identification methods commonly used today, such as checking whether a large number of useless packets arrive at the web site's background server, whether network traffic surges abnormally, or whether there are a large number of access source addresses, are not efficient: they take much time and can only identify a DDOS roughly.
Disclosure of Invention
The technical problem solved by the invention is as follows: the existing DDOS recognition method takes much time and can only roughly recognize the DDOS and is not very efficient.
The technical scheme is as follows: in order to solve the technical problems, the technical scheme adopted by the invention is as follows:
a DDOS accurate identification method based on an application layer comprises the following steps:
s1: calculating resource use frequency;
s2: counting to obtain a normal access user IP white list, and judging an abnormal access user;
s3: counting the probability of abnormal access users in all the access users;
s4: calculating the total information entropy of all access users, the information entropy of the IP white list of normal access users and the information entropy of abnormal access users;
s5: by comparison of the entropies, the non-authentic access users simulated by the DDOS through threads are determined.
Preferably, in step S1, the method for calculating the resource usage frequency according to the weight value includes:
F=G/W
in the formula: F is the resource use frequency;
G is the total resource amount of the server;
W is a weight value.
Preferably, in step S2, the normal user IP white list is obtained through access statistics of the daily users.
Preferably, the resource usage frequency of a normal access user always stays within a reasonable range of the total resource amount of the server; if it is continuously abnormal, the user is temporarily set as an abnormal access user and marked as i.
Preferably, in step S3, all access users are set as a set V, and the probability P of the abnormal access users i appearing in the set V is counted from the normal-user IP white list and the number of abnormal access users i.
Preferably, in step S4, the information entropy result is calculated by substituting the probability P into Shannon's formula:
in the formula: i is an abnormal access user;
P is the probability of i occurring.
Has the advantages that: compared with the prior art, the invention has the following advantages:
according to the method, the original fuzzy prediction mode is split into more detailed and visual data conclusions through the calculation of the information source, so that the DDOS is accurately identified, the accuracy is improved, and the possibility of misjudgment is reduced, so that the DDOS is identified more efficiently.
Drawings
FIG. 1 is a schematic structural diagram of a DDOS precise identification method based on an application layer;
Detailed Description
The present invention will be further illustrated with reference to the following specific examples, which are carried out in the light of the technical solutions of the present invention, and it should be understood that these examples are only intended to illustrate the present invention and are not intended to limit the scope of the present invention.
The method for accurately identifying the DDOS based on the application layer comprises the following steps:
step S1: calculating the resource use frequency;
each page resource has a consumption weight (weight), which is relatively high for dynamic resources. The invention calculates the resource use frequency of the user access according to the weight value, and the method comprises the following steps:
F=G/W
in the formula: F is the resource use frequency;
G is the total resource amount of the server;
W is a weight value.
S2: counting to obtain a normal access user IP white list, and judging an abnormal access user;
Because the IP addresses of current broadband users are largely intranet (private) addresses, so that a large number of normal users share one public IP, the method obtains the IP white list of normal users through access statistics of daily users, so as to reduce misjudgment as far as possible.
The resource use frequency of a normal access user stays within a reasonable range of the total resource amount of the server; if the resource use frequency is continuously abnormal, the user is temporarily set as an abnormal access user and marked as i.
S3: counting the probability of abnormal access users in all the access users;
All access users are set as a set V, and the probability P of the abnormal access users i in the set V is counted from the normal-user IP white list and the number of abnormal access users i.
S4: calculating the total information entropy of all the access users, the information entropy of the IP white list of the normal access users and the information entropy of the abnormal access users by utilizing a Shannon formula;
substituting the probability P into the following Shannon formula to calculate the information entropy result:
in the formula: i is an abnormal access user;
P is the probability of i occurring.
Suppose that the set V of all visiting users is {V0.8, V0.7, V0.9, V0.4, V0.3, V1.0, V0.8}, where the value after V is the resource use frequency. V0.4 and V0.3 are normal users on the IP white list, and the remaining users, whose resource usage frequency is continuously abnormal, are abnormal visiting users i, so the probability P is 5/7 = 0.71428571.
The total information entropy calculation result of the set V by substituting the probability P into the information entropy formula is as follows:
Entropy = -(P(F0.8)log(F0.8) + P(F0.7)log(F0.7) + P(F0.9)log(F0.9) + … + P(F0.8)log(F0.8))
the entropy of the information of the IP white list of the normal access user is calculated as follows:
Entropy = -(P(F0.4)log(F0.4) + P(F0.3)log(F0.3))
the entropy of the information of the abnormal access user i is calculated as follows:
Entropy = -(P(F0.8)log(F0.8) + P(F0.7)log(F0.7) + P(F0.9)log(F0.9) + P(F1.0)log(F1.0) + P(F0.8)log(F0.8))
s5: by comparison of the entropies, the non-authentic access users simulated by the DDOS through threads are determined.
Because the symbols sent by an information source are generally uncertain, and this uncertainty can be measured as a function (f) of the probability of occurrence, the method applies the information entropy theory of C.E. Shannon, the father of information theory, and uses the Shannon information entropy formula to split the original fuzzy prediction mode into more detailed and visual data conclusions, thereby achieving accurate identification.
In the information theory proposed by Shannon, the uncertainty function f is a decreasing function of the probability P; the uncertainty arising from two independent symbols should equal the sum of their respective uncertainties, i.e. f(P1, P2) = f(P1) + f(P2), which is referred to as additivity. The function f satisfying both conditions is a logarithmic function. These properties are already taken into account in the information entropy formula.
The method computes the total information entropy of the set V and the information entropy of the normal access user IP white list, and finally compares them with the information entropy of the temporarily marked abnormal access users i to determine which are the non-real access users simulated by the DDOS through threads. Testing showed that splitting the original fuzzy prediction mode into more detailed and visual data conclusions through the information-source calculation improves accuracy while reducing the possibility of misjudgment, so that the DDOS is distinguished efficiently.
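An added worked example, not code from the patent, that runs steps S1 to S5 on the sample set V given above. The client IPs are constructed placeholders; reading the P(F)log(F) terms as the Shannon entropy of the empirical distribution of resource-use frequencies within each set, and using log base 2, are assumptions, since the page fixes neither.

```python
"""Steps S1-S5 of the entropy-based identification, on the page's sample set
V = {V0.8, V0.7, V0.9, V0.4, V0.3, V1.0, V0.8} (added example, not the patent's code)."""
from collections import Counter
from math import log2


def resource_use_frequency(total_resource: float, weight: float) -> float:
    """S1: F = G / W, where G is the server's total resource amount and W the page weight."""
    if weight <= 0:
        raise ValueError("weight must be positive")
    return total_resource / weight


def shannon_entropy(values) -> float:
    """S4: H = -sum p(F) * log2 p(F), where p(F) is the share of users in the set whose
    resource-use frequency equals F.  Assumption: this empirical distribution is what the
    page's P(F0.8)log(F0.8) terms denote; log base 2 is a choice the page does not fix."""
    values = list(values)
    if not values:
        return 0.0  # an empty set carries no uncertainty
    counts = Counter(values)
    return -sum((c / len(values)) * log2(c / len(values)) for c in counts.values())


def identify(users: dict, whitelist: set) -> dict:
    """S2-S5 for one observation window.

    users     maps client IP -> resource-use frequency F in the window (the set V)
    whitelist IPs learned from daily access statistics (normal-user IP white list)
    Users not on the white list are the temporarily marked abnormal users i.
    """
    normal = {ip: f for ip, f in users.items() if ip in whitelist}
    abnormal = {ip: f for ip, f in users.items() if ip not in whitelist}
    probability = len(abnormal) / len(users)                # S3: P = |i| / |V|
    return {
        "P": probability,
        "H_total": shannon_entropy(users.values()),         # S4: entropy of V
        "H_whitelist": shannon_entropy(normal.values()),    # S4: entropy of white-listed users
        "H_abnormal": shannon_entropy(abnormal.values()),   # S4: entropy of marked users i
        # S5: the page compares the three entropies; the marked users are the candidates
        # for DDOS-simulated, non-real access users.  The page gives no numeric threshold.
        "suspected": sorted(abnormal),
    }


# Constructed sample input: seven clients (placeholder private IPs) whose frequencies are
# the page's V0.8, V0.7, V0.9, V0.4, V0.3, V1.0, V0.8; V0.4 and V0.3 are the white-listed users.
SAMPLE_USERS = {
    "10.0.0.1": 0.8, "10.0.0.2": 0.7, "10.0.0.3": 0.9, "10.0.0.4": 0.4,
    "10.0.0.5": 0.3, "10.0.0.6": 1.0, "10.0.0.7": 0.8,
}
SAMPLE_WHITELIST = {"10.0.0.4", "10.0.0.5"}

if __name__ == "__main__":
    for key, value in identify(SAMPLE_USERS, SAMPLE_WHITELIST).items():
        print(f"{key}: {value}")
```

With this input P comes out as 5/7 and the white-list entropy as exactly 1 bit, matching the page's probability value.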
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and amendments can be made without departing from the principle of the present invention, and these modifications and amendments should also be considered as the protection scope of the present invention.
Claims (1)
1. A DDOS accurate identification method based on an application layer is characterized by comprising the following steps:
s1: calculating resource use frequency; calculating the resource use frequency according to the weight value, wherein the method comprises the following steps:
F=G/W
in the formula: F is the resource use frequency;
G is the total resource amount of the server;
W is a weight value;
s2: counting to obtain a normal access user IP white list, and judging an abnormal access user; obtaining a normal user IP white list through access statistics of daily users;
s3: counting the probability of abnormal access users in all the access users; the resource use frequency of the normal access user is determined to be within a reasonable range of the total resource amount of the server, and if the normal access user is continuously abnormal, the normal access user is temporarily set as an abnormal access user and is marked as i; setting all accessed users as a set V, and counting the probability P of the abnormal access users i in the set V through a normal user IP white list and the number of the abnormal access users i;
s4: calculating the total information entropy of all access users, the information entropy of the IP white list of the normal access users and the information entropy of the abnormal access users; substituting the probability P into a Shannon formula to calculate an information entropy result:
in the formula: i is an abnormal access user;
P is the probability of occurrence of i;
s5: by comparison of the entropies, the non-authentic access users simulated by the DDOS through threads are determined.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010071583.2A CN111314323B (en) | 2020-01-21 | 2020-01-21 | DDOS (distributed denial of service) accurate identification method based on application layer |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010071583.2A CN111314323B (en) | 2020-01-21 | 2020-01-21 | DDOS (distributed denial of service) accurate identification method based on application layer |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111314323A CN111314323A (en) | 2020-06-19 |
CN111314323B true CN111314323B (en) | 2022-07-26 |
Family
ID=71146976
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010071583.2A Active CN111314323B (en) | 2020-01-21 | 2020-01-21 | DDOS (distributed denial of service) accurate identification method based on application layer |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111314323B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112351006B (en) * | 2020-10-27 | 2022-04-26 | 杭州安恒信息技术股份有限公司 | Website access attack interception method and related components |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9197657B2 (en) * | 2012-09-27 | 2015-11-24 | Hewlett-Packard Development Company, L.P. | Internet protocol address distribution summary |
CN106685899B (en) * | 2015-11-09 | 2020-10-30 | 创新先进技术有限公司 | Method and device for identifying malicious access |
CN105939361B (en) * | 2016-06-23 | 2019-06-07 | 杭州迪普科技股份有限公司 | Defend the method and device of CC attack |
CN106330906B (en) * | 2016-08-23 | 2019-11-01 | 上海海事大学 | A kind of ddos attack detection method under big data environment |
CN108173812B (en) * | 2017-12-07 | 2021-05-07 | 东软集团股份有限公司 | Method, device, storage medium and equipment for preventing network attack |
CN110324339B (en) * | 2019-07-02 | 2021-10-08 | 光通天下网络科技股份有限公司 | DDoS attack detection method and device based on information entropy and electronic equipment |
- 2020-01-21 CN CN202010071583.2A patent/CN111314323B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN111314323A (en) | 2020-06-19 |
Similar Documents
Publication | Title |
---|---|
US20220255817A1 (en) | Machine learning-based vnf anomaly detection system and method for virtual network management |
US20180336353A1 (en) | Risk scores for entities |
Zhao et al. | Malicious Domain Names Detection Algorithm Based on N‐Gram |
US8751417B2 (en) | Trouble pattern creating program and trouble pattern creating apparatus |
US20060119486A1 (en) | Apparatus and method of detecting network attack situation |
US10079770B2 (en) | Junk information filtering method and apparatus |
CN103139007A (en) | Method and system for detecting application server performance |
CN107493277A (en) | The online method for detecting abnormality of big data platform based on maximum information coefficient |
CN110324323A (en) | A kind of new energy plant stand relates to net end real-time, interactive process exception detection method and system |
CN107276851B (en) | Node abnormity detection method and device, network node and console |
WO2022042194A1 (en) | Block detection method and apparatus for login device, server, and storage medium |
CN110460608B (en) | Situation awareness method and system including correlation analysis |
CN109257393A (en) | XSS attack defence method and device based on machine learning |
Ul Banna et al. | Data‐driven disturbance source identification for power system oscillations using credibility search ensemble learning |
CN110633211A (en) | Multi-interface testing method, device, server and medium |
CN111314323B (en) | DDOS (distributed denial of service) accurate identification method based on application layer |
CN115150206A (en) | Intrusion detection safety early warning system and method for information safety |
CN114362994B (en) | Multilayer different-granularity intelligent aggregation railway system operation behavior safety risk identification method |
CN107231383A (en) | The detection method and device of CC attacks |
Patil et al. | SS-DDoS:: spark-based DDoS attacks classification approach |
CN112532625A (en) | Network situation awareness evaluation data updating method and device and readable storage medium |
CN110493217B (en) | Distributed situation perception method and system |
CN106874423A (en) | search control method and system |
CN110442801A (en) | A kind of determination method and device of the concern user of object event |
Pan et al. | An anomaly detection method for system logs using Venn-Abers predictors |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |