CN111314323B - DDOS (distributed denial of service) accurate identification method based on application layer - Google Patents


Info

Publication number
CN111314323B
Authority
CN
China
Prior art keywords
users
user
access
ddos
abnormal
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010071583.2A
Other languages
Chinese (zh)
Other versions
CN111314323A (en)
Inventor
陈旋
周海
吴锐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Aijia Household Products Co Ltd
Original Assignee
Jiangsu Aijia Household Products Co Ltd
Application filed by Jiangsu Aijia Household Products Co Ltd
Priority to CN202010071583.2A
Publication of CN111314323A
Application granted
Publication of CN111314323B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Complex Calculations (AREA)

Abstract

The invention discloses a DDOS (distributed denial of service) accurate identification method based on the application layer. The method comprises the steps of: calculating the resource use frequency; compiling, by statistics, an IP white list of normal access users and judging which users are abnormal access users; counting the probability of abnormal access users among all access users; calculating the total information entropy of all access users, the information entropy of the normal-user IP white list and the information entropy of the abnormal access users; and, by comparing these, determining the non-genuine access users that the DDOS simulates through threads. By calculating over the information source, the method splits the original fuzzy prediction into more detailed and intuitive data conclusions, so that the DDOS is identified accurately, the accuracy is improved and the chance of misjudgment is reduced, making DDOS identification more efficient.

Description

DDOS (distributed denial of service) accurate identification method based on application layer
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a DDOS (distributed denial of service) accurate identification method based on an application layer.
Background
Computer network information security is particularly important for internet companies. Early network attacks generally used a one-to-one attack mode, but that mode is hard to make work now that the processing capacity of computer networks has grown many times over. A new attack mode, DDOS (distributed denial of service attack), was therefore derived: it controls many machines in different places to attack one or more targets at the same time, and operates on a larger scale than before.
When a web page is accessed by a large number of users it becomes very congested and opens more and more slowly. A DDOS can use threads to simulate a large number of unreal users continuously accessing pages that occupy a lot of CPU performance, so that server resources are seriously wasted until the network is jammed and normal access stops. How to judge whether a DDOS is under way is therefore particularly important for the technology and information security of an Internet company. Many identification methods in common use today, such as checking whether a large number of useless packets arrive at the website's background server, whether network traffic surges abnormally, or whether there are a large number of access source addresses, are not efficient: they take much time and can only give a rough identification.
Disclosure of Invention
The technical problem solved by the invention is as follows: the existing DDOS recognition methods take much time, can only recognize the DDOS roughly, and are not very efficient.
The technical scheme is as follows: in order to solve the technical problem above, the invention adopts the following technical scheme.
A DDOS accurate identification method based on the application layer comprises the following steps:
S1: calculating the resource use frequency;
S2: counting to obtain an IP white list of normal access users, and judging the abnormal access users;
S3: counting the probability of abnormal access users among all access users;
S4: calculating the total information entropy of all access users, the information entropy of the normal-access-user IP white list and the information entropy of the abnormal access users;
S5: by comparison, determining the non-genuine access users that the DDOS simulates through threads.
Preferably, in step S1, the resource use frequency is calculated from the weight value as follows:
F=G/W
where F is the resource use frequency,
G is the total resource amount of the server, and
W is the weight value.
Preferably, in step S2, the normal-user IP white list is obtained from the access statistics of daily users.
Preferably, the resource use frequency of a normal access user always lies within a reasonable range of the server's total resource amount; if a normal access user is continuously abnormal, that user is temporarily set as an abnormal access user and marked as i.
Preferably, in step S3, all accessed users are set as a set V, and the probability P of the abnormal access user i appearing in the set V is counted from the normal-user IP white list and the number of abnormal access users i.
Preferably, in step S4, the information entropy result is calculated by substituting the probability P into Shannon's formula:
[Shannon information entropy formula; rendered as an image in the original]
where i is an abnormal access user and
P is the probability of i occurring.
Advantageous effects: compared with the prior art, the invention has the following advantages.
By calculating over the information source, the method splits the original fuzzy prediction into more detailed and intuitive data conclusions, so that the DDOS is identified accurately, the accuracy is improved and the chance of misjudgment is reduced, making DDOS identification more efficient.
Drawings
FIG. 1 is a schematic structural diagram of a DDOS precise identification method based on an application layer;
Detailed Description
The present invention will be further illustrated with reference to the following specific examples, which are carried out on the basis of the technical solutions of the invention; it should be understood that these examples are only intended to illustrate the invention and not to limit its scope.
The method for accurately identifying a DDOS based on the application layer comprises the following steps:
Step S1: calculating the resource use frequency.
Each page resource consumed has a weight, and the weight of dynamic resources is relatively high. The invention calculates the resource use frequency of a user's access from the weight value as follows:
F=G/W
where F is the resource use frequency,
G is the total resource amount of the server, and
W is the weight value.
S2: counting to obtain an IP white list of normal access users, and judging the abnormal access users.
Because the IP addresses of today's broadband users largely sit inside intranets, and many normal users share one IP, the method builds the IP white list of normal users from the access statistics of daily users, so as to reduce misjudgment as far as possible.
The resource use frequency of a normal access user is established to lie within a reasonable range of the server's total resource amount; if a user's resource use frequency is continuously abnormal, the user is temporarily set as an abnormal access user and marked as i.
S3: counting the probability of abnormal access users among all access users.
All accessed users are set as a set V, and the probability P of abnormal access users i appearing in the set V is counted from the normal-user IP white list and the number of abnormal access users i.
S4: calculating, with Shannon's formula, the total information entropy of all access users, the information entropy of the normal-access-user IP white list and the information entropy of the abnormal access users.
The probability P is substituted into the following Shannon formula to calculate the information entropy result:
[Shannon information entropy formula; rendered as an image in the original]
where i is an abnormal access user and
P is the probability of i occurring.
Suppose the set V of all visiting users is {V0.8, V0.7, V0.9, V0.4, V0.3, V1.0, V0.8}, where the value after V is that user's resource use frequency. V0.4 and V0.3 are on the IP white list of normal users, and the remaining users, whose resource use frequency is continuously abnormal, are abnormal access users i (5 of the 7 users), so the probability P is 0.71428571.
Substituting the probability P into the information entropy formula, the total information entropy of the set V is:
Entropy=-(P(F0.8)log(F0.8)+P(F0.7)log(F0.7)+P(F0.9)log(F0.9)+…+P(F0.8)log(F0.8))
The information entropy of the normal-access-user IP white list is:
Entropy=-(P(F0.4)log(F0.4)+P(F0.3)log(F0.3))
The information entropy of the abnormal access users i is:
Entropy=-(P(F0.8)log(F0.8)+P(F0.7)log(F0.7)+P(F0.9)log(F0.9)+P(F1.0)log(F1.0)+P(F0.8)log(F0.8))
S5: by comparison, the non-genuine access users that the DDOS simulates through threads are determined.
Because which symbols an information source will emit is generally uncertain, and that uncertainty can be measured by the probability of occurrence and the uncertainty function f, the method, following the information entropy theory of C. E. Shannon, the father of information theory, uses the Shannon information entropy formula to split the original fuzzy prediction into more detailed and intuitive data conclusions, and thereby achieves accurate identification.
In the information theory proposed by Shannon, the uncertainty function f is a decreasing function of the probability P; the uncertainty produced by two independent symbols should equal the sum of their respective uncertainties, i.e. f(P1, P2) = f(P1) + f(P2), which is called additivity. The function f satisfying both conditions is a logarithmic function, i.e.
[logarithmic form of f; rendered as an image in the original]
These properties are already built into the information entropy formula.
The method obtains the total information entropy of the set V and the information entropy of the normal-user IP white list by calculation, and finally compares them with the information entropy of the temporarily marked abnormal access users i to determine which users are the non-genuine access users simulated by the DDOS through threads. Testing shows that splitting the original fuzzy prediction into more detailed and intuitive data conclusions through calculation over the information source improves accuracy while reducing the chance of misjudgment, so that a DDOS is distinguished efficiently.
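A worked run of steps S1 to S5 over the page's sample set V, as an added example that is not the patent's own code. The user IPs, the white-list membership, the "reasonable range" bound and the streak length are constructed assumptions, and the entropy is read as the standard Shannon entropy -Σ p·log2 p over the distribution of resource use frequency values within each set. The S5 comparison rule (flag the abnormal set when its entropy exceeds the white list's) is also an assumption, since the page does not spell out how the three entropies are compared.

```python
"""Worked run of the patent's S1-S5 over the page's sample set V."""
import math
from collections import Counter

# Constructed sample: the page's set V keyed by made-up user IPs (assumption).
# Values are each user's resource use frequency F; 10.0.0.4 and 10.0.0.3 are on
# the normal-user IP white list built from daily access statistics (S2).
USERS = {
    "10.0.0.1": 0.8, "10.0.0.2": 0.7, "10.0.0.5": 0.9, "10.0.0.4": 0.4,
    "10.0.0.3": 0.3, "10.0.0.6": 1.0, "10.0.0.7": 0.8,
}
WHITELIST = {"10.0.0.4", "10.0.0.3"}
NORMAL_RANGE = (0.0, 0.5)  # assumed "reasonable range" of F for a normal user


def resource_use_frequency(total_resource: float, weight: float) -> float:
    """S1: F = G / W, exactly as the page defines it."""
    return total_resource / weight


def continuously_abnormal(samples, upper=NORMAL_RANGE[1], streak=3) -> bool:
    """S2: mark a user abnormal (i) only when F stays out of range for
    `streak` consecutive observations, not on a single spike (streak assumed)."""
    run = 0
    for f in samples:
        run = run + 1 if f > upper else 0
        if run >= streak:
            return True
    return False


def split_users(users, whitelist):
    """S2/S3: white-listed IPs are normal; every other user is abnormal user i."""
    normal = {ip: f for ip, f in users.items() if ip in whitelist}
    abnormal = {ip: f for ip, f in users.items() if ip not in whitelist}
    return normal, abnormal


def probability_abnormal(users, whitelist) -> float:
    """S3: P = (number of abnormal users i) / |V|."""
    _, abnormal = split_users(users, whitelist)
    return len(abnormal) / len(users)


def shannon_entropy(values) -> float:
    """S4: H = -sum p*log2(p) over the empirical distribution of F values
    in a set (this reading of the page's expanded formula is an assumption)."""
    counts, n = Counter(values), len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def identify(users, whitelist):
    """S5: compute the three entropies and, under the assumed rule, report the
    abnormal users as DDOS-simulated when their entropy exceeds the white list's."""
    normal, abnormal = split_users(users, whitelist)
    h_total = shannon_entropy(list(users.values()))
    h_white = shannon_entropy(list(normal.values()))
    h_abn = shannon_entropy(list(abnormal.values()))
    suspects = sorted(abnormal) if h_abn > h_white else []
    return {"P": probability_abnormal(users, whitelist), "H_total": h_total,
            "H_whitelist": h_white, "H_abnormal": h_abn, "suspects": suspects}


if __name__ == "__main__":
    for key, value in identify(USERS, WHITELIST).items():
        print(f"{key}: {value}")
```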
The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various modifications and amendments without departing from the principle of the invention, and that such modifications and amendments should also be considered within the protection scope of the invention.

Claims (1)

1. A DDOS accurate identification method based on the application layer, characterized by comprising the following steps:
S1: calculating the resource use frequency; the resource use frequency is calculated from the weight value as follows:
F=G/W
where F is the resource use frequency,
G is the total resource amount of the server, and
W is the weight value;
S2: counting to obtain an IP white list of normal access users, and judging the abnormal access users; the normal-user IP white list is obtained from the access statistics of daily users;
S3: counting the probability of abnormal access users among all access users; the resource use frequency of a normal access user is established to lie within a reasonable range of the server's total resource amount, and if a normal access user is continuously abnormal, that user is temporarily set as an abnormal access user and marked as i; all accessed users are set as a set V, and the probability P of abnormal access users i appearing in the set V is counted from the normal-user IP white list and the number of abnormal access users i;
S4: calculating the total information entropy of all access users, the information entropy of the normal-access-user IP white list and the information entropy of the abnormal access users; the probability P is substituted into Shannon's formula to calculate the information entropy result:
[Shannon information entropy formula; rendered as an image in the original]
where i is an abnormal access user and
P is the probability of occurrence of i;
S5: by comparison, the non-genuine access users that the DDOS simulates through threads are determined.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010071583.2A CN111314323B (en) 2020-01-21 2020-01-21 DDOS (distributed denial of service) accurate identification method based on application layer

Publications (2)

Publication Number Publication Date
CN111314323A CN111314323A (en) 2020-06-19
CN111314323B true CN111314323B (en) 2022-07-26

Family

ID=71146976

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010071583.2A Active CN111314323B (en) 2020-01-21 2020-01-21 DDOS (distributed denial of service) accurate identification method based on application layer

Country Status (1)

Country Link
CN (1) CN111314323B (en)

Also Published As

Publication number Publication date
CN111314323A (en) 2020-06-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant