CN111740999A - DDOS attack identification method, system and related device - Google Patents
- Publication number: CN111740999A
- Application number: CN202010574443.7A
- Authority: CN (China)
- Prior art keywords: probability, suspected attack, access request, initial, network access
- Prior art date
- Legal status: Granted
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The application provides a DDOS attack identification method, which comprises the following steps: acquiring a network access request, wherein the initial suspected attack probability of the network access request is 0; comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence; if the comparison of any limiting parameter fails, giving the probability corresponding to that limiting parameter to the initial suspected attack probability; counting the sum of all initial suspected attack probabilities to obtain the suspected attack probability; judging whether the suspected attack probability is larger than an attack threshold value; if so, marking the network access request as a network attack. The method and the device enhance the identification capability for network access requests, improve the identification accuracy, and help maintain the stability of websites and pages. The application also provides a DDOS attack recognition system, a computer readable storage medium and a terminal, which have the same beneficial effects.
Description
Technical Field
The present application relates to the field of network security, and in particular, to a DDOS attack identification method, system, and related apparatus.
Background
A distributed denial of service attack, DDOS for short, uses many computers to attack the same target at the same time so that the target cannot be used normally. Distributed denial of service attacks have occurred many times and have left many large websites unable to operate, which not only affects the normal use of users but also causes great economic loss.
The existing technology identifies attacks roughly by access traffic: when the traffic is too large, a DDOS attack is basically assumed. However, in many cases excessive network access traffic is not necessarily a DDOS attack; for example, a hot topic of public opinion can cause a sudden increase in access traffic. How to accurately identify DDOS attack behavior against web applications is therefore a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a DDOS attack identification method, a DDOS attack identification system, a computer readable storage medium and a terminal, which can improve the malicious attack identification capability of a network access request.
In order to solve the technical problem, the application provides an identification method of DDOS attack, and the specific technical scheme is as follows:
acquiring a network access request, wherein the initial suspected attack probability of the network access request is 0;
comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence;
if any one of the limiting parameters fails to pass the comparison, giving the probability corresponding to the limiting parameter to the initial suspected attack probability;
counting the sum of all initial suspected attack probabilities to obtain suspected attack probabilities;
judging whether the suspected attack probability is larger than an attack threshold value;
if so, marking the network access request as a network attack.
Optionally, before acquiring the network access request, the method further includes:
acquiring the access request limiting parameter list, wherein the access request limiting parameter list comprises a maximum request amount per second, a single IP maximum request amount per second, a link list and an IP white list.
Optionally, comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence includes:
judging whether the maximum request quantity per second of the network access request exceeds a first threshold value;
if so, giving a first probability value to the initial suspected attack probability to obtain a first initial suspected attack probability, and judging whether the url corresponding to the network access request exists in the link list or not;
if the url corresponding to the network access request exists in the link list, setting a preset request value as a first percentage, and otherwise, setting the preset request value as a second percentage;
judging whether the percentage of the url request number per second to the total request number per second is larger than the preset request value;
if so, giving a second probability value to the initial suspected attack probability to obtain a second initial suspected attack probability;
judging whether the IP address of the network access request is positioned in the IP white list or not;
if so, ending the identification;
if not, giving a third probability value corresponding to the IP white list to the initial suspected attack probability to obtain a third initial suspected attack probability;
judging whether the request times per second of the IP address is larger than the maximum request quantity per second of the single IP;
if so, giving a fourth probability value corresponding to the maximum request amount per second of the single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability;
then, the step of counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes:
counting the sum of the first initial suspected attack probability, the second initial suspected attack probability, the third initial suspected attack probability and the fourth initial suspected attack probability to obtain the suspected attack probability.
Optionally, the IP address of the network access request does not exist in the IP whitelist, and the method further includes:
executing an agent pool identification process on the network access request to obtain an agent identification suspected attack probability, and endowing the agent identification suspected attack probability to the initial suspected attack probability to obtain a fifth initial suspected attack probability;
then, the step of counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes:
counting the sum of the first initial suspected attack probability, the second initial suspected attack probability, the third initial suspected attack probability, the fourth initial suspected attack probability and the fifth initial suspected attack probability to obtain the suspected attack probability.
Optionally, executing an agent pool identification process on the network access request, and obtaining a suspected attack probability of an agent identification includes:
judging whether the IP address of the network access request exists in an agent pool or not;
if so, giving a fourth probability value corresponding to the maximum request amount per second of the single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability;
if not, judging whether the first initial suspected attack probability and the second initial suspected attack probability are both 0;
if the first initial suspected attack probability and the second initial suspected attack probability are both 0, adding the IP address into the agent pool;
if the first initial suspected attack probability and the second initial suspected attack probability are not both 0, judging whether the IP address opens an agent port;
if so, giving a sixth probability value corresponding to the agent port to the initial suspected attack probability to obtain a sixth initial suspected attack probability;
if not, judging whether the IP address request head comprises an agent end parameter or not;
if so, adding a seventh probability value corresponding to the agent end parameter to the sixth initial suspected attack probability to obtain the agent identification suspected attack probability.
Optionally, if the suspected attack probability is smaller than the attack threshold, the method further includes:
judging whether the suspected attack probability is larger than a suspected threshold value;
if so, manually detecting the network access request.
The present application further provides a DDOS attack recognition system, including:
an acquisition module, used for acquiring a network access request, wherein the initial suspected attack probability of the network access request is 0;
the comparison module is used for comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence;
a probability assignment module, configured to assign a probability corresponding to a limiting parameter to the initial suspected attack probability if any of the limiting parameters fails to pass the comparison;
the probability calculation module is used for counting the sum of all initial suspected attack probabilities to obtain suspected attack probabilities;
the identification module is used for judging whether the suspected attack probability is greater than an attack threshold value;
an attack confirmation module, used for marking the network access request as a network attack when the judgment result of the identification module is yes.
Optionally, the system further includes:
a parameter acquisition module, used for acquiring the access request limiting parameter list, wherein the access request limiting parameter list comprises a maximum request quantity per second, a single IP maximum request quantity per second, a link list and an IP white list.
The present application also provides a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the identification method as described above.
The present application further provides a terminal, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the identification method when calling the computer program in the memory.
The application provides a DDOS attack identification method, which comprises the following steps: acquiring a network access request, wherein the initial suspected attack probability of the network access request is 0; comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence; if the comparison of any limiting parameter fails, giving the probability corresponding to that limiting parameter to the initial suspected attack probability; counting the sum of all initial suspected attack probabilities to obtain the suspected attack probability; judging whether the suspected attack probability is larger than an attack threshold value; if so, marking the network access request as a network attack.
According to the method and the device, network access requests are compared one by one against the limiting parameters, so that the identification capability for network access requests is further enhanced, the identification accuracy is improved, the false identification that easily occurs when network attacks are identified only by network traffic is avoided, and the stability of websites and pages is better maintained. The application also provides a DDOS attack recognition system, a computer readable storage medium and a terminal, which have the same beneficial effects and are not described again here.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a DDOS attack identification method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an identification system for DDOS attack according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a DDOS attack identification method provided in an embodiment of the present application, and a specific technical solution of the DDOS attack identification method provided in the present application is as follows:
S101: acquiring a network access request;
the step aims to obtain a network access request, including an HTTP request and the like, and the initial suspected attack probability of the network access request is 0.
Further, generally before this step is performed, the access request restriction parameter list may be obtained, and the access request restriction parameter list may include a maximum request amount per second, a maximum request amount per second per IP, a link list, an IP white list, and the like.
S102: comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence;
the step is intended to compare each item of data of the network access request with the restriction parameters in the access request restriction parameter list one by one, and there is no specific limitation on which restriction parameters are included in the access request restriction parameter list, which may include, but is not limited to, a maximum request amount per second per IP, a link list, an IP white list, and so on. Secondly, since there are a plurality of limiting parameters and there may be a certain correlation between the limiting parameters, the comparison sequence may be optimized to improve the detection efficiency. It is understood that different restriction parameters may have different alignment sequences.
S103: if any one of the limiting parameters fails to pass the comparison, giving the probability corresponding to the limiting parameter to the initial suspected attack probability;
and if any one limiting parameter comparison fails, adding the probability corresponding to the limiting parameter to the initial suspected attack probability. Of course, the probabilities corresponding to different limiting parameters may be the same or different. The probability corresponding to each limiting parameter is not specifically limited herein.
It should be noted that, since the comparison processes of the respective limiting parameters are independent, after each comparison, if the comparison fails, the probability corresponding to the limiting parameter is assigned to the initial suspected attack probability.
S104: counting the sum of all initial suspected attack probabilities to obtain suspected attack probabilities;
since each limiting parameter has a corresponding initial suspected attack probability after comparison, all the initial suspected attack probabilities need to be added to obtain a total suspected attack probability. Of course, if the comparison of a certain limiting parameter passes, the initial suspected attack probability is still 0.
S105: judging whether the suspected attack probability is larger than an attack threshold value; if yes, entering S106;
S106: marking the network access request as a network attack.
Finally, it is judged whether the suspected attack probability is larger than the attack threshold. How the attack threshold is set and its value are not particularly limited; a person skilled in the art can set it according to the actual application or the rules of network attacks. When the suspected attack probability is larger than the attack threshold, the network access request is confirmed as a network attack. Since this embodiment compares multiple restriction parameters, when the comparison of several restriction parameters fails at the same time, the network access request matches more feature points of a network attack, that is, the possibility that it is a network attack is higher.
Further, on the basis of this embodiment, if the suspected attack probability is smaller than the attack threshold, it may be further determined whether it is larger than a suspected threshold; if so, the network access request may be detected manually. For example, with an attack threshold of 80% and a suspected threshold of 60%, a request whose initial suspected attack probabilities add up to 75% is not judged an attack by the attack threshold, but because 75% is close to 80% and above the suspected threshold, the request is clearly not safe enough to ignore: it may be detected manually, kept under continued observation, or handled in other ways. By setting the suspected threshold, higher-risk network access requests can be detected and watched while the requests actually marked as attacks remain reliable, which further improves the network security protection capability.
According to this embodiment of the application, network access requests are compared one by one against the limiting parameters, so that the identification capability for network access requests is further enhanced, the identification accuracy is improved, the false identification that easily occurs when network attacks are identified only by the size of network traffic is avoided, and the stability of websites and pages can be better maintained.
The following describes S102 of the previous embodiment in more detail, taking the maximum request amount per second, the maximum request amount per second of a single IP, the link list and the IP white list as the limiting parameters. That is, comparing the network access request with the limiting parameters in the access request limiting parameter list one by one in a preset comparison order includes:
S201: judging whether the maximum request quantity per second of the network access request exceeds a first threshold value; if yes, entering S202;
S202: giving a first probability value to the initial suspected attack probability to obtain a first initial suspected attack probability, and judging whether the url corresponding to the network access request exists in the link list; if yes, entering S203;
S203: setting a preset request value as a first percentage, otherwise setting the preset request value as a second percentage;
The first percentage and the second percentage are not particularly limited here, but the first percentage should be larger than the second percentage.
S204: judging whether the percentage of the url request number per second in the total request number per second is larger than the preset request value; if yes, entering S205;
S205: giving a second probability value to the initial suspected attack probability to obtain a second initial suspected attack probability;
S206: judging whether the IP address of the network access request is in the IP white list; if yes, entering S207; if not, entering S208;
S207: finishing the identification;
S208: giving a third probability value corresponding to the IP white list to the initial suspected attack probability to obtain a third initial suspected attack probability;
S209: judging whether the request times per second of the IP address is larger than the maximum request quantity per second of the single IP; if yes, entering S210;
S210: giving a fourth probability value corresponding to the maximum request amount per second of the single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability.
Then, when the previous embodiment is executed in S104, the sum of the first initial suspected attack probability, the second initial suspected attack probability, the third initial suspected attack probability and the fourth initial suspected attack probability should be counted to obtain the suspected attack probability.
In this embodiment, the comparison process between the network access request and the restriction parameter is described by taking the restriction parameter as the maximum request amount per second, the maximum request amount per second of a single IP, the link list and the IP white list as examples, and based on this, a person skilled in the art may also use other restriction parameters or use other comparison orders, and on the premise of not departing from the core idea of the present application, all of them should be within the protection scope of the present application.
Based on the above embodiment, as a preferred embodiment, when the judgment of S206 is no, the following steps may be further performed, and the following processes are independent from the processes of S208 to S210 in the previous embodiment, and the specific processes are as follows:
executing an agent pool identification process on the network access request to obtain an agent identification suspected attack probability, and endowing the agent identification suspected attack probability to the initial suspected attack probability to obtain a fifth initial suspected attack probability;
then, the step of counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes:
counting the sum of the first initial suspected attack probability, the second initial suspected attack probability, the third initial suspected attack probability, the fourth initial suspected attack probability and the fifth initial suspected attack probability to obtain the suspected attack probability.
Specifically, the step of performing an agent pool identification process on the network access request to obtain the suspected attack probability of the agent identification may include the following steps:
S301: judging whether the IP address of the network access request exists in the agent pool; if yes, entering S302; if not, entering S303;
S302: giving a fourth probability value corresponding to the maximum request amount per second of the single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability;
This step is the same as S210 of the previous embodiment.
S303: judging whether the first initial suspected attack probability and the second initial suspected attack probability are both 0; if yes, entering S304; if not, entering S305;
S304: adding the IP address to the proxy pool;
S305: judging whether the IP address has opened the proxy port; if yes, entering S306; if not, entering S307;
S306: giving a sixth probability value corresponding to the agent port to the initial suspected attack probability to obtain a sixth initial suspected attack probability;
S307: judging whether the request header of the IP address comprises an agent end parameter; if yes, entering S308;
S308: adding a seventh probability value corresponding to the agent end parameter to the sixth initial suspected attack probability to obtain the agent identification suspected attack probability.
This embodiment performs a proxy judgment on the network access request: attack requests are often sent through proxy services, whereas normal access behavior does not usually need a proxy, so a network access request that arrives through a proxy has a high suspected attack probability. The subsequent judgment of the proxy port and the proxy-side parameters of the IP address further determines the possibility that the network access request is a network attack; each additional item that matches means a higher possibility of attack. The number of proxy ports and proxy-side parameters is not particularly limited and may be more than one; for example, the proxy ports may include port 80, port 8080 and the like, and the proxy-side parameters may include an x_forward_for parameter, a Proxy_connection parameter and the like. Likewise, every further proxy port that is found open raises the corresponding initial suspected attack probability. The suspected probabilities corresponding to different ports or different proxy parameters may be the same or different.
One specific application of the present application is described in detail below:
1. Preset a batch of limiting parameters, including the maximum request number per second (Max_A), the maximum request number per second of a single IP (Max_IP), a white list IP list L1 and a frequently used link list L2;
2. Run the program, receive an HTTP request, and set the initial suspected attack probability P to 0;
3. Count the network access request amount per second immediately and judge whether the current request amount per second exceeds the preset threshold Max_A. When it exceeds Max_A, check whether the url corresponding to the network access request is in the link list L2: when the url is in L2, set the usage threshold Pu of the current url to 70%, otherwise set Pu to 50%. When the request amount per second does not exceed Max_A, go to step 5;
4. Judge whether the percentage of the current url's request number per second in the total request number per second is greater than Pu. If so, set the suspected attack probability P to P + 20% and then judge the request method of the request: depending on the method, set P to P + 10% or to P + 5%. If the percentage is not greater than Pu, do nothing;
Since network access requests are usually post, get, delete or update, and network attacks usually use delete or update, the suspected attack probability is higher when the request method is delete or update.
5. Judge whether the IP of the network access request is in the white list L1; if the IP is in L1, end the checking program directly. When the IP is not in L1, continue downward.
6. Judge whether the current request IP is in the proxy pool. When the IP is in the proxy pool, set P to P + 30% and jump to step 8; when the IP is not in the proxy pool, continue downward.
7. Judge whether P equals 0. When P equals 0, add the IP to a proxy IP identification queue; this queue can identify whether the IP is a proxy IP and, if so, add the current IP to the proxy pool. When P is not equal to 0, first judge whether the IP has opened the two proxy ports 80 and 8080; if so, set P to P + 5%;
then judge whether the request header of the IP contains an x_forward_for parameter; if so, set P to P + 10%; finally, judge whether the request header of the IP contains a Proxy_connection parameter; if so, set P to P + 15%.
8. Judge whether the request times per second of the current IP is greater than Max_IP; if so, set P to P + 20%; otherwise continue;
9. Statistically compare the parameters and values of the request, and count the proportion Pp of requests with the same parameters among the current url's requests per second. When Pp > 80%, set P to P + 20%; when Pp <= 80%, continue;
10. Judge whether P >= 80%. If P >= 80%, mark the request as a suspected DDOS attack; otherwise mark it as a normal request.
11. Return the marking result and end the verification.
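The scoring of steps 1 to 11 above (which also contains the S201 to S210 comparison of the claims) written out as an added Python example; it is not the patent's own code. Max_A, Max_IP, L1, L2, Pu, Pp and all percentages are taken from the page; the result of the 80/8080 port check, the split of +10%/+5% between request methods, the suspected threshold of 60% from the earlier embodiment and the one-second sample window are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Limits:
    """Preset limiting parameters of step 1 (names as on the page)."""
    max_a: int                        # Max_A: maximum requests per second, all clients
    max_ip: int                       # Max_IP: maximum requests per second from one IP
    whitelist: frozenset              # L1: IP white list
    link_list: frozenset              # L2: frequently used link list
    attack_threshold: float = 0.80    # step 10
    suspect_threshold: float = 0.60   # suspected threshold of the embodiment (manual review)

@dataclass
class Request:
    ip: str
    url: str
    method: str
    headers: dict = field(default_factory=dict)
    params: tuple = ()                # sorted (name, value) pairs, compared in step 9
    in_proxy_pool: bool = False       # step 6 lookup result
    proxy_ports_open: bool = False    # assumption: result of the 80/8080 check, done elsewhere

def score(req, window, limits):
    """Return (P, verdict) for one request; window holds every request of the same second."""
    p = 0.0
    total = len(window)
    # steps 3-4: only when the overall rate exceeds Max_A is the url's share examined
    if total > limits.max_a:
        pu = 0.70 if req.url in limits.link_list else 0.50
        url_share = sum(r.url == req.url for r in window) / total
        if url_share > pu:
            p += 0.20
            # assumption: delete/update (the riskier methods per the page) add 10%, others 5%
            p += 0.10 if req.method.upper() in ("DELETE", "UPDATE") else 0.05
    # step 5: a whitelisted IP ends the check immediately
    if req.ip in limits.whitelist:
        return round(p, 2), "normal"
    # step 6: a known proxy IP scores 30% and skips step 7
    if req.in_proxy_pool:
        p += 0.30
    elif p != 0:
        # step 7 (with P == 0 the page queues the IP for proxy identification instead; not modelled)
        hdrs = {name.lower() for name in req.headers}
        if req.proxy_ports_open:
            p += 0.05
        if "x_forward_for" in hdrs:
            p += 0.10
        if "proxy_connection" in hdrs:
            p += 0.15
    # step 8: per-IP rate against Max_IP
    if sum(r.ip == req.ip for r in window) > limits.max_ip:
        p += 0.20
    # step 9: share Pp of same-parameter requests among this second's requests to the url.
    # Caveat: a url requested only once trivially has Pp == 100%; the page sets no minimum.
    same_url = [r for r in window if r.url == req.url]
    pp = sum(r.params == req.params for r in same_url) / len(same_url)
    if pp > 0.80:
        p += 0.20
    p = round(p, 2)
    # step 10, plus the suspected threshold of the embodiment for manual review
    if p >= limits.attack_threshold:
        return p, "attack"
    if p > limits.suspect_threshold:
        return p, "suspect"
    return p, "normal"

def classify_window(window, limits):
    """Score the first request of each source IP; returns {ip: (P, verdict)}."""
    out = {}
    for r in window:
        if r.ip not in out:
            out[r.ip] = score(r, window, limits)
    return out

LIMITS = Limits(max_a=5, max_ip=3,
                whitelist=frozenset({"10.0.0.5"}), link_list=frozenset({"/login"}))

def sample_window():
    """Constructed one-second window (made-up sample data, not a capture)."""
    proxy_headers = {"X_Forward_For": "198.51.100.9", "Proxy_Connection": "keep-alive"}
    flood = [Request("203.0.113.7", "/login", "DELETE", dict(proxy_headers),
                     (("user", "admin"),), proxy_ports_open=True) for _ in range(12)]
    normal = [Request("198.51.100.2", "/index", "GET")]
    trusted = [Request("10.0.0.5", "/login", "GET")]
    proxied = [Request("192.0.2.9", "/search", "POST", params=(("q", "x"),),
                       in_proxy_pool=True) for _ in range(4)]
    return flood + normal + trusted + proxied

if __name__ == "__main__":
    for ip, (p, verdict) in classify_window(sample_window(), LIMITS).items():
        print(f"{ip:<14} P={p:.2f} {verdict}")
```

With the sample window, the flooding IP reaches P = 100% and is marked an attack, the pooled proxy IP lands at 70% in the manual-review band, and the single benign request still collects 20% from step 9 alone, which shows why a minimum request count for Pp is worth adding in a deployment.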
The following introduces a DDOS attack recognition system provided by an embodiment of the present application; the recognition system described below and the DDOS attack recognition method described above may be referred to each other.
Referring to fig. 2, fig. 2 is a schematic structural diagram of an identification system for DDOS attack provided in an embodiment of the present application, and the present application further provides an identification system for DDOS attack, including:
an obtaining module 100, configured to obtain a network access request, where an initial suspected attack probability of the network access request is 0;
a comparison module 200, configured to compare the network access request with the restriction parameters in the access request restriction parameter list one by one in a preset comparison order;
a probability assignment module 300, configured to assign a probability corresponding to a limiting parameter to the initial suspected attack probability if any of the limiting parameters fails to pass the comparison;
a probability calculation module 400, configured to count a sum of all initial suspected attack probabilities to obtain a suspected attack probability;
an identifying module 500, configured to determine whether the suspected attack probability is greater than an attack threshold;
and an attack confirmation module 600, configured to mark the network access request as a network attack when the determination of the identification module is affirmative.
Based on the above embodiment, as a preferred embodiment, the system further includes:
and the parameter acquisition module is used for acquiring the access request limiting parameter list, wherein the access request limiting parameter list comprises a maximum request quantity per second, a single IP maximum request quantity per second, a link list and an IP white list.
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed, may implement the steps provided by the above-described embodiments. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application further provides a terminal, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when calling the computer program in the memory. Of course, the terminal may also include various network interfaces, power supplies, and the like.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system provided by the embodiment, the description is relatively simple because the system corresponds to the method provided by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Claims (10)
1. A DDOS attack recognition method is characterized by comprising the following steps:
acquiring a network access request, wherein the initial suspected attack probability of the network access request is 0;
comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence;
if any one of the limiting parameters fails to pass the comparison, giving the probability corresponding to the limiting parameter to the initial suspected attack probability;
counting the sum of all initial suspected attack probabilities to obtain suspected attack probabilities;
judging whether the suspected attack probability is larger than an attack threshold value;
if so, marking the network access request as a network attack.
2. The identification method of claim 1, wherein prior to obtaining the network access request, further comprising:
and acquiring the access request limiting parameter list, wherein the access request limiting parameter list comprises a maximum request amount per second, a single IP maximum request amount per second, a link list and an IP white list.
3. The method according to claim 2, wherein comparing the network access request with the restricted parameters in the access request restricted parameter list one by one in a preset comparison order comprises:
judging whether the maximum request quantity per second of the network access request exceeds a first threshold value;
if so, giving a first probability value to the initial suspected attack probability to obtain a first initial suspected attack probability, and judging whether the url corresponding to the network access request exists in the link list or not;
if the url corresponding to the network access request exists in the link list, setting a preset request value as a first percentage, and otherwise, setting the preset request value as a second percentage;
judging whether the percentage of the url request number per second to the total request number per second is larger than the preset request value;
if so, giving a second probability value to the initial suspected attack probability to obtain a second initial suspected attack probability;
judging whether the IP address of the network access request is positioned in the IP white list or not;
if so, ending the identification;
if not, giving a third probability value corresponding to the IP white list to the initial suspected attack probability to obtain a third initial suspected attack probability;
judging whether the request times per second of the IP address is larger than the maximum request quantity per second of the single IP;
if so, giving a fourth probability value corresponding to the maximum request amount per second of the single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability;
then, the step of counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes:
and counting the sum of the first initial suspected attack probability, the second initial suspected attack probability, the third initial suspected attack probability and the fourth initial suspected attack probability to obtain the suspected attack probability.
4. The method according to claim 3, wherein, when the IP address of the network access request is not in the IP white list, the method further comprises:
executing a proxy pool identification process on the network access request to obtain a proxy identification suspected attack probability, and assigning the proxy identification suspected attack probability to the initial suspected attack probability to obtain a fifth initial suspected attack probability;
then, the step of counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes:
and counting the sum of the first initial suspected attack probability, the second initial suspected attack probability, the third initial suspected attack probability, the fourth initial suspected attack probability and the fifth initial suspected attack probability to obtain the suspected attack probability.
5. The method according to claim 4, wherein executing the proxy pool identification process on the network access request to obtain the proxy identification suspected attack probability comprises:
judging whether the IP address of the network access request exists in a proxy pool;
if so, assigning a fourth probability value corresponding to the maximum request amount per second of the single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability;
if not, judging whether the first initial suspected attack probability and the second initial suspected attack probability are both 0;
if the first initial suspected attack probability and the second initial suspected attack probability are both 0, adding the IP address to the proxy pool;
if the first initial suspected attack probability and the second initial suspected attack probability are not both 0, judging whether the IP address has a proxy port open;
if so, assigning a sixth probability value corresponding to the proxy port to the initial suspected attack probability to obtain a sixth initial suspected attack probability;
if not, judging whether the request header of the IP address comprises a proxy-related parameter;
and if so, adding a seventh probability value corresponding to the proxy-related parameter to the sixth initial suspected attack probability to obtain the proxy identification suspected attack probability.
6. The method according to claim 1, wherein, if the suspected attack probability is less than the attack threshold value, the method further comprises:
judging whether the suspected attack probability is larger than a suspected threshold value;
and if so, manually detecting the network access request.
7. A DDOS attack recognition system, comprising:
an acquisition module, configured to acquire a network access request, where the initial suspected attack probability of the network access request is 0;
the comparison module is used for comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence;
a probability assignment module, configured to assign a probability corresponding to a limiting parameter to the initial suspected attack probability if any of the limiting parameters fails to pass the comparison;
the probability calculation module is used for counting the sum of all initial suspected attack probabilities to obtain suspected attack probabilities;
the identification module is used for judging whether the suspected attack probability is greater than an attack threshold value;
and the attack confirmation module is used for marking the network access request as a network attack when the judgment result of the identification module is yes.
8. The identification system of claim 7, further comprising:
and the parameter acquisition module is used for acquiring the access request limiting parameter list, wherein the access request limiting parameter list comprises a maximum request quantity per second, a single IP maximum request quantity per second, a link list and an IP white list.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the identification method according to any one of claims 1 to 6.
10. A terminal, characterized in that it comprises a memory in which a computer program is stored and a processor which, when it calls the computer program in the memory, implements the steps of the identification method according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202010574443.7A CN111740999B (en) | 2020-06-22 | 2020-06-22 | DDOS attack identification method, system and related device
Publications (2)
Publication Number | Publication Date
---|---
CN111740999A true CN111740999A (en) | 2020-10-02
CN111740999B CN111740999B (en) | 2022-11-25
Family ID: 72650465
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN202010574443.7A Active CN111740999B (en) | DDOS attack identification method, system and related device | 2020-06-22 | 2020-06-22
Country Status (1)
Country | Link
---|---
CN (1) | CN111740999B (en)
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN112671743A (en) * | 2020-12-17 | 2021-04-16 | 杭州安恒信息技术股份有限公司 | DDoS intrusion detection method based on flow self-similarity and related device
CN113518064A (en) * | 2021-03-23 | 2021-10-19 | 杭州安恒信息技术股份有限公司 | Defense method and device for challenging black hole attack, computer equipment and storage medium
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US20100115621A1 (en) * | 2008-11-03 | 2010-05-06 | Stuart Gresley Staniford | Systems and Methods for Detecting Malicious Network Content
CN104580203A (en) * | 2014-12-31 | 2015-04-29 | 北京奇虎科技有限公司 | Website malicious program detection method and device
US20160127406A1 (en) * | 2014-09-12 | 2016-05-05 | Level 3 Communications, Llc | Identifying a potential ddos attack using statistical analysis
CN106254368A (en) * | 2016-08-24 | 2016-12-21 | 杭州迪普科技有限公司 | The detection method of Web vulnerability scanning and device
CN108282468A (en) * | 2018-01-03 | 2018-07-13 | 北京交通大学 | A kind of application layer ddos attack detection method and device
Also Published As
Publication number | Publication date
---|---
CN111740999B (en) | 2022-11-25
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |