CN111740999B - DDOS attack identification method, system and related device - Google Patents


Info

Publication number: CN111740999B
Application number: CN202010574443.7A
Authority: CN (China)
Prior art keywords: probability, suspected attack, initial, attack probability, access request
Legal status: Active (current)
Other languages: Chinese (zh)
Other versions: CN111740999A (en)
Inventors: 胡冰, 范渊
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202010574443.7A
Publication of CN111740999A
Application granted
Publication of CN111740999B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a DDOS attack identification method comprising the following steps: acquiring a network access request, whose initial suspected attack probability is 0; comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence; if the comparison against any limiting parameter fails, giving the probability corresponding to that limiting parameter to the initial suspected attack probability; counting the sum of all initial suspected attack probabilities to obtain the suspected attack probability; judging whether the suspected attack probability is larger than an attack threshold value; and if so, marking the network access request as a network attack. The method and device enhance the identification capability for network access requests, improve the identification accuracy, and help to better maintain the stability of the website and its pages. The application also provides a DDOS attack recognition system, a computer-readable storage medium and a terminal, which have the same beneficial effects.

Description

DDOS attack identification method, system and related device
Technical Field
The present application relates to the field of network security, and in particular, to a DDOS attack identification method, system, and related apparatus.
Background
A distributed denial of service attack, DDOS for short, uses many computers to attack a target at the same time so that the target can no longer be used normally. Such attacks have occurred many times, leaving many large websites unable to operate, which not only affects users' normal use but also causes great economic loss.
The existing technology identifies attacks roughly by access traffic: when the traffic is too large, a DDOS attack is taken as essentially established. However, excessive network access traffic is not necessarily a DDOS attack; access traffic may, for example, surge because of a hot topic of public opinion. How to accurately identify DDOS attack behaviour against web applications is therefore a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a DDOS attack identification method, a DDOS attack identification system, a computer readable storage medium and a terminal, which can improve the malicious attack identification capability of a network access request.
In order to solve the technical problem, the application provides an identification method of DDOS attack, and the specific technical scheme is as follows:
acquiring a network access request, wherein the initial suspected attack probability of the network access request is 0;
comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence;
if any one of the limiting parameters fails to pass the comparison, giving the probability corresponding to the limiting parameter to the initial suspected attack probability;
counting the sum of all initial suspected attack probabilities to obtain suspected attack probabilities;
judging whether the suspected attack probability is larger than an attack threshold value;
if so, marking the network access request as a network attack.
Optionally, before acquiring the network access request, the method further includes:
acquiring the access request limiting parameter list, which comprises a maximum request amount per second, a maximum request amount per second for a single IP, a link list and an IP white list.
Optionally, comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence includes:
judging whether the maximum request quantity per second of the network access request exceeds a first threshold value;
if so, giving a first probability value to the initial suspected attack probability to obtain a first initial suspected attack probability, and judging whether the url corresponding to the network access request exists in the link list or not;
if the url corresponding to the network access request exists in the link list, setting a preset request value as a first percentage, and otherwise, setting the preset request value as a second percentage;
judging whether the percentage of the url request number per second to the total request number per second is larger than the preset request value;
if so, giving a second probability value to the initial suspected attack probability to obtain a second initial suspected attack probability;
judging whether the IP address of the network access request is in the IP white list or not;
if so, ending the identification;
if not, giving a third probability value corresponding to the IP white list to the initial suspected attack probability to obtain a third initial suspected attack probability;
judging whether the request times per second of the IP address is larger than the maximum request quantity per second of the single IP;
if so, giving a fourth probability value corresponding to the maximum request quantity of the single IP per second to the initial suspected attack probability to obtain a fourth initial suspected attack probability;
then, the step of counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes:
counting the sum of the first, second, third and fourth initial suspected attack probabilities to obtain the suspected attack probability.
Optionally, when the IP address of the network access request is not in the IP white list, the method further includes:
executing an agent pool identification process on the network access request to obtain an agent identification suspected attack probability, and assigning the agent identification suspected attack probability to the initial suspected attack probability to obtain a fifth initial suspected attack probability;
then, counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes:
counting the sum of the first, second, third, fourth and fifth initial suspected attack probabilities to obtain the suspected attack probability.
Optionally, executing an agent pool identification process on the network access request, and obtaining a suspected attack probability of an agent identification includes:
judging whether the IP address of the network access request exists in an agent pool or not;
if so, giving a fourth probability value corresponding to the maximum request amount per second of the single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability;
if not, judging whether the first initial suspected attack probability and the second initial suspected attack probability are both 0;
if the first initial suspected attack probability and the second initial suspected attack probability are both 0, adding the IP address into the agent pool;
if the first initial suspected attack probability and the second initial suspected attack probability are not both 0, judging whether the IP address opens an agent port;
if so, giving a sixth probability value corresponding to the agent port to the initial suspected attack probability to obtain a sixth initial suspected attack probability;
if not, judging whether the IP address request head comprises an agent end parameter or not;
if so, adding a seventh probability value corresponding to the agent end parameter to the sixth initial suspected attack probability to obtain an agent identification suspected attack probability.
Optionally, if the suspected attack probability is smaller than the attack threshold, the method further includes:
judging whether the suspected attack probability is larger than a suspected threshold value;
if so, submitting the network access request for manual detection.
The present application further provides a DDOS attack recognition system, including:
an acquisition module, configured to acquire a network access request, where the initial suspected attack probability of the network access request is 0;
the comparison module is used for comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence;
a probability assignment module, configured to assign a probability corresponding to a limiting parameter to the initial suspected attack probability if any of the limiting parameters fails to pass the comparison;
the probability calculation module is used for counting the sum of all initial suspected attack probabilities to obtain suspected attack probabilities;
the identification module is used for judging whether the suspected attack probability is greater than an attack threshold value;
an attack confirmation module, configured to mark the network access request as a network attack when the judgment result of the identification module is yes.
Optionally, the system further includes:
a parameter acquisition module, configured to acquire the access request limiting parameter list, which comprises the maximum request amount per second, the maximum request amount per second for a single IP, a link list and an IP white list.
The present application also provides a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the identification method as described above.
The present application further provides a terminal, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the identification method when calling the computer program in the memory.
The application provides a DDOS attack identification method, which comprises the following steps: acquiring a network access request, wherein the initial suspected attack probability of the network access request is 0; comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence; if any one of the limiting parameters fails to pass the comparison, giving the probability corresponding to the limiting parameter to the initial suspected attack probability; counting the sum of all initial suspected attack probabilities to obtain suspected attack probabilities; judging whether the suspected attack probability is larger than an attack threshold value or not; if so, marking the network access request as a network attack.
According to the method and the device, the network access requests are compared one by utilizing the limiting parameters, so that the identification capability of the network access requests is further enhanced, the identification accuracy of the network access requests is improved, the problem that false identification is easily caused when network attacks are identified only according to the network flow is avoided, and the method and the device are favorable for better maintaining the stability of websites and pages. The application also provides a DDOS attack recognition system, a computer readable storage medium and a terminal, which have the beneficial effects and are not described herein again.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of an identification method for DDOS attack according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an identification system for DDOS attack according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a DDOS attack identification method provided in an embodiment of the present application, and a specific technical solution of the DDOS attack identification method provided in the present application is as follows:
S101: acquiring a network access request;
This step aims to obtain a network access request, such as an HTTP request, whose initial suspected attack probability is 0.
Further, generally before this step is performed, the access request restriction parameter list may be obtained, and the access request restriction parameter list may include a maximum request amount per second, a maximum request amount per second per IP, a link list, an IP white list, and the like.
S102: comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence;
This step is intended to compare each item of data of the network access request, one by one, with the restriction parameters in the access request restriction parameter list. Which restriction parameters the list contains is not specifically limited; it may include, but is not limited to, a maximum request amount per second per IP, a link list, an IP white list, and so on. Secondly, since there are several limiting parameters and there may be some correlation between them, the comparison sequence may be optimized to improve detection efficiency. It is understood that different restriction parameters may have different comparison sequences.
S103: if the comparison against any limiting parameter fails, giving the probability corresponding to that limiting parameter to the initial suspected attack probability;
If the comparison against any limiting parameter fails, the probability corresponding to that limiting parameter is added to the initial suspected attack probability. The probabilities corresponding to different limiting parameters may of course be the same or different; the probability corresponding to each limiting parameter is not particularly limited.
It should be noted that, since the comparison processes of the respective limiting parameters are independent, after each comparison that fails, the probability corresponding to that limiting parameter is assigned to the initial suspected attack probability.
S104: counting the sum of all initial suspected attack probabilities to obtain suspected attack probabilities;
since each limiting parameter has a corresponding initial suspected attack probability after comparison, all the initial suspected attack probabilities need to be added to obtain a total suspected attack probability. Of course, if the comparison of a certain limiting parameter passes, the initial suspected attack probability is still 0.
S105: judging whether the suspected attack probability is larger than an attack threshold value; if yes, entering S106;
S106: marking the network access request as a network attack.
Finally, it is judged whether the suspected attack probability is greater than the attack threshold value. How the attack threshold is set and its value are not specifically limited; a person skilled in the art can set it according to the actual application or the pattern of network attacks. When the suspected attack probability is larger than the attack threshold value, the network access request is confirmed to be a network attack. Since this embodiment compares multiple restriction parameters, the more of those comparisons a network access request fails at the same time, the more features of a network attack it matches, that is, the higher the possibility that the network access request is a network attack.
Further, on the basis of this embodiment, if the suspected attack probability is smaller than the attack threshold, it may be further determined whether the suspected attack probability is larger than a suspected threshold. If it is greater than the suspected threshold, the network access request may be manually detected. For example, with an attack threshold of 80% and a suspected threshold of 60%, a suspected attack probability of 75% obtained by adding the initial suspected attack probabilities does not meet the attack threshold for a direct determination, but because it is close to 80% and greater than the suspected threshold, it is clearly not safe enough to treat the request as harmless; manual detection may then be performed, the network access request may be kept under continued observation, or other methods may be used. By setting the suspected threshold, network access requests with higher risk can thus be detected and watched while the requests detected as attacks are ensured to be network attacks, which further improves the network security protection capability.
According to the embodiment of the application, the network access requests are compared one by one using the limiting parameters, so that the identification capability for network access requests is further enhanced, the identification accuracy is improved, the false identification that easily results from identifying network attacks only by the size of the network traffic is avoided, and the stability of websites and pages can be better maintained.
S102 of the previous embodiment is now described in detail, taking the maximum request amount per second, the maximum request amount per second for a single IP, the link list and the IP white list as the limiting parameters; that is, comparing the network access request with the limiting parameters in the access request limiting parameter list one by one in a preset comparison order includes:
S201: judging whether the maximum request quantity per second of the network access request exceeds a first threshold value; if yes, entering S202;
S202: giving a first probability value to the initial suspected attack probability to obtain a first initial suspected attack probability, and judging whether the url corresponding to the network access request exists in the link list; then entering S203;
S203: if the url exists in the link list, setting a preset request value as a first percentage; otherwise, setting the preset request value as a second percentage;
The first percentage and the second percentage are not particularly limited here, but the first percentage should be larger than the second percentage.
S204: judging whether the percentage of the url request number per second in the total request number per second is larger than the preset request value; if yes, entering S205;
S205: giving a second probability value to the initial suspected attack probability to obtain a second initial suspected attack probability;
S206: judging whether the IP address of the network access request is in the IP white list; if yes, entering S207; if not, entering S208;
S207: finishing the identification;
S208: giving a third probability value corresponding to the IP white list to the initial suspected attack probability to obtain a third initial suspected attack probability;
S209: judging whether the request times per second of the IP address is larger than the maximum request quantity per second for a single IP; if yes, entering S210;
S210: giving a fourth probability value corresponding to the maximum request amount per second for a single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability.
Correspondingly, when S104 of the previous embodiment is executed, the sum of the first, second, third and fourth initial suspected attack probabilities is counted to obtain the suspected attack probability.
In this embodiment, the comparison process between the network access request and the restriction parameter is described by taking the restriction parameter as the maximum request amount per second, the maximum request amount per second of a single IP, the link list and the IP white list as examples, and based on this, a person skilled in the art may also use other restriction parameters or use other comparison orders, and on the premise of not departing from the core idea of the present application, all of them should be within the protection scope of the present application.
Based on the above embodiment, as a preferred embodiment, when the judgment of S206 is no, the following steps may be further performed; this process is independent of S208 to S210 in the previous embodiment, and is as follows:
executing a proxy pool identification process on the network access request to obtain a proxy identification suspected attack probability, and assigning the proxy identification suspected attack probability to the initial suspected attack probability to obtain a fifth initial suspected attack probability;
then, counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes:
counting the sum of the first, second, third, fourth and fifth initial suspected attack probabilities to obtain the suspected attack probability.
Specifically, executing the proxy pool identification process on the network access request to obtain the proxy identification suspected attack probability may include the following steps:
S301: judging whether the IP address of the network access request exists in the proxy pool; if yes, entering S302; if not, entering S303;
S302: giving a fourth probability value corresponding to the maximum request amount per second for a single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability;
This step is the same as S210 in the previous embodiment.
S303: judging whether the first initial suspected attack probability and the second initial suspected attack probability are both 0; if yes, entering S304; if not, entering S305;
S304: adding the IP address to the proxy pool;
S305: judging whether the IP address opens a proxy port; if yes, entering S306; if not, entering S307;
S306: giving a sixth probability value corresponding to the proxy port to the initial suspected attack probability to obtain a sixth initial suspected attack probability;
S307: judging whether the request header of the IP address comprises a proxy-side parameter; if yes, entering S308;
S308: adding a seventh probability value corresponding to the proxy-side parameter to the sixth initial suspected attack probability to obtain the proxy identification suspected attack probability.
The aim of this embodiment is to perform a proxy judgment on the network access request. Network access requests frequently arrive through a proxy service, whereas normal access behaviour does not actually need a proxy, so a proxy-based network access request has a high suspected attack probability. The subsequent judgments on the proxy port and the proxy-side parameters of the IP address further narrow down the possibility that the network access request is a network attack: each additional item that matches means the possibility that the network access request is a network attack is higher. The number of proxy ports and proxy-side parameters is not particularly limited and may be more than one; for example, the proxy ports may include port 80, port 8080 and the like, and the proxy-side parameters may include an x_forward_for parameter, a Proxy_connection parameter and the like. Likewise, each additional proxy port that an IP address opens makes the corresponding initial suspected attack probability higher. The suspected probabilities corresponding to different ports or different proxy parameters may be the same or different.
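S301 to S308 as one function, written here as an added Python example (not the patent's or DBAPPSecurity's code). It assumes integer percentage points, a constructed weights table with one value per proxy port and per header parameter (the text allows these to be the same or different), that the "does the IP open a proxy port" question is answered from a constructed table of previously observed open ports rather than by probing the address, and that p1 and p2 are the first and second initial suspected attack probabilities computed in S202 and S205.

```python
"""Added example, not the patent's code: the proxy-pool identification process
S301 to S308 as one function over a constructed request record.

Assumptions not on the page: probabilities are integer percentage points held in
a weights table with one entry per proxy port and per header parameter; "does
the IP open a proxy port" is answered from a constructed table of observed open
ports, not by probing the address; p1 and p2 are the first and second initial
suspected attack probabilities computed earlier in S202 and S205.
"""

# Constructed weights: P4 for pool membership, a P6 per proxy port, a P7 per header parameter
WEIGHTS = {
    "pool": 20,
    "ports": {80: 5, 8080: 5},                                   # page: "port 80, port 8080 and the like"
    "headers": {"x_forward_for": 10, "proxy_connection": 15},    # parameter names as spelled on the page
}


def proxy_identification(ip, headers, p1, p2, proxy_pool, open_ports_by_ip, weights=WEIGHTS):
    """Return the proxy identification suspected attack probability (in %) for one request.

    proxy_pool is a set and is mutated when S304 adds the IP to it.
    """
    # S301/S302: an IP already in the proxy pool gets the fourth probability value outright
    if ip in proxy_pool:
        return weights["pool"]

    # S303/S304: no rate-based evidence at all (P1 == P2 == 0) -> add the IP to the pool
    # and stop; the page assigns no probability on this branch
    if p1 == 0 and p2 == 0:
        proxy_pool.add(ip)
        return 0

    prob = 0
    # S305/S306: sixth probability value, one increment per open proxy port
    open_ports = open_ports_by_ip.get(ip, set())
    for port, weight in weights["ports"].items():
        if port in open_ports:
            prob += weight

    # S307/S308: seventh probability value, one increment per proxy-side header
    # parameter, added on top of the sixth
    present = {name.lower() for name in headers}
    for param, weight in weights["headers"].items():
        if param in present:
            prob += weight
    return prob
```

The returned value is what the embodiment calls the fifth initial suspected attack probability; the caller adds it to the first four before comparing against the attack threshold.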
One specific application of the present application is described in detail below:
1, presetting a batch of limiting parameters including the maximum request number per second (Max _ A), the maximum request number per second (Max _ IP) of a single IP, a white list IP list L1 and a frequently used link list L2;
2, running a program, accessing an HTTP request, and setting an initial suspected attack probability P =0;
and 3, immediately counting the network access request amount per second, and judging whether the current request amount per second exceeds a preset threshold value Max _ A. When the request amount per second exceeds Max _ A, counting whether the url corresponding to the network access request is in a link list L2; when the url corresponding to the network access request is in the L2, setting the use threshold Pu =70% of the current url, and when the url is not in the L2, setting Pu =50%; when the request amount per second does not exceed Max _ A, executing step 5;
4, judging whether the percentage of the current url request number per second to the total request number per second is greater than Pu, if so, judging the suspected attack probability P = P +20%, and continuing to judge the request mode of the request, if so, judging that P = P +10%, and if so, judging that P = P +5%; if the percentage of the current url request number per second to the total request number per second is less than Pu, no operation is performed;
since the network access request is usually post and get, delete or update, and the network attack is usually delete or update, the probability of suspected attack is higher when the network access request is delete or update.
5, judging whether the IP of the network access request is in a white list L1, and if the IP is in the L1, directly ending the inspection program; when the IP is not in L1, the downward execution is continued.
6, judging whether the current request IP is in the proxy pool, and jumping to the step 8 when the IP is in the proxy pool and P = P + 30%; when the IP is not in the proxy pool, the downward execution is continued.
7, judging whether P is equal to 0, and when P =0, adding the IP into an agent IP identification queue, wherein the queue can identify whether the IP is an agent IP or not, and the agent IP can add the current IP into an agent pool; when P is not equal to 0, firstly, judging whether the IP opens two proxy ports of 80 and 8080 ports, if yes, P = P +5%;
judging whether the IP request header contains an x _ forward _ for parameter or not, if so, P = P +10%; and finally, judging whether the IP request header contains a Proxy _ connection parameter or not, and if so, P = P +15%.
8. Judge whether the requests per second of the current IP exceed Max_IP. If so, P = P + 20%; otherwise, continue with the next step.
9. Statistically compare the parameters and values of the request, and count the proportion Pp of requests with identical parameters among the current URL's requests per second. When Pp is greater than 80%, P = P + 20%; when Pp <= 80%, continue with the next step.
10. Judge whether P is greater than or equal to 80%. When P >= 80%, mark the request as a DDOS attack; otherwise, mark it as a normal request.
11. Return the marking result and finish the verification.
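Steps 4 to 10 above, written out as an added Python example (this is not code from the patent). The request-rate check and the choice of Pu from the earlier steps are taken as inputs, the port check is a lookup against an assumed precomputed set rather than a live probe, and the one-second request window is constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    ip: str
    url: str
    method: str
    params: tuple   # sorted (key, value) pairs, compared as a whole in step 9
    headers: tuple  # (name, value) pairs as received

@dataclass
class Limits:
    pu: float               # Pu selected in the earlier url-list step (assumed value)
    max_ip: int             # Max_IP, single-IP maximum requests per second
    whitelist: frozenset    # white list L1
    proxy_pool: frozenset   # IPs already identified as proxies
    ports_open: frozenset   # IPs known (out-of-band, assumed) to expose ports 80 and 8080

class Window:
    # per-second counters built from the requests observed in one window
    def __init__(self, requests):
        self.total = len(requests)
        self.per_url = Counter(r.url for r in requests)
        self.per_ip = Counter(r.ip for r in requests)
        self.per_url_params = defaultdict(Counter)
        for r in requests:
            self.per_url_params[r.url][r.params] += 1

def score(req, p, limits, win, proxy_id_queue):
    """Steps 4-10; p is the probability carried in from the earlier steps. Returns (P, label)."""
    # Step 4: share of this url in all requests of the window versus Pu
    if win.per_url[req.url] / win.total * 100 > limits.pu:
        p += 20
        # the text gives delete/update the higher suspicion: read as +10 for them, +5 otherwise
        p += 10 if req.method.upper() in ("DELETE", "UPDATE") else 5
    # Step 5: a whitelisted IP ends the check at once
    if req.ip in limits.whitelist:
        return 0, "whitelisted"
    # Step 6: IP already known as a proxy
    if req.ip in limits.proxy_pool:
        p += 30
    # Step 7: queue a still-clean IP for proxy identification, else look for proxy indicators
    elif p == 0:
        proxy_id_queue.append(req.ip)
    else:
        names = {name.lower() for name, _ in req.headers}
        p += 5 if req.ip in limits.ports_open else 0
        p += 10 if "x-forwarded-for" in names else 0
        p += 15 if "proxy-connection" in names else 0
    # Step 8: per-IP request rate versus Max_IP
    if win.per_ip[req.ip] > limits.max_ip:
        p += 20
    # Step 9: proportion Pp of this url's requests that carry identical parameters
    same = win.per_url_params[req.url][req.params]
    if same / win.per_url[req.url] * 100 > 80:
        p += 20
    # Step 10: final decision against the 80% threshold
    return p, ("ddos" if p >= 80 else "normal")

# Constructed window: 90 identical POSTs to /login from one address with proxy headers,
# 9 GETs to /home from distinct addresses, and 1 request from a whitelisted IP.
FLOOD = Request("203.0.113.5", "/login", "POST", (("pw", "x"), ("user", "a")),
                (("X-Forwarded-For", "192.0.2.77"), ("Proxy-Connection", "keep-alive")))
NORMAL = Request("192.0.2.1", "/home", "GET", (), ())
TRUSTED = Request("198.51.100.7", "/admin", "GET", (), ())
WINDOW = Window([FLOOD] * 90
                + [Request(f"192.0.2.{i}", "/home", "GET", (), ()) for i in range(1, 10)]
                + [TRUSTED])
LIMITS = Limits(pu=50, max_ip=50, whitelist=frozenset({"198.51.100.7"}),
                proxy_pool=frozenset(), ports_open=frozenset())

def run():
    queue = []
    results = {name: score(r, 0, LIMITS, WINDOW, queue)
               for name, r in (("flood", FLOOD), ("normal", NORMAL), ("trusted", TRUSTED))}
    return results, queue  # flood -> (90, "ddos"), normal -> (20, "normal"), trusted -> (0, "whitelisted")
```

Note that the unparameterised GETs to /home all share the empty parameter set, so step 9 adds 20% to an ordinary request as well; the 80% threshold is what keeps it below the attack mark.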
In the following, a DDOS attack recognition system provided by an embodiment of the present application is introduced; the recognition system described below and the DDOS attack recognition method described above may be referred to in correspondence with each other.
Referring to fig. 2, fig. 2 is a schematic structural diagram of an identification system for DDOS attack provided in an embodiment of the present application, and the present application further provides an identification system for DDOS attack, including:
an obtaining module 100, configured to obtain a network access request, where an initial suspected attack probability of the network access request is 0;
a comparison module 200, configured to compare the network access request with the restriction parameters in the access request restriction parameter list one by one in a preset comparison order;
a probability assignment module 300, configured to assign a probability corresponding to a limiting parameter to the initial suspected attack probability if any of the limiting parameters fails to pass the comparison;
a probability calculation module 400, configured to count a sum of all initial suspected attack probabilities to obtain a suspected attack probability;
an identifying module 500, configured to determine whether the suspected attack probability is greater than an attack threshold;
and the attack confirmation module 600 is configured to mark the network access request as a network attack when the identification module determines that the network access request is a network attack.
Based on the above embodiment, as a preferred embodiment, the method further includes:
and the parameter acquisition module is used for acquiring the access request limiting parameter list, and the access request limiting parameter list comprises the maximum request amount per second, the single IP maximum request amount per second, a link list and an IP white list.
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed, may implement the steps provided by the above-described embodiments. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application further provides a terminal, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when calling the computer program in the memory. Of course, the terminal may also include various network interfaces, power supplies, and the like.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system provided by the embodiment, the description is relatively simple because the system corresponds to the method provided by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.

Claims (5)

1. A DDOS attack recognition method is characterized by comprising the following steps:
acquiring an access request limiting parameter list, wherein the access request limiting parameter list comprises a maximum request amount per second, a single IP maximum request amount per second, a link list and an IP white list;
acquiring a network access request, wherein the initial suspected attack probability of the network access request is 0;
comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence;
if any one of the limiting parameters fails to pass the comparison, giving the probability corresponding to the limiting parameter to the initial suspected attack probability;
counting the sum of all initial suspected attack probabilities to obtain suspected attack probabilities;
judging whether the suspected attack probability is larger than an attack threshold value;
if so, marking the network access request as a network attack;
the step of comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence comprises:
judging whether the maximum request quantity per second of the network access request exceeds a first threshold value;
if so, giving a first probability value to the initial suspected attack probability to obtain a first initial suspected attack probability, and judging whether the url corresponding to the network access request exists in the link list or not;
if the url corresponding to the network access request exists in the link list, setting a preset request value as a first percentage, and otherwise, setting the preset request value as a second percentage;
judging whether the percentage of the url request number per second to the total request number per second is larger than the preset request value;
if so, giving a second probability value to the initial suspected attack probability to obtain a second initial suspected attack probability;
judging whether the IP address of the network access request is positioned in the IP white list or not;
if so, ending the identification;
if not, giving a third probability value corresponding to the IP white list to the initial suspected attack probability to obtain a third initial suspected attack probability;
judging whether the request times per second of the IP address is larger than the maximum request quantity per second of the single IP;
if so, giving a fourth probability value corresponding to the maximum request quantity of the single IP per second to the initial suspected attack probability to obtain a fourth initial suspected attack probability;
then, the step of counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes:
counting the sum of the first initial suspected attack probability, the second initial suspected attack probability, the third initial suspected attack probability and the fourth initial suspected attack probability to obtain suspected attack probabilities;
the IP address in response to the network access request is not present in the IP whitelist, further comprising:
executing an agent pool identification process on the network access request to obtain an agent identification suspected attack probability, and endowing the agent identification suspected attack probability to the initial suspected attack probability to obtain a fifth initial suspected attack probability;
then, the step of counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes:
counting the sum of the first initial suspected attack probability, the second initial suspected attack probability, the third initial suspected attack probability, the fourth initial suspected attack probability and the fifth initial suspected attack probability to obtain suspected attack probabilities;
the step of executing a proxy pool identification process on the network access request to obtain the proxy identification suspected attack probability comprises:
judging whether the IP address of the network access request exists in a proxy pool;
if so, giving a fourth probability value corresponding to the maximum request amount per second of the single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability;
if not, judging whether the first initial suspected attack probability and the second initial suspected attack probability are both 0;
if the first initial suspected attack probability and the second initial suspected attack probability are both 0, adding the IP address into the proxy pool;
if the first initial suspected attack probability and the second initial suspected attack probability are not both 0, judging whether the IP address has a proxy port open;
if so, giving a sixth probability value corresponding to the proxy port to the initial suspected attack probability to obtain a sixth initial suspected attack probability;
if not, judging whether the request header of the IP address comprises a proxy parameter;
and if so, adding a seventh probability value corresponding to the proxy parameter to the sixth initial suspected attack probability to obtain the proxy identification suspected attack probability.
2. The method of claim 1, wherein if the suspected attack probability is less than an attack threshold, further comprising:
judging whether the suspected attack probability is larger than a suspected threshold value;
and if so, manually detecting the network access request.
3. A DDOS attack recognition system, comprising:
an acquisition module, configured to acquire a network access request, wherein the initial suspected attack probability of the network access request is 0;
the comparison module is used for comparing the network access request with the limiting parameters in the access request limiting parameter list one by one according to a preset comparison sequence;
a probability assignment module, configured to assign a probability corresponding to a limiting parameter to the initial suspected attack probability if any of the limiting parameters fails to pass the comparison;
the probability calculation module is used for counting the sum of all initial suspected attack probabilities to obtain suspected attack probabilities;
the identification module is used for judging whether the suspected attack probability is greater than an attack threshold value;
the attack confirmation module is used for marking the network access request as a network attack when the judgment result of the identification module is yes;
a parameter acquisition module, configured to acquire an access request limiting parameter list, wherein the access request limiting parameter list comprises a maximum request quantity per second, a single IP maximum request quantity per second, a link list and an IP white list;
the comparison module is specifically configured to judge whether the maximum request quantity per second of the network access request exceeds a first threshold value; if so, give a first probability value to the initial suspected attack probability to obtain a first initial suspected attack probability, and judge whether the url corresponding to the network access request exists in the link list; if the url corresponding to the network access request exists in the link list, set a preset request value as a first percentage, and otherwise set the preset request value as a second percentage; judge whether the percentage of the url request number per second to the total request number per second is larger than the preset request value; if so, give a second probability value to the initial suspected attack probability to obtain a second initial suspected attack probability; judge whether the IP address of the network access request is located in the IP white list; if so, end the identification; if not, give a third probability value corresponding to the IP white list to the initial suspected attack probability to obtain a third initial suspected attack probability; judge whether the request times per second of the IP address is larger than the maximum request amount per second of the single IP; if so, give a fourth probability value corresponding to the maximum request amount per second of the single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability; then, the step of counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes: counting the sum of the first initial suspected attack probability, the second initial suspected attack probability, the third initial suspected attack probability and the fourth initial suspected attack probability to obtain the suspected attack probability; wherein, when the IP address of the network access request does not exist in the IP white list, the system further performs: executing a proxy pool identification process on the network access request to obtain a proxy identification suspected attack probability, and assigning the proxy identification suspected attack probability to the initial suspected attack probability to obtain a fifth initial suspected attack probability; then, the step of counting the sum of all the initial suspected attack probabilities to obtain the suspected attack probability includes: counting the sum of the first initial suspected attack probability, the second initial suspected attack probability, the third initial suspected attack probability, the fourth initial suspected attack probability and the fifth initial suspected attack probability to obtain the suspected attack probability; wherein executing the proxy pool identification process on the network access request to obtain the proxy identification suspected attack probability comprises: judging whether the IP address of the network access request exists in a proxy pool; if so, giving a fourth probability value corresponding to the maximum request amount per second of the single IP to the initial suspected attack probability to obtain a fourth initial suspected attack probability; if not, judging whether the first initial suspected attack probability and the second initial suspected attack probability are both 0; if the first initial suspected attack probability and the second initial suspected attack probability are both 0, adding the IP address into the proxy pool; if the first initial suspected attack probability and the second initial suspected attack probability are not both 0, judging whether the IP address has a proxy port open; if so, giving a sixth probability value corresponding to the proxy port to the initial suspected attack probability to obtain a sixth initial suspected attack probability; if not, judging whether the request header of the IP address comprises a proxy parameter; and if so, adding a seventh probability value corresponding to the proxy parameter to the sixth initial suspected attack probability to obtain the proxy identification suspected attack probability.
4. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the identification method according to any one of claims 1-2.
5. A terminal, characterized in that it comprises a memory in which a computer program is stored and a processor which, when it calls the computer program in the memory, carries out the steps of the identification method according to any one of claims 1-2.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010574443.7A CN111740999B (en) 2020-06-22 2020-06-22 DDOS attack identification method, system and related device

Publications (2)

Publication Number Publication Date
CN111740999A CN111740999A (en) 2020-10-02
CN111740999B true CN111740999B (en) 2022-11-25

Family

ID=72650465

Country Status (1)

Country Link
CN (1) CN111740999B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant