CN112073402B - Traffic attack detection method and device - Google Patents


Info

Publication number
CN112073402B
Authority
CN
China
Prior art keywords
attack
flow
pulse wave
traffic
detected
Prior art date
Legal status
Active
Application number
CN202010892958.1A
Other languages
Chinese (zh)
Other versions
CN112073402A (en)
Inventor
田佳星
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202010892958.1A
Publication of CN112073402A
Application granted
Publication of CN112073402B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a traffic attack detection method and device, applied to a detection device. The method comprises: obtaining the current traffic to be detected; calculating traffic attack information of the traffic to be detected; judging whether the traffic attack information meets a pulse wave attack condition; and, if the pulse wave attack condition is met, confirming that the traffic to be detected is pulse wave attack traffic. With this method, pulse wave attack traffic can be accurately detected and identified.

Description

Traffic attack detection method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting a traffic attack.
Background
Traditional Distributed Denial of Service (DDoS) attack traffic generally ramps up gradually, and attacks of hundreds of Gbps have become increasingly common in recent years. For attacks of this type, dedicated anti-DDoS equipment and cloud scrubbing services already exist in production networks. In 2017, however, the pulse wave DDoS attack appeared: an attacker controls many compromised hosts (bots) so that the attack traffic reaches its peak within seconds; the attack pattern is highly repetitive, consisting of one or more pulses every ten minutes or so, lasting for hours or days, and the peak can reach 350 Gbps.
The existing anti-DDoS workflow is roughly as follows: the network core device mirrors or samples traffic to the detection device for DDoS attack detection; the detection device reports attack information to the management center; and the management center issues defense policies and traffic diversion rules (also called drainage rules) to the scrubbing device (also called the cleaning device or anti-DDoS device). The network core device diverts the traffic to the scrubbing device, which discards the attack traffic and re-injects the normal traffic back to the network core device, which then forwards it to its destination. In other words, traffic is diverted to and re-injected from the scrubbing device only after an attack has started, and the diversion rule is deleted once the attack is detected to have ended. This method is not suitable for pulse wave attacks: because each pulse reaches its peak very quickly, every pulse would require a fresh diversion and re-injection, which typically takes about 3 to 10 seconds, so the attack cannot be responded to in time and the protected host is successfully attacked.
Therefore, how to detect pulse wave attack traffic is a technical problem worth considering.
Disclosure of Invention
In view of the above, the present application provides a traffic attack detection method and apparatus for accurately detecting pulse wave attack traffic.
Specifically, the method is realized through the following technical scheme:
According to a first aspect of the present application, a traffic attack detection method is provided, applied in a detection device, the method comprising:
obtaining the current traffic to be detected;
calculating traffic attack information of the traffic to be detected;
judging whether the traffic attack information meets a pulse wave attack condition;
and, if the pulse wave attack condition is met, confirming that the traffic to be detected is pulse wave attack traffic.
Optionally, the traffic attack information in the present application includes at least one of the following items: the single attack traffic peak, the single attack duration, and the attack time interval from the previous attack.
Optionally, judging whether the traffic attack information meets a pulse wave attack condition comprises:
calculating the duration difference between the single attack duration of this time and the single attack duration of the previous time;
calculating the interval difference between the attack time interval of this time and the attack time interval of the previous time;
judging whether the single attack traffic peak exceeds a set maximum attack traffic peak;
judging whether the duration difference is within a first set range;
judging whether the interval difference is within a second set range;
and, if all judgment results are yes, confirming that the traffic attack information meets the pulse wave attack condition.
Optionally, judging whether the traffic attack information meets a pulse wave attack condition comprises:
judging whether the single attack traffic peak exceeds a set minimum single attack traffic peak;
judging whether the single attack duration is within a single attack duration range;
judging whether the attack time interval is within an attack time interval range;
and, if all judgment results are yes, confirming that the traffic attack information meets the pulse wave attack condition.
Optionally, the traffic attack detection method provided by the present application further includes:
if the traffic to be detected is confirmed to be pulse wave attack traffic N consecutive times, determining that the protected network is under pulse wave attack.
Optionally, the traffic attack detection method provided by the present application further includes:
when a pulse wave attack is confirmed, sending a start-diversion (drainage start) message to the scrubbing device;
and, when it is detected that the pulse wave attack no longer exists, sending a stop-diversion (drainage stop) message to the scrubbing device.
According to a second aspect of the present application, a traffic attack detection apparatus is provided, applied in a detection device, the apparatus comprising:
an obtaining module, configured to obtain the current traffic to be detected;
a calculating module, configured to calculate traffic attack information of the traffic to be detected;
a judging module, configured to judge whether the traffic attack information meets a pulse wave attack condition;
and a confirming module, configured to confirm that the traffic to be detected is pulse wave attack traffic if the judging module determines that the pulse wave attack condition is met.
Optionally, the traffic attack information in the present application includes at least one of the following items: a single attack traffic peak, a single attack duration, and an attack time interval from the previous attack.
Optionally, the judging module is specifically configured to calculate the duration difference between the single attack duration of this time and that of the previous time; calculate the interval difference between the attack time interval of this time and that of the previous time; judge whether the single attack traffic peak exceeds a set maximum attack traffic peak; judge whether the duration difference is within a first set range; judge whether the interval difference is within a second set range; and, if all judgment results are yes, confirm that the traffic attack information meets the pulse wave attack condition;
or,
the judging module is specifically configured to judge whether the single attack traffic peak exceeds a set minimum single attack traffic peak; judge whether the single attack duration is within a single attack duration range; judge whether the attack time interval is within an attack time interval range; and, if all judgment results are yes, confirm that the traffic attack information meets the pulse wave attack condition.
Optionally, the traffic attack detection apparatus provided in the present application further includes:
a determining module, configured to determine that the protected network is under pulse wave attack if the traffic to be detected is confirmed to be pulse wave attack traffic N consecutive times.
Optionally, the traffic attack detection apparatus provided by the present application further includes:
a sending module, configured to send a start-diversion (drainage start) message to the scrubbing device when a pulse wave attack is confirmed, and to send a stop-diversion (drainage stop) message to the scrubbing device when it is detected that the pulse wave attack no longer exists.
According to a third aspect of the present application, there is provided a detection apparatus comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first aspect of the embodiments of the present application.
According to a fourth aspect of the present application, there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided by the first aspect of the embodiments of the present application.
The beneficial effects of the embodiments of the application are as follows:
After the detection device obtains the traffic to be detected, it calculates the traffic attack information of that traffic and judges whether the information meets the pulse wave attack condition; if so, the traffic to be detected is confirmed to be pulse wave attack traffic. By analyzing the pulse wave characteristics of the traffic to be detected, pulse wave attack traffic can be accurately identified, so that the pulse wave attack can be handled and defended against in time.
Drawings
Fig. 1 is a schematic structural diagram of a detection device provided in an embodiment of the present application;
Fig. 2 is a flowchart of a traffic attack detection method provided in an embodiment of the present application;
Fig. 3 is a schematic diagram of pulse wave traffic provided by an embodiment of the present application;
Fig. 4 is a block diagram of a traffic attack detection apparatus according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the corresponding listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at the time of", "when", or "in response to determining", depending on the context.
Before introducing the traffic attack detection method provided by the application, the pulse wave attack is first introduced:
A pulse wave attack is not a group of attacks with fixed packet characteristics but an attack behavior. The peak of each attack wave, shaped like a pulse, can be far larger than ordinary non-pulse attack traffic. In the bypass (out-of-path) deployment mode, the most common deployment of anti-DDoS equipment in production networks, this attack form triggers the issuing of diversion rules and defense policies at the start of every pulse, and because the attack traffic reaches its peak almost instantly, each pulse can be fatal to the protected host before diversion takes effect. In view of this, the present application provides a traffic attack detection method to accurately detect pulse wave attacks and thereby defend against them better.
Fig. 1 is a block diagram of a detection apparatus 100 according to the present embodiment. The detection device 100 includes a memory 110, a processor 120, and a communication module 130. The memory 110, the processor 120, and the communication module 130 are electrically connected to each other directly or indirectly to enable data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
The memory 110 is used to store programs or data. The memory 110 may be, but is not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor 120 is used to read/write data or programs stored in the memory 110 and perform corresponding functions. For example, when the computer program stored in the memory 110 is executed by the processor 120, the traffic attack detection method disclosed in the embodiments of the present application can be implemented.
The communication module 130 is used for establishing a communication connection between the detection apparatus 100 and another communication terminal through a network, and for transceiving data through the network. For example, the detection device 100 may obtain the traffic to be detected from other communication terminals (such as a network core device) through the communication module 130.
It should be understood that the configuration shown in FIG. 1 is merely a schematic diagram of the configuration of the detection apparatus 100, and that the detection apparatus 100 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof. Optionally, the detection device 100 in this embodiment of the present application may be a network security device such as a DDoS detection device and a firewall, or may also be other devices, which is determined according to actual situations.
The traffic attack detection method provided by the present application is explained in detail below.
Referring to Fig. 2, which is a flowchart of the traffic attack detection method provided in the present application, the method is applied to the detection device shown in Fig. 1 and may include the following steps:
S201, obtaining the traffic to be detected.
In this step, the detection device may obtain the traffic to be detected from the network core device: the network core device mirrors or samples part of the traffic flowing through it as the traffic to be detected and sends the copy to the detection device.
S202, calculating traffic attack information of the traffic to be detected.
In this step, a previously learned pulse wave model may be used to calculate the traffic attack information of the traffic to be detected.
Specifically, the pulse wave model is obtained by training on traffic to be detected acquired in the past. When the detection function of the detection device is enabled, the detection device trains a pulse wave attack model using the historically obtained traffic to be detected, so that the model learns the characteristics of pulse wave traffic and can calculate the traffic attack information of the current traffic more accurately. The present application does not limit the structure of the pulse wave model.
Optionally, the traffic attack information of previously acquired traffic to be detected may be averaged, and the traffic attack information of the current traffic to be detected may then be corrected on the basis of each averaged value, to obtain the final traffic attack information of the current traffic to be detected.
Optionally, as the traffic attack information of the traffic to be detected is calculated over time, each result is stored in a database, so that the traffic attack information can be aggregated and displayed to the user as waveform charts over periods such as day, week or month.
Optionally, the traffic attack information in the present application may include, but is not limited to, at least one of the following: the single attack traffic peak, the single attack duration T1, and the attack time interval T2 from the previous attack; see the single attack traffic peak, T1 and T2 shown in Fig. 3.
S203, judging whether the traffic attack information meets the pulse wave attack condition; if the pulse wave attack condition is met, executing step S204; otherwise, returning to step S201.
Specifically, the description below takes as an example that the calculated traffic attack information includes a single attack traffic peak, a single attack duration, and an attack time interval from the previous attack.
In one possible embodiment, step S203 may be implemented as follows: calculate the duration difference between the single attack duration of this time and that of the previous time; calculate the interval difference between the attack time interval of this time and that of the previous time; judge whether the single attack traffic peak exceeds the set maximum attack traffic peak; judge whether the duration difference is within a first set range; judge whether the interval difference is within a second set range; and, if all judgment results are yes, confirm that the traffic attack information meets the pulse wave attack condition.
Specifically, the single attack duration of this time is denoted T1, the previous single attack duration T1', the attack time interval of this time T2, and the previous attack time interval T2'. Note that the attack time interval of this time is the interval between this attack and the previous one, and the previous attack time interval is the interval between the previous attack and the one before it. The first set range is formed from the previous single attack duration T1' and a tolerance S, namely (-S × T1', +S × T1'); the second set range is formed from the previous attack time interval T2' and the tolerance S, namely (-S × T2', +S × T2').
In practical applications, the first set range and the second set range may be dynamically adjusted, and they may be the same or different. In addition, the set maximum attack traffic peak may be the maximum attack traffic peak that the user's network can bear; it may default to 5 Gbps and is configurable.
On this basis, the duration difference ΔT1 = T1 - T1' and the interval difference ΔT2 = T2 - T2' are calculated. It is then judged whether the single attack traffic peak calculated this time exceeds the set maximum attack traffic peak, whether ΔT1 lies within (-S × T1', +S × T1'), and whether ΔT2 lies within (-S × T2', +S × T2'). If all three judgments are yes, the traffic attack information of the traffic to be detected is confirmed to meet the pulse wave attack condition, that is, the traffic to be detected is confirmed to be pulse wave attack traffic. If any judgment is no, the traffic attack information is confirmed not to meet the pulse wave attack condition, that is, the traffic to be detected is confirmed not to be pulse wave attack traffic.
Optionally, the tolerance S may be, but is not limited to, 0.5, and may be dynamically adjusted according to actual conditions.
By implementing this embodiment, pulse wave attack traffic can be identified effectively and accurately, and the method is relatively suitable for scenarios with large traffic fluctuation.
In another possible embodiment, step S203 may be implemented as follows: judge whether the single attack traffic peak exceeds the set minimum single attack traffic peak; judge whether the single attack duration is within the single attack duration range; judge whether the attack time interval is within the attack time interval range; and, if all judgment results are yes, confirm that the traffic attack information meets the pulse wave attack condition.
Specifically, the set minimum single attack traffic peak defaults to 50 Gbps; it is configurable, and an administrator may adjust it dynamically according to how well the detection device identifies pulse wave attack traffic. The single attack duration range may be, but is not limited to, 10 s to 300 s, and is configurable; the attack time interval range may be, but is not limited to, 10 s to 300 s, and is configurable. In actual use, the detection device performs traffic detection with the default values.
On this basis, it is judged whether the single attack traffic peak of the traffic to be detected exceeds 50 Gbps, whether the single attack duration is between 10 s and 300 s, and whether the attack time interval is between 10 s and 300 s. If all three judgments are yes, the traffic attack information of the traffic to be detected is confirmed to meet the pulse wave attack condition, that is, the traffic to be detected is confirmed to be pulse wave attack traffic; if any of the three judgments is no, the traffic attack information is confirmed not to meet the pulse wave attack condition, that is, the traffic to be detected is confirmed not to be pulse wave attack traffic.
By implementing this embodiment, pulse wave attack traffic can be identified effectively and accurately, and the method is relatively suitable for scenarios with relatively stable traffic.
S204, confirming that the traffic to be detected is pulse wave attack traffic.
When it is determined through either of the above embodiments that the traffic attack information of the traffic to be detected meets the pulse wave attack condition, the traffic to be detected obtained this time can be determined to be pulse wave attack traffic.
Optionally, the traffic attack detection method provided by the present application may further include the following step:
if the traffic to be detected is confirmed to be pulse wave attack traffic N consecutive times, confirming that the network is under pulse wave attack.
Specifically, the detection device may set a detection period and run the flow shown in Fig. 2 within that period; when the traffic to be detected is determined to be pulse wave attack traffic N consecutive times, it can be determined that the network protected by the detection device is under pulse wave attack.
Optionally, the detection period may be, but is not limited to, 2 hours, and may be adjusted dynamically according to actual conditions; likewise, N may be, but is not limited to, 5, and may be adjusted dynamically according to actual conditions.
On this basis, the traffic attack detection method provided in this embodiment further includes:
when a pulse wave attack is confirmed, sending a start-diversion (drainage start) message to the scrubbing device;
and, when it is detected that the pulse wave attack no longer exists, sending a stop-diversion (drainage stop) message to the scrubbing device.
Specifically, when it is determined according to any embodiment of the present application that the network protected by the detection device is under pulse wave attack, the defense function may be started to protect that network: a start-diversion message is sent to the scrubbing device through the management center, so that the scrubbing device filters out, that is, discards, the pulse wave attack traffic in time, thereby protecting the network.
In addition, the detection device continues to detect subsequently acquired traffic to be detected. When pulse wave attack traffic is no longer detected, or when there is no longer a subsequent detection period in which the traffic to be detected is determined to be pulse wave attack traffic at least N times, it can be determined that the protected network is no longer under pulse wave attack, and the detection device sends a stop-diversion message to the scrubbing device through the management center. This is equivalent to extending the time at which the scrubbing device ends its defense, thereby protecting the network.
In addition, by extending the diversion duration, diversion can be kept in place until the next pulse arrives, so that diversion does not have to be repeated for each pulse. In a specific implementation, the detection device sends the management center a message that the protected network is under pulse wave attack, so that the management center changes the diversion duration in the diversion rule and extends the time for which traffic is steered to the scrubbing device; the scrubbing device can then scrub the traffic in bulk, which protects the network to a certain extent.
Optionally, the extended diversion duration may be, but is not limited to, 360 s; it is configurable, but its maximum must be longer than the attack time interval.
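The following is an added example, not the patent's implementation or H3C code, that puts steps S202 through S204 together: it extracts the per-pulse attack information (peak, T1, T2) from a traffic-rate series, applies both S203 embodiments (the relative comparison with tolerance S, and the fixed 50 Gbps / 10 to 300 s thresholds), requires N consecutive confirmations before signalling drainage start, and sizes the diversion duration so it outlasts the attack interval. Assumptions not in the source: traffic arrives as a per-second rate series in Gbps mirrored from the core device; a pulse is a maximal run of samples above a baseline; T2 is measured from the end of the previous pulse to the start of the current one; the message names `drainage_start` / `drainage_stop` and the sample series are constructed here.

```python
# Added illustrative example; not the patent's implementation. Assumptions: traffic
# arrives as a per-second rate series (Gbps) mirrored from the core device, a pulse is
# a maximal run of samples above a baseline, and T2 is measured from the end of the
# previous pulse to the start of the current one.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PulseInfo:
    peak_gbps: float              # single attack traffic peak
    duration_s: float             # T1: single attack duration
    interval_s: Optional[float]   # T2: gap since the previous pulse ended (None for the first pulse)


def extract_pulses(samples: List[float], baseline_gbps: float, step_s: float = 1.0) -> List[PulseInfo]:
    """S202: turn a rate series into per-pulse attack information (peak, T1, T2)."""
    pulses: List[PulseInfo] = []
    in_pulse, start, peak, last_end = False, 0, 0.0, None
    for i, rate in enumerate(samples + [0.0]):  # sentinel closes a trailing pulse
        if rate > baseline_gbps:
            if not in_pulse:
                in_pulse, start, peak = True, i, rate
            peak = max(peak, rate)
        elif in_pulse:
            interval = None if last_end is None else (start - last_end) * step_s
            pulses.append(PulseInfo(peak, (i - start) * step_s, interval))
            in_pulse, last_end = False, i
    return pulses


def relative_condition(cur: PulseInfo, prev: PulseInfo, max_peak_gbps: float = 5.0, tolerance: float = 0.5) -> bool:
    """First S203 embodiment: compare this pulse with the previous one. dT1 must lie in
    (-S*T1', +S*T1') and dT2 in (-S*T2', +S*T2'); it needs two earlier pulses before it can fire."""
    if cur.interval_s is None or prev.interval_s is None:
        return False
    d_t1 = cur.duration_s - prev.duration_s
    d_t2 = cur.interval_s - prev.interval_s
    return (cur.peak_gbps > max_peak_gbps
            and abs(d_t1) <= tolerance * prev.duration_s
            and abs(d_t2) <= tolerance * prev.interval_s)


def absolute_condition(cur: PulseInfo, min_peak_gbps: float = 50.0,
                       duration_range=(10.0, 300.0), interval_range=(10.0, 300.0)) -> bool:
    """Second S203 embodiment: fixed thresholds (page defaults: 50 Gbps, 10-300 s, 10-300 s)."""
    if cur.interval_s is None:
        return False
    return (cur.peak_gbps > min_peak_gbps
            and duration_range[0] <= cur.duration_s <= duration_range[1]
            and interval_range[0] <= cur.interval_s <= interval_range[1])


def diversion_duration_s(cur: PulseInfo, configured_s: float = 360.0) -> float:
    """Diversion must outlast the gap to the next pulse (page: longer than the attack interval).
    Covering the next pulse in full, i.e. interval + duration, is an assumption made here."""
    return max(configured_s, (cur.interval_s or 0.0) + cur.duration_s)


class PulseWaveDetector:
    """S204 extension: N consecutive pulse-wave hits start diversion; the first miss stops it."""

    def __init__(self, n_consecutive: int = 5, mode: str = "relative", **thresholds):
        self.n, self.mode, self.thresholds = n_consecutive, mode, thresholds
        self.prev: Optional[PulseInfo] = None
        self.hits = 0
        self.diverting = False

    def observe(self, pulse: PulseInfo) -> Optional[str]:
        """Feed one pulse; return the message to send via the management center, if any."""
        if self.mode == "relative":
            hit = self.prev is not None and relative_condition(pulse, self.prev, **self.thresholds)
        else:
            hit = absolute_condition(pulse, **self.thresholds)
        self.prev = pulse
        self.hits = self.hits + 1 if hit else 0
        if hit and self.hits >= self.n and not self.diverting:
            self.diverting = True
            return "drainage_start"
        if not hit and self.diverting:
            self.diverting = False
            return "drainage_stop"
        return None


def build_sample_series(n_pulses: int = 8, peak: float = 60.0, pulse_len: int = 30,
                        gap: int = 120, baseline: float = 1.0) -> List[float]:
    """Constructed sample: 1 Gbps background with 60 Gbps pulses of 30 s every 120 s."""
    series = [baseline] * gap
    for _ in range(n_pulses):
        series += [peak] * pulse_len + [baseline] * gap
    return series


if __name__ == "__main__":
    pulses = extract_pulses(build_sample_series(), baseline_gbps=5.0)
    det = PulseWaveDetector(n_consecutive=5, mode="relative")
    for k, p in enumerate(pulses, 1):
        msg = det.observe(p)
        print(f"pulse {k}: peak={p.peak_gbps} T1={p.duration_s} T2={p.interval_s} -> {msg}")
```

Two practical points the example makes visible: the relative embodiment cannot fire until the third pulse, because it needs a previous pulse that itself has an interval, so with N = 5 the first `drainage_start` is only emitted on the seventh pulse, whereas the absolute embodiment emits it on the sixth; and a pulse that merely stops arriving never reaches `observe`, so a deployment also needs the detection-period check the text describes to send `drainage_stop` when the attack simply ends.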
By implementing the traffic attack detection method provided by the application, after the detection device obtains the traffic to be detected, it calculates the traffic attack information of that traffic and judges whether the information meets the pulse wave attack condition; if so, the traffic to be detected is confirmed to be pulse wave attack traffic. By analyzing the pulse wave characteristics of the traffic to be detected, pulse wave attack traffic can be accurately identified and the pulse wave attack can be responded to and defended against in time, so that the loss caused by the attack is reduced or avoided.
Based on the same inventive concept, the application also provides a traffic attack detection apparatus corresponding to the traffic attack detection method. For the implementation of the apparatus, refer to the description of the method above; it is not repeated here.
Referring to Fig. 4, which shows a traffic attack detection apparatus provided in an exemplary embodiment of the present application and applied to the above detection device, the apparatus includes:
an obtaining module 401, configured to obtain the current flow to be detected;
a calculating module 402, configured to calculate traffic attack information of the traffic to be detected;
a judging module 403, configured to judge whether the traffic attack information meets a pulse wave attack condition;
a confirming module 404, configured to confirm that the traffic to be detected is pulse wave attack traffic if the judging module determines that the pulse wave attack condition is met.
Optionally, the traffic attack information at least includes one of: a single attack traffic peak, a single attack duration, and an attack time interval from the last time.
Optionally, the judging module 403 is specifically configured to: calculate the duration difference between the duration of the current single attack and the duration of the previous single attack; calculate the time interval difference between the current attack time interval and the previous attack time interval; judge whether the single attack traffic peak exceeds a set maximum attack traffic peak; judge whether the duration difference is within a first set range; judge whether the time interval difference is within a second set range; and, if all judgment results are yes, confirm that the traffic attack information meets the pulse wave attack condition;
alternatively,
the judging module 403 is specifically configured to: judge whether the single attack traffic peak exceeds a set minimum single attack traffic peak; judge whether the single attack duration is within the single attack duration range; judge whether the attack time interval is within the attack time interval range; and, if all judgment results are yes, confirm that the traffic attack information meets the pulse wave attack condition.
Optionally, the traffic attack detection apparatus provided in the present application further includes:
a determining module 405, configured to determine that a pulse wave attack is occurring if the traffic to be detected is confirmed to be pulse wave attack traffic N consecutive times.
Optionally, the traffic attack detection apparatus provided in the present application further includes:
a sending module 406, configured to send a drainage start message to the cleaning device when a pulse wave attack is determined to be occurring, and to send a drainage stop message to the cleaning device when no pulse wave attack is detected.
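As an added example (not code from the patent or its assignee), the following Python implements the two alternative pulse wave attack conditions of the judging module, the N-consecutive-confirmation rule of the determining module, the drainage start/stop messages of the sending module, and the rule that the drainage duration must exceed the attack interval. The field names, thresholds, tolerances, N = 3 and the 30 s margin in diversion_duration_s are assumptions, and the "set ranges" for the duration and interval differences are modelled as symmetric tolerances.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AttackInfo:
    """Traffic attack information for one burst (field names are assumptions)."""
    peak_mbps: float    # single attack traffic peak
    duration_s: float   # single attack duration
    interval_s: float   # attack time interval since the previous burst

class PulseWaveDetector:
    """Applies one of the two pulse wave attack conditions, then requires n_consecutive
    matching bursts (the N of the description) before declaring an attack."""

    def __init__(self, rule: str, n_consecutive: int = 3, max_peak: float = 800.0,
                 dur_tol_s: float = 5.0, int_tol_s: float = 10.0, min_peak: float = 500.0,
                 dur_range=(10.0, 60.0), int_range=(60.0, 600.0)) -> None:
        self.rule, self.n = rule, n_consecutive            # rule: "relative" or "absolute"
        self.max_peak, self.dur_tol_s, self.int_tol_s = max_peak, dur_tol_s, int_tol_s
        self.min_peak, self.dur_range, self.int_range = min_peak, dur_range, int_range
        self.prev: Optional[AttackInfo] = None             # last burst, for the relative rule
        self.hits, self.under_attack = 0, False            # consecutive confirmations, state

    def matches_relative(self, cur: AttackInfo) -> bool:
        """Peak above the set maximum; duration and interval within tolerance of the last burst."""
        if self.prev is None:
            return False                                   # nothing to compare against yet
        return (cur.peak_mbps > self.max_peak
                and abs(cur.duration_s - self.prev.duration_s) <= self.dur_tol_s
                and abs(cur.interval_s - self.prev.interval_s) <= self.int_tol_s)

    def matches_absolute(self, cur: AttackInfo) -> bool:
        """Peak above the set minimum; duration and interval inside fixed ranges."""
        return (cur.peak_mbps > self.min_peak
                and self.dur_range[0] <= cur.duration_s <= self.dur_range[1]
                and self.int_range[0] <= cur.interval_s <= self.int_range[1])

    def observe(self, cur: AttackInfo) -> str:
        """Feed one burst; return the message to send to the cleaning device."""
        is_pulse = (self.matches_relative(cur) if self.rule == "relative"
                    else self.matches_absolute(cur))
        self.prev = cur
        self.hits = self.hits + 1 if is_pulse else 0       # a miss resets the N counter
        if self.hits >= self.n and not self.under_attack:
            self.under_attack = True
            return "drainage_start"
        if self.hits == 0 and self.under_attack:
            self.under_attack = False
            return "drainage_stop"
        return "none"

def diversion_duration_s(configured_s: float, attack_interval_s: float, margin_s=30.0) -> float:
    """Drainage must outlast the attack interval so the next pulse is still diverted;
    margin_s is an assumed safety margin, not a value from the patent."""
    return max(configured_s, attack_interval_s + margin_s)
```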
In addition, the present application provides a machine-readable storage medium, which stores a computer program, and when the computer program is called and executed by a processor, the computer program causes the processor to execute the traffic attack detection method provided by the present application.
For the embodiments of the detection device and the machine-readable storage medium, the related content is substantially similar to that of the foregoing method embodiments, so the description is relatively brief; for relevant points, reference may be made to the description of the method embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The implementation process of the functions and actions of each unit/module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the units/modules described as separate parts may or may not be physically separate, and the parts displayed as units/modules may or may not be physical units/modules, may be located in one place, or may be distributed on a plurality of network units/modules. Some or all of the units/modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A traffic attack detection method, applied to a detection device, the method comprising:
acquiring the current traffic to be detected;
calculating traffic attack information of the traffic to be detected;
judging whether the traffic attack information meets a pulse wave attack condition;
calculating the duration difference between the duration of the current single attack and the duration of the previous single attack;
calculating the time interval difference between the current attack time interval and the previous attack time interval;
judging whether the single attack traffic peak exceeds a set maximum attack traffic peak;
judging whether the duration difference is within a first set range;
judging whether the time interval difference is within a second set range;
if all judgment results are yes, confirming that the traffic attack information meets the pulse wave attack condition;
and if the pulse wave attack condition is met, confirming that the traffic to be detected is pulse wave attack traffic.
2. The method of claim 1, wherein the traffic attack information comprises at least one of: a single attack traffic peak, a single attack duration, and an attack time interval from the previous attack.
3. The method of claim 2, wherein judging whether the traffic attack information meets a pulse wave attack condition comprises:
judging whether the single attack traffic peak exceeds a set minimum single attack traffic peak;
judging whether the single attack duration is within the single attack duration range;
judging whether the attack time interval is within the attack time interval range;
and if all judgment results are yes, confirming that the traffic attack information meets the pulse wave attack condition.
4. The method of claim 1, further comprising:
if the traffic to be detected is confirmed to be pulse wave attack traffic N times, determining that a pulse wave attack is occurring.
5. The method of claim 4, further comprising:
when a pulse wave attack is determined to be occurring, sending a drainage start message to the cleaning device;
and when no pulse wave attack is detected, sending a drainage stop message to the cleaning device.
6. A traffic attack detection apparatus, applied to a detection device, the apparatus comprising:
an acquisition module, configured to acquire the current traffic to be detected;
a calculation module, configured to calculate traffic attack information of the traffic to be detected;
a judging module, configured to judge whether the traffic attack information meets a pulse wave attack condition; the judging module being specifically configured to: calculate the duration difference between the duration of the current single attack and the duration of the previous single attack; calculate the time interval difference between the current attack time interval and the previous attack time interval; judge whether the single attack traffic peak exceeds a set maximum attack traffic peak; judge whether the duration difference is within a first set range; judge whether the time interval difference is within a second set range; and, if all judgment results are yes, confirm that the traffic attack information meets the pulse wave attack condition;
and a confirming module, configured to confirm that the traffic to be detected is pulse wave attack traffic if the judging module determines that the pulse wave attack condition is met.
7. The apparatus of claim 6, wherein the traffic attack information comprises at least one of: a single attack traffic peak, a single attack duration, and an attack time interval from the previous attack.
8. The apparatus of claim 7, wherein
the judging module is specifically configured to: judge whether the single attack traffic peak exceeds a set minimum single attack traffic peak; judge whether the single attack duration is within the single attack duration range; judge whether the attack time interval is within the attack time interval range; and, if all judgment results are yes, confirm that the traffic attack information meets the pulse wave attack condition.
9. The apparatus of claim 6, further comprising:
a determining module, configured to determine that a pulse wave attack is occurring if the traffic to be detected is confirmed to be pulse wave attack traffic N consecutive times.
10. The apparatus of claim 9, further comprising:
a sending module, configured to send a drainage start message to the cleaning device when a pulse wave attack is determined to be occurring;
and to send a drainage stop message to the cleaning device when no pulse wave attack is detected.
Application CN202010892958.1A, priority date 2020-08-31, filing date 2020-08-31: Traffic attack detection method and device (Active)

Publications (2)

Publication Number Publication Date
CN112073402A 2020-12-11
CN112073402B 2022-05-27

Family ID 73664815
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant