CN112953956A - Reflection amplifier identification method based on active and passive combination - Google Patents

Reflection amplifier identification method based on active and passive combination Download PDF

Info

Publication number
CN112953956A
CN112953956A (application CN202110247040.6A; granted as CN112953956B)
Authority
CN
China
Prior art keywords
reflection amplifier
reflection
attack
attack detection
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110247040.6A
Other languages
Chinese (zh)
Other versions
CN112953956B (en)
Inventor
戚岱杰
窦凤虎
张智涵
宋延超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jizhi Hainan Information Technology Co ltd
Original Assignee
Zhongdian Jizhi Hainan Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongdian Jizhi Hainan Information Technology Co Ltd
Priority to CN202110247040.6A
Publication of CN112953956A
Application granted
Publication of CN112953956B
Legal status: Active
Anticipated expiration: legal-status critical

Links

Images

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a reflection amplifier identification method based on active and passive combination, comprising the following operation steps: S1, constructing an identification system by setting up a model training module, an unknown attack detection module, a model updating module and a reflection amplifier data collection module. The invention relates to the technical field of network information security. The method mainly comprises three steps: reflection amplifier identification in passive traffic, discovery of unknown reflection amplifiers, and active-mode verification of reflection amplifiers; by arranging an attack detection module, reflection amplifiers can be identified from passive traffic.

Description

Reflection amplifier identification method based on active and passive combination
Technical Field
The invention relates to the technical field of network information security, in particular to a reflection amplifier identification method based on active and passive combination.
Background
In a reflection attack, an attacker directs controlled hosts to send a large number of packets to a reflector with the source IP address forged to be that of the attack target. The reflector treats these packets as requests from the target and sends its responses to the target. When a large number of response packets flood the target, its network bandwidth is exhausted and a denial of service results.
At present, reflection amplification attack is one of the most destructive forms of attack and the largest threat on the internet, where it occupies a dominant position. The reflection amplifier is an indispensable part of a reflection amplification attack: once the traffic is amplified, the bandwidth it occupies rises sharply, and whatever protection method is adopted, its cost rises sharply as well. Reflection amplification attacks can therefore be effectively mitigated by dealing with the reflection points, and the prerequisite for doing so is identifying reflection amplifiers accurately and quickly. In the prior art, reflection amplifier identification generally uses traditional network scanning, which relies on the characteristics of each reflection amplifier, so a different identification method is needed for each kind of reflection amplifier. This is an active method: it is time-consuming, consumes a large amount of bandwidth and has a high error rate, and because active scanning requires the characteristics of known reflection amplifiers, it cannot identify unknown types of reflection amplifier.
Disclosure of Invention
(I) Technical problem to be solved
Aiming at the defects of the prior art, the invention provides a reflection amplifier identification method based on active and passive combination, and solves the problems that the traditional network scanning method for reflection amplifier identification is time-consuming, consumes a large amount of bandwidth, has a high error rate and has difficulty identifying unknown amplifiers.
(II) Technical scheme
In order to achieve the purpose, the invention is realized by the following technical scheme: a reflection amplifier identification method based on active and passive combination comprises the following operation steps:
S1, constructing an identification system: set up a model training module, an unknown attack detection module, a model updating module, a reflection amplifier data collection module and a reflection amplifier IP library to form the identification system;
S2, constructing an attack detection module: collect known reflection amplifier data, pass it to the model training module, and train an attack detection model using a feature selection algorithm;
S3, detecting the type of reflection amplification attack: input the traffic into the attack detection module constructed in S2 and detect whether a reflection amplification attack of a known type exists; if an attack is detected, proceed to S6, otherwise proceed to S4;
S4, unknown attack detection: input the traffic data into the unknown attack detection module and detect whether an unknown attack exists in the traffic using the size and count ratios of request and response packets; if an unknown attack exists, proceed to S5, otherwise end the system operation;
S5, updating the attack detection model: input the traffic data features into the model updating module and update the attack detection model with the traffic data of the detected unknown attack, so that the model trained on the updated data set can identify the previously unidentifiable reflection amplifier;
S6, verifying the reflection amplifier: input the traffic data into the reflection amplifier data collection module, verify the detected reflection amplifier in active mode, confirm attributes such as the amplification factor, and record the reflection amplifier data in the reflection amplifier IP library.
Further, the model training module in S1 mainly generates an attack detection model for the known reflection amplifier, and the attack detection module determines whether there is a reflection amplification attack in the passive traffic by using the generated attack detection model.
Further, the unknown attack detection module in S1 handles traffic in which the attack detection model found no attack of a known type, and detects whether an unknown attack exists using the size and count ratios of request and response packets; the model updating module is mainly used to update the attack detection model so that it can identify the reflection amplifier that could not previously be identified.
Further, in S1, the reflection amplifier data collection module mainly uses an active detection method to confirm the attributes such as amplification factor of the reflection amplifier, and collects the data of the reflection amplifier.
Furthermore, the reflection amplifier IP library is used for storing and backing up the reflection amplifier data collected by the reflection amplifier data collection module and calling the data at a later period after the data is stored and backed up.
Further, when the model training module in S2 constructs the attack detection module, it builds reflection amplifiers of common protocols itself and generates traffic data from them as the reflection amplification attack traffic for each protocol, collects a large amount of reflection amplification attack traffic data and normal traffic data from the internet, then selects features using a feature selection algorithm (for example a statistical ranking network traffic feature selection method), extracts the selected features from the traffic data set, labels the data, and trains the attack detection model using a machine learning algorithm.
Further, when detecting, the attack detection module in S3 mainly determines whether there is a reflection amplification attack in the passive traffic by using the generated attack detection model, and when a group of traffic data enters the system, extracts the features of the group of traffic according to the feature matching required by the attack detection model, inputs the group of traffic features into the trained attack detection model, and determines whether there is a reflection amplification attack of a known type in the traffic by using the attack detection model.
Further, when detecting, the unknown attack detection module in S4 uses the size and count ratios of request and response packets, with the following comparison process: first compute a1 = (response packet size) / (request packet size) and a2 = (number of response packets) / (number of request packets); if a1 exceeds a threshold α1 or a2 exceeds a threshold α2, an unknown reflection amplifier is judged to exist, and the method proceeds to the model updating module and the reflection amplifier data collection module.
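The S4 ratio check, as an added example that is not part of the patent: it computes a1 and a2 per remote (IP, port) pair from a constructed packet capture taken at the protected host and flags pairs that exceed the thresholds α1 and α2. The threshold values, addresses and packet sizes are assumptions. It also handles a case the formula leaves implicit: a pair with responses but no observed request, which is what spoofed-source reflection looks like from the victim's side, is reported as infinite amplification rather than dropped by a division-by-zero guard.

```python
# Added example (not the patent's own code): the S4 unknown-attack check.
# For every remote (ip, port) pair in a capture it computes
#   a1 = total response bytes / total request bytes
#   a2 = number of response packets / number of request packets
# and flags the pair when a1 > ALPHA1 or a2 > ALPHA2.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    size: int  # bytes on the wire


# Thresholds alpha1 / alpha2 from the patent; the numeric values are assumptions.
ALPHA1 = 10.0
ALPHA2 = 5.0

VICTIM = "10.0.0.5"  # constructed: the protected host whose traffic is observed

Key = Tuple[str, int]


def _pkt(src: str, sport: int, dst: str, dport: int, size: int) -> Packet:
    return Packet(src, sport, dst, dport, size)


# Constructed capture: a benign DNS exchange, a service on UDP/11211 that answers
# small requests with many large responses, and a port-123 source that sends
# responses the victim never requested (spoofed-source reflection).
SAMPLE: List[Packet] = (
    [_pkt(VICTIM, 40001, "203.0.113.10", 53, 80)] * 3
    + [_pkt("203.0.113.10", 53, VICTIM, 40001, 120)] * 3
    + [_pkt(VICTIM, 40002, "198.51.100.7", 11211, 60)] * 2
    + [_pkt("198.51.100.7", 11211, VICTIM, 40002, 1400)] * 8
    + [_pkt("192.0.2.9", 123, VICTIM, 40003, 512)] * 5
)


def pair_ratios(packets: List[Packet], victim: str) -> Dict[Key, Tuple[float, float]]:
    """Return {(remote_ip, remote_port): (a1, a2)} for traffic to/from victim.

    A pair with responses but no observed request gets a1 = a2 = inf: that is
    exactly what spoofed-source reflection looks like at the victim, so it must
    be surfaced, not silently skipped.
    """
    req_bytes, req_cnt = defaultdict(int), defaultdict(int)
    rsp_bytes, rsp_cnt = defaultdict(int), defaultdict(int)
    for p in packets:
        if p.src == victim:          # request leaving the victim
            key = (p.dst, p.dport)
            req_bytes[key] += p.size
            req_cnt[key] += 1
        elif p.dst == victim:        # response arriving at the victim
            key = (p.src, p.sport)
            rsp_bytes[key] += p.size
            rsp_cnt[key] += 1
    ratios: Dict[Key, Tuple[float, float]] = {}
    for key in set(req_cnt) | set(rsp_cnt):
        if req_cnt[key] == 0 or req_bytes[key] == 0:
            ratios[key] = (float("inf"), float("inf"))
        else:
            ratios[key] = (rsp_bytes[key] / req_bytes[key], rsp_cnt[key] / req_cnt[key])
    return ratios


def detect_unknown_reflectors(packets: List[Packet], victim: str,
                              alpha1: float = ALPHA1, alpha2: float = ALPHA2) -> List[Key]:
    """Pairs exceeding either threshold, sorted so the output is stable."""
    return sorted(key for key, (a1, a2) in pair_ratios(packets, victim).items()
                  if a1 > alpha1 or a2 > alpha2)


if __name__ == "__main__":
    for key, (a1, a2) in sorted(pair_ratios(SAMPLE, VICTIM).items()):
        print(f"{key[0]}:{key[1]}  a1={a1:.2f}  a2={a2:.2f}")
    print("flagged:", detect_unknown_reflectors(SAMPLE, VICTIM))
```

In a deployment the packet list would come from a flow exporter or capture rather than a literal, and the thresholds would be tuned per protocol, since legitimate services such as DNS also return responses somewhat larger than the request; the DNS pair in the sample (a1 = 1.5, a2 = 1.0) stays well below both thresholds, while the 11211 pair is flagged on a1 and the unsolicited port-123 traffic on the infinite ratio.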
Further, in the model update module in S5, during update, a large amount of traffic data of the reflection amplifier that cannot be identified by the attack detection model is collected by using active probing or the like, the collected traffic data set is added to the original traffic data set to form a new data set, and then the attack detection model is retrained by using the new data set to generate an attack detection model that can identify the new type of reflection amplifier.
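A minimal version of the S2, S3 and S5 pipeline, added here as an illustration and not taken from the patent. Feature extraction is assumed to have already produced four per-flow features; the "statistical ranking" feature selection is stood in for by a Fisher score, the attack detection model by a nearest-centroid classifier over z-scored features, and the S5 update by merging the traffic of a newly found reflector type (assumed to have been flagged by the S4 ratio check) into the original training set and retraining. All traffic rows are constructed.

```python
# Added example (not the patent's own code): S2 train, S3 detect, S5 update.
# Selector: Fisher score (assumed stand-in for "statistical ranking").
# Model: nearest centroid on z-scored features. All rows are constructed.
from statistics import mean, pvariance
from typing import Dict, List, Tuple

# Per-flow features, one row per (client, reflector-service) exchange.
FEATURES = ["bytes_ratio", "count_ratio", "mean_resp_size", "mean_req_size"]
Row = Tuple[List[float], int]   # (feature vector, label); 1 = known attack

# Constructed training set: DNS/NTP-style amplification (label 1) vs normal
# request/response traffic (label 0).
TRAIN: List[Row] = [
    ([40.0, 1.0, 2400.0, 60.0], 1),
    ([50.0, 1.0, 3300.0, 60.0], 1),
    ([30.0, 1.2, 1800.0, 60.0], 1),
    ([1.5, 1.0, 120.0, 80.0], 0),
    ([2.0, 1.0, 400.0, 100.0], 0),
    ([0.8, 0.9, 90.0, 110.0], 0),
]

# Constructed flows of a reflector type the model has never seen: byte
# amplification looks normal, but each request draws many responses.
# Assumed to have been flagged by the S4 size/count ratio rule.
UNKNOWN_TYPE: List[List[float]] = [
    [1.5, 8.0, 150.0, 100.0],
    [1.8, 9.0, 170.0, 95.0],
    [1.2, 10.0, 130.0, 105.0],
]


def fisher_scores(rows: List[Row]) -> List[float]:
    """(mean_1 - mean_0)^2 / (var_1 + var_0) per feature; higher separates better."""
    pos = [x for x, y in rows if y == 1]
    neg = [x for x, y in rows if y == 0]
    scores = []
    for j in range(len(FEATURES)):
        p, n = [x[j] for x in pos], [x[j] for x in neg]
        num = (mean(p) - mean(n)) ** 2
        den = pvariance(p) + pvariance(n)
        scores.append(num / den if den else float("inf"))
    return scores


def select_features(rows: List[Row], k: int) -> List[int]:
    """Indices of the k best-ranked features, best first."""
    s = fisher_scores(rows)
    return sorted(range(len(FEATURES)), key=lambda j: -s[j])[:k]


def _zscore(model: Dict, x: List[float]) -> List[float]:
    return [(x[j] - m) / s for j, m, s in zip(model["idx"], model["mu"], model["sd"])]


def train(rows: List[Row], k: int = 2) -> Dict:
    """S2: select features, standardise them, store one centroid per label."""
    idx = select_features(rows, k)
    cols = [[x[j] for x, _ in rows] for j in idx]
    mu = [mean(c) for c in cols]
    sd = [pvariance(c) ** 0.5 or 1.0 for c in cols]   # guard constant columns
    model: Dict = {"idx": idx, "mu": mu, "sd": sd, "centroids": {}}
    for label in (0, 1):
        zs = [_zscore(model, x) for x, y in rows if y == label]
        model["centroids"][label] = [mean(col) for col in zip(*zs)]
    return model


def predict(model: Dict, x: List[float]) -> int:
    """S3: label of the nearest class centroid (squared Euclidean distance)."""
    z = _zscore(model, x)
    dist = {label: sum((a - b) ** 2 for a, b in zip(z, c))
            for label, c in model["centroids"].items()}
    return min(dist, key=dist.get)


def update_model(old_rows: List[Row], new_attack_flows: List[List[float]],
                 k: int = 2) -> Tuple[Dict, List[Row]]:
    """S5: add the new reflector type's flows, labelled as attack, and retrain."""
    merged = old_rows + [(x, 1) for x in new_attack_flows]
    return train(merged, k), merged


if __name__ == "__main__":
    m1 = train(TRAIN)
    print("selected:", [FEATURES[j] for j in m1["idx"]])
    print("before update:", [predict(m1, x) for x in UNKNOWN_TYPE])
    m2, _ = update_model(TRAIN, UNKNOWN_TYPE)
    print("selected:", [FEATURES[j] for j in m2["idx"]])
    print("after update:", [predict(m2, x) for x in UNKNOWN_TYPE])
```

What it shows: the first model ranks the byte-ratio and response-size features highest and so classifies the new reflector type, whose amplification is in packet count rather than bytes, as normal traffic. After the S5 retrain on the merged set the count-ratio feature ranks first, the new type is classified as attack, and the original rows keep their labels. A real system would use a proper learner and a held-out evaluation before replacing the deployed model, but the data-set merge and retrain loop is the same.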
Further, when the reflection amplifier data collection module in S6 performs verification, it first uses the IP address, characteristics and other information of the reflection amplifier collected by the preceding modules to actively probe the detected reflection amplifier and determine its specific amplification factor and other attributes, and then, once the reflection amplifier information is confirmed to be correct, adds the detected reflection amplifier data to the reflection amplifier IP library.
(III) Advantageous effects
The invention has the following beneficial effects:
(1) The reflection amplifier identification method based on active and passive combination uses an identification system consisting of a model training module, an unknown attack detection module, a model updating module, a reflection amplifier data collection module and a reflection amplifier IP library. Identification is divided into three steps: reflection amplifier identification in passive traffic, discovery of unknown reflection amplifiers, and active-mode verification of reflection amplifiers. By arranging the attack detection module, reflection amplifiers can be identified from passive traffic, saving a large amount of bandwidth compared with an unscoped active reflection amplifier detection method. At the same time, the unknown attack detection module performs a secondary calculation of the size and count ratios of request and response packets on passive traffic in which no known type of reflection amplification attack was identified, and so discovers unknown types of reflection amplifier; the system therefore automatically identifies unknown reflection amplifier types, giving it stronger functionality and higher security protection;
(2) By arranging the reflection amplifier data collection module, the reflection amplifier identified in passive traffic can be actively verified, its specific amplification factor and attributes determined and its information accurately collected; at the same time the detection result is verified a second time, further improving detection accuracy.
Of course, it is not necessary for any product in which the invention is practiced to achieve all of the above-described advantages at the same time.
Drawings
FIG. 1 is a system diagram of a reflection amplifier identification method based on active and passive combination according to the present invention;
fig. 2 is a basic schematic diagram of a reflection attack in the prior art.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "opening," "upper," "lower," "thickness," "top," "middle," "length," "inner," "peripheral," and the like are used in an orientation or positional relationship that is merely for convenience in describing and simplifying the description, and do not indicate or imply that the referenced component or element must have a particular orientation, be constructed and operated in a particular orientation, and thus should not be considered as limiting the present invention.
Referring to fig. 1-2, an embodiment of the present invention provides a technical solution: a reflection amplifier identification method based on active and passive combination comprises the following operation steps:
S1, constructing an identification system: set up a model training module, an unknown attack detection module, a model updating module, a reflection amplifier data collection module and a reflection amplifier IP library to form the identification system;
S2, constructing an attack detection module: collect known reflection amplifier data, pass it to the model training module, and train an attack detection model using a feature selection algorithm;
S3, detecting the type of reflection amplification attack: input the traffic into the attack detection module constructed in S2 and detect whether a reflection amplification attack of a known type exists; if an attack is detected, proceed to S6, otherwise proceed to S4;
S4, unknown attack detection: input the traffic data into the unknown attack detection module and detect whether an unknown attack exists in the traffic using the size and count ratios of request and response packets; if an unknown attack exists, proceed to S5, otherwise end the system operation;
S5, updating the attack detection model: input the traffic data features into the model updating module and update the attack detection model with the traffic data of the detected unknown attack, so that the model trained on the updated data set can identify the previously unidentifiable reflection amplifier;
S6, verifying the reflection amplifier: input the traffic data into the reflection amplifier data collection module, verify the detected reflection amplifier in active mode, confirm attributes such as the amplification factor, and record the reflection amplifier data in the reflection amplifier IP library.
The model training module in the S1 mainly generates an attack detection model for a known reflection amplifier, and the attack detection module determines whether there is a reflection amplification attack in the passive traffic by using the generated attack detection model.
The unknown attack detection module in S1 handles traffic in which the attack detection model found no attack of a known type, and detects whether an unknown attack exists using the size and count ratios of request and response packets; the model updating module is mainly used to update the attack detection model so that it can identify the reflection amplifier that could not previously be identified.
In S1, the reflection amplifier data collection module mainly uses an active detection method to confirm the attributes such as amplification factor of the reflection amplifier and collect the data of the reflection amplifier.
The reflection amplifier IP library is used to store and back up the reflection amplifier data collected by the reflection amplifier data collection module and to retrieve that data at a later stage after it has been stored and backed up.
When the model training module in the S2 constructs the attack detection module, it autonomously constructs a reflection amplifier of a common protocol, generates traffic data as reflection amplification attack traffic of each protocol portion, collects a large amount of reflection amplification attack traffic data on the internet and normal traffic data, then selects features by using a feature selection algorithm, such as a statistical sorting network traffic feature selection method, extracts features from a traffic data set according to the selected features, makes labels, and trains and generates an attack detection model by using a machine learning algorithm.
When the attack detection module in the S3 detects, it mainly uses the generated attack detection model to determine whether there is a reflection amplification attack in the passive traffic, and when a group of traffic data enters the system, extracts the features of the group of traffic according to the feature matching required by the attack detection model, and inputs the group of traffic features into the trained attack detection model, and uses the attack detection model to determine whether there is a reflection amplification attack of a known type in the traffic.
When the unknown attack detection module in S4 detects, it uses the size and count ratios of request and response packets, with the following comparison process: first compute a1 = (response packet size) / (request packet size) and a2 = (number of response packets) / (number of request packets); if a1 is greater than a threshold α1 or a2 is greater than a threshold α2, an unknown reflection amplifier is considered to exist, and processing enters the model updating module and the reflection amplifier data collection module.
In the S5 model updating module, during updating, a large amount of flow data of the reflection amplifier that cannot be identified by the attack detection model is collected by means of active detection, the collected flow data set is added to the original flow data set to form a new data set, and then the attack detection model is retrained by using the new data set to generate an attack detection model that can identify the new type of reflection amplifier.
When the data collection module of the reflection amplifier in S6 verifies, it first uses the information such as IP address, characteristics, etc. of the reflection amplifier collected by the previous module to actively detect the detected reflection amplifier, determine its specific attributes such as amplification factor, etc., and then, after determining that the information of the reflection amplifier is correct, add the detected data of the reflection amplifier into the IP library of the reflection amplifier.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise embodiments disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (10)

1. A reflection amplifier identification method based on active and passive combination is characterized by comprising the following operation steps:
S1, constructing an identification system: set up a model training module, an unknown attack detection module, a model updating module, a reflection amplifier data collection module and a reflection amplifier IP library to form the identification system;
S2, constructing an attack detection module: collect known reflection amplifier data, pass it to the model training module, and train an attack detection model using a feature selection algorithm;
S3, detecting the type of reflection amplification attack: input the traffic into the attack detection module constructed in S2 and detect whether a reflection amplification attack of a known type exists; if an attack is detected, proceed to S6, otherwise proceed to S4;
S4, unknown attack detection: input the traffic data into the unknown attack detection module and detect whether an unknown attack exists in the traffic using the size and count ratios of request and response packets; if an unknown attack exists, proceed to S5, otherwise end the system operation;
S5, updating the attack detection model: input the traffic data features into the model updating module and update the attack detection model with the traffic data of the detected unknown attack, so that the model trained on the updated data set can identify the previously unidentifiable reflection amplifier;
S6, verifying the reflection amplifier: input the traffic data into the reflection amplifier data collection module, verify the detected reflection amplifier in active mode, confirm attributes such as the amplification factor, and record the reflection amplifier data in the reflection amplifier IP library.
2. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: the model training module in the S1 mainly generates an attack detection model for a known reflection amplifier, and the attack detection module determines whether there is a reflection amplification attack in the passive traffic by using the generated attack detection model.
3. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: the unknown attack detection module in S1 handles traffic in which the attack detection model found no attack of a known type, and detects whether an unknown attack exists using the size and count ratios of request and response packets; the model updating module is mainly used to update the attack detection model so that it can identify the reflection amplifier that could not previously be identified.
4. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: in S1, the reflection amplifier data collection module mainly uses an active detection method to confirm the attributes such as amplification factor of the reflection amplifier and collect the data of the reflection amplifier.
5. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: the reflection amplifier IP library is used to store and back up the reflection amplifier data collected by the reflection amplifier data collection module and to retrieve that data at a later stage after it has been stored and backed up.
6. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: when the model training module in the S2 constructs the attack detection module, it autonomously constructs a reflection amplifier of a common protocol, generates traffic data as reflection amplification attack traffic of each protocol portion, collects a large amount of reflection amplification attack traffic data on the internet and normal traffic data, then selects features by using a feature selection algorithm, such as a statistical sorting network traffic feature selection method, extracts features from a traffic data set according to the selected features, makes labels, and trains and generates an attack detection model by using a machine learning algorithm.
7. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: when the attack detection module in the S3 detects, it mainly uses the generated attack detection model to determine whether there is a reflection amplification attack in the passive traffic, and when a group of traffic data enters the system, extracts the features of the group of traffic according to the feature matching required by the attack detection model, and inputs the group of traffic features into the trained attack detection model, and uses the attack detection model to determine whether there is a reflection amplification attack of a known type in the traffic.
8. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: when the unknown attack detection module in S4 detects, it uses the size and count ratios of request and response packets, with the following comparison process: first compute a1 = (response packet size) / (request packet size) and a2 = (number of response packets) / (number of request packets); if a1 is greater than a threshold α1 or a2 is greater than a threshold α2, an unknown reflection amplifier is considered to exist, and processing enters the model updating module and the reflection amplifier data collection module.
9. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: in the S5 model updating module, during updating, a large amount of flow data of the reflection amplifier that cannot be identified by the attack detection model is collected by means of active detection, the collected flow data set is added to the original flow data set to form a new data set, and then the attack detection model is retrained by using the new data set to generate an attack detection model that can identify the new type of reflection amplifier.
10. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: when the data collection module of the reflection amplifier in S6 verifies, it first uses the information such as IP address, characteristics, etc. of the reflection amplifier collected by the previous module to actively detect the detected reflection amplifier, determine its specific attributes such as amplification factor, etc., and then, after determining that the information of the reflection amplifier is correct, add the detected data of the reflection amplifier into the IP library of the reflection amplifier.
CN202110247040.6A 2021-03-05 2021-03-05 Reflection amplifier identification method based on active and passive combination Active CN112953956B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110247040.6A CN112953956B (en) 2021-03-05 2021-03-05 Reflection amplifier identification method based on active and passive combination

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110247040.6A CN112953956B (en) 2021-03-05 2021-03-05 Reflection amplifier identification method based on active and passive combination

Publications (2)

Publication Number Publication Date
CN112953956A true CN112953956A (en) 2021-06-11
CN112953956B CN112953956B (en) 2022-11-18

Family

ID=76228564

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110247040.6A Active CN112953956B (en) 2021-03-05 2021-03-05 Reflection amplifier identification method based on active and passive combination

Country Status (1)

Country Link
CN (1) CN112953956B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114257452A (en) * 2021-12-24 2022-03-29 中国人民解放军战略支援部队信息工程大学 Method for discovering unknown UDP reflection amplification attack based on flow analysis

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160226894A1 (en) * 2015-02-04 2016-08-04 Electronics And Telecommunications Research Institute System and method for detecting intrusion intelligently based on automatic detection of new attack type and update of attack type model
CN106230819A (en) * 2016-07-31 2016-12-14 上海交通大学 A kind of DDoS detection method based on stream sampling
CN106341418A (en) * 2016-10-08 2017-01-18 中国科学院信息工程研究所 Domain name system (DNS) distributed reflection denial of service attack (DRDoS) detection and defense methods and systems
US20180191774A1 (en) * 2016-12-29 2018-07-05 Guangdong Eflycloud Computing Co., Ltd. Method and system for shunting reflective ddos traffic
CN108696543A (en) * 2018-08-24 2018-10-23 海南大学 Distributed reflection Denial of Service attack detection based on depth forest, defence method
CN109040113A (en) * 2018-09-04 2018-12-18 海南大学 Detecting method of distributed denial of service attacking and device based on Multiple Kernel Learning
CN109818964A (en) * 2019-02-01 2019-05-28 长沙市智为信息技术有限公司 A kind of ddos attack detection method, device, equipment and storage medium
CN110011999A (en) * 2019-03-29 2019-07-12 东北大学 IPv6 network ddos attack detection system and method based on deep learning
US20190289032A1 (en) * 2018-03-19 2019-09-19 Fortinet, Inc. Mitigation of ntp amplification and reflection based ddos attacks
CN110311925A (en) * 2019-07-30 2019-10-08 百度在线网络技术(北京)有限公司 Detection method and device, computer equipment and the readable medium of DDoS reflection-type attack
CN110661763A (en) * 2018-06-29 2020-01-07 阿里巴巴集团控股有限公司 DDoS reflection attack defense method, device and equipment
CN110691100A (en) * 2019-10-28 2020-01-14 中国科学技术大学 Hierarchical network attack identification and unknown attack detection method based on deep learning

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
CHANG LIU et al.: "Detect the reflection amplification attack based on UDP protocol", 2015 10th International Conference on Communications and Networking in China (CHINACOM) *
Liu Dongming et al.: "Deep-learning-based amplification attack attribution technique", Communications Technology *
Zhou Wenfeng: "Research on UDP reflection attack detection and response techniques", China Master's Theses Full-text Database, Information Science and Technology *
Li Chuanhuang et al.: "Real-time DDoS attack detection based on deep learning", Telecommunications Science *
Lin Xinyang et al.: "SSDP-based IoT DDoS reflection amplification attack and defense experiment", Modern Computer (Professional Edition) *
Jiang Zejun et al.: "Research on reflection amplification DDoS attacks and defense", Computer Products and Circulation *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114257452A (en) * 2021-12-24 2022-03-29 中国人民解放军战略支援部队信息工程大学 Method for discovering unknown UDP reflection amplification attack based on flow analysis
CN114257452B (en) * 2021-12-24 2023-06-23 中国人民解放军战略支援部队信息工程大学 Method for finding unknown UDP reflection amplification attack based on flow analysis

Also Published As

Publication number Publication date
CN112953956B (en) 2022-11-18

Similar Documents

Publication Publication Date Title
CN106878995B (en) Method for identifying abnormal type of wireless sensor network based on perception data
CN105022960A (en) Multi-feature mobile terminal malicious software detecting method based on network flow and multi-feature mobile terminal malicious software detecting system based on network flow
WO2009135396A1 (en) Network attack processing method, processing device and network analyzing and monitoring center
CN111478920A (en) Method, device and equipment for detecting communication of hidden channel
CN108632269A (en) Detecting method of distributed denial of service attacking based on C4.5 decision Tree algorithms
US20120090027A1 (en) Apparatus and method for detecting abnormal host based on session monitoring
CN107360145A (en) A kind of multinode honey pot system and its data analysing method
CN110336789A (en) Domain-flux Botnet detection method based on blended learning
CN110798426A (en) Method and system for detecting flood DoS attack behavior and related components
CN112287251B (en) Online store abnormal state detection method, device and system
CN110768946A (en) Industrial control network intrusion detection system and method based on bloom filter
KR102083028B1 (en) System for detecting network intrusion
CN106357660A (en) Method and device for detecting IP (internet protocol) of spoofing source in DDOS (distributed denial of service) defense system
CN109639624A (en) Lopsided data filtering method in a kind of Modbus Transmission Control Protocol fuzz testing
CN112953956B (en) Reflection amplifier identification method based on active and passive combination
CN111404768A (en) DPI recognition realization method and equipment
CN110096013A (en) A kind of intrusion detection method and device of industrial control system
Xu et al. [Retracted] DDoS Detection Using a Cloud‐Edge Collaboration Method Based on Entropy‐Measuring SOM and KD‐Tree in SDN
CN112291213A (en) Abnormal flow analysis method and device based on intelligent terminal
CN109462580A (en) Training flow detection model, the method and device for detecting service traffics exception
CN113225356B (en) TTP-based network security threat hunting method and network equipment
US20200169577A1 (en) Method and apparatus for generating virtual malicious traffic template for terminal group including device infected with malicious code
CN112468512B (en) Enterprise safety protection system and method based on white list mechanism
CN101719906A (en) Worm propagation behavior-based worm detection method
CN108650274B (en) Network intrusion detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 571924 301, floor 3, building A09, Hainan Ecological Software Park, high tech industry demonstration zone, Laocheng, Hainan Province

Patentee after: Jizhi (Hainan) Information Technology Co.,Ltd.

Country or region after: China

Address before: 571924 Room 301, 3rd floor, building A09, Hainan Ecological Software Park, Laocheng hi tech Industrial Demonstration Zone, Chengmai County, Haikou City, Hainan Province

Patentee before: Zhongdian Jizhi (Hainan) Information Technology Co.,Ltd.

Country or region before: China