CN113014529A - Network attack identification method, device, medium and equipment - Google Patents

Info

Publication number: CN113014529A
Authority: CN (China)
Prior art keywords: target, data set, vulnerable, user, vulnerable target
Legal status: Granted (Active)
Application number: CN201911315514.5A
Other languages: Chinese (zh)
Other versions: CN113014529B (en)
Inventor: 王坤
Current Assignee: Beijing Shuan Xinyun Information Technology Co ltd
Original Assignee: Beijing Shuan Xinyun Information Technology Co ltd
Application filed by Beijing Shuan Xinyun Information Technology Co ltd
Priority to CN201911315514.5A
Publication of CN113014529A
Application granted
Publication of CN113014529B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning

Abstract

The invention relates to a network attack identification method, device, medium and equipment. The network attack identification method comprises the following steps: acquiring log data in a preset time period, and determining a vulnerable target, wherein the vulnerable target comprises a specified path and/or a URL type; constructing user behavior characteristics and establishing a data set based on the vulnerable target; training a machine learning model based on the data set, extracting decision logic, constructing an algorithm rule and verifying it; and using the verified algorithm rule for identifying network attacks. The method starts from the vulnerable path and/or url-pattern, avoids the complex process of modeling all of a user's access behaviors, reduces modeling complexity, lowers the difficulty of network attack identification, and improves identification accuracy and recall.

Description

Network attack identification method, device, medium and equipment
Technical Field
The present disclosure relates to network security, and more particularly, to a method, an apparatus, a medium, and a device for identifying network attacks.
Background
In the related art, existing methods for detecting network attacks fall mainly into two types: attack detection based on access frequency limits, and attack detection based on access behavior. Detection based on access frequency limits mainly restricts abnormal users whose access frequency is too high; to reduce misjudgment, the frequency limit is usually set very high, so many abnormal users go unidentified. Detection based on access behavior mainly detects abnormal users with a single access behavior: when a user's accesses are concentrated on a certain URL or a certain interface within a period of time, the user is identified as abnormal. Detection based on a single access behavior cannot identify abnormal users whose access behavior is disordered. When the access behavior of an attacking IP is disordered and its access frequency is not high, it is easily overlooked by both identification strategies.
Disclosure of Invention
To overcome the problems in the related art, a network attack identification method, device, medium, and apparatus are provided.
According to a first aspect herein, there is provided a method of identifying a cyber attack, comprising:
acquiring log data in a preset time period, and determining a vulnerable target, wherein the vulnerable target comprises a specified path and/or a URL type;
constructing user behavior characteristics and establishing a data set based on the vulnerable target;
training a machine learning model based on the data set, extracting decision logic, constructing an algorithm rule and verifying;
and using the verified algorithm rule for identifying the network attack.
The constructing the user behavior characteristics based on the vulnerable targets comprises:
equally dividing the preset time period into m time segments;
and constructing user behavior characteristics according to the times of accessing the vulnerable target by the user and the number of time segments of each access.
The user behavior characteristics comprise:
the number of time segments a user is in when accessing the vulnerable target;
the number of segments of time during which the user accesses the vulnerable target within a first period of time;
the number of time segments during which the user accesses the vulnerable target within a second time period;
a total number of times that a user accesses the vulnerable target;
a standard deviation of a number of times that a user accesses the vulnerable target within each time segment;
and in the user IP accessing the vulnerable target, the number of the same-segment IP to which the user IP belongs.
The vulnerable target comprises a first target and a second target, the first target is different from the second target, and the establishing a data set based on the vulnerable target comprises:
establishing a training data set and a test data set based on the first target; and establishing a verification data set based on the second target.
The training of the machine learning model and the extraction of decision logic based on the data set, the construction of algorithm rules and the verification comprise:
training a machine learning model using the training data set;
extracting a decision logic of the trained machine learning model, and constructing an algorithm rule according to the decision logic;
testing the accuracy of the algorithm rule using the test data set;
verifying the generality of the algorithm rule using the verification data set.
According to another aspect of the present disclosure, there is provided a network attack recognition apparatus, including:
the log module is used for acquiring log data in a preset time period and determining a vulnerable target, wherein the vulnerable target comprises a specified path and/or a URL type;
the construction module is used for constructing user behavior characteristics and establishing a data set based on the vulnerable target;
the rule extraction module is used for training a machine learning model based on the data set, extracting decision logic, constructing an algorithm rule and verifying the algorithm rule;
and the application module is used for using the verified algorithm rule for identifying the network attack.
The constructing the user behavior characteristics based on the vulnerable targets comprises:
equally dividing the preset time period into m time segments;
and constructing user behavior characteristics according to the times of accessing the vulnerable target by the user and the number of time segments of each access.
The user behavior characteristics comprise:
the number of time segments a user is in when accessing the vulnerable target;
the number of segments of time during which the user accesses the vulnerable target within a first period of time;
the number of time segments during which the user accesses the vulnerable target within a second time period;
a total number of times that a user accesses the vulnerable target;
a standard deviation of a number of times that a user accesses the vulnerable target within each time segment;
and in the user IP accessing the vulnerable target, the number of the same-segment IP to which the user IP belongs.
The vulnerable target comprises a first target and a second target, the first target is different from the second target, and the establishing a data set based on the vulnerable target comprises:
establishing a training data set and a test data set based on the first target; and establishing a verification data set based on the second target.
The training of the machine learning model and the extraction of decision logic based on the data set, the construction of algorithm rules and the verification comprise:
training a machine learning model using the training data set;
extracting a decision logic of the trained machine learning model, and constructing an algorithm rule according to the decision logic;
testing the accuracy of the algorithm rule using the test data set;
verifying the generality of the algorithm rule using the verification data set.
According to another aspect herein, there is provided a computer readable storage medium having stored thereon a computer program which, when executed, implements the steps of the method of identifying a network attack.
According to another aspect herein, there is provided a computer device comprising a processor, a memory and a computer program stored on the memory, the processor implementing the steps of the method of identifying a cyber attack when executing the computer program.
The network attack identification method starts from the vulnerable path and/or url-pattern, avoids the complex process of modeling all of a user's access behaviors, reduces modeling complexity, lowers the difficulty of network attack identification, improves identification accuracy and recall, and can accurately identify attack behavior whose access pattern is disordered and whose access frequency is low.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, are included to provide a further understanding of the disclosure. In the drawings:
Fig. 1 is a flow chart illustrating a method of identifying a cyber attack according to an example embodiment.
Fig. 2 is a block diagram illustrating an apparatus for identifying cyber attacks according to an example embodiment.
FIG. 3 is a block diagram illustrating a computer device according to an example embodiment.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the drawings of the embodiments of the present invention, and it is obvious that the described embodiments are some but not all of the embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments herein without making any creative effort, shall fall within the scope of protection. It should be noted that the embodiments and features of the embodiments may be arbitrarily combined with each other without conflict.
Fig. 1 is a flow chart illustrating a method of identifying a cyber attack according to an example embodiment. Referring to fig. 1, the method for identifying a network attack includes:
Step S11, obtaining log data in a preset time period, and determining a vulnerable target, where the vulnerable target includes a specified path and/or URL type;
Step S12, based on the vulnerable target, constructing user behavior characteristics and establishing a data set;
Step S13, training a machine learning model based on the data set, extracting decision logic, constructing an algorithm rule and verifying;
Step S14, using the verified algorithm rule for identifying the network attack.
The preset time period may be 24 hours, 48 hours or any other time period, as determined by the actual situation. From the log data in the preset time period, the URLs visited by users in that period can be counted, and past experience indicates which of those URLs, or which paths within them, are easily attacked. The vulnerable paths and vulnerable URL types are determined in this way, and the vulnerable target is determined from the vulnerable paths and/or the vulnerable URL types.
Based on the vulnerable target, user behavior characteristics are constructed for the users who access those paths and/or URL types, according to each user's access behavior. The users are also labeled according to experience, for example a user with attack behavior is labeled 1 and a user without attack behavior is labeled 0, and a data set is then established.
In one embodiment, in step S12, constructing the user behavior characteristics based on the vulnerable target includes:
equally dividing a preset time period into m time segments;
and constructing user behavior characteristics according to the times of accessing the vulnerable target by the user and the number of time segments of each access.
In the present embodiment, the preset time period is the past 24 hours, each time segment is 10 minutes, and the 24 hours can be equally divided into 144 time segments. In practical applications, the length of the preset time period and the length of each time segment may be set according to experience and practical situations, and the present disclosure is not limited thereto.
In one embodiment, the user behavior characteristics include:
The number of time segments a user is in when accessing the vulnerable target. When a user accesses a website corresponding to a vulnerable target, one or more time segments are occupied according to the time span of each access; if one access lasts 5 minutes and each time segment is 10 minutes, the access may fall in one time segment or in two. Normal network access and network attacks differ in duration, so the number of time segments involved also differs.
The number of time segments during which the user accesses the vulnerable target within the first time period. In the present embodiment, the first time period is from 0 to 7 am. Normal users rarely access the network during this period, whereas network attackers may often use it to conduct attacks.
The number of time segments during which the user accesses the vulnerable target within the second time period. In this embodiment, the second time period is the working period from 7 o'clock to 19 o'clock. The access of normal users is generally concentrated in this period, and an attacker may also use the normal users as cover and launch a network attack in this period.
The total number of times the user accesses the vulnerable target. Normal users generally access the target only a few times, whereas network attack behavior may involve many accesses.
The standard deviation of the number of times a user accesses the vulnerable target within each time segment. Because normal users access at random, the number of accesses in each time segment is random, so the standard deviation of the per-segment access counts is large. Network attacks are mostly automated program requests, whose access counts in each time segment are very close or even equal, so their standard deviation is very small. The standard deviation therefore differs between normal users and network attackers.
Among the user IPs accessing the vulnerable target, the number of IPs in the same segment as the user's IP. A network attacker launching an attack may use multiple computers, and the IPs of these computers inevitably share the same C segment or the same B segment.
The labeled user data for which the above characteristics have been constructed is used to establish the data set for training the machine learning model and verifying the algorithm rule.
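The six characteristics computed from access-log records, as an added example that is not code from the patent. The record layout, the `/login` target, the documentation-range IPs, reading "same-segment IP" as the /24 of an IPv4 address, and taking the standard deviation over the segments a user was active in are all assumptions.

```python
import ipaddress
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SEGMENT = timedelta(minutes=10)        # 24 h / 10 min = 144 segments, as in the embodiment
FIRST_PERIOD = range(0, 7)             # hours of the first period (0 to 7 am)
SECOND_PERIOD = range(7, 19)           # hours of the second period (7 to 19 o'clock)
WINDOW_START = datetime(2019, 12, 1)   # constructed start of the 24-hour window


def extract_features(records, window_start, vulnerable_prefixes, m=144):
    """records: iterable of (ISO timestamp, client IPv4 address, request path)."""
    hits = defaultdict(Counter)        # ip -> {segment index: request count}
    for ts, ip, path in records:
        if not path.startswith(tuple(vulnerable_prefixes)):
            continue                   # only accesses to the vulnerable target count
        idx = (datetime.fromisoformat(ts) - window_start) // SEGMENT
        if 0 <= idx < m:
            hits[ip][idx] += 1

    # Assumption: "same-segment IP" is read as the /24 (C segment) of the address.
    def c_segment(ip):
        return ipaddress.ip_network(f"{ip}/24", strict=False)

    per_net = Counter(c_segment(ip) for ip in hits)

    features = {}
    for ip, segs in hits.items():
        hours = [(window_start + i * SEGMENT).hour for i in segs]
        counts = list(segs.values())
        features[ip] = {
            "segments": len(segs),
            "segments_first": sum(h in FIRST_PERIOD for h in hours),
            "segments_second": sum(h in SECOND_PERIOD for h in hours),
            "total": sum(counts),
            # Assumption: deviation is taken over the segments the user was active in.
            "std": statistics.pstdev(counts),
            "same_c_segment_ips": per_net[c_segment(ip)],
        }
    return features


def constructed_records():
    """Constructed sample: two scripted clients at night, one ordinary user by day."""
    rec = []
    for ip in ("203.0.113.10", "203.0.113.11"):
        for seg in range(12, 16):                  # 02:00 to 02:40
            for k in range(3):                     # three requests per segment
                t = WINDOW_START + seg * SEGMENT + timedelta(minutes=3 * k)
                rec.append((t.isoformat(), ip, "/login"))
    user = "198.51.100.7"
    for stamp, path in [("09:03:00", "/login"), ("09:04:00", "/index.html"),
                        ("09:15:00", "/login"), ("09:16:00", "/login"),
                        ("09:17:00", "/login"), ("09:18:00", "/login"),
                        ("14:02:00", "/login")]:
        rec.append((f"2019-12-01T{stamp}", user, path))
    return rec


if __name__ == "__main__":
    for ip, row in extract_features(constructed_records(), WINDOW_START, ["/login"]).items():
        print(ip, row)
```

Each row, together with a 0/1 label assigned by an analyst, is one entry of the data set described above.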
In one embodiment, the vulnerable target includes a first target and a second target, the first target is different from the second target, and the establishing the data set based on the vulnerable target in step S12 includes:
establishing a training data set and a test data set based on the first target; and establishing a verification data set based on the second target.
Training a machine learning model based on a data set and extracting decision logic, and constructing and verifying an algorithm rule comprises the following steps:
Training the machine learning model using the training data set. The machine learning model may be an AdaBoost model or a RandomForest model, or another model, and is not limited herein.
Extracting the decision logic of the trained machine learning model, and constructing an algorithm rule according to the decision logic. After the machine learning model is trained, its decision flow is displayed visually, the decision logic that predicts accurately is extracted and corrected, and the algorithm rule is constructed from the corrected decision logic.
Testing the accuracy of the algorithm rule using the test data set. The extracted algorithm rule is tested with a test data set that has the same vulnerable target as the training data set but is different from the training data set, wherein the accuracy with which the tested algorithm rule identifies network attacks is 100%.
Verifying the generality of the algorithm rule using the verification data set. The algorithm rule is tested further using verification data sets with different vulnerable targets, to verify whether it can identify network attacks with 100% accuracy on user data sets based on different paths and/or URL types.
After multiple rounds of testing, once the accuracy and generality of the extracted algorithm rule reach expectations, the algorithm rule can be brought online, and the verified algorithm rule is used to identify network attacks.
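The train, extract, test and verify sequence above, as an added example that is not code from the patent: a small Gini decision tree written in plain Python stands in for the AdaBoost or RandomForest model the text names, each path ending in an attack leaf becomes one rule, and the rule is scored on a test set (first target) and a verification set (second target). The feature names, the tree and every feature vector are constructed for illustration.

```python
FEATURES = ("segments", "segments_first", "segments_second",
            "total", "std", "same_c_segment_ips")

# Constructed, hand-labelled vectors: (features, label), 1 = attack, 0 = normal.
TRAIN = [  # users of the first vulnerable target
    ((4, 4, 0, 12, 0.0, 2), 1), ((4, 4, 0, 12, 0.0, 2), 1),
    ((20, 8, 12, 40, 0.0, 3), 1), ((30, 12, 15, 45, 0.5, 3), 1),
    ((10, 0, 10, 30, 0.0, 1), 1),
    ((3, 0, 3, 6, 1.41, 1), 0), ((1, 0, 1, 1, 0.0, 1), 0),
    ((2, 0, 2, 9, 2.5, 1), 0), ((5, 1, 4, 14, 1.9, 2), 0),
    ((1, 1, 0, 2, 0.0, 1), 0),
]
TEST = [  # other users of the first target
    ((6, 6, 0, 18, 0.0, 2), 1), ((15, 5, 10, 31, 0.4, 4), 1),
    ((2, 0, 2, 3, 0.5, 1), 0), ((6, 0, 6, 20, 2.2, 1), 0),
    ((1, 0, 1, 1, 0.0, 1), 0),
]
VALIDATION = [  # users of a second, different vulnerable target
    ((12, 3, 9, 24, 0.0, 6), 1), ((9, 9, 0, 90, 0.8, 1), 1),
    ((3, 0, 3, 4, 0.47, 1), 0), ((7, 0, 7, 25, 3.1, 1), 0),
]


def impurity(rows):
    """Size-weighted Gini impurity of a node: 2 * attacks * normals / n."""
    pos = sum(label for _, label in rows)
    return 2 * pos * (len(rows) - pos) / len(rows) if rows else 0.0


def best_split(rows):
    """Return the (feature index, threshold) that lowers impurity most, or None."""
    best, best_score = None, impurity(rows)
    for f in range(len(FEATURES)):
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [r for r in rows if r[0][f] <= thr]
            right = [r for r in rows if r[0][f] > thr]
            score = impurity(left) + impurity(right)
            if score < best_score:
                best, best_score = (f, thr), score
    return best


def train(rows, depth=3):
    """A node is ('leaf', label) or ('split', feature index, threshold, left, right)."""
    split = best_split(rows) if depth else None
    if split is None:
        pos = sum(label for _, label in rows)
        return ("leaf", int(2 * pos > len(rows)))
    f, thr = split
    return ("split", f, thr,
            train([r for r in rows if r[0][f] <= thr], depth - 1),
            train([r for r in rows if r[0][f] > thr], depth - 1))


def extract_rules(node, path=()):
    """Every root-to-leaf path that ends in label 1 becomes one AND-rule."""
    if node[0] == "leaf":
        return [list(path)] if node[1] == 1 else []
    _, f, thr, left, right = node
    return (extract_rules(left, path + ((FEATURES[f], "<=", thr),)) +
            extract_rules(right, path + ((FEATURES[f], ">", thr),)))


def rule_matches(rules, x):
    """The deployed check: threshold comparisons only, no model at run time."""
    row = dict(zip(FEATURES, x))
    return int(any(all(row[n] <= t if op == "<=" else row[n] > t
                       for n, op, t in rule) for rule in rules))


def accuracy(rules, rows):
    return sum(rule_matches(rules, x) == y for x, y in rows) / len(rows)


def build_rule():
    rules = extract_rules(train(TRAIN))
    return rules, accuracy(rules, TEST), accuracy(rules, VALIDATION)


if __name__ == "__main__":
    print(build_rule())
```

On these vectors the extracted rule is `segments > 3.5 AND std <= 1.2`: the low deviation alone is not enough, which is why the single-visit normal user with a deviation of 0 is not flagged.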
With this embodiment, the network attack identification method provided by the invention starts from the vulnerable path and/or url-pattern, avoids the complex process of modeling all of a user's access behaviors, reduces modeling complexity, lowers the difficulty of network attack identification, improves identification accuracy and recall, and accurately identifies attack behavior whose access pattern is disordered and whose access frequency is low.
Fig. 2 is a block diagram illustrating an apparatus for identifying cyber attacks according to an example embodiment. Referring to fig. 2, the network attack recognition apparatus includes: the system comprises a log module 201, a construction module 202, a rule extraction module 203 and an application module 204.
The log module 201 is configured to obtain log data within a preset time period, and determine a vulnerable target, where the vulnerable target includes a specified path and/or URL type.
The construction module 202 is configured to construct user behavior characteristics and establish a data set based on the vulnerable target.
The rule extraction module 203 is configured to train a machine learning model based on the data set, extract decision logic, construct an algorithm rule and verify it.
The application module 204 is configured to use the verified algorithm rule for identifying network attacks.
The construction module 202 constructing user behavior characteristics based on the vulnerable target includes:
equally dividing a preset time period into m time segments;
and constructing user behavior characteristics according to the times of accessing the vulnerable target by the user and the number of time segments of each access.
The user behavior characteristics comprise:
the number of time segments in which the user accesses the vulnerable target;
the number of time segments in which the user accesses the vulnerable target in the first time period;
the number of time segments in which the user accesses the vulnerable target in the second time period;
total number of times a user accesses a vulnerable target;
the standard deviation of the number of times that a user accesses a vulnerable target within each time slice;
and in the user IP accessing the vulnerable target, the number of the same-segment IP to which the user IP belongs.
The vulnerable target includes a first target and a second target, the first target being different from the second target, and the construction module 202 establishing the data set based on the vulnerable target includes:
establishing a training data set and a test data set based on the first target; and establishing a verification data set based on the second target.
Training a machine learning model based on the data set, extracting decision logic, constructing an algorithm rule and verifying it includes:
training a machine learning model using the training data set;
extracting the decision logic of the trained machine learning model, and constructing an algorithm rule according to the decision logic;
testing the accuracy of the algorithm rule using the test data set;
verifying the generality of the algorithm rule using the verification data set.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
FIG. 3 is a block diagram illustrating a computer device 300 for identification of a network attack, according to an example embodiment. For example, the computer device 300 may be provided as a server. Referring to fig. 3, the computer device 300 includes a processor 301, and the number of processors may be set to one or more as necessary. The computer device 300 further comprises a memory 302 for storing instructions, such as an application program, executable by the processor 301. The number of memories may be set to one or more as needed, and the memory may store one or more application programs. The processor 301 is configured to execute instructions to perform the above-described network attack identification method.
As will be appreciated by one skilled in the art, the embodiments herein may be provided as a method, apparatus (device), or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied in the medium. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, including, but not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer, and the like. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices) and computer program products according to embodiments herein. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that an article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such article or apparatus. Without further limitation, an element defined by the phrase "comprising …" does not exclude the presence of additional like elements in the article or device comprising the element.
While the preferred embodiments herein have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following appended claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of this disclosure.
It will be apparent to those skilled in the art that various changes and modifications may be made herein without departing from the spirit and scope thereof. Thus, it is intended that such changes and modifications be included herein, provided they come within the scope of the appended claims and their equivalents.

Claims (12)

1. A network attack recognition method is characterized by comprising the following steps:
acquiring log data in a preset time period, and determining a vulnerable target, wherein the vulnerable target comprises a specified path and/or a URL type;
constructing user behavior characteristics and establishing a data set based on the vulnerable target;
training a machine learning model based on the data set, extracting decision logic, constructing an algorithm rule and verifying;
and using the verified algorithm rule for identifying the network attack.
2. The method for identifying network attacks according to claim 1, wherein the constructing user behavior characteristics based on the vulnerable target comprises:
equally dividing the preset time period into m time segments;
and constructing user behavior characteristics according to the times of accessing the vulnerable target by the user and the number of time segments of each access.
3. The method for identifying network attacks according to claim 2, wherein the user behavior characteristics comprise:
the number of time segments a user is in when accessing the vulnerable target;
the number of segments of time during which the user accesses the vulnerable target within a first period of time;
the number of time segments during which the user accesses the vulnerable target within a second time period;
a total number of times that a user accesses the vulnerable target;
a standard deviation of a number of times that a user accesses the vulnerable target within each time segment;
and in the user IP accessing the vulnerable target, the number of the same-segment IP to which the user IP belongs.
4. The method of identifying a network attack of claim 1, wherein the vulnerable target comprises a first target and a second target, the first target being different from the second target, and wherein establishing the data set based on the vulnerable target comprises:
establishing a training data set and a test data set based on the first target; and establishing a verification data set based on the second target.
5. The method for identifying cyber attacks according to claim 4, wherein the training of the machine learning model and the extraction of decision logic based on the data set, the construction of algorithm rules and the verification comprise:
training a machine learning model using the training data set;
extracting a decision logic of the trained machine learning model, and constructing an algorithm rule according to the decision logic;
testing the accuracy of the algorithm rule using the test data set;
verifying the generality of the algorithm rule using the verification data set.
6. An apparatus for identifying a cyber attack, comprising:
the log module is used for acquiring log data in a preset time period and determining a vulnerable target, wherein the vulnerable target comprises a specified path and/or a URL type;
the construction module is used for constructing user behavior characteristics and establishing a data set based on the vulnerable target;
the rule extraction module is used for training a machine learning model based on the data set, extracting decision logic, constructing an algorithm rule and verifying the algorithm rule;
and the application module is used for using the verified algorithm rule for identifying the network attack.
7. The apparatus for identifying network attacks according to claim 6, wherein constructing the user behavior characteristics based on the vulnerable target comprises:
equally dividing the preset time period into m time segments;
and constructing user behavior characteristics according to the number of times the user accesses the vulnerable target and the number of time segments of each access.
8. The apparatus for identifying cyber attacks according to claim 7, wherein the user behavior characteristics include:
the number of time segments in which the user accesses the vulnerable target;
the number of time segments in which the user accesses the vulnerable target within a first time period;
the number of time segments in which the user accesses the vulnerable target within a second time period;
the total number of times the user accesses the vulnerable target;
the standard deviation of the number of times the user accesses the vulnerable target within each time segment;
and, among the user IPs accessing the vulnerable target, the number of IPs in the same network segment as the user's IP.
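The feature construction recited in claims 2-3 and 7-8 can be sketched as follows; this is an added example, not code from the patent. It assumes an exact path match for the vulnerable target, a /24 prefix for "same segment" (counting the IP itself), a population standard deviation over all m segments, and first and second time periods given as segment-index ranges; the log lines are constructed.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample log: (seconds since window start, client IP, request path).
LOG = [(t + d, "198.51.100.7", "/login") for t in range(10, 3600, 600) for d in (0, 5)]
LOG += [(20, "198.51.100.9", "/login"), (30, "198.51.100.9", "/login"),
        (1000, "203.0.113.50", "/login"), (1010, "203.0.113.50", "/index.html")]

def subnet(ip):
    # Assumption: "same segment" means the same /24 network.
    return ipaddress.ip_network(ip + "/24", strict=False)

def build_features(log, target, window, m, first, second):
    """Per-IP behaviour features for requests to `target` within `window`
    seconds, split into m equal segments. `first` and `second` are
    (start, end) segment-index ranges, end exclusive (an assumption)."""
    seg_len = window / m
    counts = defaultdict(lambda: [0] * m)
    for ts, ip, path in log:
        if path == target and 0 <= ts < window:
            counts[ip][int(ts // seg_len)] += 1

    # Group the IPs that touched the target by network segment.
    nets = defaultdict(set)
    for ip in counts:
        nets[subnet(ip)].add(ip)

    features = {}
    for ip, per_seg in counts.items():
        active = [i for i, c in enumerate(per_seg) if c]
        features[ip] = {
            "active_segments": len(active),
            "active_first": sum(first[0] <= i < first[1] for i in active),
            "active_second": sum(second[0] <= i < second[1] for i in active),
            "total": sum(per_seg),
            # Population standard deviation over all m segments (assumption).
            "std": statistics.pstdev(per_seg),
            # Count includes the IP itself (assumption).
            "same_segment_ips": len(nets[subnet(ip)]),
        }
    return features

if __name__ == "__main__":
    for ip, row in build_features(LOG, "/login", 3600, 6, (0, 3), (3, 6)).items():
        print(ip, row)
```

In the constructed sample, the client that hits the target evenly in every segment has a standard deviation of 0 and six active segments, while the client with a single short burst has one active segment and a non-zero deviation.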
9. The apparatus for identifying a network attack of claim 6, wherein the vulnerable target comprises a first target and a second target, the first target being different from the second target, and wherein establishing the data set based on the vulnerable target comprises:
establishing a training data set and a test data set based on the first target; and establishing a verification data set based on the second target.
10. The apparatus for identifying cyber attacks according to claim 9, wherein the training of the machine learning model and the extraction of decision logic based on the data set, the construction of algorithm rules and the verification comprise:
training a machine learning model using the training data set;
extracting a decision logic of the trained machine learning model, and constructing an algorithm rule according to the decision logic;
testing the accuracy of the algorithm rule using the test data set;
verifying the generality of the algorithm rule using the verification data set.
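The train, extract, test and verify sequence of claims 4-5 and 9-10, as an added example that is not code from the patent. It assumes a one-split decision tree (a stump) as a stand-in for the unspecified machine learning model and two hypothetical features; all rows are constructed.

```python
# Constructed rows: ((active_segments, total_requests), label); label 1 = attack.
# TRAIN and TEST come from the first target, VERIFY from a different second target.
TRAIN = [((2, 5), 0), ((3, 9), 0), ((1, 2), 0), ((4, 12), 0),
         ((20, 400), 1), ((18, 350), 1), ((22, 90), 1), ((15, 600), 1)]
TEST = [((2, 4), 0), ((19, 300), 1), ((5, 20), 0), ((16, 80), 1)]
VERIFY = [((1, 3), 0), ((12, 200), 1), ((3, 7), 0), ((8, 150), 1)]
FEATURES = ("active_segments", "total_requests")  # hypothetical feature names

def fit_stump(rows):
    """Train a one-split decision tree: try every feature and every midpoint
    between adjacent observed values, keep the split with the fewest errors."""
    best = None
    for f in range(len(rows[0][0])):
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            errors = sum((x[f] > thr) != bool(y) for x, y in rows)
            if best is None or errors < best[0]:
                best = (errors, f, thr)
    return best[1], best[2]

def extract_rule(stump):
    """Turn the trained model's decision logic into a standalone rule:
    a readable condition plus a predicate that needs no model at run time."""
    f, thr = stump
    return f"{FEATURES[f]} > {thr}", (lambda x: x[f] > thr)

def accuracy(predict, rows):
    """Fraction of rows where the rule's verdict matches the label."""
    return sum(predict(x) == bool(y) for x, y in rows) / len(rows)

STUMP = fit_stump(TRAIN)
RULE_TEXT, RULE = extract_rule(STUMP)

if __name__ == "__main__":
    print("rule:", RULE_TEXT)
    print("test accuracy (first target):", accuracy(RULE, TEST))
    print("verification accuracy (second target):", accuracy(RULE, VERIFY))
```

On this constructed data the rule is perfect on the first target's test set but misses one attacker on the second target, which is the gap the separate verification data set exists to expose.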
11. A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed, implements the steps of the method according to any one of claims 1-5.
12. A computer arrangement comprising a processor, a memory and a computer program stored on the memory, characterized in that the steps of the method according to any of claims 1-5 are implemented when the computer program is executed by the processor.
CN201911315514.5A 2019-12-19 2019-12-19 Network attack identification method, device, medium and equipment Active CN113014529B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911315514.5A CN113014529B (en) 2019-12-19 2019-12-19 Network attack identification method, device, medium and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911315514.5A CN113014529B (en) 2019-12-19 2019-12-19 Network attack identification method, device, medium and equipment

Publications (2)

Publication Number Publication Date
CN113014529A true CN113014529A (en) 2021-06-22
CN113014529B CN113014529B (en) 2023-09-26

Family

ID=76382574

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911315514.5A Active CN113014529B (en) 2019-12-19 2019-12-19 Network attack identification method, device, medium and equipment

Country Status (1)

Country Link
CN (1) CN113014529B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102291411A (en) * 2011-08-18 2011-12-21 网宿科技股份有限公司 Anti-DDOS (distributed denial of service) attack method and system against DNS (domain name system) service
US20160234249A1 (en) * 2013-05-03 2016-08-11 John Wong Method and system for mitigation of distributed denial of service (ddos) attacks
CN107426132A (en) * 2016-05-23 2017-12-01 腾讯科技(深圳)有限公司 The detection method and device of network attack
CN106375331A (en) * 2016-09-23 2017-02-01 北京网康科技有限公司 Mining method and device of attacking organization
CN109067586A (en) * 2018-08-16 2018-12-21 海南大学 Ddos attack detection method and device
CN109525551A (en) * 2018-10-07 2019-03-26 杭州安恒信息技术股份有限公司 A method of the CC based on statistical machine learning attacks protection

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11443045B2 (en) * 2020-05-05 2022-09-13 Booz Allen Hamilton Inc. Methods and systems for explaining a decision process of a machine learning model
CN115987687A (en) * 2023-03-17 2023-04-18 鹏城实验室 Network attack evidence obtaining method, device, equipment and storage medium
CN115987687B (en) * 2023-03-17 2023-05-26 鹏城实验室 Network attack evidence obtaining method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN113014529B (en) 2023-09-26

Similar Documents

Publication Publication Date Title
EP3651043B1 (en) Url attack detection method and apparatus, and electronic device
JP6918245B2 (en) Identity verification method and equipment
CN109922032B (en) Method, device, equipment and storage medium for determining risk of logging in account
US9824197B2 (en) Classifier training method and apparatus, identity authentication method and system
CN105635126B (en) Malice network address accesses means of defence, client, security server and system
US9490987B2 (en) Accurately classifying a computer program interacting with a computer system using questioning and fingerprinting
US20140096242A1 (en) Method, system and client terminal for detection of phishing websites
CN108369603B (en) Substance detection processing method, substance detection processing device and detection equipment
CN113014529B (en) Network attack identification method, device, medium and equipment
CN109842858B (en) Service abnormal order detection method and device
CN110602135B (en) Network attack processing method and device and electronic equipment
CN111611559A (en) Identity verification method and device
CN109711173B (en) Password file leakage detection method
CN111783105A (en) Penetration testing method, device, equipment and storage medium
KR102130582B1 (en) Web-based brute force attack blocking device and method using machine learning
CN111586028A (en) Abnormal login evaluation method and device, server and storage medium
CN106375259B (en) Same-user account identification method and device
KR102143510B1 (en) Risk management system for information cecurity
CN108959931B (en) Vulnerability detection method and device, information interaction method and equipment
CN107124330B (en) Data downloading control method and system
CN107229865B (en) Method and device for analyzing Webshell intrusion reason
CN114298714A (en) Account identity authentication method and device, electronic equipment and storage medium
CN115842640A (en) CC attack protection method, device, medium and equipment
US10091311B2 (en) Smart location determination
KR20210076455A (en) Method and apparatus for automated verifying of xss attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant