CN113194086A - Anti-attack method and device - Google Patents

Anti-attack method and device

Info

Publication number: CN113194086A
Authority: CN (China)
Prior art keywords: learning, attack, subtask, parameter, task
Legal status: Granted
Application number: CN202110461464.2A
Other languages: Chinese (zh)
Other versions: CN113194086B (en)
Inventor: 陈凡
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Priority date / filing date: 2021-04-27 (application CN202110461464.2A filed by New H3C Security Technologies Co Ltd)
Publication date: 2021-07-30 (CN113194086A); granted and published as CN113194086B on 2022-05-27
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Abstract

The application provides an anti-attack method and device. The method comprises the following steps: establishing an anti-attack parameter learning task, where the learning task at least comprises the IP address of the learning target device, a learning duration and a plurality of anti-attack parameter learning elements; establishing a learning subtask for each anti-attack parameter learning element; executing each learning subtask in parallel; and, upon determining that the execution time of each learning subtask has reached the learning duration, setting the threshold value of each anti-attack parameter according to the parameter learned by the corresponding learning subtask, in order to defend against distributed denial of service attacks.

Description

Anti-attack method and device
Technical Field
The present application relates to communication technology, and more particularly to an anti-attack method and apparatus.
Background
DDoS (Distributed Denial of Service) refers to an attacker combining a plurality of computers into an attack platform by means of client/server technology and launching attacks on one or more targets from it, thereby multiplying the power of a denial of service attack.
At present, DDoS anti-attack protection schemes mainly collect device information periodically, either manually or through third-party devices, and then adjust and optimize the protection policy threshold values. However, manually collected device information may be inaccurate because of human factors.
Protection policy thresholds are currently configured mainly from subjective experience, by obtaining the required information through third-party equipment, by deploying the device in a transparent pass-through mode at initial deployment, or by manually collecting the open ports and service conditions of the server. Collecting the required information through a third-party device, for example checking the network bandwidth peak or the connection number on a firewall, has two problems: the collecting device does not necessarily exist, and the services opened on the server and the connection numbers of the corresponding service ports cannot be seen directly on a firewall. If the device is deployed in transparent pass-through mode at initial deployment, the value of a DDoS attack protection device is lost; transparent pass-through is generally a mode in which the device does not act on the network and is used to avoid the impact that inline deployment would otherwise cause. If the server's open ports and service conditions are collected manually, the statistics may be inaccurate or the response slow because of human factors.
Disclosure of Invention
The application aims to provide an anti-attack method and device in which the DDoS anti-attack threshold values are set through traffic learning.
In order to achieve the above object, the present application provides an attack prevention method, including: establishing an anti-attack parameter learning task, where the learning task at least comprises the IP address of the learning target device, a learning duration and a plurality of anti-attack parameter learning elements; establishing a learning subtask for each anti-attack parameter learning element; executing each learning subtask in parallel; and, upon determining that the execution time of each learning subtask has reached the learning duration, setting the threshold value of each anti-attack parameter according to the parameter learned by the corresponding learning subtask, in order to defend against distributed denial of service attacks.
In order to achieve the above object, the present application further provides an anti-attack device, which includes a forwarding module, a processor and a memory; the memory is used to store processor-executable instructions, and the processor executes the processor-executable instructions in the memory to perform the following: establishing an anti-attack parameter learning task, where the learning task at least comprises the IP address of the learning target device, a learning duration and a plurality of anti-attack parameter learning elements; establishing a learning subtask for each anti-attack parameter learning element; executing each learning subtask in parallel; and, upon determining that the execution time of each learning subtask has reached the learning duration, setting the threshold value of each anti-attack parameter according to the parameter learned by the corresponding learning subtask.
The method and device have the advantage that the user does not need to collect information through third-party equipment or manually: the protection threshold values are configured through traffic learning, which greatly improves the usability and friendliness of the DDoS attack protection device.
Drawings
Fig. 1 is a flowchart illustrating the anti-attack method provided in the present application;
Fig. 2 is a flowchart illustrating the execution of a learning subtask and the output of its result in an embodiment of the present application;
Fig. 3 is a block diagram of the attack prevention device provided in the present application.
Detailed Description
A detailed description will be given of a number of examples shown in a number of figures. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present application. Well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the examples.
The term "including" as that term is used is meant to include, but is not limited to; the term "comprising" means including but not limited to; the terms "above," "within," and "below" include the instant numbers; the terms "greater than" and "less than" mean that the number is not included. The term "based on" means based on at least a portion thereof.
Fig. 1 is a flowchart illustrating the anti-attack method provided in the present application, where the method includes:
step 101, establishing an anti-attack parameter learning task, where the learning task at least comprises the IP address of the learning target device, a learning duration and a plurality of anti-attack parameter learning elements;
step 102, establishing a learning subtask for each anti-attack parameter learning element;
step 103, executing each learning subtask;
step 104, determining that the execution time of each learning subtask has reached the learning duration, and setting the threshold value of each anti-attack parameter according to the parameter learned by the corresponding learning subtask, in order to defend against distributed denial of service attacks.
The method and device have the advantage that the user does not need to collect information through third-party equipment or manually: the protection threshold values are configured through traffic learning, which greatly improves the usability and friendliness of the DDoS attack protection device.
In this application, when a new learning task is created, the input information of the learning task at least includes a learning name, the IP address of the learning target device, a learning duration and learning element information. The learning element information includes bandwidth, connection number, ports (TCP port, UDP port, HTTP port and the like) and port connection numbers (TCP connection number, UDP port connection number, HTTP connection number and the like). The user may also enter learning element information under the learning name on the basis of the learning task information.
The device extracts a learning task list from the entered learning task, decomposes the list into one learning subtask per learning element, and assigns a learning subtask ID to each learning subtask.
In this embodiment, the learning task list extracted by the device is shown in Table 1 (the table is an image in the original document and is not reproduced here).
Fig. 2 is a flowchart illustrating the execution of a learning subtask in an embodiment of the present application:
step 201, monitoring and analyzing network traffic, and recording the analyzed network traffic.
The device monitors and analyzes the service flow of each message it forwards, and stores the parameters of each service flow.
Step 202, matching against the learning task list.
Based on the learning task list, the device searches the recorded forwarded service flows for the flows that match the IP address of the learning target device.
Step 203, executing the task objective of each matched learning subtask based on the traffic parameters of the matched service flows.
For each matched learning subtask, the device obtains the parameters of that subtask's learning target from the traffic parameters of the matched service flows and learns them for the learning duration.
Step 204, judging whether the learning duration has elapsed; if yes, go to step 205, otherwise go back to step 201.
Step 205, outputting the result of each learning subtask.
The device can display the learning result of each subtask on a web interface, and the user can set the DDoS attack prevention parameters according to the learning result of each learning subtask in order to defend against DDoS attacks.
The method and device have the advantage that the DDoS anti-attack parameters are set on the basis of traffic self-learning, which greatly improves the usability and friendliness of the DDoS attack protection device and lets the user set a DDoS protection policy that is specific to the traffic actually forwarded by the device.
Fig. 3 is a block diagram of the attack prevention device provided in the present application. The device 30 comprises a forwarding module 31, a processor 32 and a memory 33; the memory 33 stores processor-executable instructions, and the processor 32, by executing the processor-executable instructions in the memory, is configured to perform the following: establishing an anti-attack parameter learning task, where the learning task at least comprises the IP address of the learning target device, a learning duration and a plurality of anti-attack parameter learning elements; establishing a learning subtask for each anti-attack parameter learning element; executing each learning subtask; and, upon determining that the execution time of each learning subtask has reached the learning duration, setting the threshold value of each anti-attack parameter according to the parameter learned by the corresponding learning subtask. The plurality of anti-attack parameter learning elements at least comprise a bandwidth learning element, a connection number learning element, a port learning element and a port connection number learning element.
After the processor 32, by executing the processor-executable instructions in the memory 33, has established a learning subtask for each anti-attack parameter learning element, it also performs the following: assigning an identifier to each learning subtask, and executing each learning subtask in parallel.
The processor 32 executes each learning subtask by executing the processor-executable instructions in the memory 33, which includes: recording the traffic parameters of each service flow forwarded by the forwarding module; searching the recorded forwarded service flows for the flows that match the IP address of the learning target device; and executing the task objective of each learning subtask based on the traffic parameters of the matched service flows. The task objectives of the learning subtasks include: learning the peak uplink and downlink network bandwidth within the learning duration, learning the peak message frequency of each protocol in the network traffic within the learning duration, learning the peak number of connections per second to the server within the learning duration, learning the open ports of the server within the learning duration, and learning the peak number of connections per second to each open server port within the learning duration.
The method and device have the advantage that the user does not need to collect information through third-party equipment or manually: the protection threshold values are configured through traffic learning, which greatly improves the usability and friendliness of the DDoS attack protection device.
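The learning procedure of Fig. 2 (steps 201 to 205) and the subtask objectives listed above, worked through as an added Python example; this is not code from the patent or its applicant. The flow-record format, the subtask functions, the subtask-ID scheme and the headroom factor of 1.5 used to turn learned peaks into thresholds are assumptions of this example (the patent leaves the final threshold choice to the user), and the traffic records are constructed, not captured.

```python
"""Traffic self-learning of DDoS protection thresholds (illustrative, not the patent's code)."""
import math
from collections import Counter, defaultdict
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FlowRecord:
    """One forwarded message as recorded by the forwarding module (assumed record format)."""
    ts: int            # seconds since the learning task started
    src_ip: str
    dst_ip: str
    proto: str         # "TCP", "UDP" or "HTTP"
    dst_port: int
    nbytes: int
    new_conn: bool     # True when this message opens a new connection


@dataclass
class LearningTask:
    """Input of step 101: name, learning target IP, learning duration, learning elements."""
    name: str
    target_ip: str
    duration_s: int
    elements: List[str]


# --- step 202: keep only the learning target's flows inside the learning duration ---
def match_flows(records, task):
    return [r for r in records
            if r.ts < task.duration_s and task.target_ip in (r.src_ip, r.dst_ip)]


# --- step 203: task objectives of the four learning elements (assumed definitions) ---
def learn_bandwidth(recs, task):
    """Peak uplink (towards the server) and downlink (from the server) bytes per second."""
    up, down = Counter(), Counter()
    for r in recs:
        (up if r.dst_ip == task.target_ip else down)[r.ts] += r.nbytes
    return {"uplink_bps_peak": max(up.values(), default=0),
            "downlink_bps_peak": max(down.values(), default=0)}


def learn_connections(recs, task):
    """Peak new connections per second to the server, and peak messages per second per protocol."""
    conns = Counter(r.ts for r in recs if r.new_conn and r.dst_ip == task.target_ip)
    msgs = defaultdict(Counter)
    for r in recs:
        msgs[r.proto][r.ts] += 1
    return {"conn_per_s_peak": max(conns.values(), default=0),
            "proto_msg_per_s_peak": {p: max(c.values()) for p, c in msgs.items()}}


def learn_ports(recs, task):
    """Server ports that received traffic during learning are treated as open."""
    return {"open_ports": sorted({r.dst_port for r in recs if r.dst_ip == task.target_ip})}


def learn_port_connections(recs, task):
    """Per open port, peak new connections per second."""
    per_port = defaultdict(Counter)
    for r in recs:
        if r.new_conn and r.dst_ip == task.target_ip:
            per_port[r.dst_port][r.ts] += 1
    return {"port_conn_per_s_peak": {p: max(c.values()) for p, c in per_port.items()}}


SUBTASKS = {"bandwidth": learn_bandwidth, "connections": learn_connections,
            "ports": learn_ports, "port_connections": learn_port_connections}


def run_learning_task(task, records):
    """Steps 102-104: one subtask per element, each with an ID, executed in parallel."""
    matched = match_flows(records, task)
    subtasks = {f"{task.name}-{i}": SUBTASKS[e] for i, e in enumerate(task.elements, 1)}
    with ThreadPoolExecutor(max_workers=len(subtasks)) as pool:
        futures = {sid: pool.submit(fn, matched, task) for sid, fn in subtasks.items()}
        return {sid: f.result() for sid, f in futures.items()}   # step 205: per-subtask results


def thresholds_from_results(results, headroom=1.5):
    """Derive protection thresholds from learned peaks; the headroom factor is an assumption."""
    merged = {}
    for res in results.values():
        merged.update(res)
    scale = lambda v: math.ceil(v * headroom)
    return {k: (scale(v) if isinstance(v, int) else
                {kk: scale(vv) for kk, vv in v.items()} if isinstance(v, dict) else v)
            for k, v in merged.items()}


# Constructed sample records: a web/SSH/DNS server at 192.0.2.10 observed for 5 seconds.
SAMPLE_RECORDS = [
    FlowRecord(0, "10.0.0.5", "192.0.2.10", "TCP", 22, 800, True),
    FlowRecord(0, "10.0.0.6", "192.0.2.10", "HTTP", 80, 1200, True),
    FlowRecord(0, "192.0.2.10", "10.0.0.6", "HTTP", 80, 9000, False),
    FlowRecord(1, "10.0.0.7", "192.0.2.10", "HTTP", 80, 1500, True),
    FlowRecord(1, "10.0.0.8", "192.0.2.10", "HTTP", 80, 1100, True),
    FlowRecord(1, "192.0.2.10", "10.0.0.7", "HTTP", 80, 20000, False),
    FlowRecord(2, "10.0.0.9", "192.0.2.10", "UDP", 53, 300, True),
    FlowRecord(2, "10.0.0.9", "198.51.100.1", "UDP", 53, 300, True),  # other host: not matched
    FlowRecord(5, "10.0.0.5", "192.0.2.10", "TCP", 22, 64000, True),  # after the duration: ignored
]
TASK = LearningTask("web-baseline", "192.0.2.10", duration_s=5, elements=list(SUBTASKS))

if __name__ == "__main__":
    learned = run_learning_task(TASK, SAMPLE_RECORDS)
    for sid, res in learned.items():
        print(sid, res)
    print("thresholds:", thresholds_from_results(learned))
```

Each learning element becomes its own subtask with an ID and runs in its own worker, matching the parallel execution of claim 1; the duration check of step 204 is modelled by discarding records with a timestamp at or beyond the learning duration, and the record for another host shows why step 202 filters by the learning target's IP address before any peak is computed.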
The present invention is not intended to be limited to the particular embodiments shown and described, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method of protecting against attacks, the method comprising:
establishing an anti-attack parameter learning task; wherein the anti-attack parameter learning task at least comprises: learning an IP address of target equipment, learning duration and a plurality of attack prevention parameter learning elements;
establishing a learning subtask for each anti-attack parameter learning element;
executing each of the learning subtasks in parallel;
and determining that the execution time of each learning subtask reaches the learning duration, and setting a threshold value of an anti-attack parameter according to the learned parameter of each learning subtask to defend against the distributed denial of service attack.
2. The method of claim 1, wherein the plurality of anti-attack parameter learning elements comprises at least: a bandwidth learning element, a connection number learning element, a port learning element, and a port connection number learning element.
3. The method of claim 1, wherein after establishing a learning subtask for each attack-prevention parameter learning element, the method further comprises:
and respectively identifying the subtasks for each learning subtask.
4. The method of claim 2, wherein performing each of the learning subtasks comprises:
recording the flow parameters of each forwarded service flow;
searching matched service flows in each service flow which is recorded and forwarded according to the IP address of the learning target equipment;
and executing the task target of each learning subtask based on the matched flow parameters of the service flow.
5. The method of claim 4, wherein the task objectives of each of the learning subtasks include: learning network uplink and downlink bandwidth peak values in the learning time length, learning network flow protocol message frequency peak values in the learning time length, learning a server per second connection number peak value in the learning time length, learning a server open port in the learning time length, and learning a server open port per second connection number peak value in the learning time length.
6. An attack-resistant device, the device comprising a forwarding module, a processor, and a memory; the memory is to store processor-executable instructions; wherein the processor executes processor-executable instructions in the memory to:
establishing an anti-attack parameter learning task; wherein the anti-attack parameter learning task at least comprises: learning an IP address of target equipment, learning duration and a plurality of attack prevention parameter learning elements;
establishing a learning subtask for each anti-attack parameter learning element;
executing each of the learning subtasks in parallel;
and determining that the execution time of each learning subtask reaches the learning duration, and setting a threshold value of an anti-attack parameter according to the learned parameter of each learning subtask.
7. The apparatus of claim 6, wherein the plurality of anti-attack parameter learning elements comprises at least: a bandwidth learning element, a connection number learning element, a port learning element, and a port connection number learning element.
8. The apparatus of claim 6, wherein the processor executes the processor-executable instructions in the memory to establish a learning subtask for each attack prevention parameter learning element, and then executes the following processing:
and respectively identifying the subtasks for each learning subtask.
9. The device of claim 7, wherein the processor executing each of the learning subtasks by executing the processor-executable instructions in the memory comprises:
recording the flow parameters of each service flow forwarded by the forwarding module;
searching matched service flows in each service flow which is recorded and forwarded according to the IP address of the learning target equipment;
and executing the task target of each learning subtask based on the matched flow parameters of the service flow.
10. The apparatus of claim 9, wherein the task objectives of each of the learning subtasks include: learning network uplink and downlink bandwidth peak values in the learning time length, learning network flow protocol message frequency peak values in the learning time length, learning a server per second connection number peak value in the learning time length, learning a server open port in the learning time length, and learning a server open port per second connection number peak value in the learning time length.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110461464.2A CN113194086B (en) 2021-04-27 2021-04-27 Anti-attack method and device
Publications (2)

Publication Number Publication Date
CN113194086A (en) 2021-07-30
CN113194086B (en) 2022-05-27

Family

ID=76979637
Country Status (1)

Country Link
CN (1) CN113194086B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107276808A (en) * 2017-06-21 2017-10-20 北京华创网安科技股份有限公司 A kind of optimization method of Traffic Anomaly monitoring
CN108574668A (en) * 2017-03-10 2018-09-25 北京大学 A kind of ddos attack peak flow prediction technique based on machine learning
CN108768876A (en) * 2018-06-05 2018-11-06 清华大学深圳研究生院 A kind of traffic scheduling method of Machine oriented learning framework
CN109743314A (en) * 2018-12-29 2019-05-10 杭州迪普科技股份有限公司 Monitoring method, device, computer equipment and its storage medium of Network Abnormal
CN109948674A (en) * 2019-03-05 2019-06-28 清华大学 Method for measuring similarity and system based on depth meta learning
CN110399222A (en) * 2019-07-25 2019-11-01 北京邮电大学 GPU cluster deep learning task parallel method, device and electronic equipment
CN111181930A (en) * 2019-12-17 2020-05-19 中移(杭州)信息技术有限公司 DDoS attack detection method, device, computer equipment and storage medium
CN111310922A (en) * 2020-03-27 2020-06-19 北京奇艺世纪科技有限公司 Method, device, equipment and storage medium for processing deep learning calculation task
CN112395062A (en) * 2020-11-17 2021-02-23 深圳前海微众银行股份有限公司 Task processing method, device, equipment and computer readable storage medium
US20210081787A1 (en) * 2019-09-12 2021-03-18 Beijing University Of Posts And Telecommunications Method and apparatus for task scheduling based on deep reinforcement learning, and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113890746A (en) * 2021-08-16 2022-01-04 曙光信息产业(北京)有限公司 Attack traffic identification method, device, equipment and storage medium
CN113890746B (en) * 2021-08-16 2024-05-07 曙光信息产业(北京)有限公司 Attack traffic identification method, device, equipment and storage medium
CN113904835A (en) * 2021-09-30 2022-01-07 新华三信息安全技术有限公司 Attack prevention method and device for message uploading to CPU
CN113904835B (en) * 2021-09-30 2023-10-24 新华三信息安全技术有限公司 Anti-attack method and device for message to CPU

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant