CN113452647B - Feature identification method, feature identification device, electronic equipment and computer-readable storage medium - Google Patents


Info

Publication number: CN113452647B
Authority: CN (China)
Prior art keywords: http, address, concentration, features, attack
Legal status: Active
Application number: CN202010212359.0A
Other languages: Chinese (zh)
Other versions: CN113452647A (en)
Inventors: 白艳富, 钱华钩
Current assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L 2463/146 Tracing the source of attacks

Abstract

The application discloses a feature identification method, a feature identification device, electronic equipment and a computer-readable storage medium, and relates to the technical field of network security. The specific implementation scheme is as follows: determining a first class of IP addresses and a second class of IP addresses according to the abnormal traffic condition, where the first class of IP addresses are normal IP addresses and the second class of IP addresses are suspicious IP addresses; separately counting the traffic characteristic data of the first class and the second class of IP addresses within a preset time period; and identifying CC attack traffic characteristics according to the traffic characteristic data. According to the embodiments of the application, CC attack traffic characteristics can be identified efficiently, so that the identification rate of CC attacks is improved.

Description

Feature identification method, feature identification device, electronic equipment and computer-readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular to a feature identification method and apparatus, an electronic device, and a computer-readable storage medium.
Background
A CC (Challenge Collapsar) attack is one kind of DDoS attack. It is more technical than other DDoS attacks, and one of the main reasons it is difficult to prevent is that it disguises itself. The currently common CC attack identification method is as follows: by summarizing network traffic within a period of time, an Internet Protocol (IP) address with an excessively large and clearly abnormal access volume is determined to be a CC attack source IP address, and the CC attack is defended against by blocking the traffic of that source IP address. However, when an attacker uses multiple attack source IP addresses, the difference between an attack source IP address and a normal IP address is small, and false positives or false negatives are likely, so the recognition rate of CC attacks is low.
Disclosure of Invention
The embodiments of the present application provide a feature identification method and apparatus, an electronic device and a computer-readable storage medium, aiming to solve the problem that existing CC attack identification has a low recognition rate.
In order to solve the technical problem, the present application is implemented as follows:
in a first aspect, an embodiment of the present application provides a feature identification method, including:
determining a first class of IP addresses and a second class of IP addresses according to the abnormal traffic condition, where the first class of IP addresses are normal IP addresses and the second class of IP addresses are suspicious IP addresses;
separately counting the traffic characteristic data of the first class and the second class of IP addresses within a preset time period;
and identifying CC attack traffic characteristics according to the traffic characteristic data.
Therefore, by means of the counted traffic characteristic data of the normal IP address and the suspicious IP address, the traffic characteristic of the normal IP address and the traffic characteristic of the suspicious IP address can be distinguished, so that the CC attack traffic characteristic can be identified efficiently, and the identification rate of the CC attack is improved.
Optionally, the traffic characteristic data includes the following contents:
a first HTTP request number, i.e. the number of HTTP requests from the first class of IP addresses;
a second HTTP request number, i.e. the number of HTTP requests from the second class of IP addresses;
a number of occurrences of each of a plurality of HTTP features;
where the HTTP features include at least one of HTTP request features and HTTP response features, and the IP addresses corresponding to an HTTP feature are the first-class IP addresses and/or the second-class IP addresses.
In this way, statistics of different classes of traffic characteristic data can be achieved based on parsing of HTTP request and response information.
Optionally, the identifying CC attack traffic characteristics according to the traffic characteristic data includes:
calculating the concentration and/or the suspiciousness of each HTTP feature;
identifying CC attack traffic features according to the concentration and/or the suspiciousness of each HTTP feature;
where the concentration of an HTTP feature comprises a first concentration and a second concentration, the first concentration being the ratio of the number of occurrences of the HTTP feature to the first HTTP request number, and the second concentration being the ratio of the number of occurrences of the HTTP feature to the second HTTP request number; the suspiciousness of the HTTP feature is the ratio of the second concentration to the first concentration.
Therefore, the HTTP features of normal IP addresses and the HTTP features of suspicious IP addresses can be effectively distinguished through the calculated concentration and/or suspiciousness of the HTTP features, and the CC attack traffic features can be identified.
Optionally, the identifying CC attack traffic characteristics according to the concentration and/or the suspiciousness of each HTTP characteristic includes:
identifying the CC attack traffic features according to the concentration and/or the suspiciousness of each HTTP feature by adopting at least one of the following rules:
if the suspiciousness of an HTTP request feature exceeds a first preset threshold, determining the HTTP request feature to be a CC attack traffic feature;
if the second concentration of an HTTP request feature exceeds a second preset threshold, determining the HTTP request feature to be a CC attack traffic feature;
if the first concentration of an HTTP request feature is lower than a third preset threshold, its second concentration exceeds a fourth preset threshold, and the HTTP request feature is not in a preset feature list, determining the HTTP request feature to be a CC attack traffic feature;
if an HTTP response feature is the 404 status code and the second concentration of that HTTP response feature exceeds a fifth preset threshold, determining the HTTP request feature corresponding to that HTTP response feature to be a CC attack traffic feature;
and if an HTTP response feature is a non-404 status code, the second concentrations of that HTTP response feature and of its corresponding HTTP request feature each exceed a respective sixth preset threshold, and the first concentrations of that HTTP response feature and of its corresponding HTTP request feature are each lower than a respective seventh preset threshold, determining the HTTP request feature corresponding to that HTTP response feature to be a CC attack traffic feature.
Therefore, by means of the rule, the CC attack traffic characteristics can be conveniently and effectively identified.
Optionally, the HTTP request feature is at least one of a URL field, a Host field, a User-Agent field, and a Referer field in the HTTP request;
and/or
the HTTP response feature is at least one of a 404 status code and a non-404 status code.
Optionally, the determining the first type of IP address and the second type of IP address according to the abnormal traffic condition includes:
determining a CC attack start time according to the abnormal traffic condition;
determining the IP addresses that made normal-traffic accesses within a first time period to be the first class of IP addresses, and determining the IP addresses appearing within a second time period that differ from the first class of IP addresses to be the second class of IP addresses;
where the first time period is a period of a first duration before the CC attack start time, and the second time period is a period of a second duration after the CC attack start time.
Thus, the IP address classification is carried out by taking the determined CC attack starting time as a demarcation point, and the accuracy of the IP address classification can be improved.
In a second aspect, an embodiment of the present application further provides a feature identification apparatus, including:
a determining module, configured to determine a first class of IP addresses and a second class of IP addresses according to the abnormal traffic condition, where the first class of IP addresses are normal IP addresses and the second class of IP addresses are suspicious IP addresses;
a statistics module, configured to separately count the traffic characteristic data of the first class and the second class of IP addresses within a preset time period;
and an identification module, configured to identify CC attack traffic characteristics according to the traffic characteristic data.
Optionally, the traffic characteristic data includes the following contents:
a first HTTP request number, i.e. the number of HTTP requests from the first class of IP addresses;
a second HTTP request number, i.e. the number of HTTP requests from the second class of IP addresses;
a number of occurrences of each of a plurality of HTTP features;
where the HTTP features include at least one of HTTP request features and HTTP response features, and the IP addresses corresponding to an HTTP feature are the first-class IP addresses and/or the second-class IP addresses.
Optionally, the identification module comprises:
a computing unit, configured to compute the concentration and/or the suspiciousness of each HTTP feature;
an identification unit, configured to identify CC attack traffic features according to the concentration and/or the suspiciousness of each HTTP feature;
where the concentration of an HTTP feature comprises a first concentration and a second concentration, the first concentration is the ratio of the number of occurrences of the HTTP feature to the first HTTP request number, and the second concentration is the ratio of the number of occurrences of the HTTP feature to the second HTTP request number; the suspiciousness of the HTTP feature is the ratio of the second concentration to the first concentration.
Optionally, the identification unit is configured to:
identifying the CC attack traffic features according to the concentration and/or the suspiciousness of each HTTP feature by adopting at least one of the following rules:
if the suspiciousness of an HTTP request feature exceeds a first preset threshold, determining the HTTP request feature to be a CC attack traffic feature;
if the second concentration of an HTTP request feature exceeds a second preset threshold, determining the HTTP request feature to be a CC attack traffic feature;
if the first concentration of an HTTP request feature is lower than a third preset threshold, its second concentration exceeds a fourth preset threshold, and the HTTP request feature is not in a preset feature list, determining the HTTP request feature to be a CC attack traffic feature;
if an HTTP response feature is the 404 status code and the second concentration of that HTTP response feature exceeds a fifth preset threshold, determining the HTTP request feature corresponding to that HTTP response feature to be a CC attack traffic feature;
and if an HTTP response feature is a non-404 status code, the second concentrations of that HTTP response feature and of its corresponding HTTP request feature each exceed a respective sixth preset threshold, and the first concentrations of that HTTP response feature and of its corresponding HTTP request feature are each lower than a respective seventh preset threshold, determining the HTTP request feature corresponding to that HTTP response feature to be a CC attack traffic feature.
Optionally, the HTTP request feature is at least one of a URL field, a Host field, a User-Agent field, and a Referer field in the HTTP request;
and/or
the HTTP response feature is at least one of a 404 status code and a non-404 status code.
Optionally, the determining module includes:
a first determining unit, configured to determine a CC attack start time according to the abnormal traffic condition;
a second determining unit, configured to determine the IP addresses that made normal-traffic accesses within a first time period to be the first class of IP addresses, and to determine the IP addresses appearing within a second time period that differ from the first class of IP addresses to be the second class of IP addresses;
the first time period is a time period with a first duration before the CC attack starting time, and the second time period is a time period with a second duration after the CC attack starting time.
In a third aspect, an embodiment of the present application further provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, enabling the at least one processor to perform the feature identification method as described above.
In a fourth aspect, the present application further provides a non-transitory computer-readable storage medium storing computer instructions, where the computer instructions are configured to cause the computer to execute the feature identification method as described above.
According to another aspect of the present disclosure, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the method as described above.
One embodiment in the above application has the following advantages or benefits: the traffic characteristics of normal IP addresses and the traffic characteristics of suspicious IP addresses can be distinguished, so that CC attack traffic characteristics can be identified efficiently and the identification rate of CC attacks is improved. By separately counting, according to the abnormal traffic condition, the traffic characteristic data of the first class and the second class of IP addresses within a preset time period, and identifying the CC attack traffic characteristics from that data, the technical problem in the prior art that identifying CC attacks by traffic summarization has a low identification rate is solved, and the technical effect of improving the identification rate of CC attacks is achieved.
Other effects of the above-described alternative will be described below with reference to specific embodiments.
Drawings
The drawings are included to provide a better understanding of the present solution and are not to be considered limiting of the present application. Wherein:
FIG. 1 is a flow chart of the feature identification method of an embodiment of the present application;
fig. 2 is a block diagram of a feature identification apparatus for implementing a feature identification method of an embodiment of the present application;
fig. 3 is a block diagram of an electronic device for implementing the feature identification method of the embodiment of the present application.
Detailed Description
The following description of the exemplary embodiments of the present application, taken in conjunction with the accompanying drawings, includes various details of the embodiments of the application for the understanding of the same, which are to be considered exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
The terms first, second and the like in the description and in the claims of the present application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be practiced in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. In the description and in the claims "and/or" means at least one of the connected objects.
To facilitate understanding of the present application, the CC attack is first explained as follows. As one kind of DDoS attack, CC attacks are mainly used to attack web pages. The principle of a CC attack is that a large number of proxy servers initiate HTTP requests, continuously, to pages that consume comparatively many resources, so as to exhaust server resources; as a result, the page application becomes slow to access, and the server may even become unreachable. CC attacks are characterized by attack source IP addresses that are very scattered but real.
Based on the principle and characteristics of the CC attack, the embodiments of the present application provide a method for identifying CC attack traffic characteristics. By means of the counted traffic characteristic data of normal IP addresses and suspicious IP addresses, the traffic characteristics of normal IP addresses and the traffic characteristics of suspicious IP addresses can be distinguished, so that CC attack traffic characteristics can be identified efficiently, the identification rate of CC attacks is improved, and the various disguises used by an attacker can be better coped with. Furthermore, once the CC attack traffic characteristics have been identified, the CC attack traffic itself can be identified according to those characteristics, so that the server is protected by blocking the CC attack traffic.
Referring to fig. 1, fig. 1 is a flowchart of a feature identification method provided in an embodiment of the present application, where the method is applied to an electronic device, and as shown in fig. 1, the method includes the following steps:
step 101: and determining the first class IP address and the second class IP address according to the abnormal flow condition.
In this embodiment, the first type IP address is a normal IP address, and the second type IP address is a suspicious IP address. The suspected IP address may be understood as a type of IP address that cannot determine whether it is a normal IP address, i.e., may be a CC attack IP address or a normal IP address.
Aiming at the abnormal flow condition, the electronic equipment can judge whether the current flow consumed per second is larger than a preset threshold value or not in real time, if so, the electronic equipment is in the abnormal flow condition, otherwise, the electronic equipment is in the normal flow condition. When the abnormal flow condition is determined, the CC attack state can be determined, and the current time minus a suspicious time period can be recorded as the CC attack starting time. The suspicious period of time may be preset based on actual demand, such as 10 minutes min.
Optionally, the process of determining the first type IP address and the second type IP address in step 101 may be: determining CC attack starting time according to the abnormal flow condition; determining an IP address accessed by normal flow in a first time period as a first-class IP address, and determining an IP address different from the first-class IP address in a second time period as a second-class IP address; the first time period is a time period with a first duration before the CC attack starting time, and the second time period is a time period with a second duration after the CC attack starting time.
It is understood that the first time period and the second time period may be the same or different. The first and second time periods may be selected based on actual demand. For example, if it is determined that the time in the abnormal traffic condition (CC attack state) is 4 00 and the suspicious time period is 10min, it may be determined that the CC attack start time is 3; and if the preset first time period is 1 hour h and the second time period is 0.5h, then the first time period is determined to be 2. Further, IP addresses of normal traffic accesses occurring in 2.
In addition, in this embodiment, an IP reputation base may be further combined, an IP address appearing in the IP reputation base is recorded as a third-class IP address, traffic consumed by the third-class IP address is regarded as CC attack traffic, and the direct CC attack traffic is directly blocked to protect the server.
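As an added example (not the patent's own code) of step 101 as described above, the following Python classifies the source IP addresses in an access log into the first, second and optional third class. It assumes log records are (timestamp, ip) pairs and uses the 10 min suspicious period, 1 h first duration and 0.5 h second duration from the text; how an IP listed in the reputation base is reconciled with the other two classes is an assumption.

```python
from datetime import datetime, timedelta


def classify_ips(records, detected_at, suspicious_period=timedelta(minutes=10),
                 first_duration=timedelta(hours=1), second_duration=timedelta(minutes=30),
                 reputation_base=frozenset()):
    """Step 101: records is an iterable of (timestamp, source_ip); detected_at is the
    moment the abnormal traffic condition was observed.
    Returns (first_class, second_class, third_class) as sets of IP addresses."""
    attack_start = detected_at - suspicious_period   # current time minus suspicious period
    first_begin = attack_start - first_duration      # first period: [first_begin, attack_start)
    second_end = attack_start + second_duration      # second period: [attack_start, second_end]
    first_class, seen_after = set(), set()
    for ts, ip in records:
        if first_begin <= ts < attack_start:
            first_class.add(ip)
        elif attack_start <= ts <= second_end:
            seen_after.add(ip)
    # Assumption: an IP listed in the IP reputation base is third class regardless of
    # when it was seen; its traffic is treated as CC attack traffic outright.
    third_class = {ip for ip in first_class | seen_after if ip in reputation_base}
    first_class -= third_class
    # Seen after the attack start but not known to be normal: suspicious (second class).
    second_class = seen_after - first_class - third_class
    return first_class, second_class, third_class


# Constructed sample log: abnormal traffic is detected at 04:00, so the attack start
# time is 03:50, the first period 02:50-03:50 and the second period 03:50-04:20.
DETECTED_AT = datetime(2020, 3, 24, 4, 0)
SAMPLE_LOG = [
    (datetime(2020, 3, 24, 2, 30), "198.51.100.10"),  # before the first period: ignored
    (datetime(2020, 3, 24, 3, 0), "198.51.100.11"),   # first period: normal
    (datetime(2020, 3, 24, 3, 40), "198.51.100.12"),  # first period: normal
    (datetime(2020, 3, 24, 3, 55), "198.51.100.12"),  # also seen after the start: stays normal
    (datetime(2020, 3, 24, 3, 55), "203.0.113.20"),   # second period only: suspicious
    (datetime(2020, 3, 24, 4, 10), "203.0.113.21"),   # second period only: suspicious
    (datetime(2020, 3, 24, 4, 10), "203.0.113.99"),   # listed in the reputation base: third class
    (datetime(2020, 3, 24, 4, 30), "203.0.113.22"),   # after the second period: ignored
]
SAMPLE_REPUTATION_BASE = frozenset({"203.0.113.99"})


def run_sample():
    """Classify the constructed log with the durations given in the text."""
    return classify_ips(SAMPLE_LOG, DETECTED_AT, reputation_base=SAMPLE_REPUTATION_BASE)


if __name__ == "__main__":
    normal, suspicious, known_bad = run_sample()
    print("first class (normal):     ", sorted(normal))
    print("second class (suspicious):", sorted(suspicious))
    print("third class (reputation): ", sorted(known_bad))
```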
Step 102: separately counting the traffic characteristic data of the first class and the second class of IP addresses within a preset time period.
Optionally, the preset time period may be determined based on the CC attack start time, for example 1 hour or 2 hours after the CC attack start time. The traffic characteristic data may be obtained by parsing the HTTP request and response information, and may include the following:
a first HTTP request number, i.e. the number of HTTP requests from the first class of IP addresses;
a second HTTP request number, i.e. the number of HTTP requests from the second class of IP addresses;
a number of occurrences of each of a plurality of HTTP features, where the HTTP features comprise at least one of HTTP request features and HTTP response features, and the IP addresses corresponding to an HTTP feature are the first class and/or the second class of IP addresses.
Optionally, the HTTP request feature may be at least one of a Uniform Resource Locator (URL) field, a Host field, a User-Agent field, and a Referer field in the HTTP request. And/or, the HTTP response feature may be at least one of a 404 status code and a non-404 status code. The non-404 status codes may also be referred to as 4xx status codes, such as 401, 402, 403, 405, 406, 407, and so on.
Step 103: identifying CC attack traffic characteristics according to the traffic characteristic data.
According to the above feature identification method, by means of the counted traffic characteristic data of normal IP addresses and suspicious IP addresses, the traffic characteristics of normal IP addresses and those of suspicious IP addresses can be distinguished, so that CC attack traffic characteristics can be identified efficiently and the identification rate of CC attacks is improved.
In this embodiment of the present application, the process of identifying CC attack traffic characteristics according to the traffic characteristic data may be:
calculating the concentration and/or the suspiciousness of each HTTP feature;
and identifying the CC attack traffic features according to the concentration and/or the suspiciousness of each HTTP feature.
The concentration of an HTTP feature may comprise a first concentration and a second concentration. The first concentration is the ratio of the number of occurrences of the HTTP feature to the first HTTP request number (i.e., the number of HTTP requests from the first class of IP addresses). The second concentration is the ratio of the number of occurrences of the HTTP feature to the second HTTP request number (i.e., the number of HTTP requests from the second class of IP addresses). That is, the first concentration represents the ratio of the number of occurrences of an HTTP feature to the total number of requests from the normal class of IP addresses, and the second concentration represents the ratio of the number of occurrences of an HTTP feature to the total number of requests from the suspicious class of IP addresses. For an HTTP feature, the higher its first concentration, the higher the probability that it is a normal traffic feature; the higher its second concentration, the higher the probability that it is an attack traffic feature.
The suspiciousness of an HTTP feature is the ratio of its second concentration to its first concentration. For an HTTP feature, the higher its suspiciousness, the higher the probability that it is an attack traffic feature. Therefore, the HTTP features of normal IP addresses and the HTTP features of suspicious IP addresses can be effectively distinguished through the calculated concentration and/or suspiciousness of the HTTP features, and the identification of CC attack traffic features is achieved.
Further, the above process of identifying CC attack traffic characteristics according to the concentration and/or the suspiciousness of each HTTP characteristic may be:
and identifying the CC attack traffic characteristics according to the concentration and/or the suspiciousness of each HTTP characteristic by adopting at least one rule as follows:
1) If the suspicious degree of the HTTP request characteristic exceeds a first preset threshold value, determining the HTTP request characteristic as a CC attack flow characteristic;
for example, based on statistical traffic characteristic data, if the suspicious degree of the URL field 1 exceeds a preset threshold, the URL field 1 may be determined as a CC attack traffic characteristic; and if the suspicious degree of the URL field 2 does not exceed the preset threshold, determining that the URL field 2 is not the CC attack traffic characteristic.
For another example, based on the statistical traffic characteristic data, if the suspiciousness of the User-Agent field 1 exceeds a preset threshold, the User-Agent field 1 can be determined as the CC attack traffic characteristic; and if the suspicious degree of the User-Agent field 2 does not exceed the preset threshold, determining that the User-Agent field 2 is not the CC attack traffic characteristic.
2) If the second concentration of the HTTP request features exceeds a second preset threshold, determining the HTTP request features as CC attack traffic features;
for example, based on the statistical traffic characteristic data, if the second concentration of the URL field 3 exceeds a preset threshold, the URL field 3 may be determined as the CC attack traffic characteristic; and/or if the second concentration of the Host field 1 exceeds a preset threshold, determining the Host field 1 as the CC attack traffic characteristic; and/or if the second concentration of the referer field 1 exceeds a preset threshold, determining the referer field 1 as a CC attack traffic characteristic.
3) If the first concentration of the HTTP request features is lower than a third preset threshold, the second concentration of the HTTP request features exceeds a fourth preset threshold, and the HTTP request features are not in a preset feature list, determining the HTTP request features as CC attack traffic features;
for example, based on statistical traffic characteristic data, if the first concentration of the User-Agent field 2 is lower than a preset threshold, the second concentration of the User-Agent field 2 is higher than the preset threshold, and the User-Agent field 2 is not in a preset conventional User-Agent list, the User-Agent field 2 may be determined as a CC attack traffic characteristic.
For another example, based on the statistical traffic characteristic data, if the first concentration of the referer field 2 is lower than the preset threshold, the second concentration of the referer field 2 is higher than the preset threshold, and the referer field 2 is not in the preset conventional referer list, the referer field 2 may be determined as the CC attack traffic characteristic.
4) If the HTTP response characteristic is a 404 status code and the second concentration of the HTTP response characteristic exceeds a fifth preset threshold, determining the HTTP request characteristic corresponding to the HTTP response characteristic as a CC attack traffic characteristic;
for example, the HTTP request feature corresponding to the status code 404 in 4) may be a URL field, a Host field, a User-Agent field, or a referer field.
5) If the HTTP response characteristic is a non-404 status code, the second concentrations of the HTTP response characteristic and of the HTTP request characteristic corresponding to it both exceed their respective sixth preset threshold values, and the first concentrations of the HTTP response characteristic and of the corresponding HTTP request characteristic are both lower than their respective seventh preset threshold values, the HTTP request characteristic corresponding to the HTTP response characteristic is determined as a CC attack traffic characteristic.
For example, based on the statistical traffic characteristic data, if the second concentrations of a non-404 status code and of the corresponding Host field 2 exceed their respective preset thresholds, and the first concentrations of the non-404 status code and of the corresponding Host field 2 are lower than their respective preset thresholds, the Host field 2 may be determined as a CC attack traffic characteristic.
Therefore, by means of the rule, the CC attack traffic characteristics can be conveniently and effectively identified.
It should be noted that the first preset threshold, the second preset threshold, the third preset threshold, the fourth preset threshold, the fifth preset threshold, the sixth preset threshold, and the seventh preset threshold are preset based on actual requirements, and may be the same (partially the same or all the same), or different (partially different or all different), and this embodiment does not limit this.
The above rules are merely examples, and do not limit the specific implementation of the present application, and in some cases, other rules may be used to determine the CC attack traffic characteristics.
Furthermore, after the CC attack traffic characteristics are identified, the CC attack traffic can be identified according to the CC attack traffic characteristics, so that the purpose of protecting the server is achieved by means of blocking the CC attack traffic. For example, if it is determined that a certain Host field is a CC attack traffic feature, determining the traffic matched with the Host field as CC attack traffic; or if a certain User-Agent field is determined to be the CC attack traffic characteristic, determining the traffic matched with the User-Agent field as the CC attack traffic; or if determining that a certain referer field is the CC attack traffic characteristic, determining the traffic matched with the referer field as the CC attack traffic.
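As an added example (not code from the patent), the following Python computes the first and second concentrations and the suspiciousness from constructed HTTP log records, applies rules 1) to 5) with example thresholds, and then performs the traffic-matching step just described. The field names, IP addresses, threshold values, the preset feature list, and the reading that occurrences are counted separately per IP class are all assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass

REQUEST_FIELDS = ("url", "host", "user_agent", "referer")

@dataclass(frozen=True)
class Thresholds:                 # the seven preset thresholds; example values
    t1_susp: float = 3.0          # rule 1: suspiciousness above this
    t2_second: float = 0.9        # rule 2: second concentration above this
    t3_first: float = 0.1         # rule 3: first concentration below this and
    t4_second: float = 0.3        #         second concentration above this
    t5_404_second: float = 0.15   # rule 4: second concentration of 404 above this
    t6_second: float = 0.5        # rule 5: second concentrations above this and
    t7_first: float = 0.1         #         first concentrations below this

def features_of(rec):
    """(field, value) pairs: non-empty request fields plus ("status", "<code>")."""
    return [(f, rec[f]) for f in REQUEST_FIELDS if rec.get(f)] + [("status", str(rec["status"]))]

def feature_stats(records, normal_ips, suspicious_ips):
    """{feature: (first_conc, second_conc, suspiciousness)}; occurrences are counted
    per IP class, i.e. first_conc = occurrences among normal IPs / normal requests."""
    n1 = n2 = 0
    c1, c2 = Counter(), Counter()
    for rec in records:
        if rec["ip"] in normal_ips:
            n1, counter = n1 + 1, c1
        elif rec["ip"] in suspicious_ips:
            n2, counter = n2 + 1, c2
        else:
            continue                      # IP in neither class is ignored
        counter.update(features_of(rec))
    stats = {}
    for feat in set(c1) | set(c2):
        first = c1[feat] / n1 if n1 else 0.0
        second = c2[feat] / n2 if n2 else 0.0
        # second/first is undefined when the feature never occurs in normal
        # traffic; it is treated as infinite here (see the note below)
        susp = second / first if first > 0 else (math.inf if second > 0 else 0.0)
        stats[feat] = (first, second, susp)
    return stats

def identify_attack_features(records, stats, suspicious_ips, th, whitelist, linked_fields=("url",)):
    """{request feature: set of rules that fired}. For rules 4 and 5 the request features
    'corresponding to' a response are taken to be the linked_fields of suspicious-IP
    requests that received that status code (an assumption of this example)."""
    fired = {}
    mark = lambda feat, rule: fired.setdefault(feat, set()).add(rule)
    for feat, (first, second, susp) in stats.items():
        if feat[0] == "status":
            continue
        if susp > th.t1_susp:
            mark(feat, 1)
        if second > th.t2_second:
            mark(feat, 2)
        if first < th.t3_first and second > th.t4_second and feat not in whitelist:
            mark(feat, 3)
    for (field, code), (s_first, s_second, _) in stats.items():
        if field != "status":
            continue
        if code == "404" and s_second > th.t5_404_second:
            rule = 4
        elif code != "404" and s_second > th.t6_second and s_first < th.t7_first:
            rule = 5
        else:
            continue
        for rec in records:
            if rec["ip"] not in suspicious_ips or str(rec["status"]) != code:
                continue
            for feat in ((f, rec[f]) for f in linked_fields if rec.get(f)):
                first, second, _ = stats[feat]
                if rule == 4 or (second > th.t6_second and first < th.t7_first):
                    mark(feat, rule)
    return fired

def match_traffic(records, attack_features):
    """Blocking step: a request whose URL/Host/User-Agent/Referer equals any
    identified attack feature is classified as CC attack traffic."""
    return [r for r in records if any(f in attack_features for f in features_of(r))]

# Constructed sample: 10.0.0.1/.2 seen in the first time period (normal),
# 10.0.0.3/.4 only in the second time period (suspicious).
NORMAL_IPS, SUSPICIOUS_IPS = {"10.0.0.1", "10.0.0.2"}, {"10.0.0.3", "10.0.0.4"}
WHITELIST = {("user_agent", "Firefox"), ("user_agent", "Chrome")}  # preset feature list
KEYS = ("ip", "url", "host", "user_agent", "referer", "status")
LOG = [dict(zip(KEYS, row)) for row in [
    ("10.0.0.1", "/index", "www.example.test", "Firefox", "", 200),
    ("10.0.0.1", "/about", "www.example.test", "Firefox", "/index", 200),
    ("10.0.0.2", "/index", "www.example.test", "Chrome", "", 200),
    ("10.0.0.2", "/login", "www.example.test", "Chrome", "/index", 200),
    ("10.0.0.2", "/v1/ping", "api.example.test", "Chrome", "", 200),
    ("10.0.0.3", "/login", "www.example.test", "BotUA/1.0", "", 200),
    ("10.0.0.3", "/login", "www.example.test", "BotUA/1.0", "", 200),
    ("10.0.0.4", "/login", "www.example.test", "BotUA/1.0", "", 200),
    ("10.0.0.4", "/login", "www.example.test", "BotUA/1.0", "", 200),
    ("10.0.0.4", "/admin.php", "api.example.test", "Firefox", "", 404),
]]

def run_example():
    stats = feature_stats(LOG, NORMAL_IPS, SUSPICIOUS_IPS)
    fired = identify_attack_features(LOG, stats, SUSPICIOUS_IPS, Thresholds(), WHITELIST)
    return stats, fired, match_traffic(LOG, fired)
```

Two things worth noticing in the output: the normal user's own /login request is matched as attack traffic because the blocking step keys on the feature value rather than the source IP, and any value absent from the normal baseline receives infinite suspiciousness, so a minimum-count floor would be needed before rule 1 is trusted on low-volume features.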
Referring to fig. 2, fig. 2 is a schematic structural diagram of a feature identification apparatus according to an embodiment of the present application, and as shown in fig. 2, the feature identification apparatus 20 includes:
the determining module 21 is configured to determine a first type IP address and a second type IP address according to a traffic anomaly condition; the first type of IP address is a normal IP address, and the second type of IP address is a suspicious IP address;
the statistical module 22 is configured to separately count traffic characteristic data of the first class IP address and the second class IP address within a preset time period;
and the identification module 23 is configured to identify CC attack traffic characteristics according to the traffic characteristic data.
Optionally, the traffic characteristic data includes the following contents:
a first HTTP request number of the first type of IP address;
a second HTTP request number of times for the second class of IP addresses;
a number of occurrences of each of a plurality of HTTP features;
wherein the HTTP features include at least one of HTTP request features and HTTP response features; and the IP address corresponding to the HTTP feature is the first-class IP address and/or the second-class IP address.
Optionally, the identification module 23 includes:
the computing unit is used for computing the concentration degree and/or the suspiciousness degree of each HTTP feature;
the identification unit is used for identifying the CC attack traffic characteristics according to the concentration and/or the suspiciousness of each HTTP characteristic;
the concentration of the HTTP features comprises a first concentration and a second concentration, the first concentration is a ratio of the number of occurrences of the HTTP features to the number of occurrences of the first HTTP requests, and the second concentration is a ratio of the number of occurrences of the HTTP features to the number of occurrences of the second HTTP requests; the suspiciousness of the HTTP feature is a ratio of the second concentration to the first concentration.
Optionally, the identification unit is configured to:
and identifying the CC attack traffic characteristics according to the concentration and/or the suspiciousness of each HTTP characteristic by adopting at least one of the following rules:
if the suspicious degree of the HTTP request characteristic exceeds a first preset threshold value, determining the HTTP request characteristic as a CC attack flow characteristic;
if the second concentration of the HTTP request features exceeds a second preset threshold, determining the HTTP request features as CC attack traffic features;
if the first concentration of the HTTP request features is lower than a third preset threshold, the second concentration of the HTTP request features exceeds a fourth preset threshold, and the HTTP request features are not in a preset feature list, determining the HTTP request features as CC attack traffic features;
if the HTTP response characteristics are 404 state codes and the second concentration of the HTTP response characteristics exceeds a fifth preset threshold, determining the HTTP request characteristics corresponding to the HTTP response characteristics as CC attack traffic characteristics;
and if the HTTP response characteristics are non-404 state codes, the second concentration ratios of the HTTP response characteristics and the HTTP request characteristics corresponding to the HTTP response characteristics exceed respective sixth preset threshold values, and the first concentration ratios of the HTTP response characteristics and the HTTP request characteristics corresponding to the HTTP response characteristics are lower than respective seventh preset threshold values, determining the HTTP request characteristics corresponding to the HTTP response characteristics as CC attack traffic characteristics.
Optionally, the HTTP request characteristic is: at least one of a URL field, a Host field, a User-Agent field, and a Referer field in the HTTP request;
and/or,
the HTTP response characteristic is: at least one of a 404 status code and a non-404 status code.
Optionally, the determining module 21 includes:
the first determining unit is used for determining the CC attack starting time according to the traffic anomaly condition;
a second determining unit, configured to determine an IP address accessed by normal traffic in a first time period as the first type of IP address, and determine an IP address different from the first type of IP address in a second time period as the second type of IP address;
the first time period is a time period with a first duration before the CC attack starting time, and the second time period is a time period with a second duration after the CC attack starting time.
It can be understood that the feature identification apparatus 20 according to the embodiment of the present application can implement the processes implemented in the embodiment of the method shown in fig. 1 and achieve the same beneficial effects, and in order to avoid repetition, the details are not repeated here.
According to an embodiment of the present application, the present application further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements each process implemented in the embodiment of the method shown in fig. 1, and achieves the same beneficial effects, and details are not described here to avoid repetition.
According to an embodiment of the present application, an electronic device and a readable storage medium are also provided.
Fig. 3 is a block diagram of an electronic device for implementing the feature identification method according to the embodiment of the present application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic devices may also represent various forms of mobile devices, such as personal digital processors, cellular telephones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the present application that are described and/or claimed herein.
As shown in fig. 3, the electronic apparatus includes: one or more processors 301, memory 302, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are interconnected using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions for execution within the electronic device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output apparatus (such as a display device coupled to the interface). In other embodiments, multiple processors and/or multiple buses may be used, along with multiple memories, as desired. Also, multiple electronic devices may be connected, with each device providing portions of the necessary operations (e.g., as a server array, a group of blade servers, or a multi-processor system). In fig. 3, one processor 301 is taken as an example.
Memory 302 is a non-transitory computer readable storage medium as provided herein. The memory stores instructions executable by at least one processor to cause the at least one processor to perform the feature identification method provided herein. The non-transitory computer-readable storage medium of the present application stores computer instructions for causing a computer to perform the feature identification method provided by the present application.
The memory 302, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules (e.g., the determining module 21, the statistical module 22, and the identification module 23 shown in fig. 2) corresponding to the feature identification method in the embodiment of the present application. The processor 301 executes various functional applications of the server and data processing by executing the non-transitory software programs, instructions, and modules stored in the memory 302, that is, implements the feature identification method in the above-described method embodiments.
The memory 302 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by use of the electronic device, and the like. Further, the memory 302 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 302 may optionally include memory located remotely from the processor 301, which may be connected to the electronic device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The electronic device of the feature identification method may further include: an input device 303 and an output device 304. The processor 301, the memory 302, the input device 303 and the output device 304 may be connected by a bus or other means, and fig. 3 illustrates the connection by a bus as an example.
The input device 303 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic equipment of the feature identification method, such as a touch screen, a keypad, a mouse, a track pad, a touch pad, a pointer, one or more mouse buttons, a track ball, a joystick, or other input device. The output devices 304 may include a display device, auxiliary lighting devices (e.g., LEDs), and haptic feedback devices (e.g., vibrating motors), among others. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device can be a touch screen.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, Application Specific Integrated Circuits (ASICs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
These computer programs (also known as programs, software applications, or code) include machine instructions for a programmable processor, and may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
According to the technical scheme of the embodiment of the application, the traffic characteristics of the normal IP address and the traffic characteristics of the suspicious IP address can be distinguished by means of the counted traffic characteristic data of the normal IP address and the suspicious IP address, so that the CC attack traffic characteristics can be efficiently identified, and the identification rate of the CC attack is improved. Furthermore, after the CC attack traffic characteristics are identified, the CC attack traffic can be identified according to the CC attack traffic characteristics, so that the aim of protecting the server is fulfilled by blocking the CC attack traffic.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present application may be executed in parallel, sequentially, or in different orders, as long as the desired results of the technical solutions disclosed in the present application can be achieved, and the present invention is not limited herein.
The above-described embodiments should not be construed as limiting the scope of the present application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A method of feature identification, comprising:
determining a first type of Internet Protocol (IP) address and a second type of IP address according to a traffic anomaly condition; the first type of IP address is a normal IP address, and the second type of IP address is a suspicious IP address;
respectively counting the traffic characteristic data of the first type of IP address and the second type of IP address in a preset time period;
according to the traffic characteristic data, identifying CC attack traffic characteristics;
the traffic characteristic data comprises the following:
a first HTTP request number of the first type of IP address;
a second HTTP request number of times for the second class of IP addresses;
a number of occurrences of each of a plurality of HTTP features;
wherein the HTTP features include at least one of HTTP request features and HTTP response features; the IP address corresponding to the HTTP feature is the first type of IP address and/or the second type of IP address;
the identifying of the CC attack traffic characteristics according to the traffic characteristic data comprises the following steps:
calculating the concentration and/or the suspiciousness of each HTTP feature;
according to the concentration and/or the suspiciousness of each HTTP feature, identifying CC attack traffic features;
the concentration of the HTTP features comprises a first concentration and a second concentration, the first concentration is a ratio of the number of occurrences of the HTTP features to the number of occurrences of the first HTTP requests, and the second concentration is a ratio of the number of occurrences of the HTTP features to the number of occurrences of the second HTTP requests; the suspiciousness of the HTTP feature is a ratio of the second concentration to the first concentration.
2. The method of claim 1, wherein said identifying CC attack traffic characteristics according to the concentration and/or suspiciousness of each said HTTP feature comprises:
and identifying the CC attack traffic characteristics according to the concentration and/or the suspiciousness of each HTTP characteristic by adopting at least one of the following rules:
if the suspiciousness of the HTTP request characteristic exceeds a first preset threshold value, determining the HTTP request characteristic as a CC attack traffic characteristic;
if the second concentration of the HTTP request features exceeds a second preset threshold, determining the HTTP request features as CC attack traffic features;
if the first concentration of the HTTP request features is lower than a third preset threshold, the second concentration of the HTTP request features exceeds a fourth preset threshold, and the HTTP request features are not in a preset feature list, determining the HTTP request features as CC attack traffic features;
if the HTTP response characteristic is a 404 status code and the second concentration of the HTTP response characteristic exceeds a fifth preset threshold, determining the HTTP request characteristic corresponding to the HTTP response characteristic as a CC attack traffic characteristic;
and if the HTTP response characteristic is a non-404 status code, the second concentrations of the HTTP response characteristic and of the HTTP request characteristic corresponding to it both exceed their respective sixth preset threshold values, and the first concentrations of the HTTP response characteristic and of the corresponding HTTP request characteristic are both lower than their respective seventh preset threshold values, determining the HTTP request characteristic corresponding to the HTTP response characteristic as a CC attack traffic characteristic.
3. The method of claim 1, wherein,
the HTTP request characteristic is: at least one of a Uniform Resource Locator (URL) field, a Host field, a User-Agent field and a Referer field in the HTTP request;
and/or,
the HTTP response characteristic is: at least one of a 404 status code and a non-404 status code.
4. The method of claim 1, wherein the determining a first type of IP address and a second type of IP address based on traffic anomalies comprises:
determining the CC attack starting time according to the traffic anomaly condition;
determining an IP address accessed by normal traffic in a first time period as the first type of IP address, and determining an IP address different from the first type of IP address in a second time period as the second type of IP address;
the first time period is a time period with a first duration before the CC attack starting time, and the second time period is a time period with a second duration after the CC attack starting time.
5. A feature identification apparatus comprising:
the determining module is used for determining a first type of IP address and a second type of IP address according to a traffic anomaly condition; the first type of IP address is a normal IP address, and the second type of IP address is a suspicious IP address;
the statistical module is used for respectively counting the traffic characteristic data of the first type of IP addresses and the second type of IP addresses within a preset time period;
the identification module is used for identifying CC attack traffic characteristics according to the traffic characteristic data;
the traffic characteristic data comprises the following:
a first HTTP request number of the first type of IP address;
a second HTTP request number of times for the second class of IP addresses;
a number of occurrences of each of a plurality of HTTP features;
wherein the HTTP features include at least one of HTTP request features and HTTP response features; the IP address corresponding to the HTTP feature is the first type of IP address and/or the second type of IP address;
the identification module comprises:
the computing unit is used for computing the concentration and/or the suspiciousness of each HTTP feature;
the identification unit is used for identifying CC attack traffic characteristics according to the concentration and/or the suspiciousness of each HTTP characteristic;
the concentration of the HTTP features comprises a first concentration and a second concentration, the first concentration is a ratio of the number of occurrences of the HTTP features to the number of occurrences of the first HTTP requests, and the second concentration is a ratio of the number of occurrences of the HTTP features to the number of occurrences of the second HTTP requests; the suspiciousness of the HTTP feature is a ratio of the second concentration to the first concentration.
6. The apparatus of claim 5, wherein the identification unit is configured to:
and identifying the CC attack traffic characteristics according to the concentration and/or the suspiciousness of each HTTP characteristic by adopting at least one of the following rules:
if the suspiciousness of the HTTP request characteristic exceeds a first preset threshold value, determining the HTTP request characteristic as a CC attack traffic characteristic;
if the second concentration of the HTTP request features exceeds a second preset threshold, determining the HTTP request features as CC attack traffic features;
if the first concentration of the HTTP request features is lower than a third preset threshold, the second concentration of the HTTP request features exceeds a fourth preset threshold, and the HTTP request features are not in a preset feature list, determining the HTTP request features as CC attack traffic features;
if the HTTP response characteristic is a 404 status code and the second concentration of the HTTP response characteristic exceeds a fifth preset threshold value, determining the HTTP request characteristic corresponding to the HTTP response characteristic as a CC attack traffic characteristic;
and if the HTTP response characteristic is a non-404 status code, the second concentrations of the HTTP response characteristic and of the HTTP request characteristic corresponding to it both exceed their respective sixth preset threshold values, and the first concentrations of the HTTP response characteristic and of the corresponding HTTP request characteristic are both lower than their respective seventh preset threshold values, determining the HTTP request characteristic corresponding to the HTTP response characteristic as a CC attack traffic characteristic.
7. The apparatus of claim 5, wherein,
the HTTP request characteristic is: at least one of a URL field, a Host field, a User-Agent field, and a Referer field in the HTTP request;
and/or,
the HTTP response characteristic is: at least one of a 404 status code and a non-404 status code.
8. The apparatus of claim 5, wherein the determining module comprises:
the first determining unit is used for determining the CC attack starting time according to the traffic anomaly condition;
a second determining unit, configured to determine an IP address accessed by normal traffic in a first time period as the first type of IP address, and determine an IP address different from the first type of IP address in a second time period as the second type of IP address;
the first time period is a time period with a first duration before the CC attack starting time, and the second time period is a time period with a second duration after the CC attack starting time.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-4.
10. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-4.
CN202010212359.0A 2020-03-24 2020-03-24 Feature identification method, feature identification device, electronic equipment and computer-readable storage medium Active CN113452647B (en)
Publications (2)

Publication Number Publication Date
CN113452647A CN113452647A (en) 2021-09-28
CN113452647B true CN113452647B (en) 2022-11-29

Family

ID=77807407

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010212359.0A Active CN113452647B (en) 2020-03-24 2020-03-24 Feature identification method, feature identification device, electronic equipment and computer-readable storage medium

Country Status (1)

Country Link
CN (1) CN113452647B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895521A (en) * 2009-05-22 2010-11-24 中国科学院研究生院 Network worm detection and characteristic automatic extraction method and system
CN103442018A (en) * 2013-09-17 2013-12-11 网宿科技股份有限公司 Dynamic defense method and system for CC (Challenge Collapsar) attack
CN103685294A (en) * 2013-12-20 2014-03-26 北京奇虎科技有限公司 Method and device for identifying attack sources of denial of service attack
CN104113519A (en) * 2013-04-16 2014-10-22 阿里巴巴集团控股有限公司 Network attack detection method and device thereof
CN104378358A (en) * 2014-10-23 2015-02-25 河北省电力建设调整试验所 HTTP Get Flood attack prevention method based on server log
CN106357628A (en) * 2016-08-31 2017-01-25 东软集团股份有限公司 Attack defense method and device
CN107819727A (en) * 2016-09-13 2018-03-20 腾讯科技(深圳)有限公司 A kind of network safety protection method and system based on the safe credit worthiness of IP address
CN108810008A (en) * 2018-06-28 2018-11-13 腾讯科技(深圳)有限公司 Transmission control protocol traffic filtering method, apparatus, server and storage medium
CN110166408A (en) * 2018-02-13 2019-08-23 北京京东尚科信息技术有限公司 Defend the methods, devices and systems of extensive aggression
CN110505232A (en) * 2019-08-27 2019-11-26 百度在线网络技术(北京)有限公司 The detection method and device of network attack, electronic equipment, storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101070614B1 (en) * 2009-12-18 2011-10-10 한국인터넷진흥원 Malicious traffic isolation system using botnet infomation and malicious traffic isolation method using botnet infomation

Also Published As

Publication number Publication date
CN113452647A (en) 2021-09-28

Similar Documents

Publication Publication Date Title
US11212306B2 (en) Graph database analysis for network anomaly detection systems
CN108353079B (en) Detection of cyber threats against cloud-based applications
US7583187B1 (en) System, method and computer program product for automatically summarizing security events
US11487880B2 (en) Inferring security incidents from observational data
US10873596B1 (en) Cybersecurity alert, assessment, and remediation engine
US9106681B2 (en) Reputation of network address
US8904531B1 (en) Detecting advanced persistent threats
US9027128B1 (en) Automatic identification of malicious budget codes and compromised websites that are employed in phishing attacks
US20160164893A1 (en) Event management systems
WO2015039553A1 (en) Method and system for identifying fraudulent websites priority claim and related application
US10104112B2 (en) Rating threat submitter
US9942255B1 (en) Method and system for detecting abusive behavior in hosted services
CN112953938B (en) Network attack defense method, device, electronic equipment and readable storage medium
CN111881453A (en) Container escape detection method and device and electronic equipment
US11658863B1 (en) Aggregation of incident data for correlated incidents
US9985980B1 (en) Entropy-based beaconing detection
CN110958250A (en) Port monitoring method and device and electronic equipment
CN113452647B (en) Feature identification method, feature identification device, electronic equipment and computer-readable storage medium
US7533414B1 (en) Detecting system abuse
CN111953647A (en) Security verification method and device, electronic equipment and storage medium
CN113347186B (en) Reflection attack detection method and device and electronic equipment
CN114726579A (en) Method, apparatus, device, storage medium and program product for defending against network attacks
CN113642919A (en) Risk control method, electronic device, and storage medium
CN113765940A (en) Flow obfuscation method, device and equipment
CN111371557A (en) Block chain data processing method and device, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant