CN113518057A - Detection method and device for distributed denial of service attack and computer equipment thereof - Google Patents


Info

Publication number: CN113518057A
Authority: CN (China)
Prior art keywords: data, value, threshold, distribution, time period
Legal status: Granted
Application number: CN202010273353.4A
Other languages: Chinese (zh)
Other versions: CN113518057B (en)
Inventors: 陈嘉豪, 郭豪, 洪春华, 张融
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN202010273353.4A; publication of CN113518057A; application granted; publication of CN113518057B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The application discloses a detection method, a device and a computer device for a distributed denial of service attack. Traffic data sent by a first device to the outside of a local area network within a first time period is obtained in the local area network, first distribution data is derived from it, a first threshold value is obtained from the historical traffic data of the first device, and a first statistical value of the first distribution data is compared with the first threshold value to judge whether the first device is carrying out a distributed denial of service attack. By obtaining a dynamic first threshold from historical traffic data, rather than manually setting a fixed static threshold condition, distributed denial of service attacks sent out from within the local area network can be effectively detected.

Description

Detection method and device for distributed denial of service attack and computer equipment thereof
Technical Field
The embodiment of the application relates to the technical field of network security, in particular to a method and a device for detecting distributed denial of service attacks, computer equipment and a computer readable storage medium thereof.
Background
Distributed Denial of Service (DDoS) attacks are currently an attack means that seriously threatens network security and affects the quality of service of websites. A DDoS attack uses multiple distributed attack sources to send massive numbers of data packets, beyond the target's processing capability, to the attacked target, consuming available system and bandwidth resources and paralyzing the network service.
At present, the DDoS attack detection process is generally as follows: a traffic threshold is set manually and empirically and pre-stored in a computer device. In live network operation, the computer device obtains the inbound data streams sent to the server, counts the traffic of those streams, compares the traffic with the traffic threshold, and determines that the server is under network attack if the traffic is greater than the traffic threshold.
However, only DDoS attack detection aimed at a server is available at present; a DDoS attack sent by a computer device in a local area network towards an external network cannot be detected.
Disclosure of Invention
The following is a summary of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.
The application provides a method and a device for detecting distributed denial of service attacks, computer equipment and a computer readable storage medium thereof, which can detect the distributed denial of service attacks sent out in a local area network.
According to a first aspect of the present application, a method for detecting a distributed denial of service attack is provided, which includes:
acquiring flow data sent by first equipment to the outside of a local area network within a first time period in the local area network;
acquiring characteristic data which accords with a characteristic type in the flow data, and obtaining first distribution data according to the distribution of the characteristic data in a first time period;
obtaining a first statistical value according to the first distribution data;
acquiring historical traffic data sent to the outside of a local area network by the first equipment in a historical time period;
obtaining a first threshold value according to the historical flow data;
and comparing the first statistical value with the first threshold, and if the first statistical value is greater than the first threshold, determining that the first device sends out the distributed denial of service attack.
According to a second aspect of the present application, there is provided a device for detecting a distributed denial of service attack, including:
the flow acquisition module is used for acquiring flow data sent by first equipment to the outside of the local area network within a first time period in the local area network;
the data extraction module is used for acquiring feature data which accord with feature types in the flow data and obtaining first distribution data according to the distribution of the feature data in a first time period;
the statistical module is used for obtaining a first statistical value according to the first distribution data;
the data acquisition module is used for acquiring historical traffic data sent to the outside of the local area network by the first equipment in a historical time period;
the threshold value calculation module is used for obtaining a first threshold value according to the historical flow data;
the judging module is used for comparing the first statistical value with the first threshold value, and, if the first statistical value is larger than the first threshold value, determining that the first device sends out the distributed denial of service attack.
According to a third aspect of the present application, there is provided a device for detecting a distributed denial of service attack, including:
at least one memory;
at least one processor;
at least one program;
the programs being stored in the memory, and the processor executing at least one of the programs to implement the method for detecting a distributed denial of service attack described in the first aspect of the present application.
According to a fourth aspect of the present application, there is provided a computer device comprising the apparatus for detecting a distributed denial of service attack according to the second or third aspect of the present application.
According to a fifth aspect of the present application, there is provided a computer-readable storage medium storing computer-executable instructions for performing the method for detecting a distributed denial of service attack according to the first aspect of the present application.
According to the technical scheme, traffic data sent by a first device to the outside of the local area network within a first time period is obtained in the local area network, and first distribution data describing the distribution of the feature data within the first time period is obtained according to the feature type in the traffic data. In addition, a first threshold value is obtained according to the historical traffic data sent by the first device to the outside of the local area network within a historical time period, and a first statistical value of the first distribution data is compared with the first threshold value to judge whether the first device is carrying out a distributed denial of service attack. Because the first threshold value adapts to the historical traffic data of the first device within the historical time period, its size matches the current service scenario. By obtaining a dynamic first threshold from historical traffic data, rather than manually setting a fixed static threshold condition, distributed denial of service attacks sent out from within the local area network can be effectively detected.
Drawings
The accompanying drawings are included to provide a further understanding of the claimed subject matter and are incorporated in and constitute a part of this specification, illustrate embodiments of the subject matter and together with the description serve to explain the principles of the subject matter and not to limit the subject matter.
FIG. 1 is a schematic diagram of a network environment for a DDoS attack;
FIG. 2 is a system architecture diagram of a distributed denial of service attack detection method according to an exemplary embodiment of the present application;
FIG. 3 is a flow chart of a method for detecting a distributed denial of service attack as provided by an exemplary embodiment of the present application;
FIG. 4 is a graph of a distribution of first distribution data provided by an exemplary embodiment of the present application;
FIG. 5 is a flowchart of a specific method of step 350 of FIG. 3;
FIG. 6 is a flowchart of a specific method of step 510 of FIG. 5;
FIG. 7 is a graph of comparative distributions of first and second distribution data provided by an exemplary embodiment of the present application;
FIG. 8 is a flowchart illustrating a method of step 520 of FIG. 5;
FIG. 9 is a graph of a distribution of flow distribution data after a 1st-order discrete wavelet transform is performed as provided by an exemplary embodiment of the present application;
FIG. 10 is a graph of a distribution of flow distribution data after a 5th-order discrete wavelet transform is performed as provided by an exemplary embodiment of the present application;
FIG. 11 is a graph of a distribution of flow distribution data after a 7th-order discrete wavelet transform is performed as provided by an exemplary embodiment of the present application;
FIG. 12 is a flowchart of a method specific to step 330 of FIG. 3;
FIG. 13 is a graph of a profile of processing first profile data as provided by an exemplary embodiment of the present application;
FIG. 14 is a flowchart of a method for detecting a distributed denial of service attack as provided by an exemplary embodiment of the present application;
FIG. 15 is a schematic diagram of determining abnormal flow data of a first device and a second device according to an exemplary embodiment of the present application;
FIG. 16 is a flowchart of a particular method of step 1410 of FIG. 14;
FIG. 17 is a data processing flow diagram of a method for detecting a distributed denial of service attack as provided by an exemplary embodiment of the present application;
FIG. 18 is a schematic flow chart of a time series algorithm provided by an exemplary embodiment of the present application;
FIG. 19 is a monitor interface view of a traffic monitoring program provided by an exemplary embodiment of the present application;
FIG. 20 is a traffic data distribution graph of an example DDoS attack provided by an exemplary embodiment of the present application;
FIG. 21 is a block diagram illustrating an exemplary embodiment of a distributed denial of service attack detection apparatus;
FIG. 22 is a block diagram illustrating an exemplary embodiment of a distributed denial of service attack detection apparatus;
FIG. 23 is a block diagram of a computer device provided in an exemplary embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
It should be noted that although functional blocks are partitioned in a schematic diagram of an apparatus and a logical order is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the partitioning of blocks in the apparatus or the order in the flowchart. The terms first, second and the like in the description and in the claims, and the drawings described above, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
First, several terms used in the present application are explained:
local area network, a type of private network, is typically located within or near a building, such as a home, office, or factory. Local area networks are widely used to connect personal computers and consumer electronic devices, enabling them to share resources and exchange information. When local area networks are used in companies, they are referred to as enterprise networks.
The IP datagram in the network communication protocol carries a source IP address and a destination IP address, wherein the destination IP address refers to an IP address of destination equipment to be accessed, and the source IP address refers to an IP address of sending equipment.
CUSUM (Cumulative Sum) algorithm: the main idea of the cumulative sum algorithm is that a network data stream is regarded as a random model; when an abnormal condition occurs, the structure of the model changes, and as long as that change can be detected, an attack behavior can be found in time. The CUSUM algorithm is a common algorithm for detecting such anomalies; it is computationally simple and efficient, and is widely applied in environments requiring real-time detection. In addition, the algorithm adapts well when different detection parameters are set, the method of generating the expected value is modified, the threshold value is generated dynamically, and so on. The CUSUM algorithm can detect a change in the mean of a statistical process, is asymptotically optimal when the parametric model is known, and is sensitive to small changes in a sequence.
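To make the CUSUM idea concrete, the following is an added example (not code from the patent or from Tencent) of a one-sided CUSUM detector run over a constructed series of per-minute outbound packet counts. The expected value, the drift allowance and the alarm threshold are assumed parameters chosen for the sample; the statistic accumulates only upward deviations from the expected value, which is the direction an outbound flood pushes the count, so the model change shows up as the statistic climbing past the threshold.

```python
"""One-sided CUSUM change detector over a per-minute packet-count series.
Added illustration of the CUSUM idea; not the patent's own code.
All sample values and parameters below are constructed."""


def cusum_detect(series, expected, drift, threshold):
    """Return (alarm_index, statistics) for a one-sided upward CUSUM.

    expected  : mean of the series under normal conditions (the model)
    drift     : allowance subtracted each step so ordinary noise decays to 0
    threshold : alarm level for the accumulated positive deviation
    S_n = max(0, S_(n-1) + (x_n - expected - drift)); an alarm is raised the
    first time S_n exceeds the threshold. alarm_index is None if never raised.
    """
    s = 0.0
    stats = []
    alarm = None
    for i, x in enumerate(series):
        s = max(0.0, s + (x - expected - drift))
        stats.append(s)
        if alarm is None and s > threshold:
            alarm = i
    return alarm, stats


def baseline(history):
    """Expected value estimated as the mean of a known-normal history
    (one way of generating the expected value, as the text mentions)."""
    return sum(history) / len(history)


# Constructed per-minute SYN counts: about 20 per minute, then a jump at index 10.
NORMAL = [20, 22, 19, 21, 20, 23, 18, 20, 22, 19]
FLOOD = [60, 65, 70, 68, 72]
SAMPLE = NORMAL + FLOOD
DRIFT = 5.0        # assumed allowance, roughly the normal minute-to-minute noise
THRESHOLD = 50.0   # assumed alarm level in packets


def run_sample():
    """Run the detector on the constructed series; returns the alarm index."""
    alarm, _ = cusum_detect(SAMPLE, baseline(NORMAL), DRIFT, THRESHOLD)
    return alarm


if __name__ == "__main__":
    alarm, stats = cusum_detect(SAMPLE, baseline(NORMAL), DRIFT, THRESHOLD)
    for i, (x, s) in enumerate(zip(SAMPLE, stats)):
        flag = "  <-- alarm" if i == alarm else ""
        print(f"minute {i:2d}: count {x:3d}  S={s:6.1f}{flag}")
```

With the sample values the statistic stays at zero through the ten normal minutes, reaches 34.6 at the first flood minute and crosses the threshold at the second, so the alarm fires one minute after the change rather than on a single noisy reading; the drift term is what makes that trade-off tunable.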
In the technical field of network security, a distributed denial of service (DDoS) attack is currently an attack means that seriously threatens network security and affects website service quality. A DDoS attack uses a plurality of distributed attack sources to send a mass of data packets, beyond the processing capability of the attacked target, to consume its available system and bandwidth resources and paralyze the network service.
Referring to fig. 1, a schematic diagram of the network environment of a DDoS attack is shown. It includes a network server 110 and a local area network 120, where the local area network 120 has a plurality of terminal devices 130. The terminal devices 130 are devices accessing the local area network and may be desktop computers, notebooks, local servers, mobile phones, tablets, and the like; they may access the local area network in a wired or wireless manner, and they access the internet through a gateway 140 in the local area network, for example to reach the network server 110. When a terminal device 130 in the local area network 120 becomes a zombie (a "broiler") or puppet device because it is infected by a virus, a trojan, or a malicious program, it may send a DDoS attack out of the local area network 120, for example towards the network server 110, which causes abnormal traffic in the local area network and thereby disrupts the normal operation of services in the local area network. Common DDoS attacks include traffic-type attacks and connection-type attacks. A traffic-type attack means the terminal device 130 sends an excessive number of random or specific IP packets to the network server 110, so that the network server 110 cannot process other, normal IP packets; a connection-type attack means the terminal device 130 sends a large number of forged TCP connection requests to the network server 110, exhausting its resources so that it cannot respond to or process normal service requests in time.
Conventional DDoS attack detection is mainly performed on the network server 110 side to detect whether the network server 110 is currently under DDoS attack. The general method is to set a traffic threshold manually by experience, obtain the inbound data streams of the network server 110, and count the traffic data. Since the main purpose of a DDoS attack is to paralyze the network server 110, a large number of data streams with the same destination IP are present in the inbound traffic of the network server 110, so it is only necessary to count the traffic data with that destination IP, compare the counted traffic with the traffic threshold, and, if the traffic is greater than the traffic threshold, determine that the network server 110 is under DDoS attack.
However, the above DDoS attack detection method is only suitable for detecting inbound traffic of a server, and is not suitable for detecting DDoS attacks sent by computer equipment in a local area network to the outside of the local area network.
Therefore, the embodiment of the application provides a method and a device for detecting a distributed denial of service attack, a computer device and a computer readable storage medium thereof, which can detect the distributed denial of service attack sent from the inside to the outside of a local area network and reduce the situation of misjudgment.
The detection method for the distributed denial of service attack provided by the embodiment of the application can be applied to the application environment shown in fig. 2, which includes a network server 110 and a local area network 120. A plurality of terminal devices 130 are arranged in the local area network 120; the terminal devices 130 are devices accessing the local area network and may be fixed devices such as desktop computers, printers, local servers or smart home devices, or mobile devices such as notebooks, mobile phones, tablets or wearable devices. A terminal device 130 may access the local area network in a wired manner, for example through a network cable and a switch, or in a wireless manner, for example through WiFi, a mobile base station, a hotspot signal, or a Bluetooth signal. The terminal device 130 accesses the internet through the gateway 140 in the local area network and may, for example, access the network server 110 through the internet. The system further comprises a detection device 210, which is connected to the local area network in a wired or wireless manner.
In an embodiment, the detection device 210 may be a stand-alone computing device, such as a stand-alone desktop, a laptop, a local server, or a mobile terminal device. A traffic monitoring program is installed on the detection device 210 and traffic data is stored there; the traffic monitoring program may be implemented on a fast general-purpose computing engine, such as the Spark computing engine. The stored traffic data may be traffic data obtained and cached in real time, or historical traffic data, for example the traffic data of the previous week. The traffic data may be stored in the memory of the detection device 210, in a separately provisioned database, or in a cloud server outside the local area network, and the traffic monitoring program may be a desktop application, a mobile application, an applet, or a web client. In another embodiment, the detection device 210 may be any terminal device 130 in the local area network, the detection device 210 then being simply the terminal device 130 that runs the traffic monitoring program. In another embodiment, the detection device 210 may be the gateway 140 of the local area network, that is, the traffic monitoring program is built into the gateway 140, and the state of traffic monitoring can be inspected and the traffic monitoring program configured by accessing the gateway 140 locally or remotely.
Fig. 3 is a method for detecting a distributed denial of service attack according to an exemplary embodiment of the present application, where the method is applied to the detection device 210 shown in fig. 2, and the method specifically includes step 310, step 320, step 330, step 340, step 350, and step 360.
Step 310, acquiring, in the local area network, traffic data sent by the first device to the outside of the local area network within the first time period.
The detection device 210 obtains the traffic data of the first device through the traffic monitoring program. The first device may be any terminal device 130 in the local area network, and the detection device 210 identifies it by IP address; that is, each terminal device 130 in the local area network has a different IP address during the first time period. In an embodiment, the detection device 210 only needs to identify traffic data within the local area network: every packet sent by a terminal device 130 to the outside of the local area network carries a destination IP address and a source IP address, where the source IP address is the IP address of the terminal device 130 and the destination IP address is the address outside the local area network that the terminal device 130 needs to reach. For example, when the terminal device 130 accesses the network server 110 in fig. 2, the source IP address of the network request sent by the terminal device 130 is the IP address of the terminal device 130 and the destination IP address is the IP address of the network server 110. The traffic monitoring program can therefore determine whether the data of an access request is traffic sent to the outside of the local area network simply by inspecting the request data, and the traffic sent to the outside of the local area network by the first device in the first time period can be obtained simply by counting the outgoing traffic data with the same source IP address in the first time period. The traffic monitoring program can monitor all computer devices in the local area network by counting the traffic data of each distinct source IP address. Each traffic data record has a timestamp and a field value to be analyzed: the timestamp is used for time aggregation statistics, and the analysis field is used for filtering or feature screening.
In one embodiment, the first time period may be preset or configured by an administrator. The first time period has a fixed position in the time counting period, that is, its start time and end time are fixed within the time counting period. For example, with one day (24 hours) as the time counting period, 12:01 to 20:00 of the day may be set as the first time period; with one week as the time counting period, the whole third day (24 hours) may be set as the first time period. Illustratively, the time counting period in the following embodiments is described in units of one day, but those skilled in the art can set other time counting periods, for example one week, one month or one year, without departing from the spirit of the present application. The first time period may include the current time, for example the 50 minutes before the current time, or it may be any selected time period within the time counting period, and it may span the boundary of the time counting period, for example from 23:00 of the previous day to 01:00 of the current day, as long as the length of the first time period is less than the time counting period.
It should be noted that the acquired traffic data needs to be stored, which may be stored in a memory of the detection device 210, or may be stored in a database or a cloud server in the local area network. The collection of flow data may be real-time, for example, on a particular day, the flow data for that day may be collected in real-time and stored for calculation as historical flow data for a subsequent day.
Step 320, acquiring feature data which conforms to the feature type in the traffic data, and obtaining first distribution data according to the distribution of the feature data in the first time period.
The flow monitoring program counts the flow data according to the characteristic type, the characteristic type can be preset by an administrator or obtained by selection, and the characteristic type comprises at least one of protocol type, flow speed, packet volume speed, packet length, time-to-live value TTL, source port, destination port and source internet protocol IP number. The first distribution data is a distribution of the characteristic data over a period of time.
Because different DDoS attacks manifest differently in traffic data, the administrator selects a suitable feature type for statistics according to the DDoS attack type to be detected; the SYN Flood attack (a flood of TCP SYN, i.e. synchronize, packets) is taken as the example below. Those skilled in the art can also screen the corresponding feature data according to different DDoS attack types and different rules without departing from the spirit of the present application; for example, traffic data whose packet size is greater than a set value may be used as the feature data without distinguishing the protocol type.
Fig. 4 is a graph of the distribution of the first distribution data, in which the abscissa is time: the origin of the abscissa is the start time of the first time period and its end point is the end time of the first time period. The ordinate corresponds to the feature type; taking the SYN Flood attack as an example, the ordinate is the number of SYN packets. The traffic monitoring program counts the corresponding feature data in each unit time; with one minute as the unit time, for example, the traffic monitoring program counts the number of SYN packets sent by the first device to the outside of the local area network in every minute of the first time period, thereby forming the first distribution data. The first distribution data is discrete and can therefore be represented as a time series, such as X_n (n = 0, 1, 2, ...), where n is the sequence number of each unit time in the first time period.
Step 330, obtaining a first statistical value according to the first distribution data.
Since the first distribution data is a series of per-unit-time values, the traffic monitoring program computes a first statistical value from it so that it can be used for comparison. The first statistical value may be any one of the minimum, maximum, and mean of the first distribution data; it may be another kind of statistic reflecting the characteristics of the first distribution data, such as the variance, the standard deviation, or the cumulative sum of all or part of the traffic data; or it may be a combination of the above, such as the sum of the mean and the variance. Because the raw traffic data may contain a lot of interference and redundant information, in an embodiment the first distribution data may first be denoised and the first statistical value then calculated from the result, so that the data can be analyzed better. The denoising may use an existing signal denoising algorithm, such as a discrete wavelet transform or discrete Fourier transform filtering.
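As an added example (not code from the patent), the following Python shows the noise-reduction step with a Haar discrete wavelet transform written out by hand: the series is decomposed into approximation and detail coefficients, small detail coefficients are zeroed, and the series is rebuilt before the statistical value is taken. The sample counts and the thresholds are constructed; the patent does not fix the wavelet family or the number of levels, so Haar and the level counts used here are assumptions.

```python
"""Haar discrete wavelet transform denoising of per-minute feature counts,
then a first statistical value over the denoised series.
Added example, not the patent's own code; sample data is constructed."""
from statistics import mean, pstdev


def haar_decompose(x):
    """One level of the Haar DWT: pairwise averages (approximation) and
    pairwise half-differences (detail). len(x) must be even."""
    approx = [(x[i] + x[i + 1]) / 2 for i in range(0, len(x), 2)]
    detail = [(x[i] - x[i + 1]) / 2 for i in range(0, len(x), 2)]
    return approx, detail


def haar_reconstruct(approx, detail):
    """Inverse of haar_decompose."""
    out = []
    for a, d in zip(approx, detail):
        out.extend([a + d, a - d])
    return out


def wavelet_denoise(x, levels=1, threshold=0.0):
    """Hard-threshold Haar denoising over `levels` decomposition levels.
    Detail coefficients with |d| <= threshold are discarded. The input is
    padded by repeating its last value up to a multiple of 2**levels and the
    padding is removed after reconstruction. threshold=inf discards every
    detail coefficient and returns block means (pure smoothing)."""
    n = len(x)
    block = 2 ** levels
    approx = list(x) + [x[-1]] * ((-n) % block)
    kept_details = []
    for _ in range(levels):
        approx, detail = haar_decompose(approx)
        kept_details.append([d if abs(d) > threshold else 0.0 for d in detail])
    for detail in reversed(kept_details):
        approx = haar_reconstruct(approx, detail)
    return approx[:n]


def first_statistic(series, kind="mean"):
    """Statistical value of a distribution: mean, max, min, or mean plus
    standard deviation (the kinds of combination the text names)."""
    if kind == "mean":
        return mean(series)
    if kind == "max":
        return max(series)
    if kind == "min":
        return min(series)
    if kind == "mean_plus_std":
        return mean(series) + pstdev(series)
    raise ValueError(kind)


# Constructed per-minute SYN counts with one noisy spike at index 2.
SAMPLE = [20, 21, 80, 19, 22, 20, 21, 23]

if __name__ == "__main__":
    print("raw       ", SAMPLE)
    print("1 level   ", wavelet_denoise(SAMPLE, 1, float("inf")))
    print("2 levels  ", wavelet_denoise(SAMPLE, 2, float("inf")))
    print("hard t=10 ", wavelet_denoise(SAMPLE, 1, 10.0))
    print("max raw / denoised:", first_statistic(SAMPLE, "max"),
          first_statistic(wavelet_denoise(SAMPLE, 2, float("inf")), "max"))
```

The two modes matter in practice: with a finite threshold only the small detail coefficients are dropped, so a single large spike survives and a maximum-based statistic still reacts to it; with the threshold set to infinity every detail level is dropped and the output is a block average over 2**levels minutes, which is what damps isolated spikes before the comparison with the first threshold. Which behaviour is wanted depends on whether a one-minute burst should count as an attack.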
Step 340, obtaining historical traffic data sent by the first device to outside the local area network within a historical time period.
Here, the historical time period is a period of time before the current first time period obtained in step 310. Taking one day as the time counting period, the period before the current day can serve as the historical time period; for example, this embodiment may take the last 7 days, that is, the 7 days before 0:00 of the current day, as the historical time period. The historical traffic data sent by the first device to the outside of the local area network in the historical time period represents the historical network activity of the first device.
Step 350, obtaining a first threshold value according to the historical flow data.
Since the historical traffic data sent by the first device to the outside of the local area network within the historical time period represents the historical network activity behavior of the first device, the first threshold value calculated according to the historical traffic data reflects the historical network activity characteristics of the first device.
Step 360, comparing the first statistical value with the first threshold, and if the first statistical value is greater than the first threshold, determining that the first device sends out a distributed denial of service attack.
The traffic monitoring program compares the first statistical value with the first threshold, and the first statistical value reflects the current network activity characteristics of the first device and the historical network activity characteristics of the first device. If the first statistical value is greater than the first threshold value, it indicates that the current flow data sent by the first device to the outside of the local area network is abnormal, and since the first distribution data is the feature data corresponding to the DDoS attack behavior, it is determined that the first device sends out the DDoS attack in the current first time period.
In the detection method for a distributed denial of service attack described above, the traffic data sent by the first device to the outside of the local area network in the first time period is obtained inside the local area network; the first distribution data, i.e. the distribution over the first time period of the feature data matching the feature type, is extracted from that traffic; the first threshold is derived from the historical traffic data sent by the first device to the outside of the local area network in the historical time period; and the first statistical value of the first distribution data is compared with the first threshold to judge whether the first device is sending a distributed denial of service attack. Because the first threshold adapts to the historical traffic data of the first device, its size matches the device's current service scenario. Compared with a manually configured, fixed static threshold, this dynamic first threshold derived from historical traffic detects distributed denial of service attacks launched from inside the local area network effectively.
In one embodiment, referring to FIG. 5, step 350 further includes the steps of:
Step 510, obtaining second distribution data according to the distribution of the historical traffic data in the first time period.
The historical traffic data is the traffic data sent by the first device to the outside of the local area network within the historical time period, and the first time period has a fixed start and end time within a time counting cycle, for example 12:01 to 20:00 of each day, so the second distribution data, i.e. the distribution of the historical traffic data over the first time period, reflects the network activity behaviour of the first device during the first time period of the historical time period. For example, with one week as the historical time period and one day as the time counting cycle, the traffic data sent by the first device to the outside of the local area network in the 7 days before 0:00 of the current day is acquired as the historical traffic data. The first time period counted by the first distribution data is 12:01 to 20:00 of the current day, so the feature data of the matching feature type sent by the first device to the outside of the local area network between 12:01 and 20:00 of each day of the historical time period reflects the network activity behaviour of the first device between 12:01 and 20:00 over the previous week.
Step 520, a first threshold is obtained according to the second distribution data.
The abscissa and ordinate of the second distribution data correspond to those of the first distribution data, and in order to compare the two the traffic monitoring program also computes a statistic over the second distribution data to obtain the first threshold. The first threshold reflects the network activity characteristics of the first device over the historical time period.
In an embodiment, the second distribution data may be the historical traffic distribution of a single time counting cycle: for example, if the current day is Wednesday and the first time period being counted is 12:01 to 20:00, the second distribution data may be the historical traffic distribution from 12:01 to 20:00 of the previous Wednesday, or from 12:01 to 20:00 of the previous day (Tuesday).
In another embodiment, the second distribution data is obtained by counting the historical traffic distribution over a plurality of time counting cycles: the historical time period contains one first time period per time counting cycle, and the historical traffic data is distributed over these first time periods. For example, with one day as the time counting cycle, the traffic data sent by the first device to the outside of the local area network in the 7 days before 0:00 of the current day is the historical traffic data, and the historical time period is one week. The first time period counted by the first distribution data is 12:01 to 20:00 of the current day, and the corresponding first time period in each of the 7 historical days is 12:01 to 20:00 of that day, so the historical traffic distribution of each day in the historical time period can be counted to obtain the second distribution data, which reflects the network activity behaviour of the first device in the historical first time periods. The statistic used may combine the mean, maximum, minimum, variance, standard deviation and the like. For example, in one embodiment, referring to FIG. 6, step 510 further includes the following step:
Step 610, obtaining second distribution data according to the sum of the mean value and the variance value of the historical traffic data over the plurality of first time periods.
In the embodiment of the invention, the statistic for each unit time is obtained by calculating the sum of the mean value and the variance value of the traffic data at the corresponding time of each first time period, which yields the second distribution data. The variance value represents the degree of dispersion of the statistical data and may be the variance, the standard deviation (the square root of the variance) or a multiple of either. Referring to fig. 7, which compares the distributions of the first and second distribution data, curve a (solid line) is the first distribution data and curve b (dotted line) is the second distribution data; the abscissa is in unit time t, its origin is the start time of the first time period and its end point the end time of the first time period, and the ordinate corresponds to the feature type, such as the number of packets or the traffic volume of packets of a specific type.
In one embodiment, referring to FIG. 8, step 520 further comprises the following steps:
step 810, acquiring a peak value of historical flow data in the second distribution data;
During calculation, the traffic data per unit time in the second distribution data is examined and its maximum value is taken as the peak of the historical traffic data; in fig. 7, the straight line c indicated by the dotted line is this peak.
Step 820, adding the first increment to the peak value to obtain a second threshold value;
In fig. 7, the straight line d indicated by the dash-dotted line is the second threshold obtained by adding a first increment to the peak. Since the peak of the historical traffic data still belongs to the normal historical traffic of the first device, the first increment is added to the peak to obtain the second threshold that marks abnormal traffic; the first increment can be understood as a margin reserved to avoid misjudgement. It can be set empirically, for example as a fixed value or as a proportion of the peak, or obtained statistically from existing data, for example as the standard deviation of the second distribution data.
Step 830, the second threshold value is used as the first threshold value, or a multiple of the second threshold value is used as the first threshold value.
In an embodiment, the second threshold is used as the first threshold, and since the second threshold represents abnormal traffic, the first statistical value of the first distribution data may be compared with the second threshold, and if the first statistical value is greater than the second threshold, it is determined that the first device sends out a DDoS attack. For example, when the first statistical value is an average value of the first distribution data, if the average value of the first distribution data is greater than a second threshold value, it is determined that the first device sends out a DDoS attack.
In another embodiment, a multiple of the second threshold is used as the first threshold. In this case the first statistical value stands in a multiple relation to the per-unit-time data of the first distribution data, for example the sum of all data of the first distribution data, or the sum of the portion of the first distribution data that exceeds the second threshold, and the first threshold is correspondingly a multiple of the second threshold.
In one embodiment, before step 510 is executed, noise reduction is applied to the historical traffic data, and the second distribution data is then obtained from the distribution of the denoised historical traffic data in the first time period. The historical traffic data is denoised as follows:
acquiring the distribution of historical flow data in each first time period;
performing noise reduction on the historical traffic distribution data of each first time period. An existing signal denoising algorithm may be used, such as a discrete wavelet transform or discrete Fourier transform filtering.
In one embodiment, the historical traffic distribution data of each first time period is denoised by a discrete wavelet transform. The discrete wavelet transform extracts the spectral characteristics of a time series and can represent the local characteristics of a signal in both the time domain and the frequency domain. Applying it to the original data yields a detail component and an approximation component: the detail component is the high-frequency part of the original data and contains the noise of the original signal, while the approximation component is the low-frequency part and carries the main behaviour and information of the original signal; the low-frequency approximation component better reflects changes in abnormal behaviour. To capture the main behaviour of the original data, a pyramid recursive algorithm applies the discrete wavelet transform repeatedly to obtain the k-order approximation component. The larger the order k, the clearer the main trend of the approximation component, but too large an order discards too much detail, reducing the change information and hindering the judgement of changes in the feature data.
Fig. 9 shows the historical traffic distribution of a first time period after a 1st-order discrete wavelet transform, fig. 10 after a 5th-order transform and fig. 11 after a 7th-order transform. Tests show that the 5th-order transform best describes the main information and the changes of the time series without retaining redundant information and noise, so the embodiment of the present application uses the 5th-order discrete wavelet transform for denoising. Besides the historical traffic distribution data, the first distribution data can be denoised in the same way, that is, the 5th-order discrete wavelet transform can also be applied to the first distribution data in step 330.
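The pyramid recursion described above, as an added example that is not the patent's own code: a k-level wavelet decomposition that keeps only the k-order approximation component and reconstructs a series of the original length. The page does not name the wavelet, so the Haar wavelet (pairwise average and difference) is assumed here; with Haar, keeping only the order-k approximation amounts to replacing every block of 2^k minutes by its mean, which makes the trade-off on k visible. The sample series is constructed.

```python
"""Added example: k-order discrete wavelet denoising of a per-minute traffic series.

The wavelet is an assumption (Haar); the patent text only specifies a pyramid
recursion that retains the k-order approximation component and drops the detail.
"""


def _haar_forward(signal):
    """One pyramid level: (approximation, detail) coefficients.

    An odd-length input is padded by repeating its last sample so that every
    sample has a partner; the padding is removed again on reconstruction."""
    s = list(signal)
    if len(s) % 2:
        s.append(s[-1])
    approx = [(s[i] + s[i + 1]) / 2.0 for i in range(0, len(s), 2)]
    detail = [(s[i] - s[i + 1]) / 2.0 for i in range(0, len(s), 2)]
    return approx, detail


def _haar_inverse(approx, detail):
    """Undo one level; with the detail zeroed, each pair becomes its average."""
    out = []
    for a, d in zip(approx, detail):
        out.extend((a + d, a - d))
    return out


def dwt_denoise(series, order=5):
    """Return the series reconstructed from its order-k approximation only.

    The detail (high-frequency) component is discarded at every level, and the
    result has the same length as the input so it can be compared minute by
    minute with a threshold. Fewer levels are applied if the series is too short.
    """
    approx = list(series)
    lengths = []
    for _ in range(order):
        if len(approx) < 2:
            break
        lengths.append(len(approx))
        approx, _detail = _haar_forward(approx)
    for length in reversed(lengths):
        approx = _haar_inverse(approx, [0.0] * len(approx))[:length]
    return approx


# Constructed sample: a flat baseline of 10 packets per minute with one spike minute.
SAMPLE = [10] * 7 + [100] + [10] * 8


def spike_after(order):
    """Height of the spike minute once order-k denoising has spread it out."""
    return max(dwt_denoise(SAMPLE, order))


if __name__ == "__main__":
    for k in (1, 2, 3, 5):
        print(k, dwt_denoise(SAMPLE, k))
```

Each extra level halves the height of an isolated one-minute spike and doubles the width over which it is spread, which is the behaviour the page describes: a higher order shows the main trend more clearly but erases the short changes that the threshold comparison needs to detect.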
The above steps are described below with specific formulas. The historical time period contains m first time periods; the first time period is determined in step 310 and may be a preset period or one configured by an administrator. When the traffic data sent by the first device to the outside of the local area network in the first time period is obtained in the local area network, the distribution of the historical traffic data in each of the m first time periods is also obtained and subjected to the noise reduction described in the embodiment above. After noise reduction, the traffic data per unit time in a first time period is denoted x_(i,t), where i indexes the ith first time period of the historical time period and t is a specific time within the first time period; for example, with one minute as the unit time and t = 12:01, x_(i,t) is the traffic counted in the minute starting at 12:01 of the ith first time period.
The average value of the traffic data per unit time over the m first time periods is calculated:
Figure BDA0002443916140000111
for example, when t = 12:01, it is the average of the traffic counted in the minute starting at 12:01 over all first time periods of the historical time period.
The variance σ(t) of the traffic data per unit time over the m first time periods is calculated by the following formulas:
Figure BDA0002443916140000121
Figure BDA0002443916140000122
for example, when t = 12:01, σ(t) is the variance of the traffic counted in the minute starting at 12:01 over all first time periods of the historical time period.
Obtaining second distribution data according to the sum of the average value and the variance value of the historical flow data in the plurality of first time periods:
Figure BDA0002443916140000123
where b(t) is the second distribution data, C·σ(t) is the variance value and C is the variance-value coefficient, which adjusts the upper limit of the dynamic threshold of the second distribution data; the resulting curve b is shown in fig. 7.
In the second distribution data b(t), the maximum value thres_normal of b(t) is taken as the peak of the second distribution data, i.e. thres_normal = max(b(t)); the straight line c in fig. 7 is this peak thres_normal.
A first increment is added to the peak to obtain the second threshold. In an embodiment, the first increment is the standard deviation std(b) of the second distribution data, so the second threshold is thres_abnormal = max(b) + std(b). In fig. 7, the second threshold serves as the criterion for abnormal traffic: for example, it is used directly as the first threshold and compared with a statistical value of the first distribution data, or a multiple of it is compared with a statistical value of the first distribution data.
In one embodiment, the step 330 further includes the following steps:
and comparing the first distribution data with the second threshold value, and acquiring the accumulated sum of the flow data of the part, which is greater than the second threshold value, in the first distribution data, wherein the accumulated sum is the first statistical value.
By using the cumulative sum of the flow rate data of the first distribution data larger than the second threshold as the first statistical value, it is possible to identify abnormal flow rate data and reduce erroneous judgment of normal flow rate data.
In an embodiment, referring to fig. 12, the step 330 further includes the following steps:
Step 1210, obtaining a difference value between the first distribution data and a peak value to obtain third distribution data;
The peak is subtracted from the data volume of the first distribution data in each unit time to obtain the third distribution data, which is equivalent to translating the whole first distribution data downwards by the peak. Since the peak reflects the maximum normal data volume of the first device in the historical time period, the third distribution data is negative wherever the traffic of the first distribution data is normal; this both identifies the abnormal traffic and tightens the threshold judgement, further avoiding misjudgement.
Step 1220, comparing the third distribution data with the second threshold, and obtaining a cumulative sum of flow data of a portion of the third distribution data that is greater than the second threshold, where the cumulative sum is the first statistical value.
In one embodiment, the cumulative sum of the traffic data exceeding the second threshold in each unit time of the first time period is calculated in time order and compared with the first threshold after each step; when the cumulative sum exceeds the first threshold, the first device is judged to have sent out a DDoS attack, and if the traffic data of the unit time currently being processed does not exceed the second threshold, the cumulative sum is cleared. This embodiment takes the persistence of a DDoS attack into account: only when the cumulative sum keeps accumulating until it exceeds the first threshold is the first device judged to have sent out a DDoS attack, which further reduces misjudgement.
Referring to the traffic distribution diagram of fig. 13, the curve e indicated by the dotted line is the first distribution data, which can be written X_n (n = 0, 1, 2, ...), where n is the sequence number of each unit time in the first time period. For example, if the first time period of the first distribution data is 12:01 to 20:00 and the data is aggregated per minute, there are 480 time points and the first distribution data is X_n (n = 0, 1, 2, ..., 479). X_n may be the first distribution data after noise reduction.
The third distribution data Z_n (n = 0, 1, 2, ...) is computed as Z_n = X_n - thres_normal, where thres_normal is the peak of the second distribution data. The curve f shown by the solid line in fig. 13 is the third distribution data; if the time series contains no singular point, Z_n (n = 0, 1, 2, ...) is negative.
In fig. 13, the straight line h indicated by the chain line is the first threshold thres_DDoS, which is a multiple of the second threshold: thres_DDoS = t·thres_abnormal, where t is a constant coefficient (not the unit time t used above).
When the first device launches a DDoS attack, Z_n becomes greater than the second threshold, i.e. Z_n > thres_abnormal, which indicates an abrupt change in the feature data: Z_n turns positive and, once the second threshold is exceeded, the abnormal Z_n values are accumulated with the cumulative sum (CUSUM) algorithm as follows:
y_n = (y_{n-1} + Z_n)^+, y_0 = 0, where y_n is the cumulative sum and (·)^+ denotes max(·, 0). When the cumulative sum y_n exceeds the first threshold, the first device is judged to have DDoS attack behaviour. In one embodiment, accumulation of y_n starts when Z_n rises above the second threshold; during accumulation, if y_n exceeds the first threshold the first device is judged to have DDoS attack behaviour, and if y_n has not yet exceeded the first threshold while the current Z_n falls below the second threshold, y_n is cleared. Referring to fig. 13, at the moment indicated by arrow A1, Z_n exceeds the second threshold and accumulation of y_n starts; the subsequent Z_n values first rise and then fall until the moment indicated by arrow A2, where Z_n is below the second threshold; since y_n has not exceeded the first threshold, it is cleared at A2. As another example, at the moment indicated by arrow B1 in fig. 13, Z_n again exceeds the second threshold and accumulation of y_n restarts; every Z_n up to the moment indicated by arrow B2 is above the second threshold, and at B2 the cumulative sum y_n exceeds the first threshold, so the first device is judged to have DDoS attack behaviour.
In the above embodiment, the first threshold is derived from the historical data of the first device itself. When that history is sparse or its feature values are small, a sudden but small increase can be judged abnormal: for example, a terminal device in the local area network that was not switched on during the previous week has a very small first threshold, and when it is then used normally its traffic rises sharply relative to its history, so misjudgement is likely. To deal with this, in an embodiment shown in fig. 14, the method further includes the following steps:
step 1410, determining a second device in the local area network that has not issued the distributed denial of service attack.
The second device is a terminal device that determines that a DDoS attack is not issued, and is hereinafter referred to as a normal terminal device, where reference may be made to steps 310 to 360 in the foregoing embodiment to determine whether the second device is a terminal device that does not issue a DDoS attack.
Step 1420, obtaining contrast traffic data sent by the second device to the outside of the local area network within the first time period.
For example, if the first time period is 12:01 to 20:00, the traffic data sent to the outside of the local area network by the first device between 12:01 and 20:00 is obtained, and the comparison traffic data sent to the outside of the local area network by the second device between 12:01 and 20:00 is obtained as well.
And 1430, obtaining a third threshold value according to the comparison flow data.
The third threshold varies dynamically with the comparison traffic data. In an embodiment, the feature data of the matching feature type is first extracted from the comparison traffic data and its distribution over the first time period gives the fourth distribution data; the maximum value of the fourth distribution data is then taken and a second increment, equal to the difference between the maximum and the mean of the fourth distribution data, is added to it to obtain the third threshold: thres = max + (max - mean), where max is the maximum and mean the average of the fourth distribution data. The third threshold of this embodiment objectively reflects the normal network activity of comparable terminal devices in the local area network and further reduces the chance of misjudgement. Referring to fig. 15, the rounded rectangle 1510 is the traffic data to be inspected in the local area network, hollow circles being normal and solid circles abnormal traffic data. The traffic monitoring program inspects the traffic data of the local area network to obtain a second device 1520 determined not to have sent out a DDoS attack and a first device 1530 suspected of having sent one, the statistical value of whose first distribution data in the first time period exceeds the first threshold. The third threshold thres is obtained from the feature data of the second device 1520, the data of the first device 1530 is compared with thres, the abnormal data in circle 1540 of fig. 15 is identified, and it is determined that the first device 1530 sent out a DDoS attack.
The step 360 further comprises:
step 1440, comparing the first statistical value with the first threshold and a third threshold, and if the first statistical value is greater than the first threshold and greater than the third threshold, determining that the first device issues a distributed denial of service attack.
In this embodiment, two thresholds are set, including a first threshold obtained based on the historical traffic data of the first device itself and a third threshold obtained based on the current traffic data of the normal terminal device in the same time period, and because the normal network activities of other terminal devices in the local area network are referred to, the misjudgment phenomenon caused by the small historical traffic data of the first device can be avoided, and the occurrence of the misreporting situation can be further avoided.
In addition, in an embodiment, the third thresholds of a plurality of second devices may be computed and the largest of them compared with the first statistical value of the first device; that is, the first device is judged to have sent out a DDoS attack when its first statistical value exceeds the first threshold and the third thresholds of all the second devices.
In addition, in an embodiment, after determining that the current first device does not send out a DDoS attack within the first time period, the current first device is automatically marked as the second device, so as to be used as a reference when detecting other terminal devices.
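The calculation of steps 510 to 830, the third distribution data and CUSUM judgement of steps 1210 to 1220, and the peer-based third threshold of steps 1410 to 1440, carried through in one added example. This is not code from the patent or its applicant. Where the page leaves a choice, the example assumes C = 1 for the variance coefficient, std(b) as the first increment, 3·thres_abnormal as the alarm level (the page's constant t, whose value it does not fix), and that the same cumulative statistic is compared with both the first and the third threshold; the device addresses and per-minute SYN counts are constructed.

```python
"""Added example, not the patent's code: dynamic first threshold (steps 510-830),
third distribution data with CUSUM judgement (steps 1210-1220) and peer-based
third threshold (steps 1410-1440), run over constructed per-minute traffic counts.

Assumed where the page leaves a choice: C = 1, first increment = std(b), alarm
level = 3 * thres_abnormal, and the cumulative sum at alarm time is the statistic
compared with the third threshold. Addresses and counts below are made up.
"""
import math


def pmean(xs):
    return sum(xs) / len(xs)


def pstdev(xs):
    mu = pmean(xs)
    return math.sqrt(sum((x - mu) ** 2 for x in xs) / len(xs))


def second_distribution(history, c=1.0):
    """b(t) = mean_i x(i,t) + C * sigma(t); history[i][t] is the feature count
    (e.g. SYN packets) of historical day i in minute t of the first time period."""
    m, n = len(history), len(history[0])
    if any(len(day) != n for day in history):
        raise ValueError("every historical day must cover the same first time period")
    b = []
    for t in range(n):
        column = [history[i][t] for i in range(m)]
        b.append(pmean(column) + c * pstdev(column))
    return b


def thresholds(b, multiple=3.0):
    """(thres_normal, thres_abnormal, thres_ddos): peak of the second distribution,
    peak plus the first increment std(b), and the alarm level (first threshold)."""
    thres_normal = max(b)
    thres_abnormal = thres_normal + pstdev(b)
    return thres_normal, thres_abnormal, multiple * thres_abnormal


def cusum_detect(current, thres_normal, thres_abnormal, thres_ddos):
    """Z_n = X_n - thres_normal; y_n = max(0, y_{n-1} + Z_n) while Z_n > thres_abnormal.
    A burst that ends before y_n reaches thres_ddos clears y_n, so only a sustained
    excess alarms. Returns (alarm, minute index of the alarm or None, last y_n)."""
    y = 0.0
    for n, x in enumerate(current):
        z = x - thres_normal
        if z > thres_abnormal:
            y = max(0.0, y + z)
            if y > thres_ddos:
                return True, n, y
        else:
            y = 0.0  # Z_n back below the second threshold: reset the accumulation
    return False, None, y


def third_threshold(fourth_distribution):
    """thres = max + (max - mean) over a normal device's current first time period."""
    mx = max(fourth_distribution)
    return mx + (mx - pmean(fourth_distribution))


def detect_lan(devices, c=1.0, multiple=3.0):
    """devices: {ip: (history_matrix, current_series)} -> {ip: DDoS verdict}.

    Pass 1 judges every device against its own history; devices that do not alarm
    are the second devices. Pass 2 confirms an alarm only if the statistic also
    exceeds the largest third threshold over the second devices, which suppresses
    the false alarm of a host whose own history is sparse."""
    own = {}
    for ip, (history, current) in devices.items():
        tn, ta, td = thresholds(second_distribution(history, c), multiple)
        own[ip] = cusum_detect(current, tn, ta, td)
    normal = [ip for ip, (alarm, _, _) in own.items() if not alarm]
    if not normal:  # no reference device available: fall back to the first threshold
        return {ip: alarm for ip, (alarm, _, _) in own.items()}
    ref = max(third_threshold(devices[ip][1]) for ip in normal)
    return {ip: alarm and y > ref for ip, (alarm, _, y) in own.items()}


# Constructed sample: 4 historical days x 8 minutes of SYN counts per device.
HISTORY = [[16, 36, 36, 16, 16, 36, 36, 16]] * 2 + [[20, 40, 40, 20, 20, 40, 40, 20]] * 2
ATTACK = [18, 39, 100, 38, 120, 130, 140, 30]  # short burst, reset, then sustained flood
PEER = [16, 36, 36, 16, 18, 38, 38, 18]         # an ordinary day on an ordinary device
NEW_HOST = [0, 0, 5, 6, 7, 8, 9, 10]            # first use of a host with empty history
DEVICES = {
    "10.0.0.5": (HISTORY, ATTACK),
    "10.0.0.6": (HISTORY, PEER),
    "10.0.0.7": ([[0] * 8] * 4, NEW_HOST),
}

if __name__ == "__main__":
    print(thresholds(second_distribution(HISTORY)))  # (40.0, 50.0, 150.0)
    print(detect_lan(DEVICES))  # only 10.0.0.5 is confirmed
```

On the constructed data the first device's one-minute burst to 100 packets is cleared when the next minute falls back below the second threshold, the later sustained flood trips the CUSUM at minute 5, and the newly started host alarms against its empty history but is discarded because its statistic stays far below the third threshold taken from the normal peer.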
In one embodiment, referring to fig. 16, the step 1410 includes the following steps:
step 1610, obtaining characteristic data which accords with the characteristic type in the contrast flow data, and obtaining fourth distribution data according to the distribution of the characteristic data in a first time period;
step 1620, obtaining a second statistical value according to the fourth distribution data;
step 1630, obtaining comparison historical traffic data sent by the second device to outside the local area network within a historical time period;
step 1640, obtaining a fourth threshold value according to the comparison historical flow data;
step 1650, comparing the second statistic value with the fourth threshold value, and determining the second device if the second statistic value is smaller than the fourth threshold value.
In the above steps 1610 to 1650, by comparing the second statistical value of the fourth distribution data obtained by the distribution of the current terminal device in the first time period with the fourth threshold obtained by comparing the historical traffic data, it can be accurately determined whether the current terminal device is the second device. For a specific implementation manner of the step 1610 to the step 1650, reference may be made to the processing procedure of the traffic data of the first device in the foregoing embodiment.
The traffic monitoring program may execute the detection method of the above embodiments at preset intervals; for example, every hour it may automatically extract and analyse the traffic data of the local area network for a new first time period. The first time period thus changes dynamically: the previous detection period covered 12:01 to 20:00 and the current one covers 13:01 to 21:00. Because the first time period changes, the traffic data counted and the corresponding historical traffic data change with it, so the first threshold and the third threshold of different detection periods also change accordingly.
Referring to fig. 2, the detection device 210 executes the detection method of the above embodiments through a traffic monitoring program so as to monitor all terminal devices 130 in the local area network. Illustratively, the detection device 210 monitors the traffic of the whole local area network as follows. Referring to fig. 17, the detection device 210 collects traffic from the local area network and first preprocesses it: the traffic data leaving the local area network is acquired, aggregated and filtered according to the configured time counting period and unit time, the feature data of each terminal device 130 is extracted by source IP address (src_IP) and by the network protocol corresponding to each DDoS attack type, and the first distribution data is generated. Time series anomaly detection is then performed on the first distribution data with the time series algorithm shown in fig. 18: the traffic data of the first distribution data is first denoised by discrete wavelet transform, the historical traffic data of the terminal device owning the current source IP address is obtained, and the dynamic threshold calculation yields the corresponding first threshold; as shown in fig. 17, the detection device 210 then runs the CUSUM detection on the denoised traffic data against the first threshold to judge whether a DDoS attack occurs. The detection device 210 analyses all outgoing traffic of the local area network in this way to obtain the anomaly detection result of the local area network's data flow in the specified time period.
If no time period with abnormal traffic is found, no alarm is raised. If one is found, the traffic is filtered according to the configured rule policy: for example, the terminal device 130 whose source IP address shows abnormal traffic is prohibited from sending traffic, or from sending traffic to the destination IP address, or from accessing the external network. In addition, an outgoing-DDoS alarm event is generated to notify the relevant administrators. The detection device 210 performs these operations through a traffic monitoring program built on the Spark computing engine, which carries out the aggregation filtering, feature extraction and time series algorithm on the traffic data.
The detection device 210 presents the monitoring status through the program interface shown in fig. 19. When a terminal device 130 is detected sending out a DDoS attack, an alarm is triggered and, for the abnormal first time period, the start time, the end time, the sum of the feature data, the mean feature value and the maximum feature value are recorded. Details of each DDoS attack, including the source IP address and the destination IP address, are displayed in the event list box 1910 of fig. 19, and the network access data of all terminal devices 130 is displayed in the distribution statistics window 1920; when an administrator selects a DDoS attack event, the first distribution data of that event is shown in the distribution window 1920. The first statistics window 1930 of fig. 19 shows the statistics of DDoS attack anomaly data by source IP address, and the second statistics window 1940 shows them by destination IP address.
For example, the traffic monitoring program detects that the terminal device 130 with the source IP address 172.16.0.5 sends out a DDoS attack, where the monitored first time period is 2019-11-2311: 20 to 2019-11-2312: 42 for a total of 82 minutes, fig. 20 is a corresponding distribution data diagram, where a dotted line shown by an arrow j is abnormal traffic data detected by the traffic monitoring program, and when the DDoS attack is detected to start at 2019-11-2312: 24:00 and end at 2019-11-2312: 39:00, 337906 syn _ sent packets are sent in total, where a maximum value is 48427 data packets sent in one minute, and a corresponding first threshold value is only 83 data packets, which accords with historical network activity behavior of the terminal device 130.
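The discrete-wavelet noise reduction that the pipeline above applies to the first distribution data before the CUSUM comparison (fig. 18, claim 4), carried out in Python as an added example that is not the patent's own code. The patent does not say which wavelet, decomposition depth or threshold rule it uses; the Haar basis, the single level, the soft-thresholding rule and the sample per-minute syn_sent counts are this example's assumptions. The point it shows is that the denoised series keeps the attack burst intact while flattening the jitter of the normal baseline, which is what makes a tight dynamic threshold usable afterwards.

```python
"""One-level Haar wavelet denoising of a per-minute traffic series.

Added example, not the patent's code: the patent only states that the first
distribution data is denoised with a discrete wavelet transform before CUSUM
detection (fig. 18, claim 4). The Haar basis, single decomposition level and
soft-threshold rule are this example's choices.
"""
import math
from typing import List, Sequence, Tuple


def haar_forward(x: Sequence[float]) -> Tuple[List[float], List[float]]:
    """Split x into approximation (pairwise means) and detail (pairwise half-differences)."""
    x = list(x)
    if len(x) % 2:  # odd length: repeat the last sample so the pairs line up
        x.append(x[-1])
    approx = [(x[i] + x[i + 1]) / 2 for i in range(0, len(x), 2)]
    detail = [(x[i] - x[i + 1]) / 2 for i in range(0, len(x), 2)]
    return approx, detail


def haar_inverse(approx: Sequence[float], detail: Sequence[float]) -> List[float]:
    """Exact inverse of haar_forward for even-length input."""
    out: List[float] = []
    for a, d in zip(approx, detail):
        out.extend((a + d, a - d))
    return out


def soft_threshold(coeffs: Sequence[float], thr: float) -> List[float]:
    """Shrink every coefficient towards zero by thr; small (noise) coefficients vanish."""
    return [math.copysign(max(abs(c) - thr, 0.0), c) for c in coeffs]


def universal_threshold(detail: Sequence[float]) -> float:
    """Noise level from the median absolute detail coefficient (MAD / 0.6745), scaled by sqrt(2 ln N)."""
    if len(detail) < 2:
        return 0.0
    mad = sorted(abs(d) for d in detail)[len(detail) // 2]
    return (mad / 0.6745) * math.sqrt(2.0 * math.log(len(detail)))


def denoise(x: Sequence[float]) -> List[float]:
    """Denoise x: forward Haar, shrink the detail band, invert, trim any padding."""
    approx, detail = haar_forward(x)
    cleaned = haar_inverse(approx, soft_threshold(detail, universal_threshold(detail)))
    return cleaned[: len(x)]


# Constructed sample: syn_sent packets per minute, a jittery baseline plus a burst.
SAMPLE = [5, 6, 4, 7, 5, 400, 900, 650, 6, 5]

if __name__ == "__main__":
    print([round(v, 2) for v in denoise(SAMPLE)])
```

With the constructed sample the baseline minutes come out as a flat 5.5 while the three burst minutes keep values in the hundreds, so the burst is what the later threshold comparison sees.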
Fig. 21 is a block diagram illustrating a structure of a distributed denial of service attack detection apparatus according to an embodiment of the present application, where the detection apparatus includes:
the traffic obtaining module 2110 is configured to obtain, in a local area network, traffic data sent by a first device to the outside of the local area network within a first time period;
the data extraction module 2120 is configured to acquire the feature data matching the feature type in the flow data and to obtain the first distribution data according to the distribution of the feature data in the first time period;
the statistical module 2120 is configured to obtain the first statistical value according to the first distribution data;
the data acquisition module 2140 is configured to acquire the historical traffic data sent by the first device to the outside of the local area network within a historical time period;
the threshold calculation module 2150 is configured to obtain the first threshold according to the historical flow data;
the determining module 2160 is configured to compare the first statistical value with the first threshold and, if the first statistical value is greater than the first threshold, to determine that the first device has sent out a distributed denial of service attack.
In the apparatus of fig. 21, the historical traffic data changes adaptively, so that the size of the first threshold tracks the current traffic scenario. Compared with manually setting a fixed static threshold condition, this way of obtaining a dynamic first threshold from the historical traffic data effectively detects distributed denial of service attacks sent out from within the local area network.
Fig. 22 is a block diagram illustrating a structure of a distributed denial of service attack detection apparatus according to an embodiment of the present application, where the apparatus includes: at least one processor 2210, at least one memory 2220, and at least one program stored on memory 2220 and executable on processor 2210 to implement a method of detecting a distributed denial of service attack as in the above-described embodiments.
The processor 2210 and the memory 2220 may be connected by a bus or by other means; fig. 22 shows a bus connection.
Fig. 23 is a computer device provided in an embodiment of the application, where the computer device includes the detection apparatus for a distributed denial of service attack in the above-described embodiment.
An embodiment of the present application further provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor or controller, for example by the processor 2210 in fig. 22, cause the processor 2210 to perform the user identification generation method in the embodiment of the present application, for example the method steps 301 to 306 of fig. 3, the method steps 501 to 502 of fig. 5, the method step 610 of fig. 6, the method steps 810 to 830 of fig. 8, the method steps 1210 to 1220 of fig. 12, the method steps 1410 to 1440 of fig. 14, and the method steps 1610 to 1650 of fig. 16 described above.
The above-described embodiments of the apparatus are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may also be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
One of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
While the preferred embodiments of the present invention have been described, the present invention is not limited to the above embodiments, and those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of the present invention, and such equivalent modifications or substitutions are included in the scope of the present invention defined by the claims.

Claims (15)

1. A method for detecting a distributed denial of service attack, comprising:
acquiring flow data sent by first equipment to the outside of a local area network within a first time period in the local area network;
acquiring feature data matching a feature type in the flow data, and obtaining first distribution data according to the distribution of the feature data in the first time period;
obtaining a first statistical value according to the first distribution data;
acquiring historical traffic data sent to the outside of a local area network by the first equipment in a historical time period;
obtaining a first threshold value according to the historical flow data;
and comparing the first statistical value with the first threshold, and if the first statistical value is greater than the first threshold, determining that the first device sends out the distributed denial of service attack.
2. The method of claim 1, wherein the feature type comprises at least one of a protocol type, a traffic speed, a packet length, a time-to-live (TTL) value, a source port, a destination port, and a source internet protocol (IP) number.
3. The method according to claim 1, wherein the first statistical value is any one of a minimum value, a maximum value, and an average value of the first distribution data.
4. The method of claim 1, wherein deriving a first statistical value from the first distribution data comprises:
carrying out noise reduction processing on the first distribution data;
and obtaining a first statistical value according to the first distribution data subjected to noise reduction processing.
5. The method of claim 1, wherein said deriving a first threshold from said historical flow data comprises:
obtaining second distribution data according to the distribution of the historical flow data in the first time period;
and obtaining a first threshold value according to the second distribution data.
6. The method of claim 5, wherein the deriving second distribution data from the distribution of the historical traffic data over the first time period comprises:
and obtaining the second distribution data as the sum of the mean value and the variance value of the historical flow data over a plurality of first time periods.
7. The method of claim 5, wherein said deriving a first threshold from said second distribution data comprises:
acquiring a peak value of historical flow data in the second distribution data;
adding the peak value to a first increment to obtain a second threshold value;
the second threshold value is taken as the first threshold value, or a multiple of the second threshold value is taken as the first threshold value.
8. The method of claim 7, wherein the first increment is a standard deviation of the second distribution data.
9. The method of claim 7, wherein deriving a first statistical value from the first distribution data comprises:
and comparing the first distribution data with the second threshold value, and acquiring the accumulated sum of the flow data of the part, which is greater than the second threshold value, in the first distribution data, wherein the accumulated sum is the first statistical value.
10. The method of claim 7, wherein deriving a first statistical value from the first distribution data comprises:
obtaining a difference value between the first distribution data and the peak value to obtain third distribution data;
and comparing the third distribution data with the second threshold value to obtain the accumulated sum of the flow data of the part, which is greater than the second threshold value, in the third distribution data.
11. The method according to any one of claims 1 to 10, further comprising the steps of:
determining second equipment which does not send out the distributed denial of service attack in the local area network;
acquiring contrast flow data sent by the second equipment to the outside of the local area network within the first time period;
obtaining a third threshold value according to the comparison flow data;
comparing the first statistical value with the first threshold, and if the first statistical value is greater than the first threshold, determining that the first device sends out a distributed denial of service attack, including:
and comparing the first statistical value with the first threshold and a third threshold, and if the first statistical value is greater than the first threshold and greater than the third threshold, determining that the first device sends out a distributed denial of service attack.
12. The method of claim 11, wherein said deriving a third threshold from said comparative flow data comprises:
acquiring feature data matching the feature type in the comparison flow data, and obtaining fourth distribution data according to the distribution of the feature data in the first time period;
and acquiring the maximum value of the fourth distributed data, and adding a second increment to the maximum value of the fourth distributed data to obtain a third threshold, wherein the second increment is the difference value between the maximum value and the average value of the fourth distributed data.
13. The method of claim 11, wherein the step of determining a second device within the local area network that has not issued a distributed denial of service attack comprises:
acquiring feature data matching the feature type in the comparison flow data, and obtaining fourth distribution data according to the distribution of the feature data in the first time period;
obtaining a second statistical value according to the fourth distribution data;
acquiring comparison historical flow data sent by the second equipment to the outside of the local area network within a historical time period;
obtaining a fourth threshold value according to the comparison historical flow data;
and comparing the second statistic value with the fourth threshold value, and if the second statistic value is smaller than the fourth threshold value, determining the second equipment.
14. A distributed denial of service attack detection apparatus, comprising:
the flow acquisition module is used for acquiring flow data sent by first equipment to the outside of the local area network within a first time period in the local area network;
the data extraction module is used for acquiring feature data which accord with feature types in the flow data and obtaining first distribution data according to the distribution of the feature data in a first time period;
the statistical module is used for obtaining a first statistical value according to the first distribution data;
the data acquisition module is used for acquiring historical traffic data sent to the outside of the local area network by the first equipment in a historical time period;
the threshold value calculation module is used for obtaining a first threshold value according to the historical flow data;
and the judging module is used for comparing the first statistical value with the first threshold value, and if the first statistical value is larger than the first threshold value, determining that the first equipment sends out the distributed denial of service attack.
15. A distributed denial of service attack detection apparatus, comprising:
at least one memory;
at least one processor;
at least one program;
the at least one program is stored in the memory, and the processor executes the at least one program to implement the method of detecting a distributed denial of service attack as set forth in any one of claims 1 to 13.
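The detection procedure described for the traffic monitoring program above and laid out in claims 1 and 5 to 13 (historical per-minute profile, second and first thresholds, accumulated statistic, control-host third threshold), carried through in Python as an added example that is not the patent's own code. The multiplier between the two thresholds, the sample per-minute syn_sent counts, the three historical periods and the control host's data are constructed assumptions, since the patent fixes none of them; the per-minute counts are assumed to have come out of the feature-extraction step already. `first_statistic` follows the literal wording of claim 9 (the sum of the minutes whose count exceeds the second threshold), `first_statistic_over_peak` the claim 10 variant, and `detect` applies claim 11's rule that the statistic must exceed both the first and the third threshold before an alarm is raised.

```python
"""Dynamic-threshold detection of an outbound DDoS attack from one LAN host.

Added example written for this page; it is not the patent's own code.
It follows claims 1 and 5-13: a historical per-minute profile (second
distribution data) gives a second threshold (peak + standard deviation) and a
first threshold (a multiple of the second); the current period's accumulated
count above the second threshold is the first statistical value; a
non-attacking control host supplies a third threshold that the statistic must
also exceed. Assumptions not fixed by the patent: the multiplier below, and
that per-minute syn_sent packet counts were produced by the feature extraction.
"""
from statistics import mean, pstdev, pvariance
from typing import Dict, List, Optional, Sequence

# Claim 7 only says "a multiple of the second threshold"; 3 is this example's choice.
THRESHOLD_MULTIPLE = 3.0


def second_distribution(history: Sequence[Sequence[float]]) -> List[float]:
    """Claim 6: per minute, mean plus variance of the count across historical periods."""
    periods = [list(p) for p in history]
    if any(len(p) != len(periods[0]) for p in periods):
        raise ValueError("historical periods must all cover the same number of minutes")
    return [mean(col) + pvariance(col) for col in zip(*periods)]


def second_threshold(second_dist: Sequence[float]) -> float:
    """Claims 7 and 8: historical peak plus the standard deviation of the profile."""
    return max(second_dist) + pstdev(second_dist)


def first_threshold(second_thr: float, multiple: float = THRESHOLD_MULTIPLE) -> float:
    """Claim 7: the first threshold is a multiple of the second threshold."""
    return multiple * second_thr


def first_statistic(first_dist: Sequence[float], second_thr: float) -> float:
    """Claim 9: accumulated sum of the minutes whose count exceeds the second threshold.

    Minutes at or below the threshold contribute nothing, so a quiet period
    yields 0 and an isolated small exceedance stays far below the first threshold.
    """
    return float(sum(x for x in first_dist if x > second_thr))


def first_statistic_over_peak(first_dist: Sequence[float], peak: float, second_thr: float) -> float:
    """Claim 10 variant: subtract the historical peak first, then accumulate the excess."""
    return float(sum(d for d in (x - peak for x in first_dist) if d > second_thr))


def third_threshold(control_dist: Sequence[float]) -> float:
    """Claim 12: control host's maximum plus (maximum minus mean) of its current period."""
    peak = max(control_dist)
    return peak + (peak - mean(control_dist))


def is_control_device(control_dist: Sequence[float], control_history: Sequence[Sequence[float]],
                      multiple: float = THRESHOLD_MULTIPLE) -> bool:
    """Claim 13: a host whose current maximum stays below its own dynamic (fourth) threshold."""
    fourth_thr = first_threshold(second_threshold(second_distribution(control_history)), multiple)
    return max(control_dist) < fourth_thr


def detect(first_dist: Sequence[float], history: Sequence[Sequence[float]],
           control_dist: Optional[Sequence[float]] = None,
           multiple: float = THRESHOLD_MULTIPLE) -> Dict[str, object]:
    """Claims 1 and 11: alarm only if the statistic beats the first (and, if given, third) threshold."""
    thr2 = second_threshold(second_distribution(history))
    thr1 = first_threshold(thr2, multiple)
    stat = first_statistic(first_dist, thr2)
    attack = stat > thr1
    result: Dict[str, object] = {"second_threshold": thr2, "first_threshold": thr1, "statistic": stat}
    if control_dist is not None:
        thr3 = third_threshold(control_dist)
        result["third_threshold"] = thr3
        attack = attack and stat > thr3
    result["attack"] = attack
    return result


# Constructed sample data: syn_sent packets per minute over a 10-minute first time period.
HISTORY = [  # three earlier periods from the same host (source of the second distribution data)
    [4, 6, 5, 7, 5, 6, 4, 5, 6, 5],
    [5, 5, 6, 6, 4, 7, 5, 6, 5, 4],
    [6, 4, 5, 5, 6, 5, 6, 4, 5, 6],
]
CURRENT_ATTACK = [5, 6, 4, 7, 5, 400, 900, 650, 6, 5]  # burst in minutes 5-7
CURRENT_BENIGN = [5, 6, 4, 7, 5, 6, 5, 7, 6, 5]
CONTROL_HISTORY = [  # history of a second, non-attacking host (claim 13)
    [5, 6, 6, 5, 7, 6, 5, 6, 7, 5],
    [6, 5, 7, 6, 6, 5, 6, 7, 6, 6],
    [5, 7, 6, 5, 6, 7, 5, 6, 6, 5],
]
CONTROL_CURRENT = [5, 7, 6, 5, 8, 6, 5, 7, 6, 5]

if __name__ == "__main__":
    print("control host qualifies:", is_control_device(CONTROL_CURRENT, CONTROL_HISTORY))
    for label, dist in (("attack", CURRENT_ATTACK), ("benign", CURRENT_BENIGN)):
        print(label, detect(dist, HISTORY, CONTROL_CURRENT))
```

With the constructed data the historical profile peaks just under 7 packets per minute, so the second threshold is about 7 and the first about 21; the burst period accumulates a statistic of 1950 and trips the alarm, while the benign period accumulates nothing because none of its minutes clears the second threshold. Note that the control host is only admitted as a comparison after claim 13's check that its own maximum stays below its dynamic threshold; a control host that is itself attacking would otherwise inflate the third threshold and mask the alarm.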
CN202010273353.4A 2020-04-09 2020-04-09 Method and device for detecting distributed denial of service attack and computer equipment thereof Active CN113518057B (en)

Publications (2)

Publication Number, Publication Date
CN113518057A (en), 2021-10-19
CN113518057B (en), 2024-03-08

Family

ID=78060257

Legal Events

Code, Title
PB01, Publication
SE01, Entry into force of request for substantive examination
GR01, Patent grant