CN113518064A - Defense method and device for challenging black hole attack, computer equipment and storage medium - Google Patents


Info

Publication number: CN113518064A
Authority: CN (China)
Prior art keywords: request, url, access, model, data
Legal status: Granted
Application number: CN202110307308.0A
Other languages: Chinese (zh)
Other versions: CN113518064B (en)
Inventors: 李祯, 范渊
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202110307308.0A
Publication of CN113518064A
Application granted; publication of CN113518064B
Legal status: active

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14, detecting or protecting against malicious traffic; H04L63/00, network architectures or protocols for network security; H04L, transmission of digital information; H04, electric communication technique; H, electricity)
    • G06N3/08 Learning methods (under G06N3/02, neural networks; G06N3/00, computing arrangements based on biological models; G06N, computing arrangements based on specific computational models; G06, computing, calculating or counting; G, physics)
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network (under H04L41/14, network analysis or design; H04L41/00, maintenance, administration or management of data switching networks)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/0227, filtering policies; H04L63/02, separating internal from external traffic, e.g. firewalls)
    • H04L63/1433 Vulnerability analysis (under H04L63/14, detecting or protecting against malicious traffic)

Abstract

The application relates to a defense method, device, computer equipment and storage medium for Challenge Collapsar (CC) attacks, rendered "challenge black hole attacks" in the machine-translated title. The method comprises: acquiring url request data from a url access request; inputting the request data into a pre-trained url request model to obtain a request quantity threshold, the url request model being a machine learning model trained on the access behavior data of the target site; and determining whether to pass the url access request based on the request quantity threshold. The method reduces the mistaken interception of normal, human-generated access requests and improves the probability of distinguishing real attacks.

Description

Defense method and device for challenging black hole attack, computer equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a defense method and apparatus for challenging black hole attacks, a computer device, and a storage medium.
Background
A Challenge Collapsar attack (CC attack; the Chinese name is rendered "challenge black hole attack" throughout this translation) is a page-level Distributed Denial of Service (DDoS) attack. Most CC attacks exhaust host resources rather than bandwidth, so they do not produce conspicuously large abnormal traffic. The attacker uses proxies and compromised hosts (zombies, "broilers" in the literal translation) to generate a large number of well-formed web page requests, all directed at one victim host. The victim passively accepts the requests, spends time and computing power responding to the attacker, and finally collapses. Because each CC request is individually a normal request, a packet-filtering hardware firewall cannot screen them out.
A common CC defense rule intercepts a source IP once its request count exceeds a threshold: when access exceeds the threshold, the web back-end generates one or more random numbers, each mapped to a picture containing a problem to be solved; the pictures are stored in binary form in a database (or file system), linked into a dynamic page by the web server and returned to the browser as a verification picture, and the browser returns the user's answer to the web server. The main drawbacks of this scheme are: 1) the web back-end usually sets a single access threshold without considering factors such as url type and access time range, which harms the user experience; 2) picture verification is hard to maintain: because the pictures are not generated in real time but drawn from a pre-generated pool, they are reused, and an attacker with strong image-recognition capability can enumerate and learn the pool and then replay the answers; 3) during site promotions or other bursts of concentrated access, legitimate users are easily intercepted by mistake.
Disclosure of Invention
The embodiments of the present application provide a defense method, device, computer equipment and storage medium for CC attacks, so as to at least solve the problems of the related art that the defense threshold is set unreasonably and that false interception occurs easily.
In a first aspect, an embodiment of the present application provides a defense method for challenging a black hole attack, including:
acquiring url request data according to the url access request;
inputting the request data into a url request model trained in advance to obtain a request quantity threshold; the url request model is a machine learning model obtained based on the access behavior data training of the target site;
determining whether to pass the url access request based on the request quantity threshold.
In some of these embodiments, the url request model includes at least one of a request rate baseline and a request dispersion baseline; the request rate baseline is the rate at which a single request end issues the same url access request; the request dispersion baseline is the number of distinct urls a single request end requests within the request time interval.
In some embodiments, the url request model includes a request rate baseline, and before extracting url request data according to the url access request, the method further includes:
acquiring access behavior data of the target site;
extracting training samples from the access behavior data, the training samples comprising the access rates of different url addresses by a single request end in different request time intervals;
and taking the request time interval and the url address of a single request end as the input of the url request model, and the access rate of the target site for that url address in the request time interval as its output, training to obtain the request rate baseline.
In some embodiments, the url request model includes a request dispersion baseline, and before extracting url request data according to the url access request, the method further includes:
acquiring access behavior data of the target site;
extracting training samples from the access behavior data, the training samples comprising the request dispersion of url access requests by a single request end within a request time interval;
and taking the request time interval of a single request end as the input of the url request model, and the request dispersion of that request end in the request time interval as its output, training to obtain the request dispersion baseline.
In some of these embodiments, determining whether to pass the url access request based on the request quantity threshold comprises:
when at least one url access request of the target site exceeds the request quantity threshold, obtaining a corresponding request IP and a corresponding request timestamp according to the url request data;
generating a check url corresponding to the url access request according to the request IP and the request timestamp and returning the check url to the client;
and determining whether to pass the url access request according to the check url.
In some of these embodiments, determining whether to pass the url access request based on the check url includes:
when prompt information triggered by a verification operation performed by the user on the check url is received, determining whether to release the url access request according to the prompt information; otherwise, blocking the url access request.
In some of these embodiments, the verification operation includes at least one of:
dragging operation through a slider and clicking operation through a designated control.
In a second aspect, an embodiment of the present application provides a defense apparatus for challenging black hole attack, including:
a request data acquisition unit, configured to acquire url request data according to the url access request;
a request quantity threshold value obtaining unit, configured to input the request data into a url request model trained in advance, so as to obtain a request quantity threshold value; the url request model is a machine learning model obtained based on the access behavior data training of the target site;
and the attack judging unit is used for judging whether to release the url access request based on the request quantity threshold.
In a third aspect, an embodiment of the present application provides a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor, when executing the computer program, implements the defense method for challenging black hole attacks according to the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the defense method against black hole attacks as described in the first aspect above.
Compared with the related art, the defense method for CC attacks trains a machine learning model on the access behavior data of the target site, inputs request data into the pre-trained url request model to obtain a request quantity threshold, and decides whether to release the url access request based on that threshold, so that a more soundly based CC protection threshold is derived from the access requests themselves, mistaken interception of normal, human-generated access requests is reduced, and the probability of distinguishing real attacks is improved.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic flow chart of a defense method for challenging black hole attacks in one embodiment of the present application;
FIG. 2 is a block diagram of a process for training a machine learning model based on access behavior data according to an embodiment of the present application;
FIG. 3 is a schematic flow chart illustrating the determination of whether to pass the url access request based on the request amount threshold in one embodiment of the present application;
FIG. 4 is a block diagram of a CC attack defense process in one embodiment of the present application;
FIG. 5 is a block diagram of a defense device for challenging black hole attacks in one embodiment of the present application;
fig. 6 is a schematic structural diagram of a computer device in one embodiment of the present application.
Description of the drawings: 201. a request data acquisition unit; 202. a request amount threshold acquisition unit; 203. an attack determination unit; 30. a bus; 31. a processor; 32. a memory; 33. a communication interface.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
With the continuous development of computer network technology, the normal operation of enterprises and the working life of individuals increasingly depend on the network technology. The network technology brings operating efficiency and convenience to people and brings opportunities to attackers in the network. At present, network attacks of an application layer are more and more diversified, and service safety threats are more and more severe.
The Challenge Collapsar attack (CC attack) is one such network attack, and there are mainly three CC attack modes: a single host faking many IP addresses, a proxy-server-group attack, and a botnet attack. In the single-host mode, the attacker uses one host to fake many IP addresses and sends access request packets to a designated page of the server; once the server cannot keep up with these requests, the page stops responding to normal users and normal access is denied. In the proxy-server-group mode, the attacking host sends a page access request to a proxy server, immediately disconnects, and immediately sends the next request; because the proxy server will fetch the designated page resource from the application server once it has received the request, the application server is flooded, the page stops responding to normal users, and normal access is denied. In the botnet mode, the attacker sends an attack instruction from a controlling host to the botnet hosts, which automatically send page access requests to the application server; a botnet of sufficient size produces enormous traffic against the server's pages and can paralyze the server.
The embodiment provides a defense method for challenging black hole attacks. Fig. 1 is a flowchart of a defense method for challenging black hole attack according to an embodiment of the present application, and as shown in fig. 1, the flowchart includes the following steps:
and step S101, acquiring url request data according to the url access request.
In this embodiment, the defense method for CC attacks may be used in the process by which a network device detects and defends against network attack behavior (such as DDoS attacks like the CC attack). The network device may be a mobile phone, a tablet, a computer, an MID (Mobile Internet Device), a smart TV, etc., and is equipped with products such as a WAF (Web Application Firewall), a vulnerability scanner and a firewall for defending against network attacks. A client accesses the network device over the network to request resources from a server, which may be a website server (such as a web server or HTTP server), a file server, a database server or an application server; there may be one or more clients and servers.
In this embodiment, when a client initiates a url access request to the target site, the url access request is analyzed to obtain url request data, where the url request data at least includes a uniform resource locator (url) address corresponding to the url access request, access times within a request time interval, a request IP, a request timestamp, and the like.
Step S102, inputting the request data into a url request model trained in advance to obtain a request quantity threshold; the url request model is a machine learning model obtained based on the access behavior data of the target site.
In this embodiment, the machine learning model may be obtained by training an artificial neural network. According to the amount of information the environment provides, neural-network learning is classified as supervised, unsupervised or reinforcement learning. Preferably, supervised learning is used: the environment provides a training sample set of given inputs and expected outputs, and the network repeatedly adjusts its parameters according to the error between its actual output and the expected output so as to improve its performance, which constitutes the training process.
As shown in fig. 2, in the present embodiment a large amount of access behavior data is generated in daily network access. A training sample set is drawn from the access behavior data of the target site and used to train the machine learning model. Specifically, after a url access request initiated by a client has passed the web firewall rules, it is forwarded to the network device and also fed into modeling learning to obtain the url request model.
In this embodiment, after the url request model is obtained, the request quantity threshold corresponding to the request data is obtained by using the model, so that the request quantity threshold can more scientifically reflect the threshold condition of the normal access request, and the accuracy of defense identification is improved.
Step S103, whether to pass the url access request is judged based on the request quantity threshold value.
In this embodiment, whether to release the url access request is decided by comparing the access amount of the request data with the request quantity threshold. Specifically, when the access amount exceeds the request quantity threshold, the url access request corresponding to the request data is treated as suspected attack behavior and further attack detection is triggered; when attack behavior is confirmed, the url access request is blocked, so that two layers of defense are formed. Note that the access amount of the url access request and the request quantity threshold are compared in the same dimension, where the dimension includes at least one of a url access time period, a url address and an attack mode, and may be chosen according to the real-time and accuracy requirements of the attack defense; the present application does not limit this.
In summary, the defense method for CC attacks provided by the embodiment trains a machine learning model on the access behavior data of the target site, inputs request data into the pre-trained url request model to obtain a request quantity threshold, and decides whether to release the url access request based on that threshold. A more soundly based CC protection threshold is thus derived from the bulk of url access requests, the mistaken interception of normal, human-generated access requests is reduced, and the probability of distinguishing real attacks is improved.
The embodiments of the present application are described and illustrated below by means of preferred embodiments.
Based on the foregoing embodiments, in some of the embodiments, the url request model includes at least one of a request rate baseline and a request dispersion baseline, and the request quantity threshold may be a request rate threshold and/or a request dispersion threshold.
In this embodiment, the request rate baseline is the rate at which a single request end issues the same url access request. Specifically, it may be the ratio of the number of requests a single request end makes for the same url to the request time interval, i.e. the average rate of a given url access request over the interval. The request time interval is preset as required; the request rate baseline varies with the request time interval, and the baselines for different intervals may be the same or different. The request dispersion baseline is the number of request items a single request end makes within the request time interval, i.e. how many different url addresses a single request end requests within that interval.
In a specific embodiment, the url request model includes a request rate baseline, and before extracting url request data according to the url access request, the method further includes the following steps: acquiring access behavior data of a target site; extracting training samples from the visit behavior data; the training sample comprises the access rates of different url addresses in different request time intervals of a single request end; and taking the request time interval and the url address of a single request end as the input of a url request model, and taking the access rate of a target station corresponding to the url address in the request time interval as the output of the url request model for training to obtain a request rate baseline.
In another specific implementation, the url request model includes a request dispersion baseline, and before extracting url request data according to a url access request, the method further includes: acquiring access behavior data of the target site; extracting training samples from the access behavior data, the training samples comprising the request dispersion of url access requests by a single request end within a request time interval; and taking the request time interval of a single request end as the input of the url request model and the corresponding request dispersion as its output for training, to obtain the request dispersion baseline. The request dispersion can be calculated as follows. For example, with a request time interval of 60 s and 100 request ends, each generating url access requests for a varied set of urls: request end A requests 10 different urls within the 60 s, request end B 60 different urls, and request end C 40 different urls. The number of distinct request items is computed for each of the 100 request ends, the counts are sorted in descending order, and the median is taken as the request dispersion of a single request end. Preferably, the maximum and minimum are removed before the median is taken. More preferably, a median is taken between that median and the maximum to obtain the request dispersion of a single request end.
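The two baselines described above, computed from constructed access records, as an added example; this is not the patent's code and not DBAPPSecurity's implementation. The patent trains a neural network on the site's access behavior data; here the model is replaced by the descriptive statistics the text itself describes, which is a stand-in: the request rate baseline is taken as an upper quantile of per-request-end rates for each (time interval, url) pair (the quantile is an assumption), and the request dispersion baseline follows the recipe of counting distinct urls per request end, trimming the maximum and minimum, taking the median, then taking the median of the values between that median and the maximum (one reading of the text's wording). The record layout, the 60 s interval and all addresses are constructed.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

WINDOW = 60  # request time interval in seconds (assumption: fixed 60 s buckets)

# Constructed access records (epoch seconds, request end IP, url). Four request
# ends inside one 60 s interval starting at t=1020; all values are made up.
SAMPLE_LOG: List[Tuple[int, str, str]] = (
    [(1020 + i, "10.0.0.1", f"/page/{i % 10}") for i in range(30)]    # 30 req, 10 distinct urls
    + [(1020 + i, "10.0.0.2", f"/page/{i % 60}") for i in range(60)]  # 60 req, 60 distinct urls
    + [(1020 + i, "10.0.0.3", f"/page/{i % 40}") for i in range(45)]  # 45 req, 40 distinct urls
    + [(1020 + i, "10.0.0.4", "/login") for i in range(20)]           # 20 req, 1 distinct url
)


def bucket(ts: int) -> int:
    """Start of the request time interval that contains ts."""
    return ts - ts % WINDOW


def per_client_counts(log):
    """Count requests per (interval, request end, url) and collect the distinct
    urls each request end touched in each interval."""
    per_url: Dict[Tuple[int, str, str], int] = defaultdict(int)
    distinct: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for ts, ip, url in log:
        w = bucket(ts)
        per_url[(w, ip, url)] += 1
        distinct[(w, ip)].add(url)
    return per_url, distinct


def request_rate_baseline(log, quantile: float = 0.9) -> Dict[Tuple[int, str], float]:
    """Request rate baseline: for each (interval, url), the per-request-end rate
    (requests / WINDOW) at an upper quantile across request ends. The patent
    learns this (interval, url) -> rate mapping with a model; the nearest-rank
    quantile used here is an assumption standing in for that model."""
    per_url, _ = per_client_counts(log)
    rates: Dict[Tuple[int, str], List[float]] = defaultdict(list)
    for (w, _ip, url), n in per_url.items():
        rates[(w, url)].append(n / WINDOW)
    baseline: Dict[Tuple[int, str], float] = {}
    for key, vals in rates.items():
        vals.sort()
        baseline[key] = vals[int(round(quantile * (len(vals) - 1)))]
    return baseline


def request_dispersion_baseline(log) -> Dict[int, float]:
    """Request dispersion baseline per interval, following the text: distinct
    urls per request end, sorted; drop the maximum and minimum; take the median;
    then take the median of the values lying between that median and the
    maximum as the dispersion of a single request end."""
    _, distinct = per_client_counts(log)
    by_window: Dict[int, List[int]] = defaultdict(list)
    for (w, _ip), urls in distinct.items():
        by_window[w].append(len(urls))
    baseline: Dict[int, float] = {}
    for w, items in by_window.items():
        items.sort()
        trimmed = items[1:-1] if len(items) > 2 else items   # drop max and min
        med = median(trimmed)
        upper = [v for v in trimmed if v >= med]             # median .. maximum
        baseline[w] = median(upper)
    return baseline


def request_ends_over_baseline(log) -> Set[str]:
    """Request ends whose distinct-url count in an interval exceeds that
    interval's request dispersion baseline (the step S103 comparison, for this
    one dimension only)."""
    base = request_dispersion_baseline(log)
    _, distinct = per_client_counts(log)
    return {ip for (w, ip), urls in distinct.items() if len(urls) > base[w]}


if __name__ == "__main__":
    print("rate baseline:", request_rate_baseline(SAMPLE_LOG))
    print("dispersion baseline:", request_dispersion_baseline(SAMPLE_LOG))
    print("over baseline:", request_ends_over_baseline(SAMPLE_LOG))
```

On the constructed records the distinct-url counts are 1, 10, 40 and 60; trimming leaves 10 and 40, the median is 25, and the median of the values from 25 up to the maximum is 40, so only the request end that touched 60 distinct urls is flagged. The request end that hit the same url 20 times is left to the request rate baseline, which is why the patent combines the two.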
It is understood that, in other embodiments, the url request model may also be a CPU occupancy baseline, a traffic baseline, and the like of the target station, and the present application is not particularly limited.
As shown in fig. 3, on the basis of the above embodiments, in some of the embodiments, determining whether to pass the url access request based on the request amount threshold includes:
step S1031, when at least one url access request of the target site exceeds the request quantity threshold, obtaining a corresponding request IP and a request timestamp according to the url request data;
step S1032, generating a verification url corresponding to the url access request according to the request IP and the request timestamp, and returning the verification url to the client.
In this embodiment, the request data is input into the pre-trained url request model and a request quantity threshold is obtained from at least one of the request rate baseline and the request dispersion baseline, i.e. a request rate threshold and/or a request dispersion threshold. When the request rate and/or request dispersion of at least one url access request to the target site exceeds the corresponding threshold, suspected attack behavior is judged to exist and suspected-attack handling is carried out.
In this embodiment, the access request is parsed to obtain the request IP and the timestamp of the request, a check url is formed from the request IP and the request timestamp, and the check url is returned to the client for verification. Optionally, the request timestamp may be appended to the request IP as a suffix to form the check url; the present application does not limit this.
And step S1033, determining whether to pass the url access request according to the check url. Specifically, determining whether to release the url access request according to the check url includes: and when prompt information triggered by the verification operation of the user based on the verification url is received, determining whether to release the url access request according to the prompt information.
For example, in one particular embodiment, the verification operation includes a click operation through a designated control. Specifically, a JS script file may be configured in the verification url, so as to return the verification url including the specified control to the client. Therefore, when people frequently visit, the appointed control is manually clicked, and prompt information of successful verification can be triggered and returned. And releasing the url access request after receiving the prompt message of successful verification. Optionally, the prompt message may be an associated url that feeds back the verification success message. However, if the specific control cannot be clicked in the attack behavior of the machine script, the prompt message for successful verification cannot be triggered, and the url access request is blocked after the prompt message for successful verification is not received, so that the attack request cannot be sent.
It is understood that the verification operation may also be another designated operation, such as dragging a slider; for example, when the slider is dragged correctly with the mouse within 5 seconds, prompt information indicating that verification succeeded is triggered.
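The check-url exchange of steps S1032 and S1033 above, as an added example that is not part of the patent. The patent only fixes the inputs (request IP and request timestamp), so the rest is assumed: the challenge path, the validity window, and an HMAC tag over IP and timestamp. The tag is worth adding in practice, because a check url made only of a client's own IP and a timestamp is predictable, so a script could mint one for itself or replay one that a real user completed; the gatekeeper below therefore records the held request under the issued check url, accepts a success prompt only from the issuing IP while the token is fresh, and releases each held request at most once. A request that never receives a valid prompt stays blocked, which is the second branch of claim 6.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

SECRET = b"example-secret-rotate-me"   # hypothetical server-side key; load from a key store in practice
CHALLENGE_PATH = "/__challenge"         # assumed path at which the JS control reports back
MAX_AGE_SECONDS = 120                   # assumed validity window of a check url


def _tag(ip: str, ts: int) -> bytes:
    """HMAC over (ip, timestamp): binds the check url to the issuing client so it cannot be forged or retargeted."""
    return hmac.new(SECRET, f"{ip}|{ts}".encode(), hashlib.sha256).hexdigest().encode()


def make_check_url(site: str, ip: str, ts: int) -> str:
    """Check url carrying the patent's request IP and request timestamp, plus our HMAC tag."""
    query = urlencode({"ip": ip, "ts": ts, "sig": _tag(ip, ts).decode()})
    return f"https://{site}{CHALLENGE_PATH}?{query}"


def verify_check_url(url: str, client_ip: str, now: int) -> bool:
    """Accept only if the tag verifies, the reporting client is the issuing IP, and the token is still fresh."""
    qs = parse_qs(urlparse(url).query)
    try:
        ip, ts, sig = qs["ip"][0], int(qs["ts"][0]), qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(sig.encode(), _tag(ip, ts)):
        return False
    return ip == client_ip and 0 <= now - ts <= MAX_AGE_SECONDS


class Gatekeeper:
    """Holds url access requests that exceeded the request quantity threshold until the client passes the check."""

    def __init__(self):
        self.pending = {}   # check url -> held request

    def challenge(self, site: str, ip: str, ts: int, request):
        """Suspected attack: build the check url, hold the request, and return the url for the client."""
        url = make_check_url(site, ip, ts)
        self.pending[url] = request
        return url

    def on_prompt(self, check_url: str, client_ip: str, now: int):
        """Called when the control click or slider drag reports success. Returns the released request, or None."""
        if check_url not in self.pending or not verify_check_url(check_url, client_ip, now):
            return None
        # One-time release: a replayed prompt releases nothing, and a held request that never
        # receives a valid prompt is never released, i.e. it stays blocked.
        return self.pending.pop(check_url)


if __name__ == "__main__":
    gk = Gatekeeper()
    url = gk.challenge("example.com", "203.0.113.5", 1_700_000_000, ("GET", "/index.html"))
    print(url)
    print(gk.on_prompt(url, "203.0.113.5", 1_700_000_010))   # released
    print(gk.on_prompt(url, "203.0.113.5", 1_700_000_010))   # None: already consumed
```

The JS control on the client only has to fetch the check url it was given once the human action completes; everything that decides release happens server-side in `on_prompt`, so a script that reaches the check url directly, from another address, or after the window has closed gains nothing.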
As shown in fig. 4, building on the above embodiments, in one embodiment the requesting end first initiates a url access request; the request data is then input into the url request model trained in advance to obtain the request quantity threshold, and whether the url access request reaches the request quantity threshold is judged. If the threshold is not reached, no suspected attack behavior is judged to exist and the threshold calculation is repeated for subsequent requests; if the threshold is reached, suspected attack behavior is judged to exist and is processed further. Specifically, a check url is obtained from the url request data and returned to the client, and the url access request is released to the network device only after prompt information of successful verification is received.
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here.
The embodiment also provides a defense device against challenge collapsar (black hole) attacks, which is used to implement the above embodiments and preferred embodiments; details that have already been described are not repeated. As used hereinafter, the terms "module," "unit," "subunit," and the like may denote a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 5 is a block diagram of a defense apparatus for challenging black hole attack according to an embodiment of the present application, and as shown in fig. 5, the apparatus includes: a request data acquisition unit 201, a request amount threshold acquisition unit 202, and an attack determination unit 203.
A request data obtaining unit 201, configured to obtain url request data according to the url access request;
a request quantity threshold obtaining unit 202, configured to input the request data into a url request model trained in advance, to obtain a request quantity threshold; the url request model is a machine learning model obtained based on the access behavior data training of the target site;
and the attack judgment unit 203 is used for judging whether to release the url access request based on the request quantity threshold value.
In some of these embodiments, the url request model includes at least one of a request rate baseline and a request dispersion baseline; the request rate baseline is the rate at which a single request end issues the same url access request, and the request dispersion baseline is the number of request items (url addresses) that a single request end accesses within a request time interval.
In some embodiments, the url request model includes a request rate baseline, and the defense device for challenging black hole attacks further includes: the device comprises a first access behavior data unit, a first training sample acquisition unit and a first training unit.
The first access behavior data unit is used for acquiring access behavior data of a target site;
the first training sample acquisition unit is used for extracting training samples from the visit behavior data; the training sample comprises the access rates of different url addresses in different request time intervals of a single request end;
and the first training unit is used for taking the request time interval and the url address of a single request end as the input of the url request model, and taking the access rate of a target station corresponding to the url address in the request time interval as the output of the url request model for training to obtain a request rate baseline.
In some embodiments, the url request model includes a request dispersion baseline, and the defense device for challenging black hole attack further includes: the system comprises a second access behavior data unit, a second training sample acquisition unit and a second training unit.
The second access behavior data unit is used for acquiring access behavior data of the target site;
the second training sample acquisition unit is used for extracting training samples from the visit behavior data; the training sample comprises request dispersion of url access requests in a single request end request time interval;
and the second training unit is used for taking the request time interval of the single request end as the input of the url request model, and taking the request dispersion of the single request end corresponding to the request time interval as the output of the url request model for training to obtain a request dispersion baseline.
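The two training units just described, together with the threshold step of the method (input request data into the model, compare against the request rate and request dispersion thresholds, treat an exceedance as a suspected attack), as one added example that is not the patent's own code. The patent does not name a learner, so the "model" here is assumed to be a per-url mean plus three standard deviations of the per-interval request count, with a site-wide fallback for urls never seen in training, and the dispersion baseline is read as the number of distinct urls a client requests within one interval. The interval length, the constant K, the base timestamp and the access logs are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

INTERVAL = 60         # request time interval in seconds (assumed value)
K = 3.0               # threshold = baseline mean + K * std; an assumed rule, the patent leaves the learner open
T0 = 1_700_000_040    # constructed epoch base, aligned to INTERVAL (1_700_000_040 % 60 == 0)


def synth_history():
    """Constructed access behavior data of the target site as (timestamp, client_ip, url). Not real traffic."""
    rows = []
    for itv in range(10):
        base = T0 + itv * INTERVAL
        for i, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
            for j in range(2 + (itv + i) % 3):        # 2 to 4 hits on /index.html per interval
                rows.append((base + 7 * j, ip, "/index.html"))
            rows.append((base + 30, ip, "/login"))    # exactly one login per interval
            if (itv + i) % 2 == 0:                    # sometimes one extra page
                rows.append((base + 40, ip, "/about"))
    return rows


def features(rows):
    """Per (client, interval): request count per url. The dispersion is the number of distinct urls in that map."""
    per = defaultdict(lambda: defaultdict(int))
    for ts, ip, url in rows:
        per[(ip, ts // INTERVAL)][url] += 1
    return per


def train(rows):
    """Learn the request rate baseline (per url, plus '*' for unseen urls) and the request dispersion baseline."""
    rate_samples, disp_samples = defaultdict(list), []
    for (ip, itv), urls in features(rows).items():
        for url, n in urls.items():
            rate_samples[url].append(n)
            rate_samples["*"].append(n)
        disp_samples.append(len(urls))   # distinct request items in this interval: our reading of "dispersion"
    rate_thr = {u: mean(v) + K * pstdev(v) for u, v in rate_samples.items()}
    disp_thr = mean(disp_samples) + K * pstdev(disp_samples)
    return rate_thr, disp_thr


def detect(rows, rate_thr, disp_thr):
    """Return (client_ip, interval, reason) for each client-interval that exceeds a threshold (suspected attack)."""
    hits = []
    for (ip, itv), urls in features(rows).items():
        if len(urls) > disp_thr:                  # many different urls in one interval: scanner-like
            hits.append((ip, itv, "dispersion"))
            continue
        for url, n in urls.items():
            if n > rate_thr.get(url, rate_thr["*"]):   # one url hammered: flood-like
                hits.append((ip, itv, "rate:" + url))
                break
    return hits


def live_window():
    """Constructed traffic for one later interval: one normal client, one flooder, one scanner."""
    base = T0 + 20 * INTERVAL
    rows = [(base + 7 * j, "198.51.100.1", "/index.html") for j in range(3)]
    rows.append((base + 30, "198.51.100.1", "/login"))
    rows += [(base + k, "203.0.113.9", "/index.html") for k in range(60)]   # 60 hits on one url
    rows += [(base + k, "203.0.113.10", f"/p{k}") for k in range(12)]       # 12 distinct urls, one hit each
    return rows


if __name__ == "__main__":
    rate_thr, disp_thr = train(synth_history())
    print({u: round(t, 2) for u, t in rate_thr.items()}, round(disp_thr, 2))
    for hit in detect(live_window(), rate_thr, disp_thr):
        print("challenge", hit)   # these client-intervals would be handed the check url
```

Each entry `detect` returns is the condition under which the attack judgment unit 203 would issue a check url; the normal client stays under both baselines, the flooder trips the rate threshold for /index.html, and the scanner trips the dispersion threshold even though no single url it touches is requested more than once. Recomputing the baselines on a schedule, rather than once, is what keeps a legitimately growing site from flagging its own users.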
In some embodiments, the attack determination unit 203 includes: the device comprises a request information acquisition module, a check url generation module and a judgment module.
A request information obtaining module, configured to obtain a corresponding request IP and a request timestamp according to the url request data when at least one url access request of the target site exceeds the request amount threshold;
the verification url generation module is used for generating a verification url corresponding to the url access request according to the request IP and the request timestamp and returning the verification url to the client;
and the judging module is used for determining whether to release the url access request according to the check url.
In some embodiments, the determining module comprises: the system comprises a first access request defense module and a second access request defense module.
The first access request defense module is used for, when a verification operation performed by the user on the check url triggers prompt information, determining whether to release the url access request according to that prompt information;
and the second access request defense module is used for blocking the url access request.
In some of these embodiments, the verification operation includes at least one of:
dragging operation through a slider and clicking operation through a designated control.
The above modules may be functional modules or program modules, and may be implemented in software or hardware. For a hardware implementation, the modules may all be located in the same processor, or may be distributed over different processors in any combination.
In addition, the defense method for challenging the black hole attack described in the embodiment of the present application in conjunction with fig. 1 may be implemented by a computer device. Fig. 6 is a hardware structure diagram of a computer device according to an embodiment of the present application.
The computer device may comprise a processor 31 and a memory 32 in which computer program instructions are stored.
Specifically, the processor 31 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
Memory 32 may include, among other things, mass storage for data or instructions. By way of example and not limitation, memory 32 may include a Hard Disk Drive (HDD), a floppy disk drive, a Solid State Drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 32 may include removable or non-removable (fixed) media, where appropriate. Memory 32 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, memory 32 is non-volatile memory. In particular embodiments, memory 32 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically Alterable ROM (EAROM), or flash memory, or a combination of two or more of these, where appropriate. The RAM may be Static Random-Access Memory (SRAM) or Dynamic Random-Access Memory (DRAM), where the DRAM may be Fast Page Mode DRAM (FPM DRAM), Extended Data Output DRAM (EDO DRAM), Synchronous DRAM (SDRAM), and the like.
The memory 32 may be used to store or cache various data files that need to be processed and/or used for communication, as well as possible computer program instructions executed by the processor 31.
The processor 31 may read and execute the computer program instructions stored in the memory 32 to implement any one of the above-described embodiments of the defense method against black hole attacks.
In some of these embodiments, the computer device may also include a communication interface 33 and a bus 30. As shown in fig. 6, the processor 31, the memory 32, and the communication interface 33 are connected via the bus 30 to complete mutual communication.
The communication interface 33 is used for implementing communication between modules, devices, units and/or equipment in the embodiment of the present application. The communication interface 33 may also enable communication with other components such as: the data communication is carried out among external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation and the like.
Bus 30 comprises hardware, software, or both, coupling the components of the computer device to each other. Bus 30 includes, but is not limited to, at least one of the following: a data bus, an address bus, a control bus, an expansion bus, and a local bus. By way of example and not limitation, bus 30 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-X bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), another suitable bus, or a combination of two or more of these. Bus 30 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable bus or interconnect is contemplated.
The computer device may execute the defense method for challenging black hole attacks in the embodiment of the present application based on the obtained program instructions, thereby implementing the defense method for challenging black hole attacks described in conjunction with fig. 1 to 4.
In addition, in combination with the defense method for challenging black hole attacks in the above embodiments, embodiments of the present application may provide a computer-readable storage medium to implement. The computer readable storage medium having stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement any of the above-described embodiments of a method of defending against a challenging black hole attack.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several embodiments of the present application, and although their description is relatively specific and detailed, it is not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within its scope of protection. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A defense method against challenge collapsar (black hole) attacks, comprising the following steps:
acquiring url request data according to the url access request;
inputting the request data into a url request model trained in advance to obtain a request quantity threshold; the url request model is a machine learning model obtained based on the access behavior data training of the target site;
determining whether to release the url access request based on the request quantity threshold.
2. The method of defending against a challenging black hole attack according to claim 1, wherein the url request model comprises at least one of a request rate baseline, a request dispersion baseline; the request rate baseline is the request rate of a single request end to the same url access request; the request dispersion baseline is the number of request items of a single request end to the url access request in the request time interval.
3. The method for defending against a challenge black hole attack as recited in claim 2, wherein the url request model comprises a request rate baseline, and before extracting url request data according to the url access request, further comprising:
acquiring access behavior data of a target site;
extracting training samples from the access behavior data; the training samples comprise the access rates of a single request end to different url addresses in different request time intervals;
and taking the request time interval and the url address of a single request end as the input of the url request model, and the access rate of the target site corresponding to that url address in that request time interval as the output of the url request model, and training to obtain a request rate baseline.
4. The method for defending against a challenge black hole attack according to claim 2, wherein the url request model includes a request dispersion baseline, and before extracting url request data according to a url access request, the method further comprises:
acquiring access behavior data of a target site;
extracting training samples from the access behavior data; the training samples comprise the request dispersion of the url access requests of a single request end within a request time interval;
and taking the request time interval of a single request end as the input of a url request model, and taking the request dispersion of the single request end corresponding to the request time interval as the output of the url request model for training to obtain a request dispersion baseline.
5. The method of claim 1, wherein determining whether to release the url access request based on the request quantity threshold comprises:
when at least one url access request of the target site exceeds the request quantity threshold, obtaining a corresponding request IP and a corresponding request timestamp according to the url request data;
generating a check url corresponding to the url access request according to the request IP and the request timestamp and returning the check url to the client;
and determining whether to release the url access request according to the check url.
6. The method of claim 5, wherein determining whether to release the url access request according to the check url comprises:
when prompt information triggered by a verification operation performed by the user on the check url is received, determining whether to release the url access request according to the prompt information; otherwise,
blocking the url access request.
7. The method of claim 6, wherein the verification operation comprises at least one of:
dragging operation through a slider and clicking operation through a designated control.
8. A defense apparatus for challenging black hole attacks, comprising:
a request data acquisition unit, configured to acquire url request data according to the url access request;
a request quantity threshold value obtaining unit, configured to input the request data into a url request model trained in advance, so as to obtain a request quantity threshold value; the url request model is a machine learning model obtained based on the access behavior data training of the target site;
and the attack judging unit is used for judging whether to release the url access request based on the request quantity threshold.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of defending against challenging black hole attacks according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a method of defending against a challenging black hole attack as claimed in any one of claims 1 to 7.
Application CN202110307308.0A, priority and filing date 2021-03-23, family ID 78061921, granted as CN113518064B (status: Active).

Publications (2)

Publication Number Publication Date
CN113518064A 2021-10-19
CN113518064B 2023-04-07
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant