CN113630394A - Method for defending ddos flow attack detection - Google Patents


Info

Publication number: CN113630394A
Application number: CN202110857125.6A
Authority: CN (China)
Prior art keywords: flow, value, template, traffic, address
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Other languages: Chinese (zh)
Inventor: 彭勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Jiangsu Wangqing Information Technology Co ltd
Original Assignee: Jiangsu Wangqing Information Technology Co ltd
Events: application filed by Jiangsu Wangqing Information Technology Co ltd; priority to CN202110857125.6A; publication of CN113630394A; current legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1458 Denial of Service
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of computer networks and discloses a method for defending against ddos flow attacks by detection, which comprises the following steps: s101: receiving an application flow request and monitoring the access request of a visiting IP; s102: judging whether the IP address is in the system white list; if so, entering step S109 to forward the request directly, and if not, entering step S103. The invention also provides a device for detecting and handling abnormal traffic attacks, which comprises a traffic receiving unit, a static filtering unit, a dynamic monitoring filtering unit and a processing unit connected in sequence. Through dynamic filtering of abnormal flow, the method screens out abnormal flow rapidly; abnormal flow is judged by comparing the flow value with the corresponding flow template value in the flow TOP N dynamic filter table, so that the accuracy rate of abnormal flow detection is improved and abnormal attacks are screened out from normal access behavior.

Description

Method for defending ddos flow attack detection
Technical Field
The invention relates to the technical field of computer networks, in particular to a detection method for defending ddos flow attack.
Background
With the rapid development of internet technology, attacks using the internet are increasingly common. The distributed denial of service (ddos) attack is a common attack means; its common feature is to exploit protocol bugs and send, through many forged "zombie hosts", a large number of network packets that look legitimate to the victim target host, causing network blocking or exhaustion of the target server's resources so that the service becomes unavailable. A distributed denial of service (ddos) attack means that a plurality of computers are combined together as an attack platform by means of client/server technology to launch a ddos attack on one or more targets, thereby exponentially increasing the power of the attack.
The attack means adopted by the distributed denial of service attack is distributed; it changes the traditional point-to-point attack mode, the attack mode is irregular, and common protocols and services are generally used when the attack is carried out, so the attack is difficult to distinguish by the types of protocols and services. When the attack is carried out the attack packets are all disguised, and the source IP address is also forged, so the address of the attack is difficult to determine and to trace. The distributed denial of service attack is therefore difficult to detect, and the existing detection methods have low accuracy in abnormal flow detection, poor identification precision, low processing speed and high complexity, and cannot meet people's requirements.
Disclosure of Invention
(I) Technical problem to be solved
Aiming at the defects of the prior art, the invention provides a detection method for defending against ddos flow attacks, and solves the problems that existing detection methods have a low accuracy rate of abnormal flow detection, poor identification precision, low processing speed and high complexity, and cannot meet people's requirements.
(II) Technical scheme
In order to achieve the purpose, the invention provides the following technical scheme:
a method of defending against detection of ddos traffic attacks, comprising the steps of:
s101: receiving an application flow request and monitoring an access request of a visiting IP;
s102: judging whether the IP address is in a system white list, if so, entering step S109 to directly forward the request, and if not, entering step S103;
s103: judging whether the IP address is in a system blacklist, if so, entering step S108 to directly discard the flow, and if not, entering step S104;
s104: judging whether the source IP address is in the TOP N sequence of the flow TOP N dynamic filter table: first the time node to which the current time belongs is obtained according to the preset time segmentation mode in S4, with 24 m hours taken as the current period; the time period to which the current time belongs is calculated, the value of m being changed according to the actual application scene to lengthen the period; the current time / 24 m gives the time node k to which the visiting IP belongs; then the current flow TOP N dynamic filter table, which can be realized as a linked list, is automatically loaded;
s105: if the IP address is in the flow TOP N dynamic filter table sequence, retrieving a flow template value corresponding to the time point of the address and numbered according to the time node of current flow acquisition according to a preset time window period, comparing the current flow value with the flow template value, judging whether the flow is abnormal flow according to whether the flow exceeds a preset threshold value, if so, entering step S108, and if not, entering step S107;
s106: if the IP address is not in the sequence of the TOP N dynamic filtering table of the flow, retrieving a flow template value corresponding to the time point from a flow average template EQ in the table according to a preset time window period and the time point of current flow acquisition of the address, comparing the current flow value with the flow template value, judging whether the flow is abnormal flow according to whether a preset threshold value beta is exceeded, if so, entering step S108, and if not, entering step S107;
s107: updating the flow template value of the IP address for the time node through the self-learning algorithm, judging the flow to be normal, and turning to step S109. The self-learning update of the flow template value of the IP address for the time node comprises the following steps: first, template initialization: a flow template value is obtained through fast self-learning similar to maximum likelihood estimation, the first normal flow accessed at each corresponding time in each fixed flow period time window is sampled, and the sampled value is taken as the initialized flow template; second, template self-learning: the flow template value Mn(k) is obtained through a flow self-adaptive feedback type maximum likelihood estimation algorithm, the flow template value Mn-1(k) of the current time point in the previous time period and the unprocessed flow value Xn-1(k) obtained in the previous time window period are obtained through fast retrieval, the latter is multiplied by the abnormal judgment result factor b(k) (0/1), the two are then averaged, and the result is used as the new flow template value; third, template locking: after self-learning for a period of time, the flow model can be locked by manual intervention so that learning is no longer performed;
s108: if the detected flow belongs to the abnormal flow, judging that the current flow is ddos attack behavior, and filtering the visiting IP request;
s109: and if the detected flow does not belong to the abnormal flow, forwarding the visiting IP request.
As a further scheme of the present invention, in S104 the contents of the flow TOP N dynamic filter table include the IP information linked lists with the highest recorded flow, ranked 1 … N+M and sorted from large to small according to historical flow, where the content of the linked list ranked n includes: the IP address xxx, the historical access traffic statistics xx, and the traffic template Rn = (Mn(1), Mn(2), Mn(3), … Mn(K)). The traffic template is the main content of the table entry: if the time of a specific traffic cycle is divided into K points, Mn(k) represents the characteristic value of the historical traffic of the IP address at time point k of the period, called the traffic template value; because of the cycle statistics it is the maximum expected value of the historical traffic, and it is dynamically updated by the self-learning algorithm. In practical applications the access behaviour of application traffic usually has strong periodicity (day/week), which is the key point of using the algorithm. In addition, the flow TOP N dynamic filter table further includes a linked list E whose IP address and historical access cumulative number are empty and whose traffic average template is EQ = (E(1), E(2), E(3) … E(K)); the traffic template value of each node in EQ is the statistical average of all non-TOP N historical access traffic at that time point. For example, if the time of a specific traffic period is divided into K, then E(k) represents the characteristic value of all normal traffic at time point k of the period, which is actually the average value of historical traffic, the most common approach adopted by many other traffic detection methods. The flow TOP N dynamic filter table is obtained by self-learning; manual adjustment and correction of the table are also allowed, leaving a large space for manual operation.
Further, the current flow TOP N dynamic filter table is automatically loaded in S104, and the ranking order is updated in real time according to the historical traffic statistics; the update of the ranking order is based on the historical access traffic statistics of the IP addresses, and the specific ordering of the TOP N IP information linked lists is as follows: referring to all historical access traffic statistics of the IP addresses, if the historical access traffic statistics of the current IP address exceed those of the nth IP address, the information of the current IP address is placed in the nth IP information linked list and its kth flow template value directly takes the kth value of the flow average template EQ, Mn(k) = E(k); in addition, the original linked list ranked n moves down one rank, and the original linked list ranked N enters the potential IP information linked list composed of M buffer records. The flow template value corresponding to a linked list in the flow TOP N dynamic filter table is updated as follows: for each visiting IP address, when the IP address is in the nth row of the N+M tables of the flow ranking and its flow value is judged to be normal flow, the flow value R is taken as the input to update the flow template value Mn(k) of the time point k corresponding to the nth row by the self-learning algorithm; when the address is not in the N+M tables of the flow ranking and its flow value is judged to be normal flow, the flow is taken as input value X(k) and averaged with the flow template value E(k) of time point k in the flow average template to obtain a new flow template value Enew(k), which is updated into the information linked list; this is also done by the self-learning algorithm, Enew(k) = [Eold(k) + b(k)·X(k)]/2.
On the basis of the foregoing scheme, the comparison operation algorithm in S105 and S106 is as follows: the flow template value Mn(k) is retrieved according to the time node k of the current flow, the current flow value X(k) is divided by the flow template value Mn(k), namely X(k)/Mn(k), and if the result exceeds the preset threshold value beta (beta is preset, and defaults to 3 according to experience) the flow is either directly judged to be abnormal flow or judged to be suspected flow; if the flow is judged to be suspected, the following I flow values X(k+1) … X(k+I) (I is preset, and defaults to 5 according to experience) and the corresponding flow template values Mn(k+1) … Mn(k+I) are taken from the current flow template, the sum X(k)/Mn(k) + X(k+1)/Mn(k+1) + … + X(k+I)/Mn(k+I) is computed, and if the result exceeds the preset threshold value beta the flow is judged to be abnormal, otherwise it is judged to be normal; if the threshold is exceeded, step S108 is entered, and if not, step S107 is entered.
Furthermore, in S107 the flow value sequence quantized in a time window period T is X = (X(1), X(2) … X(K)); the comparison operator compares the current flow value sequence X with the flow template value sequence M = (M(1), M(2) … M(K)) and outputs the result as the abnormality judgment, and that output, as the abnormality judgment result factor b(k) (0/1), determines whether the current flow value sequence X(1), X(2) … X(K) is fed into the flow template update. The update method sums X with the old flow template Mold = (Mold(1), Mold(2) … Mold(K)) obtained in the previous time window period T to obtain the new flow template M = (M(1), M(2) … M(K)). In the recurrence formula for updating the flow template, Mn(k) represents the flow template value of the current time point in the current time window period, Mn-1(k) is the flow template value of the current time point in the previous time window period, Xn-1(k) is the flow value received previously, b(k) is the abnormality judgment result factor, and Rinit(k) is the initialization flow template with initial values (0, 0 … 0). Assuming the result of b is correct, after n averaging operations the energy of abnormal flow is reduced to 1/n, and when n is large enough the flow template value at that moment can be considered the optimal value.
The invention also provides a device for detecting and disposing the abnormal flow attack, which comprises a flow receiving unit, a static filtering unit, a dynamic monitoring filtering unit and a processing unit which are connected in sequence, wherein the dynamic monitoring filtering unit is also connected with an operation judging unit and a self-learning unit.
(III) Advantageous effects
Compared with the prior art, the invention provides a method for defending ddos flow attack detection, which has the following beneficial effects:
1. The abnormal flow is dynamically filtered by adopting a dynamically updated flow TOP N dynamic filter table in a combined static and dynamic mode; the abnormal flow can be quickly screened out by the dynamic filtering mode of table lookup, and the method of judging abnormality by comparing the flow value with the corresponding flow template value in the flow TOP N dynamic filter table improves the accuracy rate of detecting abnormal flow, ensures that abnormal attacks are screened out from normal access behavior, and has higher identification precision, higher processing speed and lower implementation complexity compared with other ddos attack detection methods based on flow statistics.
2. The invention can improve the processing efficiency and the detection accuracy of the abnormal behavior, quickly detect and process the abnormal attack traffic and cannot influence the normal traffic access.
3. The method for filtering the TOP N dynamic filter table of the traffic is different from an attack detection method, the method adopts a mode of quickly inquiring the dynamic table without complex logic processing and judgment, realizes the quick processing and forwarding of the IP access condition, does not cause the influence on the access experience due to the time delay of application access, and the processing precision of the method mainly depends on the setting of the parameters N, M and K, which is related to the memory resource expense of the algorithm and can be flexibly set according to hardware resources in specific implementation.
4. The invention receives the flow request of the visiting IP address through the flow receiving unit. By setting a white list and a black list, the static filtering unit judges flow from the white list as normal flow and flow from the black list as abnormal flow. The dynamic monitoring filtering unit judges whether the visiting IP address is in the flow TOP N dynamic filter table; the operation judging unit performs the comparison operation for IP addresses both inside and outside the ranking of the flow TOP N dynamic filter table and judges whether the flow is abnormal flow; the self-learning unit dynamically maintains and updates the flow TOP N dynamic filter table, ranks the historical visiting flow statistics and dynamically updates the flow template of the corresponding visiting IP address; and the processing unit discards abnormal flow requests and forwards normal flow requests.
Drawings
Fig. 1 is a schematic flow structure diagram of a method for defending ddos traffic attack detection according to the present invention;
fig. 2 is a schematic structural diagram of an apparatus for detecting and handling an abnormal traffic attack according to the present invention;
fig. 3 is a schematic structural diagram of a flow self-learning method of the method for defending ddos flow attack detection provided by the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1-3, a method of defending against ddos traffic attack detection includes the steps of:
s101: receiving an application flow request and monitoring an access request of a visiting IP;
s102: judging whether the IP address is in a system white list, if so, entering step S109 to directly forward the request, and if not, entering step S103;
s103: judging whether the IP address is in a system blacklist, if so, entering step S108 to directly discard the flow, and if not, entering step S104;
s104: judging whether the source IP address is in the TOP N sequence of the flow TOP N dynamic filter table: first the time node to which the current time belongs is obtained according to the preset time segmentation mode in S4, with 24 m hours taken as the current period; the time period to which the current time belongs is calculated, the value of m being changed according to the actual application scene to lengthen the period; the current time / 24 m gives the time node k to which the visiting IP belongs; then the current flow TOP N dynamic filter table is automatically loaded, the flow TOP N dynamic filter table can be realized as a linked list, and its specific content is shown in the following table:
[Table image not reproduced on the page: contents of the flow TOP N dynamic filter table]
s105: if the IP address is in the flow TOP N dynamic filter table sequence, retrieving a flow template value corresponding to the time point of the address and numbered according to the time node of current flow acquisition according to a preset time window period, comparing the current flow value with the flow template value, judging whether the flow is abnormal flow according to whether the flow exceeds a preset threshold value, if so, entering step S108, and if not, entering step S107;
s106: if the IP address is not in the sequence of the TOP N dynamic filtering table of the flow, retrieving a flow template value corresponding to the time point from a flow average template EQ in the table according to a preset time window period and the time point of current flow acquisition of the address, comparing the current flow value with the flow template value, judging whether the flow is abnormal flow according to whether a preset threshold value beta is exceeded, if so, entering step S108, and if not, entering step S107;
s107: updating the flow template value of the IP address for the time node through the self-learning algorithm, judging the flow to be normal, and turning to step S109. The self-learning update of the flow template value of the IP address for the time node comprises the following steps: first, template initialization: a flow template value is obtained through fast self-learning similar to maximum likelihood estimation, the first normal flow accessed at each corresponding time in each fixed flow period time window is sampled, and the sampled value is taken as the initialized flow template; second, template self-learning: the flow template value Mn(k) is obtained through a flow self-adaptive feedback type maximum likelihood estimation algorithm, the flow template value Mn-1(k) of the current time point in the previous time period and the unprocessed flow value Xn-1(k) obtained in the previous time window period are obtained through quick retrieval, Xn-1(k) is multiplied by the abnormal judgment result factor b(k) (0/1), the product is averaged with Mn-1(k), and the result is used as the new flow template value, so that abnormal flow cannot be learned; this is theoretically proved to be a fast-converging maximum likelihood estimation self-learning algorithm; third, template locking: after self-learning for a period of time, the flow model can be locked by manual intervention so that learning is no longer performed, which ensures the rapidity and effectiveness of exception handling;
s108: if the abnormal FLOW is detected, judging that the current abnormal FLOW is a ddos attack behavior, filtering the access IP request, dynamically filtering the abnormal FLOW by adopting a dynamically updated FLOW TOP N dynamic filtering table in a static and dynamic combination mode, quickly screening the abnormal FLOW by the dynamic filtering mode of table lookup, improving the accuracy of detecting the abnormal FLOW by a method for judging the abnormality through the comparison operation of a FLOW numerical value and a corresponding FLOW template numerical value in the FLOW TOP N dynamic filtering table, ensuring that the abnormal attack is screened from the normal access behavior, and compared with other ddos attack detection methods based on FLOW statistics, the method has the characteristics of higher identification precision, higher processing speed and lower implementation complexity;
s109: if the abnormal flow is detected not to belong to, the visiting IP request is forwarded, the processing efficiency and the detection accuracy of the abnormal behavior are improved, the abnormal attack flow is rapidly detected and processed, and the normal flow access cannot be influenced.
In the S104 of the present invention, the contents of the flow TOP N dynamic filtering table include from 1 … … N + M IP information linked lists with the most recorded flow ranks at the TOP, and the IP information linked lists are sequentially sorted from large to small according to the historical flow, wherein the content of one linked list sorted into N includes: the IP address xxx, the history access traffic statistics xx, the traffic template Rn ═ Mn (1), Mn (2), Mn (3), … … Mn (K), where the traffic template is the main content of the table entry, if the time of a specific traffic cycle is divided into K, Mn (K) represents the characteristic value of the historical traffic of the IP address in the time period at the time point K, called the traffic template value, which is the maximum expected value of the historical traffic due to the cycle statistics, the calculation method is dynamically updated by a self-learning algorithm, in practical applications, the access behavior of the application traffic usually has strong periodicity (day/week), which is the key point of using the algorithm, and in addition, the content of the traffic TOP N dynamic filter table further includes a linked list E whose IP address and history access cumulative number are empty, and whose traffic average template EQ ═ E (1) The traffic template value for each node in E (2), E (3) … … E (K) is the statistical average of all non-TOPN historical access traffic at that point in time, e.g., dividing the time for a particular traffic period into K, ek represents the characteristic value of all normal flows in the time period at the time point k, and actually is the average value of historical flows, the method is also the most common method adopted by many other flow detection methods, the flow TOPN dynamic filter table is obtained by self-learning, manual adjustment and correction of the flow TOPN dynamic filter table are allowed, a large manual operation space is provided, the current 
The flow TOP N dynamic filter table is loaded automatically in S104, and its ranking is updated in real time from the historical traffic statistics: the order of the first N IP information linked lists is determined by the historical access traffic of each IP address. Referring to the historical access traffic statistics of all IP addresses, if the statistics of the current IP address exceed those of the address ranked n-th, the current address's information replaces the n-th IP information linked list and its k-th flow template value is taken directly from the k-th value of the flow average template EQ, that is Mn(k) = E(k); the linked list that was ranked n-th moves down one position, and the linked list that was ranked N-th enters the potential-IP linked list made up of M buffer records. The flow template values of the linked lists in the flow TOP N dynamic filter table are then updated as follows. For each visiting IP address: when the address sits in row n of the first N + M rows of the ranking and its flow value is judged normal, that flow value R is fed as input to the self-learning algorithm to update the flow template value Mn(k) of the time node k of row n; when the address is not among the first N + M rows and its flow is judged normal, the flow is taken as input value X(k) and averaged with the flow template value E(k) of the time node k in the flow average template, and the resulting new template value Enew(k) is written back to the information linked list, with the self-learning rule Enew(k) = [Eold(k) + b(k)·X(k)]/2.
Unlike the attack detection method, the filtering method based on the flow TOP N dynamic filter table only performs fast lookups in the dynamic table, without complex logic processing and judgment. This gives fast processing and forwarding of IP accesses and avoids adding application access latency that would hurt the access experience. The precision of the method depends mainly on the settings of the parameters N, M and K, which also determine the memory overhead of the algorithm, so in a concrete implementation they can be set flexibly according to the available hardware resources.
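The maintenance of the TOP N + M table described above, as an added Python illustration (constructed here; it is not code from the patent or its applicant). It assumes a per-IP history store for addresses outside the table, which the text refers to but does not locate, and uses Python lists in place of the linked lists; the addresses and flow values in the demo are made up.

```python
"""TOP N + M dynamic filter table: ranking, demotion into the M-record buffer,
template seeding from EQ, and the averaging updates. Constructed illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

K = 4  # time nodes per traffic period; small so the templates stay readable


@dataclass
class Row:
    ip: str
    history: float             # historical access traffic statistics
    template: List[float]      # Rn = [Mn(1), ..., Mn(K)]


@dataclass
class TopNTable:
    n: int                     # size of the TOP N section
    m: int                     # size of the M-record buffer of potential IPs
    eq: List[float] = field(default_factory=lambda: [0.0] * K)   # EQ = [E(1), ..., E(K)]
    rows: List[Row] = field(default_factory=list)                # first n+m, descending history
    history: Dict[str, float] = field(default_factory=dict)      # assumed store for every IP seen

    def row_of(self, ip: str) -> Optional[Row]:
        return next((r for r in self.rows if r.ip == ip), None)

    def is_top_n(self, ip: str) -> bool:
        return any(r.ip == ip for r in self.rows[:self.n])

    def template_for(self, ip: str) -> List[float]:
        """What S105/S106 compare against: the row's own Rn, else the shared EQ."""
        row = self.row_of(ip)
        return row.template if row is not None else self.eq

    def record_normal(self, ip: str, k: int, x: float) -> None:
        """Fold one sample x judged normal (b(k) = 1) at time node k into the table."""
        self.history[ip] = self.history.get(ip, 0.0) + x
        row = self.row_of(ip)
        if row is not None:
            row.history = self.history[ip]
            row.template[k] = (row.template[k] + x) / 2       # Mn(k) = [Mn-1(k) + X(k)] / 2
        else:
            self.eq[k] = (self.eq[k] + x) / 2                  # Enew(k) = [Eold(k) + X(k)] / 2
            full = len(self.rows) >= self.n + self.m
            if not full or self.history[ip] > self.rows[-1].history:
                # newcomer outranks the last row: enters with its template seeded from EQ
                self.rows.append(Row(ip, self.history[ip], list(self.eq)))
        self.rows.sort(key=lambda r: r.history, reverse=True)   # rows it passes move down one
        del self.rows[self.n + self.m:]                         # pushed past N + M: dropped


if __name__ == "__main__":
    t = TopNTable(n=2, m=1)
    for ip, x in [("10.0.0.1", 100), ("10.0.0.2", 80), ("10.0.0.3", 60), ("10.0.0.4", 70)]:
        t.record_normal(ip, 0, x)       # constructed samples, all at time node 0
    t.record_normal("10.0.0.4", 1, 30)  # 10.0.0.4 climbs from the buffer into TOP N
    for r in t.rows:
        print(r.ip, r.history, r.template, "TOP N" if t.is_top_n(r.ip) else "buffer")
    print("EQ", t.eq)
```

Two things the table makes visible: an address promoted from outside the table inherits EQ as its template, so its first comparisons in S105 are against the average of everyone else, not against its own history; and because only samples already judged normal are folded in, the ranking itself is driven by the detector's own decisions.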
Specifically, the comparison algorithm in S105 and S106 is as follows. Retrieve the flow template value Mn(k) for the time node k of the current flow and divide the current flow value X(k) by it, giving X(k)/Mn(k). If this ratio exceeds the preset threshold β (β is preset; its default, from experience, is 3), the flow is judged abnormal outright; otherwise it is judged suspected. For suspected flow, take the following I flow values X(k+1) … X(k+I) (I is preset; its default, from experience, is 5) together with the corresponding flow template values Mn(k+1) … Mn(k+I) from the current flow template, and combine the ratios X(k)/Mn(k) + X(k+1)/Mn(k+1) + … + X(k+I)/Mn(k+I); if the result exceeds the preset threshold β the flow is judged abnormal, otherwise normal. If the threshold is exceeded, proceed to step S108; if not, proceed to step S107.
In step S107 the flow values quantized within one time window period T form the sequence X = (X(1), X(2) … X(K)). A comparison operator compares the current flow value sequence X with the flow template value sequence M = (M(1), M(2) … M(K)) and outputs the result as the abnormality decision; that output, as the abnormality decision factor b(k) (0/1), determines whether the current flow value sequence X is fed into the flow template update. The update sums the current sequence X with the old flow template Mold = (Mold(1), Mold(2) … Mold(K)) obtained in the previous time window period T to obtain the new flow template M = (M(1), M(2) … M(K)). The recursion formula for the template update uses the following symbols: Mn(k) is the flow template value at the current time point in the current time window period, Mn-1(k) is the flow template value at the same time point in the previous time window period, Xn-1(k) is the previously received, unprocessed flow value, b(k) is the abnormality decision factor, and Rinit(k) is the initialized flow template with initial values (0, 0 … 0). Assuming the decisions b are correct, after n averaging operations the energy of any abnormal flow is reduced to 1/n, and when n is large enough the template value at that point can be regarded as the optimal value; theoretically the algorithm is shown to be a fast-converging maximum-likelihood self-learning estimator and gives the best estimate of access flow behaviour.
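The comparison step and the self-learning update, as an added example in Python (constructed here; not the patent's code). Where the text is silent it makes assumptions, each marked in the code: the look-ahead ratios are combined as a mean, a ratio at or below the template needs no look-ahead, and an abnormal decision skips the template update rather than entering the averaging formula with b(k) = 0. The sample values are constructed.

```python
"""Comparison (S105/S106) and template self-learning (S107) as the description
gives them in words. Constructed illustration, with the assumptions noted inline."""
from typing import List, Sequence

BETA = 3.0     # preset threshold beta, default 3
I_AHEAD = 5    # look-ahead count I for suspected flow, default 5


def ratio(x: float, m: float) -> float:
    """X(k)/Mn(k). An untrained node (template 0) makes any traffic look infinite,
    which is why the first normal sample has to seed the template before comparing."""
    return float("inf") if m == 0 else x / m


def judge(xs: Sequence[float], template: Sequence[float], k: int,
          beta: float = BETA, i_ahead: int = I_AHEAD) -> str:
    """Decide sample k: 'abnormal', 'normal', or 'suspected' (decision deferred)."""
    r = ratio(xs[k], template[k])
    if r > beta:
        return "abnormal"                 # exceeds beta outright
    if r <= 1.0:
        return "normal"                   # assumption: not above the template, no look-ahead
    if len(xs) < k + i_ahead + 1:
        return "suspected"                # X(k+1..k+I) not collected yet
    window = [ratio(xs[j], template[j]) for j in range(k, k + i_ahead + 1)]
    return "abnormal" if sum(window) / len(window) > beta else "normal"   # assumption: mean


def learn(template: List[float], k: int, x: float, b: int) -> None:
    """Mn(k) = [Mn-1(k) + b(k)*Xn-1(k)] / 2 for b(k) = 1. For b(k) = 0 the sample is
    kept out of the template entirely: substituting b = 0 literally would halve Mn(k)
    on every attack sample and lower the bar for the next one."""
    if b:
        template[k] = (template[k] + x) / 2


def process_period(xs: Sequence[float], template: List[float],
                   beta: float = BETA, i_ahead: int = I_AHEAD) -> List[str]:
    """One time window period: judge each X(k), then feed the decision back as b(k).
    A still-suspected sample at the end of the window is not learned (b = 0)."""
    decisions = []
    for k, x in enumerate(xs):
        d = judge(xs, template, k, beta, i_ahead)
        decisions.append(d)
        learn(template, k, x, b=1 if d == "normal" else 0)
    return decisions


def spike_residual(m0: float, spike: float, n: int) -> float:
    """Fraction of a wrongly accepted spike (b = 1) still present in the template
    after n averaging operations at a steady normal level m0."""
    m = (m0 + spike) / 2                  # operation 1 admits the spike
    for _ in range(n - 1):
        m = (m + m0) / 2                  # operations 2..n see normal traffic
    return (m - m0) / (spike - m0)


if __name__ == "__main__":
    tmpl = [100.0] * 6                    # constructed template, one period of K = 6 nodes
    print(process_period([110, 400, 90, 100, 100, 100], tmpl), tmpl)
    print([spike_residual(100, 1000, n) for n in (1, 2, 4)])
```

`spike_residual` checks the convergence claim: a spike admitted with b(k) = 1 decays geometrically, to 1/2^n after n averaging operations, which is faster than the 1/n stated above. The guard in `learn` matters in practice: with b(k) = 0 substituted literally the rule gives Mn(k) = Mn-1(k)/2, so every sample flagged as attack would halve the template and make the following sample easier to flag, a feedback loop an attacker can trigger on purpose. And because an untrained node (Rinit = 0) rejects everything, the first normal sample has to seed the template, as the initialization step in S107 describes.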
The invention also provides a device for detecting and disposing of abnormal traffic attacks, comprising a traffic receiving unit, a static filtering unit, a dynamic monitoring filtering unit and a processing unit connected in sequence, with the dynamic monitoring filtering unit further connected to an operation judging unit and a self-learning unit. The traffic receiving unit receives the flow request of the visiting IP address. The static filtering unit holds a white list and a black list: a visiting IP address on the white list is judged normal flow, and one on the black list is judged abnormal flow. The dynamic monitoring filtering unit judges whether the visiting IP address is in the flow TOP N dynamic filter table. The operation judging unit operates on IP addresses both within and outside the sequence of the flow TOP N dynamic filter table and judges whether their flow is abnormal. The self-learning unit dynamically maintains and updates the flow TOP N dynamic filter table, sorts the historical access traffic statistics, and dynamically updates the flow template of the corresponding visiting IP address. The processing unit discards abnormal flow requests and forwards normal flow requests.
In the description herein, it is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (6)

1. A method of defending against DDoS traffic attacks by detection, comprising the steps of:
S101: receiving an application flow request and monitoring the access request of the visiting IP;
S102: judging whether the IP address is in the system white list; if so, entering step S109 to forward the request directly, and if not, entering step S103;
S103: judging whether the IP address is in the system black list; if so, entering step S108 to discard the flow directly, and if not, entering step S104;
S104: judging whether the source IP address is in the TOP N sequence of the flow TOP N dynamic filter table: first obtain the time node to which the current time belongs according to a preset time segmentation mode, taking 24·m hours as the current period and computing the period to which the current time belongs, where the value of m can be changed according to the actual application scenario to lengthen the period, and the time node k to which the visiting IP belongs is obtained from current time / 24·m; then automatically load the current flow TOP N dynamic filter table, which can be realized with a linked list;
S105: if the IP address is in the sequence of the flow TOP N dynamic filter table, retrieve the flow template value corresponding to the time point of the address, numbered according to the preset time window period and the time node at which the current flow is collected; compare the current flow value with the flow template value and judge whether the flow is abnormal according to whether it exceeds the preset threshold; if so, enter step S108, and if not, enter step S107;
S106: if the IP address is not in the sequence of the flow TOP N dynamic filter table, retrieve the flow template value corresponding to the time point from the flow average template EQ in the table, according to the preset time window period and the time point at which the current flow of the address is collected; compare the current flow value with the flow template value and judge whether the flow is abnormal according to whether the preset threshold β is exceeded; if so, enter step S108, and if not, enter step S107;
S107: update the flow template value of the IP address for the corresponding time node by the self-learning algorithm, judge the flow normal and go to step S109. The self-learning update of the flow template value of the IP address at the corresponding time node is implemented in three steps. First, template initialization: the flow template value is obtained by a fast self-learning similar to maximum-likelihood estimation; the first normal flow accessed is sampled at each corresponding time within each fixed flow period time window, and the sampled values are taken as the initialized flow template. Second, template self-learning: the flow template value Mn(k) is obtained by a flow-adaptive feedback maximum-likelihood estimation algorithm; the flow template value Mn-1(k) of the current time point in the previous time period and the unprocessed flow value Xn-1(k) obtained in the previous time window period are fetched by fast retrieval, the latter is multiplied by the abnormality decision factor b(k) (0/1), the two are then averaged, and the result is used as the new flow template value. Third, template locking: after self-learning for a period of time, the flow model can be locked through manual intervention so that it learns no further;
S108: if the detected flow is abnormal flow, judge the current flow to be DDoS attack behaviour and filter the visiting IP request;
S109: if the detected flow is not abnormal flow, forward the visiting IP request.
2. The method for defending against DDoS traffic attacks by detection according to claim 1, wherein the contents of the flow TOP N dynamic filter table in S104 comprise the IP information lists ranked 1 … N + M by recorded traffic, sorted from large to small by historical traffic, and the contents of the list ranked n comprise: the IP address xxx, the historical access traffic statistics xx, and the flow template Rn = (Mn(1), Mn(2), Mn(3), … Mn(K)), the flow template being the main content of the table entry. If the time of a specific traffic cycle is divided into K nodes, Mn(k) represents the characteristic value of the historical traffic of the IP address at time point k within the period, called the flow template value; because of the periodic statistics it is the maximum expected value of the historical traffic, and its calculation is updated dynamically by the self-learning algorithm. In practical applications the access behaviour of application traffic usually shows strong periodicity (daily/weekly), which is the key point of using the algorithm. The contents of the flow TOP N dynamic filter table further comprise a linked list E whose IP address and cumulative historical access count are empty and whose flow average template EQ = (E(1), E(2), E(3) … E(K)) holds, for each node, the statistical average of all non-TOP N historical access traffic at that time point; for example, with the time of a specific traffic period divided into K, E(k) represents the characteristic value of all normal traffic at time point k within the period, which is in fact an average of historical traffic and is the most common approach adopted by many other traffic detection methods. The flow TOP N dynamic filter table is obtained by self-learning, and it can also be adjusted and corrected manually, leaving considerable room for manual operation.
3. The method for defending against DDoS traffic attacks by detection according to claim 2, wherein the current flow TOP N dynamic filter table is loaded automatically in S104 and its ranking is updated in real time from the historical traffic statistics, the ranking being based on the historical access traffic statistics of the IP addresses, and the ranking of the first N IP information linked lists is as follows: referring to the historical access traffic statistics of all IP addresses, if the statistics of the current IP address exceed those of the n-th IP address, the information of the current address replaces the n-th IP information linked list and its k-th flow template value is taken directly from the k-th value of the flow average template EQ, Mn(k) = E(k); the linked list originally ranked n-th moves down one position, and the linked list originally ranked N-th enters the potential-IP linked list made up of M buffer records; the flow template values of the linked lists in the flow TOP N dynamic filter table are then updated as follows: for each visiting IP address, when the address is in row n of the first N + M rows of the ranking and its flow value is judged normal, the flow value R is taken as input to update the flow template value Mn(k) of the time node k of row n by the self-learning algorithm; when the address is not among the first N + M rows and its flow value is judged normal, the flow is taken as input value X(k) and averaged with the flow template value E(k) of the time node k in the flow average template, and the new flow template value Enew(k) is written into the information linked list, likewise by the self-learning algorithm Enew(k) = [Eold(k) + b(k)·X(k)]/2.
4. The method for defending against DDoS traffic attacks by detection according to claim 1, wherein the comparison algorithm in S105 and S106 is as follows: retrieve the flow template value Mn(k) for the time node k of the current flow and divide the current flow value X(k) by it, giving X(k)/Mn(k); if the ratio exceeds the preset threshold β (β is preset, default 3 from experience) the flow is judged abnormal directly, otherwise it is judged suspected; for suspected flow, take the following I flow values X(k+1) … X(k+I) (I is preset, default 5 from experience) and the corresponding flow template values Mn(k+1) … Mn(k+I) from the current flow template and combine X(k)/Mn(k) + X(k+1)/Mn(k+1) + … + X(k+I)/Mn(k+I); if the result exceeds the preset threshold β the flow is judged abnormal, otherwise normal; if the threshold is exceeded, enter step S108, and if not, enter step S107.
5. The method according to claim 1, wherein the flow values quantized within one time window period T in S107 form the sequence X = (X(1), X(2) … X(K)); a comparison operator compares the current flow value sequence X with the flow template value sequence M = (M(1), M(2) … M(K)) and outputs the result as the abnormality decision, and that output, as the abnormality decision factor b(k) (0/1), determines whether the current flow value sequence X is fed into the flow template update; the update sums the current sequence X with the old flow template Mold = (Mold(1), Mold(2) … Mold(K)) obtained in the previous time window period T to obtain the new flow template M = (M(1), M(2) … M(K)); in the recursion formula for updating the flow template, Mn(k) represents the flow template value of the current time point in the current time window period, Mn-1(k) the flow template value of the same time point in the previous time window period, Xn-1(k) the previously received flow value, b(k) the abnormality decision factor, and Rinit(k) the initialized flow template with initial values (0, 0 … 0); assuming the decisions b are correct, after n averaging operations the energy of abnormal flow is reduced to 1/n, and when n is large enough the flow template value at that point can be regarded as the optimal value.
6. A device for detecting and disposing of abnormal traffic attacks, characterized by comprising a traffic receiving unit, a static filtering unit, a dynamic monitoring filtering unit and a processing unit connected in sequence, wherein the dynamic monitoring filtering unit is further connected to an operation judging unit and a self-learning unit.
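An end-to-end dispatch for steps S101 to S109 of claim 1, mapped onto the unit chain of the device of claim 6 and the device paragraph of the description, as an added Python example (constructed here; not the patent's code). It assumes the time-node arithmetic (position of the current time inside a 24·m hour period, split into K slots), plain dicts in place of the linked lists, and the direct threshold compare only, without the suspected-flow look-ahead. The addresses and flow values are constructed.

```python
"""S101..S109 dispatch: static filter (white/black list), dynamic filter (TOP N
table or EQ), judging, self-learning, processing. Constructed illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set

HOUR = 3600


def time_node(t_seconds: int, m: int, K: int) -> int:
    """Node k of a 24*m hour period split into K slots. Assumption: the claim's
    'current time / 24m' is taken as the position of t inside the period."""
    period = 24 * m * HOUR
    return int((t_seconds % period) // (period / K))


@dataclass
class Detector:
    whitelist: Set[str]                 # static filtering unit
    blacklist: Set[str]
    templates: Dict[str, List[float]]   # TOP N rows: ip -> Rn (dynamic monitoring filtering unit)
    eq: List[float]                     # flow average template EQ for every other IP
    beta: float = 3.0                   # preset threshold
    m: int = 1                          # period multiplier, 24*m hours
    K: int = 24                         # time nodes per period

    def handle(self, ip: str, t: int, x: float) -> List[str]:
        """Run one request (flow value x at time t) and return the steps taken;
        the last step is S108 (discard) or S109 (forward)."""
        path = ["S101", "S102"]
        if ip in self.whitelist:
            return path + ["S109"]                     # white list: forward directly
        path.append("S103")
        if ip in self.blacklist:
            return path + ["S108"]                     # black list: discard directly
        path.append("S104")
        k = time_node(t, self.m, self.K)
        row = self.templates.get(ip)
        if row is not None:
            path.append("S105")                        # compare against the address's own Rn
        else:
            row = self.eq
            path.append("S106")                        # compare against the shared EQ
        if row[k] > 0 and x / row[k] > self.beta:
            return path + ["S108"]                     # judged DDoS behaviour: filter
        path.append("S107")
        if row[k] == 0:
            row[k] = x                                 # initialization: first normal sample seeds the node
        else:
            row[k] = (row[k] + x) / 2                  # self-learning average, b(k) = 1
        return path + ["S109"]


if __name__ == "__main__":
    d = Detector(whitelist={"10.0.0.5"}, blacklist={"198.51.100.7"},
                 templates={"10.0.0.1": [100.0] * 24}, eq=[50.0] * 24)
    for ip, t, x in [("10.0.0.5", 0, 10000), ("198.51.100.7", 0, 1),
                     ("10.0.0.1", 13 * HOUR, 120), ("10.0.0.1", 13 * HOUR, 400),
                     ("203.0.113.9", 2 * HOUR, 400), ("203.0.113.9", 2 * HOUR, 120)]:
        print(ip, x, "->", " ".join(d.handle(ip, t, x)))
```

The cold-start case is the one to watch: a node whose template is still zero takes the first sample as normal, so whichever address arrives first at that node defines its baseline. Seeding the table during a known-clean window and then using the template-locking and manual-adjustment options the claims mention keeps an attacker from doing the seeding.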

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110857125.6A CN113630394A (en) 2021-07-28 2021-07-28 Method for defending ddos flow attack detection


Publications (1)

Publication Number Publication Date
CN113630394A true CN113630394A (en) 2021-11-09

Family

ID=78381510


Country Status (1)

Country Link
CN (1) CN113630394A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113920698A (en) * 2021-11-25 2022-01-11 杭州安恒信息技术股份有限公司 Early warning method, device, equipment and medium for abnormal interface calling
CN114257461A (en) * 2022-03-01 2022-03-29 四川省商投信息技术有限责任公司 SDN switch flow table control method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050249214A1 (en) * 2004-05-07 2005-11-10 Tao Peng System and process for managing network traffic
CN102291411A (en) * 2011-08-18 2011-12-21 网宿科技股份有限公司 Anti-DDOS (distributed denial of service) attack method and system against DNS (domain name system) service
CN105721494A (en) * 2016-03-25 2016-06-29 中国互联网络信息中心 Method and device for detecting and disposing abnormal traffic attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20211109