CN113709156A - NIDS network penetration detection method, computer and storage medium - Google Patents
- Publication number
- CN113709156A
- Authority
- CN
- China
- Prior art keywords
- message
- data
- nids
- attack
- ttl
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
Abstract
The invention provides a NIDS network penetration detection method, a computer and a storage medium, and belongs to the technical field of intelligent detection. First, the TTL field value from the NIDS to the server is detected in the TCP state machine attack model; second, the type of the received message is judged, attack detection for control messages being executed when the message is a control message and attack detection for data messages being executed when the message is a data message; next, control messages in the TCP state machine attack model are detected; finally, data messages in the TCP state machine attack model are detected. By identifying forged TCP state machine attack packets, the invention solves the technical problem of TCP state machine attacks bypassing NIDS detection.
Description
Technical Field
The application relates to network penetration detection, in particular to a NIDS network penetration detection method, a computer and a storage medium, and belongs to the technical field of intelligent detection.
Background
TCP state machine attacks are mainly used to bypass NIDS detection. The TCP state machine is defined as follows: the TCP protocol stack maintains a TCP state machine, and the server running the TCP protocol stack and the network security device sitting in the middle of the path have different TCP state machines. An attacker exploits this difference to carry out network penetration by sending forged data packets, for example by inserting carefully designed messages into a normal TCP stream; these messages are never delivered to the server, but they are received and processed by the NIDS in the middle of the network.
TCP state machine attack model: an attacker exploits the difference between the TCP state machines of the TCP server and of the network security device in the middle of the path, and carries out network penetration by inserting forged messages into a normal TCP stream. The message forgery method comprises two steps: the first step is to measure the network distance between the client and the server and set the TTL field to a value smaller than the measured distance; the second step is to tamper with the TCP Control Block (TCB) or fill the data content with garbage data, and to modify the TCP send sequence number or the sending order.
Therefore, aiming at the attack method of the TCP state machine attack model, the invention provides an NIDS network penetration detection method for detecting TCP state machine attack forged messages.
Disclosure of Invention
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. It should be understood that this summary is not an exhaustive overview of the invention. It is not intended to determine the key or critical elements of the present invention, nor is it intended to limit the scope of the present invention. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is discussed later.
In view of this, the present invention provides a NIDS network penetration detection method to solve the technical problem of TCP state machine attacks against a NIDS, which includes the following steps:
step one, detecting the TTL field value from the NIDS to the server;
step two, judging the type of the received message, executing step three when the message is a control message, and executing step four when the message is a data message;
step three, detecting control messages in the TCP state machine attack;
step four, detecting data messages in the TCP state machine attack.
Preferably, the specific method for detecting the TTL field value from the NIDS to the server in the TCP state machine attack model in step one includes the following steps:
step 1.1, generating a TTL table containing a TTL threshold field value and a service identification field;
step 1.2, calculating the field value hops from the NIDS to the server;
step 1.3, comparing the value hops obtained in step 1.2 with the TTL threshold in the TTL table: when $hops < Table_{TTL}$, the TTL threshold in the TTL table is updated; when $pkt_{TTL} < Table_{TTL}$, the message is considered to be an attack message; where $Table_{TTL}$ denotes the TTL threshold field value in the TTL table and $pkt_{TTL}$ denotes the value of the TTL field in the message received by the NIDS.
Preferably, the field value hops from the NIDS to the server in step 1.2 is calculated by the following formula:
where hops is the field value from the NIDS to the server, $base_i$ is a radix taking a value in [64, 128, 255], and $Pkt_{TTL}$ is the value of the TTL field in the message received by the NIDS.
Preferably, detecting control messages in the TCP state machine attack in step three specifically includes detecting the TCB creation, TCB destruction, TCB reversion and Resync + Desync attack techniques.
Preferably, detecting data messages in the TCP state machine attack in step four specifically includes detecting the data overlapping, unordered data overlapping, ordered data overlapping and data asynchronous attack techniques.
Preferably, the specific method for detecting control messages in the TCP state machine attack model in step three includes the following steps:
step 3.1, so that the NIDS does not discard control messages when it receives multiple SYN or SYN/ACK messages with the same four-tuple and conflicting sequence numbers, constructing a TCB chain for messages that share a four-tuple and have conflicting sequence numbers;
step 3.2, establishing a timer for each TCB chain, the timer being updated when a new message arrives;
step 3.3, when captured control messages have conflicting sequence numbers, storing the conflicting control messages in the TCB chain;
step 3.4, receiving the next message;
step 3.5, for forged messages in the TCB creation stage, checking the sequence number of the next message: if a message in the TCB chain is continuous with the sequence number of the next message, that message is a normal message, and the other messages in the TCB chain are discarded as attack messages;
when the TCB is in the destruction stage: when the TCB timer has expired, the TCB chain is released; when the TCB timer has not expired and a data message for the four-tuple is received after the RST/FIN message, the RST/FIN message can be determined to be an attack message, the TCB chain is retained, and the RST/FIN message is discarded.
Preferably, the specific method for detecting data messages in the TCP state machine attack in step four includes the following steps:
step 4.1, constructing an auxiliary buffer to store pointers to messages whose send sequence numbers overlap;
step 4.2, when captured data messages have overlapping sequence numbers: if $Seq_{pkt} < Seq_{expected}$, the message is identified as an attack; if $Seq_{pkt} > Seq_{expected}$, the pointer to the first data message is stored in the ordinary TCP receive buffer and the pointer to the overlapping data message is stored in the auxiliary buffer; where $Seq_{pkt}$ denotes the sequence number of the message currently being processed by the NIDS and $Seq_{expected}$ denotes the sequence number of the message the NIDS expects to receive;
step 4.3, after the NIDS finishes processing the current data message, updating $Seq_{expected}$ for receiving the next data message;
step 4.4, determining which of the messages stored in the receive buffer and the auxiliary buffer is correct, and discarding the attack message.
Preferably, in step 4.4, which of the messages stored in the ordinary buffer and the auxiliary buffer is correct is determined by receiving the next message, and the specific judgment is:
(1) the message in the receive buffer is the correct message, and the data message in the auxiliary buffer is an attack message:
$Seq_{next} + Data_{next} = Seq_{buffer}$
where $Seq_{next}$ denotes the sequence number of the next data message received by the NIDS, $Data_{next}$ denotes the data length of the next data message received by the NIDS, and $Seq_{buffer}$ denotes the expected sequence number of the data message stored in the ordinary buffer;
(2) the message in the receive buffer is an attack message, and the message in the auxiliary buffer is a normal message:
$Seq_{next} = Seq_{Aux\_buffer} + Data_{Aux\_buffer}$
where $Seq_{Aux\_buffer}$ denotes the expected sequence number of the data message stored in the auxiliary buffer and $Data_{Aux\_buffer}$ denotes the data length of the data message stored in the auxiliary buffer.
A computer comprising a memory storing a computer program and a processor implementing the steps of a NIDS network penetration detection method when executing the computer program.
A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a NIDS network penetration detection method.
The invention has the following beneficial effects: by identifying forged TCP state machine attack packets, the invention solves the technical problem of TCP state machine attacks bypassing NIDS detection and effectively improves the ability of the NIDS to resist attack.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow diagram of a method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of TCB chain construction according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of TCP state machine attack according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present application more apparent, the following further detailed description of the exemplary embodiments of the present application with reference to the accompanying drawings makes it clear that the described embodiments are only a part of the embodiments of the present application, and are not exhaustive of all embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Embodiment 1: this embodiment is described with reference to FIG. 1 to FIG. 3. The NIDS network penetration detection method of this embodiment includes the following steps:
Step one, detecting the TTL field value from the NIDS to the server;
Because the NIDS is closer to the TCP client in network distance than the server is, an attacker can control the TTL field so that an inserted data packet reaches the NIDS but cannot reach the target server, and the NIDS is thereby attacked. For the analysis of this attack characteristic the server is assumed to be trusted. A TTL table is therefore generated to record the field value between the NIDS and the server, namely the hop count, so that the hop count from the client to the server is recorded and the minimum hop count between the NIDS and the server is found from the recorded values.
Specifically, detecting the TTL field value from the NIDS to the server in step one includes the following steps:
Step 1.1, generating a TTL table containing a TTL threshold field value and a service identification field;
Specifically, the TTL threshold field value is the minimum field value from the NIDS to the server, that is, the minimum hop count from the NIDS to the server. The TTL threshold is monitored and extracted from server data packets. Because data packets are sent from different systems, the TTL threshold differs, but the common point is that the initial value is $2^n$ or $2^n - 1$.
Step 1.2, calculating the field value hops from the NIDS to the server by the following formula:
where hops is the field value from the NIDS to the server, $base_i$ is a radix taking a value in [64, 128, 255], and $Pkt_{TTL}$ is the value of the TTL field in the message received by the NIDS.
Step 1.3, comparing the value hops obtained in step 1.2 with the TTL threshold in the TTL table: when $hops < Table_{TTL}$, the TTL threshold in the TTL table is updated; when $pkt_{TTL} < Table_{TTL}$, the message is considered to be an attack message; where $Table_{TTL}$ denotes the TTL threshold field value in the TTL table and $pkt_{TTL}$ denotes the value of the TTL field in the message received by the NIDS.
In particular, the minimum number of hops between the NIDS and the server may change because the network path changes dynamically. This check alone is therefore not enough to identify an attack accurately; to do so, the NIDS also needs to detect whether the data message matches a forged data message, so step two is executed to identify the attack further.
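The TTL table check of step one, as an added example that is not part of the patent text. The hop formula is not reproduced on this page, so the code assumes hops = base_i - Pkt_TTL with base_i the smallest radix not below the observed TTL; the service address, the event records and all function names are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

BASES = (64, 128, 255)  # radix values base_i listed in the description

Service = Tuple[str, int]  # service identification field: (server IP, port)


def hops_from_ttl(pkt_ttl: int) -> int:
    """Hops a packet has travelled, estimated from its remaining TTL.

    ASSUMPTION (formula not shown on the page): the sender started from the
    smallest radix base_i >= pkt_ttl, so hops = base_i - pkt_ttl.
    """
    if not 1 <= pkt_ttl <= 255:
        raise ValueError(f"TTL out of range: {pkt_ttl}")
    base = next(b for b in BASES if b >= pkt_ttl)
    return base - pkt_ttl


class TTLTable:
    """TTL table: service id -> TTL threshold (minimum hops NIDS to server)."""

    def __init__(self) -> None:
        self.threshold: Dict[Service, int] = {}

    def learn(self, service: Service, server_pkt_ttl: int) -> int:
        """Steps 1.2 and 1.3: lower the threshold when fewer hops are seen."""
        hops = hops_from_ttl(server_pkt_ttl)
        current = self.threshold.get(service)
        if current is None or hops < current:
            self.threshold[service] = hops
        return self.threshold[service]

    def is_attack(self, service: Service, client_pkt_ttl: int) -> Optional[bool]:
        """pkt_TTL < Table_TTL: the packet expires before reaching the server.
        Returns None while no server packet has been seen for the service."""
        current = self.threshold.get(service)
        if current is None:
            return None
        return client_pkt_ttl < current


def run(events) -> List[Tuple[int, Optional[bool]]]:
    """Replay (direction, service, ttl) records and return (ttl, verdict)
    for every client-to-server packet."""
    table = TTLTable()
    verdicts = []
    for direction, service, ttl in events:
        if direction == "s2c":
            table.learn(service, ttl)
        else:
            verdicts.append((ttl, table.is_attack(service, ttl)))
    return verdicts


# Constructed sample: TTL values as observed at the NIDS sensor.
SVC = ("192.0.2.10", 443)
SAMPLE = [
    ("c2s", SVC, 57),   # before any server packet: no verdict yet
    ("s2c", SVC, 59),   # 64 - 59 = 5 hops, threshold becomes 5
    ("s2c", SVC, 58),   # 6 hops, longer path, threshold stays 5
    ("c2s", SVC, 57),   # enough TTL left to reach the server
    ("c2s", SVC, 3),    # 3 < 5: expires between NIDS and server
    ("s2c", SVC, 61),   # 3 hops, shorter path seen, threshold becomes 3
    ("c2s", SVC, 3),    # 3 < 3 is false: no longer flagged
    ("c2s", SVC, 2),    # 2 < 3: flagged
]

if __name__ == "__main__":
    for ttl, verdict in run(SAMPLE):
        print(f"client packet TTL={ttl:3d} attack={verdict}")
```

The third and seventh client packets carry the same TTL but get different verdicts, which is the path-change effect the paragraph above gives as the reason the TTL check is only a first filter.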
Step two, judging the type of the received message, executing step three when the message is a control message, and executing step four when the message is a data message;
The core of the TCP attack strategy is to destroy or deceive the NIDS. An attacker designs network penetration strategies for different stages of the whole TCP connection process, so the strategies are divided into two attack strategies, namely a control message attack strategy and a data message attack strategy.
Specifically, for the control message attack strategy, control messages are identified, which specifically includes detecting the TCB creation, TCB destruction, TCB reversal and Resync + Desync attack techniques.
Specifically, for the data message attack strategy, data messages are identified, which specifically includes detecting the data overlapping, unordered data overlapping, ordered data overlapping and data asynchronous attack techniques.
Step three, detecting control messages in the TCP state machine attack;
The attacker's purpose is to destroy the TCB by sending inserted control messages, for example by injecting a SYN message with a forged sequence number before the normal SYN message in the TCB creation stage. To defeat this, the present invention constructs a TCB chain for messages with the same four-tuple and conflicting sequence numbers (as shown in FIG. 2), so that the NIDS does not discard control messages when it receives multiple SYN or SYN/ACK messages with the same four-tuple and conflicting sequence numbers.
Specifically, the detection of control messages in the TCP state machine attack model includes the following steps:
Step 3.1, so that the NIDS does not discard control messages when it receives multiple SYN or SYN/ACK messages with the same four-tuple and conflicting sequence numbers, constructing a TCB chain for messages that share a four-tuple and have conflicting sequence numbers;
Step 3.2, establishing a timer for each TCB chain, the timer being updated when a new message arrives;
Step 3.3, when captured control messages have conflicting sequence numbers, storing the conflicting control messages in the TCB chain;
Step 3.4, receiving the next data message;
Step 3.5, when the TCB is in the creation stage, checking the sequence number of the next message: if a message in the TCB chain is continuous with the sequence number of the next message, that message is a normal message, and the other messages in the TCB chain are discarded as attack messages;
when the TCB is in the destruction stage: when the TCB timer has expired, the TCB chain is released; when the TCB timer has not expired and a message for the four-tuple is received after the RST/FIN message, the RST/FIN message can be determined to be an attack message, the TCB chain is retained, and the RST/FIN packet is discarded.
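The TCB chain logic of steps 3.1 to 3.5, as an added example that is not part of the patent text. It tracks one direction of a flow only; the 30-second timeout, the class and field names and the packet trace are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits
MOD = 1 << 32                                  # sequence numbers wrap at 2**32
FourTuple = Tuple[str, int, str, int]


@dataclass
class Pkt:
    ts: float          # capture time in seconds
    flow: FourTuple    # (src IP, src port, dst IP, dst port)
    flags: int
    seq: int
    length: int = 0    # payload bytes


@dataclass
class TCBChain:
    syns: List[Pkt] = field(default_factory=list)   # conflicting SYNs (step 3.3)
    closing: Optional[Pkt] = None                   # RST/FIN awaiting confirmation
    timer: float = 0.0                              # last update time (step 3.2)


class ControlDetector:
    def __init__(self, timeout: float = 30.0) -> None:   # timeout value is assumed
        self.timeout = timeout
        self.chains: Dict[FourTuple, TCBChain] = {}

    def process(self, pkt: Pkt) -> List[Tuple[str, int]]:
        """Return (alert, sequence number) for every message judged forged."""
        alerts: List[Tuple[str, int]] = []
        chain = self.chains.get(pkt.flow)
        # Destruction stage: timer expired after RST/FIN, release the chain.
        if (chain is not None and chain.closing is not None
                and pkt.ts - chain.timer > self.timeout):
            del self.chains[pkt.flow]
            chain = None
        if chain is None:
            chain = self.chains[pkt.flow] = TCBChain()
        chain.timer = pkt.ts
        if pkt.flags & SYN:
            # Steps 3.1 and 3.3: keep every SYN whose sequence number conflicts.
            if all(s.seq != pkt.seq for s in chain.syns):
                chain.syns.append(pkt)
            return alerts
        if len(chain.syns) > 1:
            # Step 3.5: a SYN consumes one sequence number, so the genuine SYN
            # is the one the next message continues from.
            real = [s for s in chain.syns if (s.seq + 1) % MOD == pkt.seq]
            if real:
                alerts += [("forged-syn", s.seq)
                           for s in chain.syns if s is not real[0]]
                chain.syns = real[:1]
        if pkt.flags & (RST | FIN):
            chain.closing = pkt          # keep the TCB, do not tear down yet
        elif pkt.length > 0 and chain.closing is not None:
            # Data for the same four-tuple after RST/FIN, timer still running.
            alerts.append(("forged-rst-fin", chain.closing.seq))
            chain.closing = None
        return alerts


def replay(packets: List[Pkt], detector: ControlDetector) -> List[Tuple[str, int]]:
    """Feed a trace through the detector and collect all alerts in order."""
    out: List[Tuple[str, int]] = []
    for p in packets:
        out += detector.process(p)
    return out


# Constructed client-to-server trace for one four-tuple.
FLOW = ("198.51.100.7", 40000, "192.0.2.10", 443)
TRACE = [
    Pkt(0.00, FLOW, SYN, 9000),             # inserted SYN, conflicting sequence number
    Pkt(0.01, FLOW, SYN, 1000),             # genuine SYN
    Pkt(0.05, FLOW, ACK, 1001),             # continues from 1000: 9000 was forged
    Pkt(0.10, FLOW, ACK, 1001, 100),        # data
    Pkt(0.20, FLOW, RST, 1101),             # inserted RST
    Pkt(0.30, FLOW, ACK, 1101, 50),         # data keeps flowing: RST was forged
    Pkt(1.00, FLOW, FIN | ACK, 1151),       # genuine FIN, nothing follows
    Pkt(40.0, FLOW, SYN, 5000),             # after timeout: old chain released
]

if __name__ == "__main__":
    print(replay(TRACE, ControlDetector()))
```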
Step four, detecting data messages in the TCP state machine attack.
The attack principle of forged data messages is as follows: a data-message-based attack protects the attack data by generating garbage data. Its characteristic is that data messages with identical or wrong send sequence numbers are forged so that they overlap the send sequence numbers of normal data messages; this can cause the NIDS to fail to reassemble and restore the TCP data, and the traffic after the attack message is discarded.
Specifically, the method for detecting data messages in the TCP state machine attack in step four includes the following steps:
Step 4.1, constructing an auxiliary buffer to store pointers to messages whose send sequence numbers overlap;
Step 4.2, when captured data messages have overlapping sequence numbers: if $Seq_{pkt} < Seq_{expected}$, the message is identified as an attack; if $Seq_{pkt} > Seq_{expected}$, the pointer to the first data message is stored in the ordinary TCP receive buffer and the pointer to the overlapping data message is stored in the auxiliary buffer; where $Seq_{pkt}$ denotes the sequence number of the message currently being processed by the NIDS and $Seq_{expected}$ denotes the sequence number of the message the NIDS expects to receive;
Step 4.3, after the NIDS finishes processing the current data message, updating $Seq_{expected}$ for receiving the next data message;
Step 4.4, determining which of the messages stored in the receive buffer and the auxiliary buffer is correct, and discarding the attack message.
Specifically, step 4.4 determines which of the messages stored in the ordinary buffer and the auxiliary buffer is correct by receiving the next data message, and the specific judgment is as follows:
(1) the data message in the receive buffer is the correct message, and the data message in the auxiliary buffer is an attack message:
$Seq_{next} + Data_{next} = Seq_{buffer}$
where $Seq_{next}$ denotes the sequence number of the next data message received by the NIDS, $Data_{next}$ denotes the data length of the next data message received by the NIDS, and $Seq_{buffer}$ denotes the expected sequence number of the data message stored in the ordinary buffer;
(2) the data message in the receive buffer is an attack message, and the data message in the auxiliary buffer is a normal message:
$Seq_{next} = Seq_{Aux\_buffer} + Data_{Aux\_buffer}$
where $Seq_{Aux\_buffer}$ denotes the expected sequence number of the data message stored in the auxiliary buffer and $Data_{Aux\_buffer}$ denotes the data length of the data message stored in the auxiliary buffer.
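Steps 4.1 to 4.4 with the two equalities applied exactly as written above, as an added example that is not part of the patent text. It assumes $Seq_{buffer}$ and $Seq_{Aux\_buffer}$ are the stored messages' own sequence numbers, uses one slot per buffer, and adds wraparound-safe comparison modulo 2^32, which the page does not mention; all names and segments are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

MOD = 1 << 32
HALF = 1 << 31


def seq_lt(a: int, b: int) -> bool:
    """a < b in 32-bit serial-number arithmetic (wraparound-safe)."""
    return a != b and (b - a) % MOD < HALF


@dataclass(frozen=True)
class Segment:
    seq: int
    length: int


def overlaps(a: Segment, b: Segment) -> bool:
    """True when [seq, seq+length) of a and b share at least one byte."""
    fwd = (b.seq - a.seq) % MOD
    return fwd < a.length if fwd < HALF else (a.seq - b.seq) % MOD < b.length


class OverlapDetector:
    def __init__(self, seq_expected: int) -> None:
        self.seq_expected = seq_expected
        self.buffer: Optional[Segment] = None   # ordinary receive buffer slot
        self.aux: Optional[Segment] = None      # auxiliary buffer slot (step 4.1)
        self.attacks: List[Segment] = []

    def _advance(self, seg: Segment) -> None:
        # Step 4.3: update Seq_expected, then release a now-contiguous buffer.
        if seg.seq == self.seq_expected:
            self.seq_expected = (seg.seq + seg.length) % MOD
        if (self.buffer is not None and self.aux is None
                and self.buffer.seq == self.seq_expected):
            self.seq_expected = (self.buffer.seq + self.buffer.length) % MOD
            self.buffer = None

    def _settle(self, keep: Segment, drop: Segment) -> None:
        # Step 4.4 outcome: record the loser as an attack, keep the winner.
        self.attacks.append(drop)
        self.buffer, self.aux = keep, None

    def process(self, seg: Segment) -> str:
        if self.buffer is not None and self.aux is not None:
            if (seg.seq + seg.length) % MOD == self.buffer.seq:      # equality (1)
                self._settle(self.buffer, self.aux)
                self._advance(seg)
                return "buffer-correct"
            if seg.seq == (self.aux.seq + self.aux.length) % MOD:    # equality (2)
                self._settle(self.aux, self.buffer)
                self._advance(seg)
                return "aux-correct"
        if seq_lt(seg.seq, self.seq_expected):      # step 4.2, first branch
            self.attacks.append(seg)
            return "attack"
        if seg.seq == self.seq_expected:
            self._advance(seg)
            return "in-order"
        if self.buffer is None:
            self.buffer = seg
            return "buffered"
        if self.aux is None and overlaps(self.buffer, seg):
            self.aux = seg                          # step 4.2, second branch
            return "aux-buffered"
        return "out-of-order"


if __name__ == "__main__":
    d = OverlapDetector(seq_expected=1000)          # constructed segments
    for s in (Segment(1100, 100), Segment(1150, 100), Segment(1000, 100)):
        print(s, d.process(s))
    print("attack segments:", d.attacks)
```

Genuine retransmissions also satisfy $Seq_{pkt} < Seq_{expected}$, so a deployment would treat the "attack" verdict together with the TTL check of step one rather than on its own.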
The computer device of the present invention may be a device including a processor, a memory, and the like, for example, a single chip microcomputer including a central processing unit and the like. And the processor is used for implementing the steps of the recommendation method capable of modifying the relationship-driven recommendation data based on the CREO software when executing the computer program stored in the memory.
The Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
Computer-readable storage medium embodiments
The computer readable storage medium of the present invention may be any form of storage medium that can be read by a processor of a computer device, including but not limited to non-volatile memory, ferroelectric memory, etc., and the computer readable storage medium has stored thereon a computer program that, when the computer program stored in the memory is read and executed by the processor of the computer device, can implement the above-mentioned steps of the CREO-based software that can modify the modeling method of the relationship-driven modeling data.
The computer program comprises computer program code which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.
Claims (10)
1. A NIDS network penetration detection method, characterized by comprising the following steps:
step one, detecting the TTL field value from the NIDS to the server;
step two, judging the type of the received message, executing step three when the message is a control message, and executing step four when the message is a data message;
step three, detecting control messages in the TCP state machine attack;
step four, detecting data messages in the TCP state machine attack.
2. The method of claim 1, wherein detecting the TTL field value from the NIDS to the server in step one specifically comprises the following steps:
step 1.1, generating a TTL table containing a TTL threshold field value and a service identification field;
step 1.2, calculating the field value hops from the NIDS to the server;
step 1.3, comparing the value hops obtained in step 1.2 with the TTL threshold in the TTL table: when $hops < Table_{TTL}$, the TTL threshold in the TTL table is updated; when $pkt_{TTL} < Table_{TTL}$, the message is considered to be an attack message; where $Table_{TTL}$ denotes the TTL threshold field value in the TTL table and $pkt_{TTL}$ denotes the value of the TTL field in the message received by the NIDS.
3. The method of claim 2, wherein the field value hops from the NIDS to the server in step 1.2 is calculated by the following formula:
where hops is the field value from the NIDS to the server, $base_i$ is a radix taking a value in [64, 128, 255], and $Pkt_{TTL}$ is the value of the TTL field in the message received by the NIDS.
4. The detection method according to claim 3, wherein detecting control messages in the TCP state machine attack in step three specifically includes detecting the TCB creation, TCB destruction, TCB reversion and Resync + Desync attack techniques.
5. The detection method according to claim 4, wherein detecting data messages in the TCP state machine attack in step four specifically includes detecting the data overlapping, unordered data overlapping, ordered data overlapping and data asynchronous attack techniques.
6. The detection method according to claim 5, wherein the specific method for detecting control messages in the TCP state machine attack in step three comprises the following steps:
step 3.1, so that the NIDS does not discard control messages when it receives multiple SYN or SYN/ACK messages with the same four-tuple and conflicting sequence numbers, constructing a TCB chain for messages that share a four-tuple and have conflicting sequence numbers;
step 3.2, establishing a timer for each TCB chain, the timer being updated when a new message arrives;
step 3.3, when captured control messages have conflicting sequence numbers, storing the conflicting control messages in the TCB chain;
step 3.4, receiving the next message;
step 3.5, when the TCB is in the creation stage, checking the sequence number of the next message: if a message in the TCB chain is continuous with the sequence number of the next message, that message is a normal message, and the other messages in the TCB chain are discarded as attack messages;
when the TCB is in the destruction stage: when the TCB timer has expired, the TCB chain is released; when the TCB timer has not expired and a message for the four-tuple is received after the RST/FIN message, the RST/FIN message can be determined to be an attack message, the TCB chain is retained, and the RST/FIN packet is discarded.
7. The detection method according to claim 6, wherein the specific method for detecting data messages in the TCP state machine attack in step four comprises the following steps:
step 4.1, constructing an auxiliary buffer to store pointers to messages whose send sequence numbers overlap;
step 4.2, when captured data messages have overlapping sequence numbers: if $Seq_{pkt} < Seq_{expected}$, the message is identified as an attack; if $Seq_{pkt} > Seq_{expected}$, the pointer to the first data message is stored in the ordinary TCP receive buffer and the pointer to the overlapping data message is stored in the auxiliary buffer; where $Seq_{pkt}$ denotes the sequence number of the message currently being processed by the NIDS and $Seq_{expected}$ denotes the sequence number of the message the NIDS expects to receive;
step 4.3, after the NIDS finishes processing the current data message, updating $Seq_{expected}$ for receiving the next data message;
step 4.4, determining which of the messages stored in the receive buffer and the auxiliary buffer is correct, and discarding the attack message.
8. The detection method according to claim 7, wherein in step 4.4 which of the messages stored in the ordinary buffer and the auxiliary buffer is correct is determined by receiving the next data message, and the specific judgment is:
(1) the data message in the receive buffer is the correct message, and the data message in the auxiliary buffer is an attack message:
$Seq_{next} + Data_{next} = Seq_{buffer}$
where $Seq_{next}$ denotes the sequence number of the next data message received by the NIDS, $Data_{next}$ denotes the data length of the next data message received by the NIDS, and $Seq_{buffer}$ denotes the expected sequence number of the data message stored in the ordinary buffer;
(2) the data message in the receive buffer is an attack message, and the data message in the auxiliary buffer is a normal message:
$Seq_{next} = Seq_{Aux\_buffer} + Data_{Aux\_buffer}$
where $Seq_{Aux\_buffer}$ denotes the expected sequence number of the data message stored in the auxiliary buffer and $Data_{Aux\_buffer}$ denotes the data length of the data message stored in the auxiliary buffer.
9. A computer comprising a memory storing a computer program and a processor, the processor implementing the steps of a NIDS network penetration detection method according to any one of claims 1 to 8 when executing the computer program.
10. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements a NIDS network penetration detection method as recited in any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110994850.8A CN113709156B (en) | 2021-08-27 | 2021-08-27 | NIDS network penetration detection method, computer and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113709156A (en) | 2021-11-26 |
CN113709156B (en) | 2022-09-27 |
Family
ID=78655861
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110994850.8A Active CN113709156B (en) | 2021-08-27 | 2021-08-27 | NIDS network penetration detection method, computer and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113709156B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||