CN113760664A - Two-stage threshold attack detection method, computer and storage medium - Google Patents

Publication number
CN113760664A
Authority
CN
China
Prior art keywords
threshold
level
access
nodes
node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111060878.0A
Other languages
Chinese (zh)
Other versions
CN113760664B (en)
Inventor
史建焘
刘立坤
余翔湛
叶麟
李精卫
韦贤葵
石开宇
车佳臻
赵跃
冯帅
王久金
宋赟祖
谭通海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Harbin Institute of Technology
Original Assignee
Harbin Institute of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Harbin Institute of Technology
Priority to CN202111060878.0A
Publication of CN113760664A
Application granted
Publication of CN113760664B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3037 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a memory, e.g. virtual memory, cache
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment monitoring of user actions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/805 Real-time
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/81 Threshold
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/885 Monitoring specific for caches

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Physics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a two-stage threshold attack detection method, a computer and a storage medium, and belongs to the technical field of intelligent detection. The method is based on a level I threshold and a level II threshold. First, the pattern matching algorithm automaton is reconstructed: all nodes at layer 4 or deeper are selected, and an access count t, a level I threshold $L_1$ and a level II threshold $L_2$ are added to each selected node. Second, the automaton receives the data T to be matched, sets the level I threshold $L_1$ threshold node ratio $p_1$ and the level II threshold $L_2$ threshold node ratio $p_2$, sets the pointer to 0, and points the matching pointer to the first character of T. Finally, the number of node accesses is counted, and the method judges whether the number of node accesses exceeds the level I threshold $L_1$ and the level II threshold $L_2$ and the threshold node ratios $p_1$ and $p_2$; if it does, the access is determined to be an attack. This solves the technical problem that the prior art cannot identify attack data and the DPI system is attacked.

Description

Two-stage threshold attack detection method, computer and storage medium
Technical Field
The application relates to an attack detection method, in particular to a two-stage threshold attack detection method, a computer and a storage medium, and belongs to the technical field of intelligent detection.
Background
Because of their low cost and obvious effect, DDoS attacks are the most common and most damaging network security threats faced by internet users, and a large number of people take part in attack and defense confrontations in national cyber warfare, academia, industry, hacker circles and elsewhere. Algorithmic complexity attacks are typical application-layer DDoS attacks: by carefully crafting packets, they make the algorithms that process application-layer data run at worst-case time complexity all the time, consuming a large amount of system time and space resources and forcing the DPI to stop inspecting some or all of the traffic.
As the first line of defense of network security, a deep packet inspection (DPI) system is an important target of cache attacks. An attacker uses probing to obtain part of the patterns as prior knowledge, then modifies some characters of the known patterns according to common pattern matching algorithms to produce attack samples, and finally carries out the attack by replaying a large number of attack samples. When a cyber criminal carries out a cache attack, the DPI may be disabled; as the system crashes or legitimate traffic is dropped, the attacker then sends a large amount of spam traffic or specially designed attack data to the servers protected by the DPI.
The existing cache attack detection method is based on a node threshold: all automaton nodes are divided into frequently accessed nodes and infrequently accessed nodes, and for each data packet the proportion of accesses to infrequently accessed nodes relative to the data length is counted. If the proportion exceeds a set threshold, the packet is identified as an attack packet. However, if an attacker learns the boundary between frequently and infrequently accessed nodes, attack data is very easy to construct and the detection is bypassed.
Disclosure of Invention
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. It should be understood that this summary is not an exhaustive overview of the invention. It is not intended to determine the key or critical elements of the present invention, nor is it intended to limit the scope of the present invention. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is discussed later.
In view of this, to solve the technical problem that attack data cannot be identified in the prior art, the present invention provides a two-stage threshold attack detection method, a computer and a storage medium that identify attack data and protect the DPI system from attack.
A two-stage threshold attack detection method comprises an I-stage threshold and a II-stage threshold, and comprises the following steps:
step one, reconstructing the pattern matching algorithm automaton: selecting all nodes at layer 4 or deeper, and adding to each selected node an access count t, a level I threshold $L_1$ and a level II threshold $L_2$; then executing step two;
step two, the automaton receives the data T to be matched, sets the level I threshold $L_1$ threshold node ratio $p_1$ and the level II threshold $L_2$ threshold node ratio $p_2$, sets the pointer to 0, points the matching pointer to the first character of T and scans the current character; then executing step three;
step three, counting the node accesses and judging whether the number of node accesses exceeds the level I threshold $L_1$: if the access count of the current node exceeds the level I threshold $L_1$, executing step four; if it does not exceed the level I threshold $L_1$, comparing the access count of the current node with the level II threshold $L_2$; if the access count of the current node exceeds the level II threshold $L_2$, executing step five; if it does not exceed the level II threshold $L_2$, pointing the matching pointer to the next character of T, scanning the next character, and executing the current step again;
step four, calculating the node access proportion $p_1$ exceeding the level I threshold $L_1$; if the current node access times exceed the node access proportion $p_1$, identifying the current node access as an attack; if the current node access times do not exceed the node access proportion $p_1$, returning to step three;
step five, calculating the node access proportion $p_2$ exceeding the level II threshold $L_2$; if the current node access times exceed the node access proportion $p_2$, identifying the current node access as an attack; if the current node access times do not exceed the node access proportion $p_2$, returning to step three.
Preferably, the node access proportion $p_1$ exceeding the level I threshold $L_1$ in step four is calculated as follows:
Figure BDA0003256487730000021
where t represents the access count of a node and k represents the number of threshold nodes. The threshold nodes are set on low-frequency access nodes. Under real traffic, the high-frequency access nodes of the AC automaton lie in the first 5 layers and the first 3 layers receive the most accesses; to prevent false negatives, the first 3 layers are treated as high-frequency access nodes and the two-level thresholds are set on all nodes at layer 4 or deeper.
Preferably, the node access proportion $p_2$ exceeding the level II threshold $L_2$ in step five is calculated as follows:
Figure BDA0003256487730000022
where t represents the access count of a node and k represents the number of threshold nodes. The threshold nodes are set on low-frequency access nodes. Under real traffic, the high-frequency access nodes of the AC automaton lie in the first 5 layers and the first 3 layers receive the most accesses; to prevent false negatives, the first 3 layers are treated as high-frequency access nodes and the two-level thresholds are set on all nodes at layer 4 or deeper.
A computer comprising a memory storing a computer program and a processor implementing the steps of a two-level threshold attack detection method when executing said computer program.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, implements a two-stage threshold attack detection method.
The invention has the following beneficial effects: the invention provides a two-stage threshold attack detection method, which judges whether the node access times exceed a threshold node proportion or not by counting the node access times, identifies and judges attack data, and solves the technical problems that the prior art cannot identify the attack data and a DPI system is attacked.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flow chart of a detection method according to an embodiment of the present invention.
Detailed Description
To make the technical solutions and advantages of the embodiments of the present application clearer, exemplary embodiments of the present application are described in further detail below with reference to the accompanying drawings. The described embodiments are only a part of the embodiments of the present application and are not exhaustive of all embodiments. It should be noted that the embodiments and the features of the embodiments in the present application may be combined with each other without conflict.
Embodiment 1, referring to fig. 1, illustrates this embodiment, and the two-stage threshold attack detection method of this embodiment includes an I-stage threshold and a II-stage threshold, and includes the following steps:
Step one, reconstructing the pattern matching algorithm automaton: selecting all nodes at layer 4 or deeper, and adding to each selected node an access count t, a level I threshold $L_1$ and a level II threshold $L_2$; then executing step two;
Specifically, the level I threshold $L_1$ takes the maximum value of each node after a certain period of normal traffic; the calculation formula is as follows:
$L_{1i} = \max\{n_i\}$
where n represents an access node;
Specifically, the level II threshold $L_2$ is calculated according to the following formula:
$L_{2i} = (1 + m) \times L_{1i}$, where $0 < m < 2$
where m denotes a preset threshold coefficient.
Step two, the automaton receives the data T to be matched, sets the level I threshold $L_1$ threshold node ratio $p_1$ and the level II threshold $L_2$ threshold node ratio $p_2$, sets the pointer to 0, points the matching pointer to the first character of T and scans the current character; then executing step three;
Step three, counting the node accesses and judging whether the number of node accesses exceeds the level I threshold $L_1$: if the access count of the current node exceeds the level I threshold $L_1$, executing step four; if it does not exceed the level I threshold $L_1$, comparing the access count of the current node with the level II threshold $L_2$; if the access count of the current node exceeds the level II threshold $L_2$, executing step five; if it does not exceed the level II threshold $L_2$, pointing the matching pointer to the next character of T, scanning the next character, and executing the current step again;
Specifically, each time a selected node is accessed, the access count of that node is increased by 1.
Specifically, this continues until the matching pointer points to the end of T.
Step four, calculating the node access proportion $p_1$ exceeding the level I threshold $L_1$; if the current node access times exceed the node access proportion $p_1$, identifying the current node access as an attack; if the current node access times do not exceed the node access proportion $p_1$, returning to step three;
Step five, calculating the node access proportion $p_2$ exceeding the level II threshold $L_2$; if the current node access times exceed the node access proportion $p_2$, identifying the current node access as an attack; if the current node access times do not exceed the node access proportion $p_2$, returning to step three.
Specifically, the two-stage threshold detection corresponds to a TCP flow or UDP packet whose data is to be sent as input to the DPI engine. The real-time access count of a node is updated as the pointer into the input data moves.
Specifically, the node access proportion $p_1$ exceeding the level I threshold $L_1$ in step four is calculated as follows:
Figure BDA0003256487730000041
where t represents the access count of a node and k represents the number of threshold nodes. The threshold nodes are set on low-frequency access nodes. Under real traffic, the high-frequency access nodes of the AC automaton lie in the first 5 layers and the first 3 layers receive the most accesses; to prevent false negatives, the first 3 layers are treated as high-frequency access nodes and the two-level thresholds are set on all nodes at layer 4 or deeper.
Specifically, the node access proportion $p_2$ exceeding the level II threshold $L_2$ in step five is calculated as follows:
Figure BDA0003256487730000042
where t represents the access count of a node and k represents the number of threshold nodes. The threshold nodes are set on low-frequency access nodes. Under real traffic, the high-frequency access nodes of the AC automaton lie in the first 5 layers and the first 3 layers receive the most accesses; to prevent false negatives, the first 3 layers are treated as high-frequency access nodes and the two-level thresholds are set on all nodes at layer 4 or deeper.
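The five steps above, as an added Python sketch on an Aho-Corasick automaton; it is not code from the patent. The formulas for the proportions survive on this page only as figure references, so the sketch assumes each proportion is the number of threshold nodes whose count exceeds the level divided by k, takes the "normal flow" maximum per input sample, and checks level II independently of level I; the class name, the signatures, the traffic strings and the values of p1 and p2 are constructed for the example.

```python
from collections import deque

MIN_LAYER = 4  # the page puts both thresholds on every node at layer >= 4


class TwoLevelDetector:
    def __init__(self, patterns, m=0.5):
        if not 0 < m < 2:                        # page: 0 < m < 2
            raise ValueError("m must satisfy 0 < m < 2")
        self.m = m
        self.goto, self.fail, self.depth = [{}], [0], [0]
        for pat in patterns:                     # step one: build the trie
            node = 0
            for ch in pat:
                if ch not in self.goto[node]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.depth.append(self.depth[node] + 1)
                    self.goto[node][ch] = len(self.goto) - 1
                node = self.goto[node][ch]
        queue = deque(self.goto[0].values())     # BFS fills the failure links
        while queue:
            node = queue.popleft()
            for ch, child in self.goto[node].items():
                f = self.fail[node]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(ch, 0)
                queue.append(child)
        # Threshold nodes: each gets a counter t and the thresholds L1, L2.
        self.nodes = [n for n, d in enumerate(self.depth) if d >= MIN_LAYER]
        self.k = len(self.nodes)
        self.L1 = dict.fromkeys(self.nodes, 0)
        self.L2 = dict.fromkeys(self.nodes, 0.0)

    def _step(self, node, ch):
        """Follow failure links until ch can be consumed, then take the edge."""
        while node and ch not in self.goto[node]:
            node = self.fail[node]
        return self.goto[node].get(ch, 0)

    def calibrate(self, normal_samples):
        """L1_i = max count seen at node i in normal traffic; L2_i = (1+m)*L1_i.

        Assumption: the maximum is taken per input sample.
        """
        for sample in normal_samples:
            t = dict.fromkeys(self.nodes, 0)
            node = 0
            for ch in sample:
                node = self._step(node, ch)
                if node in t:
                    t[node] += 1
            for n in self.nodes:
                self.L1[n] = max(self.L1[n], t[n])
        for n in self.nodes:
            self.L2[n] = (1 + self.m) * self.L1[n]

    def scan(self, data, p1, p2):
        """Steps two to five for one flow or packet; returns (verdict, level, pos)."""
        t = dict.fromkeys(self.nodes, 0)         # step two: reset per-input state
        over1, over2 = set(), set()
        node = 0
        for pos, ch in enumerate(data):
            node = self._step(node, ch)
            if node not in t:                    # layers 1-3 carry no threshold
                continue
            t[node] += 1                         # step three: count the access
            if t[node] > self.L1[node]:          # step four (assumed ratio)
                over1.add(node)
                if len(over1) / self.k > p1:
                    return ("attack", "I", pos)
            if t[node] > self.L2[node]:          # step five (assumed ratio)
                over2.add(node)
                if len(over2) / self.k > p2:
                    return ("attack", "II", pos)
        return ("ok", None, len(data))


# Constructed signatures and traffic, for illustration only.
PATTERNS = ["malwaresignature", "exploitpayload", "trojandropper"]
NORMAL = [" ".join(PATTERNS * 2)]    # baseline: each signature appears twice
BENIGN = "report mentions exploitpayload once"
BROAD = "malwaresignatur!" * 3 + "exploitpayloa!" * 3 + "trojandroppe!" * 3
NARROW = "malwaresignatur!" * 4


def demo():
    det = TwoLevelDetector(PATTERNS, m=0.5)
    det.calibrate(NORMAL)
    return det, [det.scan(x, p1=0.5, p2=0.2) for x in (BENIGN, BROAD, NARROW)]


if __name__ == "__main__":
    detector, results = demo()
    print(detector.k, results)
```

With these constructed inputs, the broad input pushes many deep nodes slightly over their level I threshold, while the narrow input pushes a few nodes over level II without reaching the level I proportion.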
The computer device of the present invention may be a device including a processor, a memory, and the like, for example, a single chip microcomputer including a central processing unit and the like. And the processor is used for implementing the steps of the recommendation method capable of modifying the relationship-driven recommendation data based on the CREO software when executing the computer program stored in the memory.
The Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
Computer-readable storage medium embodiments
The computer readable storage medium of the present invention may be any form of storage medium that can be read by a processor of a computer device, including but not limited to non-volatile memory, ferroelectric memory, etc., and the computer readable storage medium has stored thereon a computer program that, when the computer program stored in the memory is read and executed by the processor of the computer device, can implement the above-mentioned steps of the CREO-based software that can modify the modeling method of the relationship-driven modeling data.
The computer program comprises computer program code which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.

Claims (5)

1. A two-stage threshold attack detection method comprises a stage I threshold and a stage II threshold, and is characterized by comprising the following steps:
step one, reconstructing the pattern matching algorithm automaton: selecting all nodes at layer 4 or deeper, and adding to each selected node an access count t, a level I threshold $L_1$ and a level II threshold $L_2$; then executing step two;
step two, the automaton receives the data T to be matched, sets the level I threshold $L_1$ threshold node ratio $p_1$ and the level II threshold $L_2$ threshold node ratio $p_2$, sets the pointer to 0, points the matching pointer to the first character of T and scans the current character; then executing step three;
step three, counting the node accesses and judging whether the number of node accesses exceeds the level I threshold $L_1$: if the access count of the current node exceeds the level I threshold $L_1$, executing step four; if it does not exceed the level I threshold $L_1$, comparing the access count of the current node with the level II threshold $L_2$; if the access count of the current node exceeds the level II threshold $L_2$, executing step five; if it does not exceed the level II threshold $L_2$, pointing the matching pointer to the next character of T, scanning the next character, and executing the current step again;
step four, calculating the node access proportion $p_1$ exceeding the level I threshold $L_1$; if the current node access times exceed the node access proportion $p_1$, identifying the current node access as an attack; if the current node access times do not exceed the node access proportion $p_1$, returning to step three;
step five, calculating the node access proportion $p_2$ exceeding the level II threshold $L_2$; if the current node access times exceed the node access proportion $p_2$, identifying the current node access as an attack; if the current node access times do not exceed the node access proportion $p_2$, returning to step three.
2. The detection method according to claim 1, characterized in that the node access proportion $p_1$ exceeding the level I threshold $L_1$ in step four is calculated as follows:
Figure FDA0003256487720000011
where t represents the access count of a node and k represents the number of threshold nodes; the threshold nodes are set on low-frequency access nodes; under real traffic, the high-frequency access nodes of the AC automaton lie in the first 5 layers and the first 3 layers receive the most accesses; to prevent false negatives, the first 3 layers are treated as high-frequency access nodes and the two-level thresholds are set on all nodes at layer 4 or deeper.
3. The detection method according to claim 1, characterized in that the node access proportion $p_2$ exceeding the level II threshold $L_2$ in step five is calculated as follows:
Figure FDA0003256487720000021
where t represents the access count of a node and k represents the number of threshold nodes; the threshold nodes are set on low-frequency access nodes; under real traffic, the high-frequency access nodes of the AC automaton lie in the first 5 layers and the first 3 layers receive the most accesses; to prevent false negatives, the first 3 layers are treated as high-frequency access nodes and the two-level thresholds are set on all nodes at layer 4 or deeper.
4. A computer comprising a memory storing a computer program and a processor implementing the steps of a two-level threshold attack detection method as claimed in any one of claims 1 to 3 when executing said computer program.
5. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a two-level threshold attack detection method according to any one of claims 1 to 3.
CN202111060878.0A 2021-09-10 2021-09-10 Two-stage threshold attack detection method, computer and storage medium Active CN113760664B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111060878.0A CN113760664B (en) 2021-09-10 2021-09-10 Two-stage threshold attack detection method, computer and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111060878.0A CN113760664B (en) 2021-09-10 2021-09-10 Two-stage threshold attack detection method, computer and storage medium

Publications (2)

Publication Number Publication Date
CN113760664A true CN113760664A (en) 2021-12-07
CN113760664B CN113760664B (en) 2022-09-27

Family

ID=78794695

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111060878.0A Active CN113760664B (en) 2021-09-10 2021-09-10 Two-stage threshold attack detection method, computer and storage medium

Country Status (1)

Country Link
CN (1) CN113760664B (en)


Also Published As

Publication number Publication date
CN113760664B (en) 2022-09-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant