CN113760664B - Two-stage threshold attack detection method, computer and storage medium - Google Patents

Two-stage threshold attack detection method, computer and storage medium Download PDF

Info

Publication number
CN113760664B
CN113760664B CN202111060878.0A CN202111060878A CN113760664B CN 113760664 B CN113760664 B CN 113760664B CN 202111060878 A CN202111060878 A CN 202111060878A CN 113760664 B CN113760664 B CN 113760664B
Authority
CN
China
Prior art keywords
threshold
node
level
access
nodes
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111060878.0A
Other languages
Chinese (zh)
Other versions
CN113760664A (en
Inventor
史建焘
刘立坤
余翔湛
叶麟
李精卫
韦贤葵
石开宇
车佳臻
赵跃
冯帅
王久金
宋赟祖
谭通海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Harbin Institute of Technology
Original Assignee
Harbin Institute of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Harbin Institute of Technology filed Critical Harbin Institute of Technology
Priority to CN202111060878.0A priority Critical patent/CN113760664B/en
Publication of CN113760664A publication Critical patent/CN113760664A/en
Application granted granted Critical
Publication of CN113760664B publication Critical patent/CN113760664B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3037Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a memory, e.g. virtual memory, cache
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment monitoring of user actions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2201/00Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/805Real-time
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2201/00Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/81Threshold
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2201/00Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/885Monitoring specific for caches

Abstract

The invention provides a two-stage threshold attack detection method, a computer and a storage medium, and belongs to the technical field of intelligent detection. A two-stage threshold attack detection method based on I-stage and II-stage comprises the steps of firstly reconstructing a pattern matching algorithm automaton, selecting all nodes with the layer being more than or equal to 4, increasing the number of times of access t and increasing a level I threshold L for each selected node 1 And a level II threshold L 2 Then executing the next step, secondly, receiving the data T to be matched by the automaton, and enabling the I-level threshold value L 1 Threshold node ratio p 1 And a level II threshold L 2 Threshold node ratio p 2 Setting the pointer to be 0, matching the first character of the pointer pointing to T, executing the next step, and finally counting the number of node accesses; judging whether the number of node accesses exceeds an I-level threshold value L or not 1 And a level II threshold L 2 Threshold node ratio p 1 And node ratio p 2 If the number of accesses exceeds the threshold, the determination is made as an attack. The technical problem that the DPI system cannot recognize the attack data received by the DPI system in the prior art is solved.

Description

Two-stage threshold attack detection method, computer and storage medium
Technical Field
The application relates to an attack detection method, in particular to a two-stage threshold attack detection method, a computer and a storage medium, and belongs to the technical field of intelligent detection.
Background
DDoS attacks are the most common and greatly influenced network security threats faced by internet users due to the characteristics of low cost, obvious attack effect and the like, and a large number of people participate in attack and defense countermeasures in national network battles, academic circles, enterprise circles, hacker circles and the like. Algorithm complexity attacks are typical application layer DDos attacks that cause algorithms that process application layer data to run at worst time complexity all the time by elaborating the packets, thereby consuming a lot of system space-time resources forcing the DPI to stop checking some or all of the traffic.
As a first line of defense of network security, a deep packet inspection system (DPI) is an important target of cache attack. An attacker uses a detection means to obtain a partial pattern as prior knowledge, then modifies partial characters of the known pattern according to a common pattern matching algorithm to be used as an attack sample, and finally, attacks are implemented through a large number of replay attack samples. When a network criminal implements cache attack, DPI may be destroyed, and as the system crashes or legitimate traffic drops, an attacker then sends a large amount of spam traffic or specifically designed attack data to a server protected by DPI.
The existing cache attack detection method is based on node threshold value to detect, namely all automaton nodes are divided into regular access nodes and infrequent access nodes, the proportion of the access times of the infrequent access nodes to the data length is counted according to a data packet, if the access times exceed a set threshold value, the data packet is identified as an attack packet, but if an attacker grasps a boundary between the regular access nodes and the infrequent access nodes, the attack data is very easy to construct, and the detection of the method is bypassed.
Disclosure of Invention
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. It should be understood that this summary is not an exhaustive overview of the invention. It is not intended to determine the key or critical elements of the present invention, nor is it intended to limit the scope of the present invention. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is discussed later.
In view of this, the present invention provides a two-stage threshold attack detection method, a computer, and a storage medium scheme for identifying attack data to protect a DPI system from being attacked, in order to solve the technical problem that attack data cannot be identified in the prior art.
A two-stage threshold attack detection method comprises an I-stage threshold and a II-stage threshold, and comprises the following steps:
step one, reconstructing a pattern matching algorithm automaton, selecting all nodes with the layer being more than or equal to 4, and increasing the number of times of access t and the level I threshold value L for each selected node 1 And a level II threshold L 2 Then executing the step two;
step two, the automaton receives the data T to be matched and compares the level I threshold value L 1 Threshold node ratio p 1 And a level II threshold L 2 Threshold node ratio p 2 Setting the pointer to point to the first character of T, scanning the current character, and executing the third step;
step three, counting the access times of the nodes; judging whether the number of node accesses exceeds an I-level threshold value L or not 1 If the access times of the current node exceed the I-level threshold value L 1 If so, executing the step four; if the current node access times do not exceed the I-level threshold value L 1 Then, the current node access times and a II-level threshold value L are compared 2 Comparing, if the access times of the current node exceed the II-level threshold value L 2 If the access times of the current node do not exceed the II-level threshold value L, executing the step five 2 Pointing the matching pointer to the next character of the T, scanning the next character, and executing the current step;
step four, calculating the threshold value L exceeding the level I 1 Node access proportion p 1 (ii) a If the current node access times exceed the node access proportion p 1 Identifying the current node access as an attack; if the current node access times do not exceed the node access proportion p 1 Returning to the third step;
step five, calculating the threshold value L exceeding the II level 2 Node access proportion p 2 (ii) a If the current node access times exceed the node access proportion p 2 Identifying the current node access as an attack; if the current node access times do not exceed the node access proportion p 2 And returning to the step three.
Preferably, the calculation of step four exceeds a level I threshold L 1 Node access proportion p 1 The specific method comprises the following steps:
Figure GDA0003804537670000021
the method comprises the steps that t represents the number of access times of nodes, k represents the number of set threshold nodes, the threshold nodes are set on low-frequency access nodes, under the real flow, the high-frequency access nodes of the AC automaton are on the first 5 layers, the first 3 layers have the largest access, in order to prevent the high false negative rate, the first 3 layers are used as the high-frequency access nodes, and two levels of thresholds are set on all nodes more than or equal to 4 layers.
Preferably, the calculation of step five exceeds a level II threshold L 2 Node access proportion p 2 The specific method comprises the following steps:
Figure GDA0003804537670000022
wherein t represents the access times of the nodes, k represents the number of the set threshold nodes, the threshold nodes are set at the low-frequency access nodes, the high-frequency access nodes of the AC automaton are at the first 5 layers and the first 3 layers have the most access under the real flow, in order to prevent the false negative rate, the first 3 layers are used as the high-frequency access nodes, and the two-level thresholds are set at all the nodes of more than or equal to 4 layers.
A computer comprising a memory storing a computer program and a processor implementing the steps of a two-level threshold attack detection method when executing said computer program.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, implements a two-stage threshold attack detection method.
The invention has the following beneficial effects: the invention provides a two-stage threshold attack detection method, which judges whether the node access times exceed a threshold node proportion or not by counting the node access times, identifies and judges attack data, and solves the technical problems that the prior art cannot identify the attack data and a DPI system is attacked.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flow chart of a detection method according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present application more apparent, the following further detailed description of the exemplary embodiments of the present application with reference to the accompanying drawings makes it clear that the described embodiments are only a part of the embodiments of the present application, and are not exhaustive of all embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Embodiment 1, referring to fig. 1, illustrates this embodiment, and the two-stage threshold attack detection method of this embodiment includes an I-stage threshold and a II-stage threshold, and includes the following steps:
step one, reconstructing a pattern matching algorithm automaton, selecting all nodes with the layer being more than or equal to 4, and increasing the number of times of access t and the level I threshold value L for each selected node 1 And a level II threshold L 2 Then executing the step two;
in particular, a level I threshold L 1 Taking the maximum value of each node after a certain time of normal flow; computingThe formula is as follows
L 1i =max{n i }
Wherein n represents an access node;
in particular, a class II threshold L 2 The level threshold value is calculated according to the following formula:
L 2i =(1+m)×L 1i ,where 0<m<2
where m denotes a preset threshold coefficient.
Step two, the automaton receives the data T to be matched and compares the level I threshold value L 1 Threshold node ratio p 1 And a level II threshold L 2 Threshold node ratio p 2 Setting the pointer to 0, scanning the current character by the first character of the matching pointer pointing to T, and executing the third step;
thirdly, counting the access times of the nodes; judging whether the number of node accesses exceeds an I-level threshold value L or not 1 If the access times of the current node exceed the I-level threshold value L 1 If so, executing the step four; if the current node access times do not exceed the I-level threshold value L 1 Then, the access times of the current node and a II-level threshold value L are compared 2 Comparing, if the access times of the current node exceed the II-level threshold value L 2 If the access times of the current node do not exceed the II-level threshold value L, executing the step five 2 Pointing the matching pointer to the next character of the T, scanning the next character, and executing the current step;
specifically, each time a selected node is accessed, the number of times the node is accessed is increased by 1.
In particular, until the matching pointer points to the end of T.
Step four, calculating the threshold value L exceeding the level I 1 Node access proportion p 1 (ii) a If the current node access times exceed the node access proportion p 1 Identifying the current node access as an attack; if the current node access times do not exceed the node access proportion p 1 Returning to the third step;
step five, calculating the threshold value L exceeding the II level 2 Node access proportion p 2 (ii) a If the current node access times exceed the node access proportion p 2 Identifying the current node access as an attack; if the current node access times do not exceed the nodePoint access ratio p 2 And returning to the step three.
Specifically, the two-stage threshold detection corresponds to a TCP flow or UDP packet from which data is to be sent as input to the DPI engine. The number of real-time accesses to the node will be updated as the pointer to the input data moves.
Specifically, the calculation of step four exceeds the level I threshold L 1 Node access proportion p 1 The specific method comprises the following steps:
Figure GDA0003804537670000041
wherein t represents the access times of the nodes, k represents the number of the set threshold nodes, the threshold nodes are set at the low-frequency access nodes, the high-frequency access nodes of the AC automaton are at the first 5 layers and the first 3 layers have the most access under the real flow, in order to prevent the false negative rate, the first 3 layers are used as the high-frequency access nodes, and the two-level thresholds are set at all the nodes of more than or equal to 4 layers.
Specifically, the calculation of step five exceeds a level II threshold L 2 Node access proportion p 2 The specific method comprises the following steps:
Figure GDA0003804537670000042
wherein t represents the access times of the nodes, k represents the number of the set threshold nodes, the threshold nodes are set at the low-frequency access nodes, the high-frequency access nodes of the AC automaton are at the first 5 layers and the first 3 layers have the most access under the real flow, in order to prevent the false negative rate, the first 3 layers are used as the high-frequency access nodes, and the two-level thresholds are set at all the nodes of more than or equal to 4 layers.
The computer device of the present invention may be a device including a processor, a memory, and the like, for example, a single chip microcomputer including a central processing unit and the like. And the processor is used for implementing the steps of the recommendation method capable of modifying the relationship-driven recommendation data based on the CREO software when executing the computer program stored in the memory.
The Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
Computer-readable storage medium embodiments
The computer readable storage medium of the present invention may be any form of storage medium that can be read by a processor of a computer device, including but not limited to non-volatile memory, ferroelectric memory, etc., and the computer readable storage medium has stored thereon a computer program that, when the computer program stored in the memory is read and executed by the processor of the computer device, can implement the above-mentioned steps of the CREO-based software that can modify the modeling method of the relationship-driven modeling data.
The computer program comprises computer program code which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.

Claims (3)

1. A two-stage threshold attack detection method comprises a I-stage threshold and a II-stage threshold, and is characterized by comprising the following steps:
step one, reconstructing a pattern matching algorithm automaton, selecting all nodes with the layer being more than or equal to 4, and increasing the number of times of access t and the level I threshold value L for each selected node 1 And a level II threshold L 2 Then executing the step two;
level I threshold L 1 Taking the maximum value of normal flow passing through each node; the calculation formula is as follows:
L 1i =max{n i }
wherein n represents an access node;
in particular, a class II threshold L 2 The level threshold value is calculated according to the following formula:
L 2i =(1+m)×L 1i ,where 0<m<2
wherein m represents a preset threshold coefficient;
step two, the automaton receives the data T to be matched and compares the level I threshold value L 1 Threshold node ratio p 1 And a level II threshold L 2 Threshold node ratio p 2 Setting the pointer to 0, scanning the current character by the first character of the matching pointer pointing to T, and executing the third step;
thirdly, counting the access times of the nodes; judging whether the number of node accesses exceeds an I-level threshold value L or not 1 If the access times of the current node exceed the I-level threshold value L 1 If so, executing the step four; if the current node access times do not exceed the I-level threshold value L 1 Then, the access times of the current node and a II-level threshold value L are compared 2 Comparing, if the access times of the current node exceed the II-level threshold value L 2 If the access times of the current node do not exceed the II-level threshold value L, executing the step five 2 Scanning the next character of the T pointed by the matching pointer, executing the current step, and adding 1 to the accessed times of the node every time the selected node is accessed until the matching pointer points to the end of the T;
step four, calculating the threshold value L exceeding the level I 1 Node access proportion p 1 (ii) a If the current node access times exceed the node access proportion p 1 Identifying the current node access as an attack; if the current node access times do not exceed the node access proportion p 1 Returning to the third step; the two-stage threshold detection corresponds to a TCP flow or UDP packet from which data is to be sent as input to the DPI engine; when the pointer pointing to the input data moves, the real-time access times to the nodes are updated;
calculating exceeding a level I threshold L 1 Node access proportion p 1 The specific method comprises the following steps:
Figure FDA0003804537660000011
step five, calculating the threshold value L exceeding the II level 2 Node access ratioExample p 2 (ii) a If the current node access times exceed the node access proportion p 2 Identifying the current node access as an attack; if the current node access times do not exceed the node access proportion p 2 Returning to the third step;
calculating exceeding a level II threshold L 2 Node access proportion p 2 The specific method comprises the following steps:
Figure FDA0003804537660000021
wherein t represents the access times of the nodes, k represents the number of the set threshold nodes, the threshold nodes are set at the low-frequency access nodes, the high-frequency access nodes of the AC automaton are at the first 5 layers and the first 3 layers have the most access under the real flow, in order to prevent the false negative rate, the first 3 layers are used as the high-frequency access nodes, and the two-level thresholds are set at all the nodes of more than or equal to 4 layers.
2. A computer comprising a memory storing a computer program and a processor, the processor implementing the steps of a two-stage threshold attack detection method as claimed in claim 1 when executing the computer program.
3. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a two-stage threshold attack detection method according to claim 1.
CN202111060878.0A 2021-09-10 2021-09-10 Two-stage threshold attack detection method, computer and storage medium Active CN113760664B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111060878.0A CN113760664B (en) 2021-09-10 2021-09-10 Two-stage threshold attack detection method, computer and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111060878.0A CN113760664B (en) 2021-09-10 2021-09-10 Two-stage threshold attack detection method, computer and storage medium

Publications (2)

Publication Number Publication Date
CN113760664A CN113760664A (en) 2021-12-07
CN113760664B true CN113760664B (en) 2022-09-27

Family

ID=78794695

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111060878.0A Active CN113760664B (en) 2021-09-10 2021-09-10 Two-stage threshold attack detection method, computer and storage medium

Country Status (1)

Country Link
CN (1) CN113760664B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2009864A1 (en) * 2007-06-28 2008-12-31 Nibelung Security Systems GmbH Method and apparatus for attack prevention
CN102821081A (en) * 2011-06-10 2012-12-12 中国电信股份有限公司 Method and system for monitoring DDOS (distributed denial of service) attacks in small flow
CN107360118A (en) * 2016-05-09 2017-11-17 中国移动通信集团四川有限公司 A kind of advanced constant threat attack guarding method and device

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104022924A (en) * 2014-07-02 2014-09-03 浪潮电子信息产业股份有限公司 Method for detecting HTTP (hyper text transfer protocol) communication content
CN105991511A (en) * 2015-01-27 2016-10-05 阿里巴巴集团控股有限公司 Method and device for detecting CC attack
WO2018095192A1 (en) * 2016-11-23 2018-05-31 腾讯科技(深圳)有限公司 Method and system for website attack detection and prevention
TWI617939B (en) * 2016-12-01 2018-03-11 財團法人資訊工業策進會 Attacking node detection apparatus, method, and computer program product thereof
CN106790292A (en) * 2017-03-13 2017-05-31 摩贝(上海)生物科技有限公司 The web application layer attacks detection and defence method of Behavior-based control characteristic matching and analysis
CN112989327A (en) * 2019-12-18 2021-06-18 拓尔思天行网安信息技术有限责任公司 Detection method, device, equipment and storage medium for stealing website data
CN112019533A (en) * 2020-08-20 2020-12-01 紫光云(南京)数字技术有限公司 Method and system for relieving DDoS attack on CDN system
CN112953938B (en) * 2021-02-20 2023-04-28 百度在线网络技术(北京)有限公司 Network attack defense method, device, electronic equipment and readable storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2009864A1 (en) * 2007-06-28 2008-12-31 Nibelung Security Systems GmbH Method and apparatus for attack prevention
CN102821081A (en) * 2011-06-10 2012-12-12 中国电信股份有限公司 Method and system for monitoring DDOS (distributed denial of service) attacks in small flow
CN107360118A (en) * 2016-05-09 2017-11-17 中国移动通信集团四川有限公司 A kind of advanced constant threat attack guarding method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
一种DHT安全性优化策略;史建焘等;《智能计算机与应用》;20121201;全文 *

Also Published As

Publication number Publication date
CN113760664A (en) 2021-12-07

Similar Documents

Publication Publication Date Title
US11856021B2 (en) Detecting and mitigating poison attacks using data provenance
US10574681B2 (en) Detection of known and unknown malicious domains
US10423786B2 (en) System and method for statistical analysis of comparative entropy
US8522349B2 (en) Detecting and defending against man-in-the-middle attacks
CN108337219B (en) Method for preventing Internet of things from being invaded and storage medium
CN109600362B (en) Zombie host recognition method, device and medium based on recognition model
CN111552971B (en) Malicious software family classification evasion method based on deep reinforcement learning
CN110830490B (en) Malicious domain name detection method and system based on area confrontation training deep network
WO2021017318A1 (en) Cross-site scripting attack protection method and apparatus, device and storage medium
CN113992444A (en) Network attack traceability and anti-system based on host computer defense
WO2020248687A1 (en) Method and apparatus for preventing malicious attack
CN113760664B (en) Two-stage threshold attack detection method, computer and storage medium
CN115001866B (en) Safety protection method based on immune mechanism, electronic equipment and storage medium
CN112738107A (en) Network security evaluation method, device, equipment and storage medium
CN112351002A (en) Message detection method, device and equipment
CN116527317A (en) Access control method, system and electronic equipment
CN109660499B (en) Attack interception method and device, computing equipment and storage medium
CN115174160B (en) Malicious encryption traffic classification method and device based on stream level and host level
CN116915450A (en) Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction
CN114726634B (en) Knowledge graph-based hacking scene construction method and device
CN113779567B (en) DPI cache loss attack oriented defense method, computer and storage medium
CN114928452A (en) Access request verification method, device, storage medium and server
TW202311994A (en) System and method of malicious domain query behavior detection
CN113596044A (en) Network protection method and device, electronic equipment and storage medium
US10819683B2 (en) Inspection context caching for deep packet inspection

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant