CN113890746B - Attack traffic identification method, device, equipment and storage medium - Google Patents


Info

Publication number: CN113890746B
Authority: CN (China)
Prior art keywords: flow, identified, traffic, processor, attack
Legal status: Active
Application number: CN202110938516.0A
Other languages: Chinese (zh)
Other versions: CN113890746A
Inventors: 闫菲菲, 王广江, 胡玉庆
Current assignee: Dawning Information Industry Beijing Co Ltd
Original assignee: Dawning Information Industry Beijing Co Ltd

Application filed by Dawning Information Industry Beijing Co Ltd
Priority to CN202110938516.0A
Publication of CN113890746A
Application granted
Publication of CN113890746B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an attack traffic identification method, device, equipment and storage medium. The method comprises the following steps: a first processor performs traffic learning on received service traffic and identifies the received service traffic according to a preset traffic identification model; if the first processor identifies abnormal traffic, it sends a traffic identification threshold to a second processor and pulls the traffic to be identified to the second processor, where the traffic identification threshold is obtained by the first processor performing traffic learning on the abnormal traffic together with the service traffic received in a preset time period before the abnormal traffic was received, and the traffic to be identified comprises the abnormal traffic or service traffic whose source address is the same as that of the abnormal traffic; and the second processor performs attack traffic identification, according to the traffic identification threshold, on at least one traffic to be identified received within the detection time. The accuracy of attack traffic identification can thereby be improved.

Description

Attack traffic identification method, device, equipment and storage medium
Technical Field
The present application relates to the field of computer networks, and in particular, to a method, an apparatus, a device, and a storage medium for identifying attack traffic.
Background
With the development of computer network technology, security problems based on network connections have become increasingly prominent. Distributed denial of service (DDoS) attacks are among the network security threats that are easy to launch, difficult to defend against and extremely damaging. Specifically, in a DDoS attack multiple attackers at different locations send attack traffic (i.e. bogus data request messages) to at least one target server at the same time, or one attacker controls multiple machines at different locations and uses them to attack the target server simultaneously, so that the target server is congested and cannot provide normal network services. Because the attack points are distributed across different places, such attacks are called distributed denial of service attacks. Defending against DDoS generally requires timely and accurate identification of attack traffic and interception or discarding of the identified traffic, so attack traffic identification is critical to DDoS defense.
In the prior art, attack flow identification is performed by a Central Processing Unit (CPU) or a network processor according to a preset threshold, wherein the threshold is set according to manual experience.
Because the threshold is set according to manual experience, this method identifies attack traffic with low accuracy and the DDoS defense effect suffers: if the threshold is set too low, more normal traffic is identified as attack traffic and intercepted, which affects the interception rate; if it is set too high, attack traffic is not intercepted and the probability that the target server is attacked is high.
Disclosure of Invention
The application provides an attack flow identification method, an attack flow identification device, attack flow identification equipment and a storage medium, and aims to solve the problem of low accuracy of identifying abnormal flows.
In a first aspect, the present application provides an attack traffic recognition method, which is applied to an attack traffic recognition device, where the attack traffic recognition device includes a first processor and a second processor, and the method includes:
the first processor performs flow learning on the received service flow and identifies the received service flow according to a preset flow identification model;
If the first processor identifies abnormal traffic, sending a traffic identification threshold to the second processor, and pulling traffic to be identified to the second processor, wherein the traffic identification threshold is obtained by the first processor performing traffic learning on the abnormal traffic and traffic received in a preset time period before the abnormal traffic is received, and the traffic to be identified comprises the abnormal traffic or traffic with a source address identical to a source address of the abnormal traffic;
And the second processor performs attack flow identification on at least one flow to be identified received in the detection time according to the flow identification threshold.
Optionally, the attack traffic recognition is performed on at least one traffic to be recognized received in the detection time by the second processor according to the traffic recognition threshold, including:
the second processor counts at least one flow to be identified received in the detection time to obtain statistical information of each flow to be identified;
And the second processor identifies whether each flow to be identified is attack flow or not according to the statistical information of each flow to be identified and the flow identification threshold value.
Another embodiment of the above application has the following advantages or benefits: and counting at least one flow to be identified received in the detection time by the second processor to obtain the statistical information of each flow to be identified, and identifying whether each flow to be identified is attack flow or not according to the statistical information of each flow to be identified and the flow identification threshold value. Thus, the traffic to be identified received in the detection time can be identified.
Optionally, the second processor counts at least one flow to be identified received in the detection time to obtain statistical information of each flow to be identified, including:
The second processor establishes a flow table for at least one flow to be identified received in the detection time, wherein the flow table comprises five-tuple information of each flow to be identified, the type of each flow to be identified and the flow table establishment time;
The second processor counts each flow to be identified in the flow table to obtain statistical information of each flow to be identified, wherein the statistical information comprises a statistical value of each message in at least one message forming each flow to be identified;
And storing the statistical information of each flow to be identified in a cache.
Another embodiment of the above application has the following advantages or benefits: the flow table is built for at least one flow to be identified received in the detection time, and each flow in the flow table is then counted, so that the statistical information of each flow to be identified is obtained.
Optionally, the second processor identifies whether each flow to be identified is an attack flow according to the statistical information of each flow to be identified and the flow identification threshold, including:
The second processor sequentially reads the statistical information of each flow to be identified stored in the cache, and compares the statistical information of each flow to be identified with the flow identification threshold value, wherein the flow identification threshold value comprises at least one attack type threshold value;
if the statistical value of one or more messages in at least one message forming the flow to be identified is greater than or equal to the threshold value of the corresponding attack type, determining that the flow to be identified is attack flow;
And if the statistical values of all messages in at least one message forming the flow to be identified are smaller than the threshold value of the corresponding attack type, determining that the flow to be identified is normal flow.
Another embodiment of the above application has the following advantages or benefits: the statistical information of each flow to be identified is compared with the flow identification threshold; if the statistical value of one or more messages among the messages forming the flow to be identified is greater than or equal to the threshold of the corresponding attack type, the flow is determined to be attack flow, otherwise it is determined to be normal flow, thereby realizing the identification of attack flow.
Optionally, the buffer memory includes a first buffer memory area and a second buffer memory area, and the second processor stores statistical information of each flow to be identified in the buffer memory, including:
the second processor searches a first target cache region with a current state being a writable state from the first cache region and the second cache region;
The second processor stores the statistical information of each flow to be identified received in the detection time in the first target cache region;
The second processor sets a flag bit of the first target cache region as a first flag bit, and the first flag bit is used for indicating that the state of the first target cache region is a readable state.
Another embodiment of the above application has the following advantages or benefits: the first detection time is counted using the first cache region and the second detection time using the second cache region, and the counting space in use is switched after each detection time ends, so that no time-dependent judgment of each flow to be identified is needed, and a cache region is cleared once its processing is finished. In this way cache space is saved, calculation time and resource overhead are reduced, and system performance is improved.
Optionally, the second processor sequentially reads the statistical information of each flow to be identified stored in the cache, including:
The second processor sequentially reads the statistical information of each flow to be identified stored in the second target cache region whose current state is the readable state, and after reading is finished sets the flag bit of the second target cache region to a second flag bit, where the second flag bit is used for indicating that the state of the second target cache region is the writable state.
Another embodiment of the above application has the following advantages or benefits: when each flow to be identified is identified, the time-dependent judgment of each flow to be identified is not needed, so that the buffer memory space can be saved, the calculation time and the resource cost are saved, and the performance of the system is improved.
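An added example (not code from the patent or its assignee) of the two-region statistics cache with writable/readable flag bits described above: the counting side fills one region per detection time and flips it readable, the identification side reads it and flips it back to writable, and the regions alternate so that no per-flow timestamp check is needed. The region names, flag encoding, and the back-pressure behaviour when both regions are unread are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WRITABLE = 0  # "second flag bit": region may receive the next detection time's counts
READABLE = 1  # "first flag bit": region holds one complete detection time, ready to read

Stats = Dict[tuple, Dict[str, int]]  # five-tuple -> per-message-type counts


@dataclass
class CacheRegion:
    name: str
    flag: int = WRITABLE
    stats: Stats = field(default_factory=dict)


class DoubleBufferedStats:
    """Two cache regions. The counting side fills the writable region for one
    detection time and flips it to readable; the identification side reads the
    readable region and flips it back to writable, emptying it. Detection
    times alternate regions, so neither side checks a per-flow timestamp."""

    def __init__(self) -> None:
        self.regions = (CacheRegion("first"), CacheRegion("second"))
        self._next = 0  # index tried first for the next detection time

    def _find(self, flag: int) -> Optional[CacheRegion]:
        # Starting at _next finds the writable region for the next period and,
        # for the reader, the older of two readable regions.
        for i in range(2):
            region = self.regions[(self._next + i) % 2]
            if region.flag == flag:
                return region
        return None

    def store_period(self, period_stats: Stats) -> str:
        """Counting side, called when a detection time ends."""
        target = self._find(WRITABLE)
        if target is None:
            # Both regions unread. Assumed back-pressure; the page does not say
            # what happens when the identification side falls behind.
            raise RuntimeError("no writable cache region")
        target.stats = {ft: dict(s) for ft, s in period_stats.items()}
        target.flag = READABLE
        self._next = (self.regions.index(target) + 1) % 2
        return target.name

    def read_period(self) -> Tuple[Optional[str], Stats]:
        """Identification side: read the readable region, then release it as
        writable (which clears it) in the same step."""
        target = self._find(READABLE)
        if target is None:
            return None, {}
        stats, target.stats = target.stats, {}
        target.flag = WRITABLE
        return target.name, stats


FLOW = ("198.51.100.7", "10.0.0.2", 4444, 80, "tcp")  # constructed five-tuple


def simulate() -> List[Tuple[int, str, str, int]]:
    """Three detection times with the identifier keeping up: the regions used
    alternate first, second, first, and each read returns that period's count."""
    cache = DoubleBufferedStats()
    log = []
    for period, syn_count in enumerate((5, 30, 7), start=1):
        wrote = cache.store_period({FLOW: {"syn": syn_count}})
        read, stats = cache.read_period()
        log.append((period, wrote, read, stats[FLOW]["syn"]))
    return log


def overflow_detected() -> bool:
    """Identifier never runs: the third store finds no writable region."""
    cache = DoubleBufferedStats()
    cache.store_period({FLOW: {"syn": 1}})
    cache.store_period({FLOW: {"syn": 2}})
    try:
        cache.store_period({FLOW: {"syn": 3}})
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for period, wrote, read, syn in simulate():
        print(f"period {period}: wrote {wrote}, read {read}, syn={syn}")
    print("overflow detected:", overflow_detected())
```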
Optionally, the second processor counts at least one flow to be identified received in the detection time, including:
The second processor acquires a blacklist and a whitelist;
The second processor discards, from the at least one flow to be identified received in the detection time, the flows to be identified that hit the blacklist, and transparently transmits the flows to be identified that hit the whitelist, where a flow to be identified hits the blacklist if its five-tuple information is the same as any five-tuple information in the blacklist, and hits the whitelist if its five-tuple information is the same as any five-tuple information in the whitelist;
And the second processor counts the traffic to be identified, which is not hit in the blacklist and the whitelist, in at least one traffic to be identified received in the detection time.
Another embodiment of the above application has the following advantages or benefits: the blacklist and whitelist are obtained before at least one flow to be identified is received in the detection time, flows hitting the blacklist are discarded, flows hitting the whitelist are transparently transmitted, and subsequent statistics are carried out only on flows hitting neither list. The number of flows that must be counted is thereby reduced, the efficiency of attack flow identification is further improved, and high-throughput, low-latency attack flow identification is facilitated.
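As an added example, not code from the patent or its assignee, the following Python models the second processor's pipeline described in the flow-table, threshold-comparison and black/white-list passages above: prefiltering by five-tuple against the two lists, building the five-tuple flow table with per-message-type counts, and comparing each flow's counts with per-attack-type thresholds. The packet record, the message-type mapping, and all addresses and threshold values are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: five-tuple plus the fields counted on."""
    sip: str
    dip: str
    sport: int
    dport: int
    proto: str           # "tcp" or "udp"
    tcp_flags: str = ""  # e.g. "S", "SA", "A", "FA", "R"; empty for UDP

FiveTuple = Tuple[str, str, int, int, str]

def five_tuple(p: Packet) -> FiveTuple:
    return (p.sip, p.dip, p.sport, p.dport, p.proto)

def message_type(p: Packet) -> str:
    """Assumed mapping from a packet to the message class counted for the
    attack types the page lists (SYN, SYN+ACK, ACK, FIN/RST, UDP flood)."""
    if p.proto == "udp":
        return "udp"
    if p.tcp_flags == "S":
        return "syn"
    if p.tcp_flags == "SA":
        return "syn_ack"
    if "F" in p.tcp_flags or "R" in p.tcp_flags:
        return "fin_rst"
    if "A" in p.tcp_flags:
        return "ack"
    return "other"

@dataclass
class FlowEntry:
    flow_type: str     # type of the flow (its protocol here)
    created_at: float  # flow table establishment time
    stats: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

def prefilter(packets: Iterable[Packet], blacklist: FrozenSet[FiveTuple],
              whitelist: FrozenSet[FiveTuple]):
    """Blacklist hit: discard. Whitelist hit: forward transparently.
    Only the rest is counted. Returns (dropped, forwarded, to_count)."""
    dropped: List[Packet] = []
    forwarded: List[Packet] = []
    to_count: List[Packet] = []
    for p in packets:
        ft = five_tuple(p)
        if ft in blacklist:
            dropped.append(p)
        elif ft in whitelist:
            forwarded.append(p)
        else:
            to_count.append(p)
    return dropped, forwarded, to_count

def build_flow_table(packets: Iterable[Packet], now: float) -> Dict[FiveTuple, FlowEntry]:
    """One entry per five-tuple; each packet increments the counter of its
    message type, giving the flow's statistical information."""
    table: Dict[FiveTuple, FlowEntry] = {}
    for p in packets:
        entry = table.setdefault(five_tuple(p), FlowEntry(p.proto, now))
        entry.stats[message_type(p)] += 1
    return table

def classify(table: Dict[FiveTuple, FlowEntry],
             thresholds: Dict[str, int]) -> Dict[FiveTuple, Tuple[str, List[str]]]:
    """Attack if any counted message type reaches the threshold of its attack
    type; normal only if every counted type stays below its threshold."""
    verdicts: Dict[FiveTuple, Tuple[str, List[str]]] = {}
    for ft, entry in table.items():
        hit = sorted(t for t, n in entry.stats.items()
                     if t in thresholds and n >= thresholds[t])
        verdicts[ft] = ("attack", hit) if hit else ("normal", [])
    return verdicts

# Constructed stand-ins for the thresholds the first processor learned.
THRESHOLDS = {"syn": 20, "ack": 40, "udp": 30}

def _burst(sip: str, sport: int, flags: str, n: int) -> List[Packet]:
    return [Packet(sip, "10.0.0.2", sport, 80, "tcp", flags) for _ in range(n)]

# Constructed detection-period sample: a SYN burst, a normal handshake, a flow
# already blacklisted and a flow already whitelisted.
SAMPLE = (_burst("198.51.100.7", 4444, "S", 25)
          + _burst("192.0.2.10", 50001, "S", 1) + _burst("192.0.2.10", 50001, "A", 3)
          + _burst("203.0.113.9", 5555, "S", 100)
          + _burst("192.0.2.20", 50002, "A", 500))
BLACKLIST = frozenset({("203.0.113.9", "10.0.0.2", 5555, 80, "tcp")})
WHITELIST = frozenset({("192.0.2.20", "10.0.0.2", 50002, 80, "tcp")})

def run_detection(packets=SAMPLE, thresholds=THRESHOLDS, blacklist=BLACKLIST,
                  whitelist=WHITELIST, now=0.0):
    """Second-processor pass over one detection time."""
    dropped, forwarded, to_count = prefilter(packets, blacklist, whitelist)
    verdicts = classify(build_flow_table(to_count, now), thresholds)
    return verdicts, len(dropped), len(forwarded)

if __name__ == "__main__":
    verdicts, dropped, forwarded = run_detection()
    for ft, (label, hit) in verdicts.items():
        print(ft, label, hit)
    print("dropped by blacklist:", dropped, "forwarded by whitelist:", forwarded)
```

Because the flow table is keyed on the full five-tuple, a source that varies its port per packet spreads over many entries; the per-source-address learning of the first processor (S102) is what catches that case.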
Optionally, the second processor acquires a blacklist and a whitelist, including:
the second processor sends the identified attack traffic to the first processor;
The first processor performs false source detection on the received attack traffic, if the detection is passed, five-tuple information of the attack traffic is added into the white list, and if the detection is not passed, five-tuple information of the attack traffic is added into the black list;
the second processor receives the blacklist and the whitelist sent by the first processor.
Another embodiment of the above application has the following advantages or benefits: and the second processor sends the identified attack flow to the first processor, the first processor detects false sources of the received attack flow, a black-and-white list is obtained according to the detection result, and the accuracy of obtaining the black-and-white list is ensured.
In a second aspect, the present application provides an attack traffic recognition device, including: a first processor and a second processor;
The first processor is configured to:
The method comprises the steps of performing flow learning on received service flow, and identifying the received service flow according to a preset flow identification model;
If abnormal traffic is identified, send a traffic identification threshold to the second processor and pull the traffic to be identified to the second processor, where the traffic identification threshold is obtained by the first processor performing traffic learning on the abnormal traffic and the traffic received in a preset time period before the abnormal traffic was received, and the traffic to be identified comprises the abnormal traffic or traffic with the same source address as the abnormal traffic;
The second processor is configured to:
And carrying out attack flow identification on at least one flow to be identified received in the detection time according to the flow identification threshold.
In a third aspect, the present application provides an attack traffic recognition device, including: a processor; and
A memory for storing executable instructions of the processor;
Wherein the processor is configured to perform the attack traffic identification method according to the first aspect or any of the possible implementations of the first aspect via execution of the executable instructions.
In a fourth aspect, an embodiment of the present application provides a computer readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the attack traffic identification method according to the first aspect or any of the possible implementation manners of the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer program product, which includes a computer program, where the computer program when executed by a processor implements the attack traffic recognition method according to the first aspect or any of the possible implementation manners of the first aspect.
According to the attack traffic identification method, device, equipment and storage medium of the present application, the first processor performs traffic learning on the received service traffic and identifies it according to the preset traffic identification model. If the first processor identifies abnormal traffic, it sends the traffic identification threshold to the second processor and pulls the traffic to be identified (including the abnormal traffic and the service traffic whose source address is the same as that of the abnormal traffic) to the second processor, and the second processor performs attack traffic identification on at least one traffic to be identified received in the detection time according to that threshold. Because the traffic identification threshold is obtained by traffic learning on the abnormal traffic and the service traffic received in the preset time period before it, that is, it is learned by the first processor from historical service traffic, the accuracy of attack traffic identification is higher than with a threshold set according to manual experience. Moreover, by combining the first processor and the second processor, the efficiency of attack traffic identification can be improved, and high-throughput, low-latency attack traffic identification can be realized.
Drawings
Fig. 1 is a schematic diagram of an application scenario of an attack traffic recognition method according to an embodiment of the present application;
fig. 2 is a flowchart of an attack traffic recognition method according to an embodiment of the present application;
fig. 3 is a flowchart of an embodiment of an attack traffic identification method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a processing procedure of a second processor in an attack traffic recognition method according to an embodiment of the present application;
Fig. 5 is a flowchart of an embodiment of an attack traffic identification method according to an embodiment of the present application;
Fig. 6 is a schematic diagram of a processing flow of a message in an attack traffic recognition method according to an embodiment of the present application;
Fig. 7 is a flowchart of an attack traffic recognition method according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an attack traffic recognition device according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of an attack traffic recognition device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings. The embodiments described below by referring to the drawings are illustrative and intended to explain the present application and should not be construed as limiting the application.
The terms first and second and the like in the description, the claims and the drawings of embodiments of the application are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the application described herein may be implemented, for example, in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In the related art, the threshold for identifying attack traffic is set according to manual experience, so the accuracy of attack traffic identification is low and the DDoS defense effect suffers. To solve this problem, the embodiments of the present application provide an attack traffic identification method, device, equipment and storage medium that use two processors: the first processor performs traffic learning on the received service traffic and identifies it according to a preset traffic identification model; if it identifies abnormal traffic, it sends a traffic identification threshold to the second processor and pulls the traffic to be identified (including the abnormal traffic and service traffic with the same source address as the abnormal traffic) to the second processor; and the second processor performs attack traffic identification on at least one traffic to be identified received in the detection time according to that threshold.
First, an application scenario according to an embodiment of the present application is described as an example.
The attack flow identification method provided by the embodiment of the application can be at least applied to the following application scenarios, and is explained below with reference to the accompanying drawings.
For example, fig. 1 is a schematic diagram of an application scenario of the attack traffic identification method provided by an embodiment of the present application. As shown in fig. 1, the scenario includes a network device A1, a network device A2 and an attack traffic identification device 3, where A1 may be a router and A2 may be a server. The attack traffic identification device 3 may be deployed between A1 and A2, connected to them directly or through a network, and receives traffic from A1. When the attack traffic identification method of the embodiment identifies no attack traffic, the traffic is transparently transmitted (i.e. forwarded directly from A1 to A2), with the IP address of A1 as the source address and the address of A2 as the destination address. When attack traffic is identified, for example when A2 is subjected to a DDoS attack, the attack traffic identification device 3 intercepts the attack traffic, for example by discarding it.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is a flowchart of an attack traffic recognition method provided by an embodiment of the present application, where the attack traffic recognition method may be performed by an attack traffic recognition device, and the attack traffic recognition device includes a first processor and a second processor, and as shown in fig. 2, the method of the embodiment may include:
S101, the first processor performs flow learning on the received service flow, and identifies the received service flow according to a preset flow identification model.
Specifically, the attack traffic identification device of this embodiment may also be referred to as a DDoS attack identification and cleaning device. The first processor may receive packets from a router, which may send traffic to the first processor by traffic splitting or mirroring. After receiving the service traffic, the first processor identifies it according to a preset traffic identification model; optionally, the preset traffic identification model may be an entropy-based machine learning model, through which real-time DDoS attack detection is performed on the received service traffic. If no abnormal traffic is identified in the current preset time period, the first processor learns from the service traffic of the current period, obtains a traffic identification threshold and sends it to the second processor for use in the next period. If abnormal traffic is identified, S102 is performed.
S102, if the first processor identifies the abnormal flow, sending a flow identification threshold to the second processor, and pulling the flow to be identified to the second processor, wherein the flow identification threshold is obtained by the first processor performing flow learning on the abnormal flow and the traffic flow received in a preset time period before the abnormal flow is received, and the flow to be identified comprises the abnormal flow or the traffic flow with the source address identical to the source address of the abnormal flow.
Specifically, if the first processor identifies abnormal traffic, it sends to the second processor the traffic identification threshold obtained by traffic learning on the abnormal traffic and the traffic received in a preset time period before it. Optionally, the preset time period may be left unset, in which case the threshold is obtained by traffic learning on the abnormal traffic and all traffic received before it. In other words, the traffic identification threshold is learned by the first processor from historical traffic. If the first processor identifies normal traffic, it transparently transmits that traffic.
As one implementation, when the first processor performs traffic learning on the abnormal traffic and the traffic received in the preset time period before it, it may count different elements of the packets forming the traffic according to attack type, where an element may be the source address (SIP) or the value of the TCP flags field; when the counted element is the source address, the average number of packets from the same source address within the preset time period may be taken as the traffic identification threshold.
Optionally, different attack types count different elements of the packets. In the embodiment of the application, one flow comprises a plurality of packets, all of which are IP packets, and different packets carry different information; counting that information therefore yields different statistical values, and the statistical values correspond to different attack types.
The attack types can include TCP flooding (Flood) attack and UDP Flood attack, and the TCP flooding attack is divided into SYN Flood attack, SYN+ACK Flood attack, ACK Flood attack, FIN/RST Flood attack, TCP newly-built connection Flood attack, TCP PPS Flood attack and the like.
Specifically, when the first processor identifies abnormal traffic, it pulls the abnormal traffic, or traffic with the same source address as the abnormal traffic, to the second processor, which processes it, specifically by attack traffic identification, cleaning and the like. That is, the first processor does not process the abnormal traffic itself but diverts it to the second processor, while transparently transmitting normal traffic, meaning the traffic is forwarded from its source address to its destination address. After pulling the traffic to be identified to the second processor, the first processor can continue to learn from and identify subsequently received traffic. This division of work between the first and second processors improves the efficiency of attack traffic identification and makes high-throughput, low-latency identification possible. In addition, the traffic identification threshold by which the second processor identifies attack traffic within the abnormal traffic is obtained by the first processor from historical service traffic, and is more accurate than a threshold set according to manual experience, so the accuracy of attack traffic identification is higher.
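An added example, not the patent's own code, of the first processor's traffic learning in S101 and S102: per-attack-type thresholds computed as the average packet count per source address over a window, covering both the quiet-period case (learn on the current period, hand the threshold to the second processor for the next one) and the case where abnormal traffic was just identified (learn on it plus the preset period before it, or all history if no period is set). The packet record, the element mapping and the sample history are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet record as seen by the first processor."""
    ts: float            # receive time, seconds
    sip: str             # source address (SIP)
    proto: str           # "tcp" or "udp"
    tcp_flags: str = ""  # TCP flags field value, e.g. "S", "SA", "A"


def _src_if(pred: Callable[[Packet], bool]) -> Callable[[Packet], Optional[str]]:
    """Element extractor: the source address of packets matching pred."""
    return lambda p: p.sip if pred(p) else None


# Element counted per attack type (assumed selection following the page's
# SIP / TCP-flags examples): the SIP of packets of that type.
ATTACK_ELEMENT: Dict[str, Callable[[Packet], Optional[str]]] = {
    "syn":     _src_if(lambda p: p.proto == "tcp" and p.tcp_flags == "S"),
    "syn_ack": _src_if(lambda p: p.proto == "tcp" and p.tcp_flags == "SA"),
    "ack":     _src_if(lambda p: p.proto == "tcp" and p.tcp_flags == "A"),
    "fin_rst": _src_if(lambda p: p.proto == "tcp" and p.tcp_flags in ("F", "R", "FA", "RA")),
    "udp":     _src_if(lambda p: p.proto == "udp"),
}


def learn_thresholds(packets: List[Packet], t_start: Optional[float],
                     t_end: float) -> Dict[str, float]:
    """Traffic learning over packets with t_start <= ts <= t_end (t_start None
    means all history, the page's case of no preset period). The threshold of
    each attack type is the average number of packets of that type per source
    address in the window; types with no packets get no threshold."""
    window = [p for p in packets
              if p.ts <= t_end and (t_start is None or p.ts >= t_start)]
    thresholds: Dict[str, float] = {}
    for atype, element in ATTACK_ELEMENT.items():
        per_source = Counter(e for e in map(element, window) if e is not None)
        if per_source:
            thresholds[atype] = sum(per_source.values()) / len(per_source)
    return thresholds


def threshold_on_abnormal(history: List[Packet], t_abnormal: float,
                          preset_period: Optional[float]) -> Dict[str, float]:
    """S102: abnormal traffic identified at t_abnormal; learn on it plus the
    traffic of the preset period before it."""
    start = None if preset_period is None else t_abnormal - preset_period
    return learn_thresholds(history, start, t_abnormal)


def threshold_for_next_period(history: List[Packet], period_start: float,
                              period_end: float) -> Dict[str, float]:
    """S101, no abnormal traffic: learn on the current period's traffic and
    hand the result to the second processor for the next period."""
    return learn_thresholds(history, period_start, period_end)


def _syn(ts: float, sip: str, n: int) -> List[Packet]:
    return [Packet(ts, sip, "tcp", "S") for _ in range(n)]


# Constructed history: background handshakes during 0..50 s, then at t=60 a
# single source bursts 40 SYNs, which the preset model has flagged as abnormal.
HISTORY = (_syn(10, "192.0.2.1", 2) + _syn(20, "192.0.2.2", 4) + _syn(30, "192.0.2.3", 3)
           + [Packet(31, "192.0.2.3", "tcp", "A")] * 5
           + [Packet(40, "192.0.2.4", "udp")] * 6
           + _syn(60, "198.51.100.7", 40))


def demo():
    quiet = threshold_for_next_period(HISTORY, 0, 50)
    under_attack = threshold_on_abnormal(HISTORY, 60, 30)
    return quiet, under_attack


if __name__ == "__main__":
    quiet, under_attack = demo()
    print("quiet-period thresholds:", quiet)
    print("thresholds learned on abnormal traffic + 30 s before:", under_attack)
```

In the window that contains the burst, the learned SYN threshold (21.5 packets per source) lands between the background sources (at most 4) and the bursting one (40), which is the separation the second processor's comparison relies on; a window that mixes several attacking sources with the background will move that average, so the preset period length matters.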
S103, the second processor identifies attack traffic of at least one traffic to be identified received in the detection time according to the traffic identification threshold.
Specifically, in one implementation, the second processor performs attack traffic identification on at least one traffic to be identified received in the detection time according to the traffic identification threshold by identifying each traffic to be identified separately: if a traffic to be identified is identified as attack traffic, it is intercepted or discarded; if it is identified as normal traffic, it is transparently transmitted.
According to the attack traffic identification method provided by this embodiment, the first processor performs traffic learning on the received service traffic and identifies it according to the preset traffic identification model. If the first processor identifies abnormal traffic, it sends the traffic identification threshold to the second processor and pulls the traffic to be identified (including the abnormal traffic and service traffic with the same source address as the abnormal traffic) to the second processor, and the second processor performs attack traffic identification on at least one traffic to be identified received in the detection time according to the traffic identification threshold. Because the traffic identification threshold is obtained by traffic learning on the abnormal traffic and on the service traffic received in the preset time period before the abnormal traffic was received, that is, the first processor learns from historical service traffic, attack traffic is identified more accurately than with a traffic identification threshold set according to manual experience. Moreover, by combining the first processor and the second processor, the efficiency of identifying attack traffic can be improved, and high-traffic, low-delay attack traffic identification can be realized.
Fig. 3 is a flowchart of an embodiment of an attack traffic identification method according to an embodiment of the present application, as shown in fig. 3, where the method according to the embodiment is based on the method shown in fig. 2, and optionally, S103 may be implemented by:
S1031, the second processor counts at least one flow to be identified received in the detection time to obtain statistical information of each flow to be identified.
Specifically, attack detection determines whether a protected domain (DIP, such as a target server) is under attack within a period of time, so attack detection needs to be completed within that period; this period is the detection time, which can be preset, and at least one traffic to be identified is received within it. The second processor counts each traffic to be identified after receiving it.
Specifically, in one implementation, S1031 may include:
S10311, the second processor establishes a flow table for at least one flow to be identified received in the detection time, wherein the flow table comprises five-tuple information of each flow to be identified, the type of each flow to be identified and the flow table establishment time.
Specifically, the five-tuple information may include a source address (SIP), a destination address (DIP), a source port, a destination port, and a protocol type. Wherein DIP is also referred to as the protected domain.
When a flow table entry is established for each traffic to be identified, the flow table comprises the five-tuple information of each traffic to be identified, the type of each traffic to be identified and the flow table establishment time. The types may include new, concurrent and aged: a traffic to be identified that has just been entered into the flow table is new; concurrent refers to a traffic to be identified that is already established in the flow table but has not yet aged; and aging refers to the valid period of the traffic to be identified. By creating a flow table, a hash value computed over the five-tuple can be used for addressing, and the second processor can identify the traffic to be identified of the new and concurrent types. Optionally, the flow table in this embodiment may use a packet-triggered aging manner, that is, the flow table is updated when another message with the same five-tuple information arrives, and if the aging time of that traffic to be identified has been reached by then, the traffic to be identified is aged. This aging approach does not require additional flow table maintenance logic and therefore saves resources.
S10312, the second processor counts each flow to be identified in the flow table to obtain statistical information of each flow to be identified, wherein the statistical information comprises a statistical value of each message in at least one message forming each flow to be identified.
Specifically, a flow to be identified includes at least one message, i.e., is composed of at least one message, and the statistical information of the flow to be identified includes a statistical value of each message in the at least one message composing the flow to be identified.
Optionally, since the flow table includes the establishment time, whether a traffic to be identified has aged can be determined from the preset aging time and the establishment time; aged traffic is not identified, and only the new and concurrent traffic to be identified is identified.
S10313, the second processor stores the statistical information of each flow to be identified in the buffer memory.
S1032, the second processor identifies whether each flow to be identified is attack flow or not according to the statistical information of each flow to be identified and the flow identification threshold value.
Accordingly, S1032 may specifically include:
S10321, the second processor sequentially reads the statistical information of each flow to be identified stored in the cache, and compares the statistical information of each flow to be identified with a flow identification threshold, wherein the flow identification threshold comprises at least one attack type threshold.
Specifically, a traffic to be identified includes at least one message, all of which are IP packets; different messages carry different information, so counting the information carried in the messages yields different statistical values, and these statistical values correspond to different attack types. The traffic identification threshold comprises at least one attack type threshold, and when the statistical information of the traffic to be identified is compared with the traffic identification threshold, each statistical value is compared in turn with the threshold of its attack type.
S10322, if the statistical value of one or more messages in at least one message forming the traffic to be identified is greater than or equal to the threshold value of the corresponding attack type, determining that the traffic to be identified is attack traffic; if the statistical value of all messages in at least one message forming the flow to be identified is smaller than the threshold value of the corresponding attack type, determining that the flow to be identified is normal flow.
That is, one message may be greater than or equal to the threshold of its attack type, or several messages may be, i.e. one attack type may be hit or several attack types may be hit; whether one or several are hit, the traffic to be identified is determined to be attack traffic.
Specifically, once the flow table is established, the traffic to be identified can be counted (i.e. identified and processed). Because identifying attack traffic means detecting that a DIP is under attack within a period of time, all statistics items must be counted within that period (regardless of whether attack traffic has already been identified and processed); after the period has elapsed, the statistics are cleared and counting starts again.
In this embodiment, the second processor counts at least one flow to be identified received in the detection time to obtain statistical information of each flow to be identified, and identifies whether each flow to be identified is an attack flow according to the statistical information of each flow to be identified and the flow identification threshold. Thus, the traffic to be identified received in the detection time can be identified.
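The flow table, per-flow message statistics and threshold comparison of steps S10311 to S10322, as an added example in Python; this is not the patent's code or an implementation by the applicant. The statistic names (syn, syn_ack, ack, fin_rst, new_conn, pps, udp), the aging time, the threshold values and the sample packets are all constructed for illustration, and a dictionary key stands in for the five-tuple hash addressing described above:

```python
"""Added example (not the patent's code): a five-tuple flow table with
packet-triggered aging, per-flow message statistics and a comparison against
per-attack-type thresholds, following steps S10311 to S10322.
Statistic names, thresholds and sample packets are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # (SIP, DIP, sport, dport, protocol)


@dataclass
class FlowEntry:
    five_tuple: FiveTuple
    kind: str           # "new" on the first packet, "concurrent" afterwards, "aged" once expired
    created_at: float   # flow table establishment time
    last_seen: float
    stats: Counter = field(default_factory=Counter)


class FlowTable:
    """Flow table addressed by the five-tuple (a dict key stands in for the hash
    addressing). Aging is packet-triggered: the age of an entry is only checked
    when another packet with the same five-tuple arrives (assumed aging time)."""

    def __init__(self, aging_time: float = 60.0):
        self.aging_time = aging_time
        self.entries: Dict[FiveTuple, FlowEntry] = {}

    def observe(self, pkt: dict, now: float) -> FlowEntry:
        key: FiveTuple = (pkt["sip"], pkt["dip"], pkt["sport"], pkt["dport"], pkt["proto"])
        entry = self.entries.get(key)
        if entry is None:
            entry = FlowEntry(key, "new", now, now)
            self.entries[key] = entry
            entry.stats["new_conn"] += 1          # new-connection flood statistic
        elif now - entry.last_seen > self.aging_time:
            entry.kind = "aged"                   # expired: not counted, not identified
            return entry
        else:
            entry.kind = "concurrent"             # established and not yet aged
        entry.last_seen = now
        entry.stats["pps"] += 1                   # packets within the detection time (PPS flood)
        flags = pkt.get("flags", set())
        if pkt["proto"] == "udp":
            entry.stats["udp"] += 1
        elif flags == {"SYN"}:
            entry.stats["syn"] += 1
        elif flags == {"SYN", "ACK"}:
            entry.stats["syn_ack"] += 1
        elif flags == {"ACK"}:
            entry.stats["ack"] += 1
        elif flags & {"FIN", "RST"}:
            entry.stats["fin_rst"] += 1
        return entry


# Constructed thresholds per attack type; the patent learns these from history.
SAMPLE_THRESHOLDS: Dict[str, int] = {
    "syn": 100, "syn_ack": 100, "ack": 200, "fin_rst": 50,
    "new_conn": 50, "pps": 500, "udp": 300,
}


def classify(entry: FlowEntry, thresholds: Dict[str, int]) -> Tuple[str, List[str]]:
    """S10321/S10322: compare every statistic with the threshold of its attack
    type. One or more hits -> attack traffic; all below -> normal traffic."""
    if entry.kind == "aged":
        return "aged", []
    hits = [name for name, thr in thresholds.items() if entry.stats[name] >= thr]
    return ("attack" if hits else "normal"), hits


def run_detection_window(packets, thresholds=SAMPLE_THRESHOLDS, aging_time=60.0):
    """Count every (packet, timestamp) of one detection time, then identify each flow."""
    table = FlowTable(aging_time)
    for pkt, ts in packets:
        table.observe(pkt, ts)
    return {ft: classify(e, thresholds) for ft, e in table.entries.items()}


def sample_packets():
    """Constructed input: 150 bare SYNs on one five-tuple plus one ordinary
    client session (SYN, three ACK segments, FIN)."""
    attacker = {"sip": "198.51.100.7", "dip": "203.0.113.10", "sport": 40000,
                "dport": 80, "proto": "tcp", "flags": {"SYN"}}
    pkts = [(dict(attacker), 0.001 * i) for i in range(150)]
    client = {"sip": "192.0.2.5", "dip": "203.0.113.10", "sport": 51000,
              "dport": 80, "proto": "tcp"}
    for i, flags in enumerate(({"SYN"}, {"ACK"}, {"ACK"}, {"ACK"}, {"FIN", "ACK"})):
        pkts.append((dict(client, flags=flags), 1.0 + 0.1 * i))
    return pkts


if __name__ == "__main__":
    for five_tuple, (verdict, hits) in run_detection_window(sample_packets()).items():
        print(five_tuple, verdict, hits)
```

Statistics are reset by constructing a fresh `FlowTable` for each detection time, which matches the text's clearing of all statistics items after the period elapses; a flow whose entry has aged is returned untouched so that it is neither counted nor identified.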
Furthermore, in order to reduce system overhead, the statistics can be performed in a time-division multiplexing manner, which avoids having to determine for each traffic to be identified whether it is still valid (not aged) while counting. The cache is divided into two parts, a first cache region and a second cache region: the first cache region is used for counting in time period t1, the second cache region in time period t2, and counting switches from the first cache region to the second cache region when t1 ends. Thus no aging judgement needs to be made for each traffic to be identified; when the counting time of a cache region ends, that cache region is simply cleared. This mode is described in detail below.
In one implementation manner, the buffer includes a first buffer area and a second buffer area, and the second processor stores the statistical information of each traffic to be identified in the buffer in S10313, which may be:
S201, the second processor searches a first target cache region with a current state being a writable state from the first cache region and the second cache region.
Specifically, for example, the flag bit of a cache region indicates the writable state when it is 0 and the readable state when it is 1. The second processor first searches for a cache region whose flag bit is 0; data can be written to a cache region in the writable state.
S202, the second processor stores statistical information of each flow to be identified received in the detection time in a first target cache region.
S203, the second processor sets a flag bit of the first target cache region as a first flag bit, wherein the first flag bit is used for indicating that the state of the first target cache region is a readable state.
After all the traffic to be identified in the detection time is stored in the first target cache region, the second processor sets the flag bit of the first target cache region as the first flag bit so that the state of the first target cache region is a readable state.
Correspondingly, in S10321, the second processor reads the statistical information of each flow to be identified stored in the cache in turn, which may specifically be:
The second processor sequentially reads the statistical information of each flow to be identified stored in the first target cache area with the current state being a readable state, and sets the flag bit of the first target cache area as a second flag bit after the reading is finished, wherein the second flag bit is used for indicating that the state of the first target cache area is a writable state.
In an implementation manner, the second processor may include a traffic buffer module and a statistics module, and fig. 4 is a schematic diagram of a processing procedure of the second processor in an attack traffic recognition method according to an embodiment of the present application, as shown in fig. 4, where the method in this embodiment may include:
s1, a flow cache module establishes a flow table for at least one flow to be identified received in the detection time.
S2, the second processor sends a statistical request of the flow to be identified to the statistical module.
S3, the statistics module performs statistics on each flow to be identified in the flow table to obtain the statistical information of each flow to be identified, searches for a cache region whose flag bit is 0, and writes the statistical information of the flows to be identified in the flow table into that cache region.
The statistical information comprises a statistical value of each message in at least one message forming each flow to be identified. The flag bit of the buffer area is in a writable state when 0 and in a readable state when 1. For example, the flag bit of the current first buffer area shown in fig. 4 is 0, and the flag bit of the second buffer area is 1.
S4, the second processor reads the statistical information of each flow to be identified stored in the buffer area with the flag bit of 1, sets the flag bit of the buffer area to be 0 after the reading is finished, and identifies whether each flow to be identified is attack flow or not according to the statistical information of each flow to be identified and the flow identification threshold value.
Specifically, the statistical information of the traffic to be identified may be compared with a traffic identification threshold, where the traffic identification threshold includes at least one attack type threshold, and if the statistical value of one or more messages in at least one message forming the traffic to be identified is greater than or equal to the corresponding attack type threshold, it is determined that the traffic to be identified is attack traffic; if the statistical value of all messages in at least one message forming the flow to be identified is smaller than the threshold value of the corresponding attack type, determining that the flow to be identified is normal flow.
In this embodiment, the buffer is divided into the first buffer area and the second buffer area, the first detection time is counted by using the first buffer area, the second detection time is counted by using the second buffer area, and the used counting space is switched after the detection time is over, so that it is not necessary to perform aging judgment on each flow to be identified, because one buffer area is cleared after being processed. By adopting the method, the cache space can be saved, the calculation time and the resource cost are saved, and the performance of the system is improved.
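The two-region cache with flag bits (S201 to S203 and S1 to S4 above), as an added Python example that is not the patent's code. The flag convention (0 writable, 1 readable), the statistic names, the thresholds and the per-window event lists are constructed; the writer side and the reader side are run in one thread for clarity, with the reader draining the previous window's region while the current window fills the other one:

```python
"""Added example (not the patent's code): statistics kept in two cache regions
that alternate per detection time, switched by a flag bit (0 = writable,
1 = readable), following S201 to S203 and S1 to S4. Event lists, statistic
names and thresholds are constructed."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

WRITABLE, READABLE = 0, 1


class StatsBuffer:
    def __init__(self, name: str):
        self.name = name
        self.flag = WRITABLE
        self.stats: Dict[tuple, Counter] = defaultdict(Counter)  # five-tuple -> statistics


class DoubleBufferedStats:
    def __init__(self):
        self.buffers = [StatsBuffer("first"), StatsBuffer("second")]

    def writable_buffer(self) -> Optional[StatsBuffer]:
        """S201: the target region is the one whose flag bit is 0."""
        return next((b for b in self.buffers if b.flag == WRITABLE), None)

    @staticmethod
    def record(buf: StatsBuffer, five_tuple: tuple, stat: str, n: int = 1) -> None:
        """S202: accumulate into the writable region during the detection time."""
        buf.stats[five_tuple][stat] += n

    @staticmethod
    def end_window(buf: StatsBuffer) -> None:
        """S203: detection time over, hand the region to the reader."""
        buf.flag = READABLE

    def consume(self, thresholds: Dict[str, int]) -> Optional[Dict[tuple, str]]:
        """S4: read the region flagged 1, identify each flow, clear the region
        and flag it 0. Clearing the whole region replaces per-flow aging checks."""
        buf = next((b for b in self.buffers if b.flag == READABLE), None)
        if buf is None:
            return None
        verdicts = {
            ft: "attack" if any(c[k] >= thr for k, thr in thresholds.items()) else "normal"
            for ft, c in buf.stats.items()
        }
        buf.stats.clear()
        buf.flag = WRITABLE
        return verdicts


def simulate(windows: List[List[Tuple[tuple, str]]], thresholds: Dict[str, int]):
    """Run consecutive detection times t1, t2, ... Returns the region used per
    window and the verdicts produced for each window, in window order."""
    dbs = DoubleBufferedStats()
    used, verdicts = [], []
    for events in windows:
        buf = dbs.writable_buffer()
        if buf is None:  # both regions unread: the reader has fallen behind
            raise RuntimeError("no writable region: previous window not yet drained")
        used.append(buf.name)
        for five_tuple, stat in events:
            dbs.record(buf, five_tuple, stat)
        # The reader works on the region filled in the previous window while this one fills.
        prev = dbs.consume(thresholds)
        if prev is not None:
            verdicts.append(prev)
        dbs.end_window(buf)
    verdicts.append(dbs.consume(thresholds))  # drain the last window
    return used, verdicts


SAMPLE_THRESHOLDS = {"syn": 100, "udp": 200}
FLOW_A = ("198.51.100.7", "203.0.113.10", 40000, 80, "tcp")
FLOW_B = ("198.51.100.9", "203.0.113.10", 53001, 53, "udp")


def sample_windows():
    """Constructed: t1 has a SYN burst from A, t2 a few SYNs from A, t3 a UDP burst from B."""
    return [
        [(FLOW_A, "syn")] * 120,
        [(FLOW_A, "syn")] * 10,
        [(FLOW_B, "udp")] * 300,
    ]


if __name__ == "__main__":
    print(simulate(sample_windows(), SAMPLE_THRESHOLDS))
```

The `RuntimeError` path is the failure mode a practitioner has to plan for: if the reader has not flagged the previous region writable before the next detection time starts, there is nowhere to count, so the reader's processing of one region must finish within one detection time.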
Fig. 5 is a flowchart of an embodiment of an attack traffic identification method according to an embodiment of the present application. As shown in fig. 5, based on the method shown in fig. 3, the method of this embodiment may optionally include, before S1031:
S301, the second processor acquires a blacklist and a whitelist.
As an implementation manner, S301 may specifically be: the second processor sends the identified attack flow to the first processor, the first processor carries out false source detection on the received attack flow, if the false source detection is passed, quintuple information of the attack flow is added to the white list, if the false source detection is not passed, quintuple information of the attack flow is added to the black list, and the second processor receives the black list and the white list sent by the first processor.
S302, the second processor discards the traffic to be identified hitting the blacklist in at least one traffic to be identified received in the detection time, and transparently transmits the traffic to be identified hitting the whitelist, wherein the traffic to be identified hitting the blacklist is the traffic to be identified having the same quintuple information as any quintuple information in the blacklist, and the traffic to be identified hitting the whitelist is the traffic to be identified having the same quintuple information as any quintuple information in the whitelist.
And S303, the second processor counts the to-be-identified traffic which is not hit in the blacklist and the whitelist in at least one to-be-identified traffic received in the detection time.
Specifically, the second processor discards the traffic to be identified hitting the blacklist, does not count, and transparently transmits the traffic to be identified hitting the whitelist, so that the system performance can be improved.
According to the method provided by this embodiment, the blacklist and the whitelist are acquired before at least one traffic to be identified is received in the detection time; traffic to be identified that hits the blacklist is discarded, traffic to be identified that hits the whitelist is transparently transmitted, and only traffic to be identified that hits neither list is counted subsequently. This reduces the number of traffic to be identified that must be counted, further improves the efficiency of identifying attack traffic, and facilitates high-traffic, low-delay attack traffic identification.
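The five-tuple blacklist/whitelist pre-filter of S301 to S303, with the lists fed by the first processor's false-source verdicts (S412 and S413), as an added Python example that is not the patent's code. The patent does not describe how the first processor performs false-source detection, so that check is a hypothetical callback here; the sample five-tuples and the rule that a later verdict moves an entry between the lists are constructed assumptions:

```python
"""Added example (not the patent's code): five-tuple blacklist/whitelist applied
before statistics (S301 to S303), with the lists maintained from the first
processor's false-source verdicts (S412/S413). The false-source check is a
hypothetical callback; flows and verdicts are constructed."""
from typing import Callable, Dict, Iterable, List, Set, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # (SIP, DIP, sport, dport, protocol)


class ListFilter:
    def __init__(self) -> None:
        self.blacklist: Set[FiveTuple] = set()
        self.whitelist: Set[FiveTuple] = set()

    def update_from_first_processor(self, attack_flows: Iterable[FiveTuple],
                                    false_source_passed: Callable[[FiveTuple], bool]) -> None:
        """S412/S413: flows that pass false-source detection go to the whitelist,
        flows that fail go to the blacklist. Assumption: a later verdict moves the
        entry, so a five-tuple is never in both lists at once."""
        for ft in attack_flows:
            if false_source_passed(ft):
                self.blacklist.discard(ft)
                self.whitelist.add(ft)
            else:
                self.whitelist.discard(ft)
                self.blacklist.add(ft)

    def prefilter(self, flows: Iterable[FiveTuple]) -> Dict[str, List[FiveTuple]]:
        """S302/S303: discard blacklist hits, transmit whitelist hits, and pass
        only the remaining flows on to statistics."""
        out: Dict[str, List[FiveTuple]] = {"discard": [], "transmit": [], "count": []}
        for ft in flows:
            if ft in self.blacklist:
                out["discard"].append(ft)
            elif ft in self.whitelist:
                out["transmit"].append(ft)
            else:
                out["count"].append(ft)
        return out


# Constructed five-tuples.
SPOOFED = ("198.51.100.7", "203.0.113.10", 40000, 80, "tcp")
REAL_CLIENT = ("192.0.2.5", "203.0.113.10", 51000, 80, "tcp")
UNSEEN = ("192.0.2.9", "203.0.113.10", 52000, 443, "tcp")


def constructed_false_source_check(ft: FiveTuple) -> bool:
    """Hypothetical stand-in for the first processor's false-source detection:
    in this sample only REAL_CLIENT is treated as a genuine source."""
    return ft == REAL_CLIENT


def demo() -> Dict[str, List[FiveTuple]]:
    f = ListFilter()
    # Previous detection time: both SPOOFED and REAL_CLIENT were reported as attack traffic (S411).
    f.update_from_first_processor([SPOOFED, REAL_CLIENT], constructed_false_source_check)
    # Next detection time: only UNSEEN still has to be counted.
    return f.prefilter([SPOOFED, REAL_CLIENT, UNSEEN, SPOOFED])


if __name__ == "__main__":
    print(demo())
```

Keying the lists on the full five-tuple, as the text does, means a whitelisted client port does not clear other ports from the same source; the lists therefore grow with the number of flows counted, which is the growth the text notes below for the black-and-white list.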
The detailed procedure of the attack traffic recognition method provided by the application is described below with reference to a specific embodiment.
Fig. 6 is a schematic diagram of the processing flow of a message in an attack traffic identification method according to an embodiment of the present application. As shown in fig. 6, the message arrives at an attack traffic identification device 2 through a router 1, where the attack traffic identification device 2 includes a first processor and a second processor. The first processor performs traffic learning on the received service traffic and identifies it according to a preset traffic identification model; if it identifies abnormal traffic, it sends the traffic identification threshold to the second processor, pulls the traffic to be identified to the second processor and transparently transmits the normal traffic, where the traffic to be identified includes the abnormal traffic or traffic whose source address is the same as the source address of the abnormal traffic. The second processor performs attack traffic identification on at least one traffic to be identified received in the detection time according to the traffic identification threshold. Optionally, the first processor may also send a blacklist and whitelist to the second processor.
Fig. 7 is a flowchart of an attack traffic recognition method according to an embodiment of the present application, where, as shown in fig. 7, the method in this embodiment may include:
S401, the first processor performs flow learning on the received service flow, and identifies the received service flow according to a preset flow identification model.
S402, if the first processor identifies abnormal flow, the first processor sends a flow identification threshold to the second processor, and pulls the flow to be identified to the second processor.
The traffic identification threshold is obtained by the first processor performing traffic learning on the abnormal traffic and the traffic received in a preset time period before the abnormal traffic is received, and the traffic to be identified comprises the abnormal traffic or the traffic with the source address identical to the source address of the abnormal traffic.
S403, the second processor establishes a flow table for at least one flow to be identified received in the detection time, wherein the flow table comprises five-tuple information of each flow to be identified, the type of each flow to be identified and the flow table establishment time.
S404, the second processor counts each flow to be identified in the flow table to obtain statistical information of each flow to be identified, wherein the statistical information comprises a statistical value of each message in at least one message forming each flow to be identified.
And S405, the second processor stores the statistical information of each flow to be identified in a cache.
S406, the second processor searches the first target cache region with the current state being the writable state from the first cache region and the second cache region.
And S407, the second processor stores the statistical information of each flow to be identified received in the detection time in the first target cache region.
S408, the second processor sets a flag bit of the first target cache region as a first flag bit, wherein the first flag bit is used for indicating that the state of the first target cache region is a readable state.
S409, the second processor sequentially reads the statistical information of each flow to be identified stored in the first target cache area with the current state being the readable state, compares the statistical information of the flow to be identified with a flow identification threshold value for the statistical information of each flow to be identified, wherein the flow identification threshold value comprises at least one attack type threshold value, and sets the flag bit of the first target cache area as a second flag bit after the reading is finished, and the second flag bit is used for indicating that the state of the first target cache area is the writable state.
S410, if the statistical value of one or more messages in at least one message forming the flow to be identified is greater than or equal to the threshold value of the corresponding attack type, the second processor determines that the flow to be identified is attack flow; if the statistical value of all messages in at least one message forming the flow to be identified is smaller than the threshold value of the corresponding attack type, the second processor determines that the flow to be identified is normal flow.
S411, the second processor sends the identified attack traffic to the first processor.
And S412, the first processor performs false source detection on the received attack traffic, if the false source detection is passed, the five-tuple information of the attack traffic is added to the white list, and if the false source detection is not passed, the five-tuple information of the attack traffic is added to the black list.
And S413, the first processor sends the blacklist and the whitelist to the second processor.
S414, the second processor discards the traffic to be identified hitting the blacklist and transparently transmits the traffic to be identified hitting the whitelist.
The traffic to be identified hitting the blacklist is a message with the same quintuple information as any quintuple information in the blacklist, and the traffic to be identified hitting the whitelist is a message with the same quintuple information as any quintuple information in the whitelist.
S415, the second processor counts the to-be-identified traffic which is not hit in the blacklist and the whitelist in the at least one to-be-identified traffic received in the detection time.
Specifically, the second processor establishes a flow table for the traffic to be identified, which is not hit in the blacklist and the whitelist in at least one traffic to be identified and is received in the detection time, and then executes S404-S410 to identify the attack traffic and the normal traffic.
It should be noted that the blacklist and whitelist are obtained from the second processor's statistics on the traffic to be identified within one detection time. They can be used in the subsequent statistical processing of the traffic to be identified. The number of five-tuple entries in the blacklist and whitelist increases as the number of traffic to be identified counted by the second processor increases.
In an embodiment of the present application, the first processor may be a CPU, and the second processor may be a field-programmable gate array (FPGA). The high-speed parallel characteristics of the FPGA can be exploited to identify attack traffic more efficiently and improve identification efficiency.
According to the method provided by this embodiment, because the traffic identification threshold is obtained by the first processor learning from the historical service traffic, the threshold is accurate and reasonable, and interception of normal traffic as attack traffic is avoided to the greatest extent. If the traffic identification threshold is set too low, more normal traffic is identified as attack traffic and intercepted; if it is set too high, some attack traffic is let through, so the probability of the protected domain being attacked is higher. Therefore, the method provided by this embodiment can improve the interception effect of the whole system.
The following are embodiments of the apparatus of the present application that may be used to perform the above-described method embodiments of the present application. For details not disclosed in the embodiments of the device according to the application, reference is made to the above-described method embodiments of the application.
Fig. 8 is a schematic structural diagram of an attack traffic recognition device according to an embodiment of the present application, where, as shown in fig. 8, the device in this embodiment may include: a first processor 11 and a second processor 12, wherein,
The first processor 11 is configured to:
The method comprises the steps of performing flow learning on received service flow, and identifying the received service flow according to a preset flow identification model;
If the abnormal flow is identified, sending a flow identification threshold to the second processor, and pulling the flow to be identified to the second processor, wherein the flow identification threshold is obtained by the first processor performing flow learning on the abnormal flow and the service flow received in a preset time period before the abnormal flow is received, and the flow to be identified comprises the abnormal flow or the service flow with the source address identical to the source address of the abnormal flow;
the second processor 12 is configured to:
and carrying out attack flow identification on at least one flow to be identified received in the detection time according to the flow identification threshold.
Optionally, the second processor 12 is configured to:
Counting at least one flow to be identified received in the detection time to obtain the statistical information of each flow to be identified;
And identifying whether each flow to be identified is attack flow or not according to the statistical information of each flow to be identified and the flow identification threshold value.
Optionally, the second processor 12 is specifically configured to:
Establishing a flow table for at least one flow to be identified received in the detection time, wherein the flow table comprises five-tuple information of each flow to be identified, the type of each flow to be identified and the flow table establishment time;
Counting each flow to be identified in the flow table to obtain the statistical information of each flow to be identified, wherein the statistical information comprises the statistical value of each message in at least one message forming each flow to be identified;
And storing the statistical information of each flow to be identified in a cache.
Optionally, the second processor 12 is specifically configured to:
sequentially reading the statistical information of each flow to be identified stored in the cache, and comparing the statistical information of the flow to be identified with a flow identification threshold value for the statistical information of each flow to be identified, wherein the flow identification threshold value comprises at least one attack type threshold value;
If the statistical value of one or more messages in at least one message forming the flow to be identified is greater than or equal to the threshold value of the corresponding attack type, determining that the flow to be identified is the attack flow;
if the statistical value of all messages in at least one message forming the flow to be identified is smaller than the threshold value of the corresponding attack type, determining that the flow to be identified is normal flow.
Optionally, the cache includes a first cache region and a second cache region, and the second processor 12 is specifically configured to:
Searching a first target cache region with a current state being a writable state from the first cache region and the second cache region;
storing the statistical information of each flow to be identified received in the detection time in a first target cache region;
Setting a flag bit of the first target cache region as a first flag bit, wherein the first flag bit is used for indicating that the state of the first target cache region is a readable state.
Optionally, the second processor 12 is specifically configured to:
And sequentially reading the statistical information of each flow to be identified stored in the first target buffer area with the current state being a readable state, and setting the flag bit of the first target buffer area as a second flag bit after the reading is finished, wherein the second flag bit is used for indicating that the state of the first target buffer area is a writable state.
Optionally, the second processor 12 is further configured to:
Obtaining a black list and a white list;
Discarding the traffic to be identified hitting the blacklist in at least one traffic to be identified received in the detection time, and transmitting the traffic to be identified hitting the whitelist, wherein the traffic to be identified hitting the blacklist is the traffic to be identified having the same quintuple information as any quintuple information in the blacklist, and the traffic to be identified hitting the whitelist is the traffic to be identified having the same quintuple information as any quintuple information in the whitelist;
And counting the to-be-identified traffic which is not hit in the blacklist and the whitelist in at least one to-be-identified traffic received in the detection time.
Optionally, the second processor 12 is specifically configured to:
Transmitting the identified attack traffic to a first processor;
Performing false source detection on the received attack traffic, adding quintuple information of the attack traffic into a white list if the false source detection is passed, and adding the quintuple information of the attack traffic into the black list if the false source detection is not passed;
And receiving the blacklist and the whitelist sent by the first processor.
The device provided in the embodiment of the present application may execute the above method embodiment, and the specific implementation principle and technical effects of the device may be referred to the above method embodiment, and this embodiment is not described herein again.
It should be noted that, it should be understood that the division of the modules of the above apparatus is merely a division of a logic function, and may be fully or partially integrated into a physical entity or may be physically separated. And these modules may all be implemented in software in the form of calls by the processing element; or can be realized in hardware; the method can also be realized in a form of calling software by a processing element, and the method can be realized in a form of hardware by a part of modules. For example, the processing module may be a processing element that is set up separately, may be implemented in a chip of the above-mentioned apparatus, or may be stored in a memory of the above-mentioned apparatus in the form of program codes, and the functions of the above-mentioned processing module may be called and executed by a processing element of the above-mentioned apparatus. The implementation of the other modules is similar. In addition, all or part of the modules can be integrated together or can be independently implemented. The processing element here may be an integrated circuit with signal processing capabilities. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or an instruction in a software form.
For example, the above modules may be one or more integrated circuits configured to implement the above methods, such as one or more application-specific integrated circuits (ASICs), one or more microprocessors such as digital signal processors (DSPs), or one or more field-programmable gate arrays (FPGAs). For another example, when a module is implemented as program code scheduled by a processing element, the processing element may be a general-purpose processor, such as a central processing unit (CPU) or another processor that can invoke program code. For another example, the modules may be integrated together and implemented as a system on a chip (SoC).
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server, or data center to another by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tape), optical media (e.g., DVD), or semiconductor media (e.g., solid-state disk (SSD)), among others.
Fig. 9 is a schematic structural diagram of an attack traffic identification device according to an embodiment of the present application. As shown in Fig. 9, the attack traffic identification device of this embodiment may include a processor 21 and a memory 22,
wherein the memory 22 is used for storing executable instructions of the processor 21.
The processor 21 is configured to perform the attack traffic identification method of the method embodiment above by executing the executable instructions.
Optionally, the memory 22 may be separate from, or integrated with, the processor 21.
When the memory 22 is a device independent of the processor 21, the attack traffic identification device of this embodiment may further include:
a bus 23 for connecting the memory 22 and the processor 21.
Optionally, the attack traffic identification device of this embodiment may further include a communication interface 24, which may be connected to the processor 21 via the bus 23.
The present application also provides a computer-readable storage medium storing computer-executable instructions which, when run on a computer, cause the computer to perform the attack traffic identification method of the above embodiments.
An embodiment of the present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the attack traffic identification method of the above embodiments.
In the description of this specification, reference to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples" means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, those skilled in the art may combine the different embodiments or examples described in this specification, and the features of those embodiments or examples, provided they do not contradict one another.
While embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and are not to be construed as limiting the application, and that one of ordinary skill in the art may make variations, modifications, substitutions and alterations to the above embodiments within the scope of the application.

Claims (8)

1. An attack traffic identification method, wherein the method is applied to an attack traffic identification device comprising a first processor and a second processor, and the method comprises:
the first processor performing traffic learning on received service traffic and identifying the received service traffic according to a preset traffic identification model;
if the first processor identifies abnormal traffic, sending a traffic identification threshold to the second processor and diverting traffic to be identified to the second processor, wherein the traffic identification threshold is obtained by the first processor performing traffic learning on the abnormal traffic and on traffic received in a preset time period before the abnormal traffic was received, and the traffic to be identified comprises the abnormal traffic or traffic whose source address is identical to the source address of the abnormal traffic;
the second processor counting at least one traffic to be identified received within a detection time to obtain statistical information for each traffic to be identified;
the second processor storing the statistical information of each traffic to be identified in a cache, wherein the cache comprises a first cache region and a second cache region;
the second processor searching the first cache region and the second cache region for a first target cache region whose current state is a writable state;
the second processor storing the statistical information of each traffic to be identified received within the detection time in the first target cache region;
the second processor setting a flag bit of the first target cache region to a first flag bit, wherein the first flag bit indicates that the state of the first target cache region is a readable state;
and the second processor identifying whether each traffic to be identified is attack traffic according to the statistical information of each traffic to be identified and the traffic identification threshold.
2. The method of claim 1, wherein the second processor counting at least one traffic to be identified received within the detection time to obtain statistical information for each traffic to be identified comprises:
the second processor establishing a flow table for the at least one traffic to be identified received within the detection time, wherein the flow table comprises the five-tuple information of each traffic to be identified, the type of each traffic to be identified and the flow-table establishment time;
the second processor counting each traffic to be identified in the flow table to obtain the statistical information of each traffic to be identified, wherein the statistical information comprises a statistical value for each message of the at least one message constituting each traffic to be identified.
3. The method of claim 2, wherein the second processor identifying whether each traffic to be identified is attack traffic according to the statistical information of each traffic to be identified and the traffic identification threshold comprises:
the second processor sequentially reading the statistical information of each traffic to be identified stored in the cache and comparing the statistical information of each traffic to be identified with the traffic identification threshold, wherein the traffic identification threshold comprises at least one attack-type threshold;
if the statistical value of one or more messages of the at least one message constituting a traffic to be identified is greater than or equal to the threshold of the corresponding attack type, determining that the traffic to be identified is attack traffic;
and if the statistical values of all messages of the at least one message constituting the traffic to be identified are smaller than the thresholds of the corresponding attack types, determining that the traffic to be identified is normal traffic.
4. The method of claim 3, wherein the second processor sequentially reading the statistical information of each traffic to be identified stored in the cache comprises:
the second processor sequentially reading the statistical information of each traffic to be identified stored in the first target cache region whose current state is a readable state, and, after the reading is finished, setting the flag bit of the first target cache region to a second flag bit, wherein the second flag bit indicates that the state of the first target cache region is a writable state.
5. The method of claim 1, wherein the second processor counting at least one traffic to be identified received within the detection time comprises:
the second processor acquiring a blacklist and a whitelist;
the second processor discarding, from the at least one traffic to be identified received within the detection time, the traffic to be identified that hits the blacklist, and transparently forwarding the traffic to be identified that hits the whitelist, wherein the traffic to be identified that hits the blacklist is traffic to be identified whose five-tuple information is identical to any five-tuple information in the blacklist, and the traffic to be identified that hits the whitelist is traffic to be identified whose five-tuple information is identical to any five-tuple information in the whitelist;
and the second processor counting the traffic to be identified, among the at least one traffic to be identified received within the detection time, that hits neither the blacklist nor the whitelist.
6. An attack traffic identification device, comprising: a first processor and a second processor;
the first processor being configured to:
perform traffic learning on received service traffic, and identify the received service traffic according to a preset traffic identification model;
if abnormal traffic is identified, send a traffic identification threshold to the second processor and divert traffic to be identified to the second processor, wherein the traffic identification threshold is obtained by the first processor performing traffic learning on the abnormal traffic and on traffic received in a preset time period before the abnormal traffic was received, and the traffic to be identified comprises the abnormal traffic or traffic whose source address is identical to that of the abnormal traffic;
the second processor being configured to:
count at least one traffic to be identified received within a detection time to obtain statistical information for each traffic to be identified;
store the statistical information of each traffic to be identified in a cache, wherein the cache comprises a first cache region and a second cache region;
search the first cache region and the second cache region for a first target cache region whose current state is a writable state;
store the statistical information of each traffic to be identified received within the detection time in the first target cache region;
set a flag bit of the first target cache region to a first flag bit, wherein the first flag bit indicates that the state of the first target cache region is a readable state;
and identify whether each traffic to be identified is attack traffic according to the statistical information of each traffic to be identified and the traffic identification threshold.
7. An attack traffic identification device, comprising:
a first processor and a second processor; and
a memory for storing executable instructions of the processors;
wherein the first processor and the second processor are configured to perform the attack traffic identification method according to any one of claims 1 to 5 by executing the executable instructions.
8. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the attack traffic identification method according to any one of claims 1 to 5.
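The second-processor pipeline of claims 1 to 5 (black/whitelist pre-filtering, a five-tuple flow table per detection window, a two-region cache whose flag bits flip between writable and readable, and a per-attack-type threshold comparison), as an added worked example in Python. This is not code from the patent or its assignee; it is one way to implement what the claims describe. Everything not stated in the claims is an assumption: the packet `kind` field stands in for the "message" whose statistical value is compared against a threshold, the transport protocol stands in for the "type" of each traffic to be identified, and the thresholds, addresses and packet counts in `demo()` are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field

# Flag bits of claims 1 and 4: "first flag bit" = readable, "second flag bit" = writable.
READABLE, WRITABLE = 1, 0


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    kind: str  # message type, e.g. "SYN", "ACK", "UDP" (assumed field, not from the patent)

    def five_tuple(self):
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


@dataclass
class FlowEntry:
    """Flow-table row of claim 2: five-tuple, flow type, establishment time, per-message counts."""
    five_tuple: tuple
    flow_type: str          # assumption: the transport protocol is used as the flow type
    created_at: float
    counts: Counter = field(default_factory=Counter)


class DoubleBuffer:
    """Two cache regions, one flag bit each: the counting stage fills a writable region and
    marks it readable; the identification stage drains a readable region and marks it writable."""

    def __init__(self):
        self.regions = [{}, {}]
        self.flags = [WRITABLE, WRITABLE]

    def writable_index(self):
        for i, flag in enumerate(self.flags):
            if flag == WRITABLE:
                return i
        raise RuntimeError("both regions are readable: the reader has fallen behind")

    def publish(self, stats):
        """Store one detection window's statistics, set the first (readable) flag bit."""
        i = self.writable_index()
        self.regions[i] = stats
        self.flags[i] = READABLE
        return i

    def consume(self):
        """Return one finished window and set the second (writable) flag bit; None if none is ready."""
        for i, flag in enumerate(self.flags):
            if flag == READABLE:
                stats, self.regions[i], self.flags[i] = self.regions[i], {}, WRITABLE
                return stats
        return None


class SecondProcessor:
    def __init__(self, thresholds, blacklist=(), whitelist=()):
        self.thresholds = dict(thresholds)  # message type -> attack-type threshold from the first processor
        self.blacklist = set(blacklist)     # five-tuples
        self.whitelist = set(whitelist)
        self.cache = DoubleBuffer()

    def split_by_lists(self, packets):
        """Claim 5: drop blacklist hits, forward whitelist hits untouched, count everything else."""
        to_count, dropped, passed = [], [], []
        for p in packets:
            ft = p.five_tuple()
            if ft in self.blacklist:
                dropped.append(p)
            elif ft in self.whitelist:
                passed.append(p)
            else:
                to_count.append(p)
        return to_count, dropped, passed

    def count_window(self, packets, window_start):
        """Claims 1-2: build the flow table for one detection window and publish it to the cache."""
        table = {}
        for p in packets:
            entry = table.setdefault(p.five_tuple(), FlowEntry(p.five_tuple(), p.proto, window_start))
            entry.counts[p.kind] += 1
        return self.cache.publish(table)

    def classify_window(self):
        """Claims 3-4: a flow is attack traffic if any message count reaches the threshold of the
        corresponding attack type; it is normal only if every counted message stays below it."""
        table = self.cache.consume()
        if table is None:
            return {}
        return {ft: "attack" if any(e.counts[k] >= limit for k, limit in self.thresholds.items())
                else "normal" for ft, e in table.items()}


def demo():
    """Constructed window: a SYN flood, a normal handshake, one blacklisted and one whitelisted flow."""
    sp = SecondProcessor({"SYN": 100, "UDP": 500, "ICMP": 50},
                         blacklist={("203.0.113.9", "192.0.2.10", 4444, 80, "tcp")},
                         whitelist={("198.51.100.2", "192.0.2.10", 5555, 53, "udp")})
    pkts = [Packet("10.0.0.5", "192.0.2.10", 40000, 80, "tcp", "SYN") for _ in range(120)]
    pkts += [Packet("10.0.0.7", "192.0.2.10", 40001, 80, "tcp", k) for k in ("SYN", "ACK", "ACK")]
    pkts += [Packet("203.0.113.9", "192.0.2.10", 4444, 80, "tcp", "SYN") for _ in range(10)]
    pkts += [Packet("198.51.100.2", "192.0.2.10", 5555, 53, "udp", "UDP") for _ in range(5)]
    to_count, dropped, passed = sp.split_by_lists(pkts)
    sp.count_window(to_count, window_start=0.0)
    return sp.classify_window(), len(dropped), len(passed)


if __name__ == "__main__":
    print(demo())
```

The two-region cache is what lets the counting stage keep writing the next detection window while the identification stage is still reading the previous one; `writable_index()` raising when both regions are readable is the condition the claims leave implicit, namely that the reader must drain a region before a third window can be stored.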

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110938516.0A CN113890746B (en) 2021-08-16 2021-08-16 Attack traffic identification method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113890746A CN113890746A (en) 2022-01-04
CN113890746B true CN113890746B (en) 2024-05-07

Family

ID=79011085

Country Status (1)

Country Link
CN (1) CN113890746B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114338233A (en) * 2022-02-28 2022-04-12 北京安帝科技有限公司 Network attack detection method and system based on flow analysis
CN114584623B (en) * 2022-03-10 2024-03-29 广州方硅信息技术有限公司 Flow request cleaning method and device, storage medium and computer equipment

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101299724A (en) * 2008-07-04 2008-11-05 杭州华三通信技术有限公司 Method, system and equipment for cleaning traffic
CN101924764A (en) * 2010-08-09 2010-12-22 中国电信股份有限公司 Large-scale DDoS (Distributed Denial of Service) attack defense system and method based on two-level linkage mechanism
CN102457489A (en) * 2010-10-26 2012-05-16 中国民航大学 Attacking, detecting and defending module for LDoS (Low-rate Denial of Service)
CN105187411A (en) * 2015-08-18 2015-12-23 福建省海峡信息技术有限公司 Distributed abnormal detection method for network data stream
CN106294546A (en) * 2016-07-22 2017-01-04 北京英诺威尔科技股份有限公司 A kind of method of memory storage particular device port status data
CN108234516A (en) * 2018-01-26 2018-06-29 北京安博通科技股份有限公司 A kind of detection method and device of network flood attack
CN109391599A (en) * 2017-08-10 2019-02-26 蓝盾信息安全技术股份有限公司 A kind of detection system of the Botnet communication signal based on HTTPS traffic characteristics analysis
CN109495504A (en) * 2018-12-21 2019-03-19 东软集团股份有限公司 A kind of firewall box and its message processing method and medium
CN109635564A (en) * 2018-12-07 2019-04-16 深圳市联软科技股份有限公司 A kind of method, apparatus, medium and equipment detecting Brute Force behavior
CN110377491A (en) * 2019-07-10 2019-10-25 中国银联股份有限公司 A kind of data exception detection method and device
CN110716695A (en) * 2019-09-12 2020-01-21 北京浪潮数据技术有限公司 Node log storage method and system, electronic device and storage medium
CN113132654A (en) * 2020-01-10 2021-07-16 西安诺瓦星云科技股份有限公司 Multi-video source splicing processing method and device and video splicer
CN113194086A (en) * 2021-04-27 2021-07-30 新华三信息安全技术有限公司 Anti-attack method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110138463A1 (en) * 2009-12-07 2011-06-09 Electronics And Telecommunications Research Institute Method and system for ddos traffic detection and traffic mitigation using flow statistics
US11265336B2 (en) * 2019-03-28 2022-03-01 Red Hat, Inc. Detecting anomalies in networks
US11558408B2 (en) * 2019-05-03 2023-01-17 EMC IP Holding Company LLC Anomaly detection based on evaluation of user behavior using multi-context machine learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant