CN114006771B - Flow detection method and device - Google Patents

Publication number: CN114006771B
Authority: CN (China)
Prior art keywords: flow, attack, processing, traffic, detected
Legal status: Active
Application number: CN202111635844.XA
Other languages: Chinese (zh)
Other versions: CN114006771A
Inventors: 贾明媚, 赵林林, 童兆丰, 薛锋
Current assignee: Beijing ThreatBook Technology Co Ltd
Original assignee: Beijing ThreatBook Technology Co Ltd
Application filed by Beijing ThreatBook Technology Co Ltd; priority to CN202111635844.XA; publication of CN114006771A; application granted; publication of CN114006771B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The embodiments of the present application provide a traffic detection method and device, relating to the technical field of network security. The traffic detection method comprises the following steps: first, acquiring the traffic to be detected; filtering the traffic to be detected according to a preconfigured traffic filtering list to obtain first processing traffic and blacklist traffic; then performing network attack detection processing on the first processing traffic according to preset traffic rules to obtain second processing traffic in which no attack is detected and traffic in which an attack is present; then performing collision comparison (matching) of the second processing traffic against a preset cloud intelligence database to obtain third processing traffic, namely the traffic that generates an alarm; and finally obtaining the attack group address information of the blacklist traffic, the third processing traffic and the traffic with an attack, and blocking the traffic corresponding to the attack group address information. In this way, when a network attack is detected, the discovered attacking host and its group can be blocked in real time, thereby maintaining network security.

Description

Flow detection method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a traffic detection method and apparatus.
Background
With the rapid development of information technology, computers and networks have become essential tools for daily office work, communication and collaboration. In the current network environment, however, network attack modes are diverse, and frequent outbreaks of network security incidents seriously affect the information security of enterprises and individuals. Existing traffic detection methods usually block an attacking host through a firewall once a network attack from that host is detected. In practice, however, such methods can only block the single attacking host that is currently attacking and cannot effectively block the attack group to which that host belongs; moreover, because a firewall is used for blocking, attack detection and attack blocking are split across two devices, so a discovered network attack cannot be blocked in real time. Existing methods are therefore limited to blocking the single attacking host currently carrying out the attack and cannot instantly block a discovered network attack.
Disclosure of Invention
An object of the embodiments of the present application is to provide a traffic detection method and apparatus that can block a discovered attacking host and its group in real time when a network attack is detected, so as to maintain network security.
A first aspect of the embodiments of the present application provides a traffic detection method, including:
acquiring the traffic to be detected;
filtering the traffic to be detected according to a preconfigured traffic filtering list to obtain first processing traffic and blacklist traffic;
performing network attack detection processing on the first processing traffic according to preset traffic rules to obtain second processing traffic in which no attack is detected and traffic in which an attack is present;
performing collision comparison of the second processing traffic against a preset cloud intelligence database to obtain third processing traffic that generates an alarm;
and acquiring the attack group address information of the blacklist traffic, the third processing traffic and the traffic with an attack, and blocking the traffic corresponding to the attack group address information.
In this implementation, the traffic to be detected is obtained first; the traffic to be detected is filtered according to a preconfigured traffic filtering list to obtain first processing traffic and blacklist traffic; network attack detection processing is then performed on the first processing traffic according to preset traffic rules to obtain second processing traffic in which no attack is detected and traffic in which an attack is present; collision comparison of the second processing traffic against a preset cloud intelligence database then yields third processing traffic that generates an alarm; and finally the attack group address information of the blacklist traffic, the third processing traffic and the traffic with an attack is obtained, and the traffic corresponding to the attack group address information is blocked. In this way, the method can block the discovered attacking host and its group in real time when a network attack is detected, thereby maintaining network security.
Further, filtering the traffic to be detected according to a preconfigured traffic filtering list to obtain first processing traffic and blacklist traffic includes:
determining the blacklist traffic and the whitelist traffic in the traffic to be detected according to the preconfigured traffic filtering list;
determining the traffic in the traffic to be detected other than the blacklist traffic and the whitelist traffic as the first processing traffic;
and passing the whitelist traffic through directly, and performing the network attack detection processing on the first processing traffic according to the preset traffic rules to obtain the second processing traffic in which no attack is detected.
Further, performing network attack detection processing on the first processing traffic according to preset traffic rules to obtain second processing traffic in which no attack is detected and traffic in which an attack is present includes:
performing network attack detection processing on the first processing traffic according to the preset traffic rules to obtain an attack detection result;
and determining, according to the attack detection result, the traffic in the first processing traffic in which an attack is detected and the second processing traffic in which no attack is detected, and performing collision comparison of the second processing traffic against the preset cloud intelligence database to obtain the third processing traffic that generates an alarm.
Further, obtaining the attack group address information of the blacklist traffic, the third processing traffic and the traffic with an attack includes:
extracting the attack address information in the blacklist traffic, the third processing traffic and the traffic with an attack;
querying the cloud intelligence database for other attack address information associated with the attack address information;
and aggregating the attack address information and the other attack address information to obtain the attack group address information.
Further, blocking the traffic corresponding to the attack group address information includes:
acquiring blocking processing configuration information, which at least comprises a blocking mode and a blocking time;
when the blocking mode is bypass blocking, obtaining a blocking data packet and continuously sending the blocking data packet to the attacking end according to the attack group address information for the duration of the blocking time, so as to cut off the communication connection with the attacking end;
and when the blocking mode is linkage blocking, configuring the attack group address information into the linked firewall device so that the firewall device blocks the traffic corresponding to the attack group address information.
A second aspect of the embodiments of the present application provides a traffic detection device, including:
a traffic acquisition unit, configured to acquire the traffic to be detected;
a first processing unit, configured to filter the traffic to be detected according to a preconfigured traffic filtering list to obtain first processing traffic and blacklist traffic;
a second processing unit, configured to perform network attack detection processing on the first processing traffic according to preset traffic rules to obtain second processing traffic in which no attack is detected and traffic in which an attack is present;
a third processing unit, configured to perform collision comparison of the second processing traffic against a preset cloud intelligence database to obtain third processing traffic that generates an alarm;
a group information obtaining unit, configured to obtain the attack group address information of the blacklist traffic, the third processing traffic and the traffic with an attack;
and a blocking unit, configured to block the traffic corresponding to the attack group address information.
In this implementation, the traffic acquisition unit first acquires the traffic to be detected; the first processing unit filters the traffic to be detected according to a preconfigured traffic filtering list to obtain first processing traffic and blacklist traffic; the second processing unit then performs network attack detection processing on the first processing traffic according to preset traffic rules to obtain second processing traffic in which no attack is detected and traffic in which an attack is present; the third processing unit performs collision comparison of the second processing traffic against a preset cloud intelligence database to obtain third processing traffic that generates an alarm; and finally the group information obtaining unit obtains the attack group address information of the blacklist traffic, the third processing traffic and the traffic with an attack, and the blocking unit blocks the traffic corresponding to the attack group address information. In this way, the device can block the discovered attacking host and its group in real time when a network attack is detected, thereby maintaining network security.
Further, the first processing unit includes:
a first determining subunit, configured to determine the blacklist traffic and the whitelist traffic in the traffic to be detected according to the preconfigured traffic filtering list;
a second determining subunit, configured to determine the traffic in the traffic to be detected other than the blacklist traffic and the whitelist traffic as the first processing traffic;
and a pass-through subunit, configured to pass the whitelist traffic through directly and trigger the second processing unit to perform network attack detection processing on the first processing traffic according to the preset traffic rules, so as to obtain the second processing traffic in which no attack is detected.
Further, the second processing unit includes:
an attack detection subunit, configured to perform network attack detection processing on the first processing traffic according to the preset traffic rules to obtain an attack detection result;
and a third determining subunit, configured to determine, according to the attack detection result, the traffic in the first processing traffic in which an attack is detected and the second processing traffic in which no attack is detected, and trigger the third processing unit to perform collision comparison of the second processing traffic against the preset cloud intelligence database to obtain the third processing traffic that generates an alarm.
A third aspect of the embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to enable the electronic device to execute the traffic detection method according to any one of the first aspect of the embodiments of the present application.
A fourth aspect of the present embodiment provides a computer-readable storage medium, which stores computer program instructions, where the computer program instructions, when read and executed by a processor, perform the traffic detection method according to any one of the first aspect of the present embodiment.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flow chart of a traffic detection method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a traffic detection device according to an embodiment of the present application;
fig. 3 is a schematic diagram of the overall structure of a traffic detection system according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to fig. 1, fig. 1 is a schematic flow chart of a traffic detection method according to an embodiment of the present application. The traffic detection method comprises the following steps:
S101, obtaining the traffic to be detected.
In the embodiment of the present application, the execution subject of the method may be a computing device such as a computer or a server, which is not limited in this embodiment.
In this embodiment, the execution subject of the method may also be an intelligent device such as a smart phone or a tablet computer, which is not limited in this embodiment.
In the embodiment of the present application, the traffic to be detected may be obtained by traffic mirroring (a mirrored copy of the traffic), which is not limited in this embodiment of the present application.
S102, determining the blacklist traffic and the whitelist traffic in the traffic to be detected according to a preconfigured traffic filtering list.
In the embodiment of the present application, the traffic filtering list includes a whitelist and a blacklist; specifically, the lists contain IP addresses and the like, which is not limited in this embodiment of the present application.
S103, determining the traffic in the traffic to be detected other than the blacklist traffic and the whitelist traffic as the first processing traffic.
In the embodiment of the application, the traffic to be detected thus consists of blacklist traffic, whitelist traffic and first processing traffic.
S104, passing the whitelist traffic through directly, and executing step S105.
In the embodiment of the application, filtering is performed according to the preconfigured traffic filtering list: whitelist traffic belonging to the whitelist is passed through directly, and traffic belonging to the blacklist is blacklist traffic.
In the embodiment of the application, once blacklist traffic is detected, the attack group address information of the blacklist traffic can be obtained immediately and blocking processing performed on the traffic corresponding to that attack group address information.
In the embodiment of the present application, by performing steps S102 to S104, the traffic to be detected is filtered according to the preconfigured traffic filtering list to obtain the first processing traffic and the blacklist traffic.
S105, performing network attack detection processing on the first processing traffic according to preset traffic rules to obtain an attack detection result.
S106, determining, according to the attack detection result, the traffic in the first processing traffic in which an attack is detected and the second processing traffic in which no attack is detected, and executing step S107.
In the embodiment of the application, the first processing traffic is evaluated against the preset traffic rules in a rule engine, yielding the traffic in which an attack is detected and the second processing traffic in which no attack is detected.
In the embodiment of the present application, by performing steps S105 to S106, network attack detection processing is performed on the first processing traffic according to the preset traffic rules to obtain the second processing traffic in which no attack is detected and the traffic in which an attack is present.
In the embodiment of the application, once traffic with an attack is detected, its attack group address information can be obtained immediately and blocking processing performed on the traffic corresponding to that attack group address information.
S107, performing collision comparison of the second processing traffic against a preset cloud intelligence database to obtain third processing traffic that generates an alarm.
In the embodiment of the application, the second processing traffic is collided with (matched against) the preset cloud intelligence database, and the traffic that generates an alarm is determined to be the third processing traffic.
In the embodiment of the present application, once third processing traffic is detected, its attack group address information can be obtained immediately and blocking processing performed on the traffic corresponding to that attack group address information.
In the embodiment of the application, by performing steps S102 to S107, it can be determined whether attack behavior exists in the traffic to be detected, and the traffic exhibiting attack behavior is alarmed on and blocked.
After step S107, the following steps are also included:
S108, extracting the attack address information in the blacklist traffic, the third processing traffic and the traffic with an attack.
In the embodiment of the present application, the attack address information is specifically attack IP information, namely the attack IP information corresponding to the attack traffic detected by steps S102 to S107, where the attack traffic comprises the blacklist traffic, the third processing traffic and the traffic with an attack.
S109, querying the cloud intelligence database for other attack address information associated with the attack address information.
In this embodiment, the other attack address information may be attack IPs that have not been observed in the detected attack traffic, or other attack IP information associated with them, and the like, which is not limited in this embodiment.
S110, aggregating the attack address information and the other attack address information to obtain the attack group address information.
In the embodiment of the present application, by performing steps S108 to S110, the attack group address information of the blacklist traffic, the third processing traffic and the traffic with an attack is obtained.
In the embodiment of the present application, the method may be applied to a traffic detection system; please refer to fig. 3, which is a schematic diagram of the overall structure of a traffic detection system provided in the embodiment of the present application. As shown in fig. 3, the traffic detection system integrates attack IP discovery and blocking. First, a judgment module performs layer-by-layer filtering and detection of the traffic to be detected through the traffic filtering list, the traffic rules and the cloud intelligence database, finds the attack traffic (namely the blacklist traffic, the third processing traffic and the traffic with an attack), and then performs traffic blocking on the attack traffic and on the group IPs of the attack traffic.
S111, obtaining blocking processing configuration information, which at least comprises a blocking mode and a blocking time.
In the embodiment of the application, interfaces for various types of firewall can be configured in advance for blocking. When a firewall is configured, the firewall configuration information entered by the user is obtained; it at least comprises the firewall model, firewall information and the like, which is not limited in the embodiment of the application.
In the embodiment of the present application, after the attack group address information is determined, the blocking mode is chosen according to the blocking mode configuration information: when the blocking mode is bypass blocking, step S112 is performed; when the blocking mode is linkage blocking, step S113 is performed.
S112, when the blocking mode is bypass blocking, obtaining a blocking data packet, continuously sending the blocking data packet to the attacking end according to the attack group address information for the duration of the blocking time so as to cut off the communication connection with the attacking end, and ending the process.
In the embodiment of the application, when the blocking mode is bypass blocking, the blocking data packet is sent to the attacking end and the communication connection with the attacking end is cut off, so as to block the attack behavior of the attacking end.
In the embodiment of the application, for bypass blocking the user can also add a blocking whitelist, switch between manual and automatic modes, set the blocking time of a blocked IP, and the like, for flexible blocking.
In the embodiment of the application, sending the blocking data packet for bypass blocking integrates discovery and blocking of the attack IP: the two are tightly coupled, the attack IP can be blocked immediately after it is discovered, and the response time of existing methods is shortened to the millisecond level.
S113, when the blocking mode is linkage blocking, configuring the attack group address information into the linked firewall device so that the firewall device blocks the traffic corresponding to the attack group address information.
In the embodiment of the application, when the blocking mode is linkage blocking, the attack group address information is added to a device such as a firewall, which prevents subsequent attack behavior from the attacking end corresponding to the attack group address information.
In the embodiment of the present application, for linkage blocking the user may also flexibly configure whether to block, the blocking time, and the like.
In the embodiment of the application, the method integrates interface information for various firewalls, and the user can preconfigure a connection to the firewall already in use. When the firewall is later replaced with another type, only the configuration at that node needs to be modified, which overcomes the drawback of the prior art that a calling script had to be written specifically for each firewall.
According to the embodiment of the application, blocking is guaranteed as soon as the attack IP is found, that is, with a millisecond-level gap between discovery and blocking; blocking is performed promptly and effectively, preventing subsequent attack behavior of the attack IP. For linkage blocking, the user can block the attack IP and the group IPs more conveniently: the firewall can be connected for blocking simply by filling the firewall information into a page, with no manual blocking and no need to write and add a blocking script for the specific firewall.
In the embodiment of the present application, by performing steps S112 to S113, the traffic corresponding to the attack group address information is blocked.
It can be seen that, by implementing the traffic detection method described in this embodiment, when a network attack is detected, the discovered attacking host and its group can be blocked in real time, so as to maintain network security.
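The pipeline of steps S101 to S113 above, as an added example that is not the patent's or ThreatBook's code: a small Python model in which the filtering list, the traffic rules, the cloud intelligence records, the mirrored flows and the group labels that link addresses are all constructed for the illustration, and the bypass and linkage blocking modes are reduced to returned action records (no packets are sent and no firewall is called). It goes slightly beyond the text by also honoring the blocking whitelist mentioned under S112 and by rejecting an unknown blocking mode.

```python
"""Added example, not code from the patent or from ThreatBook: a compact model of
the staged pipeline of Example 1 (S101-S113). All addresses, rules and intelligence
records are constructed; blocking actions are returned as records, not executed."""
import re

# Preconfigured traffic filtering list (S102). Constructed, documentation ranges only.
FILTER_LIST = {"whitelist": {"192.0.2.10"}, "blacklist": {"198.51.100.5"}}

# Preset traffic rules for the rule engine (S105). Constructed signatures.
TRAFFIC_RULES = [
    ("sqli-union", re.compile(r"union\s+select", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]

# Preset cloud intelligence database (S107, S109). Constructed: maps an attack IP
# to the group it belongs to; the S109 query walks these group labels.
CLOUD_INTEL = {
    "203.0.113.7": "group-A", "203.0.113.8": "group-A",
    "198.51.100.5": "group-B", "198.51.100.6": "group-B",
}

# Constructed mirrored flows (S101): (source IP, destination IP, request summary).
MIRRORED_FLOWS = [
    ("192.0.2.10", "10.0.0.1", "GET /health"),
    ("198.51.100.5", "10.0.0.1", "POST /login"),
    ("203.0.113.9", "10.0.0.2", "GET /?q=1 UNION SELECT 1,2"),
    ("203.0.113.7", "10.0.0.2", "GET /index.html"),
    ("192.0.2.50", "10.0.0.3", "GET /about"),
]


def filter_traffic(flows, filter_list):
    """S102-S104: split into whitelist, blacklist and first processing traffic."""
    white, black, first = [], [], []
    for flow in flows:
        if flow[0] in filter_list["whitelist"]:
            white.append(flow)
        elif flow[0] in filter_list["blacklist"]:
            black.append(flow)
        else:
            first.append(flow)
    return white, black, first


def detect_attacks(first, rules):
    """S105-S106: rule engine over the first processing traffic -> (attack, second)."""
    attack, second = [], []
    for flow in first:
        hit = next((name for name, rx in rules if rx.search(flow[2])), None)
        if hit:
            attack.append((flow, hit))      # traffic with an attack, tagged by rule
        else:
            second.append(flow)             # second processing traffic
    return attack, second


def collide_with_intel(second, intel):
    """S107: collision comparison against the cloud intelligence database; a hit
    raises an alarm and becomes third processing traffic (tagged by group)."""
    third, clean = [], []
    for flow in second:
        if flow[0] in intel:
            third.append((flow, intel[flow[0]]))
        else:
            clean.append(flow)
    return third, clean


def attack_group_addresses(verdict, intel):
    """S108-S110: attack IPs of all three attack categories, expanded by every
    other IP the intelligence database places in the same group."""
    attack_ips = {f[0] for f in verdict["blacklist"]}
    attack_ips |= {f[0] for f, _ in verdict["attack"]} | {f[0] for f, _ in verdict["third"]}
    groups = {intel[ip] for ip in attack_ips if ip in intel}
    return attack_ips | {ip for ip, g in intel.items() if g in groups}


def blocking_plan(group_ips, config, now):
    """S111-S113: group address information -> blocking actions for the configured
    mode and blocking time (`now` is an integer epoch second)."""
    until = now + config["block_seconds"]
    plan = []
    for ip in sorted(group_ips):
        if ip in config.get("block_whitelist", set()):  # blocking whitelist (S112)
            continue
        if config["mode"] == "bypass":
            plan.append({"ip": ip, "action": "bypass-block", "until": until})
        elif config["mode"] == "linkage":
            plan.append({"ip": ip, "action": "firewall-rule",
                         "firewall": config["firewall"], "until": until})
        else:
            raise ValueError(f"unknown blocking mode {config['mode']!r}")
    return plan


def run_pipeline(flows, filter_list=FILTER_LIST, rules=TRAFFIC_RULES, intel=CLOUD_INTEL):
    """S101-S107 end to end; returns the traffic of each category."""
    white, black, first = filter_traffic(flows, filter_list)
    attack, second = detect_attacks(first, rules)
    third, clean = collide_with_intel(second, intel)
    return {"whitelist": white, "blacklist": black, "attack": attack,
            "third": third, "clean": clean}
```

Running `run_pipeline(MIRRORED_FLOWS)` on the constructed flows classifies one flow into each of the whitelist, blacklist, attack and third categories and leaves one clean; `attack_group_addresses` then grows the three attack IPs to five by pulling in the other members of group-A and group-B, and `blocking_plan` turns those five into time-limited actions. The point a defender should notice is the expansion step: the addresses that get blocked are only as trustworthy as the intelligence that groups them, which is why the blocking whitelist and the blocking time exist.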
Example 2
Please refer to fig. 2, which is a schematic structural diagram of a traffic detection device according to an embodiment of the present application. As shown in fig. 2, the traffic detection device includes:
a traffic acquisition unit 210, configured to acquire the traffic to be detected;
a first processing unit 220, configured to filter the traffic to be detected according to a preconfigured traffic filtering list to obtain first processing traffic and blacklist traffic;
a second processing unit 230, configured to perform network attack detection processing on the first processing traffic according to preset traffic rules to obtain second processing traffic in which no attack is detected and traffic in which an attack is present;
a third processing unit 240, configured to perform collision comparison of the second processing traffic against a preset cloud intelligence database to obtain third processing traffic that generates an alarm;
a group information obtaining unit 250, configured to obtain the attack group address information of the blacklist traffic, the third processing traffic and the traffic with an attack;
and a blocking unit 260, configured to block the traffic corresponding to the attack group address information.
As an alternative embodiment, the first processing unit 220 includes:
a first determining subunit 221, configured to determine the blacklist traffic and the whitelist traffic in the traffic to be detected according to the preconfigured traffic filtering list;
a second determining subunit 222, configured to determine the traffic in the traffic to be detected other than the blacklist traffic and the whitelist traffic as the first processing traffic;
and a pass-through subunit 223, configured to pass the whitelist traffic through directly and trigger the second processing unit 230 to perform network attack detection processing on the first processing traffic according to the preset traffic rules, so as to obtain the second processing traffic in which no attack is detected.
As an alternative embodiment, the second processing unit 230 includes:
an attack detection subunit 231, configured to perform network attack detection processing on the first processing traffic according to the preset traffic rules to obtain an attack detection result;
and a third determining subunit 232, configured to determine, according to the attack detection result, the traffic in the first processing traffic in which an attack is detected and the second processing traffic in which no attack is detected, and trigger the third processing unit 240 to perform collision comparison of the second processing traffic against the preset cloud intelligence database to obtain the third processing traffic that generates an alarm.
As an alternative embodiment, the group information obtaining unit 250 includes:
an extracting subunit 251, configured to extract the attack address information in the blacklist traffic, the third processing traffic and the traffic with an attack;
a query subunit 252, configured to query the cloud intelligence database for other attack address information associated with the attack address information;
and an aggregating subunit 253, configured to aggregate the attack address information and the other attack address information to obtain the attack group address information.
As an alternative embodiment, the blocking unit 260 includes:
an obtaining subunit 261, configured to obtain blocking processing configuration information, which at least includes a blocking mode and a blocking time;
and a blocking subunit 262, configured to, when the blocking mode is bypass blocking, obtain a blocking data packet and continuously send it to the attacking end according to the attack group address information for the duration of the blocking time so as to cut off the communication connection with the attacking end; and, when the blocking mode is linkage blocking, configure the attack group address information into the linked firewall device so that the firewall device blocks the traffic corresponding to the attack group address information.
In the embodiment of the application, the discovery and the blocking of the attack IP are automated and integrated, and the blocking operation can be immediately carried out after the attack is discovered. In addition, by utilizing cloud intelligence, a plurality of IP lists of the party to which the attack IP belongs can be obtained and blocked. Besides, various firewall interface information is integrated, after firewall information is simply input into the interface, the corresponding firewall interface can be selected to perform IP blocking operation, discovery and addition of attack IP are integrated into firewall blocking, millisecond time difference is achieved, and a script is not added by means of timing scanning.
For the explanation of the traffic detection device in this embodiment, reference may be made to the description in embodiment 1; the details are not repeated here.
It can be seen that, by implementing the traffic detection device described in this embodiment, when a network attack is detected, the discovered attacking host and the other hosts in its group can be blocked in real time, so as to maintain network security.
An embodiment of the present application provides an electronic device, which includes a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to cause the electronic device to execute the traffic detection method of embodiment 1 of the present application.
An embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions; when the computer program instructions are read and executed by a processor, the traffic detection method of embodiment 1 of the present application is performed.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (8)

1. A traffic detection method, comprising:
acquiring traffic to be detected;
filtering the traffic to be detected according to a preconfigured traffic filtering list to obtain first processing traffic and blacklist traffic;
performing network attack detection processing on the first processing traffic according to a preset traffic rule to obtain second processing traffic in which no attack is detected and traffic in which an attack is detected;
performing collision comparison on the second processing traffic according to a preset cloud intelligence database to obtain third processing traffic that generates an alarm;
acquiring attack group address information of the blacklist traffic, the third processing traffic and the traffic in which an attack is detected, and blocking the traffic corresponding to the attack group address information;
wherein performing network attack detection processing on the first processing traffic according to the preset traffic rule to obtain the second processing traffic in which no attack is detected and the traffic in which an attack is detected comprises:
performing network attack detection processing on the first processing traffic according to the preset traffic rule to obtain an attack detection result;
and determining, in the first processing traffic and according to the attack detection result, the traffic in which an attack is detected and the second processing traffic in which no attack is detected, and performing collision comparison on the second processing traffic according to the preset cloud intelligence database to obtain the third processing traffic that generates an alarm.
2. The traffic detection method according to claim 1, wherein filtering the traffic to be detected according to the preconfigured traffic filtering list to obtain the first processing traffic and the blacklist traffic comprises:
determining blacklist traffic and whitelist traffic in the traffic to be detected according to the preconfigured traffic filtering list;
determining the traffic in the traffic to be detected other than the blacklist traffic and the whitelist traffic as the first processing traffic;
and directly releasing the whitelist traffic, and performing the network attack detection processing on the first processing traffic according to the preset traffic rule to obtain the second processing traffic in which no attack is detected.
3. The traffic detection method according to claim 1, wherein acquiring the attack group address information of the blacklist traffic, the third processing traffic and the traffic in which an attack is detected comprises:
extracting attack address information from the blacklist traffic, the third processing traffic and the traffic in which an attack is detected;
querying the cloud intelligence database for other attack address information associated with the attack address information;
and collecting the attack address information and the other attack address information to obtain the attack group address information.
4. The traffic detection method according to claim 1, wherein blocking the traffic corresponding to the attack group address information comprises:
acquiring blocking processing configuration information, wherein the blocking processing configuration information at least comprises a blocking mode and blocking time;
when the blocking mode is bypass blocking, a blocking data packet is obtained, and the blocking data packet is continuously sent to an attack end according to the attack group address information within the blocking time so as to cut off the communication connection with the attack end;
and when the blocking mode is linkage blocking, configuring the attack group address information into linkage firewall equipment so that the firewall equipment blocks the flow corresponding to the attack group address information.
5. A traffic detection device, comprising:
a traffic acquisition unit, configured to acquire traffic to be detected;
a first processing unit, configured to filter the traffic to be detected according to a preconfigured traffic filtering list to obtain first processing traffic and blacklist traffic;
a second processing unit, configured to perform network attack detection processing on the first processing traffic according to a preset traffic rule to obtain second processing traffic in which no attack is detected and traffic in which an attack is detected;
a third processing unit, configured to perform collision comparison on the second processing traffic according to a preset cloud intelligence database to obtain third processing traffic that generates an alarm;
a group information obtaining unit, configured to obtain attack group address information of the blacklist traffic, the third processing traffic and the traffic in which an attack is detected;
a blocking unit, configured to block the traffic corresponding to the attack group address information;
wherein the second processing unit includes:
an attack detection subunit, configured to perform network attack detection processing on the first processing traffic according to the preset traffic rule to obtain an attack detection result;
and a third determining subunit, configured to determine, in the first processing traffic and according to the attack detection result, the traffic in which an attack is detected and the second processing traffic in which no attack is detected, and to trigger the third processing unit to perform the collision comparison on the second processing traffic according to the preset cloud intelligence database to obtain the third processing traffic that generates an alarm.
6. The traffic detection device according to claim 5, wherein the first processing unit includes:
a first determining subunit, configured to determine blacklist traffic and whitelist traffic in the traffic to be detected according to the preconfigured traffic filtering list;
a second determining subunit, configured to determine the traffic in the traffic to be detected other than the blacklist traffic and the whitelist traffic as the first processing traffic;
and a releasing subunit, configured to directly release the whitelist traffic, and to trigger the second processing unit to perform the network attack detection processing on the first processing traffic according to the preset traffic rule to obtain the second processing traffic in which no attack is detected.
7. An electronic device, comprising a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the traffic detection method of any one of claims 1 to 4.
8. A readable storage medium having stored thereon computer program instructions which, when read and executed by a processor, perform the traffic detection method of any one of claims 1 to 4.
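As an added example (not code from the patent or its assignee), the following Python sketch models the pipeline of claims 1 to 4 and of the blocking unit 260 described above: whitelist/blacklist filtering, rule-based attack detection, collision comparison against cloud intelligence, expansion of the attack addresses to their group, and selection of the blocking mode. The flows, rules, intelligence entries and blocking configuration are all constructed placeholders, and the sending of blocking packets and the firewall integration are represented only as returned actions.

```python
# Added example (not code from patent CN114006771B): a model of the claim 1-4
# pipeline. Flows, rules, intelligence and configuration are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source address of the traffic to be detected
    dst: str
    dport: int
    payload: str


# Constructed preconfigured traffic filtering list (claim 2).
WHITELIST = {"10.0.0.5"}
BLACKLIST = {"203.0.113.9"}
# Constructed preset traffic rules (claim 1): rule name -> payload signature.
RULES = {"sqli": "' OR 1=1", "webshell": "cmd.exe"}
# Constructed cloud intelligence database: known-bad addresses and the other
# addresses associated with each one (the "attack group" of claim 3).
INTEL_BAD = {"198.51.100.7"}
INTEL_GROUP = {"203.0.113.9": {"203.0.113.10"}, "198.51.100.7": {"198.51.100.8"}}


def classify(flows):
    """Split flows into (blacklist, attacked, third, released) per claims 1-2."""
    blacklist, attacked, third, released = [], [], [], []
    for f in flows:
        if f.src in WHITELIST:
            released.append(f)      # whitelist traffic is released directly
        elif f.src in BLACKLIST:
            blacklist.append(f)     # blacklist traffic skips detection
        elif any(sig in f.payload for sig in RULES.values()):
            attacked.append(f)      # first processing traffic hit a preset rule
        elif f.src in INTEL_BAD:
            third.append(f)         # second processing traffic collided with intel
        else:
            released.append(f)      # second processing traffic, no alarm
    return blacklist, attacked, third, released


def attack_group(blacklist, attacked, third):
    """Claim 3: extract attack addresses, query intel for associates, collect."""
    addrs = {f.src for f in blacklist + attacked + third}
    for a in list(addrs):
        addrs |= INTEL_GROUP.get(a, set())
    return addrs


def blocking_plan(addrs, config):
    """Claim 4: derive blocking actions from the blocking mode and time."""
    mode, seconds = config["mode"], config["seconds"]
    if mode == "bypass":
        # blocking packets are sent to each attack end repeatedly for the
        # blocking time; the sending itself is outside this model
        return [("send_blocking_packets", a, seconds) for a in sorted(addrs)]
    if mode == "linkage":
        # the group addresses are pushed to the linked firewall instead
        return [("firewall_block", a, seconds) for a in sorted(addrs)]
    raise ValueError("unknown blocking mode: " + mode)
```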
CN202111635844.XA 2021-12-30 2021-12-30 Flow detection method and device Active CN114006771B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111635844.XA CN114006771B (en) 2021-12-30 2021-12-30 Flow detection method and device

Publications (2)

Publication Number Publication Date
CN114006771A CN114006771A (en) 2022-02-01
CN114006771B true CN114006771B (en) 2022-03-29

Family

ID=79932140

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant