CN114124562A - Defense method, defense device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114124562A
Authority: CN (China)
Prior art keywords: message, fingerprint, byte data, protocol, dynamic fingerprint
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN202111460071.6A
Other languages: Chinese (zh)
Inventor: 闵波
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd; Hubei Topsec Network Security Technology Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd; Hubei Topsec Network Security Technology Co Ltd
Application filed by: Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd, Hubei Topsec Network Security Technology Co Ltd
Priority to: CN202111460071.6A
Publication of: CN114124562A


Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                        • H04L63/1441 Countermeasures against malicious traffic
                    • H04L63/16 Implementing security features at a particular protocol layer
                        • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
                • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
                    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
                        • H04L69/164 Adaptation or special uses of UDP protocol
                    • H04L69/22 Parsing or analysis of headers
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
                    • G06F16/90 Details of database functions independent of the retrieved data types
                        • G06F16/901 Indexing; Data structures therefor; Storage structures
                        • G06F16/903 Querying

Abstract

Embodiments of this application provide a defense method, a defense device, an electronic device and a storage medium in the technical field of network security. The method comprises: performing protocol analysis on received traffic to obtain an application layer protocol message; identifying the message with a preset static fingerprint library; and, if that identification fails, identifying the message with a preset dynamic fingerprint library so as to defend the traffic. Combining the static fingerprint with the dynamic fingerprint detects the message comprehensively, which improves detection accuracy and solves the low detection accuracy and incomplete detection of existing methods.

Description

Defense method, defense device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a defense method, an apparatus, an electronic device, and a storage medium.
Background
UDP (User Datagram Protocol) is a connectionless transport layer protocol that provides a simple, transaction-oriented, unreliable message delivery service. Because UDP is so widely used as a transport layer protocol, it is frequently the main target of attackers: an attacker forges large numbers of UDP packets against services on the internet, causing those services to deny service.
At present, common UDP flood defenses include active destination rate limiting, port checking, first-packet discard and the like, but these defenses are poorly targeted and have a poor defense effect, so attack packets may be wrongly cleaned or let through. For example, one approach inspects the body of a UDP packet and, when the body contains no data matching the protocol feature word of an application layer protocol, treats the packet as a DDoS attack packet and discards it.
Disclosure of Invention
An object of the embodiments of this application is to provide a defense method, an apparatus, an electronic device and a storage medium that combine a static fingerprint with a dynamic fingerprint to detect a packet comprehensively, thereby improving detection accuracy and solving the low detection accuracy and incomplete detection of existing methods.
An embodiment of this application provides a defense method comprising the following steps:
performing protocol analysis on the received traffic to obtain an application layer protocol message;
identifying the message with a preset static fingerprint library;
and, if that identification fails, identifying the message with a preset dynamic fingerprint library so as to defend the traffic.
In this implementation, the dynamic fingerprint and the static fingerprint are combined in a method for detecting UDP flood attacks, which improves the accuracy and efficiency of attack detection, solves the problem that an attack cannot be detected when the application layer of a UDP flood packet carries no protocol feature word or only an indistinct one, and improves defense precision.
Further, the method also comprises building the static fingerprint library:
extracting message features of standard application protocol messages, where the message features are the features common to all standard application protocol messages;
and generating a static protocol fingerprint library from the message features.
In this implementation, the static fingerprint of a standard application protocol message is formed from the distinct features that standard application protocol messages have in common.
Further, the method also comprises building the dynamic fingerprint library:
performing dynamic fingerprint learning on non-standard application protocol messages to generate the dynamic fingerprint library.
In this implementation, building a dynamic fingerprint library makes it possible to identify application layer protocols that have no distinct feature words.
Further, performing dynamic fingerprint learning on the non-standard application protocol message to generate the dynamic fingerprint library comprises:
extracting byte data from the non-standard application protocol message at the configured offset;
querying a Map data structure for the byte data;
if the byte data is present, incrementing its hit count by 1;
and if the hit count of the byte data exceeds a preset threshold, determining the byte data to be an effective fingerprint, incrementing the offset of the byte data by 1, and updating the current dynamic fingerprint library.
In this implementation, effective fingerprints are determined by counting message hits, and the dynamic fingerprint library is updated accordingly.
Further, performing dynamic fingerprint learning on the non-standard application protocol message to generate the dynamic fingerprint library further comprises:
if the byte data is not present in the Map data structure, judging whether the Map data structure has reached its preset capacity;
if not, storing the byte data in the Map data structure;
and if so, replacing the fingerprint data with the fewest hits in the Map data structure with the byte data.
In this implementation, the capacity of the Map data structure is bounded, which avoids the Map data structure suddenly expanding and exhausting memory when normal messages arrive.
An embodiment of this application further provides a defense apparatus comprising:
an analysis module for performing protocol analysis on the received traffic to obtain an application layer protocol message;
a first identification module for identifying the message with a preset static fingerprint library;
and a second identification module for identifying the message with a preset dynamic fingerprint library, if the first identification fails, so as to defend the traffic.
In this implementation, the dynamic fingerprint and the static fingerprint are combined in a method for detecting UDP flood attacks, which improves the accuracy and efficiency of attack detection, solves the problem that an attack cannot be detected when the application layer of a UDP flood packet carries no protocol feature word or only an indistinct one, and improves defense precision.
Further, the apparatus also comprises:
a feature extraction module for extracting message features of standard application protocol messages, where the message features are the features common to all standard application protocol messages;
and a static fingerprint library construction module for generating a static protocol fingerprint library from the message features.
In this implementation, the static fingerprint of a standard application protocol message is formed from the distinct features that standard application protocol messages have in common.
Further, the apparatus also comprises:
a dynamic fingerprint library construction module for performing dynamic fingerprint learning on non-standard application protocol messages to generate the dynamic fingerprint library.
In this implementation, building the dynamic fingerprint library makes it possible to identify application layer protocols that have no distinct feature words, so that message identification is more comprehensive and identification accuracy is improved.
An embodiment of the present application further provides an electronic device, where the electronic device includes a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the defense method described in any one of the above.
The embodiment of the present application further provides a readable storage medium, in which computer program instructions are stored, and when the computer program instructions are read and executed by a processor, the defense method of any one of the foregoing embodiments is executed.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of this application and should not be considered as limiting its scope, and that those skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a flowchart of a defense method according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of message identification according to an embodiment of the present application;
Fig. 3 is a flowchart of the construction of a static fingerprint library according to an embodiment of the present application;
Fig. 4 is a flowchart of the construction of a dynamic fingerprint library according to an embodiment of the present disclosure;
Fig. 5 is a flowchart of the generation of a dynamic fingerprint library according to an embodiment of the present disclosure;
Fig. 6 is a block diagram of a defense apparatus according to an embodiment of the present disclosure;
Fig. 7 is a block diagram of another defense apparatus according to an embodiment of the present disclosure.
Legend:
100 - analysis module; 200 - first identification module; 300 - second identification module; 401 - feature extraction module; 402 - static fingerprint library construction module; 500 - dynamic fingerprint library construction module.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Referring to Fig. 1, a flowchart of a defense method according to an embodiment of the present disclosure. The method can be applied to defending against UDP flood attacks in DDoS equipment. It detects UDP flood attacks by combining static fingerprints with dynamic fingerprints, which improves the accuracy and efficiency of attack detection. The method specifically comprises the following steps:
step S100: performing protocol analysis on the received traffic to obtain an application layer protocol message;
step S200: identifying the message with a preset static fingerprint library;
step S300: and, if that identification fails, identifying the message with a preset dynamic fingerprint library so as to defend the traffic.
Specifically, Fig. 2 shows the message identification flow. The protocol of traffic entering the traffic inlet is analyzed to determine whether it is UDP; if so, the UDP application layer protocol message is obtained and identified against the static protocol fingerprint library. If that identification fails, the dynamic fingerprint library is used for identification; if the dynamic identification also fails, the UDP application layer protocol message is discarded, and if it succeeds, the message is forwarded to the traffic outlet.
UDP messages do not always carry distinct feature words: some application layer protocols have no feature words, or only indistinct ones, and feature-word-based detection fails in those cases.
Therefore, dynamic fingerprint identification and static fingerprint identification are combined to detect UDP flood attacks, so that both standard application protocol messages and non-standard application layer protocol messages in UDP traffic can be detected; this makes the detection of UDP messages more comprehensive and improves its accuracy and efficiency.
The method also comprises constructing the static fingerprint library and the dynamic fingerprint library.
Fig. 3 shows the flow for constructing the static fingerprint library, which specifically comprises:
step S401: extracting message features of standard application protocol messages, where the message features are the features common to all standard application protocol messages;
step S402: and generating a static protocol fingerprint library from the message features.
First, the application protocols carried in UDP packets are classified. Common application protocols (standard application protocols) have quite clear specifications, and fingerprints can be abstracted from those specifications; such a fingerprint resembles a regular expression. It captures the features that every message of the protocol must contain, for example an enumerated set of values for the second byte, a fixed length of the second byte, a unique ID in the first byte, and certain fixed information. Because these features describe what standard application protocol messages have in common, they are collectively called static protocol fingerprints. A static fingerprint generator, which works like a code compiler, can produce them: it parses the protocol fields and emits code in various languages, and adding the generated code to the project realizes the identification function for that protocol; the details are not repeated here.
Fig. 4 shows the flow for constructing the dynamic fingerprint library, in which dynamic fingerprint learning is performed on non-standard application protocol packets to generate the library; it specifically comprises:
step S501: extracting byte data from the non-standard application protocol message at the configured offset;
step S502: querying a Map data structure for the byte data;
step S503: if the byte data is present, incrementing its hit count by 1;
step S504: if the hit count of the byte data exceeds a preset threshold, determining the byte data to be an effective fingerprint, incrementing the offset of the byte data by 1, and updating the current dynamic fingerprint library;
step S505: if the byte data is not present in the Map data structure, judging whether the Map data structure has reached its preset capacity;
step S506: if not, storing the byte data in the Map data structure;
step S507: and if so, replacing the fingerprint data with the fewest hits in the Map data structure with the byte data.
Fig. 5 shows the generation flow of the dynamic fingerprint library. A UDP application layer packet is sometimes not a common standard protocol but some custom protocol; all such protocols are non-standard application protocols, and dynamic fingerprint learning must be performed on their packets.
Dynamic fingerprint learning takes Y bytes of the current message starting X offsets from the first byte of the packet body and looks that byte data up in a Map data structure. If the byte data is already present, its hit count is incremented by one and compared with a preset threshold. Exceeding the threshold, for example N hits, indicates that the message carrying this byte data is abnormal (the same message is being sent repeatedly), so the message is discarded; at the same time it indicates that the byte data is an effective fingerprint, so the byte data is added to the dynamic fingerprint library, the current library is updated, and the offset X is incremented by one. This continues until the learned dynamic fingerprint reaches its optimum. The next time the same message is received it is discarded directly, which achieves the defense.
The optimal fingerprint is set as follows: when the offset X has grown to a value at which the number of hits of the corresponding byte data per unit time falls below the set threshold, the byte data with the length corresponding to the previous offset value (X-1) is taken as the optimal fingerprint. A fingerprint that is too short easily causes false cleaning, and one that is too long easily lets some attack traffic through.
If the byte data is not present in the Map data structure, it is stored there. The Map data structure is not expanded dynamically but bounded to K entries, because the instantaneous traffic of an attack is particularly large and an unbounded Map could exhaust memory. Therefore the Map records the entry with the fewest hits, and when a new message arrives it is first checked whether the Map has reached its preset capacity: if not, the byte data is stored in the Map and its hit count is set to 1; if the Map is full, the entry with the fewest hits is replaced by the byte data. This avoids the Map suddenly expanding and running out of memory when normal messages arrive, and since abnormal messages are generally sent continuously, identification remains efficient.
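As an added illustration (not the patent's own code), the following Python model implements the two-stage flow of Fig. 2 and the dynamic learning of steps S501 to S507: a static fingerprint expressed as a first-byte ID, an enumerated second byte and a fixed length; a Map bounded to K entries with least-hit replacement; a hit threshold N; and growth of the offset X until the window at the next offset no longer reaches N within one unit time, which the example models as a fixed number of observed packets. The class and function names, the parameters and the sample traffic are constructed assumptions, as is the choice to pass payloads that neither stage has yet identified while learning is in progress.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class StaticFingerprint:
    """Common traits of a standard protocol message (hypothetical protocol)."""
    name: str
    first_byte_id: int                  # unique ID carried in the first byte
    second_byte_values: FrozenSet[int]  # enumerated legal values of the second byte
    fixed_length: Optional[int]         # fixed message length, or None if variable

    def matches(self, payload: bytes) -> bool:
        if len(payload) < 2:
            return False
        if self.fixed_length is not None and len(payload) != self.fixed_length:
            return False
        return payload[0] == self.first_byte_id and payload[1] in self.second_byte_values


class DynamicFingerprintLearner:
    """Counts Y-byte windows at offset X of the packet body in a Map of at most K entries."""

    def __init__(self, window_len: int, capacity: int, threshold: int, epoch: int) -> None:
        self.y, self.k, self.n = window_len, capacity, threshold
        self.epoch = epoch              # packets per "unit time" (assumption of this model)
        self.x = 0                      # current learning offset X
        self.frozen = False             # set once the optimal fingerprint length is reached
        self.table: Dict[bytes, int] = {}
        self.seen_at_offset = 0
        self.fingerprints: List[Tuple[int, bytes]] = []   # confirmed (offset, bytes)

    def matches_chain(self, payload: bytes) -> bool:
        """True when every confirmed window is present at its offset."""
        return bool(self.fingerprints) and all(
            payload[off:off + len(w)] == w for off, w in self.fingerprints)

    def learned_fingerprint(self) -> bytes:
        """Merge the overlapping per-offset windows into one contiguous pattern."""
        buf = bytearray()
        for off, w in self.fingerprints:
            buf[off:off + len(w)] = w
        return bytes(buf)

    def observe(self, payload: bytes) -> str:
        """Update the learner with one payload and return 'drop' or 'pass'."""
        verdict = "drop" if self.matches_chain(payload) else "pass"
        if self.frozen or (self.fingerprints and verdict == "pass"):
            return verdict              # learning finished, or unrelated to the pattern
        if len(payload) < self.x + self.y:
            return verdict              # too short for the current offset
        w = payload[self.x:self.x + self.y]
        self.seen_at_offset += 1
        if w in self.table:                            # S503: count the hit
            self.table[w] += 1
            if self.table[w] > self.n:                 # S504: effective fingerprint
                self.fingerprints.append((self.x, w))
                self.x += 1                            # extend by one byte next
                self.table.clear()
                self.seen_at_offset = 0
                return "drop"
        elif len(self.table) < self.k:                 # S506: room left in the Map
            self.table[w] = 1
        else:                                          # S507: evict the least-hit entry
            victim = min(self.table, key=self.table.__getitem__)
            del self.table[victim]
            self.table[w] = 1
        if self.seen_at_offset >= self.epoch:          # one unit time has elapsed
            if self.fingerprints:
                self.frozen, self.x = True, self.x - 1 # hits stayed below N: X-1 is optimal
            else:
                self.table.clear()                     # nothing learned yet: start over
            self.seen_at_offset = 0
        return verdict


def classify(payload: bytes, static_lib: List[StaticFingerprint],
             learner: DynamicFingerprintLearner) -> str:
    """Fig. 2 order: static identification first, dynamic stage only on a miss."""
    if any(fp.matches(payload) for fp in static_lib):
        return "pass"
    return learner.observe(payload)


def run_demo():
    """Constructed traffic: a standard message, varied unknown payloads, and a flood
    whose first 12 bytes repeat while the last 4 change."""
    static_lib = [StaticFingerprint("demo-proto", 0x7A, frozenset({0x01, 0x02}), 8)]
    learner = DynamicFingerprintLearner(window_len=4, capacity=8, threshold=3, epoch=20)
    legit = bytes([0x7A, 0x01, 0, 0, 0, 0, 0, 1])
    flood = [b"FLOOD-HDR-V1" + i.to_bytes(4, "little") for i in range(60)]
    results = {"legit": [], "unknown": [], "flood": []}
    for i, pkt in enumerate(flood):
        results["flood"].append(classify(pkt, static_lib, learner))
        if i % 6 == 0:                  # interleave benign traffic with the flood
            results["legit"].append(classify(legit, static_lib, learner))
            unknown = b"hello-%03d-varying" % (i // 6)
            results["unknown"].append(classify(unknown, static_lib, learner))
    return results, learner


if __name__ == "__main__":
    res, lrn = run_demo()
    print(res["flood"].count("drop"), "of 60 flood packets dropped;",
          "learned fingerprint:", lrn.learned_fingerprint(), "frozen at X =", lrn.x)
```

With threshold N=3 each offset needs four identical windows before it is confirmed, so the first three flood packets pass and every later one is dropped, while the learner grows the fingerprint to the 12 repeating bytes and stops once the varying tail keeps the next offset below the threshold.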
This application combines the dynamic fingerprint with the static fingerprint and provides a UDP flood detection method based on that combination. It improves the accuracy and efficiency of attack detection and defends both standard and non-standard application protocol messages, so that the defense of messages is more comprehensive and the efficiency of detecting and identifying protocol messages improves. It solves the problem that an attack cannot be detected when the application layer of a UDP flood packet carries no protocol feature word or only an indistinct one, improves the precision of UDP flood defense, and avoids false cleaning of traffic.
An embodiment of the present application further provides a defense apparatus, as shown in fig. 6, which is a block diagram of the defense apparatus, and the apparatus includes but is not limited to:
the analysis module 100 is configured to perform protocol analysis on the received traffic to obtain an application layer protocol packet;
a first identification module 200, configured to identify the packet by using a preset static fingerprint library;
and a second identification module 300, configured to, if the identification is unsuccessful, perform identification using a preset dynamic fingerprint library to defend the traffic.
Exemplarily, as shown in fig. 7, a block diagram of another defense apparatus provided in an embodiment of the present application is further provided, where the apparatus further includes:
a feature extraction module 401, configured to extract a message feature of a standard application protocol message, where the message feature is a common feature of all standard application protocol messages;
a static fingerprint database constructing module 402, configured to generate a static protocol fingerprint database by using the message characteristics.
The device also includes:
the dynamic fingerprint library constructing module 500 is configured to perform dynamic fingerprint learning on the non-standard application protocol packet to generate a dynamic fingerprint library, and specifically includes:
intercepting byte data of the nonstandard application protocol message according to the configured offset;
querying a Map data structure for the presence of the byte data;
if yes, adding 1 to the hit frequency of the byte data;
if the hit times of the byte data exceed a preset threshold, determining the byte data as an effective fingerprint, adding 1 to the offset of the byte data, and updating the current dynamic fingerprint database;
if the byte data does not exist in the Map data structure, judging whether the capacity of the Map data structure reaches the preset capacity or not;
if not, storing the byte data into a Map data structure;
and if so, replacing the fingerprint data with the least hit times in the Map data structure with the byte data.
Combining the dynamic fingerprint with the static fingerprint in the UDP flood detection method improves the accuracy and efficiency of attack detection, solves the problem that an attack cannot be detected when the application layer of a UDP flood packet carries no protocol feature word or only an indistinct one, and improves defense precision.
The embodiment of the present application further provides an electronic device, where the electronic device includes a memory and a processor, the memory is used for storing a computer program, and the processor runs the computer program to make the electronic device execute the defense method described above.
The embodiment of the present application further provides a readable storage medium, in which computer program instructions are stored, and when the computer program instructions are read and executed by a processor, the defense method is executed.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A defense method, the method comprising:
carrying out protocol analysis on the received flow to obtain an application layer protocol message;
identifying the message by using a preset static fingerprint library;
and if the identification is unsuccessful, utilizing a preset dynamic fingerprint library for identification so as to defend the flow.
2. The defense method of claim 1, further comprising building a library of static fingerprints:
extracting message characteristics of standard application protocol messages, wherein the message characteristics are common characteristics of all standard application protocol messages;
and generating a static protocol fingerprint database by using the message characteristics.
3. The defense method of claim 1, further comprising establishing a dynamic fingerprint library:
and performing dynamic fingerprint learning on the non-standard application protocol message to generate a dynamic fingerprint library.
4. The defense method according to claim 3, wherein the dynamic fingerprint learning for the non-standard application protocol to generate a dynamic fingerprint library comprises:
intercepting byte data of the nonstandard application protocol message according to the configured offset;
querying a Map data structure for the presence of the byte data;
if yes, adding 1 to the hit frequency of the byte data;
and if the hit times of the byte data exceed a preset threshold, determining the byte data as an effective fingerprint, adding 1 to the offset of the byte data, and updating the current dynamic fingerprint database.
5. The defense method according to claim 4, wherein the dynamic fingerprint learning for the non-standard application protocol to generate a dynamic fingerprint library further comprises:
if the byte data does not exist in the Map data structure, judging whether the capacity of the Map data structure reaches the preset capacity or not;
if not, storing the byte data into a Map data structure;
and if so, replacing the fingerprint data with the least hit times in the Map data structure with the byte data.
6. A defence apparatus, characterized in that it comprises:
the analysis module is used for carrying out protocol analysis on the received flow to obtain an application layer protocol message;
the first identification module is used for identifying the message by utilizing a preset static fingerprint library;
and the second identification module is used for identifying by using a preset dynamic fingerprint library if the identification is unsuccessful so as to defend the flow.
7. The defence device of claim 6, wherein the device further includes:
the characteristic extraction module is used for extracting message characteristics of the standard application protocol messages, wherein the message characteristics are common characteristics of all the standard application protocol messages;
and the static fingerprint database construction module is used for generating a static protocol fingerprint database by utilizing the message characteristics.
8. The defence device of claim 6, wherein the device further includes:
and the dynamic fingerprint database construction module is used for performing dynamic fingerprint learning on the non-standard application protocol message to generate a dynamic fingerprint database.
9. An electronic device, characterized in that the electronic device comprises a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the defense method according to any one of claims 1 to 5.
10. A readable storage medium having stored thereon computer program instructions which, when read and executed by a processor, perform the defence method of any one of claims 1 to 5.
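Claims 1, 4 and 5 together describe a concrete procedure: static fingerprint lookup first, dynamic lookup on a miss, and a hit-counted, capacity-bounded Map that promotes byte data to an effective fingerprint once its hit count passes a threshold. The following Python is an added illustration of that procedure, not code from the patent or its assignee; the window width, the initial hit count of a new entry, the removal of an entry on promotion, and the reading of "offset + 1" as advancing the learner to the next byte position are assumptions, since the claims do not fix them.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    hits: int = 1          # assumption: first sighting counts as one hit
    offset: int = 0        # offset at which this byte data was intercepted


class DynamicFingerprintLearner:
    # Dynamic fingerprint learning for non-standard protocol messages (claims 4 and 5).
    def __init__(self, offset=0, length=4, threshold=3, capacity=8):
        self.offset = offset          # configured offset (claim 4)
        self.length = length          # window width; assumption, not fixed by the claims
        self.threshold = threshold    # preset hit-count threshold (claim 4)
        self.capacity = capacity      # preset Map capacity (claim 5)
        self.map = {}                 # the "Map data structure": byte data -> Entry
        self.library = set()          # current dynamic fingerprint library: (offset, bytes)

    def learn(self, message: bytes) -> bool:
        # Returns True when this message promoted its byte data to an effective fingerprint.
        data = message[self.offset:self.offset + self.length]
        if len(data) < self.length:
            return False              # too short to intercept a full window; ignore
        entry = self.map.get(data)
        if entry is None:             # claim 5: not present -> check capacity first
            if len(self.map) >= self.capacity:
                victim = min(self.map, key=lambda k: self.map[k].hits)
                del self.map[victim]  # replace the least-hit fingerprint data
            self.map[data] = Entry(offset=self.offset)
            return False
        entry.hits += 1               # claim 4: present -> hit count + 1
        if entry.hits > self.threshold:
            self.library.add((entry.offset, data))   # effective fingerprint
            del self.map[data]        # assumption: promoted data leaves the Map
            self.offset += 1          # "offset + 1": learn the next byte position (our reading)
            return True
        return False


def identify(message: bytes, static_library: set, learner: DynamicFingerprintLearner) -> str:
    # Claim 1: try the static fingerprint library, then the dynamic library on a miss.
    if any(message.startswith(fp) for fp in static_library):
        return "static"
    if any(message[off:off + len(fp)] == fp for off, fp in learner.library):
        return "dynamic"
    learner.learn(message)            # non-standard message: feed it to dynamic learning
    return "unknown"
```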

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111460071.6A CN114124562A (en) 2021-12-02 2021-12-02 Defense method, defense device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114124562A true CN114124562A (en) 2022-03-01

Family

ID=80366311

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020129167A1 (en) * 2001-03-12 2002-09-12 Kabushiki Kaisha Toshiba Data transfer scheme using caching technique for reducing network load
CN1845066A (en) * 2006-05-16 2006-10-11 北京启明星辰信息技术有限公司 Automatic protocol recognition method and system
CN101599976A (en) * 2009-07-10 2009-12-09 成都市华为赛门铁克科技有限公司 The method and apparatus of filtering user datagram protocol data packet
CN107404459A (en) * 2016-05-19 2017-11-28 华为技术有限公司 Obtain the method and the network equipment of the fingerprint characteristic of network attack message
KR101896267B1 (en) * 2017-09-28 2018-09-10 큐비트시큐리티 주식회사 System and method for detecting attack based on real-time log analysis
US20210029113A1 (en) * 2019-07-24 2021-01-28 Konica Minolta, Inc. Authentication system, assistance server and non-transitory computer-readable recording medium encoded with assistance program
CN112559824A (en) * 2020-12-24 2021-03-26 北京嘀嘀无限科技发展有限公司 Message processing method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination