CN115051847A - Method and device for determining attack level of denial of service attack and electronic equipment - Google Patents

Info

Publication number
CN115051847A
Authority
CN
China
Prior art keywords
attack
time period
network
rate
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210640737.4A
Other languages
Chinese (zh)
Other versions
CN115051847B (en)
Inventor
卢凯
高宇
李维皓
刘桐菊
李翔
李正
朱广宇
赵蕾
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
6th Research Institute of China Electronics Corp
Original Assignee
6th Research Institute of China Electronics Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 6th Research Institute of China Electronics Corp filed Critical 6th Research Institute of China Electronics Corp
Priority to CN202210640737.4A priority Critical patent/CN115051847B/en
Publication of CN115051847A publication Critical patent/CN115051847A/en
Application granted granted Critical
Publication of CN115051847B publication Critical patent/CN115051847B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823 Errors, e.g. transmission errors
    • H04L43/0829 Packet loss
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0894 Packet rate
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method, a device and electronic equipment for determining the attack level of a denial of service attack. The method comprises: periodically acquiring utilization rate data of a plurality of computing resources of a target host in a stable service state; determining the attack start time and the attack end time of the denial of service attack on the target host according to the utilization rate data; determining evaluation values of a plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the pre-attack time period and the utilization rate data of the computing resources in the attack time period; and, for each target computing resource, determining the attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource. With the method and the device, the attack level of a denial of service attack on the target host can be determined accurately.

Description

Method and device for determining attack level of denial of service attack and electronic equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for determining an attack level of a denial of service attack, and an electronic device.
Background
Denial of service attacks are one of the major challenges facing the field of network security today. A denial of service attack is an attack in which an attacker targets different layers of the network protocol stack so that the target machine cannot provide services to its clients normally. With the rapid development of internet technology, network security has become particularly important. Providing a scheme for determining the attack level of a denial of service attack is therefore of great significance for coping with such attacks, and can provide an important basis for subsequently building a more accurate and effective security defense system.
Existing methods for determining the attack level of a denial of service attack generally analyze a single computing resource in order to determine the attack level on the target host, for example by analyzing only how the CPU resource is attacked. The attack level determined in this way is not accurate enough, so a security defense system built on that attack level is not accurate enough either.
Disclosure of Invention
In view of this, an object of the present application is to provide a method, an apparatus, and an electronic device for determining the attack level of a denial of service attack, in which evaluation values of a plurality of target computing resources are determined according to utilization rate data of the plurality of computing resources, an attack level evaluation value of the denial of service attack on the target host is determined according to the evaluation values of the plurality of target computing resources, and the attack level of the denial of service attack on the target host is determined according to the attack level evaluation value. In this way, the attack level of a denial of service attack on the target host can be determined accurately.
In a first aspect, an embodiment of the present application provides a method for determining an attack level of a denial of service attack, where the method includes:
periodically acquiring utilization rate data of a plurality of computing resources of a target host under a stable service state condition;
determining attack starting time and attack ending time of the target host under the denial of service attack according to the utilization rate data;
determining evaluation values of a plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the time period before the attack and the utilization rate data of the computing resources in the time period during the attack; wherein the time period before the attack is a time period between the time when the target host reaches a stable service state and the attack starting time; the attack time period is a time period between the attack starting time and the attack ending time;
and, for each target computing resource, determining the attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource.
Optionally, the utilization data includes: CPU occupancy rate, memory occupancy rate, network uploading rate, network downloading rate, network bandwidth, network packet loss rate and disk reading and writing speed; the target computing resource includes: CPU resources, memory resources, network resources, and database resources.
Optionally, the determining, according to the utilization data, an attack start time at which the target host is attacked by the denial of service attack includes:
for each acquisition point, determining a first sliding mean value of CPU occupancy rates corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000021
wherein $l_1$ is the length of the first sliding window, and $r_{cpu,i}$ is the CPU occupancy rate corresponding to the i-th acquisition point in the first sliding window;
for each acquisition point, determining a first sliding mean value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000031
wherein $l_1$ is the length of the first sliding window, and $r_{mem,i}$ is the memory occupancy rate corresponding to the i-th acquisition point in the first sliding window;
for each acquisition point, determining a second sliding mean value of the CPU occupancy rate corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000032
wherein $l_2$ is the length of the second sliding window;
for each acquisition point, determining a second sliding mean value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000033
determining whether the second sliding mean value of the CPU occupancy rate or the second sliding mean value of the memory occupancy rate corresponding to the acquisition point is greater than a first preset threshold value;
and if the second sliding mean value of the CPU occupancy rate corresponding to the acquisition point is greater than the first preset threshold value and/or the second sliding mean value of the memory occupancy rate corresponding to the acquisition point is greater than the first preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack starting time of the denial of service attack on the target host.
Optionally, the determining, according to the utilization data, an attack end time at which the target host is attacked by the denial of service attack includes:
determining whether the second sliding mean value of the CPU occupancy rate or the second sliding mean value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value;
and if the second sliding mean value of the CPU occupancy rate corresponding to the acquisition point is smaller than the second preset threshold value and/or the second sliding mean value of the memory occupancy rate corresponding to the acquisition point is smaller than the second preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack ending time of the denial of service attack on the target host.
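The start and end detection described above can be sketched as follows. This is an added example, not code from the patent: because the formula images are missing from the page, it assumes trailing windows and takes the second sliding mean to be the mean of the last l2 first-sliding-mean values; the sample series, window lengths and thresholds are constructed.

```python
from collections import deque
from statistics import fmean


def double_sliding_mean(samples, l1, l2):
    """Second sliding mean for every acquisition point.

    First sliding mean: mean of the last l1 raw samples.
    Second sliding mean: mean of the last l2 first-sliding-mean values
    (assumed form; the patent's formula images are not on the page).
    Points that do not yet have full windows yield None.
    """
    raw, first = deque(maxlen=l1), deque(maxlen=l2)
    smoothed = []
    for value in samples:
        raw.append(value)
        if len(raw) < l1:
            smoothed.append(None)
            continue
        first.append(fmean(raw))
        smoothed.append(fmean(first) if len(first) == l2 else None)
    return smoothed


def find_attack_window(times, cpu, mem, l1, l2, start_thr, end_thr):
    """Return (attack_start, attack_end) acquisition times, or None if not seen.

    Start: CPU or memory second sliding mean exceeds start_thr.
    End: the page allows "and/or"; this sketch requires both series to be
    below end_thr, so an idle memory series cannot end a CPU-only attack
    one sample after it was detected.
    """
    cpu_s = double_sliding_mean(cpu, l1, l2)
    mem_s = double_sliding_mean(mem, l1, l2)
    start = end = None
    for t, c, m in zip(times, cpu_s, mem_s):
        if c is None or m is None:
            continue  # windows not filled yet
        if start is None:
            if c > start_thr or m > start_thr:
                start = t
        elif c < end_thr and m < end_thr:
            end = t
            break
    return start, end


# Constructed data: one sample per second, CPU flood from t=10 to t=19.
TIMES = list(range(30))
CPU = [20] * 10 + [90] * 10 + [20] * 10   # CPU occupancy, percent
MEM = [25] * 30                           # memory occupancy, percent

if __name__ == "__main__":
    print(find_attack_window(TIMES, CPU, MEM, l1=3, l2=2,
                             start_thr=60, end_thr=30))
```

On this data the detected window lags the constructed one (start 12 instead of 10, end 23 instead of 20); longer windows suppress short spikes at the cost of more lag in both boundaries.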
Optionally, when the target computing resource is a CPU resource, the determining evaluation values of a plurality of target computing resources on the target host according to the utilization data of the computing resources in the pre-attack time period and the utilization data of the computing resources in the attack time period includes:
determining the average occupancy rate of the CPU and the maximum occupancy rate of the CPU in a time period before attack;
determining the average occupancy rate of the CPU in the attack time period, the maximum occupancy rate of the CPU and the time consumed for reaching the maximum occupancy rate of the CPU from the attack starting time;
determining the difference value between the average occupancy rate of the CPU in the time period before the attack and the average occupancy rate of the CPU in the time period during the attack as the average occupancy rate consumption value of the CPU;
determining the difference value between the maximum occupancy rate of the CPU in the time period before the attack and the maximum occupancy rate of the CPU in the time period during the attack as the maximum occupancy rate consumption value of the CPU;
and determining the consumption value of the CPU resource according to the average occupancy rate consumption value of the CPU, the maximum occupancy rate consumption value of the CPU and the consumed time, and taking the consumption value of the CPU resource as the evaluation value of the CPU resource.
Optionally, when the target computing resource is a database resource, determining the evaluation values of the plurality of target computing resources on the target host according to the utilization data of the computing resources in the pre-attack time period and the utilization data of the computing resources in the attack time period includes:
determining the average value of the disk read-write speed and the maximum value of the disk read-write speed in a time period before attack;
determining the use value of the database resources in the time period before the attack according to the average value of the disk read-write speed in the time period before the attack and the average value of the CPU occupancy rate in the time period before the attack;
determining the difference value between the maximum value of the disk read-write speed in the time period before the attack and the maximum value of the CPU occupancy rate in the time period before the attack as the loss value of the database resources in the time period before the attack;
determining the average value of the disk read-write speed and the maximum value of the disk read-write speed in the attack time period;
determining the use value of the database resources in the attack time period according to the average value of the disk read-write speed in the attack time period and the average value of the CPU occupancy rate in the attack time period;
determining the difference value between the maximum value of the reading and writing speed of the magnetic disk in the attack time period and the maximum value of the CPU occupancy rate in the attack time period as the loss value of the database resources in the attack time period;
and determining the consumption value of the database resource according to the use value of the database resource in the time period before the attack, the use value of the database resource in the time period during the attack, the loss value of the database resource in the time period before the attack and the loss value of the database resource in the time period during the attack, and taking the consumption value of the database resource as the evaluation value of the database resource.
Optionally, when the target computing resource is a memory resource, the determining evaluation values of a plurality of target computing resources on the target host according to the utilization data of the computing resources in the pre-attack time period and the utilization data of the computing resources in the attack time period includes:
determining the average occupancy rate of the memory and the maximum occupancy rate of the memory in a time period before attack;
determining the average occupancy rate of the memory in the attack time period, the maximum occupancy rate of the memory and the time consumed for reaching the maximum occupancy rate of the memory from the attack starting time;
determining the difference value between the average occupancy rate of the memory in the time period before the attack and the average occupancy rate of the memory in the time period during the attack as the average occupancy rate consumption value of the memory;
determining the difference value between the maximum occupancy rate of the memory in the time period before the attack and the maximum occupancy rate of the memory in the time period during the attack as the maximum occupancy rate consumption value of the memory;
and determining the consumption value of the memory resource according to the average occupancy rate consumption value of the memory, the maximum occupancy rate consumption value of the memory and the consumed time, and taking the consumption value of the memory resource as the evaluation value of the memory resource.
Optionally, when the target computing resource is a network resource, the determining evaluation values of a plurality of target computing resources on the target host according to the utilization data of the computing resources in the pre-attack time period and the utilization data of the computing resources in the attack time period includes:
determining an average network occupancy consumption value according to the network uploading rate, the network downloading rate, the network bandwidth in the time period before the attack, the network uploading rate, the network downloading rate and the network bandwidth in the time period during the attack;
determining a consumption value of the maximum occupancy rate of the network according to the maximum transmission rate of the network in the time period before the attack, the network bandwidth, the maximum transmission rate of the network in the time period during the attack and the network bandwidth;
determining a network average packet loss rate consumption value according to the network packet loss rate in the time period before the attack and the network packet loss rate in the time period during the attack;
determining a consumption value of the maximum packet loss rate of the network according to the maximum packet loss rate of the network in the time period before the attack and the maximum packet loss rate of the network in the time period during the attack;
determining a blocking value of the network resource according to the network occupancy consumption value, the network maximum occupancy consumption value, the network packet loss rate consumption value and the network maximum packet loss rate consumption value, and taking the blocking value of the network resource as an evaluation value of the network resource.
Optionally, the determining the average network occupancy consumption value according to the network upload rate, the network download rate, the network bandwidth in the pre-attack time period, the network upload rate, the network download rate, and the network bandwidth in the attack time period includes:
determining the average network occupancy rate in the time period before attack according to the network uploading rate, the network downloading rate and the network bandwidth in the time period before attack;
determining the average network occupancy rate in the attack time period according to the network uploading rate, the network downloading rate and the network bandwidth in the attack time period;
determining the difference value of the average network occupancy in the time period before the attack and the average network occupancy in the time period during the attack as the consumption value of the average network occupancy.
Optionally, the determining a maximum occupancy consumption value of the network according to the maximum transmission rate of the network in the pre-attack time period, the network bandwidth, the maximum transmission rate of the network in the attack time period, and the network bandwidth includes:
determining the maximum occupation rate of the network in the time period before attack according to the maximum transmission rate and the network bandwidth of the network in the time period before attack; the maximum network transmission rate in the time period before attack is the maximum rate of the network uploading rate and the network downloading rate in the time period before attack;
determining the maximum occupation rate of the network in the attack time period according to the maximum transmission rate and the network bandwidth of the network in the attack time period; the maximum network transmission rate in the attack time period is the maximum rate of the network uploading rate and the network downloading rate in the attack time period;
and determining the difference value of the maximum occupancy rate of the network in the time period before the attack and the maximum occupancy rate of the network in the time period during the attack as the maximum occupancy consumption value of the network.
Optionally, the determining, according to the network packet loss rate in the pre-attack time period and the network packet loss rate in the attack time period, an average packet loss rate consumption value of the network includes:
determining the average packet loss rate of the network in the time period before the attack according to the network packet loss rate in the time period before the attack;
determining the average packet loss rate of the network in the attack time period according to the network packet loss rate in the attack time period;
determining the difference value between the average packet loss rate of the network in the time period before the attack and the average packet loss rate of the network in the time period during the attack as the average packet loss rate consumption value of the network;
the determining the maximum packet loss rate consumption value of the network according to the maximum packet loss rate of the network in the time period before the attack and the maximum packet loss rate of the network in the time period during the attack includes:
determining the maximum packet loss rate of the network in the time period before the attack and the maximum packet loss rate of the network in the time period during the attack;
and determining the difference value of the maximum packet loss rate of the network in the time period before the attack and the maximum packet loss rate of the network in the time period during the attack as the consumption value of the maximum packet loss rate of the network.
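The four network consumption values described above can be computed as in the following added example, which is not code from the patent. The page does not give the occupancy formulas or the sign of the differences, so the example assumes average occupancy = (upload + download) / bandwidth, maximum occupancy = max(upload, download) / bandwidth, and difference = attack period minus pre-attack period; the samples and field names are constructed.

```python
from statistics import fmean

# Constructed samples collected after the host reached a stable service state:
# t in seconds, rates and bandwidth in Mbit/s, loss as a fraction of packets.
SAMPLES = [
    {"t": 0, "up": 10, "down": 20, "bw": 100, "loss": 0.01},
    {"t": 1, "up": 10, "down": 30, "bw": 100, "loss": 0.03},
    {"t": 2, "up": 5, "down": 85, "bw": 100, "loss": 0.20},
    {"t": 3, "up": 5, "down": 95, "bw": 100, "loss": 0.40},
    {"t": 4, "up": 10, "down": 20, "bw": 100, "loss": 0.01},
]


def period_stats(period):
    """Per-period network statistics used by the four consumption values."""
    # Assumed formula: share of the bandwidth used by upload plus download.
    occupancy = [(s["up"] + s["down"]) / s["bw"] for s in period]
    # Maximum transmission rate is the larger of upload and download (per the
    # page); dividing it by the bandwidth is an assumption.
    peak = [max(s["up"], s["down"]) / s["bw"] for s in period]
    loss = [s["loss"] for s in period]
    return {
        "avg_occupancy": fmean(occupancy),
        "max_occupancy": max(peak),
        "avg_loss": fmean(loss),
        "max_loss": max(loss),
    }


def network_consumption(samples, attack_start, attack_end):
    """Consumption values: attack-period statistic minus pre-attack statistic.

    Pre-attack period: samples before attack_start.
    Attack period: samples from attack_start to attack_end inclusive.
    """
    pre = [s for s in samples if s["t"] < attack_start]
    attack = [s for s in samples if attack_start <= s["t"] <= attack_end]
    if not pre or not attack:
        raise ValueError("both periods need at least one sample")
    before, during = period_stats(pre), period_stats(attack)
    return {name: during[name] - before[name] for name in before}


if __name__ == "__main__":
    for name, value in network_consumption(SAMPLES, 2, 3).items():
        print(f"{name}: {value:.2f}")
```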
Optionally, the determining, for each target computing resource, an attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource includes:
for each target computing resource, determining an attack level evaluation value of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource;
and determining the attack level of the attack of the denial of service attack on the target host according to the attack level evaluation value.
In a second aspect, an embodiment of the present application provides an apparatus for determining an attack level of a denial of service attack, where the apparatus includes:
the monitoring module is used for periodically acquiring utilization rate data of a plurality of computing resources of the target host under the condition of a stable service state;
the determining module is used for determining the attack starting time and the attack ending time of the target host under the denial of service attack according to the utilization rate data;
the computing module is used for determining evaluation values of a plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the time period before the attack and the utilization rate data of the computing resources in the time period during the attack; wherein the time period before the attack is a time period between the time when the target host reaches a stable service state and the attack starting time; the attack time period is a time period between the attack starting time and the attack ending time;
and the evaluation module is used for determining the attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource aiming at each target computing resource.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is operating, the processor executing the machine-readable instructions to perform the steps of the method of determining a level of attack of a denial of service attack according to any of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, performs the steps of the method for determining a denial of service attack level according to any one of the first aspect.
With the method, the device and the electronic equipment for determining the attack level of a denial of service attack provided by the embodiments of the present application, the evaluation values of a plurality of target computing resources are determined according to the utilization rate data of the plurality of computing resources, the attack level evaluation value of the denial of service attack on the target host is determined according to the evaluation values of the plurality of target computing resources, and the attack level of the denial of service attack on the target host is determined according to the attack level evaluation value. In this way, the attack level of a denial of service attack on the target host can be determined accurately.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
FIG. 1 is a flow chart illustrating a method for determining a level of attack of a denial of service attack according to an embodiment of the present application;
FIG. 2 is a flowchart illustrating a step of determining an evaluation value of a CPU resource according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating steps of determining an evaluation value of a database resource according to an embodiment of the present application;
FIG. 4 is a flowchart illustrating a step of determining an evaluation value of a memory resource according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating a step of determining an evaluation value of a network resource according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram illustrating an apparatus for determining an attack level of a denial of service attack according to an embodiment of the present application;
FIG. 7 shows a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. Every other embodiment that can be obtained by a person skilled in the art without making creative efforts based on the embodiments of the present application falls within the protection scope of the present application.
Prior to the present application, existing methods for determining the attack level of a denial of service attack generally analyzed a single computing resource in order to determine the attack level on the target host, for example by analyzing only how the CPU resource is attacked. The attack level determined in this way is not accurate enough, so a security defense system built on that attack level is not accurate enough either. Based on this, the embodiments of the present application provide a method and a device for determining the attack level of a denial of service attack, and an electronic device.
For the convenience of understanding the embodiments of the present application, a method for determining an attack level of a denial of service attack disclosed in the embodiments of the present application will be described in detail first.
Referring to fig. 1, fig. 1 is a flowchart illustrating a method for determining an attack level of a denial of service attack according to an embodiment of the present disclosure. As shown in fig. 1, a method for determining an attack level of a denial of service attack provided in an embodiment of the present application includes the following steps:
S100, periodically acquiring utilization rate data of a plurality of computing resources of the target host while it is in a stable service state.
As an example, the target host may be a physical host or a virtual host.
Here, the stable service state refers to a state in which the computing resources in the target host are operating normally while the target host runs within a preset time period. The preset time period must fall outside holidays, special event periods, and the peak and valley periods of daily traffic, and may be, for example, a normal working day (for example, Monday to Friday), 9:30 to 11:30 and 2:00 to 5:00 per day. Here, the computing resource includes hardware or software on the target host, and may be, for example, a CPU, a memory, a network, a disk, a database, and the like.
The above-mentioned determination of the stable service state of each computing resource in the target host is a precondition for subsequently determining the level of resistance of the target host to the denial of service attack. When the target host is in a stable service state, the utilization rate data of a plurality of computing resources are collected, and the influence of various factors except the denial of service attack program on the computing resources can be eliminated, so that the subsequently determined attack starting time and the attack ending time of the denial of service attack can be more accurate, and further, the determined attack level of the denial of service attack is more accurate.
Here, the utilization data of the computing resources includes: CPU occupancy rate, memory occupancy rate, network uploading rate, network downloading rate, network bandwidth, network packet loss rate and disk reading and writing speed. Wherein, the CPU occupancy rate represents the percentage of the CPU occupied by the programs in the current target host. The utilization rate data of the computing resources collected in this step may be stored in a conventional database such as MySQL, PostgreSQL, or in a memory database such as Redis and Memcached.
It should be noted that, in this step, in order to reduce the influence of the monitoring and acquisition program itself as much as possible, the frequency at which records are flushed to disk may be appropriately reduced. For example, a flush threshold n and a linked list that temporarily buffers records are set, and each time the length of the linked list satisfies length >= n, the flush-to-disk operation "insert()" and the buffer-emptying operation "list()" are performed once.
Here, the acquisition period is set in advance, and preferably, the acquisition period is set to 5 ms.
In this step, for example, when the target host reaches a stable service state, the CPU occupancy, the memory occupancy, the network upload rate, the network download rate, the network bandwidth, the network packet loss rate, and the disk read-write speed of the target host are obtained every 5 ms.
S200, determining the attack starting time and the attack ending time of the target host under the denial of service attack according to the utilization rate data.
Illustratively, the step of determining an attack start time of the target host under the denial of service attack according to the utilization rate data includes:
S201, for each acquisition point, determining a first sliding mean of the CPU occupancy rate corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000121
where $l_1$ is the length of the first sliding window; $r^{i}_{cpu}$ is the CPU occupancy rate corresponding to the i-th acquisition point in the first sliding window;
Figure BDA0003682135380000125
the CPU occupancy rate corresponding to the nth acquisition point;
S202, for each acquisition point, determining a first sliding mean of the memory occupancy rate corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000122
where $l_1$ is the length of the first sliding window; $r^{i}_{mem}$ is the memory occupancy rate corresponding to the i-th acquisition point in the first sliding window;
Figure BDA0003682135380000123
the memory occupancy rate corresponding to the nth acquisition point;
S203, for each acquisition point, determining a second sliding mean of the CPU occupancy rate corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000124
where $l_2$ is the length of the second sliding window;
S204, for each acquisition point, determining a second sliding mean of the memory occupancy rate corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000131
S205, determining whether the second sliding mean of the CPU occupancy rate or the second sliding mean of the memory occupancy rate corresponding to the acquisition point is greater than a first preset threshold;
If the second sliding mean of the CPU occupancy rate corresponding to the acquisition point is greater than the first preset threshold and/or the second sliding mean of the memory occupancy rate corresponding to the acquisition point is greater than the first preset threshold, in step S206, the acquisition time corresponding to the acquisition point is used as the attack start time of the target host under the denial of service attack.
Here, if the second sliding mean of the CPU occupancy rate corresponding to the acquisition point is greater than the first preset threshold and/or the second sliding mean of the memory occupancy rate corresponding to the acquisition point is greater than the first preset threshold, this indicates that the first sliding mean corresponding to the acquisition point has increased significantly, so using this time as the attack start time of the target host under the denial of service attack is more reasonable and accurate.
How to determine the second sliding mean of the CPU occupancy rate corresponding to each acquisition point is described below with reference to a specific example.
In a specific example, assume that the preset length of the first sliding window is 3, the length of the second sliding window is 4, and the CPU occupancy rates from the first acquisition point to the seventh acquisition point after the target host reaches the steady state are F1-F7, respectively. As the number of acquisition points increases, for the third acquisition point the values in the corresponding first sliding window are [F1, F2, F3], and the first sliding mean of the CPU occupancy rate corresponding to the third acquisition point may then be determined according to the formula:
Figure BDA0003682135380000132
By the same principle, as the number of acquisition points increases, the first sliding means of the CPU occupancy rate corresponding to the fourth acquisition point to the seventh acquisition point can be calculated respectively
Figure BDA0003682135380000133
And
Figure BDA0003682135380000134
For the seventh acquisition point, the values in the corresponding second sliding window at this time are
Figure BDA0003682135380000141
Then, the second sliding mean of the CPU occupancy rate corresponding to the seventh acquisition point is determined according to the formula:
Figure BDA0003682135380000142
Illustratively, determining the attack end time of the target host under the denial of service attack according to the utilization rate data includes:
S207, determining whether the second sliding mean of the CPU occupancy rate or the second sliding mean of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold;
If the second sliding mean of the CPU occupancy rate corresponding to the acquisition point is smaller than the second preset threshold and/or the second sliding mean of the memory occupancy rate corresponding to the acquisition point is smaller than the second preset threshold, in step S208, the acquisition time corresponding to the acquisition point is used as the attack end time of the target host under the denial of service attack.
Here, if the second sliding mean of the CPU occupancy rate corresponding to the acquisition point is smaller than the second preset threshold and/or the second sliding mean of the memory occupancy rate corresponding to the acquisition point is smaller than the second preset threshold, this indicates that the first sliding mean corresponding to the acquisition point has decreased significantly, so using this time as the attack end time of the target host under the denial of service attack is more reasonable and accurate.
In the step of determining the attack start time and the attack end time, the determined attack start time and the determined attack end time are more accurate than those in the prior art, so that the attack level of the denial of service attack determined based on the attack start time and the attack end time can be more accurate.
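The start and end detection of steps S201 to S208 can be sketched as follows; this is an added example, not code from the patent. Because the formula images are not available in this text, it assumes that the second sliding mean is the mean of the last l2 first sliding means (consistent with the F1-F7 walk-through), and, since the "and/or" wording leaves the end condition open, it ends the attack only when every metric that triggered the start has fallen below the second threshold. The sample series, thresholds and function names are constructed for illustration.

```python
from collections import deque
from statistics import fmean

# Constructed samples, one per 5 ms acquisition period (not measured data).
CPU = [20, 22, 21, 20, 23, 21, 60, 85, 95, 96,
       97, 95, 96, 70, 40, 25, 22, 21, 20, 21]
MEM = [30, 31, 30, 30, 31, 30, 31, 30, 30, 31,
       30, 30, 31, 30, 30, 31, 30, 30, 31, 30]


def double_sliding_mean(samples, l1, l2):
    """Second sliding mean per acquisition point.

    Assumption: the first sliding mean averages the last l1 raw samples and
    the second sliding mean averages the last l2 first sliding means.
    Entries are None until both windows are full.
    """
    first = deque(maxlen=l1)    # raw samples in the first sliding window
    second = deque(maxlen=l2)   # first sliding means in the second window
    out = []
    for value in samples:
        first.append(value)
        if len(first) == l1:
            second.append(fmean(first))
        out.append(fmean(second) if len(second) == l2 else None)
    return out


def detect_attack_window(series, l1, l2, start_thr, end_thr):
    """Return (start_index, end_index) of the attack; either may be None.

    series maps a metric name ("cpu", "mem") to equally long sample lists.
    Start: any metric's second sliding mean exceeds start_thr (S205/S206).
    End: every metric that triggered the start is below end_thr (S207/S208).
    Using only the triggering metrics avoids ending the attack at once
    because an unaffected metric was already below end_thr.
    """
    smoothed = {m: double_sliding_mean(v, l1, l2) for m, v in series.items()}
    length = len(next(iter(series.values())))
    start = end = None
    triggered = set()
    for i in range(length):
        current = {m: s[i] for m, s in smoothed.items() if s[i] is not None}
        if not current:
            continue  # windows not yet full
        if start is None:
            triggered = {m for m, v in current.items() if v > start_thr}
            if triggered:
                start = i
        elif all(current[m] < end_thr for m in triggered):
            end = i
            break
    return start, end


if __name__ == "__main__":
    period_ms = 5
    start, end = detect_attack_window({"cpu": CPU, "mem": MEM}, 3, 4, 70, 35)
    print("attack start at", start * period_ms, "ms, end at", end * period_ms, "ms")
```

In the constructed CPU series the raw jump occurs at sample 6 while the start fires at sample 10, which shows the lag the two smoothing windows add to the reported start time.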
S300, determining evaluation values of the plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the time period before the attack and the utilization rate data of the computing resources in the time period during the attack.
Wherein the time period before the attack is a time period between the time when the target host reaches a stable service state and the attack starting time; the attack time period is a time period between the attack starting time and the attack ending time.
Here, since the attack on the target host by the denial-of-service attack program is reflected in the consumption of the computing resources, the attack effect of the denial-of-service attack program can be objectively evaluated by acquiring the change in the consumption of each computing resource.
Next, with reference to fig. 2, fig. 3, fig. 4, and fig. 5, a description will be given of a procedure for determining evaluation values of a plurality of target computing resources on a target host according to utilization rate data of the computing resources in a time period before an attack and utilization rate data of the computing resources in a time period during an attack when the target computing resources are CPU resources, database resources, memory resources, and network resources, respectively.
Referring to fig. 2, fig. 2 is a flowchart illustrating a procedure for determining an evaluation value of a CPU resource according to an embodiment of the present application.
As shown in fig. 2, in step S301, the average occupancy of the CPU and the maximum occupancy of the CPU in the pre-attack period are determined.
For example, the average occupancy of the CPU during the pre-attack period may be determined by the following formula:
Figure BDA0003682135380000155
where n is the number of acquisition points in the time period before the attack; i is the first acquisition point; $orate^{i}_{cpu}$ is the CPU occupancy rate acquired at the i-th acquisition point in the time period before the attack.
For example, the maximum occupancy of the CPU during the pre-attack period may be determined by the following equation:
Figure BDA0003682135380000151
wherein,
Figure BDA0003682135380000152
denotes the acquisition point corresponding to the attack start time.
In step S302, the average occupancy of the CPU, the maximum occupancy of the CPU, and the time taken from the attack start time to reach the maximum occupancy of the CPU in the attack time period are determined;
For example, the average occupancy of the CPU in the attack time period may be determined by the following formula;
Figure BDA0003682135380000153
wherein,
Figure BDA0003682135380000154
is the acquisition point corresponding to the attack end time;
For example, the maximum occupancy of the CPU in the attack time period may be determined by the following formula:
Figure BDA0003682135380000161
In step S303, the difference between the average occupancy rate of the CPU in the pre-attack time period and the average occupancy rate of the CPU in the attack time period is determined as the average occupancy rate consumption value of the CPU;
In step S304, the difference between the maximum value of the CPU occupancy in the pre-attack time period and the maximum value of the CPU occupancy in the attack time period is determined as the maximum occupancy consumption value of the CPU;
In step S305, the consumption value of the CPU resource is determined according to the average occupancy consumption value of the CPU, the maximum occupancy consumption value of the CPU, and the elapsed time, and the consumption value of the CPU resource is used as the evaluation value of the CPU resource.
In this step, the average occupancy consumption value of the CPU, the maximum occupancy consumption value of the CPU, and the consumed time need to be multiplied by the corresponding weights, respectively, to obtain the consumption value of the CPU resource. Wherein the corresponding weight is preset.
For example, the evaluation value of the CPU resource can be calculated by the following formula:
Figure BDA0003682135380000162
where w1 is a weight corresponding to the average occupancy consumption value of the CPU, w2 is a weight corresponding to the maximum occupancy consumption value of the CPU, t is the time taken to reach the maximum occupancy of the CPU from the attack start time, and w3 is a weight corresponding to the time taken.
Referring to fig. 3, fig. 3 is a flowchart illustrating a procedure for determining an evaluation value of a database resource according to an embodiment of the present application.
As shown in FIG. 3, in step S401, the average value of the disk read-write speed in the pre-attack period is determined
Figure BDA0003682135380000163
and the maximum value of the disk read-write speed
Figure BDA0003682135380000164
In step S402, the use value of the database resource in the time period before the attack is determined according to the average value of the disk read-write speed in the time period before the attack and the average value of the CPU occupancy rate in the time period before the attack;
For example, the use value of the database resource in the pre-attack time period may be determined by the following formula:
Figure BDA0003682135380000171
In step S403, the difference between the maximum value of the disk read-write speed in the pre-attack time period and the maximum value of the CPU occupancy rate in the pre-attack time period is determined as the loss value of the database resource in the pre-attack time period;
For example, the loss value of the database resource in the period before the attack can be determined by the following formula:
Figure BDA0003682135380000172
In step S404, the average value of the disk read-write speed in the attack time period is determined
Figure BDA0003682135380000173
and the maximum value of the disk read-write speed
Figure BDA0003682135380000174
In step S405, the use value of the database resource in the attack time period is determined according to the average value of the disk read-write speed in the attack time period and the average value of the CPU occupancy rate in the attack time period;
Figure BDA0003682135380000175
In step S406, the difference between the maximum value of the disk read-write speed in the attack time period and the maximum value of the CPU occupancy rate in the attack time period is determined as the loss value of the database resource in the attack time period;
Figure BDA0003682135380000176
In step S407, determining a consumption value of the database resource according to the usage value of the database resource in the time period before the attack, the usage value of the database resource in the time period during the attack, the consumption value of the database resource in the time period before the attack, and the consumption value of the database resource in the time period during the attack, and taking the consumption value of the database resource as an evaluation value of the database resource.
For example, the evaluation value of the database resource can be determined by the following formula:
$J_{cpu} = (S_{db}' - S_{db}) \times w1 + (C_{db}' - C_{db}) \times w2$;
On the one hand, the use value of the database resource is determined by utilizing the disk read-write speed and the CPU occupancy rate, and compared with a mode of directly taking the disk read-write speed as the use value of the database resource, the CPU occupancy rate is combined, so that the load condition of the database resource is reflected more truly, the computed attack level evaluation value of the denial of service attack on the target host is more accurate, and the actual attack effect of the denial of service attack program can be reflected more accurately.
On the other hand, the loss value of the database resource is determined by utilizing the disk read-write speed and the CPU occupancy rate, and compared with a mode of directly taking the disk read-write speed as the loss value of the database resource, the CPU occupancy rate is combined, so that the load condition of the database resource is reflected more truly, the computed attack level evaluation value of the denial-of-service attack on the target host is more accurate, and the actual attack effect of the denial-of-service attack program can be reflected more accurately.
Referring to fig. 4, fig. 4 is a flowchart illustrating a step of determining an evaluation value of a memory resource according to an embodiment of the present application.
As shown in fig. 4, in step S501, the average occupancy rate of the memory and the maximum occupancy rate of the memory in the period before the attack are determined.
For example, the average occupancy of the memory during the pre-attack time period may be determined by the following equation:
Figure BDA0003682135380000181
where n is the number of acquisition points in the time period before the attack; $orate^{i}_{mem}$ is the memory occupancy rate acquired at the i-th acquisition point in the time period before the attack.
For example, the maximum occupancy of the memory during the pre-attack time period may be determined by the following formula:
Figure BDA0003682135380000182
In step S502, the average occupancy rate of the memory, the maximum occupancy rate of the memory, and the time taken from the attack start time to reach the maximum occupancy rate of the memory in the attack time period are determined;
For example, the average occupancy rate of the memory in the attack time period can be determined by the following formula;
Figure BDA0003682135380000183
For example, the maximum occupancy of the memory in the attack time period may be determined by the following formula:
Figure BDA0003682135380000184
In step S503, the difference between the average occupancy rate of the memory in the time period before the attack and the average occupancy rate of the memory in the time period during the attack is determined as the average occupancy rate consumption value of the memory;
In step S504, the difference between the maximum value of the memory occupancy rate in the pre-attack time period and the maximum value of the memory occupancy rate in the attack time period is determined as the maximum occupancy rate consumption value of the memory;
In step S505, the consumption value of the memory resource is determined according to the average occupancy consumption value of the memory, the maximum occupancy consumption value of the memory, and the consumed time, and the consumption value of the memory resource is used as the evaluation value of the memory resource.
In this step, the average occupancy consumption value of the memory, the maximum occupancy consumption value of the memory, and the consumed time need to be multiplied by the corresponding weights respectively to obtain the evaluation value of the memory resource. Wherein the corresponding weight is preset.
For example, the evaluation value of the memory resource can be calculated by the following formula:
Figure BDA0003682135380000191
wherein w1 is the weight corresponding to the average occupancy consumption value of the memory, w2 is the weight corresponding to the maximum occupancy consumption value of the memory, t is the time taken from the attack start time to the maximum occupancy of the memory, and w3 is the weight corresponding to the time taken.
Referring to fig. 5, fig. 5 is a flowchart illustrating a procedure of determining an evaluation value of a network resource according to an embodiment of the present application.
As shown in fig. 5, in step S601, a network average occupancy consumption value is determined according to a network upload rate, a network download rate, a network bandwidth in a pre-attack time period, a network upload rate, a network download rate, and a network bandwidth in an attack time period;
Illustratively, in this step, the network average occupancy consumption value may be determined by:
S6011, determining the average occupancy rate of the network in the time period before the attack according to the network uploading rate, the network downloading rate and the network bandwidth in the time period before the attack;
As an example, in this step, first, the network average upload rate in the time period before the attack is calculated from the network upload rate in the time period before the attack, and the network average download rate in the time period before the attack is calculated from the network download rate in the time period before the attack; then, the average transmission rate of the network in the time period before the attack is determined according to the average upload rate and the average download rate of the network in the time period before the attack.
For example, the average transmission rate of the network over the period of time before the attack may be determined by the following formula:
Figure BDA0003682135380000201
wherein,
Figure BDA0003682135380000202
is the average upload rate of the network over the period of time prior to the attack,
Figure BDA0003682135380000203
is the average download rate of the network during the pre-attack period, w1 is the weight corresponding to the average upload rate of the network, and w2 is the weight corresponding to the average download rate of the network.
And finally, determining the average occupation rate of the network in the time period before the attack according to the average transmission rate and the network bandwidth of the network in the time period before the attack.
For example, the average occupancy of the network over the pre-attack period may be determined by the following formula:
Figure BDA0003682135380000204
wherein,
Figure BDA0003682135380000205
is the average transmission rate of the network in the period before the attack, and B is the network bandwidth.
S6012, determining the average network occupancy rate in the attack time period according to the network uploading rate, the network downloading rate and the network bandwidth in the attack time period.
As an example, in this step, first, the network average upload rate in the attack time period is calculated through the network upload rate in the attack time period, and the network average download rate in the attack time period is calculated according to the network download rate in the attack time period; then, determining the average transmission rate of the network in the attack time period according to the average network uploading rate and the average network downloading rate; finally, according to the average transmission rate and the network bandwidth of the network in the attack time period, the average occupation rate of the network in the attack time period is determined
Figure BDA0003682135380000206
The manner of determining the average occupancy of the network in the time period during the attack in this step is the same as the manner of determining the average occupancy of the network in the time period before the attack, and therefore, the details are not repeated.
The average occupation rate of the network is determined by utilizing the average transmission speed of the network and the network bandwidth, and compared with a mode of directly taking the average transmission speed of the network as the average occupation rate of the network, the method combines the network bandwidth, so that the actual average occupation rate of the network is more reasonably reflected, the computed attack level evaluation value of the denial of service attack on the target host is more accurate, and the actual attack effect of the denial of service attack program can be more accurately reflected.
S6013, determining a difference value between the average network occupancy in the time period before the attack and the average network occupancy in the time period during the attack as a consumption value of the average network occupancy;
In step S602, the maximum occupancy consumption value of the network is determined according to the maximum transmission rate of the network in the pre-attack time period, the network bandwidth, the maximum transmission rate of the network in the attack time period, and the network bandwidth.
Illustratively, the maximum occupancy consumption value for the network may be determined by:
S6021, determining the maximum occupancy of the network in the time period before the attack according to the maximum transmission rate and the network bandwidth of the network in the time period before the attack; here, the maximum network transmission rate in the time period before the attack is the larger of the network uploading rate and the network downloading rate in the time period before the attack;
For example, the maximum occupancy of the network during the pre-attack period may be determined by the following formula:
Figure BDA0003682135380000211
where $s_{max}$ is the maximum transmission rate of the network during the period prior to the attack.
S6022, determining the maximum occupancy of the network in the attack time period according to the maximum transmission rate and the network bandwidth of the network in the attack time period; here, the maximum transmission rate of the network in the attack time period is the larger of the network upload rate and the network download rate in the attack time period;
For example, the maximum occupancy of the network in the attack time period may be determined by the following formula:
Figure BDA0003682135380000212
where $s_{max}'$ is the maximum transmission rate of the network in the attack time period.
In the step, the maximum occupation rate of the network is determined by utilizing the maximum transmission speed of the network and the network bandwidth, and compared with a mode of directly taking the maximum transmission speed of the network as the maximum occupation rate of the network, the method combines the network bandwidth, so that the real maximum occupation rate of the network is reflected more reasonably, the attack level evaluation value of the attack of the denial of service attack on the target host obtained by calculation is more accurate, and the actual attack effect of the denial of service attack program can be reflected more accurately.
S6023, determining the difference between the maximum occupancy of the network in the period before the attack and the maximum occupancy of the network in the period during the attack as the maximum occupancy consumption value of the network.
In step S603, the average packet loss rate consumption value of the network is determined according to the network packet loss rate in the pre-attack time period and the network packet loss rate in the attack time period;
Illustratively, the average packet loss rate consumption value of the network may be determined by:
S6031, determining the average packet loss rate of the network in the time period before the attack according to the network packet loss rate in the time period before the attack;
S6032, determining the average packet loss rate of the network in the attack time period according to the network packet loss rate in the attack time period;
S6033, determining the difference between the average packet loss rate of the network in the time period before the attack and the average packet loss rate of the network in the time period during the attack as the average packet loss rate consumption value of the network;
In step S604, the maximum packet loss rate consumption value of the network is determined according to the maximum packet loss rate of the network in the time period before the attack and the maximum packet loss rate of the network in the time period during the attack;
Illustratively, the average packet loss rate consumption value of the network may be determined by:
S6041, determining the maximum packet loss rate of the network in the time period before the attack and the maximum packet loss rate of the network in the time period during the attack;
S6042, determining the difference between the maximum packet loss rate of the network in the pre-attack time period and the maximum packet loss rate of the network in the attack time period as the maximum packet loss rate consumption value of the network.
In step S605, a blocking value of the network resource is determined according to the occupancy consumption value of the network, the maximum occupancy consumption value of the network, the packet loss rate consumption value of the network, and the maximum packet loss rate consumption value of the network, and the blocking value of the network resource is used as an evaluation value of the network resource.
Illustratively, the evaluation value of the network resource may be determined by the following formula:
Figure BDA0003682135380000231
wherein,
Figure BDA0003682135380000232
is the average packet loss rate of the network in the time period during the attack;
Figure BDA0003682135380000233
is the average packet loss rate of the network in the time period before the attack;
Figure BDA0003682135380000234
is the maximum packet loss rate of the network in the time period during the attack;
Figure BDA0003682135380000235
is the maximum packet loss rate of the network in the time period before the attack.
In the step, the congestion condition in the network can be truly and objectively obtained by adding two indexes, namely the average packet loss rate and the maximum packet loss rate, so that the calculated blocking value of the network resource has higher reliability, and the actual attack effect of the denial of service attack program on the network resource, namely the calculation resource, can be more comprehensively reflected.
With continued reference to fig. 1, in step S104, for each target computing resource, an attack level of the denial of service attack on the target host is determined according to the evaluation value of the target computing resource and the weight of the target computing resource.
Illustratively, the level of attack of the denial of service attack on the target host may be determined by:
S1041, for each target computing resource, determining an attack level evaluation value of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource;
For example, the attack level evaluation value of the target host attacked by the denial of service attack can be determined by the following formula:
$J = J_{cpu} \times w1 + J_{db} \times w2 + J_{mem} \times w3 + J_{band} \times w4$;
where w1, w2, w3 and w4 are the weights of the CPU resource, the database resource, the memory resource and the network resource, respectively.
S1042, according to the attack level evaluation value, determining the attack level of the denial of service attack on the target host.
As an example, the step of determining the attack level of the denial of service attack on the target host according to the attack level evaluation value may include: step S10421, determining an attack score of the denial of service attack on the target host according to the attack level evaluation value; and step S10422, determining the attack level of the denial of service attack on the target host according to the attack score.
In an example, the step S10421 of determining, according to the attack level evaluation value, an attack score of the target host attacked by the denial of service attack may include:
inputting the attack level evaluation value into a preset scoring function to obtain the attack score of the denial of service attack on the target host.
For example, the scoring function may be the following function:
Figure BDA0003682135380000241
where $j_1$ to $j_5$ are preset attack level evaluation value thresholds, and Score is the attack score.
In another example, if there are multiple target hosts, that is, if the denial of service attack program attacks multiple hosts at the same time, the step S10421 of determining, according to the attack level evaluation value, an attack score for the target host attacked by the denial of service attack may include:
obtaining the attack score of the denial of service attack on the target host by normalized data processing.
For example, an attack score for a denial of service attack on the target host may be determined by the following equation:
Figure BDA0003682135380000242
where $J_{Min}$ is the minimum attack level evaluation value among the plurality of target hosts, and $J_{Max}$ is the maximum attack level evaluation value among the plurality of target hosts.
In this step, the attack level evaluation value may indicate the degree of damage that the denial of service attack causes to the target host. For example, a higher attack level evaluation value indicates that the denial of service attack had a greater influence on each computing resource before and after the attack, and therefore indicates a higher attack level of the denial of service attack on the target host, or a lower defense level of the target host against the denial of service attack.
For example, in step S10422, the step of determining, according to the attack score, an attack level of a denial of service attack on the target host may include:
determining the attack level of the denial of service attack on the target host according to the attack score and the attack level comparison table.
For example, the attack level comparison table may be as shown in table 1:
Table 1: Attack level comparison table

| Attack score | Attack level |
|---|---|
| [90, 100] | Fifth level |
| [80, 90) | Fourth level |
| [70, 80) | Third level |
| [60, 70) | Second level |
| [0, 60) | First level |
Here, the first level of the attack level indicates that the attack effect of the denial of service attack is not good, the second level of the attack level indicates that the attack effect of the denial of service attack is good, the third level of the attack level indicates that the attack effect of the denial of service attack is general, the fourth level of the attack level indicates that the attack effect of the denial of service attack is good, and the fifth level of the attack level indicates that the attack effect of the denial of service attack is excellent. According to the corresponding relation between the attack level and the attack effect, the attack effect can be determined according to the attack level, the actual attack condition of the denial of service attack can be known, and then a corresponding security defense system can be deployed for the target host according to the attack level or the attack effect.
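The scoring path of steps S1041 to S10422 for several hosts, as an added example that is not part of the patent text: it computes J with the weighted sum above, min-max normalizes J across the hosts, and looks the score up in Table 1. The ×100 scaling of the normalized value, the weights and the per-resource evaluation values are assumptions or constructed sample data, because the page's normalization formula survives only as a figure reference.

```python
"""Added example: weighted evaluation value J, min-max score, Table 1 lookup."""
from bisect import bisect_right

# Resource order follows the page's formula: CPU, database, memory, network.
RESOURCES = ("cpu", "db", "mem", "band")

# Table 1: lower bounds of the second..fifth levels; [90, 100] is closed.
LEVEL_BOUNDS = (60, 70, 80, 90)
LEVEL_NAMES = ("first", "second", "third", "fourth", "fifth")

# Constructed sample data (not from the patent): weights and evaluation values.
WEIGHTS = {"cpu": 0.4, "db": 0.2, "mem": 0.2, "band": 0.2}
SAMPLE_EVALS = {
    "host-a": {"cpu": 0.7, "db": 0.6, "mem": 0.6, "band": 0.45},
    "host-b": {"cpu": 0.9, "db": 0.8, "mem": 0.7, "band": 0.6},
    "host-c": {"cpu": 0.1, "db": 0.1, "mem": 0.1, "band": 0.1},
}


def attack_level_value(evals, weights):
    """J = J_cpu*w1 + J_db*w2 + J_mem*w3 + J_band*w4."""
    missing = [r for r in RESOURCES if r not in evals or r not in weights]
    if missing:
        raise ValueError(f"missing evaluation value or weight for: {missing}")
    return sum(evals[r] * weights[r] for r in RESOURCES)


def normalized_scores(j_by_host):
    """Min-max normalize J across hosts onto 0..100 (assumed scale)."""
    if not j_by_host:
        raise ValueError("no hosts to score")
    j_min, j_max = min(j_by_host.values()), max(j_by_host.values())
    if j_max == j_min:
        # Single host, or all hosts equally affected: the ratio is 0/0.
        # The threshold-based scoring function is the applicable path then.
        raise ValueError("J_Max equals J_Min; normalization is undefined")
    span = j_max - j_min
    return {h: (j - j_min) / span * 100.0 for h, j in j_by_host.items()}


def level_for_score(score):
    """Map an attack score in [0, 100] to its Table 1 attack level."""
    if not 0 <= score <= 100:
        raise ValueError(f"attack score out of range: {score}")
    return LEVEL_NAMES[bisect_right(LEVEL_BOUNDS, score)]


def grade_hosts(evals_by_host, weights):
    """Return {host: (J, score, level)} for a set of hosts hit together."""
    j_by_host = {h: attack_level_value(e, weights)
                 for h, e in evals_by_host.items()}
    scores = normalized_scores(j_by_host)
    return {h: (j_by_host[h], scores[h], level_for_score(scores[h]))
            for h in j_by_host}


if __name__ == "__main__":
    for host, (j, score, level) in grade_hosts(SAMPLE_EVALS, WEIGHTS).items():
        print(f"{host}: J={j:.3f} score={score:.1f} level={level}")
```

With min-max normalization the least affected host always scores 0 and the most affected always scores 100, so the resulting levels rank hosts against each other rather than against a fixed scale.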
According to the method for determining the defense level of the denial of service attack, provided by the embodiment of the application, the evaluation values of a plurality of target computing resources are determined according to the utilization rate data of the plurality of computing resources, the attack level evaluation value of the target host attacked by the denial of service attack is determined according to the evaluation values of the plurality of target computing resources, and the attack level of the target host attacked by the denial of service attack is determined according to the attack level evaluation value. By the method, the attack level of the target host attacked by the denial of service attack can be accurately determined.
Based on the same inventive concept, the embodiment of the application also provides a device for determining the attack level of the denial of service attack, which corresponds to the method for determining the attack level of the denial of service attack.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an apparatus for determining an attack level of a denial of service attack according to an embodiment of the present application, where the apparatus 600 for determining includes:
a monitoring module 610, configured to periodically obtain utilization rate data of a plurality of computing resources of a target host under a stable service state condition;
a determining module 620, configured to determine, according to the utilization rate data, an attack start time and an attack end time of the target host under the denial of service attack;
a calculating module 630, configured to determine evaluation values of multiple target computing resources on the target host according to the utilization data of the computing resources in the pre-attack time period and the utilization data of the computing resources in the in-attack time period;
an evaluation module 640, configured to determine, for each target computing resource, an attack level of the denial-of-service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource.
In one possible implementation, the determining module 620 includes an attack start time determining unit 621 and an attack end time determining unit 622 (not shown in the figure);
the attack start time determination unit 621 is specifically configured to: for each acquisition point, determining a first sliding mean value of CPU occupancy rates corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000261
where $l_1$ is the length of the first sliding window, and $r_{cpu}^{i}$ is the CPU occupancy rate corresponding to the i-th acquisition point in the first sliding window;
for each acquisition point, determining a first sliding mean value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000271
where $l_1$ is the length of the first sliding window, and $r_{mem}^{i}$ is the memory occupancy rate corresponding to the i-th acquisition point in the first sliding window;
for each acquisition point, determining a second sliding mean value of the CPU occupancy rate corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000272
where $l_2$ is the length of the second sliding window;
for each acquisition point, determining a second sliding mean value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
Figure BDA0003682135380000273
determining whether a second sliding mean value of the CPU occupancy rate or a second sliding mean value of the memory occupancy rate corresponding to the acquisition point is greater than a first preset threshold value;
and if the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is larger than a first preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is larger than the first preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack start time of the target host suffering from the denial of service attack.
The attack end time determining unit 622 is specifically configured to: determining whether a second sliding mean value of the CPU occupancy rate or a second sliding mean value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value;
and if the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack ending time of the target host subjected to the denial of service attack.
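One way to implement the start and end detection described above, as an added example rather than the patent's own code. Because the sliding-mean formulas survive here only as figure references, it assumes trailing windows with the second sliding mean taken over the first sliding means; the sample series, window lengths and thresholds are constructed, and the `require_both_below` switch is a hypothetical parameter covering the text's "and/or".

```python
"""Added example: attack start/end detection from double-smoothed occupancy."""
from collections import deque


def sliding_mean(values, window):
    """Trailing mean over `window` values; None until the window is full."""
    buf, out = deque(maxlen=window), []
    for v in values:
        if v is None:           # upstream window not yet full
            out.append(None)
            continue
        buf.append(v)
        out.append(sum(buf) / window if len(buf) == window else None)
    return out


def double_smoothed(values, l1, l2):
    """Second sliding mean (length l2) of the first sliding mean (length l1).

    Assumption: the patent's formulas are not legible on the page.
    """
    return sliding_mean(sliding_mean(values, l1), l2)


def detect_attack_window(samples, l1, l2, start_thr, end_thr,
                         require_both_below=True):
    """Return (attack_start_time, attack_end_time); either may be None.

    samples: iterable of (timestamp, cpu_percent, mem_percent).
    Start: smoothed CPU or memory exceeds start_thr.
    End:   smoothed CPU and memory fall below end_thr. With
           require_both_below=False a single resource below end_thr ends
           the window, which the text also permits ("and/or").
    """
    samples = list(samples)
    cpu = double_smoothed([s[1] for s in samples], l1, l2)
    mem = double_smoothed([s[2] for s in samples], l1, l2)
    start = end = None
    for (t, _, _), c, m in zip(samples, cpu, mem):
        if c is None or m is None:
            continue
        if start is None:
            if c > start_thr or m > start_thr:
                start = t
        else:
            below = (c < end_thr, m < end_thr)
            if all(below) if require_both_below else any(below):
                end = t
                break
    return start, end


# Constructed series, one sample every 5 s: an isolated CPU spike at t=15,
# then a sustained CPU-only load from t=30 to t=50. Memory stays flat.
CPU = [20, 22, 21, 95, 23, 20, 90, 95, 92, 96, 94, 30, 25, 22, 20, 21]
MEM = [30, 31, 30, 32, 31, 30, 33, 35, 36, 35, 34, 32, 31, 30, 30, 30]
SAMPLES = [(i * 5, c, m) for i, (c, m) in enumerate(zip(CPU, MEM))]

if __name__ == "__main__":
    print(detect_attack_window(SAMPLES, 3, 2, 70, 40))
    print(detect_attack_window(SAMPLES, 3, 2, 70, 40,
                               require_both_below=False))
```

The isolated spike never lifts the smoothed value past the start threshold, while the sustained load is reported two samples after it begins; that lag shifts the boundary between the pre-attack and in-attack periods. With `require_both_below=False`, a CPU-only load ends the window one sample after it starts, because memory never left the low range.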
In a possible implementation, the calculating module 630 is specifically configured to:
determining the average occupancy rate of the CPU and the maximum occupancy rate of the CPU in a time period before attack;
determining the average occupancy rate of the CPU in the attack time period, the maximum occupancy rate of the CPU and the time consumed for reaching the maximum occupancy rate of the CPU from the attack starting time;
determining the difference value between the average occupancy rate of the CPU in the time period before the attack and the average occupancy rate of the CPU in the time period during the attack as the average occupancy rate consumption value of the CPU;
determining the difference value between the maximum occupancy rate of the CPU in the time period before the attack and the maximum occupancy rate of the CPU in the time period during the attack as the maximum occupancy rate consumption value of the CPU;
and determining the consumption value of the CPU resource according to the average occupancy rate consumption value of the CPU, the maximum occupancy rate consumption value of the CPU and the consumed time, and taking the consumption value of the CPU resource as the evaluation value of the CPU resource.
In a possible implementation, the calculating module 630 is further configured to:
determining the average value of the disk read-write speed and the maximum value of the disk read-write speed in a time period before attack;
determining the use value of the database resources in the time period before the attack according to the average value of the disk read-write speed in the time period before the attack and the average value of the CPU occupancy rate in the time period before the attack;
determining the difference value between the maximum value of the disk read-write speed in the time period before the attack and the maximum value of the CPU occupancy rate in the time period before the attack as the loss value of the database resources in the time period before the attack;
determining the average value of the disk read-write speed and the maximum value of the disk read-write speed in the attack time period;
determining the use value of the database resources in the attack time period according to the average value of the disk read-write speed in the attack time period and the average value of the CPU occupancy rate in the attack time period;
determining the difference value between the maximum value of the reading and writing speed of the magnetic disk in the attack time period and the maximum value of the CPU occupancy rate in the attack time period as the loss value of the database resources in the attack time period;
and determining the consumption value of the database resource according to the use value of the database resource in the time period before the attack, the use value of the database resource in the time period during the attack, the loss value of the database resource in the time period before the attack and the loss value of the database resource in the time period during the attack, and taking the consumption value of the database resource as the evaluation value of the database resource.
In a possible implementation, the calculating module 630 is further configured to:
determining the average occupancy rate of the memory and the maximum occupancy rate of the memory in a time period before attack;
determining the average occupancy rate of the memory in the attack time period, the maximum occupancy rate of the memory and the time consumed for reaching the maximum occupancy rate of the memory from the attack starting time;
determining the difference value between the average occupancy rate of the memory in the time period before the attack and the average occupancy rate of the memory in the time period during the attack as the average occupancy rate consumption value of the memory;
determining the difference value between the maximum occupancy rate of the memory in the time period before the attack and the maximum occupancy rate of the memory in the time period during the attack as the maximum occupancy rate consumption value of the memory;
and determining the consumption value of the memory resources according to the average occupancy rate consumption value of the memory, the maximum occupancy rate consumption value of the memory and the consumed time, and taking the consumption value of the memory resources as the evaluation value of the memory resources.
In a possible implementation, the calculating module 630 is further configured to:
determining an average network occupancy consumption value according to the network uploading rate, the network downloading rate, the network bandwidth in the time period before the attack, the network uploading rate, the network downloading rate and the network bandwidth in the time period during the attack;
determining a consumption value of the maximum occupancy rate of the network according to the maximum transmission rate of the network in the time period before the attack, the network bandwidth, the maximum transmission rate of the network in the time period during the attack and the network bandwidth;
determining a network average packet loss rate consumption value according to the network packet loss rate in the time period before the attack and the network packet loss rate in the time period during the attack;
determining a consumption value of the maximum packet loss rate of the network according to the maximum packet loss rate of the network in the time period before the attack and the maximum packet loss rate of the network in the time period during the attack;
determining a blocking value of the network resource according to the network occupancy consumption value, the network maximum occupancy consumption value, the network packet loss rate consumption value and the network maximum packet loss rate consumption value, and taking the blocking value of the network resource as an evaluation value of the network resource.
In a possible implementation, the calculating module 630 is further configured to:
for each target computing resource, determining an attack level evaluation value of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource;
and determining the attack level of the attack of the denial of service attack on the target host according to the attack level evaluation value.
Referring to fig. 7, fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 7, the electronic device 700 includes a processor 710, a memory 720, and a bus 730.
The memory 720 stores machine-readable instructions executable by the processor 710. When the electronic device 700 runs, the processor 710 communicates with the memory 720 through the bus 730, and when the machine-readable instructions are executed by the processor 710, the steps of the method for determining the attack level of the denial of service attack in the foregoing method embodiment may be executed.
The embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method for determining an attack level of a denial of service attack in the foregoing method embodiments may be executed.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present application, used to illustrate the technical solutions of the present application rather than to limit them, and the scope of the present application is not limited thereto. Although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope disclosed in the present application, modify the technical solutions described in the foregoing embodiments, easily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the exemplary embodiments of the present application, and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

1. A method of determining a level of attack of a denial of service attack, the method comprising:
periodically acquiring utilization rate data of a plurality of computing resources of a target host under a stable service state condition;
determining attack starting time and attack ending time of the target host under the denial of service attack according to the utilization rate data;
determining evaluation values of a plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the time period before the attack and the utilization rate data of the computing resources in the time period during the attack; wherein the time period before the attack is a time period between the time when the target host reaches a stable service state and the attack starting time; the attack time period is a time period between the attack starting time and the attack ending time;
and for each target computing resource, determining the attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource.
2. The method of claim 1, wherein the utilization data comprises: CPU occupancy rate, memory occupancy rate, network uploading rate, network downloading rate, network bandwidth, network packet loss rate and disk reading and writing speed; the target computing resource comprises: CPU resources, memory resources, network resources, and database resources.
3. The method of claim 2, wherein determining the attack start time of the target host under the denial of service attack based on the utilization data comprises:
for each acquisition point, determining a first sliding mean value of CPU occupancy rates corresponding to the acquisition point according to the following formula;
Figure FDA0003682135370000011
where $l_1$ is the length of the first sliding window, and $r_{cpu}^{i}$ is the CPU occupancy rate corresponding to the i-th acquisition point in the first sliding window;
for each acquisition point, determining a first sliding mean value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
Figure FDA0003682135370000021
where $l_1$ is the length of the first sliding window, and $r_{mem}^{i}$ is the memory occupancy rate corresponding to the i-th acquisition point in the first sliding window;
for each acquisition point, determining a second sliding mean value of the CPU occupancy rate corresponding to the acquisition point according to the following formula;
Figure FDA0003682135370000022
where $l_2$ is the length of the second sliding window;
for each acquisition point, determining a second sliding mean value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
Figure FDA0003682135370000023
determining whether a second sliding mean value of the CPU occupancy rate or a second sliding mean value of the memory occupancy rate corresponding to the acquisition point is greater than a first preset threshold value;
and if the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is larger than the first preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is larger than the first preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack starting time of the target host subjected to the denial of service attack.
4. The method of claim 3, wherein determining an attack termination time of the target host for the denial of service attack based on the utilization data comprises:
determining whether a second sliding mean value of the CPU occupancy rate or a second sliding mean value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value;
and if the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack ending time of the target host subjected to the denial of service attack.
5. The method of claim 1, wherein determining the evaluation values of the plurality of target computing resources on the target host based on the utilization data of the computing resources in the pre-attack time period and the utilization data of the computing resources in the in-attack time period when the target computing resources are CPU resources comprises:
determining the average occupancy rate of the CPU and the maximum occupancy rate of the CPU in a time period before attack;
determining the average occupancy rate of the CPU in the attack time period, the maximum occupancy rate of the CPU and the time consumed for reaching the maximum occupancy rate of the CPU from the attack starting time;
determining the difference value between the average occupancy rate of the CPU in the time period before the attack and the average occupancy rate of the CPU in the time period during the attack as the average occupancy rate consumption value of the CPU;
determining the difference value between the maximum occupancy rate of the CPU in the time period before the attack and the maximum occupancy rate of the CPU in the time period during the attack as the maximum occupancy rate consumption value of the CPU;
and determining the consumption value of the CPU resource according to the average occupancy rate consumption value of the CPU, the maximum occupancy rate consumption value of the CPU and the consumed time, and taking the consumption value of the CPU resource as the evaluation value of the CPU resource.
6. The method of claim 5, wherein determining the evaluation values of the plurality of target computing resources on the target host based on the utilization data of the computing resources in the pre-attack time period and the utilization data of the computing resources in the in-attack time period when the target computing resources are database resources comprises:
determining the average value of the disk read-write speed and the maximum value of the disk read-write speed in a time period before attack;
determining the use value of the database resources in the time period before the attack according to the average value of the disk read-write speed in the time period before the attack and the average value of the CPU occupancy rate in the time period before the attack;
determining the difference value between the maximum value of the disk read-write speed in the time period before the attack and the maximum value of the CPU occupancy rate in the time period before the attack as the loss value of the database resources in the time period before the attack;
determining the average value of the disk read-write speed and the maximum value of the disk read-write speed in the attack time period;
determining the use value of the database resources in the attack time period according to the average value of the disk read-write speed in the attack time period and the average value of the CPU occupancy rate in the attack time period;
determining the difference value between the maximum value of the reading and writing speed of the magnetic disk in the attack time period and the maximum value of the CPU occupancy rate in the attack time period as the loss value of the database resources in the attack time period;
and determining the consumption value of the database resource according to the use value of the database resource in the time period before the attack, the use value of the database resource in the time period during the attack, the loss value of the database resource in the time period before the attack and the loss value of the database resource in the time period during the attack, and taking the consumption value of the database resource as the evaluation value of the database resource.
7. The method of claim 1, wherein when the target computing resource is a memory resource, determining the evaluation values of the plurality of target computing resources on the target host according to the utilization data of the computing resources in the pre-attack time period and the utilization data of the computing resources in the attack time period comprises:
determining the average occupancy rate of the memory and the maximum occupancy rate of the memory in a time period before attack;
determining the average occupancy rate of the memory in the attack time period, the maximum occupancy rate of the memory and the time consumed for reaching the maximum occupancy rate of the memory from the attack starting time;
determining the difference value between the average occupancy rate of the memory in the time period before the attack and the average occupancy rate of the memory in the time period during the attack as the average occupancy rate consumption value of the memory;
determining the difference value between the maximum occupancy rate of the memory in the time period before the attack and the maximum occupancy rate of the memory in the time period during the attack as the maximum occupancy rate consumption value of the memory;
and determining the consumption value of the memory resources according to the average occupancy rate consumption value of the memory, the maximum occupancy rate consumption value of the memory and the consumed time, and taking the consumption value of the memory resources as the evaluation value of the memory resources.
8. The method of claim 1, wherein when the target computing resource is a network resource, determining the evaluation values of the plurality of target computing resources on the target host according to the utilization data of the computing resources in the pre-attack time period and the utilization data of the computing resources in the attack time period comprises:
determining an average network occupancy consumption value according to the network uploading rate, the network downloading rate, the network bandwidth in the time period before the attack, the network uploading rate, the network downloading rate and the network bandwidth in the time period during the attack;
determining a consumption value of the maximum occupancy rate of the network according to the maximum transmission rate of the network in the time period before the attack, the network bandwidth, the maximum transmission rate of the network in the time period during the attack and the network bandwidth;
determining a network average packet loss rate consumption value according to the network packet loss rate in the time period before the attack and the network packet loss rate in the time period during the attack;
determining a consumption value of the maximum packet loss rate of the network according to the maximum packet loss rate of the network in the time period before the attack and the maximum packet loss rate of the network in the time period during the attack;
determining a blocking value of the network resource according to the network occupancy consumption value, the network maximum occupancy consumption value, the network packet loss rate consumption value and the network maximum packet loss rate consumption value, and taking the blocking value of the network resource as an evaluation value of the network resource.
9. The method of claim 8, wherein determining the network average occupancy consumption value according to the network upload rate, network download rate and network bandwidth in the pre-attack time period and the network upload rate, network download rate and network bandwidth in the attack time period comprises:
determining the network average occupancy in the pre-attack time period according to the network upload rate, the network download rate and the network bandwidth in the pre-attack time period;
determining the network average occupancy in the attack time period according to the network upload rate, the network download rate and the network bandwidth in the attack time period; and
determining the difference between the network average occupancy in the pre-attack time period and the network average occupancy in the attack time period as the network average occupancy consumption value.
10. The method of claim 8, wherein determining the network maximum occupancy consumption value according to the network maximum transmission rate and network bandwidth in the pre-attack time period and the network maximum transmission rate and network bandwidth in the attack time period comprises:
determining the network maximum occupancy in the pre-attack time period according to the network maximum transmission rate and the network bandwidth in the pre-attack time period, wherein the network maximum transmission rate in the pre-attack time period is the maximum of the network upload rate and the network download rate in the pre-attack time period;
determining the network maximum occupancy in the attack time period according to the network maximum transmission rate and the network bandwidth in the attack time period, wherein the network maximum transmission rate in the attack time period is the maximum of the network upload rate and the network download rate in the attack time period; and
determining the difference between the network maximum occupancy in the pre-attack time period and the network maximum occupancy in the attack time period as the network maximum occupancy consumption value.
11. The method of claim 8, wherein determining the network average packet loss rate consumption value according to the network packet loss rate in the pre-attack time period and the network packet loss rate in the attack time period comprises:
determining the network average packet loss rate in the pre-attack time period according to the network packet loss rate in the pre-attack time period;
determining the network average packet loss rate in the attack time period according to the network packet loss rate in the attack time period; and
determining the difference between the network average packet loss rate in the pre-attack time period and the network average packet loss rate in the attack time period as the network average packet loss rate consumption value;
and wherein determining the network maximum packet loss rate consumption value according to the network maximum packet loss rate in the pre-attack time period and the network maximum packet loss rate in the attack time period comprises:
determining the network maximum packet loss rate in the pre-attack time period and the network maximum packet loss rate in the attack time period; and
determining the difference between the network maximum packet loss rate in the pre-attack time period and the network maximum packet loss rate in the attack time period as the network maximum packet loss rate consumption value.
12. The method of claim 1, wherein determining, for each target computing resource, the attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource comprises:
for each target computing resource, determining an attack level evaluation value of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource; and
determining the attack level of the denial of service attack on the target host according to the attack level evaluation value.
13. An apparatus for determining an attack level of a denial of service attack, the apparatus comprising:
a monitoring module configured to periodically acquire utilization data of a plurality of computing resources of a target host in a stable service state;
a determining module configured to determine, according to the utilization data, the attack start time and the attack end time of a denial of service attack on the target host;
a computing module configured to determine evaluation values of a plurality of target computing resources on the target host according to the utilization data of the computing resources in the pre-attack time period and the utilization data of the computing resources in the attack time period, wherein the pre-attack time period is the time period between the time at which the target host reaches a stable service state and the attack start time, and the attack time period is the time period between the attack start time and the attack end time; and
an evaluation module configured to determine, for each target computing resource, the attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource.
14. An electronic device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over the bus when the electronic device runs, and the machine-readable instructions, when executed by the processor, performing the steps of the method for determining an attack level of a denial of service attack as set forth in any one of claims 1 to 12.
15. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method for determining an attack level of a denial of service attack as set forth in any one of claims 1 to 12.
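Claims 8 to 11 reduce to four before/after differences that are combined into one blocking value for the network resource. The sketch below is an added example, not code from the patent. The occupancy formula, the sign and clamping of each difference, the equal-weight combination and all sample values are assumptions, because the claims do not state them.

```python
from dataclasses import dataclass
from statistics import fmean

@dataclass(frozen=True)
class Sample:
    """One periodic measurement of the target host's network interface."""
    up: float    # network upload rate, Mbit/s
    down: float  # network download rate, Mbit/s
    loss: float  # network packet loss rate, 0..1

def period_stats(samples, bandwidth):
    """Per-period statistics named in claims 9 to 11."""
    if not samples or bandwidth <= 0:
        raise ValueError("need at least one sample and a positive bandwidth")
    return {
        # Assumption: average occupancy is the mean per-direction utilisation.
        "avg_occupancy": fmean((s.up + s.down) / (2 * bandwidth) for s in samples),
        # Claim 10: the maximum transmission rate is the larger of the
        # upload and download rates observed in the period.
        "max_occupancy": max(max(s.up, s.down) for s in samples) / bandwidth,
        "avg_loss": fmean(s.loss for s in samples),
        "max_loss": max(s.loss for s in samples),
    }

def network_blocking_value(pre, attack, bandwidth):
    """Return the four consumption values and the combined blocking value."""
    before = period_stats(pre, bandwidth)
    during = period_stats(attack, bandwidth)
    # Assumption: difference is attack minus pre-attack, and a metric that
    # improves during the attack contributes 0 rather than a negative value.
    consumption = {k: max(0.0, during[k] - before[k]) for k in before}
    # Assumption: equal-weight mean; the claims do not give the combination.
    return consumption, fmean(consumption.values())

# Constructed samples for a 100 Mbit/s link (not measurements from the patent).
PRE = [Sample(10, 20, 0.00), Sample(12, 18, 0.01), Sample(8, 22, 0.00)]
ATTACK = [Sample(15, 90, 0.20), Sample(10, 95, 0.35), Sample(12, 98, 0.30)]

if __name__ == "__main__":
    values, blocking = network_blocking_value(PRE, ATTACK, 100.0)
    for name, value in values.items():
        print(f"{name:14s} {value:.3f}")
    print(f"blocking value {blocking:.3f}")
```

The blocking value produced here is the evaluation value that claim 12 would weight alongside those of the other target computing resources.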

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210640737.4A CN115051847B (en) 2022-06-07 2022-06-07 Method, device and electronic equipment for determining attack level of denial of service attack

Publications (2)

Publication Number Publication Date
CN115051847A (en) 2022-09-13
CN115051847B (en) 2024-01-19

Family

ID=83160997

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210640737.4A Active CN115051847B (en) 2022-06-07 2022-06-07 Method, device and electronic equipment for determining attack level of denial of service attack

Country Status (1)

Country Link
CN (1) CN115051847B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant