CN115051847B - Method, device and electronic equipment for determining attack level of denial of service attack - Google Patents

Publication number
CN115051847B
Authority
CN
China
Prior art keywords
attack
network
rate
determining
value
Legal status
Active
Application number
CN202210640737.4A
Other languages
Chinese (zh)
Other versions
CN115051847A (en)
Inventor
卢凯
高宇
李维皓
刘桐菊
李翔
李正
朱广宇
赵蕾
Current Assignee
6th Research Institute of China Electronics Corp
Original Assignee
6th Research Institute of China Electronics Corp
Application filed by 6th Research Institute of China Electronics Corp
Priority to CN202210640737.4A
Publication of CN115051847A
Application granted
Publication of CN115051847B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823 Errors, e.g. transmission errors
    • H04L43/0829 Packet loss
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0894 Packet rate
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method, a device and electronic equipment for determining an attack level of a denial of service attack, wherein the method comprises the following steps: periodically acquiring utilization rate data of a plurality of computing resources of a target host while the target host is in a stable service state; determining the attack starting time and the attack ending time of the target host under the denial of service attack according to the utilization rate data; determining evaluation values of a plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the period before the attack and the utilization rate data of the computing resources in the period during the attack; and, for each target computing resource, determining the attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource. By the method and the device, the attack level of the denial of service attack on the target host can be accurately determined.

Description

Method, device and electronic equipment for determining attack level of denial of service attack
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, and an electronic device for determining an attack level of a denial of service attack.
Background
Denial of service attacks are one of the major challenges facing the current field of network security. A denial of service attack is an attack technique in which an attacker, by attacking different layers of the network protocol stack, prevents the target from providing normal service to its clients. With the rapid development of internet technology, network security has become particularly important. A scheme for determining the attack level of a denial of service attack is therefore of great significance for coping with such attacks, and can provide an important basis for the subsequent construction of a more accurate and effective security defense system.
Existing methods for determining the attack level of a denial of service attack generally analyze a single computing resource to determine the attack level of the denial of service attack on the target host, for example analyzing only how the CPU resource is affected by the attack. The attack level determined in this way is not accurate enough, so a security defense system built on that attack level is not accurate enough either.
Disclosure of Invention
In view of this, an object of the present application is to provide a method, an apparatus, and an electronic device for determining an attack level of a denial of service attack, where evaluation values of a plurality of target computing resources are determined according to utilization data of the plurality of computing resources, and then an attack level evaluation value of the denial of service attack on the target host is determined according to the evaluation values of the plurality of target computing resources, and then an attack level of the denial of service attack on the target host is determined according to the attack level evaluation value. By the method, the attack level of the denial of service attack on the target host can be accurately determined.
In a first aspect, an embodiment of the present application provides a method for determining an attack level of a denial of service attack, where the method includes:
periodically acquiring utilization rate data of a plurality of computing resources of a target host under the condition of stable service state;
determining the attack starting time and the attack ending time of the target host under the denial of service attack according to the utilization rate data;
determining evaluation values of a plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the period before the attack and the utilization rate data of the computing resources in the period during the attack; the pre-attack time period is a time period between the moment when the target host reaches a stable service state and the attack starting moment; the time period in the attack is a time period between the attack starting time and the attack ending time;
and, for each target computing resource, determining the attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource.
Optionally, the utilization data includes: CPU occupancy rate, memory occupancy rate, network uploading rate, network downloading rate, network bandwidth, network packet loss rate and disk read-write speed; the target computing resource includes: CPU resources, memory resources, network resources and database resources.
Optionally, the determining, according to the utilization data, an attack start time when the target host is attacked by the denial of service includes:
for each acquisition point, determining a first sliding average value of CPU occupancy rates corresponding to the acquisition point according to the following formula;
wherein $l_1$ is the length of the first sliding window; $r_{cpu}^{i}$ is the CPU occupancy rate corresponding to the i-th acquisition point in the first sliding window;
for each acquisition point, determining a first sliding average value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
wherein $l_1$ is the length of the first sliding window; $r_{mem}^{i}$ is the memory occupancy rate corresponding to the i-th acquisition point in the first sliding window;
for each acquisition point, determining a second sliding average value of the CPU occupancy rate corresponding to the acquisition point according to the following formula;
wherein $l_2$ is the length of the second sliding window;
for each acquisition point, determining a second sliding average value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
determining whether a second sliding average value of the CPU occupancy rate or a second sliding average value of the memory occupancy rate corresponding to the acquisition point is larger than a first preset threshold value;
and if the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is greater than a first preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is greater than a first preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack starting time of the target host under the denial of service attack.
Optionally, the determining, according to the utilization data, an attack end time when the target host is subjected to the denial of service attack includes:
determining whether a second sliding average value of the CPU occupancy rate or a second sliding average value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value;
and if the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack end time of the target host under the denial of service attack.
Optionally, when the target computing resource is a CPU resource, the determining evaluation values of a plurality of target computing resources on the target host according to the utilization data of the computing resource in the period before the attack and the utilization data of the computing resource in the period during the attack includes:
determining the average occupancy rate of the CPU and the maximum occupancy rate of the CPU in a period before attack;
determining the average occupancy rate of the CPU, the maximum occupancy rate of the CPU and the time taken for the maximum occupancy rate of the CPU to be reached from the attack starting time in the attack time period;
determining the difference value of the average occupancy rate of the CPU in the period before the attack and the average occupancy rate of the CPU in the period during the attack as an average occupancy rate consumption value of the CPU;
determining the difference value of the maximum occupancy rate of the CPU in the period before the attack and the maximum occupancy rate of the CPU in the period during the attack as the maximum occupancy rate consumption value of the CPU;
and determining the consumption value of the CPU resource according to the average occupancy rate consumption value of the CPU, the maximum occupancy rate consumption value of the CPU and the consumed time, and taking the consumption value of the CPU resource as the evaluation value of the CPU resource.
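An added sketch (not code from the patent) of the attack start/end detection and of the three CPU inputs described above. The patent's formulas are not reproduced on this page, so the trailing simple mean, the second average being taken over the first, the "during minus before" sign, and all window lengths, thresholds and sample values are assumptions; it stops short of the final CPU consumption value, whose combining formula the page does not give.

```python
"""Added illustration: attack-window detection and CPU consumption inputs."""

PERIOD_MS = 5  # acquisition period the description gives as preferred


def sliding_average(values, window):
    """Trailing simple mean over up to `window` points ending at each index."""
    out = []
    for i in range(len(values)):
        chunk = values[max(0, i - window + 1): i + 1]
        out.append(sum(chunk) / len(chunk))
    return out


def second_average(values, l1, l2):
    # Assumption: the second sliding average (window l2) smooths the
    # first sliding average (window l1) rather than the raw samples.
    return sliding_average(sliding_average(values, l1), l2)


def find_attack_window(cpu, mem, l1, l2, start_thr, end_thr,
                       end_requires_both=True):
    """Return (start_index, end_index); either is None if never reached.

    Start: CPU or memory second average exceeds start_thr.
    End: the text allows "and/or" for dropping below end_thr. With the
    "or" reading, a resource that never rose (memory in a CPU-only
    attack) ends the attack one sample after it starts, so the default
    here requires both metrics to be below the threshold.
    """
    cpu2 = second_average(cpu, l1, l2)
    mem2 = second_average(mem, l1, l2)
    start = None
    for i, (c, m) in enumerate(zip(cpu2, mem2)):
        if start is None:
            if c > start_thr or m > start_thr:
                start = i
            continue
        below = (c < end_thr, m < end_thr)
        if (all(below) if end_requires_both else any(below)):
            return start, i
    return start, None


def cpu_consumption(cpu, start, end):
    """Average/maximum occupancy consumption and time to reach the peak.

    Assumes cpu[0] is the first sample after the host reached its stable
    service state, so cpu[:start] is the pre-attack period.
    """
    if not start or end is None or end <= start:
        raise ValueError("need a non-empty pre-attack and in-attack period")
    before, during = cpu[:start], cpu[start:end]
    peak = max(during)
    return {
        # Assumed sign convention: in-attack value minus pre-attack value.
        "avg_consumption": sum(during) / len(during) - sum(before) / len(before),
        "max_consumption": peak - max(before),
        "time_to_max_ms": during.index(peak) * PERIOD_MS,
    }


# Constructed samples (percent occupancy, one per 5 ms): a CPU-only
# attack that ramps up at index 7 while memory stays flat.
CPU = [20] * 7 + [60, 80, 100, 100, 100, 80] + [20] * 7
MEM = [30] * 20


def demo():
    start, end = find_attack_window(CPU, MEM, l1=2, l2=2,
                                    start_thr=50, end_thr=40)
    return start, end, cpu_consumption(CPU, start, end)


if __name__ == "__main__":
    print(demo())
```

Because detection runs on smoothed values, the detected start lags the raw onset by one sample here, and that sample is counted in the pre-attack maximum.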
Optionally, when the target computing resource is a database resource, determining the evaluation values of the plurality of target computing resources on the target host according to the utilization rate data of the computing resource in the period before the attack and the utilization rate data of the computing resource in the period during the attack includes:
determining an average value of the disk read-write speed and a maximum value of the disk read-write speed in a period before attack;
determining a use value of a database resource in the time period before attack according to the average value of the disk read-write speed in the time period before attack and the average value of the CPU occupancy rate in the time period before attack;
determining the difference between the maximum value of the disk read-write speed in the period before attack and the maximum value of the CPU occupancy rate in the period before attack as the loss value of the database resource in the period before attack;
determining an average value of the disk read-write speed and a maximum value of the disk read-write speed in the attack time period;
determining a using value of a database resource in the period of the attack according to the average value of the disk read-write speed in the period of the attack and the average value of the CPU occupancy rate in the period of the attack;
determining a difference value between the maximum value of the disk read-write speed in the in-attack time period and the maximum value of the CPU occupancy rate in the in-attack time period as a loss value of a database resource in the in-attack time period;
and determining the consumption value of the database resource according to the use value of the database resource in the time period before the attack, the use value of the database resource in the time period during the attack, the loss value of the database resource in the time period before the attack and the loss value of the database resource in the time period during the attack, and taking the consumption value of the database resource as the evaluation value of the database resource.
Optionally, when the target computing resource is a memory resource, the determining the evaluation values of the plurality of target computing resources on the target host according to the utilization data of the computing resource in the period before the attack and the utilization data of the computing resource in the period during the attack includes:
determining the average occupancy rate of the memory and the maximum occupancy rate of the memory in a period before attack;
determining the average occupancy rate of the memory, the maximum occupancy rate of the memory and the time taken for the maximum occupancy rate of the memory to be reached from the attack start time in the attack time period;
determining the difference value of the average occupancy rate of the memory in the period before the attack and the average occupancy rate of the memory in the period during the attack as the average occupancy rate consumption value of the memory;
determining the difference value of the maximum occupancy rate of the memory in the period before the attack and the maximum occupancy rate of the memory in the period during the attack as the maximum occupancy rate consumption value of the memory;
and determining the consumption value of the memory resource according to the average occupancy rate consumption value of the memory, the maximum occupancy rate consumption value of the memory and the consumed time, and taking the consumption value of the memory resource as the evaluation value of the memory resource.
Optionally, when the target computing resource is a network resource, the determining the evaluation values of the plurality of target computing resources on the target host according to the utilization data of the computing resource in the period before the attack and the utilization data of the computing resource in the period during the attack includes:
determining a network average occupancy consumption value according to the network uploading rate, the network downloading rate, the network bandwidth in the period before the attack, the network uploading rate, the network downloading rate and the network bandwidth in the period during the attack;
determining a network maximum occupancy consumption value according to the network maximum transmission rate, the network bandwidth in the period before the attack, the network maximum transmission rate and the network bandwidth in the period during the attack;
determining a network average packet loss rate consumption value according to the network packet loss rate in the period before the attack and the network packet loss rate in the period during the attack;
determining a consumption value of the network maximum packet loss rate according to the network maximum packet loss rate in the period before the attack and the network maximum packet loss rate in the period during the attack;
and determining a blocking value of the network resource according to the network occupancy consumption value, the network maximum occupancy consumption value, the network packet loss rate consumption value and the network maximum packet loss rate consumption value, and taking the blocking value of the network resource as an evaluation value of the network resource.
Optionally, the determining the average occupancy consumption value of the network according to the network upload rate, the network download rate, the network bandwidth in the period before the attack, the network upload rate, the network download rate and the network bandwidth in the period during the attack includes:
determining the average occupancy rate of the network in the period before the attack according to the network uploading rate, the network downloading rate and the network bandwidth in the period before the attack;
determining the average occupancy rate of the network in the attack time period according to the network uploading rate, the network downloading rate and the network bandwidth in the attack time period;
determining a difference value between the average occupancy rate of the network in the period before the attack and the average occupancy rate of the network in the period during the attack as an average occupancy rate consumption value of the network;
Optionally, the determining the maximum occupancy consumption value of the network according to the maximum transmission rate of the network, the network bandwidth in the period before the attack, the maximum transmission rate of the network in the period during the attack and the network bandwidth includes:
determining the maximum occupancy of the network in the period before the attack according to the maximum transmission rate and the network bandwidth of the network in the period before the attack; the network maximum transmission rate in the pre-attack time period is the maximum rate in the network uploading rate and the network downloading rate in the pre-attack time period;
determining the maximum occupancy of the network in the period of attack according to the maximum transmission rate of the network and the network bandwidth in the period of attack; the maximum transmission rate of the network in the period of attack is the maximum rate of the network uploading rate and the network downloading rate in the period of attack;
and determining the difference between the maximum occupancy of the network in the period before the attack and the maximum occupancy of the network in the period during the attack as the maximum occupancy consumption value of the network.
Optionally, the determining the average packet loss rate consumption value of the network according to the network packet loss rate in the period before the attack and the network packet loss rate in the period during the attack includes:
determining the average packet loss rate of the network in the period before the attack according to the packet loss rate of the network in the period before the attack;
determining the average packet loss rate of the network in the attack time period according to the network packet loss rate in the attack time period;
determining a difference value between the average packet loss rate of the network in the period before the attack and the average packet loss rate of the network in the period during the attack as an average packet loss rate consumption value of the network;
the determining the consumption value of the maximum packet loss rate of the network according to the maximum packet loss rate of the network in the period before the attack and the maximum packet loss rate of the network in the period during the attack comprises the following steps:
determining the network maximum packet loss rate in a time period before attack and the network maximum packet loss rate in a time period during attack;
and determining the difference value of the network maximum packet loss rate in the period before the attack and the network maximum packet loss rate in the period during the attack as a network maximum packet loss rate consumption value.
Optionally, the determining, for each target computing resource, an attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource includes:
for each target computing resource, determining an attack level evaluation value of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource;
and determining the attack level of the denial of service attack on the target host according to the attack level evaluation value.
In a second aspect, an embodiment of the present application provides an apparatus for determining an attack level of a denial of service attack, where the apparatus includes:
the monitoring module is used for periodically acquiring utilization rate data of a plurality of computing resources of the target host under the condition of stable service state;
the determining module is used for determining the attack starting time and the attack ending time of the target host under the denial of service attack according to the utilization rate data;
a computing module for determining evaluation values of a plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the period before the attack and the utilization rate data of the computing resources in the period during the attack; the pre-attack time period is a time period between the moment when the target host reaches a stable service state and the attack starting moment; the time period in the attack is a time period between the attack starting time and the attack ending time;
and the evaluation module is used for determining the attack level of the denial of service attack on the target host according to the evaluation value of each target computing resource and the weight of the target computing resource.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor in communication with the memory over the bus when the electronic device is running, the processor executing the machine-readable instructions to perform the steps of the method of determining an attack level of a denial of service attack of any of the first aspects.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of any of the methods of determining an attack level of a denial of service attack of the first aspect.
According to the method, the device and the electronic equipment for determining the attack level of the denial of service attack, the evaluation values of the target computing resources are determined according to the utilization rate data of the computing resources, the attack level evaluation value of the denial of service attack on the target host is determined according to the evaluation values of the target computing resources, and the attack level of the denial of service attack on the target host is determined according to the attack level evaluation value. By the method, the attack level of the denial of service attack on the target host can be accurately determined.
In order to make the above objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered limiting the scope, and that other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a flow chart of a method for determining an attack level of a denial of service attack provided by an embodiment of the present application;
FIG. 2 is a flowchart showing steps for determining an evaluation value of a CPU resource according to an embodiment of the present application;
FIG. 3 is a flowchart showing steps for determining an evaluation value of a database resource according to an embodiment of the present application;
FIG. 4 is a flowchart showing steps for determining an evaluation value of a memory resource according to an embodiment of the present application;
FIG. 5 is a flowchart showing steps for determining an evaluation value of a network resource according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an apparatus for determining an attack level of a denial of service attack according to an embodiment of the present application;
FIG. 7 shows a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. Based on the embodiments of the present application, every other embodiment that a person skilled in the art would obtain without making any inventive effort is within the scope of protection of the present application.
Prior to the present application, existing methods for determining the attack level of a denial of service attack generally analyzed a single computing resource to determine the attack level of the denial of service attack on the target host, for example analyzing only how the CPU resource is affected by the attack. The attack level determined in this way is not accurate enough, so a security defense system built on that attack level is not accurate enough either. Based on the above, the embodiment of the application provides a method, a device and electronic equipment for determining an attack level of a denial of service attack.
For the sake of understanding the embodiments of the present application, a detailed description will be given of a method for determining an attack level of a denial of service attack disclosed in the embodiments of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a method for determining an attack level of a denial of service attack according to an embodiment of the present application. As shown in fig. 1, a method for determining an attack level of a denial of service attack according to an embodiment of the present application includes the following steps:
S100, periodically acquiring utilization rate data of a plurality of computing resources of a target host while the target host is in a stable service state.
As an example, the target host may be a physical host or a virtual host.
Here, the stable service state refers to a state in which the computing resources of the target host operate normally while the target host runs within a preset time period. The preset time period must exclude holidays, special-event periods, and the daily traffic peak and valley periods; for example, it may be normal working days (Monday to Friday), 9:30 to 11:30 and 2:00 to 5:00 each day. The computing resources include hardware or software on the target host; by way of example, a computing resource may be a CPU, memory, a network, a disk, a database, and the like.
Determining the stable service state of each computing resource in the target host is a precondition for subsequently determining the level of resistance of the target host to denial of service attacks. Starting the collection of utilization rate data for the computing resources only once the target host is in a stable service state excludes the influence on the computing resources of factors other than the denial of service attack program, so the subsequently determined attack start time and attack end time are more accurate, and the determined attack level of the denial of service attack is more accurate in turn.
Here, the utilization rate data of the computing resources includes: CPU occupancy rate, memory occupancy rate, network upload rate, network download rate, network bandwidth, network packet loss rate and disk read-write speed. The CPU occupancy rate represents the percentage of the CPU occupied by programs on the current target host. The utilization rate data collected in this step can be stored in a traditional database such as MySQL or PostgreSQL, or in an in-memory database such as Redis or Memcached.
In this step, the frequency at which records are written to storage may be appropriately reduced in order to minimize the influence of the monitoring and acquisition program itself. For example, a write threshold n and a list that temporarily caches records are set; each time the list length reaches the threshold (list.length >= n), the cached records are written out with "insert()" and the cache is cleared with "list = new ArrayList()".
Here, the acquisition period is preset; preferably, the acquisition period is set to 5 ms.
In this step, illustratively, when the target host reaches a stable service state, the CPU occupancy rate, the memory occupancy rate, the network upload rate, the network download rate, the network bandwidth, the network packet loss rate, and the disk read/write speed of the target host begin to be acquired every 5 ms.
S200, determining the attack start time and the attack end time of the target host under the denial of service attack according to the utilization rate data.
Illustratively, the step of determining, according to the utilization data, an attack start time at which the target host is subject to a denial of service attack includes:
S201, determining a first sliding average value of the CPU occupancy rate corresponding to each acquisition point according to the following formula;
wherein $l_1$ is the length of the first sliding window; $r_{cpu}^{i}$ is the CPU occupancy rate corresponding to the i-th acquisition point in the first sliding window; the CPU occupancy rate corresponding to the n-th acquisition point;
S202, determining a first sliding average value of the memory occupancy rate corresponding to each acquisition point according to the following formula;
wherein $l_1$ is the length of the first sliding window; $r_{mem}^{i}$ is the memory occupancy rate corresponding to the i-th acquisition point in the first sliding window; the memory occupancy rate corresponding to the n-th acquisition point;
S203, determining a second sliding average value of the CPU occupancy rate corresponding to each acquisition point according to the following formula;
wherein $l_2$ is the length of the second sliding window;
S204, determining a second sliding average value of the memory occupancy rate corresponding to each acquisition point according to the following formula;
S205, determining whether the second sliding average value of the CPU occupancy rate or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is larger than a first preset threshold value;
If the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is greater than the first preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is greater than the first preset threshold value, then in step S206 the acquisition time corresponding to the acquisition point is taken as the attack start time of the target host under the denial of service attack.
If the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is greater than the first preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is greater than the first preset threshold value, it is indicated that the first sliding average value corresponding to the acquisition point is obviously raised, and the moment at this time is taken as the attack start moment of the target host under the denial of service attack, which is more reasonable and accurate for evaluating the attack start moment of the denial of service attack.
Next, how to determine the second sliding average value of the CPU occupancy rate corresponding to each acquisition point will be described with reference to a specific example.
In a specific example, assume that the length of the preset first sliding window is 3, the length of the second sliding window is 4, and the CPU occupancy rates corresponding to the first to seventh acquisition points after the target host reaches the steady state are F1 to F7, respectively. As the number of acquisition points increases, for the third acquisition point the values in the corresponding first sliding window are [F1, F2, F3], and the first sliding average value of the CPU occupancy rate corresponding to the third acquisition point can then be determined according to the formula:
According to the same principle, as the number of acquisition points increases, the first sliding average values of the CPU occupancy rate corresponding to the fourth to seventh acquisition points can be calculated.
For the seventh acquisition point, the values in the corresponding second sliding window at this time are known, and the second sliding average value of the CPU occupancy rate corresponding to the seventh acquisition point is then determined according to the formula:
Illustratively, the step of determining, according to the utilization rate data, the attack end time of the target host under the denial of service attack includes:
S207, determining whether a second sliding average value of the CPU occupancy rate or a second sliding average value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value;
If the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is smaller than the second preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is smaller than the second preset threshold value, then in step S208 the acquisition time corresponding to the acquisition point is taken as the attack end time of the target host under the denial of service attack.
If the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is smaller than the second preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is smaller than the second preset threshold value, it is indicated that the first sliding average value corresponding to the acquisition point is obviously reduced, and the time at this time is taken as the attack end time of the target host under the denial of service attack, which is more reasonable and accurate for evaluating the attack end time of the denial of service attack.
The step of determining the attack starting time and the attack ending time is more accurate than the prior art, so that the attack grade of the denial of service attack determined based on the attack starting time and the attack ending time is more accurate.
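The start and end detection of steps S201 to S208, as an added example that is not code from the patent. The formulas are not reproduced on this page, so the block assumes that the first sliding average is the mean of the last l1 samples and the second is the mean of the last l2 first averages; the sample series and thresholds are constructed, and the end condition uses "and" (the text allows "and/or") so that an attack that only raises CPU is not closed at once by idle memory.

```python
from collections import deque


def second_sliding_averages(samples, l1, l2):
    """Return the second sliding average per acquisition point.

    Entries are None while the windows are still filling. Assumption (the
    page does not show the formulas): first average = mean of the last l1
    samples, second average = mean of the last l2 first averages.
    """
    if l1 < 1 or l2 < 1:
        raise ValueError("window lengths must be positive")
    first_window = deque(maxlen=l1)
    second_window = deque(maxlen=l2)
    result = []
    for value in samples:
        first_window.append(value)
        if len(first_window) == l1:
            second_window.append(sum(first_window) / l1)
        if len(second_window) == l2:
            result.append(sum(second_window) / l2)
        else:
            result.append(None)
    return result


def find_attack_window(cpu, mem, l1, l2, start_threshold, end_threshold):
    """Return (start_index, end_index) of the detected attack, or None for each.

    Start (S205/S206): CPU or memory second average exceeds start_threshold.
    End (S207/S208): after a start, both second averages fall below
    end_threshold.
    """
    cpu_avg = second_sliding_averages(cpu, l1, l2)
    mem_avg = second_sliding_averages(mem, l1, l2)
    start = end = None
    for n, (c, m) in enumerate(zip(cpu_avg, mem_avg)):
        if c is None or m is None:
            continue  # windows not full yet
        if start is None:
            if c > start_threshold or m > start_threshold:
                start = n
        elif c < end_threshold and m < end_threshold:
            end = n
            break
    return start, end


# Constructed sample, one value per 5 ms acquisition period (percent).
# The load really changes at index 10 and returns to baseline at index 20.
PERIOD_MS = 5
CPU = [20] * 10 + [90] * 10 + [20] * 10
MEM = [25] * 30

if __name__ == "__main__":
    start, end = find_attack_window(CPU, MEM, l1=3, l2=4,
                                    start_threshold=60.0, end_threshold=30.0)
    print("attack start at", start * PERIOD_MS, "ms; end at", end * PERIOD_MS, "ms")
```

On this series the detected start lags the real change by three acquisition points, which is the smoothing delay of the two windows and should be considered when choosing l1, l2 and the thresholds.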
S300, determining evaluation values of a plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the period before the attack and the utilization rate data of the computing resources in the period during the attack.
The pre-attack time period is a time period between the moment when the target host reaches a stable service state and the attack starting moment; the in-attack time period is a time period between the attack start time and the attack end time.
Here, since the attack condition of the denial of service attack program on the target host is represented on the consumption condition of the target host on the computing resources, the attack effect of the denial of service attack program can be objectively evaluated by acquiring the change of the consumption condition of each computing resource.
Next, a step of determining evaluation values of a plurality of target computing resources on the target host according to the utilization data of the computing resources in the period before the attack and the utilization data of the computing resources in the period during the attack when the target computing resources are the CPU resources, the database resources, the memory resources, and the network resources will be described with reference to fig. 2, 3, 4, and 5, respectively.
Referring to fig. 2, fig. 2 is a flowchart illustrating a step of determining an evaluation value of a CPU resource according to an embodiment of the present application.
As shown in fig. 2, in step S301, the average occupancy rate of the CPU and the maximum occupancy rate of the CPU in the period before the attack are determined.
For example, the average occupancy of the CPU during the pre-attack period may be determined by the following formula:
wherein n is the number of acquisition points in the period before the attack; i is the index of the acquisition point; $orate_{cpu}^{i}$ is the CPU occupancy rate acquired at the i-th acquisition point in the period before the attack.
For example, the maximum occupancy of the CPU during the pre-attack period may be determined by the following formula:
wherein,and representing the acquisition point corresponding to the attack starting time.
In step S302, the average occupancy rate of the CPU, the maximum occupancy rate of the CPU, and the time taken from the attack start time to reach the maximum occupancy rate of the CPU in the attack time period are determined;
for example, the average occupancy of the CPU during the period of time in an attack may be determined by the following formula;
wherein,the acquisition points corresponding to the attack end time are acquired;
for example, the maximum occupancy of the CPU during the attack period may be determined by the following formula:
In step S303, determining the difference between the average occupancy rate of the CPU in the period before the attack and the average occupancy rate of the CPU in the period during the attack as the average occupancy rate consumption value of the CPU;
In step S304, determining the difference between the maximum value of the CPU occupancy rate in the period before the attack and the maximum value of the CPU occupancy rate in the period during the attack as the maximum occupancy rate consumption value of the CPU;
In step S305, a consumption value of the CPU resource is determined according to the average occupancy rate consumption value of the CPU, the maximum occupancy rate consumption value of the CPU, and the consumed time, and the consumption value of the CPU resource is used as the evaluation value of the CPU resource.
In this step, the average occupancy rate consumption value of the CPU, the maximum occupancy rate consumption value of the CPU, and the consumed time are multiplied by the corresponding weights, respectively, to obtain consumption values of CPU resources. Wherein the corresponding weights are preset.
For example, the evaluation value of the CPU resource can be calculated by the following formula:
wherein w1 is the weight corresponding to the average occupancy consumption value of the CPU, w2 is the weight corresponding to the maximum occupancy consumption value of the CPU, t is the time taken from the attack start time to reach the maximum occupancy of the CPU, and w3 is the weight corresponding to the time taken.
Referring to fig. 3, fig. 3 is a flowchart illustrating a step of determining an evaluation value of a database resource according to an embodiment of the present application.
As shown in fig. 3, in step S401, the average value and the maximum value of the disk read-write speed in the period before the attack are determined.
In step S402, determining a usage value of the database resource in the period before the attack according to the average value of the disk read-write speed in the period before the attack and the average value of the CPU occupancy rate in the period before the attack;
For example, the usage value of the database resource in the period before the attack can be determined by the following formula:
In step S403, determining the difference between the maximum value of the disk read-write speed in the period before the attack and the maximum value of the CPU occupancy rate in the period before the attack as the loss value of the database resource in the period before the attack;
For example, the loss value of the database resource in the period before the attack may be determined by the following formula:
In step S404, the average value and the maximum value of the disk read-write speed in the period during the attack are determined.
In step S405, determining a usage value of the database resource in the period during the attack according to the average value of the disk read-write speed in the period during the attack and the average value of the CPU occupancy rate in the period during the attack;
In step S406, determining the difference between the maximum value of the disk read-write speed in the period during the attack and the maximum value of the CPU occupancy rate in the period during the attack as the loss value of the database resource in the period during the attack;
In step S407, determining a consumption value of the database resource according to the usage value of the database resource in the period before the attack, the usage value of the database resource in the period during the attack, the loss value of the database resource in the period before the attack and the loss value of the database resource in the period during the attack, and taking the consumption value of the database resource as the evaluation value of the database resource.
For example, the evaluation value of the database resource may be determined by the following formula:
$J_{db} = (S_{db}' - S_{db}) \times w1 + (C_{db}' - C_{db}) \times w2$;
On the one hand, the disk read-write speed and the CPU occupancy rate are used together to determine the usage value of the database resource. Compared with directly taking the disk read-write speed as the usage value of the database resource, combining the CPU occupancy rate reflects the load on the database resource more truly, so the calculated attack level evaluation value of the denial of service attack on the target host is more accurate and reflects the actual attack effect of the denial of service attack program more accurately.
On the other hand, the consumption value of the database resource is determined by utilizing the disk read-write speed and the CPU occupancy rate, and compared with a mode of directly taking the disk read-write speed as the consumption value of the database resource, the CPU occupancy rate is combined, so that the load condition of the database resource is reflected more truly, the calculated attack grade evaluation value of the denial of service attack on the target host is more accurate, and the actual attack effect of the denial of service attack program can be reflected more accurately.
Referring to fig. 4, fig. 4 is a flowchart illustrating a step of determining an evaluation value of a memory resource according to an embodiment of the present application.
As shown in fig. 4, in step S501, the average occupancy rate of the memory and the maximum occupancy rate of the memory during the period before the attack are determined.
For example, the average occupancy of memory during the pre-attack period may be determined by the following equation:
wherein n is the number of acquisition points in the period before the attack; $orate_{mem}^{i}$ is the memory occupancy rate acquired at the i-th acquisition point in the period before the attack.
For example, the maximum occupancy of memory during the pre-attack period may be determined by the following equation:
In step S502, determining the average occupancy rate of the memory, the maximum occupancy rate of the memory, and the time taken from the attack start time to reach the maximum occupancy rate of the memory in the period during the attack;
For example, the average occupancy rate of the memory in the period during the attack may be determined by the following formula:
For example, the maximum occupancy rate of the memory in the period during the attack may be determined by the following formula:
In step S503, determining the difference between the average occupancy rate of the memory in the period before the attack and the average occupancy rate of the memory in the period during the attack as the average occupancy rate consumption value of the memory;
In step S504, determining the difference between the maximum value of the memory occupancy rate in the period before the attack and the maximum value of the memory occupancy rate in the period during the attack as the maximum occupancy rate consumption value of the memory;
In step S505, a consumption value of the memory resource is determined according to the average occupancy rate consumption value of the memory, the maximum occupancy rate consumption value of the memory and the consumed time, and the consumption value of the memory resource is used as the evaluation value of the memory resource.
In this step, the average occupancy rate consumption value of the memory, the maximum occupancy rate consumption value of the memory, and the consumed time are multiplied by the corresponding weights, respectively, to obtain an evaluation value of the memory resource. Wherein the corresponding weights are preset.
For example, the evaluation value of the memory resource can be calculated by the following formula:
wherein w1 is the weight corresponding to the average occupancy consumption value of the memory, w2 is the weight corresponding to the maximum occupancy consumption value of the memory, t is the time taken for reaching the maximum occupancy of the memory from the attack start time, and w3 is the weight corresponding to the time taken.
Referring to fig. 5, fig. 5 is a flowchart illustrating a step of determining an evaluation value of a network resource according to an embodiment of the present application.
As shown in fig. 5, in step S601, the average occupancy rate consumption value of the network is determined according to the network upload rate, the network download rate and the network bandwidth in the period before the attack, and the network upload rate, the network download rate and the network bandwidth in the period during the attack;
Illustratively, in this step, the average occupancy rate consumption value of the network may be determined by:
S6011, determining the average occupancy rate of the network in the period before the attack according to the network upload rate, the network download rate and the network bandwidth in the period before the attack;
In this step, first, the average upload rate of the network in the period before the attack is calculated from the network upload rate in the period before the attack, and the average download rate of the network in the period before the attack is calculated from the network download rate in the period before the attack; then, the average transmission rate of the network in the period before the attack is determined according to the average upload rate and the average download rate of the network in the period before the attack.
For example, the average transmission rate of the network in the period before the attack may be determined by the following formula:
wherein the two rate terms are the average upload rate and the average download rate of the network in the period before the attack, w1 is the weight corresponding to the average upload rate of the network, and w2 is the weight corresponding to the average download rate of the network.
And finally, determining the average occupancy of the network in the period before the attack according to the average transmission rate and the network bandwidth of the network in the period before the attack.
For example, the average occupancy of the network during the pre-attack period may be determined by the following equation:
wherein b is the network bandwidth, and the remaining term is the average transmission rate of the network in the period before the attack.
S6012, determining an average occupancy of the network in the attack time period according to the network upload rate, the network download rate, and the network bandwidth in the attack time period.
In this step, first, the average upload rate of the network in the period during the attack is calculated from the network upload rate in the period during the attack, and the average download rate of the network in the period during the attack is calculated; then, the average transmission rate of the network in the period during the attack is determined according to the average upload rate and the average download rate of the network; finally, the average occupancy rate of the network in the period during the attack is determined according to the average transmission rate of the network in the period during the attack and the network bandwidth. The manner of determining the average occupancy rate of the network in the period during the attack is the same as the manner of determining the average occupancy rate of the network in the period before the attack, so a detailed description is omitted.
The average transmission speed and the network bandwidth of the network are utilized to determine the average occupancy rate of the network, and compared with the mode of directly taking the average transmission speed of the network as the average occupancy rate of the network, the network bandwidth is combined, so that the actual average occupancy rate of the network is more reasonably reflected, the calculated attack level evaluation value of the denial of service attack on the target host is more accurate, and the actual attack effect of the denial of service attack program can be more accurately reflected.
S6013, determining a difference value between the average occupancy rate of the network in the period before the attack and the average occupancy rate of the network in the period during the attack as an average occupancy rate consumption value;
In step S602, a maximum occupancy rate consumption value of the network is determined according to the network maximum transmission rate and the network bandwidth in the period before the attack, and the network maximum transmission rate and the network bandwidth in the period during the attack.
Illustratively, the maximum occupancy consumption value of the network may be determined by:
S6021, determining the maximum occupancy rate of the network in the period before the attack according to the maximum transmission rate and the network bandwidth of the network in the period before the attack; here, the network maximum transmission rate in the period before attack is the maximum rate in the network uploading rate and the network downloading rate in the period before attack;
For example, the maximum occupancy rate of the network in the period before the attack may be determined by the following formula:
wherein $s_{max}$ is the maximum transmission rate of the network in the period before the attack.
S6022, determining the maximum occupancy rate of the network in the attack time period according to the maximum transmission rate and the network bandwidth of the network in the attack time period; here, the network maximum transmission rate in the period of time in attack is the maximum rate in the network uploading rate and the network downloading rate in the period of time in attack;
For example, the maximum occupancy rate of the network in the period during the attack may be determined by the following formula:
wherein $s_{max}'$ is the maximum transmission rate of the network in the period during the attack.
In the step, the mode of determining the maximum occupancy rate of the network by utilizing the maximum transmission speed of the network and the network bandwidth is combined with the network bandwidth compared with the mode of directly taking the maximum transmission speed of the network as the maximum occupancy rate of the network, so that the real maximum occupancy rate of the network is reflected more reasonably, the calculated attack grade evaluation value of the denial of service attack on the target host is more accurate, and the actual attack effect of the denial of service attack program can be reflected more accurately.
S6023, determining a difference between the maximum occupancy of the network in the period before the attack and the maximum occupancy of the network in the period during the attack as a maximum occupancy consumption value of the network.
Step S603, determining an average packet loss rate consumption value of the network according to the network packet loss rate in the period before the attack and the network packet loss rate in the period during the attack;
Illustratively, the average packet loss rate consumption value of the network may be determined by:
S6031, determining the average packet loss rate of the network in the period before the attack according to the network packet loss rate in the period before the attack;
S6032, determining the average packet loss rate of the network in the period during the attack according to the network packet loss rate in the period during the attack;
S6033, determining the difference between the average packet loss rate of the network in the period before the attack and the average packet loss rate of the network in the period during the attack as the average packet loss rate consumption value of the network;
Step S604, determining a maximum packet loss rate consumption value of the network according to the network maximum packet loss rate in the period before the attack and the network maximum packet loss rate in the period during the attack;
Illustratively, the maximum packet loss rate consumption value of the network may be determined by:
S6041, determining the maximum packet loss rate of the network in the period before the attack and the maximum packet loss rate of the network in the period during the attack;
S6042, determining the difference between the maximum packet loss rate of the network in the period before the attack and the maximum packet loss rate of the network in the period during the attack as the maximum packet loss rate consumption value of the network.
In step S605, a blocking value of the network resource is determined according to the occupancy consumption value of the network, the maximum occupancy consumption value of the network, the packet loss rate consumption value of the network, and the maximum packet loss rate consumption value of the network, and the blocking value of the network resource is used as an evaluation value of the network resource.
By way of example, the evaluation value of a network resource may be determined by the following formula:
wherein the four packet loss terms are, in order: the average packet loss rate of the network in the period during the attack; the average packet loss rate of the network in the period before the attack; the maximum packet loss rate of the network in the period during the attack; and the maximum packet loss rate of the network in the period before the attack.
In the step, by adding two indexes of average packet loss rate and maximum packet loss rate, the congestion condition in the network can be truly and objectively obtained, so that the calculated blocking value of the network resource has higher credibility, and the actual attack effect of the denial of service attack program on the network resource, namely the calculation resource, can be more comprehensively reflected.
With continued reference to fig. 1, in step S104, for each target computing resource, an attack level of the denial of service attack on the target host is determined according to the evaluation value of the target computing resource and the weight of the target computing resource.
Illustratively, the attack level at which a denial of service attack attacks the target host may be determined by:
S1041, determining an attack level evaluation value of the denial of service attack on the target host according to, for each target computing resource, the evaluation value of the target computing resource and the weight of the target computing resource;
For example, the attack level evaluation value of the denial of service attack on the target host may be determined by the following formula:
$J = J_{cpu} \times w1 + J_{db} \times w2 + J_{mem} \times w3 + J_{band} \times w4$;
wherein w1, w2, w3, and w4 are weights of CPU resource, database resource, memory resource, and network resource, respectively.
S1042, determining the attack level of the denial of service attack on the target host according to the attack level evaluation value.
As an example, the step of determining an attack level of the denial of service attack on the target host according to the attack level evaluation value may include: step S10421, determining an attack score of the denial of service attack on the target host according to the attack grade evaluation value; step S10422, determining an attack level of the denial of service attack on the target host according to the attack score.
In one example, determining, in step S10421, an attack score of the denial of service attack on the target host according to the attack rank evaluation value may include:
Inputting the attack level evaluation value into a preset scoring function to obtain the attack score of the denial of service attack on the target host.
For example, the scoring function may be the following:
wherein $j_1$ to $j_5$ are preset attack level evaluation value thresholds, and score is the attack score.
In another example, if there are multiple target hosts, that is, the denial of service attack program attacks multiple hosts in the same period of time, the determining the attack score of the denial of service attack on the target host according to the attack rank evaluation value in step S10421 may include:
Obtaining the attack score of the denial of service attack on the target host by means of normalized data processing.
For example, the attack score of a denial of service attack on the target host may be determined by the following formula:
wherein $J_{Min}$ is the smallest attack level evaluation value among the plurality of target hosts; $J_{Max}$ is the largest attack level evaluation value among the plurality of target hosts.
In this step, the attack level evaluation value may indicate a degree of damage caused by the denial of service attack to the target host, for example, the higher the attack level evaluation value, the greater the influence of the denial of service attack on each computing resource before and after the attack, thereby indicating a higher attack level of the denial of service attack on the target host, or indicating a lower defending level of the target host against the denial of service attack.
For example, in step S10422, the step of determining, according to the attack score, an attack level of the denial of service attack on the target host may include:
and determining the attack level of the denial of service attack on the target host according to the attack score and the attack level comparison table.
For example, the attack level lookup table may be as shown in table 1:
TABLE 1 Attack level comparison table

| Attack score | Attack level |
|---|---|
| [90, 100] | Level five |
| [80, 90) | Level four |
| [70, 80) | Level three |
| [60, 70) | Level two |
| [0, 60) | Level one |
Here, attack level one indicates that the attack effect of the denial of service attack is a failure, attack level two indicates that the attack effect is a failure, attack level three indicates that the attack effect is normal, attack level four indicates that the attack effect is good, and attack level five indicates that the attack effect is excellent. Through this correspondence between attack level and attack effect, the attack effect can be determined from the attack level and the actual attack situation of the denial of service attack can be understood; a corresponding security defense system can then be deployed for the target host according to the attack level or the attack effect.
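The multi-host normalized scoring and the Table 1 lookup described above, as an added Python example that is not part of the patent text. The min-max form scaled to 0..100 is an assumption (the patent's equation is not reproduced on this page), and the function names, host names and evaluation values are constructed for illustration.

```python
from bisect import bisect_right

# Lower bounds of levels two..five from Table 1; scores in [0, 60) are level one.
LEVEL_LOWER_BOUNDS = [60, 70, 80, 90]
LEVEL_NAMES = ["one", "two", "three", "four", "five"]


def attack_level(score):
    """Map an attack score in [0, 100] to its Table 1 level.

    The intervals are half-open ([60, 70), [70, 80), ...) except the top
    one, [90, 100], so a score sitting exactly on a bound belongs to the
    higher level. bisect_right gives exactly that behaviour.
    """
    if not 0 <= score <= 100:
        raise ValueError(f"attack score {score!r} is outside [0, 100]")
    return LEVEL_NAMES[bisect_right(LEVEL_LOWER_BOUNDS, score)]


def normalized_scores(eval_by_host):
    """Scale per-host attack level evaluation values J onto 0..100.

    ASSUMPTION: score = 100 * (J - J_Min) / (J_Max - J_Min), the usual
    min-max normalization built from the J_Min and J_Max the text names.
    """
    if len(eval_by_host) < 2:
        raise ValueError("normalization needs at least two target hosts")
    j_min = min(eval_by_host.values())
    j_max = max(eval_by_host.values())
    if j_max == j_min:
        # Every host was affected identically, so the ratio is 0/0 and the
        # relative score carries no information. Use the single-host preset
        # scoring function for this case instead.
        raise ValueError("all evaluation values are equal; cannot normalize")
    span = j_max - j_min
    # Multiply before dividing so values on a level boundary stay exact.
    return {host: 100.0 * (j - j_min) / span for host, j in eval_by_host.items()}


def rank_hosts(eval_by_host):
    """Return {host: (attack score, attack level)} for one attack period."""
    scores = normalized_scores(eval_by_host)
    return {host: (score, attack_level(score)) for host, score in scores.items()}


# Constructed evaluation values for five hosts attacked in the same period.
SAMPLE_EVAL_VALUES = {
    "host-a": 20.0,
    "host-b": 70.0,
    "host-c": 55.0,
    "host-d": 62.0,
    "host-e": 50.0,
}

if __name__ == "__main__":
    for host, (score, level) in sorted(rank_hosts(SAMPLE_EVAL_VALUES).items()):
        print(f"{host}: score={score:5.1f} level={level}")
```

Under the assumed min-max form the most affected host always scores 100 and the least affected always scores 0, so the resulting levels rank the hosts against each other rather than measure absolute impact.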
According to the method for determining the defending grade of the denial of service attack, which is provided by the embodiment of the application, according to the utilization rate data of a plurality of computing resources, the evaluation values of a plurality of target computing resources are determined, then the attack grade evaluation value of the denial of service attack on the target host is determined according to the evaluation values of a plurality of target computing resources, and then the attack grade of the denial of service attack on the target host is determined according to the attack grade evaluation value. By the method, the attack level of the denial of service attack on the target host can be accurately determined.
Based on the same inventive concept, the embodiment of the application also provides a device for determining the attack level of the denial of service attack, which corresponds to the method for determining the attack level of the denial of service attack.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an apparatus for determining an attack level of a denial of service attack according to an embodiment of the present application, where the determining apparatus 600 includes:
the monitoring module 610 is configured to periodically obtain utilization data of a plurality of computing resources of the target host under a stable service state condition;
a determining module 620, configured to determine, according to the utilization data, an attack start time and an attack end time when the target host is under a denial of service attack;
a computing module 630, configured to determine evaluation values of a plurality of target computing resources on the target host according to the utilization data of the computing resources in the period before the attack and the utilization data of the computing resources in the period during the attack;
and the evaluation module 640 is configured to determine, for each target computing resource, an attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource.
In a possible implementation manner, the determining module 620 includes an attack start time determining unit 621 and an attack end time determining unit 622 (not shown in the figure);
the attack start time determining unit 621 specifically functions to: for each acquisition point, determining a first sliding average value of CPU occupancy rates corresponding to the acquisition point according to the following formula;
where $l_1$ is the length of the first sliding window, and $r_{cpu}^{i}$ is the CPU occupancy rate corresponding to the i-th acquisition point in the first sliding window;
for each acquisition point, determining a first sliding average value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
where $l_1$ is the length of the first sliding window, and $r_{mem}^{i}$ is the memory occupancy rate corresponding to the i-th acquisition point in the first sliding window;
For each acquisition point, determining a second sliding average value of the CPU occupancy rate corresponding to the acquisition point according to the following formula;
where $l_2$ is the length of the second sliding window;
for each acquisition point, determining a second sliding average value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
determining whether a second sliding average value of the CPU occupancy rate or a second sliding average value of the memory occupancy rate corresponding to the acquisition point is larger than a first preset threshold value;
and if the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is greater than a first preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is greater than a first preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack starting time of the target host under the denial of service attack.
The attack end time determining unit 622 is specifically configured to: determining whether a second sliding average value of the CPU occupancy rate or a second sliding average value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value;
and if the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack end time of the target host under the denial of service attack.
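The start and end detection performed by units 621 and 622, as an added Python example that is not part of the patent text. The sliding-average formulas are not reproduced on this page, so the example assumes the first sliding average is a trailing arithmetic mean over $l_1$ acquisition points and the second is a trailing mean over $l_2$ first averages; the `end_rule` parameter, the function names and the sample trace are constructed for illustration.

```python
from collections import deque


def sliding_mean(values, window):
    """Trailing mean over `window` points; None until the window has filled."""
    buf, out = deque(maxlen=window), []
    for v in values:
        if v is not None:          # leading None = upstream window not yet full
            buf.append(v)
        out.append(sum(buf) / window if len(buf) == window else None)
    return out


def second_sliding_mean(samples, l1, l2):
    """ASSUMED form: the mean of the last l2 first sliding averages."""
    return sliding_mean(sliding_mean(samples, l1), l2)


def find_attack_window(times, cpu, mem, l1, l2, start_thr, end_thr, end_rule="all"):
    """Return (attack start time, attack end time); end is None if still ongoing.

    Start: either smoothed metric exceeds the first preset threshold.
    End:   the text says "and/or" for the second preset threshold, so both
           readings are offered. end_rule="all" needs CPU and memory below
           it; end_rule="any" needs only one of them below it.
    """
    cpu2 = second_sliding_mean(cpu, l1, l2)
    mem2 = second_sliding_mean(mem, l1, l2)
    below = all if end_rule == "all" else any
    start = None
    for t, c, m in zip(times, cpu2, mem2):
        if c is None or m is None:
            continue               # smoothing windows still filling
        if start is None:
            if c > start_thr or m > start_thr:
                start = t
        elif below(v < end_thr for v in (c, m)):
            return start, t
    return start, None


# Constructed trace, one acquisition point per second: CPU occupancy sits at
# 20 %, jumps to 95 % for t = 10..19, then returns to 20 %. Memory stays at 25 %.
TIMES = list(range(30))
CPU = [20.0] * 10 + [95.0] * 10 + [20.0] * 10
MEM = [25.0] * 30

if __name__ == "__main__":
    print(find_attack_window(TIMES, CPU, MEM, 3, 2, 70, 30))
    print(find_attack_window(TIMES, CPU, MEM, 3, 2, 70, 30, end_rule="any"))
```

On this trace the load rises at t=10 and falls at t=20, but the detected window is (12, 23): the double smoothing delays both boundaries, which moves samples between the pre-attack and in-attack periods used for the evaluation values. With `end_rule="any"` the window closes at t=13 because memory never left its baseline, so the "or" reading only works when every monitored resource is saturated.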
In one possible implementation, the computing module 630 is specifically configured to:
determining the average occupancy rate of the CPU and the maximum occupancy rate of the CPU in a period before attack;
determining the average occupancy rate of the CPU, the maximum occupancy rate of the CPU and the time taken for the maximum occupancy rate of the CPU to be reached from the attack starting time in the attack time period;
determining the difference value of the average occupancy rate of the CPU in the period before the attack and the average occupancy rate of the CPU in the period during the attack as an average occupancy rate consumption value of the CPU;
determining the difference value of the maximum occupancy rate of the CPU in the period before the attack and the maximum occupancy rate of the CPU in the period during the attack as the maximum occupancy rate consumption value of the CPU;
and determining the consumption value of the CPU resource according to the average occupancy rate consumption value of the CPU, the maximum occupancy rate consumption value of the CPU and the consumed time, and taking the consumption value of the CPU resource as the evaluation value of the CPU resource.
In one possible implementation, the computing module 630 is further configured to:
determining an average value of the disk read-write speed and a maximum value of the disk read-write speed in a period before attack;
determining a use value of a database resource in the time period before attack according to the average value of the disk read-write speed in the time period before attack and the average value of the CPU occupancy rate in the time period before attack;
Determining the difference between the maximum value of the disk read-write speed in the period before attack and the maximum value of the CPU occupancy rate in the period before attack as the loss value of the database resource in the period before attack;
determining an average value of the disk read-write speed and a maximum value of the disk read-write speed in the attack time period;
determining a using value of a database resource in the period of the attack according to the average value of the disk read-write speed in the period of the attack and the average value of the CPU occupancy rate in the period of the attack;
determining a difference value between the maximum value of the disk read-write speed in the in-attack time period and the maximum value of the CPU occupancy rate in the in-attack time period as a loss value of a database resource in the in-attack time period;
and determining the consumption value of the database resource according to the use value of the database resource in the time period before the attack, the use value of the database resource in the time period during the attack, the loss value of the database resource in the time period before the attack and the loss value of the database resource in the time period during the attack, and taking the consumption value of the database resource as the evaluation value of the database resource.
In one possible implementation, the computing module 630 is further configured to:
Determining the average occupancy rate of the memory and the maximum occupancy rate of the memory in a period before attack;
determining the average occupancy rate of the memory, the maximum occupancy rate of the memory and the time taken for the maximum occupancy rate of the memory to be reached from the attack start time in the attack time period;
determining the difference value of the average occupancy rate of the memory in the period before the attack and the average occupancy rate of the memory in the period during the attack as the average occupancy rate consumption value of the memory;
determining the difference value of the maximum occupancy rate of the memory in the period before the attack and the maximum occupancy rate of the memory in the period during the attack as the maximum occupancy rate consumption value of the memory;
and determining the consumption value of the memory resource according to the average occupancy rate consumption value of the memory, the maximum occupancy rate consumption value of the memory and the consumed time, and taking the consumption value of the memory resource as the evaluation value of the memory resource.
In one possible implementation, the computing module 630 is further configured to:
determining a network average occupancy consumption value according to the network uploading rate, the network downloading rate, the network bandwidth in the period before the attack, the network uploading rate, the network downloading rate and the network bandwidth in the period during the attack;
Determining a network maximum occupancy consumption value according to the network maximum transmission rate, the network bandwidth in the period before the attack, the network maximum transmission rate and the network bandwidth in the period during the attack;
determining a network average packet loss rate consumption value according to the network packet loss rate in the period before the attack and the network packet loss rate in the period during the attack;
determining a consumption value of the network maximum packet loss rate according to the network maximum packet loss rate in the period before the attack and the network maximum packet loss rate in the period during the attack;
and determining a blocking value of the network resource according to the network occupancy consumption value, the network maximum occupancy consumption value, the network packet loss rate consumption value and the network maximum packet loss rate consumption value, and taking the blocking value of the network resource as an evaluation value of the network resource.
In one possible implementation, the computing module 630 is further configured to:
for each target computing resource, determining an attack level evaluation value of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource;
and determining the attack level of the denial of service attack on the target host according to the attack level evaluation value.
Referring to fig. 7, fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 7, the electronic device 700 includes a processor 710, a memory 720, and a bus 730.
The memory 720 stores machine-readable instructions executable by the processor 710, when the electronic device 700 is running, the processor 710 communicates with the memory 720 through the bus 730, and when the machine-readable instructions are executed by the processor 710, the steps of the method for determining an attack level of denial of service attack in the above method embodiment may be executed, and detailed description of the method embodiment will be omitted.
The embodiment of the present application further provides a computer readable storage medium, where a computer program is stored on the computer readable storage medium, and when the computer program is executed by a processor, the steps of the method for determining an attack level of a denial of service attack in the foregoing method embodiment may be executed, and a specific implementation manner may refer to the method embodiment and will not be described herein.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer readable storage medium executable by a processor. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Finally, it should be noted that the foregoing examples are merely specific embodiments of the present application and are not intended to limit its scope. Although the present application has been described in detail with reference to the foregoing examples, those skilled in the art will appreciate that any person skilled in the art may, within the technical scope disclosed in the present application, modify or readily conceive of changes to the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of the technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (14)

1. A method of determining an attack level of a denial of service attack, the method comprising:
periodically acquiring utilization rate data of a plurality of computing resources of a target host under the condition of stable service state;
determining the attack starting time and the attack ending time of the target host under the denial of service attack according to the utilization rate data;
determining evaluation values of a plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the period before the attack and the utilization rate data of the computing resources in the period during the attack; the pre-attack time period is a time period between the moment when the target host reaches a stable service state and the attack starting moment; the time period in the attack is a time period between the attack starting time and the attack ending time;
determining an attack level of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource aiming at each target computing resource;
when the target computing resource is a CPU resource, determining evaluation values of a plurality of target computing resources on the target host according to the utilization rate data of the computing resource in a period before the attack and the utilization rate data of the computing resource in a period during the attack, including:
Determining the average occupancy rate of the CPU and the maximum occupancy rate of the CPU in a period before attack;
determining the average occupancy rate of the CPU, the maximum occupancy rate of the CPU and the time taken for the maximum occupancy rate of the CPU to be reached from the attack starting time in the attack time period;
determining the difference value of the average occupancy rate of the CPU in the period before the attack and the average occupancy rate of the CPU in the period during the attack as an average occupancy rate consumption value of the CPU;
determining the difference value of the maximum occupancy rate of the CPU in the period before the attack and the maximum occupancy rate of the CPU in the period during the attack as the maximum occupancy rate consumption value of the CPU;
and determining the consumption value of the CPU resource according to the average occupancy rate consumption value of the CPU, the maximum occupancy rate consumption value of the CPU and the consumed time, and taking the consumption value of the CPU resource as the evaluation value of the CPU resource.
2. The method of claim 1, wherein the utilization data comprises: CPU occupancy rate, memory occupancy rate, network uploading rate, network downloading rate, network bandwidth, network packet loss rate and disk read-write speed; the target computing resource includes: CPU resources, memory resources, network resources and database resources.
3. The method of claim 2, wherein determining an attack start time for the target host to be attacked by the denial of service based on the utilization data comprises:
for each acquisition point, determining a first sliding average value of CPU occupancy rates corresponding to the acquisition point according to the following formula;
where $l_1$ is the length of the first sliding window, and $r_{cpu}^{i}$ is the CPU occupancy rate corresponding to the i-th acquisition point in the first sliding window;
for each acquisition point, determining a first sliding average value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
where $l_1$ is the length of the first sliding window, and $r_{mem}^{i}$ is the memory occupancy rate corresponding to the i-th acquisition point in the first sliding window;
for each acquisition point, determining a second sliding average value of the CPU occupancy rate corresponding to the acquisition point according to the following formula;
where $l_2$ is the length of the second sliding window;
for each acquisition point, determining a second sliding average value of the memory occupancy rate corresponding to the acquisition point according to the following formula;
determining whether a second sliding average value of the CPU occupancy rate or a second sliding average value of the memory occupancy rate corresponding to the acquisition point is larger than a first preset threshold value;
and if the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is greater than a first preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is greater than a first preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack starting time of the target host under the denial of service attack.
4. The method of claim 3, wherein determining an attack end point at which the target host is subject to a denial of service attack based on the utilization data comprises:
determining whether a second sliding average value of the CPU occupancy rate or a second sliding average value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value;
and if the second sliding average value of the CPU occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value and/or the second sliding average value of the memory occupancy rate corresponding to the acquisition point is smaller than a second preset threshold value, taking the acquisition time corresponding to the acquisition point as the attack end time of the target host under the denial of service attack.
5. The method of claim 1, wherein when the target computing resource is a database resource, determining the evaluation values of the plurality of target computing resources on the target host based on the utilization data of the computing resource during the pre-attack period and the utilization data of the computing resource during the in-attack period comprises:
determining an average value of the disk read-write speed and a maximum value of the disk read-write speed in a period before attack;
determining a use value of a database resource in the time period before attack according to the average value of the disk read-write speed in the time period before attack and the average value of the CPU occupancy rate in the time period before attack;
Determining the difference between the maximum value of the disk read-write speed in the period before attack and the maximum value of the CPU occupancy rate in the period before attack as the loss value of the database resource in the period before attack;
determining an average value of the disk read-write speed and a maximum value of the disk read-write speed in the attack time period;
determining a using value of a database resource in the period of the attack according to the average value of the disk read-write speed in the period of the attack and the average value of the CPU occupancy rate in the period of the attack;
determining a difference value between the maximum value of the disk read-write speed in the in-attack time period and the maximum value of the CPU occupancy rate in the in-attack time period as a loss value of a database resource in the in-attack time period;
and determining the consumption value of the database resource according to the use value of the database resource in the time period before the attack, the use value of the database resource in the time period during the attack, the loss value of the database resource in the time period before the attack and the loss value of the database resource in the time period during the attack, and taking the consumption value of the database resource as the evaluation value of the database resource.
6. The method of claim 1, wherein when the target computing resource is a memory resource, the determining the evaluation values of the plurality of target computing resources on the target host according to the utilization data of the computing resource in the period before the attack and the utilization data of the computing resource in the period during the attack comprises:
Determining the average occupancy rate of the memory and the maximum occupancy rate of the memory in a period before attack;
determining the average occupancy rate of the memory, the maximum occupancy rate of the memory and the time taken for the maximum occupancy rate of the memory to be reached from the attack start time in the attack time period;
determining the difference value of the average occupancy rate of the memory in the period before the attack and the average occupancy rate of the memory in the period during the attack as the average occupancy rate consumption value of the memory;
determining the difference value of the maximum occupancy rate of the memory in the period before the attack and the maximum occupancy rate of the memory in the period during the attack as the maximum occupancy rate consumption value of the memory;
and determining the consumption value of the memory resource according to the average occupancy rate consumption value of the memory, the maximum occupancy rate consumption value of the memory and the consumed time, and taking the consumption value of the memory resource as the evaluation value of the memory resource.
7. The method of claim 1, wherein when the target computing resource is a network resource, the determining the evaluation values of the plurality of target computing resources on the target host according to the utilization data of the computing resource in the period before the attack and the utilization data of the computing resource in the period during the attack comprises:
Determining a network average occupancy consumption value according to the network uploading rate, the network downloading rate, the network bandwidth in the period before the attack, the network uploading rate, the network downloading rate and the network bandwidth in the period during the attack;
determining a network maximum occupancy consumption value according to the network maximum transmission rate, the network bandwidth in the period before the attack, the network maximum transmission rate and the network bandwidth in the period during the attack;
determining a network average packet loss rate consumption value according to the network packet loss rate in the period before the attack and the network packet loss rate in the period during the attack;
determining a consumption value of the network maximum packet loss rate according to the network maximum packet loss rate in the period before the attack and the network maximum packet loss rate in the period during the attack;
and determining a blocking value of the network resource according to the network occupancy consumption value, the network maximum occupancy consumption value, the network packet loss rate consumption value and the network maximum packet loss rate consumption value, and taking the blocking value of the network resource as an evaluation value of the network resource.
8. The method of claim 7, wherein determining the average occupancy consumption value based on the network upload rate, the network download rate, the network bandwidth during the pre-attack period, the network upload rate, the network download rate, and the network bandwidth during the during-attack period comprises:
Determining the average occupancy rate of the network in the period before the attack according to the network uploading rate, the network downloading rate and the network bandwidth in the period before the attack;
determining the average occupancy rate of the network in the attack time period according to the network uploading rate, the network downloading rate and the network bandwidth in the attack time period;
and determining the difference value of the average occupancy rate of the network in the period before the attack and the average occupancy rate of the network in the period during the attack as the average occupancy rate consumption value of the network.
9. The method of claim 7, wherein determining the maximum occupancy consumption value of the network based on the network maximum transmission rate during the pre-attack time period, the network bandwidth, the network maximum transmission rate during the in-attack time period, and the network bandwidth comprises:
determining the maximum occupancy of the network in the period before the attack according to the maximum transmission rate and the network bandwidth of the network in the period before the attack; the network maximum transmission rate in the pre-attack time period is the maximum rate in the network uploading rate and the network downloading rate in the pre-attack time period;
determining the maximum occupancy of the network in the period of attack according to the maximum transmission rate of the network and the network bandwidth in the period of attack; the maximum transmission rate of the network in the period of attack is the maximum rate of the network uploading rate and the network downloading rate in the period of attack;
The difference between the maximum occupancy of the network in the period before the attack and the maximum occupancy of the network in the period during the attack is determined as the maximum occupancy consumption value of the network.
10. The method of claim 7, wherein determining the average packet loss rate consumption value of the network based on the network packet loss rate in the pre-attack time period and the network packet loss rate in the in-attack time period comprises:
determining the average network packet loss rate in the pre-attack time period according to the network packet loss rate in the pre-attack time period;
determining the average network packet loss rate in the in-attack time period according to the network packet loss rate in the in-attack time period;
determining the difference between the average network packet loss rate in the pre-attack time period and the average network packet loss rate in the in-attack time period as the average packet loss rate consumption value of the network;
and wherein determining the maximum packet loss rate consumption value of the network according to the maximum network packet loss rate in the pre-attack time period and the maximum network packet loss rate in the in-attack time period comprises:
determining the maximum network packet loss rate in the pre-attack time period and the maximum network packet loss rate in the in-attack time period;
and determining the difference between the maximum network packet loss rate in the pre-attack time period and the maximum network packet loss rate in the in-attack time period as the maximum packet loss rate consumption value of the network.
11. The method of claim 1, wherein for each target computing resource, determining an attack level for the denial of service attack on the target host based on the evaluation value of the target computing resource and the weight of the target computing resource comprises:
for each target computing resource, determining an attack level evaluation value of the denial of service attack on the target host according to the evaluation value of the target computing resource and the weight of the target computing resource;
and determining the attack level of the denial of service attack on the target host according to the attack level evaluation value.
12. An apparatus for determining an attack level of a denial of service attack, the apparatus comprising:
a monitoring module, configured to periodically acquire utilization rate data of a plurality of computing resources of the target host in a stable service state;
a determining module, configured to determine, according to the utilization rate data, the attack starting time and the attack ending time of the denial of service attack on the target host;
a computing module, configured to determine evaluation values of a plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the pre-attack time period and the utilization rate data of the computing resources in the in-attack time period; the pre-attack time period is the time period between the moment when the target host reaches a stable service state and the attack starting time; the in-attack time period is the time period between the attack starting time and the attack ending time;
an evaluation module, configured to determine the attack level of the denial of service attack on the target host according to the evaluation value of each target computing resource and the weight of the target computing resource;
wherein, when the target computing resource is a CPU resource, determining the evaluation values of the plurality of target computing resources on the target host according to the utilization rate data of the computing resources in the pre-attack time period and the utilization rate data of the computing resources in the in-attack time period comprises:
determining the average occupancy rate of the CPU and the maximum occupancy rate of the CPU in the pre-attack time period;
determining, in the in-attack time period, the average occupancy rate of the CPU, the maximum occupancy rate of the CPU, and the time taken from the attack starting time for the maximum occupancy rate of the CPU to be reached;
determining the difference between the average occupancy rate of the CPU in the pre-attack time period and the average occupancy rate of the CPU in the in-attack time period as the average occupancy rate consumption value of the CPU;
determining the difference between the maximum occupancy rate of the CPU in the pre-attack time period and the maximum occupancy rate of the CPU in the in-attack time period as the maximum occupancy rate consumption value of the CPU;
and determining the consumption value of the CPU resource according to the average occupancy rate consumption value of the CPU, the maximum occupancy rate consumption value of the CPU and the time taken, and taking the consumption value of the CPU resource as the evaluation value of the CPU resource.
13. An electronic device, comprising: a processor, a memory and a bus, said memory storing machine-readable instructions executable by said processor, said processor and said memory communicating via said bus when the electronic device is running, said machine-readable instructions when executed by said processor performing the steps of the method of determining an attack level of a denial of service attack according to any of claims 1 to 11.
14. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when executed by a processor, performs the steps of the method of determining an attack level of a denial of service attack according to any of claims 1 to 11.
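The consumption values recited in claims 9, 10 and 12 can be computed from periodic samples as in the following added example, which is not part of the patent text. The sample data, the function names, the occupancy formula (rate divided by bandwidth) and the sign convention (in-attack minus pre-attack) are assumptions; the weighting step of claim 11 is not shown.

```python
from statistics import mean

# Constructed samples: (t_s, cpu_pct, upload_mbps, download_mbps, loss_pct)
SAMPLES = [
    (0, 10.0, 5.0, 20.0, 0.0),
    (10, 12.0, 6.0, 22.0, 0.1),
    (20, 11.0, 5.0, 18.0, 0.0),
    (30, 55.0, 8.0, 70.0, 2.0),
    (40, 95.0, 9.0, 96.0, 8.0),
    (50, 90.0, 9.0, 94.0, 6.0),
    (60, 14.0, 6.0, 25.0, 0.2),
]
BANDWIDTH_MBPS = 100.0  # assumed link capacity


def split_windows(samples, stable_t, attack_start, attack_end):
    """Pre-attack: [stable_t, attack_start); in-attack: [attack_start, attack_end]."""
    pre = [s for s in samples if stable_t <= s[0] < attack_start]
    during = [s for s in samples if attack_start <= s[0] <= attack_end]
    if not pre or not during:
        raise ValueError("both windows need at least one sample")
    return pre, during


def col(window, i):
    return [s[i] for s in window]


def max_occupancy(window, bandwidth):
    # Maximum transmission rate is the greater of upload and download;
    # expressing occupancy as a percentage of bandwidth is an assumption.
    return 100.0 * max(max(s[2], s[3]) for s in window) / bandwidth


def consumption_values(samples, stable_t, attack_start, attack_end, bandwidth):
    """Assumed sign: in-attack minus pre-attack, so positive means more load."""
    pre, during = split_windows(samples, stable_t, attack_start, attack_end)
    peak_t = max(during, key=lambda s: s[1])[0]  # first sample at peak CPU
    return {
        "cpu_avg": mean(col(during, 1)) - mean(col(pre, 1)),
        "cpu_max": max(col(during, 1)) - max(col(pre, 1)),
        "cpu_time_to_peak_s": peak_t - attack_start,
        "net_max_occupancy": max_occupancy(during, bandwidth) - max_occupancy(pre, bandwidth),
        "loss_avg": mean(col(during, 4)) - mean(col(pre, 4)),
        "loss_max": max(col(during, 4)) - max(col(pre, 4)),
    }
```
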
CN202210640737.4A 2022-06-07 2022-06-07 Method, device and electronic equipment for determining attack level of denial of service attack Active CN115051847B (en)

Publications (2)

Publication Number Publication Date
CN115051847A CN115051847A (en) 2022-09-13
CN115051847B CN115051847B (en) 2024-01-19

Family

ID=83160997


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant