CN115811428A - Defense method, system, equipment and storage medium for resisting DDoS attack - Google Patents


Info
Publication number: CN115811428A
Application number: CN202211504042.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 贾忠田, 马莉, 彭立志, 张波, 葛海统
Original and current assignee: University of Jinan
Prior art keywords: access terminal, transfer, server, authentication, transfer unit


Abstract

The invention provides a defense method, system, device and storage medium against DDoS attacks. The defense method comprises: the verification server receives the identity request of the access terminal and verifies the access terminal's identity information; the verification server then judges from the verification result whether the condition for allocating a transit group to the access terminal is met. Transit machines are placed between the application server and the access terminals, which hides the application server behind the transit machines so that an attacker cannot find a target to attack. Transit groups are generated by combining the transit machines of a region, so the number of usable transit groups is far larger than the total number of transit machines: when the access volume is very large, choosing m of n transit machines to form a group effectively increases the number of allocatable units.

Description

Defense method, system, equipment and storage medium for resisting DDoS attack
Technical Field
The present invention relates to the field of network security protection technologies, and in particular, to a method, a system, a device, and a storage medium for defending against DDoS attacks.
Background
DDoS (Distributed Denial of Service) attacks use many compromised computers to attack one target at the same time, so that the target can no longer be used normally; many large websites have been taken offline this way, which not only disrupts users but also causes heavy economic loss. Against large-scale distributed denial of service attacks, filtering the network traffic with cloud servers offers strong protection at low cost, and has gradually become the preferred way to resist DDoS attacks.
Chinese patent CN109088941A mainly discloses: node resources distributed over different geographic locations are integrated into cloud resources; the health of each cloud server is judged from system parameters such as the load, hardware utilization, cloud resource allocation rate and cleaning volume of the node resources; and the application service is dynamically migrated to a cloud server in good running condition to keep the service available. In other words, the application service is dynamically pulled onto different cloud servers, whose running states are monitored in real time, and it is migrated to whichever cloud server is running well. This patent has the following problems. First, the security of the application service cannot be guaranteed; an application service with a high confidentiality requirement cannot be allowed to migrate to an external cloud server. Second, the continuity of the application service cannot be guaranteed: if the running state of the cloud server hosting the service deteriorates in the short interval before the service is migrated to a healthy cloud server, the service stops working. Finally, the address and port number of the cloud server running the application service remain exposed on the internet, so the risk of network attack remains.
Chinese patent CN110138783A keeps the application service on the same cloud server but dynamically changes that server's IP address when it comes under attack. Specifically, an attacker who wants to hit a network target first gathers attack traffic from the controlled puppet computers into the network operator's backbone, which carries it along the operator's lines into an IDC (internet data center) room and on to the targeted cloud server. When the IDC operator detects attack traffic above the rated threshold, it reports the traffic, together with the targeted IP address, to the network operator, which is responsible for discarding it; at the same time the IDC operator assigns a new IP address to the attacked cloud server, so the attacker cannot continue the attack against the original address. That is, this scheme relies on the network operator's control over the whole network, which requires a cooperation agreement with the operator and is therefore expensive. Moreover, after a DDoS attack the IDC operator must assign the attacked cloud server a new IP address, and the application service may be interrupted while the address is switched.
Chinese patent application CN104869118A mainly discloses: a secure tunnel is established between the access terminal and a tunnel gateway, and the tunnel gateway forwards the access terminal's service requests to the application server. Specifically, before connecting to a tunnel gateway the access terminal sends a tunnel gateway request to a service controller, which is responsible for identifying the access terminal. After identification, the service controller sends the access terminal, in one message, several tunnel gateways ordered by a priority rule; the access terminal first establishes a secure tunnel with the first gateway, and when it detects that the quality of service of the current tunnel has degraded it establishes a secure tunnel with the next gateway. The access terminal can thus switch freely among several tunnel gateways, which amounts to using a set of tunnel gateways as a front-end firewall for the application server. This technique has at least two drawbacks. First, when every gateway in the set allocated to an access terminal is in a degraded state, the access terminal has no usable gateway at all. Second, when the number of access terminals is very large, deciding how many tunnel gateways to provision becomes a hard problem.
If different access terminals are allocated different tunnel gateways, the system needs a huge number of gateways, which greatly increases the defense cost; if every access terminal is allocated the same set of gateways, an attacker only needs to attack that set simultaneously to achieve the attack effect, which lowers the security factor.
Disclosure of Invention
Technical problem to be solved
In view of the above disadvantages and shortcomings of the prior art, the present invention provides a defense method, system, device and storage medium against DDoS attacks. It addresses the problems that DDoS attacks with extremely large traffic cannot be withstood and that the cost of existing defenses is too high to be acceptable for ordinary users, as well as the high misjudgment rate and high miss rate of the prior art schemes.
(II) technical scheme
In order to achieve the purpose, the invention adopts the main technical scheme that:
in a first aspect, an embodiment of the present invention provides a defense method against DDoS attacks, comprising the following steps:
the verification server receives an identity request from the access terminal and performs identity verification on the access terminal's identity information;
the verification server judges from the verification result whether the condition for allocating a transit group to the access terminal is met;
if the access terminal's identity verification meets the condition, a transit group is allocated to the access terminal. Before transit groups are allocated, the verification server must generate them in advance: any m of the n transit machines form one group, so the number of groups that can be formed is
$$\binom{n}{m} = \frac{n!}{m!\,(n-m)!},$$
and each transit group can be allocated to an access terminal as one allocation unit.
Optionally, the identity verification result is determined as follows:
according to the identity identification information of the access terminal, determine whether the identity information meets the condition; if it does, check the request record table to determine whether a request record for the current access terminal exists; if no request record for the current access terminal exists in the request record table, generate the request record and allocate a transit group.
Optionally, if a request record for the current access terminal does exist in the request record table, check the authentication period of the request record to determine whether one authentication period has elapsed; if it has, further judge whether the number of transit machines crashed by the current access terminal is greater than or equal to the system parameter K; if the number of crashed transit machines is greater than or equal to K, put the current access terminal on the blacklist; if it is less than K, allocate a transit group.
Optionally, the method further includes a way of calculating the misjudgment (false positive) rate of the identity verification result, as follows:
First, visitors arriving through an access terminal are divided into normal users $C_N$ and attackers $C_M$. Suppose a visitor is a normal user $C_N$ with probability $p$; then the visitor is an attacker $C_M$ with probability $1-p$. Let $S_{down}$ denote the event that a transit machine crashes. Since an attacker $C_M$ always causes the transit machine it uses to crash, the following holds:
$$P(S_{down} \mid C_M) = 1.$$
Suppose a normal user $C_N$ causes a transit machine to crash with probability $q$, so that a normal user does not cause a crash with probability $1-q$; then the following holds:
$$P(S_{down} \mid C_N) = q, \qquad P(\overline{S_{down}} \mid C_N) = 1-q.$$
Assuming only one user accesses through the access terminal, when that user causes one transit machine of the group to crash and is therefore judged to be an attacker $C_M$, the misjudgment rate is the posterior probability that the user was in fact normal:
$$P(C_N \mid S_{down}) = \frac{P(S_{down} \mid C_N)\,P(C_N)}{P(S_{down} \mid C_N)\,P(C_N) + P(S_{down} \mid C_M)\,P(C_M)} = \frac{p\,q}{p\,q + (1-p)}.$$
Assuming only one user accesses the application server through the access terminal, when that user causes k transit machines of the group to crash and is therefore judged to be an attacker $C_M$, the misjudgment rate is
$$P(C_N \mid k \text{ crashes}) = \frac{p\,q^{k}}{p\,q^{k} + (1-p)}.$$
If several users access through the same access terminal and the terminal is judged to be an attacker $C_M$ when it causes one transit machine of the group to crash, the misjudgment rate is given by the following equations:
[equation images BDA0003967495420000052 to BDA0003967495420000056, not recoverable from the page]
If several users access the application server through the same access terminal and the terminal is judged to be an attacker $C_M$ when it causes k transit machines of the group to crash, the misjudgment rate is given by the following equations:
[equation images BDA0003967495420000061 and BDA0003967495420000062, not recoverable from the page]
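The single-user formulas above are enough to size the threshold K. The block below is an added example, not code from the patent: it evaluates $P(C_N \mid k \text{ crashes})$ for the page's model (an attacker always crashes its transit machine, a normal user crashes one with probability $q$, a visitor is normal with prior $p$) and picks the smallest K whose misjudgment rate stays under an accepted target. The numeric $p$, $q$ and target values in the usage are constructed.

```python
# Misjudgment (false positive) rate of the crash-count rule, following the page's model:
# an attacker always crashes the transit machine it is assigned, a normal user crashes one
# with probability q, and a visitor is normal with prior probability p. Constructed example,
# not the patent's code; the p, q and target values in the usage are made up.

def misjudgment_rate(p, q, k=1):
    """P(C_N | k crashes): probability that a terminal judged an attacker after k crashes was normal."""
    if not (0 <= p <= 1 and 0 <= q <= 1) or k < 1:
        raise ValueError("p and q must be probabilities and k >= 1")
    normal = p * q ** k        # P(C_N) * P(k crashes | C_N), crashes independent per machine
    attacker = 1.0 - p         # P(C_M) * P(k crashes | C_M), with P(S_down | C_M) = 1
    return normal / (normal + attacker) if normal + attacker else 0.0


def choose_k(p, q, target, k_max=64):
    """Smallest crash threshold K whose misjudgment rate does not exceed target.
    K is the system parameter compared against the crashed-machine count; returns None
    when no K up to k_max reaches the target (e.g. q = 1, where normal users always crash)."""
    for k in range(1, k_max + 1):
        if misjudgment_rate(p, q, k) <= target:
            return k
    return None


def rate_table(p, q, k_max):
    """Misjudgment rate for K = 1..k_max, for choosing K against an accepted false-positive rate."""
    return {k: misjudgment_rate(p, q, k) for k in range(1, k_max + 1)}


if __name__ == "__main__":
    # With 99% benign visitors and a 1% benign crash rate, one crash still misjudges ~50%
    # of the flagged terminals; K = 2 brings that below 1%, K = 3 below 0.01%.
    for k, rate in rate_table(0.99, 0.01, 4).items():
        print(k, f"{rate:.4%}")
    print(choose_k(0.99, 0.01, 0.001))
```

The point a practitioner should take from the table is that K = 1 (blacklist on the first crashed transit machine) is unusable even with an overwhelmingly benign population, because a single crash carries almost no evidence once $q$ is comparable to $1-p$; the miss rate, by contrast, is zero under this model only because attackers are assumed to crash their machine with certainty.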
optionally, if the access terminal obtains the transfer unit allocated by the verification server, the access terminal establishes a secure connection with a transfer unit in the transfer unit.
Optionally, the connection protocols between the authentication server and the access terminal and between the transfer unit and the access terminal both use an HTTPS protocol, and the HTTPS protocol can automatically complete management of the key and encryption of the data.
Optionally, if the identity information of the access terminal does not meet the condition, the authentication server denies the service.
In a second aspect, an embodiment of the present invention further provides a defense system against DDoS attacks, comprising an application server, a verification server, a database server, transit machines and access terminals;
the application server provides the service to the outside;
the verification server consists of one or more cloud servers; it verifies the identity information of the access terminal, allocates a transit group to the access terminal, establishes a secure connection with the access terminal and recognizes attack behaviour of the access terminal;
the database server stores the transit groups, the access terminal identification codes and the access behaviour of the access terminals;
the transit machines relay the service requests of the access terminals to the application server.
Optionally, the system further comprises a cache server, which caches the transit groups that the verification server has allocated to access terminals.
In a third aspect, a computer device comprises a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the above defense method against DDoS attacks.
(III) advantageous effects
The invention has the following beneficial effects. In the defense method, system, device and storage medium described here, transit machines are placed between the application server and the access terminals, so the application server is hidden behind the transit machines and an attacker cannot find a target to attack. Because transit groups are generated by combining the transit machines of a region, the number of usable transit groups far exceeds the total number of transit machines. Compared with the prior art, when the access volume is very large, choosing m of n transit machines to form a group effectively increases the number of allocatable units, which addresses the problem that DDoS attacks with extremely large traffic cannot be withstood. The same approach also reduces the defense cost of the system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 shows a flowchart of a defense method for defending against DDoS attacks provided by an embodiment of the present invention;
fig. 2 shows a specific flowchart of a defense method for defending against DDoS attacks provided by the embodiment of the present invention;
fig. 3 shows a schematic structural diagram of a defense system for defending against DDoS attacks provided by the embodiment of the present invention.
[description of reference numerals]:
in the figures: 1: access terminal; 2: transit machine; 3: application server; 4: database server; 5: verification server; 6: cache server.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it should be understood that the drawings in the present invention are for illustrative and descriptive purposes only and do not limit the scope of the present invention. Additionally, it should be understood that the schematic drawings are not necessarily drawn to scale. The flowcharts used in this disclosure illustrate operations implemented according to some embodiments of the present invention. It should be understood that the operations of the flow diagrams may be performed out of order, and that steps without logical context may be performed in reverse order or concurrently. One skilled in the art, under the direction of this summary, may add one or more other operations to, or remove one or more operations from, the flowchart.
In addition, the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
To enable those skilled in the art to utilize the present teachings in connection with a particular application scenario "defending against DDoS attacks," the following embodiments are presented, and it will be apparent to those skilled in the art that the general principles defined herein may be applied to other embodiments and application scenarios without departing from the spirit and scope of the present teachings.
The method, system, device and storage medium provided by the embodiments of the present invention can be applied to any scenario in which the identity identification information of the access terminal is available; the embodiments do not limit the specific application scenario, and any scheme for defending against DDoS attacks that uses the judgement on access terminal identity identification information provided by the embodiments falls within the protection scope of the invention.
Before the present invention, a reliable defense against large-scale DDoS (Distributed Denial of Service) attacks was still lacking. The commonly used defenses fall into two classes. The first is the high-defense approach, which raises the server's own resistance by increasing the server's performance and network bandwidth, as in CN109088941A discussed in the background. The second is filtering, sometimes called traffic cleaning: a network device filters the traffic, discards the attack traffic and keeps the normal traffic. Filtering is further divided into IDC (Internet Data Center) machine-room filtering, which uses hardware in the machine room where the application server sits, and cloud filtering, which pulls the traffic sent by the access terminals to the cloud and filters it there with cloud servers, as in CN110138783A and CN104869118A discussed in the background. The high-defense approach and hardware filtering are expensive and cannot withstand DDoS attacks of extremely large volume; cloud filtering offers strong protection at low cost and has gradually become the preferred way to resist DDoS attacks.
On this basis, the embodiments of the present invention provide a defense method, system, device and storage medium against DDoS attacks. The access terminal selects one transit machine from its allocated transit group and establishes a secure connection with it, and the transit machine forwards the access terminal's requests to the application server. In this way the application server is hidden behind the transit machines, so that a DDoS attacker cannot locate the application server it wants to attack. Further, because transit groups are generated by combining the transit machines of a region, the number of available groups far exceeds the total number of transit machines. For example, with 100 transit machines spread evenly over five regions, 20 per region, and groups formed by choosing any 3 of the 20 machines in a region, each region yields $\binom{20}{3} = 1140$ groups and the five regions together yield 5700 groups. The defense cost of the system is reduced accordingly.
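The per-region combination described in the first aspect and in the 5700-group example above can be checked directly. The block below is an added example, not code from the patent: it enumerates the groups, confirms the closed-form count, and also measures what the page does not mention, namely how many of those groups share any one transit machine, since the groups are not independent and a single crashed machine degrades every group containing it. The region and machine identifiers are constructed for the demonstration.

```python
# Transit-group construction behind the page's 5700 figure (constructed example, not the
# patent's code): n transit machines per region, groups of any m of them, C(n, m) groups
# per region. Region and machine names are made up for the demonstration.
from itertools import combinations
from math import comb


def build_groups(regions, m):
    """regions: dict region name -> list of transit machine ids.
    Returns every m-subset of each region's machines as a (region, machines) tuple;
    machines are never mixed across regions, matching the page's per-region combination."""
    return [(region, combo)
            for region, machines in regions.items()
            for combo in combinations(sorted(machines), m)]


def group_count(n_per_region, region_count, m):
    """Closed form for len(build_groups(...)): region_count * C(n_per_region, m)."""
    return region_count * comb(n_per_region, m)


def groups_touched_by(groups, machine):
    """Groups degraded when one transit machine crashes: C(n-1, m-1) within its region.
    Groups share machines, so the group count overstates independent capacity."""
    return sum(1 for _, machines in groups if machine in machines)


def intact_groups(groups, crashed):
    """Groups with no crashed member, i.e. what is still fully usable in the working pool."""
    crashed = set(crashed)
    return sum(1 for _, machines in groups if crashed.isdisjoint(machines))


def example_regions(region_count=5, per_region=20):
    """Five regions of twenty transit machines, as in the page's example (constructed ids)."""
    return {f"region{r}": [f"r{r}-m{i:02d}" for i in range(per_region)]
            for r in range(region_count)}


if __name__ == "__main__":
    groups = build_groups(example_regions(), 3)
    print(len(groups), group_count(20, 5, 3))                          # 5700 5700
    print(groups_touched_by(groups, "r0-m00"))                         # 171 = C(19, 2)
    print(intact_groups(groups, [f"r0-m{i:02d}" for i in range(5)]))  # 5015
```

With 20 machines per region and groups of 3, each machine sits in C(19, 2) = 171 groups, so knocking out five machines in one region removes 685 of that region's 1140 groups from the fully intact set; the large group count is a hiding and allocation benefit, not 5700 independent units of capacity.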
By counting the transit machines crashed by access terminal 1, the defense method against DDoS attacks can filter out all DDoS behaviour, so that the miss rate of the defense system is zero while the misjudgment rate stays low, and traffic of any scale can be withstood.
For the convenience of understanding the present invention, the technical solutions provided by the present invention will be described in detail with reference to specific examples.
Referring to fig. 1, fig. 1 is a flowchart illustrating a flow of a defense method for defending against DDoS attacks according to an embodiment of the present invention. As shown in fig. 1, an embodiment of the present invention provides a defense method for defending against DDoS attacks, where the defense method includes the following steps:
S1, verification server 5 receives the identity request of access terminal 1 and performs identity verification on the identity information of access terminal 1.
In this step, access terminal 1 wants to access application server 3 and must first obtain a transit group, which requires that it be verified by verification server 5 and receive the verification result. Specifically, the verification information sent from access terminal 1 to verification server 5 has the format: hardware identification code of access terminal 1 (N1 bits) + timestamp (system time, N2 bits) + ID of the application service provider (the merchant providing the network application service, N3 bits) + authentication code; where N1, N2 and N3 are system parameters and "+" denotes concatenation.
As shown in fig. 2, verification server 5 listens for requests from access terminal 1 (module 1). The connections between verification server 5 and access terminal 1 and between transit machine 2 and access terminal 1 are both established over HTTPS, so the data cannot be read or tampered with by an on-path observer. Note that HTTPS by itself does not stop a CC (Challenge Collapsar) attack, which is a flood of well-formed HTTP requests over valid connections; what limits CC attacks in this method is that every access terminal must pass identity verification before it is given any transit machine to send requests to, and a terminal that crashes transit machines is blacklisted. Together these give a better defense effect than against ordinary DDoS traffic alone.
S2, verification server 5 judges, according to the verification result, whether the condition for allocating a transit group to access terminal 1 is met.
Referring to fig. 2, the verification result is produced by an algorithm that recognizes the attack behaviour of access terminal 1: it identifies malicious connection requests from access terminal 1 and adds the corresponding access terminal 1 to the blacklist. The blacklist is a dynamically changing table of malicious access terminals; a blacklisted access terminal 1 is restored to normal once the blocking period has elapsed. blockInterval (the blocking period) is a system parameter.
In this step, after verification, verification server 5 decides from the verification result whether a transit group needs to be allocated to access terminal 1.
Further, the verification result (i.e. the attack-behaviour recognition algorithm for access terminal 1) is determined as follows:
First, the identity information of access terminal 1 is checked to determine whether it meets the condition.
Here the identity check is branch judgement a, which asks whether the access terminal passes all four of the following checks:
1) Blacklist check: the table blackList is looked up by clientID (a field of the request record table reqRecord holding the hardware identification code of access terminal 1) and appProviderID (a field of reqRecord holding the ID of the application service provider). If an entry exists, the current time minus revocationbeacon (the field of blackList holding the time the entry was added) is compared with the blocking period: if it exceeds blockInterval, the entry is removed from blackList, moved to the blacklist history table, and the terminal is no longer blocked; otherwise the terminal remains blocked and the check fails. The blocking period is the time an access terminal 1 spends on the blacklist before it is cleared.
2) Timestamp check: the timestamp sent by access terminal 1 is checked; if the current time minus the timestamp exceeds deltaT (the replay-request parameter), the request is treated as a replayed request and the check fails.
3) Authentication code check: the authentication code sent by access terminal 1 is compared with the authorizationCode field of the transaction record table transactionRecord (the authorization code issued by the defense system to the application service provider).
4) Authorization period check: the current time must be earlier than the authorization period specified in transactionRecord.
If the identity information meets the condition, the request record of access terminal 1 is checked to determine whether a request record for the current access terminal 1 exists in the request record table. If none exists, a request record is generated and a transit group is allocated.
Specifically, referring to fig. 2, if all four checks pass, branch judgement b is entered; if at least one check fails, the verification service is denied (module 3). Branch judgement b: the record-checking module looks up reqRecord (the request record table). If a record exists, branch judgement c is entered; if not, a new request record is generated, i.e. inserted into reqRecord, a transit group is allocated to the current access terminal 1, and the group is moved from the working pool to the cache pool (module 2).
Further, if a request record for the current access terminal 1 exists in the request record table, the authentication period of the record is checked to determine whether one authentication period has elapsed (branch judgement c).
If one authentication period has elapsed, it is further determined whether the number of transit machines 2 crashed by the current access terminal 1 is greater than or equal to the system parameter K (branch judgement d). If it is, the current access terminal 1 executes the instructions of module 5: if the cache pool holds a transit group for the current access terminal, the group is moved to the working pool or the dead pool according to how many of its transit machines 2 have crashed: when every transit machine 2 in the group has crashed, the group goes to the dead pool; otherwise it returns to the working pool (this is the cache-clearing step). The current access terminal 1 is then written into the blacklist table blackList, and its request record is moved into reqHistory (the request record archive table). If the number of crashed transit machines 2 is less than K, the current access terminal 1 executes the instructions of module 4: archive the request record of the current access terminal 1, i.e. move it into reqHistory; generate a new request record, i.e. insert it into reqRecord; and allocate a transit group to the current access terminal 1. Further, if the allocated group is not the group already held for the current access terminal 1, the group held for the current access terminal 1 is at the same time moved from the working pool to the cache pool.
Because the cache pool holds usable transit groups rather than groups whose machines have all crashed, the availability of the groups in the cache pool is higher.
If the authentication period of the request record has not reached one authentication period, branch judgment e is performed: it is checked whether the current access terminal 1 has a cache on the cache server 6, that is, whether a transfer unit corresponding to the current access terminal 1 exists in the cache pool. If so, branch judgment g follows; if not, branch judgment f follows.
Further, when the cache pool does not contain a transfer unit corresponding to the current access terminal 1, branch judgment f checks whether the number of transfer machines 2 killed by the current access terminal 1 is greater than or equal to the system parameter K. If so, the current access terminal 1 executes the module 5 instruction; note that this judgment is made when no cache is available, that is, the cache pool holds no transfer unit for the current access terminal 1, so the cache clearing process of module 5 is not needed and the other steps are unchanged. If the number is less than the system parameter K, the current access terminal 1 executes the module 6 instruction. Specifically, module 6 allocates a new transfer unit to the current access terminal 1 from the working pool and updates the number of dead transfer machines 2 in the current request record: haltedSum (a field of the request record table reqRecord giving the accumulated number of transfer machines 2 killed by the current access terminal 1, with initial value 0) = (number of dead (crashed) machines in the cache pool) - haltedNumber (a field of reqRecord giving the number of dead (crashed) machines in the transfer unit allocated to the access terminal 1); if (number of dead machines in the cache pool) - haltedNumber < 0, the value is taken as zero (a negative value is possible because a transfer machine 2 originally marked as dead in the cache pool may have revived). Then haltedNumber is set to the number of dead (crashed) machines in the newly allocated transfer unit, and that transfer unit is moved from the working pool to the cache pool.
When the cache pool contains a transfer unit corresponding to the current access terminal 1, branch judgment g checks whether the current transfer unit is in the database, that is, whether the current unit is in the transfer tuple table. If it is, the current access terminal 1 executes the module 8 instruction; module 8 calculates and updates the number of dead transfer machines 2 in the current request record, namely haltedSum = haltedSum + [(number of dead (crashed) machines in the cache pool) - haltedNumber], and if [(number of dead machines in the cache pool) - haltedNumber] < 0 the bracketed value is taken as zero (a negative value is possible because a transfer machine 2 originally marked as dead in the cache pool may have revived). If the current transfer unit is not in the database, branch judgment h is performed.
Further, branch judgment h: it is judged whether the number of transfer machines 2 killed by the current access terminal 1 is greater than or equal to the system parameter K. If so, the current access terminal 1 executes the module 7 instruction, namely: remove the current transfer unit from the cache; write the current access terminal 1 into the blackList table (the blacklist); and move the current request record into the reqHistory table. If the number is less than the system parameter K, module 12 is entered, which deletes the current transfer unit from the cache pool.
In module 8, after the number of dead transfer machines 2 in the current request record has been calculated and updated, branch judgment i is performed: it is judged whether the number of transfer machines 2 killed by the current access terminal 1 is greater than or equal to the system parameter K; if so, module 5 is entered, and if it is less than the system parameter K, branch judgment j is entered.
Specifically, branch judgment j checks whether the cache has expired, that is, whether the current time minus the write time of the cache is greater than or equal to the cache period cachePeriod (the cache period is the time a transfer unit spends from entering the cache pool until it is cleared from the cache). If the cache has expired, branch judgment l follows; if it has not expired, branch judgment k follows.
Further, branch judgment k checks whether all transfer machines 2 in the cache pool are dead. If they are all dead, the current access terminal 1 proceeds to module 9, which moves the current transfer unit into the dead pool; if not all of them are dead, module 11 executes and returns the unit in the cache pool to the current access terminal 1 (also called the access terminal).
If the cache has expired, branch judgment l is applied: it checks whether all transfer machines 2 in the cache are dead. If they are all dead, the current access terminal 1 executes the module 9 instruction and moves the current transfer unit into the dead pool; if not, the current access terminal 1 executes the module 10 instruction, which resets the timeout of the cache pool unit, updates the request record table (that is, the values of the haltedNumber and haltedSum fields), and returns the unit in the cache pool to the current access terminal 1.
S3, if the identity verification of the access terminal 1 meets the condition, a transfer unit is allocated to the access terminal 1. Before allocating transfer units, the authentication server 5 must generate them in advance: if m transfer machines 2 are selected from the n transfer machines 2 to form one group, there are
Figure BDA0003967495420000151
transfer units, each of which can be used as an allocation unit to be allocated to the access terminal 1.
Further, the misjudgment rate of the attack behavior recognition algorithm for the access terminal 1 can be roughly estimated by the following calculation.
It should be noted that an access terminal 1 operated by an attacker causes a transfer unit to halt (crash) whenever it attacks, so the attack recognition algorithm recognizes every malicious attack. However, a normal user making normal access requests through the access terminal 1 may also cause a transfer unit to crash, so the algorithm has a certain misjudgment rate; a mathematical model of that rate is provided here so that it can be evaluated scientifically and accurately.
That is, the method includes a way of calculating the false positive rate of the identity authentication result. The misjudgment rate is the probability that a normal user accessing through an access terminal is treated as an attacker accessing through that terminal, so that the access terminal is put into the blacklist. It is calculated with the probability formula provided in this application, which is derived as follows:
First, the visitors of the system through the access terminal 1 are classified into normal users $C_N$ and attackers $C_M$. Suppose the probability that a visitor is a normal user $C_N$ is p; then the probability that the visitor is an attacker $C_M$ is 1-p. Let $S_{down}$ denote the crash event of the transfer unit. Since an attacker $C_M$ always causes the transfer machine to crash, the following formula holds:
Figure BDA0003967495420000161
Unlike an attacker, a normal user $C_N$ generally does not halt the transfer unit, but events in which a normal user causes the transfer unit to halt do occur. Suppose the probability that a normal user $C_N$ causes the transfer unit to crash is q; then the probability that the normal user does not cause the transfer machine 2 to crash is 1-q, and the following formula holds:
Figure BDA0003967495420000162
First, assuming that only one user accesses the application server through the access terminal 1, when that user causes 1 transfer machine 2 in the transfer unit to crash and is therefore judged to be an attacker $C_M$, the misjudgment rate is:
Figure BDA0003967495420000163
Second, assuming that only one user accesses the application server through the access terminal 1, when that user causes k transfer machines 2 of the transfer unit to crash and the user of the access terminal 1 is therefore judged to be an attacker $C_M$, the misjudgment rate is:
Figure BDA0003967495420000164
where $p_r(s_{1,down}\, s_{2,down} \dots s_{k,down} \mid C_N) = q^k$ and $p_r(s_{1,down}\, s_{2,down} \dots s_{k,down} \mid C_M) = 1$.
Finally, the misjudgment rate when n users use the server is analyzed in three cases.
(1) Judging a normal user $C_N$ who causes only 1 transfer machine 2 to crash to be an attacker $C_M$; the misjudgment rate is:
Figure BDA0003967495420000171
(2) Computing $p_r(S_{down})$ in the equation:
Figure BDA0003967495420000172
where
Figure BDA0003967495420000173
Figure BDA0003967495420000174
therefore,
Figure BDA0003967495420000175
(3) When k transfer machines 2 are halted, judging the normal user $C_N$ to be an attacker $C_M$; the misjudgment rate is:
Figure BDA0003967495420000176
Figure BDA0003967495420000177
therefore,
Figure BDA0003967495420000178
suppose that the system has n =1000 visitors, which is a normal user C N Is p =0.9, normal user C N The probability of causing the transfer machine to be 2 halted is q =0.01, and when the user causes k =3 transfer machines to be 2 halted, the current user is judged to be an attacker C M If so, the misjudgment rate is 0.0000009, and thus the misjudgment rate of the algorithm is very small. Actually, the denominator of the formula of the misjudgment rate approaches to 1, and the parameter actually influencing the misjudgment rate is the normal user C N Probability p of normal user C N The probability q of causing the set of the transfer units to crash, and a system parameter k.
In this embodiment, the method further includes auxiliary processes of the algorithm: a blacklist release process, a state conversion process of the transfer units, a periodic cache check program, and a scan program for the transfer machines 2.
In the blacklist release process, when the request of the access terminal 1 enters branch judgment a for the four checks and the access terminal 1 is found to be in the blacklist, its blacklist expiration time is calculated: a temporary variable m_temp = current time - blocking start time is set, and if m_temp is greater than the system parameter blockInterval (the blocking period), the access terminal 1 is removed from the blackList table and moved to the blacklist history table.
The state conversion process of the transfer units mainly covers the following transitions. Working pool to dead pool: the scan program scans the transfer machines 2 in the working pool, and if all transfer machines 2 of a transfer unit are dead (crashed), that unit is moved into the dead pool; the scan program also scans the transfer machines 2 in the dead pool, and if a transfer machine 2 of a unit there has revived, the unit is moved to the working pool.
Normal pool to cache pool: when the attack behavior recognition algorithm allocates a new transfer unit to the access terminal 1, the corresponding transfer unit is moved from the normal pool to the cache pool.
Cache pool to dead pool: performed by the attack behavior recognition algorithm in module 5, module 6 and module 9; in addition, a dedicated periodic cache-pool check program moves every transfer unit in the cache pool whose age exceeds the cache period and whose transfer machines are all dead (down) from the cache pool to the dead pool.
Cache pool to normal pool: performed by the attack behavior recognition algorithm in module 5; in addition, the dedicated periodic cache-pool check program moves every transfer unit in the cache pool whose age exceeds the cache period and which still has a normally working transfer machine 2 into the normal pool.
The periodic cache check program is responsible for regularly checking the cache and moving transfer units whose cache period has expired to the normal pool or the dead pool. Before the transfer, however, the total number of transfer machines 2 killed by the access terminal 1 must be calculated and updated in the request record table. The program runs regularly as a scheduled task.
The transfer machine 2 scan program polls each transfer machine 2 (on a specific port) and, according to the scan result, sets the status field (a field of the transfer table indicating the survival state of the transfer machine 2) in transfer (the transfer machine table, which stores the generated transfer machines).
The configuration process of the transfer machines 2 specifically includes setting the values of the fields in transfer (the transfer table, which stores the generated transfer machines), with the default value of the status field (a field of transfer indicating the survival state of the transfer machine 2) set to 1. When transfer machines 2 are added in batch, their serial numbers increase sequentially; when transfer machines 2 are deleted in batch, the remaining transfer machines 2 are renumbered.
This step is responsible for generating the transfer units: if n is the total number of transfer machines 2 and m is the number of transfer machines 2 in each group, there are altogether
Figure BDA0003967495420000191
transfer units available, and the default value of m is 3. When generating transfer units, several large regions are divided according to the areas where the transfer machines 2 are located, and the transfer machines 2 of each large region generate transfer units independently. For example, with 5 large regions whose numbers of transfer machines 2 are $n_1, n_2, \dots, n_5$, the regions respectively generate
Figure BDA0003967495420000192
transfer units. Although the total number of transfer units generated by this combination method is relatively small, it enables near-source scheduling of transfer units: when the attack behavior recognition algorithm selects a transfer unit for the access terminal 1, it preferentially selects a group of transfer machines 2 from the transfer units of the region where the access terminal is located. Through near-source scheduling, the attack behavior recognition algorithm achieves a fast connection between the access terminal 1 and the transfer machines 2, improving the response speed of the system.
According to the defense method for resisting DDoS attacks, the transfer machines 2 are arranged between the application server 3 and the access terminal 1, so the application server 3 can be hidden: the application server 3 is hidden behind the transfer machines 2 and an attacker cannot find an attack target. In addition, since the transfer units are generated by freely combining the transfer machines 2 within regions, the number of usable transfer units far exceeds the total number of transfer machines 2. Compared with the prior art, when the access volume is very large, m transfer machines 2 can be selected from the n transfer machines 2 to form a transfer unit, which effectively increases the number of allocatable units and solves the problem that ultra-large-flow DDoS attacks cannot be resisted. In addition, this approach effectively reduces the defense cost of the system. Specifically, with the technical scheme of the invention, m transfer machines 2 can be selected from n transfer machines 2 to form a transfer unit, so the number of allocatable units is effectively increased. The transfer units are formed according to the regional distribution of the transfer machines 2, which allows near-source allocation of transfer units and improves the response speed of the system. Further, whether an access terminal 1 is an attacker is judged by checking whether the number of transfer machines 2 killed by that access terminal 1 exceeds the threshold K, and this decides whether the access terminal is added to the blacklist; accordingly, the system can resist malicious attacks at any traffic level while guaranteeing a zero false negative rate and a low false positive rate.
When an access terminal 1 has been in the blacklist longer than the blocking interval, it is removed from the blacklist and moved to the historical blacklist, which reduces the misjudgment rate. The transfer units are divided into a working pool, a cache pool and a dead pool, which effectively improves the allocation speed of the transfer units and the response speed of the system. The HTTPS protocol is used between the access terminal 1 and the verification server 5 and between the access terminal 1 and the transfer machines 2, so transmitted data cannot be tampered with by network eavesdropping; the method therefore not only defends against DDoS attacks but also effectively resists injection, tampering and other attacks aimed at the application server 3. The protocol used automatically performs key management and data encryption (the details of which do not belong to the present invention). To prevent exposure of the authentication server, the access terminal hides the IP address or domain name of the authentication server with CDN (Content Distribution Network) technology when establishing a secure connection with it, thereby effectively protecting the security of the authentication server.
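The branch-judgment procedure above (request records with haltedNumber/haltedSum, the threshold K, the cache clearing into the dead or working pool, the blacklist release after blockInterval) and the per-region generation of transfer units with near-source scheduling are combined in this added Python model, which is not the patent's own code. Class and method names (Relay, TransferUnit, ReqRecord, Defender), the numeric parameters and the scenario in demo() are assumptions; the authentication period and cache period timers are left out.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

@dataclass
class Relay:
    rid: int
    region: str
    status: int = 1            # 'status' field of the transfer table: 1 alive, 0 crashed

@dataclass
class TransferUnit:
    relays: Tuple[Relay, ...]  # m transfer machines generated inside one region

    def dead_count(self) -> int:
        return sum(1 for r in self.relays if r.status == 0)

    def all_dead(self) -> bool:
        return self.dead_count() == len(self.relays)

@dataclass
class ReqRecord:               # one row of the reqRecord table
    unit: TransferUnit
    haltedNumber: int          # crashed machines in the unit currently allocated
    haltedSum: int = 0         # accumulated crashes attributed to the terminal

class Defender:
    def __init__(self, relays: List[Relay], m: int = 3, K: int = 3,
                 blockInterval: float = 600.0) -> None:
        self.K, self.blockInterval = K, blockInterval
        by_region: Dict[str, List[Relay]] = {}
        for r in relays:
            by_region.setdefault(r.region, []).append(r)
        # working pool: C(n_i, m) units generated independently for each region i
        self.working = [TransferUnit(c) for rs in by_region.values() for c in combinations(rs, m)]
        self.cache: Dict[str, TransferUnit] = {}   # cache pool, keyed by terminal
        self.dead: List[TransferUnit] = []         # dead pool
        self.reqRecord: Dict[str, ReqRecord] = {}
        self.blackList: Dict[str, float] = {}      # terminal -> blocking start time
        self.blackListHistory: List[str] = []

    def _release_expired(self, now: float) -> None:
        # blacklist release: entries blocked longer than blockInterval go to history
        for t, start in list(self.blackList.items()):
            if now - start > self.blockInterval:
                del self.blackList[t]
                self.blackListHistory.append(t)

    def _clear_cache(self, terminal: str) -> None:
        # cache clearing: a fully crashed unit goes to the dead pool, else back to working
        unit = self.cache.pop(terminal, None)
        if unit is not None:
            (self.dead if unit.all_dead() else self.working).append(unit)

    def _allocate(self, region: str) -> Optional[TransferUnit]:
        # near-source scheduling: own region first, then fewest crashed machines
        ranked = sorted((u for u in self.working if not u.all_dead()),
                        key=lambda u: (u.relays[0].region != region, u.dead_count()))
        return ranked[0] if ranked else None

    def request(self, terminal: str, region: str, now: float) -> Optional[TransferUnit]:
        """Handle one authenticated request; None means service is denied."""
        self._release_expired(now)
        if terminal in self.blackList:
            return None
        rec = self.reqRecord.get(terminal)
        if rec is not None:
            # machines that died while the terminal held its unit are attributed to
            # it; a revived machine must not push the delta below zero
            rec.haltedSum += max(rec.unit.dead_count() - rec.haltedNumber, 0)
            self._clear_cache(terminal)
            if rec.haltedSum >= self.K:
                self.blackList[terminal] = now
                del self.reqRecord[terminal]       # archived to reqHistory in the text
                return None
        unit = self._allocate(region)
        if unit is None:
            return None
        self.working.remove(unit)
        self.cache[terminal] = unit
        if rec is None:
            self.reqRecord[terminal] = ReqRecord(unit, unit.dead_count())
        else:
            rec.unit, rec.haltedNumber = unit, unit.dead_count()
        return unit

def demo() -> Tuple[bool, int, int, bool]:
    # constructed scenario: 4 relays in region A and 3 in region B, m = 3, K = 3
    relays = [Relay(i, "A") for i in range(4)] + [Relay(i, "B") for i in range(4, 7)]
    d = Defender(relays, m=3, K=3, blockInterval=600.0)
    unit = d.request("attacker", "A", now=0.0)
    for r in unit.relays:                          # the terminal crashes its whole unit
        r.status = 0
    denied = d.request("attacker", "A", now=10.0) is None
    served = d.request("normal", "B", now=20.0)
    near_source = served is not None and served.relays[0].region == "B"
    d.request("attacker", "A", now=700.0)          # blocking period elapsed: released
    return denied, len(d.dead), d.blackListHistory.count("attacker"), near_source
```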
Referring to fig. 3, fig. 3 is a schematic structural diagram of a defense system for defending against DDoS attacks according to an embodiment of the present invention, as shown in fig. 3, the system includes:
an application server 3, a verification server 5, a database server 4, transfer machines 2 and an access terminal 1;
the application server 3 is used for providing business services to the outside.
The verification server 5 is composed of one or more cloud servers, can authenticate the identity information of the access terminal 1, distributes a transfer unit for the access terminal 1, and can establish a secure connection with the access terminal 1 and identify the attack behavior of the access terminal.
The database server 4 is used for storing the transit unit, the access terminal identification code and the access behavior of the access terminal 1.
The transfer machine 2 can provide a relay service for the service requests of the access terminal 1.
Further, the system further comprises a cache server 6 capable of caching the relay group assigned to the access terminal 1 by the authentication server 5. The purpose is to improve the distribution efficiency of the transfer unit.
Compared with the prior art, the system for resisting DDoS attacks provided by the embodiment of the invention can hide the application server 3, so that the application server 3 sits behind the transfer machines 2 and an attacker cannot find an attack target. The attack behavior recognition algorithm judges whether the access terminal 1 is a malicious attacker according to the number of transfer machines 2 it has killed, so the system can effectively resist malicious attacks at any traffic level while ensuring no missed reports and an extremely low misjudgment rate. The response delay of the system is very small thanks to the near-source scheduling algorithm. In short, the system offers strong protection, low collateral damage and quick response.
Moreover, a mathematical model of the misjudgment rate of the attack behavior recognition algorithm of the access terminal 1 is established, and a misjudgment rate calculation formula is given:
Figure BDA0003967495420000211
a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, is capable of implementing a method of defending against DDoS attacks.
Based on the same inventive concept, the embodiment of the invention also provides a computer storage medium, which stores a computer program, and the program can realize a defense method for resisting DDoS attack when being executed by a processor.
In particular, the storage medium may be a general storage medium, such as a removable disk or a hard disk, and when the computer program on the storage medium is executed, the defense method for resisting DDoS attacks is carried out: the identity information of the access terminal 1 is authenticated on receiving the identity request of the access terminal 1. The authentication server 5 determines according to the result of the authentication whether the condition for allocating a transfer unit to the access terminal 1 is satisfied. If the identity verification of the access terminal 1 meets the condition, a transfer unit is allocated to the access terminal 1; before allocating transfer units, the authentication server 5 must generate them in advance, and if m transfer machines 2 are selected from the n transfer machines 2 to form one group, there are
Figure BDA0003967495420000212
transfer units, each of which can be used as an allocation unit to be allocated to the access terminal 1. The embodiment provided by the invention solves the problems of the prior art, which cannot resist ultra-large-flow DDoS attacks, has a high defense cost and is difficult for ordinary users to accept; the prior art also has defects such as a high misjudgment rate and a high missed-report rate. Compared with the prior art, the invention provides a mathematical formula for calculating the misjudgment rate, and that formula shows that the misjudgment rate of the system is extremely low.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. In the several embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be through some communication interfaces, indirect coupling or communication connection between devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and the present invention shall be covered thereby. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A defense method for defending against DDoS attack is characterized by comprising the following steps:
the authentication server receives an identity request of the access terminal and performs identity authentication on identity information of the access terminal;
the authentication server judges whether the condition of being capable of distributing the transfer unit for the access terminal is met or not according to the result of the identity authentication;
if the identity verification of the access terminal meets the condition, a transfer unit is allocated to the access terminal; before the transfer units are allocated, the verification server is required to generate the transfer units in advance, and if m transfer machines are selected from n transfer machines to form one group, there are
Figure FDA0003967495410000011
Each transfer unit can be used as an allocation unit to be allocated to the access terminal.
2. A method of defending against DDoS attacks according to claim 1, wherein the result of authentication is determined by:
according to the identity identification information of the access terminal, whether the identity information meets the condition is determined; if the identity information meets the condition, checking the request record of the access terminal to determine whether the request record exists in the request record table of the current access terminal; and if the request record of the current access terminal does not exist in the request record table, generating the request record and distributing the transfer unit.
3. The method of claim 2, wherein if there is a request record of the current access terminal in the request record table, the authentication period of the request record is checked to determine whether the current request record has reached one authentication period; if the authentication period of the request record has reached one authentication period, it is further judged whether the number of transfer machines killed by the current access terminal is greater than or equal to a system parameter K; if the number of dead transfer machines is greater than or equal to K, the current access terminal is put into a blacklist; and if the number of dead transfer machines is less than K, a transfer unit is allocated.
4. A defense method against DDoS attacks according to claim 3, further comprising a calculating method for calculating a false positive rate of the result of the identity verification, wherein the calculating method comprises the following steps:
first, the visitors who access through the access terminal are divided into normal users $C_N$ and attackers $C_M$; suppose the probability that a visitor is a normal user $C_N$ is p, then the probability that the visitor is an attacker $C_M$ is 1-p; let $S_{down}$ represent the crash event of the transfer unit; since an attacker $C_M$ causes the transfer unit to halt, the following formula holds:
Figure FDA0003967495410000021
suppose the probability that a normal user $C_N$ causes the transfer unit to crash is q; then the probability that the normal user does not cause the transfer unit to crash is 1-q, and the following formula holds:
Figure FDA0003967495410000022
assuming that only one user accesses through the access terminal, when the user of the access terminal causes 1 transfer machine in the transfer unit to be dead, the user is judged to be an attacker $C_M$, and the misjudgment rate is:
Figure FDA0003967495410000023
assuming that only one user accesses the application server through the access terminal, when the user causes k transfer machines of the transfer unit to halt, the user of the access terminal is judged to be an attacker $C_M$, and the misjudgment rate is:
Figure FDA0003967495410000024
if a plurality of users access through the access terminal, and a user of the access terminal causes 1 transfer machine in the transfer unit to be dead, the user is judged to be an attacker $C_M$, and the misjudgment rate is:
Figure FDA0003967495410000031
Figure FDA0003967495410000032
where
Figure FDA0003967495410000033
Figure FDA0003967495410000034
therefore,
Figure FDA0003967495410000035
assuming that a plurality of users access the application server through the access terminal, when a user causes k transfer machines of the transfer unit to halt, the user of the access terminal is judged to be an attacker $C_M$, and the misjudgment rate is:
Figure FDA0003967495410000036
Figure FDA0003967495410000037
therefore,
Figure FDA0003967495410000038
5. the method of defending against a DDoS attack of claim 2,
and if the access terminal obtains the transfer unit distributed by the verification server, the access terminal establishes a secure connection with a transfer machine in the transfer unit.
6. The method as claimed in claim 5, wherein the connection protocol between the verification server and the access terminal and between the transfer unit and the access terminal is HTTPS, which handles key management and data encryption automatically.
7. The method of claim 2, wherein the verification server denies service if the identity information of the access terminal is not eligible.
8. A defense system for defending against DDoS attack is characterized by comprising an application server, a verification server, a database server, a transfer machine and an access terminal;
the application server is used for providing service for the outside;
the verification server consists of one or more cloud servers; it verifies the identity information of the access terminal, distributes a transfer unit to the access terminal, establishes a secure connection with the access terminal, and identifies attack behavior of the access terminal;
the database server is used for storing the transfer unit, the access terminal identification code and the access behavior of the access terminal;
the transfer machine provides transfer service for the service requests of the access terminal.
9. The system for defending against DDoS attacks according to claim 8, further comprising a cache server capable of caching the transfer unit distributed to the access terminal by the verification server.
10. A computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the method of defending against DDoS attacks of any one of claims 1 to 7.
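As an added illustration of how the components of claims 8 and 9 fit together (constructed example code, not the patent's own implementation), the following Python model assumes that a transfer unit is m of the n transfer machines chosen at random and that a terminal is judged an attacker once k of its unit's machines have crashed, as in the single-user case of claim 4; the class, parameter and relay names are hypothetical.

```python
import random


class VerificationServer:
    """Toy model of the verification, database and cache servers of claims 8 and 9
    (constructed example, not the patent's implementation)."""

    def __init__(self, relays, m, k, registered_ids, seed=0):
        self.relays = list(relays)             # the n transfer machines (constructed names)
        self.m = m                             # transfer machines per unit (assumed parameter)
        self.k = k                             # crashed machines before a terminal is judged an attacker
        self.registered = set(registered_ids)  # access terminal identification codes
        self.db = {}                           # database server: id -> unit, crashed machines, status
        self.cache = {}                        # cache server: id -> allocated transfer unit
        self.rng = random.Random(seed)         # seeded so allocations are reproducible

    def authenticate(self, terminal_id):
        """Claim 7: only registered terminals that have not been blocked are eligible."""
        rec = self.db.get(terminal_id)
        return terminal_id in self.registered and not (rec and rec["blocked"])

    def allocate_unit(self, terminal_id):
        """Claims 5 and 9: return the cached unit, or allocate a new unit of m machines."""
        if not self.authenticate(terminal_id):
            return None                        # identity information not eligible: deny service
        if terminal_id in self.cache:
            return self.cache[terminal_id]
        unit = tuple(sorted(self.rng.sample(self.relays, self.m)))
        self.db[terminal_id] = {"unit": unit, "crashed": set(), "blocked": False}
        self.cache[terminal_id] = unit
        return unit

    def report_crash(self, relay):
        """Attribute a crashed transfer machine to every terminal whose unit contains it
        (the single-user case of claim 4) and block terminals reaching k crashed machines.
        Returns the terminals judged to be attackers by this report."""
        flagged = []
        for tid, rec in self.db.items():
            if relay in rec["unit"] and not rec["blocked"]:
                rec["crashed"].add(relay)
                if len(rec["crashed"]) >= self.k:
                    rec["blocked"] = True
                    self.cache.pop(tid, None)  # a blocked terminal loses its cached unit
                    flagged.append(tid)
        return flagged


if __name__ == "__main__":
    vs = VerificationServer([f"relay{i}" for i in range(10)], m=3, k=2, registered_ids={"T1"})
    unit = vs.allocate_unit("T1")
    print("unit for T1:", unit, "| attackers after two crashes:",
          vs.report_crash(unit[0]) + vs.report_crash(unit[1]))
```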
CN202211504042.XA 2022-11-28 2022-11-28 Defense method, system, equipment and storage medium for resisting DDoS attack Pending CN115811428A (en)

Publications (1)

Publication Number Publication Date
CN115811428A true CN115811428A (en) 2023-03-17

Family

ID=85484340

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination