CN116248329A - Anti-brute-force cracking method, terminal device and storage medium - Google Patents
- Publication number: CN116248329A
- Application number: CN202211618634.4A
- Authority: CN (China)
- Prior art keywords: login, cracking, login information, brute force, source
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/1441—Countermeasures against malicious traffic
- H04L69/22—Parsing or analysis of headers
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L2463/144—Detection or countermeasures against botnets
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention relates to an anti-brute-force cracking method, a terminal device and a storage medium. The method comprises the following steps: S1: configure a security policy; S2: parse the protocol in the protocol-parsing mode that corresponds to the configured security policy to obtain the corresponding login information; S3: based on the configured security policy and the parsed login information, run different anti-brute-force detection algorithms in real time and judge whether the login information results from brute-force cracking. By combining several detection algorithms the invention effectively improves a server's resistance to brute-force cracking, and once brute-force cracking is detected it alerts the user in time and intercepts the attacker.
Description
Technical Field
The present invention relates to the field of computer security technology, and in particular to an anti-brute-force cracking method, a terminal device and a storage medium.
Background
With the development of the Internet, a large number of easy-to-use hacking tools have appeared, lowering the bar for almost every attack technique; producing a brute-force cracking tool is now trivial. Brute-force cracking is technically simple: candidate passwords are tried one after another until the correct one is found. Its success probability is low and it takes a long time, yet in practice, although many servers are protected layer by layer, an attacker who slightly adjusts the attack pattern can still break through quickly with brute force.
Existing servers resist brute-force cracking mainly by the following means:
1) Limiting bandwidth from the outside in, which slows down the attacker's cracking process;
2) Setting a security policy that limits connection frequency: the number of connections allowed from the same user within a given time period is defined, and connections beyond that limit are refused;
3) Setting a security policy that limits the number of trials: once a user's password attempts exceed a prescribed number, that user's connections are rejected for a short period.
Faced with these countermeasures, attackers often launch distributed brute-force cracking: many bots attack the target at the same time, each at a controlled attack rate, which makes limiting brute-force cracking considerably harder.
Disclosure of Invention
To solve these problems, the invention provides an anti-brute-force cracking method, a terminal device and a storage medium.
The specific scheme is as follows:
An anti-brute-force cracking method, comprising the following steps:
S1: configuring a security policy;
S2: parsing the protocol in the protocol-parsing mode corresponding to the configured security policy to obtain the corresponding login information;
S3: based on the configured security policy and the parsed login information, running different anti-brute-force detection algorithms in real time and judging whether the login information results from brute-force cracking.
Further, the security policy is configured in the cloud and then downloaded to the client.
Further, the security policy includes: the monitored ports, the time period, the failed-login count threshold, the distributed-attack time period, the distributed-attack failed-login count, whether to alarm, whether to intercept and the interception duration, and the protocol-parsing mode.
Further, the protocol-parsing modes comprise a packet-capture mode and a log mode;
the parsing process of the packet-capture mode comprises: creating a raw socket, setting BPF filter rules on it, parsing each network packet's header to obtain its frame type, and capturing packets whose EtherType is 0x0800 (IPv4) or 0x86DD (IPv6); parsing the captured packets and extracting the login information;
the parsing process of the log mode comprises: obtaining the storage path of the service's log file from the service's configuration file; parsing the obtained log file and extracting the login information.
Further, the login information includes the login user name, the source IP address, the source port, the destination IP address and the destination port.
Further, the anti-brute-force detection algorithms include a single-attacker algorithm comprising the following steps:
S301: extracting, from the configured security policy and the parsed login information, the time period, the failed-login count threshold, the login user name, the source IP address and the source port;
S302: building two cache dictionary tables: dictionary table 1, keyed by source IP and port with the login user name as value, and dictionary table 2, keyed by source IP with the number of login attempts per login user name as value;
S303: clearing the entries of dictionary table 2 at regular intervals corresponding to the time period;
S304: looking up in dictionary table 1 whether a key equal to the source IP and port of the parsed login information exists; if so, updating the corresponding value to the login user name of the login information, otherwise adding an entry keyed by that source IP and port with the login user name as value;
S305: looking up in dictionary table 2 whether a key equal to the source IP of the parsed login information exists; if so, incrementing the login count of the login user name in the corresponding value by 1 and proceeding to S306, otherwise adding an entry keyed by that source IP in which the login count of the login user name is set to 1, and proceeding to S306;
S306: judging whether the login count of the login user name under the source IP of the login information in dictionary table 2 exceeds the failed-login count threshold and, if so, raising an alarm and intercepting.
Further, the alarm content includes the time the brute-force behaviour occurred, the login user name, the attacker's IP address and the attacker's port.
Further, interception obtains the source IP address from the login information and writes a blocking rule for that IP address into the system firewall policy; the firewall policy is then polled at regular intervals according to the configured interception duration and, once the duration has elapsed, the blocking rule for that IP address is deleted from the firewall policy, which unblocks the address.
Further, the anti-brute-force detection algorithms include a distributed-attacker algorithm comprising: extracting the time period and the failed-login count threshold from the configured security policy; judging whether the sum of failed logins from several IPs within the time period exceeds the failed-login count threshold and, if so, raising an alarm and intercepting.
Further, the distributed-attacker algorithm also comprises: classifying and caching the currently collected failed-login logs by IP and, when the set time threshold is reached, reading all cached failed-login logs of each IP and identifying brute-force cracking with the single-attacker detection algorithm.
An anti-brute-force cracking terminal device comprises a processor, a memory and a computer program stored in the memory and runnable on the processor; the processor implements the steps of the method of the embodiment of the invention when it executes the computer program.
A computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the method of the embodiment of the invention described above.
With this technical scheme, brute-force cracking behaviour is discovered in time through the combination of several detection means and algorithms, the user is notified, and the attacker is automatically intercepted and blocked.
Drawings
Fig. 1 is a flowchart of the first embodiment of the invention.
Fig. 2 is a flowchart of the single-attacker anti-brute-force algorithm in this embodiment.
Fig. 3 is a flowchart of the distributed-attacker anti-brute-force algorithm in this embodiment.
Detailed Description
For further illustration of the various embodiments, reference is made to the accompanying drawings. The drawings, which are incorporated in and constitute a part of this disclosure, illustrate embodiments and together with the description serve to explain the principles of the embodiments. With reference to them, one of ordinary skill in the art will understand other possible embodiments and advantages of the invention.
The invention will now be further described with reference to the drawings and detailed description.
Embodiment one:
The embodiment of the invention provides an anti-brute-force cracking method which, as shown in Fig. 1, comprises the following steps:
S1: Configure a security policy.
In this embodiment the security policy is configured in the cloud and then downloaded to the client, which makes it convenient to configure many clients at once.
The security policy configured in this embodiment includes:
■ Monitored ports: the service ports to monitor; several service ports can be captured and parsed at the same time, on a host or in a Docker environment;
■ Time period: the time window within which connections from the same user are counted;
■ Failed-login count threshold: the number of failed logins allowed for the same user within the time period; beyond it the source is intercepted and blocked;
■ Distributed-attack time period: the time window within which connections are counted for distributed-attack detection;
■ Distributed-attack failed-login count: the number of failed logins of a user tolerated for distributed-attack detection;
■ Whether to alarm: when brute-force cracking is detected the user can choose one or more alarm channels, including log entries, SMS messages and e-mail;
■ Whether to intercept, and the interception duration: when brute-force cracking is detected the system blocks the offending IP for the configured duration and then unblocks it;
■ Protocol-parsing mode: parsing uses either packet-capture mode or log mode.
S2: and resolving the protocol according to a protocol resolving mode corresponding to the configured security policy to obtain corresponding login information.
According to the configured protocol analysis mode, the embodiment supports analysis of a packet grabbing mode and a log mode. The two analysis modes can respectively cope with different system environments, and when the network environment is relatively simple, the requirement on system response is higher, and a packet grabbing mode can be adopted; when the network environment is complex, the requirement on the system response is low, and a log mode can be adopted.
(1) Packet-capture mode
■ Create a raw socket and set BPF filter rules on it (i.e. the configured monitored ports); parse each network packet's header to obtain its frame type and capture packets whose EtherType is 0x0800 (IPv4) or 0x86DD (IPv6);
■ Parse the captured packets and extract the login information, which includes the login user name, source IP address, source port, destination IP address and destination port.
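The packet-capture parsing of these two steps, as an added example that is not the patent's code: a Python parser that reads the EtherType, keeps only 0x0800 (IPv4) and 0x86DD (IPv6) frames carrying TCP, extracts the source and destination address and port, and pulls the user name out of a cleartext FTP USER command. It assumes the frames already arrive as raw Ethernet bytes (on Linux from an AF_PACKET raw socket with the filter attached via SO_ATTACH_FILTER, which needs CAP_NET_RAW and is left out so the code runs offline); the filter text it builds is libpcap syntax, which tcpdump -dd compiles into the instruction form that socket option takes. The two sample frames are constructed, not captured. One caveat the text does not mention: SSH encrypts the user name, so for sshd packet-capture mode yields only the 5-tuple and the attempt rate, and the user name has to come from log mode.

```python
"""Packet-capture mode: the login 5-tuple from raw Ethernet frames (added example)."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800   # the two frame types the text captures
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_TCP = 6


def bpf_expression(ports):
    """libpcap/tcpdump filter text for the configured monitored ports."""
    return "tcp and (" + " or ".join(f"dst port {p}" for p in ports) + ")"


def parse_frame(frame):
    """Return {"src", "sport", "dst", "dport", "payload"} for an IPv4/IPv6 TCP frame.

    ARP, VLAN-tagged, non-TCP or truncated frames yield None, which is what the
    BPF filter would have dropped anyway.
    """
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_IPV4:
        ihl = (frame[14] & 0x0F) * 4            # IPv4 header length incl. options
        if len(frame) < 14 + ihl:
            return None
        proto = frame[23]
        src = socket.inet_ntop(socket.AF_INET, frame[26:30])
        dst = socket.inet_ntop(socket.AF_INET, frame[30:34])
        l4 = 14 + ihl
    elif ethertype == ETHERTYPE_IPV6:
        if len(frame) < 54:
            return None
        proto = frame[20]                        # next header; extension headers not walked
        src = socket.inet_ntop(socket.AF_INET6, frame[22:38])
        dst = socket.inet_ntop(socket.AF_INET6, frame[38:54])
        l4 = 54
    else:
        return None
    if proto != IPPROTO_TCP or len(frame) < l4 + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    data_off = (frame[l4 + 12] >> 4) * 4         # TCP header length from the data offset
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "payload": frame[l4 + data_off:]}


def ftp_user(payload):
    """User name from a cleartext FTP 'USER <name>' command, else None.

    Only cleartext protocols expose the name on the wire; SSH encrypts it.
    """
    if payload.upper().startswith(b"USER "):
        return payload[5:].split(b"\r\n", 1)[0].decode("ascii", "replace")
    return None


# Constructed sample frames (not captured traffic): zero MACs, zero checksums.
def ipv4_tcp_frame(src, sport, dst, dport, payload=b""):
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0, socket.inet_pton(socket.AF_INET, src),
                     socket.inet_pton(socket.AF_INET, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def ipv6_tcp_frame(src, sport, dst, dport, payload=b""):
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV6)
    ip = struct.pack("!IHBB16s16s", 0x60000000, 20 + len(payload), IPPROTO_TCP, 64,
                     socket.inet_pton(socket.AF_INET6, src),
                     socket.inet_pton(socket.AF_INET6, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    print(bpf_expression([21, 22]))
    info = parse_frame(ipv4_tcp_frame("203.0.113.5", 51234, "198.51.100.10", 21,
                                      b"USER alice\r\n"))
    print(info["src"], info["sport"], "->", info["dst"], info["dport"],
          "user:", ftp_user(info["payload"]))
```

The IPv6 branch assumes TCP follows the fixed 40-byte header directly; a frame with extension headers is rejected as non-TCP rather than parsed, which is the safe failure for a detector.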
(2) Log mode
■ Obtain the storage path of the service's log file from the service's configuration file;
■ Parse the obtained log file in real time and extract the login information.
S3: based on the configured security policy and the parsed login information, different anti-riot cracking algorithms are respectively adopted to detect in real time, and whether the login information is cracked by violence or not is judged.
In this embodiment, two anti-riot cracking algorithms are provided, namely an anti-riot cracking algorithm for a single attacker and an anti-riot cracking algorithm for distributed attackers. The embodiment combines the two anti-riot cracking algorithms to perform real-time detection, so that high operation and low delay can be realized, and the anti-riot cracking capability of the system is effectively improved.
(1) As shown in Fig. 2, the single-attacker algorithm comprises the following steps:
S301: extract, from the configured security policy and the parsed login information, the time period, the failed-login count threshold, the login user name, the source IP address and the source port;
S302: build two cache dictionary tables: dictionary table 1, keyed by source IP and port with the login user name as value, and dictionary table 2, keyed by source IP with the number of login attempts per login user name as value;
S303: clear the entries of dictionary table 2 at regular intervals corresponding to the time period;
S304: look up in dictionary table 1 whether a key equal to the source IP and port of the parsed login information exists; if so, update the corresponding value to the login user name of the login information, otherwise add an entry keyed by that source IP and port with the login user name as value;
S305: look up in dictionary table 2 whether a key equal to the source IP of the parsed login information exists; if so, increment the login count of the login user name in the corresponding value by 1 and proceed to S306, otherwise add an entry keyed by that source IP in which the login count of the login user name is set to 1, and proceed to S306;
S306: judge whether the login count of the login user name under the source IP of the login information in dictionary table 2 exceeds the failed-login count threshold and, if so, raise an alarm and intercept.
(2) Referring to Fig. 3, the main flow of the distributed-attacker algorithm is as follows:
In distributed brute-force cracking, many computers attack the target server within a short time, and to bypass the security policy the attacker controls the attack rate, for example each computer making one attempt every few seconds; the single-attacker algorithm can then fail to trigger. Looking at actual attack traces, a large number of failed-login log entries from different IPs appear within a short time, and they recur at a fixed interval. Therefore, when the sum of failed logins from several IPs within the configured time period exceeds the failed-login count threshold, distributed brute-force cracking is assumed to be in progress and an alarm and interception follow.
However, if the attacker controls the scale of the distributed attack (the number of attacking computers) and cracks several user names at once, the combined failed-login threshold across IPs may never be reached. The currently collected failed-login logs are therefore also classified and cached by IP; when the preset time threshold is reached, all cached failed-login logs of each IP are read back and checked for brute-force cracking with the single-attacker detection algorithm.
When the system detects brute-force cracking it notifies the user in time, according to the user's configuration, by alarm log, SMS message, e-mail or similar. The alarm content includes the time the brute-force behaviour occurred, the login user name, the attacker's IP address, the attacker's port and other details.
When the system detects brute-force cracking it can also block and intercept the attacker according to the user's configuration; the main steps are:
■ Obtain the attacker's IP address, i.e. the source IP address in the login information, and write a blocking rule for that IP address into the system firewall policy;
■ Poll the system firewall policy at regular intervals according to the configured interception duration; once the duration has elapsed, delete the rule for that IP address from the firewall policy, which unblocks it.
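The two interception steps above, as an added example that is not part of the patent: a small Python blocker that writes the drop rule with iptables (ip6tables for IPv6 sources) into an assumed dedicated chain BRUTE_BLOCK, created once with iptables -N BRUTE_BLOCK and referenced from INPUT outside this example, remembers each address's expiry, and on every periodic sweep deletes the rules whose interception duration has elapsed. Commands are returned as argument lists and only executed when dry_run is False, so the expiry bookkeeping can be checked offline.

```python
import subprocess
import time

CHAIN = "BRUTE_BLOCK"   # assumed chain name; created and linked from INPUT outside this example


class Blocker:
    """Timed interception: block an IP, unblock it once the duration has elapsed."""

    def __init__(self, duration, dry_run=True):
        self.duration = duration      # interception duration in seconds (policy setting)
        self.dry_run = dry_run        # True: return the command without running it
        self.expiry = {}              # ip -> unix time at which the rule is removed

    def _run(self, argv):
        if not self.dry_run:
            subprocess.run(argv, check=True)
        return argv

    def _rule(self, action, ip):
        tool = "ip6tables" if ":" in ip else "iptables"   # IPv6 lives in a separate table
        return [tool, action, CHAIN, "-s", ip, "-j", "DROP"]

    def block(self, ip, now=None):
        """Write the drop rule; re-blocking an already blocked IP only extends its expiry."""
        now = time.time() if now is None else now
        already = ip in self.expiry
        self.expiry[ip] = now + self.duration
        return None if already else self._run(self._rule("-I", ip))

    def sweep(self, now=None):
        """Periodic check of the firewall state: delete every rule whose time is up."""
        now = time.time() if now is None else now
        removed = []
        for ip, until in list(self.expiry.items()):
            if now >= until:
                removed.append(self._run(self._rule("-D", ip)))
                del self.expiry[ip]
        return removed


if __name__ == "__main__":
    blocker = Blocker(duration=600)          # dry run: shows what would be executed
    print(blocker.block("203.0.113.5"))
    print(blocker.sweep(now=time.time() + 601))
```

Polling for expiry, as the text describes, is what sweep() does; on Linux an ipset created with a timeout (ipset create blocklist hash:ip timeout 600, matched from iptables with -m set --match-set blocklist src) expires entries by itself and removes the need to poll. Whichever is used, check the source against an allowlist of management networks before calling block(), since a shared (NAT) source address would otherwise lock legitimate users out along with the attacker.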
By combining several detection algorithms, this embodiment effectively improves a server's resistance to brute-force cracking, alerts the user and intercepts the attacker as soon as brute-force cracking is detected, and automates the whole flow, meeting current market demand for such products.
Embodiment two:
The invention also provides an anti-brute-force cracking terminal device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor; the processor implements the steps of the method of the first embodiment when it executes the computer program.
Further, the anti-brute-force cracking terminal device may be a computing device such as a desktop computer, a notebook computer, a handheld computer or a cloud server. It may include, but is not limited to, a processor and a memory. Those skilled in the art will appreciate that this composition is merely an example and not a limitation: the device may include more or fewer components, combine some components, or use different components, for example an input/output device, a network access device or a bus, which the embodiment does not limit.
Further, the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor. The processor is the control centre of the terminal device and connects its various parts through interfaces and lines.
The memory stores the computer program and/or modules, and the processor implements the functions of the terminal device by running the stored program and/or modules and by reading data held in the memory. The memory may comprise a program area, which stores an operating system and at least one application needed for a function, and a data area, which stores data created while the device is used. The memory may include high-speed random access memory and non-volatile memory such as a hard disk, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, at least one disk storage device, a flash memory device or other non-volatile solid-state storage device.
The invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method of the above embodiment.
If the modules/units integrated in the terminal device are implemented as software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, all or part of the flow of the above method may be implemented by a computer program instructing the relevant hardware; the program is stored in a computer-readable storage medium and, when executed by a processor, implements the steps of the method embodiments above. The computer program comprises program code in source, object, executable or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, computer memory, read-only memory (ROM), random access memory (RAM), a software distribution medium, and so on.
While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (12)
1. An anti-brute-force cracking method, comprising the following steps:
S1: configuring a security policy;
S2: parsing the protocol in the protocol-parsing mode corresponding to the configured security policy to obtain the corresponding login information;
S3: based on the configured security policy and the parsed login information, running different anti-brute-force detection algorithms in real time and judging whether the login information results from brute-force cracking.
2. The method of claim 1, wherein the security policy is configured in the cloud and then downloaded to the client.
3. The method of claim 1, wherein the security policy includes: the monitored ports, the time period, the failed-login count threshold, the distributed-attack time period, the distributed-attack failed-login count, whether to alarm, whether to intercept and the interception duration, and the protocol-parsing mode.
4. The method of claim 1, wherein the protocol-parsing modes comprise a packet-capture mode and a log mode;
the parsing process of the packet-capture mode comprises: creating a raw socket, setting BPF filter rules on the raw socket, parsing the network packet header to obtain the frame type, capturing packets whose EtherType is 0x0800 or 0x86DD, and parsing the captured packets to extract the login information;
the parsing process of the log mode comprises: obtaining the storage path of the service's log file from the service's configuration file, and parsing the obtained log file to extract the login information.
5. The method of claim 1, wherein the login information includes the login user name, the source IP address, the source port, the destination IP address and the destination port.
6. The method of claim 1, wherein the anti-brute-force detection algorithms comprise a single-attacker algorithm comprising the following steps:
S301: extracting, from the configured security policy and the parsed login information, the time period, the failed-login count threshold, the login user name, the source IP address and the source port;
S302: building two cache dictionary tables: dictionary table 1, keyed by source IP and port with the login user name as value, and dictionary table 2, keyed by source IP with the number of login attempts per login user name as value;
S303: clearing the entries of dictionary table 2 at regular intervals corresponding to the time period;
S304: looking up in dictionary table 1 whether a key equal to the source IP and port of the parsed login information exists; if so, updating the corresponding value to the login user name of the login information, otherwise adding an entry keyed by that source IP and port with the login user name as value;
S305: looking up in dictionary table 2 whether a key equal to the source IP of the parsed login information exists; if so, incrementing the login count of the login user name in the corresponding value by 1 and proceeding to S306, otherwise adding an entry keyed by that source IP in which the login count of the login user name is set to 1, and proceeding to S306;
S306: judging whether the login count of the login user name under the source IP of the login information in dictionary table 2 exceeds the failed-login count threshold and, if so, raising an alarm and intercepting.
7. The method of claim 6, wherein the alarm content includes the time the brute-force behaviour occurred, the login user name, the attacker's IP address and the attacker's port.
8. The method of claim 6, wherein the interception is as follows: obtaining the source IP address from the login information and writing a blocking rule for that IP address into the system firewall policy; polling the system firewall policy at regular intervals according to the configured interception duration and, once the interception duration has elapsed, deleting the blocking rule for that IP address from the firewall policy so that the address is unblocked.
9. The method of claim 1, wherein the anti-brute-force detection algorithms comprise a distributed-attacker algorithm comprising: extracting the time period and the failed-login count threshold from the configured security policy; judging whether the sum of failed logins from several IPs within the time period exceeds the failed-login count threshold and, if so, raising an alarm and intercepting.
10. The method of claim 1, wherein the anti-brute-force detection algorithms comprise a distributed-attacker algorithm comprising: classifying and caching the currently collected failed-login logs by IP and, when the set time threshold is reached, reading all cached failed-login logs of each IP and identifying brute-force cracking with the single-attacker detection algorithm.
11. An anti-brute-force cracking terminal device, characterized in that it comprises a processor, a memory and a computer program stored in the memory and runnable on the processor, the processor implementing the steps of the method of any one of claims 1 to 10 when it executes the computer program.
12. A computer-readable storage medium storing a computer program, characterized in that: the computer program implementing the steps of the method according to any one of claims 1 to 10 when executed by a processor.
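The detection logic of claims 4 to 10 in one runnable form, as an added example that is not the patent's own code: the log-mode parser of claim 4 extracting the claim 5 fields, the two dictionary tables, periodic clearing and threshold check of claim 6, the timed interception and release of claim 8, and the cross-IP sum of claim 9. The log line layout, the field names, every threshold, the in-memory `blocked` table that stands in for the system firewall policy, and the choice to block every source IP seen in the window on a distributed alert are all assumptions made for this example; the patent fixes none of them.

```python
"""Added example modelled on claims 4-10 of the page above.
Log format, field names, thresholds and the firewall stand-in are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line layout (constructed; the patent does not fix a format).
LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

def parse_login_line(line):
    """Log-mode parsing (claim 4): extract the claim 5 fields from one line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    info = m.groupdict()
    info["ts"] = datetime.fromisoformat(info["ts"])
    info["failed"] = info.pop("result") == "FAIL"
    return info

class BruteForceDetector:
    def __init__(self, period, fail_threshold, block_duration, distributed_threshold):
        self.period = timedelta(seconds=period)                  # s301 time period
        self.fail_threshold = fail_threshold                     # s301 failed-login threshold
        self.block_duration = timedelta(seconds=block_duration)  # claim 8 interception duration
        self.distributed_threshold = distributed_threshold       # claim 9 threshold
        self.dict1 = {}                                          # "ip:port" -> last user name
        self.dict2 = defaultdict(lambda: defaultdict(int))       # ip -> {user: failed count}
        self.window_start = None
        self.distributed_alerted = False
        self.blocked = {}   # ip -> expiry; stand-in for the system firewall policy (assumed)
        self.alerts = []

    def _tick(self, now):
        # s303: clear dictionary table 2 once the time period has elapsed
        if self.window_start is None or now - self.window_start >= self.period:
            self.dict2.clear()
            self.window_start = now
            self.distributed_alerted = False
        # claim 8: delete interception rules whose duration has been reached
        for ip in [ip for ip, until in self.blocked.items() if now >= until]:
            del self.blocked[ip]

    def _alert(self, kind, now, info, ips):
        # claim 7 alarm content; assumption: a distributed alert blocks every ip in the window
        self.alerts.append({"kind": kind, "time": now, "user": info["user"],
                            "src_ip": info["src_ip"], "src_port": info["src_port"]})
        for ip in ips:
            self.blocked[ip] = now + self.block_duration

    def process(self, info):
        """Feed one parsed record; return 'blocked', 'single', 'distributed' or None."""
        now = info["ts"]
        self._tick(now)
        if info["src_ip"] in self.blocked:
            return "blocked"          # the firewall rule would drop this attempt
        if not info["failed"]:
            return None
        # s304: dictionary table 1, key source ip:port -> login user name
        self.dict1[f"{info['src_ip']}:{info['src_port']}"] = info["user"]
        # s305: dictionary table 2, key source ip -> per-user failed login count
        self.dict2[info["src_ip"]][info["user"]] += 1
        # s306: single attacker over the failed-login threshold
        if self.dict2[info["src_ip"]][info["user"]] > self.fail_threshold:
            self._alert("single", now, info, [info["src_ip"]])
            return "single"
        # claim 9: sum of failed logins across all source ips in the period
        total = sum(sum(users.values()) for users in self.dict2.values())
        if total > self.distributed_threshold and not self.distributed_alerted:
            self.distributed_alerted = True
            self._alert("distributed", now, info, list(self.dict2))
            return "distributed"
        return None

# Constructed sample log: one source hammering 'admin', four sources trying
# 'root' once each, then a late retry after the block has expired.
CONSTRUCTED_LOG = """\
2022-12-15T10:00:00 FAIL user=admin src=203.0.113.5:51234 dst=192.0.2.10:22
2022-12-15T10:00:02 FAIL user=admin src=203.0.113.5:51235 dst=192.0.2.10:22
2022-12-15T10:00:04 FAIL user=admin src=203.0.113.5:51236 dst=192.0.2.10:22
2022-12-15T10:00:06 FAIL user=admin src=203.0.113.5:51237 dst=192.0.2.10:22
2022-12-15T10:00:08 FAIL user=admin src=203.0.113.5:51238 dst=192.0.2.10:22
2022-12-15T10:00:10 OK user=alice src=198.51.100.7:40001 dst=192.0.2.10:22
2022-12-15T10:00:12 FAIL user=root src=198.51.100.21:40002 dst=192.0.2.10:22
2022-12-15T10:00:13 FAIL user=root src=198.51.100.22:40003 dst=192.0.2.10:22
2022-12-15T10:00:14 FAIL user=root src=198.51.100.23:40004 dst=192.0.2.10:22
2022-12-15T10:00:15 FAIL user=root src=198.51.100.24:40005 dst=192.0.2.10:22
2022-12-15T10:30:00 FAIL user=admin src=203.0.113.5:51300 dst=192.0.2.10:22
"""

def run_demo(lines=None, period=60, fail_threshold=3, block_duration=600,
             distributed_threshold=7):
    """Run the detector over the sample log; return (detector, per-line verdicts)."""
    det = BruteForceDetector(period, fail_threshold, block_duration, distributed_threshold)
    verdicts = []
    for line in (lines if lines is not None else CONSTRUCTED_LOG.splitlines()):
        info = parse_login_line(line)
        if info is not None:
            verdicts.append(det.process(info))
    return det, verdicts

if __name__ == "__main__":
    detector, _ = run_demo()
    for a in detector.alerts:
        print(a["kind"], a["time"], a["user"], a["src_ip"])
```

With the defaults, the fourth failure from 203.0.113.5 raises a single-attacker alert and blocks that address; the fifth attempt is reported as dropped by the block; the four single failures from different sources push the window total past the distributed threshold; and the retry half an hour later lands in a fresh window after every block has expired. Dictionary table 2 is a tumbling window (cleared at each period boundary, as s303 states), so a source that spreads its attempts across the boundary is counted in two halves, which is why the distributed sum of claim 9 and the cached batch evaluation of claim 10 are worth running alongside the per-IP counter.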
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211618634.4A CN116248329A (en) | 2022-12-15 | 2022-12-15 | Anti-riot cracking method, terminal equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211618634.4A CN116248329A (en) | 2022-12-15 | 2022-12-15 | Anti-riot cracking method, terminal equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116248329A true CN116248329A (en) | 2023-06-09 |
Family
ID=86623221
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211618634.4A Pending CN116248329A (en) | 2022-12-15 | 2022-12-15 | Anti-riot cracking method, terminal equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116248329A (en) |
- 2022-12-15 CN CN202211618634.4A patent/CN116248329A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||