CN117014232A - Defending method, device, equipment and medium for denial of service attack - Google Patents

Publication number
CN117014232A
Authority
CN
China
Prior art keywords
service
data
user behavior
attack
denial
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311281207.6A
Other languages
Chinese (zh)
Other versions
CN117014232B (en)
Inventor
张颖
孙月俊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chuangyun Rongda Information Technology Tianjin Co ltd
Original Assignee
Chuangyun Rongda Information Technology Tianjin Co ltd
Application filed by Chuangyun Rongda Information Technology Tianjin Co ltd
Priority to CN202311281207.6A
Publication of CN117014232A
Application granted
Publication of CN117014232B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The invention discloses a method, device, equipment and medium for defending against denial of service attacks, and relates to the technical field of computers. The method first receives a service request carrying user behavior data, then performs anomaly detection on the service request according to the acquired real-time access amount corresponding to the user identifier, the user behavior data and a predetermined normal user behavior data range. When the service request is detected to be abnormal, the service network is checked, and the attack type of the denial of service attack is determined according to the network state detection result, the real-time access amount and the user behavior data. Finally, a control scheme for the service data storage is determined and executed according to the attack type and the predetermined correspondence between attack types and service data storage control schemes. After a service request is identified as a denial of service attack according to the user behavior data, the corresponding defense strategy can be selected automatically according to the identified attack type, which improves the efficiency and real-time performance of responding to denial of service attacks.

Description

Defending method, device, equipment and medium for denial of service attack
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a medium for defending against denial of service attacks.
Background
In general, common denial of service attacks (DoS attacks) include computer network bandwidth attacks and connectivity attacks, which aim to make a computer or a network unable to provide normal services. According to their targets, denial of service attacks can be classified into attacks on application service programs, attacks on the operating system, attacks on network protocols, attacks on bandwidth or links, and attacks on key network facilities.
The prior art generally counters denial of service attacks by patching vulnerabilities and optimizing the system in time, providing additional bandwidth to enhance tolerance, deploying firewalls, and the like.
However, for complex denial of service attacks, existing schemes only select a corresponding means according to the type of denial of service attack the service platform currently faces. They lack a systematic defense method for denial of service attacks, and their efficiency and real-time performance in responding to such attacks are low.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method, apparatus, device, and medium for defending against denial of service attacks.
The technical scheme adopted in the specification is as follows:
The specification provides a defending method for denial of service attack, which comprises the following steps:
receiving a service request carrying user behavior data, wherein the service request at least comprises a user identifier;
acquiring a real-time access amount corresponding to the user identifier, and performing anomaly detection on the service request according to the real-time access amount, the user behavior data and a predetermined normal user behavior data range;
when detecting that the service request is abnormal, detecting the network state of the service network, and judging the attack type of the denial of service attack according to the network state detection result, the real-time access amount, and the connection-anomaly data and source-anomaly data contained in the user behavior data;
and determining and executing a control scheme for the service data storage according to the attack type and the predetermined correspondence between attack types and service data storage control schemes.
Optionally, performing anomaly detection on the service request specifically includes:
when the real-time access amount is determined to be larger than a preset access threshold, determining that the service request is abnormal;
when the real-time access amount is determined to be smaller than the preset access threshold, checking, for each item of user behavior data, whether it is within the normal user behavior data range;
determining a user behavior score according to the check result of each item of user behavior data, and judging whether the user behavior score is larger than a preset anomaly threshold;
if yes, determining that the service request is normal;
if not, performing fault-tolerant detection according to the user behavior data, determining that the service request is abnormal when the fault-tolerant detection fails, and determining that the service request is normal when the fault-tolerant detection succeeds.
Optionally, the fault tolerance detection specifically includes:
taking all user behavior data which are not in the normal user behavior data range as data to be checked, checking all the data to be checked in real time, and receiving a checking result;
updating the user behavior score according to each verification result, and judging whether the updated user behavior score is greater than a preset abnormal threshold value;
if yes, determining that fault-tolerant detection is successful;
if not, determining that the fault-tolerant detection fails.
Optionally, the service data storage includes a main memory and an extension memory;
the corresponding relation between the predetermined attack type and the business data storage control scheme specifically comprises the following steps:
when the attack type is the Land attack type, sending an enabling instruction to the extension memory to expand capacity, so that the service data is stored through the extension memory;
when the attack type is the SYN attack type, detecting the running speed of the main memory, and if the running speed is smaller than a preset speed threshold, sending a restarting instruction to the main memory and sending an enabling instruction to the extension memory, so that the service data is stored through the extension memory.
Optionally, the method further comprises:
detecting each storage container in the main memory, and determining the storage state of each storage container in the main memory;
when the number of the storage containers with abnormal storage states is larger than a preset abnormal number threshold, sending a restarting instruction to a main memory, and sending an enabling instruction to an extension memory so as to store business data through the extension memory;
when the memory occupation amount of the main memory is larger than a preset warning threshold value, an enabling instruction is sent to the extension memory to expand the capacity so as to store the service data through the extension memory.
Optionally, the method further comprises:
forwarding the determined attack type of the denial of service attack to a monitoring user, and prompting the monitoring user to determine a current control instruction for the service data storage;
and receiving a current control instruction for the service data storage and forwarding the current control instruction to the service data storage, so that the service data storage executes the current control instruction to defend against denial of service attack.
Optionally, the method further comprises:
when the service request is determined to be abnormal, not responding to the service request, and returning a service termination result;
and when the service request is determined to be normal, responding to the service request, and returning a response result.
The present specification provides a defending device for denial of service attack, including:
the receiving module is used for receiving a service request carrying user behavior data, wherein the service request at least comprises a user identifier;
the detection module is used for acquiring the real-time access amount corresponding to the user identifier and performing anomaly detection on the service request according to the real-time access amount, the user behavior data and the predetermined normal user behavior data range;
the type determining module is used for detecting the network state of the service network when detecting that the service request is abnormal, and judging the attack type of the denial of service attack according to the network state detection result, the real-time access quantity, the data of abnormal connection contained in the user behavior data and the data of abnormal source;
and the defense module is used for determining and executing the control scheme of the service data storage according to the attack type and the corresponding relation between the predetermined attack type and the control scheme of the service data storage.
The present specification provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the defending method of denial of service attacks described above.
The present specification provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the above-described denial of service attack protection method when executing the program.
The above-mentioned at least one technical scheme that this specification adopted can reach following beneficial effect:
The invention first receives a service request carrying user behavior data, the service request at least comprising a user identifier, and then acquires the real-time access amount corresponding to the user identifier, so that anomaly detection is performed on the service request according to the real-time access amount, the user behavior data and the predetermined normal user behavior data range. When the service request is detected to be abnormal, the service network is checked, and the attack type of the denial of service attack is judged according to the network state detection result, the real-time access amount, and the connection-anomaly data and source-anomaly data contained in the user behavior data. Finally, the control scheme for the service data storage is determined and executed according to the judged attack type and the predetermined correspondence between attack types and service data storage control schemes.
The application can accurately identify whether a received service request is a denial of service attack according to the real-time access amount, the user behavior data and the predetermined normal user behavior data range. After a denial of service attack is identified, it can accurately identify the specific attack type according to the network state detection result, the real-time access amount and the user behavior data, and automatically select the corresponding defense strategy according to the attack type, thereby realizing automatic attack detection and defense. The method therefore does not require manual judgment of whether a denial of service attack is being faced or of which type it is, avoids lag in responding to denial of service attacks, and improves the efficiency and real-time performance of the response.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a schematic flow chart of a defending method for denial of service attack provided in the present specification;
FIG. 2 is a schematic diagram of a data security system for protecting against denial of service attacks according to the present disclosure;
FIG. 3 is a schematic illustration of the user behavior analysis defense denial of service attack protection data security system mind;
FIG. 4 is a schematic diagram of a defending device for denial of service attack provided in the present specification;
FIG. 5 is a schematic diagram of a computer device for implementing a defending method for denial of service attack provided in the present specification.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present specification more apparent, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present specification and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art without the exercise of inventive faculty, are intended to be within the scope of the application, based on the embodiments in the specification.
Currently, denial of service attacks are mainly countered by detecting the attack, providing additional bandwidth to enhance tolerance, and tracking the source of the attack. Precautionary measures include defenses such as request source verification, firewall defense and router defense, but a systematic design that combines automatic defense with self-healing and energy saving after a denial of service attack occurs is lacking; a corresponding means is selected only after the attack has occurred, according to the type of denial of service attack currently faced.
This scheme provides a method, based on user behavior analysis, for defending against denial of service attacks to protect data security. It aims to use system automation to defend against, handle and self-heal from denial of service attacks while saving energy and improving efficiency. Starting from user behavior, the scheme performs access defense using the characteristics of user behavior and adds a fault tolerance mechanism to that access defense, which preserves the experience of normal users while forming a set of interception and defense countermeasures against real denial of service attacks. The defense means are automated, and after an attack is received the service data storage can self-check and adjust, thereby realizing self-healing. The system can reduce the risks of service interruption and data loss, and combines data preheating, dormancy of the extended storage server, DOS defense, self-healing, and energy conservation and emission reduction into a complementary automatic system.
The following describes in detail the technical solutions provided by the embodiments of the present application with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of a defending method of denial of service attack in the present specification, which specifically includes the following steps:
S101: Receive a service request carrying user behavior data, wherein the service request at least comprises a user identifier.
In practical applications, a server of a service platform provides specific services through interaction with a client on the user side. The user can initiate a service request to the server through a web page at the client, and the server can receive the service request and respond according to the specific service data in it.
In particular, in one or more embodiments of the present description, a user-initiated service request may carry a variety of service data, including, but not limited to, the user identifier, user behavior data, and service demand data. What data a specific service request includes can be determined according to the service implementation requirements, which is not limited in this specification.
The user behavior data may include information such as login, submission, deletion and other page interaction behaviors, operation time period of a user, request frequency, request interval time length, user source, common equipment, user characteristic data, web page information, web page source, user ip address and the like, and specific user behavior data may be determined according to service implementation requirements, which is not limited in this specification.
The user source may include different source information such as applet registration, mailbox registration, web page registration, APP registration, etc.
The user characteristic data may include user characteristic information of a general user, a VIP user, a PC end user, a mobile end user, a new user, an old user, and the like.
The web page information may include information of which page of the product link the current user operation page belongs to, such as whether the page is a public page or a private page of the user, whether the page information matches the request information, and the like.
Web page sources may include request terminal information and regional information, such as PC side, mobile side, domestic and overseas.
The above list of types of various data is merely illustrative, and specific various data may be determined according to the service implementation requirements, which is not limited in this specification.
The server mentioned in the present specification may be a hardware storage server, a cloud server, etc. provided on the service platform, and includes an electronic device such as a desktop, a notebook, etc. capable of executing the solution of the present specification, which supports the operation of a software system. For convenience of explanation, only the repository server is used as the execution subject.
S102: Acquire the real-time access amount corresponding to the user identifier, and perform anomaly detection on the service request according to the real-time access amount, the user behavior data and the predetermined normal user behavior data range.
After receiving the service request of the user, the server can perform anomaly detection on the current user and the service request to judge whether the access event of the current service request is a denial of service attack.
Specifically, in one or more embodiments of the present disclosure, the server may first obtain the real-time access amount of the current user according to the user identifier, so as to monitor the access amount. The real-time access amount may refer to the current user's access amount within the most recent preset time interval, for example the access amount in the 5 seconds, or in the 10 seconds, before the real-time access amount is collected. The specific size of the preset time interval can be set as needed and is not limited in this specification.
Of course, the server can collect the real-time access amount of the current user itself according to the preset time interval, or can monitor the real-time access amount through a third-party platform, for example through third-party monitoring tools such as Solarwinds Pingdom and Pylot, which is not limited in this specification.
When the server determines that the real-time access amount of the current user is greater than the preset access amount threshold, it can directly determine that the access event of the current service request is a denial of service attack, that is, the current service request is abnormal, and go on to deal with the attack. The specific size of the preset access amount threshold can be set according to the service scale requirements and is not limited in this specification.
When the server determines that the real-time access amount of the current user is smaller than the preset access threshold, it checks, for each item of user behavior data, whether the item is within the normal user behavior data range, determines a user behavior score according to the check result of each item, and judges whether the user behavior score is larger than the preset anomaly threshold. If so, the service request is determined to be normal. If not, fault-tolerant detection is performed according to the user behavior data; the service request is determined to be abnormal when the fault-tolerant detection fails and normal when it succeeds. The service request detection is shown in Table 1 and Table 2.
TABLE 1 normal behavior judgment schematic table when user frequently logs in
TABLE 2 abnormal behavior determination schematic Table when user frequently logs in
Table 1 is a normal behavior judgment schematic table, provided in the specification, for the case where a user logs in frequently. The first column of Table 1, the user behavior evaluation factors, gives examples of the items of user behavior data carried in the service request received in step S101; the second column gives an example normal user behavior data range; and the subsequent columns give user behavior data determination examples. The last row of Table 1 shows a preset anomaly threshold of 14 and a final user behavior score of 17. The user behavior score in the example of Table 1 is greater than the preset anomaly threshold, that is, the service request in the example is normal.
Table 2 is a schematic diagram for judging abnormal behavior when a user logs in frequently. It can be seen from table 2 that the final user behavior score in the example is 2 points, and the user behavior score in the example of table 2 is less than the preset anomaly threshold, i.e. the service request in the example is anomalous.
Further, in one or more embodiments of the present disclosure, fault-tolerant detection may be fault-tolerant processing that includes threshold expansion, behavior reclassification, limiting the total number of requests processed for a single source address, user source address verification, and the like. When the server performs fault-tolerant detection, each item of user behavior data that is not within the normal user behavior data range can be treated as data to be checked; each item of data to be checked is verified in real time, and a verification result is received. The user behavior score is then updated according to each verification result, and it is judged whether the updated score is larger than the preset anomaly threshold. If so, the fault-tolerant detection is determined to have succeeded; if not, it is determined to have failed.
Real-time verification can be performed on each item of data to be checked. Taking the user characteristics as an example, when the previous user behavior data shows that the current user is an ordinary user and the current abnormal user behavior data shows that the current user is a VIP user, the server can perform user identity upgrade verification. If the user identity upgrade is verified, the user characteristic data can be considered to have passed real-time verification, and the user behavior score of the current user is updated accordingly. Verifying the data to be checked item by item in real time preserves the experience of normal users and further improves the accuracy of identifying abnormal service requests.
Table 3 is a schematic table of successful fault-tolerance detection of abnormal user behavior provided in the specification. As the fault-tolerant processing column of Table 3 shows, each item of user behavior data that is not within the normal user behavior data range can be verified in real time separately. Every item of data to be checked passes verification and, according to the user behavior score update policy for the fault tolerance check, the user behavior score is increased by 5 in total. As the last row of Table 3 shows, the user behavior score corresponding to the abnormal user behavior data is 13 before the fault tolerance check, which is smaller than the anomaly threshold. After the fault tolerance check, the data to be checked has passed verification and the user behavior score is updated to 18, which is larger than the anomaly threshold, so the current user's service request can be determined to be normal and a normal service response can be given.
Table 3 user fault tolerance detection success indicator
Table 4 is a schematic table of failed fault-tolerance detection of abnormal user behavior provided in the specification. Here, 4 items of data to be checked fail verification and 1 item passes, and the user behavior score is reduced by 4 according to the user behavior score update policy for the fault tolerance check. As the last row of Table 4 shows, the user behavior score corresponding to the abnormal user behavior data is 13 before the fault tolerance check, which is smaller than the anomaly threshold. After the fault tolerance check, most of the data to be checked cannot pass verification, and the user behavior score is updated to 9, still smaller than the anomaly threshold, so the service request of the current user can be determined to be abnormal. It can then be detected whether the current real-time access amount is abnormal, whether the network shows a large number of abnormal requests, and whether the network check is normal. If there are a large number of abnormal requests or the network is abnormal, the current service request is a denial of service attack, and a corresponding defense strategy needs to be further executed.
Table 4 user abnormal behavior fault tolerance detection failure schematic table
Of course, what updating strategy is specifically adopted for scoring the user behavior in fault tolerance test can be determined according to the requirement, and the specification does not limit the updating strategy.
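The S102 decision flow described above (access-volume gate, per-item behavior score, then fault-tolerance re-verification), as an added Python example that is not part of the patent text. The 5-second window and the anomaly threshold of 14 come from the page; the access ceiling, the per-item ranges and points, the update policy (restore the item's points on a pass, subtract 1 on a fail) and the verifier lookups are assumptions, since the page leaves them to the implementer.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5       # the page's example interval for the real-time access amount
ACCESS_THRESHOLD = 50    # assumed per-user request ceiling inside the window
ANOMALY_THRESHOLD = 14   # preset anomaly threshold quoted in the Table 1 discussion

# Assumed normal ranges: item -> (in-range predicate, points scored when in range).
PROFILE = {
    "login_hour":         (lambda v: 7 <= v <= 23, 3),
    "requests_per_min":   (lambda v: v <= 30, 3),
    "request_interval_s": (lambda v: v >= 1.0, 3),
    "user_source":        (lambda v: v in {"web", "app", "applet", "mailbox"}, 2),
    "known_device":       (lambda v: v is True, 3),
    "user_tier":          (lambda v: v == "ordinary", 2),
    "region":             (lambda v: v == "domestic", 2),
}

# Constructed back-office records used for real-time verification.
UPGRADED_USERS = {"u-1001"}     # users with a confirmed VIP upgrade
CONFIRMED_DEVICES = {"u-1001"}  # users who confirmed a new device
VERIFIERS = {
    "user_tier":    lambda uid, v: v == "vip" and uid in UPGRADED_USERS,
    "known_device": lambda uid, v: uid in CONFIRMED_DEVICES,
}


class AccessCounter:
    """Sliding-window request count per user identifier."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.hits = defaultdict(deque)

    def record(self, user_id, now):
        q = self.hits[user_id]
        q.append(now)
        while q and q[0] <= now - self.window:  # drop hits older than the window
            q.popleft()
        return len(q)


def behavior_score(behavior):
    """Score in-range items; return the score and the items to re-verify."""
    score, to_check = 0, []
    for item, (in_range, points) in PROFILE.items():
        if item in behavior and in_range(behavior[item]):
            score += points
        else:
            to_check.append(item)
    return score, to_check


def fault_tolerance(user_id, score, to_check, behavior):
    """Re-verify each out-of-range item and update the score (assumed policy)."""
    for item in to_check:
        verify = VERIFIERS.get(item)
        passed = verify is not None and verify(user_id, behavior.get(item))
        score += PROFILE[item][1] if passed else -1
    return score


def detect(request, counter, now):
    """Return the verdict, the deciding stage and the final score."""
    uid, behavior = request["user_id"], request["behavior"]
    if counter.record(uid, now) > ACCESS_THRESHOLD:
        return {"verdict": "abnormal", "stage": "access_volume", "score": None}
    score, to_check = behavior_score(behavior)
    if score > ANOMALY_THRESHOLD:
        return {"verdict": "normal", "stage": "behavior_score", "score": score}
    score = fault_tolerance(uid, score, to_check, behavior)
    verdict = "normal" if score > ANOMALY_THRESHOLD else "abnormal"
    return {"verdict": verdict, "stage": "fault_tolerance", "score": score}


def sample_request(user_id, **overrides):
    """Constructed request; overrides replace individual behavior items."""
    behavior = {"login_hour": 10, "requests_per_min": 6, "request_interval_s": 8.0,
                "user_source": "web", "known_device": True,
                "user_tier": "ordinary", "region": "domestic"}
    behavior.update(overrides)
    return {"user_id": user_id, "behavior": behavior}


if __name__ == "__main__":
    counter = AccessCounter()
    odd = {"user_tier": "vip", "known_device": False}
    print(detect(sample_request("u-1000"), counter, now=0.0))
    print(detect(sample_request("u-1001", **odd), counter, now=0.0))
    print(detect(sample_request("u-2002", **odd), counter, now=0.0))
```

The two requests with the same out-of-range items start from the same score of 13 and diverge only on the verification results, which is the behavior the fault-tolerance step is meant to provide.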
S103: When the service request is detected to be abnormal, detect the network state of the service network, and judge the attack type of the denial of service attack according to the network state detection result, the real-time access amount, and the connection-anomaly data and source-anomaly data contained in the user behavior data.
S104: Determine and execute the control scheme for the service data storage according to the attack type and the predetermined correspondence between attack types and service data storage control schemes.
After the service request is checked in step S102, when the server determines that the service request is abnormal, the service network of the service platform may be checked in real time. The network state detection result, the real-time access amount corresponding to the user identifier, and the connection-anomaly data and source-anomaly data contained in the user behavior data are then passed into the denial of service attack identification model, which determines the denial of service attack type. The attack types of denial of service attacks include bandwidth attacks and connectivity attacks (SYN flooding, Land attacks, ping flooding, UDP attacks, OOB, etc.).
The denial of service attack identification model can be a neural network model trained in advance by the service platform, or a neural network model provided by a third-party platform, as needed. Identifying the attack type of a denial of service attack is a mature technology and is not described herein.
After determining the attack type of the denial of service attack corresponding to the abnormal service request, the server can further determine and execute the control scheme of the service data storage according to the pre-stored attack type and the pre-determined corresponding relation between the attack type and the control scheme of the service data storage, and can return a service termination result to the user client.
It is to be appreciated that the service platform can store service data through a number of service data stores, wherein the service data store control scheme includes, but is not limited to: checking the storage state of the target memory, shutting down the target memory, enabling the target memory, restarting the target memory, switching memory usage, and so forth. Specifically, for how to deal with each denial of service attack, a mature technology exists, and the server can determine the corresponding relation between the type of the denial of service attack and the control scheme of the memory according to the existing coping scheme, so that after the type of the facing denial of service attack is determined, the control scheme of the memory is automatically determined and executed through the corresponding relation, and further, automatic systematic DOS defense is realized. And simultaneously, returning a response result of service termination execution to the client, and terminating to provide service for the user or the pseudo user who launches the denial of service attack.
Of course, when the server determines that the service request is normal, the server may perform a corresponding data operation in response to the service request and return a response result.
In the defending method of denial of service attack shown in fig. 1, a service request carrying user behavior data is first received, the service request including at least a user identifier. The real-time access amount corresponding to the user identifier is then obtained, and abnormal detection of the service request is performed according to the real-time access amount, the user behavior data and a predetermined normal user behavior data range. When the service request is detected to be abnormal, network state detection is performed on the service network, and the attack type of the denial of service attack is judged according to the network state detection result, the real-time access amount, and the connection-anomaly data and source-anomaly data contained in the user behavior data. Finally, a control scheme for the service data storage is determined and executed according to the attack type and the predetermined correspondence between attack types and service data storage control schemes.
The invention can accurately identify whether a received service request is a denial of service attack according to the real-time access amount, the user behavior data and the predetermined normal user behavior data range. After a denial of service attack is identified, it can accurately identify the specific attack type according to the network state detection result, the real-time access amount and the user behavior data, and automatically select the corresponding defending strategy for that attack type, thereby realizing automatic attack detection and defense. The method therefore does not require manual judgment of whether a denial of service attack is under way or of which type it is, avoids lag in responding to the attack, and improves the efficiency and timeliness of the response.
When the defending method of denial of service attack provided in the present specification is applied, the steps may be executed according to the order of the steps shown in fig. 1, and the specific execution order of the steps may be determined according to need, which is not limited in the present specification.
In addition, in one or more embodiments of the present disclosure, service data generated by the service platform in response to the service request may be stored by a main memory and an extension memory, i.e., the service data storage includes the main memory and the extension memory. The main memory stores important user data and is the main carrier for data storage. It comprises different storage containers, divided according to data relations, which together form a storage set, so that it can be controlled both as a whole and at fine granularity. The extension memory is enabled when traffic on the service line surges, the CPU water level of the cluster exceeds a certain threshold, and the service capacity warning line of the main server is exceeded. Whether the cause is a traffic surge or a denial of service attack, it ensures in time that access to service data, data backup and other work continue normally and that the service is not interrupted. While it is not needed, the extension memory can sleep according to a sleep instruction, thereby saving energy.
Correspondingly, the predetermined correspondence between attack types and service data storage control schemes in step S104 may be as follows. When the attack type of the denial of service attack is the Land attack type, the main memory is affected during the attack, and the server may send an enabling instruction to the extension memory to expand capacity, so that service data is stored through the extension memory. Enabling the extension memory for expanded storage capacity and bandwidth resources ensures that business activity is not interrupted. Of course, other defensive measures can be employed in addition to the control of the memory, for example limiting network traffic, avoiding excessive TCP requests, strengthening firewalls, detecting and repairing system vulnerabilities, and immediately notifying the monitoring user of the attack event.
When the attack type of the denial of service attack is the SYN attack type, the server can detect the running speed of the main memory. If the running speed of the main memory is found to be smaller than a preset speed threshold, the main memory has been greatly affected by the attack and needs to be restarted. The server may then send a restart instruction to the main memory and an enable instruction to the extension memory, so that service data is stored through the extension memory. This ensures that access to service data, data backup and similar work proceed normally and that the service of the service platform is not interrupted. Of course, other defensive measures can be employed in addition to the control of the memory, such as rule filtering of data packets, fingerprint detection filtering of data streams, and custom filtering of data packet content.
Further, in one or more embodiments of the present disclosure, service data generated by a service platform in response to a service request may also be stored by a cache memory, where the cache memory may cache frequently used data in a service, and when the data needs to be used, a server may directly read from the cache memory, thereby improving data use efficiency, reducing use pressure of a main storage server, accelerating response of the service data, and saving energy consumption of the main server. Meanwhile, when the main memory is restarted or expanded, business activities can be performed based on the cache memory, so that service is provided for users without interruption, and user experience is improved.
Still further, in one or more embodiments of the present disclosure, before determining the control scheme for the memory and executing the control scheme, that is, before step S104, the server may further detect each storage container in the main memory, and determine the storage state of each storage container in the main memory. The storage state of each storage container in the main memory can reflect whether denial of service attack is encountered at present to a certain extent. The server may perform round checking on the storage states of the storage containers in the main memory at preset time intervals, or may detect the storage states of the storage containers in the main memory when determining that the service request is abnormal according to the network state detection result, the real-time access amount, the user behavior data and the predetermined normal user behavior data range, so as to immediately perform denial of service attack defense coping according to the storage states.
The detection of each storage container in the main memory may use detection software provided by a memory manufacturer, or may use technical support provided by accessing a third party platform, for example, third party software such as weavescope, icinga, etc.
Specifically, when the detection result of the storage state shows that the number of abnormal storage containers is greater than the preset abnormal number threshold, the server may send a restart instruction to the main memory and send an enable instruction to the extension memory, so as to store the service data through the extension memory. When the detection result of the storage state shows that the memory occupation amount of the main memory is larger than the preset warning threshold value, the server can send an enabling instruction to the extension memory to expand the capacity so as to store the service data through the extension memory and support the service process. Thus, the response efficiency to denial of service attacks can be further improved.
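The storage-control decisions described above (Land, SYN, abnormal container count, memory occupation) can be expressed as one planning function. This is an added illustration, not code from the patent; the command tuples, the default threshold values, the enable-before-restart ordering, and the fallback of notifying the monitoring user for other attack types are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical command vocabulary: (target, instruction).
ENABLE_EXTENSION = ("extension_memory", "enable")
RESTART_MAIN = ("main_memory", "restart")
NOTIFY_MONITOR = ("monitoring_user", "notify")

# Assumed execution order: the extension memory is brought up before the main
# memory restarts, so service data always has somewhere to be written.
ORDER = [ENABLE_EXTENSION, RESTART_MAIN, NOTIFY_MONITOR]


@dataclass
class StorageStatus:
    main_speed: float                 # measured running speed of the main memory
    main_mem_usage: float             # memory occupation of the main memory, 0..1
    containers: dict = field(default_factory=dict)  # container name -> state


@dataclass
class Policy:
    speed_threshold: float = 100.0    # assumed value for the preset speed threshold
    abnormal_count_threshold: int = 3 # assumed preset abnormal number threshold
    mem_warning_threshold: float = 0.85  # assumed preset warning threshold


def plan_storage_control(attack_type, status, policy=None, operator_commands=None):
    """Return the ordered list of storage commands for one identified attack."""
    # An instruction from the monitoring user replaces the automatic plan.
    if operator_commands:
        return list(operator_commands)
    policy = policy or Policy()
    wanted = set()

    kind = attack_type.strip().lower()
    if kind == "land":
        wanted.add(ENABLE_EXTENSION)
    elif kind == "syn":
        if status.main_speed < policy.speed_threshold:
            wanted.update({RESTART_MAIN, ENABLE_EXTENSION})
    else:
        # No stored correspondence for this type: hand over to the monitoring user.
        wanted.add(NOTIFY_MONITOR)

    # Storage-state checks apply whatever the attack type is.
    abnormal = sum(1 for state in status.containers.values() if state != "healthy")
    if abnormal > policy.abnormal_count_threshold:
        wanted.update({RESTART_MAIN, ENABLE_EXTENSION})
    if status.main_mem_usage > policy.mem_warning_threshold:
        wanted.add(ENABLE_EXTENSION)

    return [command for command in ORDER if command in wanted]


if __name__ == "__main__":
    # Constructed status: slow main memory during a SYN attack.
    degraded = StorageStatus(main_speed=50.0, main_mem_usage=0.5)
    print(plan_storage_control("SYN", degraded))
```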
In addition, in one or more embodiments of the present disclosure, after obtaining the attack type of the denial of service attack corresponding to the current service request in step S103, before determining and executing the control scheme for the memory, the server may further forward the determined attack type to the monitoring user, so as to prompt the monitoring user to determine the current control instruction for the memory. The monitoring user refers to a monitoring technician for the service addition, and after receiving the attack type sent by the server, the monitoring user can send a control instruction of the service data storage to the server according to experience in real time to cope with the denial of service attack, so that the server can receive the current control instruction of the service data storage and forward the current control instruction to the service data storage, and the service data storage executes the current control instruction to defend against the denial of service attack. The real-time operation of the monitoring user can further improve the coping effect of denial of service attack and ensure the healthy operation of business activities.
The defending method for the denial of service attack is described based on the view angle of the server by taking the server as an execution subject, and the description of the response from the view angle of the software system is also provided in the specification, which is specifically as follows.
Fig. 2 is a schematic diagram of a data security system that defends against denial of service attacks through user behavior analysis, as provided in the present specification. As can be seen from fig. 2, the system comprises three subsystems: the 101-WEB application layer primary defense protection system, the 102-server data protection layer secondary defense, and the 103-data energy-saving efficiency system.
The 101-WEB application layer primary defense protection system comprises a web user page, an access pressure monitoring module, a user behavior access analysis module, a service module responsible for processing the user's service requests, and a user behavior fault tolerance module.
Specifically, a user can initiate a service request to the server through the web user page. The web user page initiating the service request sends user behavior data (page interaction behaviors such as login, submitting and deleting), user characteristic data (common user, VIP user, PC end user, mobile end user, new user, old user and the like) and service requirement data together to the back-end interface, records the behavior data in the user behavior module, and at the same time passes the request data to the access pressure monitoring module and the user behavior access analysis module.
Through the access pressure monitoring module (which can integrate a third-party access performance monitoring tool such as Solarwinds Pingdom, pylot and the like), the server can monitor the user's access amount. For a service request that exceeds the normal access threshold, the server directly notifies the subsequent network detection module of the access event; for user access within the normal access threshold, the monitoring result is passed to the user behavior access analysis module.
Through the user behavior access analysis module, the server can combine the received monitoring result with the user behavior data and calculate whether the user behavior data is within the normal user behavior data range. If it is, the service request is determined to be normal and proceeds to the service module. If it is not, the service request is determined to be abnormal and possibly a denial of service attack, and is passed to the user behavior fault tolerance module for fault-tolerant processing.
Through the service module, the server can process the user's normal service request, request data from or store data to the data preheating module, the main storage server and the extended storage server according to the requirement of the service request and the current network condition of the server, and return the response result to the web user page.
Through the user behavior fault tolerance module, the server can perform fault-tolerant processing on the user's abnormal behavior data, the normal user behavior data range and the access pressure detection result. The fault-tolerant processing modes include threshold expansion, behavior reclassification, limiting the total number of requests processed for a single source address, user source address verification and the like. The module calculates a new judgment of whether the user access is valid. If the new result is normal, the request proceeds to the service module; if the new result is abnormal, the request is classified as a suspected denial of service attack and the subsequent network detection module is notified for further confirmation.
The 102-server data protection layer secondary defense comprises a network detection module, a denial of service attack identification module, an alarm module, a server control module, a container health check module and a web control monitoring terminal.
Specifically, through the network detection module the server may detect abnormal information, which includes: whether bandwidth consumption is too high (bandwidth being the capacity of a communication line to transmit data, i.e. the highest data rate per unit time through a point in the network); SYN attack alarm information (whether external access traffic is normal is judged through rule filtering of data packets, fingerprint detection and filtering of data streams, customized filtering of data packet contents and the like); and LAND attack alarm information (malformed message attack early warning, i.e. detecting whether the source address and the destination address of a TCP SYN message are the same, and if so, raising malformed message alarm information). The network detection module may integrate third-party tools such as Netcat and tcpping; it detects the network and passes the network state detection result, the user behavior information, the access pressure and other information into the denial of service attack model. A custom application-layer heartbeat program can also be developed that calls an RPC (remote procedure call) at regular intervals and applies logic to the returned result; an abnormal result indicates a network connection problem, and that result is passed into the denial of service attack model.
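The LAND check described above (same source and destination address on a TCP SYN message) is shown here on raw IPv4 bytes. This is an added example, not code from the patent; treating a "TCP SYN message" as a segment with SYN set and ACK clear is an assumption, and the sample packets are constructed with documentation addresses.

```python
import ipaddress
import struct

TCP_PROTO = 6
SYN, ACK = 0x02, 0x10


def build_packet(src, dst, sport, dport, flags, ip_options=b""):
    """Build an IPv4+TCP packet for the demo (constructed input, checksums left at 0)."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl_words = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words, 0, ihl_words * 4 + len(tcp), 0, 0, 64, TCP_PROTO, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return ip + ip_options + tcp


def parse_ipv4_tcp(raw):
    """Return (src, dst, sport, dport, flags), or None when the bytes are not a
    complete, unfragmented IPv4 header followed by a TCP header."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4          # header length varies with IP options
    if ihl < 20 or len(raw) < ihl + 20:
        return None
    frag_offset = struct.unpack("!H", raw[6:8])[0] & 0x1FFF
    if raw[9] != TCP_PROTO or frag_offset != 0:
        return None
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return src, dst, sport, dport, raw[ihl + 13]


def land_alarm(raw):
    """True when a connection-opening TCP SYN has identical source and destination address."""
    parsed = parse_ipv4_tcp(raw)
    if parsed is None:
        return False
    src, dst, _sport, _dport, flags = parsed
    is_syn = bool(flags & SYN) and not (flags & ACK)
    return is_syn and src == dst


def scan(packets):
    """Return one malformed-message alarm record per offending packet."""
    alarms = []
    for index, raw in enumerate(packets):
        if land_alarm(raw):
            src, _dst, sport, dport, _flags = parse_ipv4_tcp(raw)
            alarms.append({"index": index, "address": str(src),
                           "sport": sport, "dport": dport})
    return alarms


# Constructed sample traffic.
SAMPLE = [
    build_packet("198.51.100.7", "203.0.113.10", 40000, 443, SYN),   # normal SYN
    build_packet("203.0.113.10", "203.0.113.10", 443, 443, SYN),     # src == dst
    build_packet("203.0.113.10", "203.0.113.10", 443, 443, ACK),     # not a SYN
    build_packet("203.0.113.10", "203.0.113.10", 80, 80, SYN,
                 ip_options=b"\x01\x01\x01\x01"),                    # with IP options
    build_packet("203.0.113.10", "203.0.113.10", 80, 80, SYN)[:30],  # truncated
]

if __name__ == "__main__":
    for alarm in scan(SAMPLE):
        print("malformed-message alarm:", alarm)
```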
Through the denial of service attack identification model, the server can receive the abnormal information detected by the network detection module and process it to judge the attack type of the denial of service attack, such as a bandwidth attack or a connectivity attack (SYN flooding, Land attack, ping flooding, UDP attack, OOB and the like), determine the memory control scheme from the attack type, and send alarm information to the alarm module. The denial of service attack identification model can be a third-party data model, or can be built in-house according to the requirements of the platform's own services, so that the model data can be continuously improved according to its own service characteristics and is more targeted.
Through the alarm module, the server may receive denial of service attack information and asynchronously send out information. It sends information to the web control monitoring terminal, informing the monitoring technician. The server control module sends information to the memory control module, and the server control module instructs the container health check module to check whether the main server is healthy. Alarm information is also sent to the access pressure monitoring module, which informs the user behavior module, so that service to the fake user who launched the denial of service attack is stopped and the data service rights and interests of legitimate users are protected.
Through the memory control module, the server can automatically control and ensure the healthy operation of the server, and manual operation instructions are also supported. After receiving the alarm information, the memory control module immediately starts the container health check module to check whether the main memory is healthy, and feeds the information back to the web control monitoring terminal. If containers are unhealthy and no instruction has yet been received from the monitoring terminal, it judges, according to the custom defense program's agreed conditions (for example, unhealthy containers exceeding 3 and the memory occupation amount of the main memory exceeding a certain threshold), whether the main memory should be restarted and whether the extended memory needs to be started to guarantee continuous operation of the service. The memory control module not only informs the web control monitoring terminal of the server condition, but also accepts instructions from the web control monitoring terminal to control the memory.
For the container health checking module, the server can check the use condition of each container of the main memory through the container health checking module and feed back the container information of whether the main memory runs normally to the memory control module.
For the web control monitoring terminal, the server can inform monitoring information of system operation in the modes of a large screen, a PC end, a mobile end, mails and the like through the web control monitoring terminal, monitoring technicians can check conditions of monitoring data, equipment, system operation and the like through web terminal pages, and can send instructions for controlling the inspection, cutting, starting and the like of a main memory and an extension memory to a memory control module through web pages, so that visual defense and solving of denial of service attacks of users are achieved.
The 103-data energy-saving efficiency system comprises a main storage server, an extended storage server and a data preheating module.
Specifically, for the main memory, the server can store important data information of a user through the main memory, the main memory is used as a main carrier for storing data, and the main memory can comprise different storage containers which are divided according to data relations to form a storage set, so that the data can be conveniently controlled integrally and finely.
For the extended memory, when traffic on the service line surges, the CPU water level of the cluster exceeds a certain threshold and the service capacity warning line of the main server is exceeded, the memory control module can automatically start the extended memory. Whether the cause is a traffic surge or a denial of service attack, the extended memory ensures in time that access to service data, data backup and other work proceed normally and that the service is not interrupted. While the extended memory is not in use, the memory control module can instruct it to sleep, thereby saving energy.
For the data preheating module, the server can improve the data efficiency through the data preheating module, logically preheat according to service characteristics, buffer frequently used data in service, improve the data use efficiency, reduce the use pressure of the main memory, accelerate the response of service data of the main memory, and save the energy consumption of the main memory. And when the main memory is restarted or expanded, the uninterrupted service is realized, the service is provided for the user, and the user experience is improved.
The present disclosure further provides a mind map of the data security system that defends against denial of service attacks through user behavior analysis, as shown in fig. 3. For the specific modules in fig. 3, refer to the corresponding descriptions above, which are not repeated here.
The foregoing is a method for defending a denial of service attack provided by one or more embodiments of the present disclosure, and based on the same concept, the present disclosure further provides a corresponding defending device for a denial of service attack, as shown in fig. 4.
Fig. 4 is a schematic diagram of a defending device for denial of service attack provided in the present specification, including:
a receiving module 201, configured to receive a service request carrying user behavior data, where the service request at least includes a user identifier;
the detection module 202 is configured to obtain a real-time access amount corresponding to the user identifier, and perform abnormal detection on the service request according to the real-time access amount, the user behavior data, and a predetermined normal user behavior data range;
the type determining module 203 is configured to detect a network state of the service network when detecting that the service request is abnormal, and determine an attack type of denial of service attack according to a network state detection result, a real-time access amount, data of abnormal connection and data of abnormal source contained in user behavior data;
the defending module 204 is configured to determine and execute a control scheme for the service data storage according to the attack type and a predetermined correspondence between the attack type and the control scheme for the service data storage.
Optionally, the detection module 202 determines that the service request is abnormal when the real-time access amount is greater than the preset access threshold. When the real-time access amount is smaller than the preset access threshold, it checks, for each item of user behavior data, whether that item is within the normal user behavior data range, determines a user behavior score according to the check results, and judges whether the user behavior score is greater than the preset abnormal threshold. If yes, it determines that the service request is normal. If not, it performs fault-tolerant detection according to the user behavior data, determines that the service request is abnormal when the fault-tolerant detection fails, and determines that the service request is normal when the fault-tolerant detection succeeds.
Optionally, the detection module 202 takes each item of user behavior data that is not in the normal user behavior data range as data to be verified, verifies each item of data to be verified in real time and receives the verification results, updates the user behavior score according to each verification result, and judges whether the updated user behavior score is greater than the preset abnormal threshold. If yes, it determines that the fault-tolerant detection is successful; if not, it determines that the fault-tolerant detection fails.
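The two-stage decision of detection module 202 (access threshold, behavior score, then fault-tolerant re-verification) is worked through below. This is an added example, not code from the patent; the behavior item names, ranges and weights, the additive scoring rule and the `verify` callback are assumptions, as is sending an access amount exactly equal to the threshold to the behavior check.

```python
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    low: float      # lower bound of the normal range
    high: float     # upper bound of the normal range
    weight: int     # assumed contribution to the score when the item is normal


class Verdict(NamedTuple):
    status: str             # "normal" or "abnormal"
    stage: str              # which step of the flow decided
    score: Optional[int]    # user behavior score, None if never computed


def score_behavior(behavior, rules):
    """Score the items that are in range; collect the rest as data to be verified.
    An item missing from the request counts as out of range."""
    score, to_verify = 0, []
    for name, rule in rules.items():
        value = behavior.get(name)
        if value is not None and rule.low <= value <= rule.high:
            score += rule.weight
        else:
            to_verify.append(name)
    return score, to_verify


def detect(access_amount, behavior, rules, access_threshold, abnormal_threshold, verify):
    """Classify one service request following the flow of detection module 202."""
    if access_amount > access_threshold:
        return Verdict("abnormal", "access_amount", None)

    score, to_verify = score_behavior(behavior, rules)
    if score > abnormal_threshold:
        return Verdict("normal", "behavior_score", score)

    # Fault-tolerant detection: re-verify each out-of-range item in real time
    # and credit its weight back when the verification succeeds.
    for name in to_verify:
        if verify(name, behavior.get(name)):
            score += rules[name].weight
    status = "normal" if score > abnormal_threshold else "abnormal"
    return Verdict(status, "fault_tolerance", score)


# Constructed normal-behavior ranges and thresholds.
RULES = {
    "requests_per_minute": Rule(0, 60, 40),
    "failed_logins": Rule(0, 3, 30),
    "distinct_source_addresses": Rule(1, 2, 30),
}
ACCESS_THRESHOLD = 1000
ABNORMAL_THRESHOLD = 60


def reject_all(name, value):
    """Stand-in verifier in which every re-verification fails."""
    return False


if __name__ == "__main__":
    request = {"requests_per_minute": 12, "failed_logins": 5,
               "distinct_source_addresses": 9}
    print(detect(40, request, RULES, ACCESS_THRESHOLD, ABNORMAL_THRESHOLD, reject_all))
```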
Optionally, the service data storage includes a main memory and an extension memory.
The defending module 204 sends an enabling instruction to the extended memory to expand the capacity when the attack type is the Land attack type, so as to store the service data through the extended memory, detects the running speed of the main memory when the attack type is the SYN attack type, and sends a restarting instruction to the main memory and sends an enabling instruction to the extended memory to store the service data through the extended memory if the running speed is less than a preset speed threshold.
Optionally, the apparatus further comprises: the storage detection module 205, configured to, before the control scheme for the service data storage is determined and executed, detect each storage container in the main memory and determine the storage state of each storage container; when the number of storage containers with abnormal storage states is greater than a preset abnormal number threshold, send a restart instruction to the main memory and an enable instruction to the extension memory so as to store the service data through the extension memory; and when the memory occupation amount of the main memory is greater than a preset alert threshold, send an enable instruction to the extension memory to expand capacity so as to store the service data through the extension memory.
Optionally, the apparatus further comprises: the alarm module 206, configured to, before the control scheme for the service data storage is determined and executed, forward the determined attack type of the denial of service attack to the monitoring user, prompt the monitoring user to determine a control instruction for the service data storage, receive the control instruction for the service data storage, and forward the control instruction to the service data storage, so that the service data storage defends against the denial of service attack according to the control instruction.
Optionally, the apparatus further comprises: the service execution module 207 is configured to, when it is determined that the service request is abnormal, not respond to the service request and return a service termination result, and when it is determined that the service request is normal, execute a corresponding data operation in response to the service request and return a response result.
For specific limitations on the defending means for denial of service attacks, reference may be made to the limitations on the defending method for denial of service attacks hereinabove, and will not be described in detail herein. The above-described individual modules in the denial of service attack prevention apparatus may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
The present specification also provides a computer readable storage medium storing a computer program operable to perform the defending method of denial of service attack provided in fig. 1 described above.
The present specification also provides a schematic structural diagram of the computer device, shown in fig. 5. As shown in fig. 5, at the hardware level the computer device includes a processor, an internal bus, a network interface, a memory and a nonvolatile memory, and may also include hardware required by other services. The processor reads the corresponding computer program from the nonvolatile memory into the memory and then runs it to implement the defending method of denial of service attack shown in fig. 1.
Those skilled in the art will appreciate that all or part of the above described methods may be implemented by a computer program stored on a non-transitory computer readable storage medium, which, when executed, may comprise the steps of the method embodiments described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, or the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory. By way of illustration, and not limitation, RAM can take a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of technical features involves no contradiction, it should be considered within the scope of this description.

Claims (10)

1. A method for defending against denial of service attacks, the server performing the steps comprising:
receiving a service request carrying user behavior data, wherein the service request at least comprises a user identifier;
acquiring a real-time access amount corresponding to the user identifier, and performing abnormal detection on the service request according to the real-time access amount, the user behavior data and a predetermined normal user behavior data range;
when detecting that the service request is abnormal, detecting the network state of the service network, and judging the attack type of the denial of service attack according to the network state detection result, the real-time access quantity, the data of abnormal connection contained in the user behavior data and the data of abnormal source;
and determining and executing the control scheme of the service data storage according to the attack type and the corresponding relation between the predetermined attack type and the control scheme of the service data storage.
2. The method for defending against denial of service attacks as set forth in claim 1, wherein the performing anomaly detection of the service request specifically includes:
when the real-time access quantity is determined to be larger than a preset access threshold value, determining that the service request is abnormal;
when the real-time access amount is determined to be smaller than the preset access threshold value, checking whether the user behavior data is in a normal user behavior data range or not according to each item of user behavior data;
determining a user behavior score according to the test result of each item of user behavior data, and judging whether the user behavior score is larger than a preset abnormal threshold value or not;
if yes, determining that the service request is normal;
if not, fault-tolerant detection is carried out according to the user behavior data, the service request is determined to be abnormal when the fault-tolerant detection fails, and the service request is determined to be normal when the fault-tolerant detection is successful.
3. The method for defending against denial of service attacks as set forth in claim 2, wherein the performing fault-tolerant detection specifically includes:
taking all user behavior data which are not in the normal user behavior data range as data to be checked, checking all the data to be checked in real time, and receiving a checking result;
updating the user behavior score according to each verification result, and judging whether the updated user behavior score is greater than a preset abnormal threshold value;
if yes, determining that fault-tolerant detection is successful;
if not, determining that the fault-tolerant detection fails.
4. The defending method against denial of service attacks as set forth in claim 1, wherein the service data storage includes a main storage and an extension storage;
the corresponding relation between the predetermined attack type and the service data storage control scheme specifically comprises the following steps:
when the attack type is the Land attack type, sending an enabling instruction to the extension storage to expand the capacity so as to store the service data through the extension storage;
when the attack type is the SYN attack type, detecting the running speed of the main storage, and if the running speed is smaller than a preset speed threshold, sending a restarting instruction to the main storage and sending an enabling instruction to the extension storage so as to store the service data through the extension storage.
5. The method of defending against denial of service attacks of claim 4, further comprising:
detecting each storage container in the main storage, and determining the storage state of each storage container in the main storage;
when the number of the storage containers with abnormal storage states is larger than a preset abnormal number threshold, sending a restarting instruction to the main storage, and sending an enabling instruction to the extension storage so as to store service data through the extension storage;
when the memory occupation amount of the main storage is larger than a preset warning threshold value, sending an enabling instruction to the extension storage to expand the capacity so as to store the service data through the extension storage.
6. The method of defending against denial of service attacks as set forth in claim 1, further comprising:
forwarding the determined attack type of the denial of service attack to a monitoring user, and prompting the monitoring user to determine a current control instruction for the service data storage;
and receiving a current control instruction for the service data storage and forwarding the current control instruction to the service data storage, so that the service data storage executes the current control instruction to defend against denial of service attack.
7. The method of defending against denial of service attacks as set forth in claim 1, further comprising:
when the service request is determined to be abnormal, not responding to the service request, and returning a service termination result;
and when the service request is determined to be normal, responding to the service request, and returning a response result.
8. A denial of service attack defending apparatus, comprising:
the receiving module is used for receiving a service request carrying user behavior data, wherein the service request at least comprises a user identifier;
the detection module is used for acquiring the real-time access quantity corresponding to the user identifier and carrying out abnormal detection on the service request according to the real-time access quantity, the user behavior data and the predetermined normal user behavior data range;
the type determining module is used for detecting the network state of the service network when detecting that the service request is abnormal, and judging the attack type of the denial of service attack according to the network state detection result, the real-time access quantity, the data of abnormal connection contained in the user behavior data and the data of abnormal source;
and the defense module is used for determining and executing the control scheme of the service data storage according to the attack type and the corresponding relation between the predetermined attack type and the control scheme of the service data storage.
9. A computer readable storage medium storing a computer program which, when executed by a processor, implements the denial of service attack protection method of any of claims 1 to 7.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the denial of service attack protection method of any of the preceding claims 1-7 when executing the program.
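The two-stage check of claims 2 and 3, sketched as an added example that is not part of the patent text. The behavior item names, the weights, the weighted-sum scoring rule, both threshold values and the `verify` callback are assumptions, because the claims do not fix how the score is computed or how an item is verified.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample policy: normal ranges and score weights per behavior item.
NORMAL_RANGE: Dict[str, Tuple[float, float]] = {
    "requests_per_min": (0, 60), "failed_logins": (0, 3),
    "distinct_ips": (1, 2), "session_seconds": (5, 3600),
}
WEIGHT = {"requests_per_min": 30, "failed_logins": 30,
          "distinct_ips": 20, "session_seconds": 20}
ACCESS_THRESHOLD = 1000    # preset access threshold (constructed value)
ABNORMAL_THRESHOLD = 70    # preset abnormal threshold (constructed value)

def items_to_check(behavior: Dict[str, float]) -> List[str]:
    """Behavior items that are missing or outside their normal range."""
    bad = []
    for name, (lo, hi) in NORMAL_RANGE.items():
        value = behavior.get(name)
        if value is None or not lo <= value <= hi:
            bad.append(name)
    return bad

def detect(access_count: int, behavior: Dict[str, float],
           verify: Callable[[str, Optional[float]], bool]) -> Tuple[str, str]:
    """Return (verdict, deciding stage) for one service request."""
    # Claim 2, first branch: access volume alone marks the request abnormal.
    if access_count > ACCESS_THRESHOLD:
        return "abnormal", "access-volume"
    suspects = items_to_check(behavior)
    # Assumed scoring: sum of the weights of items inside their normal range.
    score = sum(w for name, w in WEIGHT.items() if name not in suspects)
    if score > ABNORMAL_THRESHOLD:
        return "normal", "behavior-score"
    # Claim 3: verify each out-of-range item and restore its weight on success.
    for name in suspects:
        if verify(name, behavior.get(name)):
            score += WEIGHT[name]
    verdict = "normal" if score > ABNORMAL_THRESHOLD else "abnormal"
    return verdict, "fault-tolerant"
```

Both comparisons are strict, as in the claims, so a score exactly equal to the abnormal threshold still fails; the claims leave the case of an access quantity equal to the access threshold unspecified, and this sketch sends it to the behavior check.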
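The storage control decisions of claims 4 and 5 as one function, added here as an illustration and not taken from the patent. The threshold values, the status fields and their units, and the reading that the claim 5 health checks apply whatever the attack type are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class MainStorageStatus:
    run_speed: float          # measured running speed (unit is an assumption)
    abnormal_containers: int  # storage containers in an abnormal storage state
    memory_used: float        # memory occupation as a fraction of capacity

# Preset thresholds (constructed values).
SPEED_THRESHOLD = 100.0
ABNORMAL_CONTAINER_THRESHOLD = 3
WARNING_THRESHOLD = 0.85

RESTART_MAIN = ("main", "restart")
ENABLE_EXTENSION = ("extension", "enable")

def control_scheme(attack_type: str,
                   status: MainStorageStatus) -> List[Tuple[str, str]]:
    """Return the (target, instruction) pairs to send, without duplicates."""
    wanted = set()
    # Claim 4: correspondence between attack type and control scheme.
    if attack_type == "LAND":
        wanted.add(ENABLE_EXTENSION)
    elif attack_type == "SYN" and status.run_speed < SPEED_THRESHOLD:
        wanted.update((RESTART_MAIN, ENABLE_EXTENSION))
    # Claim 5: health checks on the main storage itself.
    if status.abnormal_containers > ABNORMAL_CONTAINER_THRESHOLD:
        wanted.update((RESTART_MAIN, ENABLE_EXTENSION))
    if status.memory_used > WARNING_THRESHOLD:
        wanted.add(ENABLE_EXTENSION)
    # Emit in the order the claims list the instructions.
    return [ins for ins in (RESTART_MAIN, ENABLE_EXTENSION) if ins in wanted]
```

A SYN attack against a main storage whose running speed is still at or above the threshold yields an empty plan, because claim 4 names no action for that case.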
CN202311281207.6A 2023-10-07 2023-10-07 Defending method, device, equipment and medium for denial of service attack Active CN117014232B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311281207.6A CN117014232B (en) 2023-10-07 2023-10-07 Defending method, device, equipment and medium for denial of service attack

Publications (2)

Publication Number Publication Date
CN117014232A true CN117014232A (en) 2023-11-07
CN117014232B CN117014232B (en) 2024-01-26

Family

ID=88569426

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant