CN1725705A - Method for detecting flow attacking message characteristic of network equipment - Google Patents
- Publication number: CN1725705A
- Authority: CN (China)
- Prior art keywords: message, detection, characteristic value, network equipment, characteristic
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
A method for detecting the characteristics of messages used in a traffic attack on a network device. At least one detection item is selected from the ports of the network device and the fields of the message header, and the specific value of a detection item in a message is used as that item's characteristic value. Within a preset detection period, the total number of messages processed by the network device that have the same characteristic value for a detection item is counted. The detection items and characteristic values whose message totals exceed a preset attack threshold are then found and taken as the characteristics of the attack messages.
Description
Technical field
The present invention relates to the security protection of network devices, and in particular to a method for detecting the characteristics of messages used in a traffic attack on a network device.
Background technology
As network devices are used more and more widely in carrier networks and enterprise networks, they inevitably face attacks from virus traffic or malicious data flows.
When a message passes through a network device, the device does one of two things with it: forwards it directly, or processes it and then forwards it. For messages that are processed before forwarding, a processing unit in the network device such as the CPU (Central Processing Unit) has to perform calculations according to the message's protocol and carry out operations such as fragmenting and encapsulating the message.
The most important class of attack against network devices is the traffic attack: a large number of messages that require processing by the network device are sent, keeping the device's processing unit busy and affecting the transmission of normal messages in the network. Important protocol messages may even be dropped because of timeouts, paralysing the network. For example, if the network is configured with STP (Spanning Tree Protocol) and STP BPDUs are dropped, a broadcast storm will occur in the network.
U.S. patent US2004215976 discloses a method of detecting traffic attack messages: the network device counts the message flow that matches the characteristics of an attack message, and when that flow exceeds a certain threshold a traffic attack is considered to have occurred.
This method can only guard against traffic attacks with known characteristics and cannot detect traffic attacks whose characteristics are unknown. Data flows on the network change constantly, and users cannot predict what characteristics a newly emerging attack message will have. In particular, attack messages increasingly use variable content; for example, during the Code Red virus outbreak, messages with changing source IP (Internet Protocol) addresses and/or destination IP addresses were sent continuously. Having users work out the characteristics of such attack messages is very time-consuming, and during that time the network is usually in a state of very low performance or even paralysis.
Summary of the invention
The technical problem to be solved by the present invention is to detect the characteristics of traffic attack messages automatically.
The method of the present invention for detecting message characteristics of a traffic attack on a network device comprises the following steps:
a) select at least one detection item from the fields of the message header and the ports of the network device, and use the specific value of the detection item in a message as the characteristic value of that detection item;
b) within a predetermined detection period, count the total number of messages processed by the network device that have the same characteristic value for the detection item;
c) find the detection items and characteristic values whose message totals exceed a predetermined attack threshold; these are the characteristics of the attack messages.
Preferably, step b) is specifically:
b1) the network device receives a message to be processed;
b2) extract the characteristic value of a detection item from the header of the message;
b3) add 1 to the count of that characteristic value of that detection item;
b4) if all detection items have been counted, go to step b5); otherwise go to step b2) to count the next detection item;
b5) judge whether the timer for the predetermined detection period has finished; if not, go to step b1).
Preferably, between step a) and step b) the method comprises:
ab1) determine the total number N of characteristic values saved under each detection item;
and between step b2) and step b3) it comprises:
b21) if the extracted characteristic value is among the characteristic values saved under the detection item, execute step b3);
b22) if the number of characteristic values saved under the detection item is less than N, save the extracted characteristic value and execute step b3);
b23) replace the characteristic value with the lowest current count under the detection item with the extracted characteristic value, clear its count to zero, and execute step b3).
Preferably, between step ab1) and step b) the method comprises:
ab2) measure the arrival rate of messages processed by the network device;
ab3) judge whether the arrival rate exceeds a predetermined detection threshold; if not, go to step ab2); if so, start the timer for the predetermined detection period and execute step b).
Preferably, between step b) and step c) the method comprises: judging whether the message total of every characteristic value of every detection item is no more than the predetermined attack threshold; if so, no traffic attack has occurred; if not, go to step c).
Preferably, after step c) the method further comprises: the network device outputs an alarm or issues an access control list (ACL) for filtering, according to the characteristics of the attack messages.
Preferably, the detection items are the source MAC (Media Access Control) address, the source port number, the destination port number and the physical port of the network device; the predetermined detection period is 1 second, the predetermined attack threshold is 300, and the total number N of characteristic values saved under each detection item is 5.
Preferably, the message is a TCP/IP (Transmission Control Protocol/Internet Protocol) message; the header fields of the TCP/IP message comprise the source MAC address, frame type number, source IP address, destination IP address, protocol type number, source port number and destination port number.
Preferably, the ports of the network device comprise the logical ports and physical ports of the network device.
Preferably, the network device comprises switching equipment, routing equipment, firewalls and intrusion detection devices.
By monitoring the number of messages that share the same characteristic value for a detection item, the present invention can identify the characteristics of traffic attack messages automatically, and so detect all kinds of attack messages quickly and accurately, whether or not their content keeps changing.
In addition, the present invention starts traffic attack detection only after the rate at which the network device processes messages reaches a certain threshold, so it has essentially no effect on the performance of the network device.
Description of drawings
Figure 1 shows the layered reference model of the TCP/IP protocol;
Figure 2 is a schematic diagram of the field structure of the header portion of an IPv4 message on Ethernet;
Figure 3 is a flow chart of the detection method of the present invention;
Figure 4 is a flow chart of how a single message is counted in the present invention.
Embodiment
For attack messages to generate very large traffic on a network, they must be able to replicate themselves in some way. Messages produced by replication inevitably share characteristics with the original message; even if the author of the attack message deliberately changes characteristics during replication, not all characteristics of the message can be changed.
For a network device, these characteristics mainly consist of the fields of the message header. The header fields depend on the protocol the message uses and on that protocol's layered structure; TCP/IP (Transmission Control Protocol/Internet Protocol) is used as the example below.
Figure 1 shows the layered reference model of the TCP/IP protocol. TCP/IP is generally regarded as a four-layer protocol system consisting of the link layer, network layer, transport layer and application layer. The link layer usually comprises the device driver in the operating system and the corresponding network interface card in the computer, and handles the physical interface details related to the transmission medium, for example Ethernet, token ring and wireless LAN. The network layer handles the transmission of messages in the network; network layer protocols include IP, ICMP (Internet Control Message Protocol), ARP (Address Resolution Protocol) and IGMP (Internet Group Management Protocol). The transport layer mainly provides end-to-end communication for applications on two hosts; transport layer protocols mainly comprise TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). The application layer handles the details of specific applications; there are very many application layer protocols, such as FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol), DNS (Domain Name Service) and SNMP (Simple Network Management Protocol).
Corresponding to the layered structure of TCP/IP, the headers of a TCP/IP message are encapsulated layer by layer in the order application layer, transport layer, network layer and link layer. Taking an IPv4 (Internet Protocol version 4) message on Ethernet as an example, the field structure of its header portion is shown in Fig. 2. Note that Fig. 2 does not show the complete header structure, only the fields closely related to the present invention. The transport layer header encapsulates the source port number and destination port number of the application layer data, which are used to find the sending and receiving application layer processes. The network layer header encapsulates the protocol type number, source IP address and destination IP address, where the protocol type number identifies which protocol the encapsulated data segment uses. The link layer header encapsulates the destination MAC address, source MAC address and frame type number, where the frame type number indicates the network layer protocol that generated the data segment.
The header of an IPv4 attack message on Ethernet contains at least some of the fields above. To form a traffic attack, at least one of these fields will have the same value across the attack messages. Therefore, a traffic attack can be detected by counting, over a certain period of time, the messages processed by the network device that have the same value in one of these fields.
For other network types and other protocols, fields in the message header that relate to network addressing and to addressing between protocol layers can likewise be selected as detection items.
At the same time, to make it convenient for the network device to set up filtering measures, the network device port through which a message passes can also be offered as a detection item. Network device ports include physical ports and logical ports. A logical port is usually formed by configuring some protocol on physical ports; for example, some high-availability protocols combine two or more physical ports into one logical port, and some VLAN protocols map one physical port to several logical ports.
Figure 3 shows the flow chart of the detection method of the present invention.
At step S10, at least one detection item is selected from the fields of the message header and the ports of the network device. As described above, fields related to network addressing and to addressing between protocol layers can be selected as detection items, and the physical or logical ports of the network device can be added as detection items.
The more detection items the network administrator selects, the more accurately the traffic attack message is characterised. In theory, selecting all fields related to network addressing and to addressing between protocol layers as detection items would detect essentially all traffic attacks, but in that case traffic attack detection itself places a heavy burden on the network device. The administrator should therefore weigh the security state of the network where the device sits, the device's processing capability and load, and its security requirements when deciding the number of detection items and the selection strategy.
At step S20, the arrival rate of messages processed by the network device is monitored; when the arrival rate exceeds the predetermined detection threshold, step S30 is executed.
Under normal conditions the message flow processed by the network device is fairly small. To minimise the effect of traffic attack detection on device performance, attack message detection is carried out only when the message flow is large enough that an attack is possible. A network device whose performance exceeds the network's transmission demands can of course omit this step.
At step S30, the timer for the predetermined detection period is started.
At step S40, the network device receives a message to be processed.
At step S50, the network device adds 1 to the count corresponding to the characteristic value of each detection item in this message. The characteristic value of a detection item is the specific value of that item in the arriving message. In the present invention, the network device treats the characteristic values of detection items as message characteristics and totals the messages that share the same characteristic.
At step S60, judge whether the timer for the predetermined detection period has finished. If it has, execute step S70; if not, go to step S40 and count the next arriving message.
At step S70, judge whether the count of every characteristic value under every detection item is no more than the predetermined attack threshold. If so, no traffic attack has occurred; if not, execute step S80. The predetermined attack threshold should be set according to the message flow the network device normally processes; when that flow is large, a higher value should be chosen.
At step S80, the network device has detected that a traffic attack has occurred, and the characteristics of the attack messages are the detection items and characteristic values whose message totals exceed the predetermined attack threshold.
At step S90, according to the characteristics of the detected traffic attack messages, the network device can output an alarm, issue an ACL (Access Control List) for filtering, or take other measures to defend against the traffic attack.
In the messages processed by some core network devices, each detection item may take a very large number of characteristic values, and counting each of them separately would use a lot of memory. Therefore, for core network devices and for network devices with little memory, the number N of characteristic values saved for each detection item can be set, so that only the N characteristic values with the largest totals are counted. In this case the flow by which the network device counts a single message is shown in Fig. 4; the whole flow corresponds to step S50 in Fig. 3.
At step S51, get the value P(i) of the i-th detection item from the header portion of the message. The initial value of i is 1.
At step S52, the network device looks for P(i) among the characteristic values saved under this detection item. If it is there, execute step S56; if not, execute step S53.
At step S53, the network device checks whether the number of characteristic values saved under this detection item is less than the configured number N. If it is, execute step S54; otherwise execute step S55.
At step S54, add a count for characteristic value P(i) under this detection item, set the initial value of Count(i, P(i)) to 0, and go to step S56.
At step S55, take the characteristic value with the lowest current count under this detection item, change it to P(i), and clear Count(i, P(i)) to zero. That is, once the number of saved characteristic values has reached N, if the value of this detection item in an arriving message differs from all the saved characteristic values, the saved value with the lowest current count is no longer counted and the new characteristic value is counted instead.
At step S56, add 1 to Count(i, P(i)).
At step S57, judge whether this detection item is the last one. If so, counting for this message is finished; if not, set i = i + 1 and go to step S51 to count the next detection item.
For example, a switch operates in the Ethernet described above. The source MAC address, destination port number, source port number and physical port of the switch are selected as detection items, the predetermined detection period is set to 1 second, the predetermined attack threshold is 300, and 5 characteristic values are saved for each detection item. The switch starts attack detection, and the counting results obtained after one predetermined detection period are shown in the following table:
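Detection item | Characteristic value | Message total |
---|---|---|
Source MAC address | 00a6-4513-0011 | 330 |
Source MAC address | 00e0-fc00-2222 | 11 |
Source MAC address | 0030-fc00-2034 | 3 |
Source MAC address | 0030-ce00-2034 | 1 |
Source MAC address | 0020-2200-2034 | 1 |
Destination port number | 3344 | 325 |
Destination port number | 23 | 50 |
Destination port number | 130 | 11 |
Destination port number | 139 | 2 |
Destination port number | 138 | 2 |
Source port number | 23 | 45 |
Source port number | 3345 | 13 |
Source port number | 3346 | 11 |
Source port number | 3347 | 9 |
Source port number | 3348 | 8 |
Physical port number of the switch | 21 | 320 |
Physical port number of the switch | 1 | 46 |
Physical port number of the switch | 3 | 11 |
Physical port number of the switch | 19 | 8 |
Physical port number of the switch | 8 | 6 |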
In the counting results, the message total for source MAC address 00a6-4513-0011 is 330, the message total for destination port number 3344 is 325, and the message total for physical port number 21 is 320. The counts of all other characteristic values are below 300, so the detected attack messages have the following characteristics:
Source MAC address 00a6-4513-0011;
Destination port number 3344;
Arriving on physical port No. 21.
According to these characteristics, the switch can automatically output an alarm or issue an ACL for filtering.
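The counting flow of steps S51 to S57 and the threshold check of steps S70 and S80, as an added example that is not part of the patent text, using the settings from the switch example (N = 5, attack threshold 300). The field names, the `FeatureDetector` class and the traffic are constructed for illustration; the rate check of step S20 and the period timer are left out, so one call to `detect` processes the messages of one detection period.

```python
from collections import namedtuple

# Detection items from the switch example; the field names are hypothetical.
ITEMS = ("src_mac", "dst_port", "src_port", "in_port")
Message = namedtuple("Message", ITEMS)


class FeatureDetector:
    """Counts characteristic values for one detection period."""

    def __init__(self, items=ITEMS, max_values=5, attack_threshold=300):
        self.items = items
        self.max_values = max_values              # N values kept per item
        self.attack_threshold = attack_threshold
        self.counts = {item: {} for item in items}

    def observe(self, msg):
        """Steps S51-S57: update the count of each detection item's value."""
        for item in self.items:
            value = getattr(msg, item)                # S51: P(i)
            table = self.counts[item]
            if value not in table:                    # S52: not saved yet
                if len(table) >= self.max_values:     # S53 fails, so S55
                    # Replace the value with the lowest current count. Its
                    # history is lost, so a stored count is a lower bound
                    # for any value evicted earlier in the period.
                    del table[min(table, key=table.get)]
                table[value] = 0                      # S54/S55: count starts at 0
            table[value] += 1                         # S56

    def attack_features(self):
        """Steps S70/S80: (item, value, count) with count above the threshold."""
        return [(item, value, count)
                for item in self.items
                for value, count in self.counts[item].items()
                if count > self.attack_threshold]


def constructed_period():
    """Constructed traffic for one 1-second detection period."""
    bg_macs = ["00e0-fc00-2222", "0030-fc00-2034", "0030-ce00-2034",
               "0020-2200-2034", "0010-aa00-0001", "0010-aa00-0002"]
    bg_dst_ports = [23, 130, 139, 138]
    bg_in_ports = [1, 3, 19, 8]
    msgs = []
    for k in range(320):
        # Flood message: same source MAC, destination port and ingress port,
        # but a different source port every time (content that keeps changing).
        msgs.append(Message("00a6-4513-0011", 3344, 1024 + k, 21))
        if k % 5 == 0:                                # interleaved background
            j = k // 5
            msgs.append(Message(bg_macs[j % 6], bg_dst_ports[j % 4],
                                23, bg_in_ports[j % 4]))
    return msgs


def detect(messages, **settings):
    """Run one detection period over `messages` and return the detector."""
    detector = FeatureDetector(**settings)
    for msg in messages:
        detector.observe(msg)
    return detector


if __name__ == "__main__":
    result = detect(constructed_period())
    for item, value, count in result.attack_features():
        print(f"{item} = {value}: {count} messages")
```

The changing source port never accumulates a count, so it is not reported, while the three fields that stay fixed across the flood are; every per-item table stays at N entries or fewer.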
The present invention is applicable to any network device that has a processing unit and can count the characteristic values of detection items, for example switching equipment, routing equipment, firewalls and IDS (intrusion detection devices).
The present invention therefore not only detects traffic attacks but also detects the characteristics of the attack messages automatically. Because it uses protocol fields of the message header as detection items, some of which the network device has to read anyway when processing the message, and because it starts attack detection only when needed, implementing the invention has essentially no effect on the performance of the network device.
The embodiments of the present invention described above do not limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the claims of the present invention.
Claims (10)
1. A method for detecting message characteristics of a traffic attack on a network device, characterized by comprising the following steps:
a) select at least one detection item from the fields of the message header and the ports of the network device, and use the specific value of the detection item in a message as the characteristic value of that detection item;
b) within a predetermined detection period, count the total number of messages processed by the network device that have the same characteristic value for the detection item;
c) find the detection items and characteristic values whose message totals exceed a predetermined attack threshold; these are the characteristics of the attack messages.
2. The message characteristic detection method according to claim 1, characterized in that step b) is specifically:
b1) the network device receives a message to be processed;
b2) extract the characteristic value of a detection item from the header of the message;
b3) add 1 to the count of that characteristic value of that detection item;
b4) if all detection items have been counted, go to step b5); otherwise go to step b2) to count the next detection item;
b5) judge whether the timer for the predetermined detection period has finished; if not, go to step b1).
3. The message characteristic detection method according to claim 2, characterized in that between step a) and step b) it comprises:
ab1) determine the total number N of characteristic values saved under each detection item;
and between step b2) and step b3) it comprises:
b21) if the extracted characteristic value is among the characteristic values saved under the detection item, execute step b3);
b22) if the number of characteristic values saved under the detection item is less than N, save the extracted characteristic value and execute step b3);
b23) replace the characteristic value with the lowest current count under the detection item with the extracted characteristic value, clear its count to zero, and execute step b3).
4. The message characteristic detection method according to any one of claims 1 to 3, characterized in that between step ab1) and step b) it comprises:
ab2) measure the arrival rate of messages processed by the network device;
ab3) judge whether the arrival rate exceeds a predetermined detection threshold; if not, go to step ab2); if so, start the timer for the predetermined detection period and execute step b).
5. The message characteristic detection method according to claim 4, characterized in that between step b) and step c) it comprises: judging whether the message total of every characteristic value of every detection item is no more than the predetermined attack threshold; if so, no traffic attack has occurred; if not, go to step c).
6. The message characteristic detection method according to claim 5, characterized in that after step c) it further comprises: the network device outputs an alarm or issues an access control list (ACL) for filtering, according to the characteristics of the attack messages.
7. The message characteristic detection method according to claim 6, characterized in that: the detection items are the source MAC (Media Access Control) address, the source port number, the destination port number and the physical port of the network device; the predetermined detection period is 1 second, the predetermined attack threshold is 300, and the total number N of characteristic values saved under each detection item is 5.
8. The message characteristic detection method according to claim 1, characterized in that: the message is a TCP/IP (Transmission Control Protocol/Internet Protocol) message; the header fields of the TCP/IP message comprise the source MAC address, frame type number, source IP address, destination IP address, protocol type number, source port number and destination port number.
9. The message characteristic detection method according to claim 8, characterized in that: the ports of the network device comprise the logical ports and physical ports of the network device.
10. The message characteristic detection method according to claim 1, characterized in that: the network device comprises switching equipment, routing equipment, firewalls and intrusion detection devices.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005100694738A CN100369416C (en) | 2005-05-09 | 2005-05-09 | Method for detecting flow attacking message characteristic of network equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005100694738A CN100369416C (en) | 2005-05-09 | 2005-05-09 | Method for detecting flow attacking message characteristic of network equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1725705A true CN1725705A (en) | 2006-01-25 |
CN100369416C CN100369416C (en) | 2008-02-13 |
Family
ID=35924957
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2005100694738A Expired - Fee Related CN100369416C (en) | 2005-05-09 | 2005-05-09 | Method for detecting flow attacking message characteristic of network equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100369416C (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1175621C (en) * | 2002-03-29 | 2004-11-10 | 华为技术有限公司 | Method of detecting and monitoring malicious user host machine attack |
US20040054925A1 (en) * | 2002-09-13 | 2004-03-18 | Cyber Operations, Llc | System and method for detecting and countering a network attack |
US7426634B2 (en) * | 2003-04-22 | 2008-09-16 | Intruguard Devices, Inc. | Method and apparatus for rate based denial of service attack detection and prevention |
2005-05-09 CN CNB2005100694738A patent/CN100369416C/en not_active Expired - Fee Related
Cited By (31)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101202742B (en) * | 2006-12-13 | 2011-10-26 | 中兴通讯股份有限公司 | Method and system for preventing refusal service attack |
CN101114938B (en) * | 2007-08-10 | 2010-06-23 | 杭州华三通信技术有限公司 | Statistical method, system and device with threshold restriction in distributed system |
CN101123492B (en) * | 2007-09-06 | 2012-01-18 | 杭州华三通信技术有限公司 | Method and device for detecting scanning attack |
CN101286979B (en) * | 2008-06-03 | 2011-02-09 | 电子科技大学 | Network attack detecting method |
CN101640666B (en) * | 2008-08-01 | 2012-06-06 | 北京启明星辰信息技术股份有限公司 | Device and method for controlling flow quantity facing to target network |
CN101834761A (en) * | 2010-05-21 | 2010-09-15 | 华为技术有限公司 | Degraded attacking detection and defense method, detection device and access device |
CN103368909B (en) * | 2012-03-30 | 2016-12-14 | 迈普通信技术股份有限公司 | A kind of communication equipment controls plane protection device and method |
CN103368909A (en) * | 2012-03-30 | 2013-10-23 | 迈普通信技术股份有限公司 | A communication equipment control layer protection apparatus and a communication equipment control layer protection method |
CN102916940A (en) * | 2012-09-19 | 2013-02-06 | 浪潮(北京)电子信息产业有限公司 | Method and system for realizing network safety of cloud data center |
CN102882895A (en) * | 2012-10-31 | 2013-01-16 | 杭州迪普科技有限公司 | Method and device for identifying message attack |
CN103095603B (en) * | 2013-02-21 | 2015-07-29 | 南京磐能电力科技股份有限公司 | A kind of Ethernet storm suppressing method |
CN103095603A (en) * | 2013-02-21 | 2013-05-08 | 南京磐能电力科技股份有限公司 | Restraining method for Ethernet storm |
CN103561001A (en) * | 2013-10-21 | 2014-02-05 | 华为技术有限公司 | Safety protection method and routing device |
WO2015081499A1 (en) * | 2013-12-03 | 2015-06-11 | 北京东土科技股份有限公司 | Method and device for preventing ring network protocol messages from attacking cpu of device |
CN103840971A (en) * | 2014-02-18 | 2014-06-04 | 汉柏科技有限公司 | Method and system for processing cloud cluster abnormities caused by private cloud viruses |
CN103840971B (en) * | 2014-02-18 | 2018-01-02 | 汉柏科技有限公司 | Cloud cluster caused by a kind of virus to private cloud abnormal processing method and system |
CN104506531A (en) * | 2014-12-19 | 2015-04-08 | 上海斐讯数据通信技术有限公司 | Security defending system and security defending method aiming at flow attack |
CN104506531B (en) * | 2014-12-19 | 2018-05-01 | 上海斐讯数据通信技术有限公司 | For the safety defense system and method for flow attacking |
CN105939328A (en) * | 2016-01-27 | 2016-09-14 | 杭州迪普科技有限公司 | Method and device for updating network attack feature library |
CN106130962A (en) * | 2016-06-13 | 2016-11-16 | 浙江宇视科技有限公司 | A kind of message processing method and device |
CN106130962B (en) * | 2016-06-13 | 2020-01-14 | 浙江宇视科技有限公司 | Message processing method and device |
CN108111472A (en) * | 2016-11-24 | 2018-06-01 | 腾讯科技(深圳)有限公司 | A kind of attack signature detection method and device |
CN107592243A (en) * | 2017-10-23 | 2018-01-16 | 上海斐讯数据通信技术有限公司 | A kind of method and device for verifying router static binding function |
CN107592243B (en) * | 2017-10-23 | 2020-12-22 | 王蕴卓 | Method and device for verifying static binding function of router |
CN110290124A (en) * | 2019-06-14 | 2019-09-27 | 杭州迪普科技股份有限公司 | A kind of interchanger inbound port blocking-up method and device |
WO2022057647A1 (en) * | 2020-09-15 | 2022-03-24 | 华为技术有限公司 | Packet processing method, system, and device |
CN113285918A (en) * | 2021-04-08 | 2021-08-20 | 锐捷网络股份有限公司 | ACL (access control list) filtering table item establishing method and device for network attack |
CN113285918B (en) * | 2021-04-08 | 2023-10-24 | 锐捷网络股份有限公司 | ACL filtering table item establishing method and device for network attack |
WO2022267490A1 (en) * | 2021-06-23 | 2022-12-29 | 华为技术有限公司 | Attack identification method, apparatus and system, and computer readable storage medium |
CN114143089A (en) * | 2021-11-30 | 2022-03-04 | 迈普通信技术股份有限公司 | Message processing method and device, network equipment and computer readable storage medium |
CN114143089B (en) * | 2021-11-30 | 2024-02-09 | 迈普通信技术股份有限公司 | Message processing method, device, network equipment and computer readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN100369416C (en) | 2008-02-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1725705A (en) | Method for detecting flow attacking message characteristic of network equipment | |
Barbosa et al. | Flow whitelisting in SCADA networks | |
US8448234B2 (en) | Method and apparatus for deep packet inspection for network intrusion detection | |
US8122494B2 (en) | Apparatus and method of securing network | |
CN102111394B (en) | Network attack protection method, equipment and system | |
WO2017146961A1 (en) | Hybrid hardware-software distributed threat analysis | |
CN101068229A (en) | Content filtering gateway realizing method based on network filter | |
CN1874303A (en) | Method for implementing black sheet | |
US9178851B2 (en) | High availability security device | |
CN106416171A (en) | Method and device for feature information analysis | |
CN101056306A (en) | Network device and its access control method | |
CN1175621C (en) | Method of detecting and monitoring malicious user host machine attack | |
CN105282169A (en) | DDoS attack warning method and system based on SDN controller threshold | |
CN106534068B (en) | Method and device for cleaning counterfeit source IP in DDOS defense system | |
CN103475653A (en) | Method for detecting network data package | |
US20090240804A1 (en) | Method and apparatus for preventing igmp packet attack | |
CN101447996A (en) | Defending method for distributed service-refusing attack and system and device thereof | |
CN101064597A (en) | Network security device and method for processing packet data using the same | |
CN106534394A (en) | NAT port manager used for realizing port mapping by using remainder | |
CN1968180A (en) | Multilevel aggregation-based abnormal flow control method and system | |
Bando et al. | Range hash for regular expression pre-filtering | |
CN107864110A (en) | Botnet main control end detection method and device | |
CN113765849B (en) | Abnormal network flow detection method and device | |
CN1674530A (en) | Method for real-time detecting network worm virus | |
US20100138893A1 (en) | Processing method for accelerating packet filtering |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd. |
CP03 | Change of name, title or address | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20080213 |
CF01 | Termination of patent right due to non-payment of annual fee | ||