NL2033657A - Active defense system and method for network intrusion based on dynamic ip blacklist - Google Patents
Publication number: NL2033657A
Authority: NL (Netherlands)
Prior art keywords: attack, address, module, dynamic, blacklist
Classifications
- H04L63/1466—Countermeasures against malicious traffic: active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/00 network security, H04L63/14 detecting or protecting against malicious traffic, H04L63/1441 countermeasures against malicious traffic)
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/02 separating internal from external traffic, e.g. firewalls, H04L63/0227 filtering policies)
- H04L63/101—Access control lists [ACL] (under H04L63/10 controlling access to devices or network resources)
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00 network arrangements or protocols for supporting network services or applications, H04L67/01 protocols)
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching (under H04L67/50 network services, H04L67/56 provisioning of proxy services)
All of the above fall under H—Electricity, H04—Electric communication technique, H04L—Transmission of digital information, e.g. telegraphic communication.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
Disclosed is an active defence system and method for network intrusion based on a dynamic IP blacklist. The system includes an IP blocking module, an IP address locking module, an HTTP/HTTPS request receiving module, a prefiltration module, an active defence detection module and a threat degree calculation module. Through the IP blocking module, the prefiltration module and the active defence detection module, multi-level defence detection (initialization blocking, preliminary detection and filtering, and active detection) is carried out in sequence for an access request from a malicious IP address, reducing the miss and false-alarm rates of active defence while meeting high-performance requirements. Through the threat degree calculation module, the dynamic IP blacklist is updated in real time, improving both the defence effect and the execution efficiency.
Description
ACTIVE DEFENSE SYSTEM AND METHOD FOR NETWORK INTRUSION BASED ON
DYNAMIC IP BLACKLIST
The present invention relates to the technical field of network security, and more particularly to an active defence system and method for network intrusion based on a dynamic IP blacklist.
With the rapid development and popularization of computer network technology, informatization has become the general trend of social development. However, because computer networks have diverse connection forms, non-uniformly distributed terminals, and open and interconnected topologies, they are susceptible to attacks by hackers, malicious software and other illegal behaviour, which threatens the security of network information.
Most traditional security defence measures analyse and monitor attacks that have already happened by examining the logs of security devices. This is essentially passive defence: it lacks awareness of the network security state and linked early warning, so the defence effect is poor, and intrusion details cannot be counted automatically or displayed visually.
Therefore, an urgent problem for those skilled in the art is how to provide an active defence system and method capable of dynamic, real-time active defence of networks and of visually displaying intrusion details.
In view of this, the present invention provides an active defence system and method for network intrusion based on a dynamic IP blacklist, which can carry out dynamic, real-time active defence for web networks, visually display intrusion details, and improve the defence effect and execution efficiency.
To realize the above purpose, the present invention adopts the following technical solution:
An active defence system for network intrusion based on a dynamic IP blacklist includes an IP blocking module, an IP address locking module, an HTTP/HTTPS request receiving module, a prefiltration module, an active defence detection module and a threat degree calculation module.
The IP blocking module is arranged in a firewall and is used for carrying out initialization blocking for a client and adding the client address to an IP address shared pool in a first IP address locking module.
The HTTP/HTTPS request receiving module is used for capturing an access request of the client, decrypting and re-encrypting SSL/TLS for HTTPS traffic, normalizing the various encodings and character sets, and caching the access request in an accept queue awaiting detection.
The prefiltration module is used for preliminarily detecting the client address, blocking the access request if it does not pass the preliminary detection, and sending it to the active defence detection module if it does.
The active defence detection module is used for analysing abnormal network behaviour and web content in the access request of the current period, blocking the client address if a suspected attack intrusion action is detected, and at the same time caching and storing the suspected attack intrusion action in log form.
The threat degree calculation module is used for analysing the logs cached in the same period, calculating the threat coefficient of the client address, and adding the client address and its threat coefficient to the dynamic IP blacklist.
The IP address locking module is used for locking the address in the dynamic IP blacklist and storing the locked address in the firewall IP blocking module.
Further, in the active defence system for the network intrusion based on the dynamic IP blacklist, the active defence detection module includes an active defence detection unit, an IP address locking unit, a log caching unit, a log storage unit and a forwarding unit.
The active defence detection unit is used for acquiring the access request to be detected in a message queue, analysing the network abnormal behaviour and web content in the access request of the current period, and sending the access request to a WEB server through the forwarding unit if no suspected attack intrusion action is detected.
The IP address locking unit is used for blocking the client address when the active defence detection unit detects the suspected attack intrusion action.
The log caching unit is used for caching the suspected attack intrusion action in a log form when the active defence detection unit detects the suspected attack intrusion action.
The log storage unit is used for storing the suspected attack intrusion action in a log form when the active defence detection unit detects the suspected attack intrusion action, to obtain an attack log.
Further, the active defence system for the network intrusion based on the dynamic IP blacklist also includes a visual displaying module.
The visual displaying module is used for analysing the stored logs to obtain a visual image; the visual image is composed of an entrance file image, an active defence time-sharing statistical chart, an intrusion IP address statistical chart and an intruded website statistical chart.
The entrance file image is used for counting the number of time-sharing attacks for an entrance file and visually displaying related file names.
The active defence time-sharing statistical chart is used for visually displaying the number of active defence attacks in real time.
The intrusion IP address statistical chart is used for visually displaying an IP address and number of intrusions in real time.
The intruded website statistical chart is used for visually displaying intruded websites and times in real time.
Further, in the active defence system for the network intrusion based on the dynamic IP blacklist, the prefiltration module is used for judging whether the client address exists in the dynamic IP blacklist, if so, comparing a threat coefficient value of the client address with a pre- set value, blocking the access request if the threat coefficient value is greater than the pre-set value, and sending the access request to the active defence detection module for further detection if the threat coefficient value is less than the pre-set value or the client address does not exist in the dynamic IP blacklist.
Further, in the active defence system for the network intrusion based on the dynamic IP blacklist, the threat degree calculation module is also used for removing the IP address from the dynamic IP blacklist if the threat coefficient value corresponding to the IP address in the dynamic blacklist is less than or equal to zero.
The present invention further discloses an active defence method for network intrusion based on a dynamic IP blacklist, which includes: carrying out initialization blocking for a client, locking the client address, and storing it in an IP address shared pool; capturing an access request of the client, decrypting and re-encrypting SSL/TLS for HTTPS traffic, normalizing the various encodings and character sets, and caching the access request in an accept queue awaiting detection; preliminarily detecting the client address, blocking the access request if it does not pass the preliminary detection, and carrying out active defence detection for the access request if it does; analysing abnormal network behaviour and web content in the access request of the current period and, if a suspected attack intrusion action is detected, blocking the client address and caching and storing the suspected attack intrusion action in log form; analysing the logs cached in the same period, calculating a threat coefficient of the client address, and adding the client address and its threat coefficient to the dynamic IP blacklist; and locking the address in the dynamic IP blacklist, storing the locked address in a firewall, and blocking the locked address directly if it accesses the firewall subsequently.
Further, the active defence method for the network intrusion based on the dynamic IP blacklist also includes:
forwarding the access request to a WEB server if no suspected attack intrusion action is detected when the network abnormal behaviours and WEB content in the access request of the current period are analysed.
Further, in the active defence method for network intrusion based on the dynamic IP blacklist, the threat coefficient of the client address is calculated as follows: the stored attack intrusion action log is analysed, and the attack event subsets $A_1, A_2, \ldots, A_i$ corresponding to the different attack source addresses $IP_1, IP_2, IP_3, \ldots, IP_i$ are determined; the threat coefficients of the attack frequency, attack time period, attack region and attack rule of the current period in the attack event subset $A_i$ corresponding to $IP_i$ are determined according to the importance of the different frequencies, time periods, regions and rules in $A_i$; threat coefficient weights are assigned to the attack frequency, attack time period, attack region and attack rule of the current period according to the degree of influence that the different frequencies, time periods, regions and rules in $A_i$ have on the web network; and a weighted sum of the threat coefficients and their weights is formed to obtain the threat coefficient of the current period for the client with attack source address $IP_i$:

$\mathrm{Threat}(IP_i) = A_1 F(IP_i) + A_2 T(IP_i) + A_3 S(IP_i) + A_4 R(IP_i)$

In the formula, $F(IP_i) = \mathrm{Frequency}/N$, $T(IP_i) = \mathrm{Time}/N$, $S(IP_i) = \mathrm{Region}/N$ and $R(IP_i) = \mathrm{Rule}/N$; $N$ is the total number of distinct target host machines; Frequency, Time, Region and Rule are the threat coefficients of the attack frequency, attack time period, attack region and attack rule in the attack event subset $A_i$ corresponding to $IP_i$ respectively; and $A_1, A_2, A_3, A_4$ are the corresponding threat coefficient weights, with $A_1 + A_2 + A_3 + A_4 = 1$.
Further, the active defence method for the network intrusion based on the dynamic IP blacklist also includes: removing the IP address from the dynamic IP blacklist if the threat coefficient value corresponding to the IP address in the dynamic blacklist is less than or equal to zero.
Further, the active defence method for the network intrusion based on the dynamic IP blacklist also includes: analysing the stored logs to obtain a visual image; and the visual image is composed of an entrance file image, an active defence time-sharing statistical chart, an intrusion IP address statistical chart and an intruded website statistical chart.
The entrance file image is used for counting the number of time-sharing attacks for an entrance file and visually displaying related file names.
The active defence time-sharing statistical chart is used for visually displaying the number of active defence attacks in real time.
The intrusion IP address statistical chart is used for visually displaying an IP address and number of intrusions in real time.
The intruded website statistical chart is used for visually displaying intruded websites and times in real time.
It may be seen from the above technical solutions that, compared with the prior art, the active defence system and method for network intrusion based on the dynamic IP blacklist provided by the present invention can carry out dynamic, real-time active defence for web networks, and handle attacks carried over HTTPS as well as variant attacks against the web application layer. At the same time, the present invention provides strong analysis and processing capacity: the whole detection process comprises multi-level defence detection of initialization blocking, preliminary detection and filtering, and active detection for the access request of a malicious IP address, thereby reducing the miss and false-alarm rates of active defence and meeting the high-performance requirement. By updating the dynamic IP blacklist in real time, a malicious address is added to the blacklist as soon as it is detected, so that it is blocked at the very beginning of its next access, improving the defence effect and execution efficiency. The present invention also provides a visual intrusion monitoring measure, so that the intrusion details can be displayed intuitively.
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly presented below. Obviously, the drawings in the following description are merely embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from the provided drawings without creative labour.
Fig. 1 is a structural schematic diagram of an active defence system for network intrusion based on a dynamic IP blacklist provided by the present invention;
Fig. 2 is an active defence time-sharing statistical chart provided by the present invention; and
Fig. 3 is a block diagram of implementation modules of the active defence system for the network intrusion based on the dynamic IP blacklist provided by the present invention.
The technical solutions in the embodiments of the present invention will be clearly and fully described below in combination with the drawings in the embodiments of the present invention.
Apparently, the described embodiments are merely part of the embodiments of the present invention, not all of the embodiments. Based on the embodiments in the present invention, all other embodiments obtained by those ordinary skilled in the art without contributing creative labour will belong to the protection scope of the present invention.
As shown in Fig. 1, an embodiment of the present invention discloses an active defence system for network intrusion based on a dynamic IP blacklist, which includes an IP blocking module, an IP address locking module, an HTTP/HTTPS request receiving module, a prefiltration module, an active defence detection module and a threat degree calculation module.
The IP blocking module is arranged in a firewall and is used for carrying out initialization blocking for a client and adding the client address to an IP address shared pool in a first IP address locking module.
The HTTP/HTTPS request receiving module is used for capturing an access request of the client, decrypting and re-encrypting SSL/TLS for HTTPS traffic, normalizing the various encodings and character sets, and caching the access request in an accept queue awaiting detection.
The prefiltration module is used for preliminarily detecting the client address, blocking the access request if it does not pass the preliminary detection, and sending it to the active defence detection module if it does.
The active defence detection module is used for analysing abnormal network behaviour and web content in the access request of the current period, blocking the client address if a suspected attack intrusion action is detected, and caching and storing the suspected attack intrusion action in log form.
The threat degree calculation module is used for analysing the logs cached in the same period, calculating a threat coefficient of the client address, and adding the client address and its threat coefficient to the dynamic IP blacklist.
The IP address locking module is used for locking the address in the dynamic IP blacklist and storing the locked address in the firewall IP blocking module, so that the client is blocked directly on its subsequent accesses.
In a specific embodiment, the active defence detection module includes an active defence detection unit, an IP address locking unit, a log caching unit, a log storage unit and a forwarding unit.
The active defence detection unit is used for acquiring the access request to be detected in a message queue, analysing the network abnormal behaviour and WEB content in the access request of the current period, and sending the access request to a WEB server through the forwarding unit if no suspected attack intrusion action is detected.
The IP address locking unit is used for blocking the client address when the active defence detection unit detects the suspected attack intrusion action.
The log caching unit is used for caching the suspected attack intrusion action in a log form when the active defence detection unit detects the suspected attack intrusion action.
The log storage unit is used for storing the suspected attack intrusion action in a log form when the active defence detection unit detects the suspected attack intrusion action, to obtain an attack log.
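As an added example, not code from the patent or from any product it describes, the following Python sketches the request-receiving, prefiltration and active-defence detection stages just described, applied to constructed requests. The rule signatures, the pre-set threshold value, the sample blacklist entries and the sample traffic are assumptions made for illustration; the patent specifies none of them. It also shows why the "standardizing codes and character sets" step matters: a double percent-encoded SQL injection and a full-width `<script>` tag only match the rules after normalization.

```python
"""Added example (not code from the patent): the request-receiving, prefiltration
and active-defence detection stages, run over constructed HTTP requests.  The rule
signatures, the pre-set threshold, the sample blacklist and the sample traffic are
all assumptions made for illustration."""
import re
import unicodedata
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Request:
    client_ip: str
    method: str
    url: str
    body: str = ""


def normalize(text: str, max_rounds: int = 3) -> str:
    """'Standardize codes and character sets' before rule matching: percent-decode
    until the text stops changing (bounded, so nested encodings cannot loop),
    fold Unicode compatibility forms (full-width '<' becomes '<'), lower-case."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return unicodedata.normalize("NFKC", text).lower()


# Minimal stand-ins for the patent's rule module (assumed signatures).
RULES = {
    "sqli": re.compile(r"\bunion\b\s+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1"),
    "xss": re.compile(r"<script\b|javascript:"),
    "traversal": re.compile(r"\.\./|/etc/passwd"),
}


def prefilter(client_ip, blacklist, preset):
    """Prefiltration module: an address already on the dynamic blacklist whose
    threat coefficient exceeds the pre-set value is blocked outright; a listed
    address below it, or an unlisted address, goes on to active detection.
    The text leaves 'equal to the pre-set value' unspecified; this treats it as
    'detect', i.e. the block condition is strictly greater-than."""
    coeff = blacklist.get(client_ip)
    if coeff is not None and coeff > preset:
        return "block"
    return "detect"


def detect(req):
    """Active defence detection unit: first matching rule name, or None."""
    text = normalize(req.url) + "\n" + normalize(req.body)
    for name, pattern in RULES.items():
        if pattern.search(text):
            return name
    return None


def process(requests, firewall_locked, blacklist, preset, period):
    """Run the multi-level pipeline for one period.  Returns the per-request
    decisions and the attack log that the threat-degree calculation consumes."""
    decisions, attack_log = [], []
    for req in requests:
        if req.client_ip in firewall_locked:      # IP blocking module: direct block
            decisions.append((req.client_ip, "firewall-blocked"))
            continue
        if prefilter(req.client_ip, blacklist, preset) == "block":
            decisions.append((req.client_ip, "prefilter-blocked"))
            continue
        rule = detect(req)
        if rule is None:                          # forwarding unit: on to the web server
            decisions.append((req.client_ip, "forwarded"))
            continue
        firewall_locked.add(req.client_ip)        # IP address locking unit
        attack_log.append({"period": period, "ip": req.client_ip,
                           "rule": rule, "url": req.url})
        decisions.append((req.client_ip, "blocked:" + rule))
    return decisions, attack_log


# Constructed sample traffic and blacklist state (not captured data).
SAMPLE_REQUESTS = [
    Request("203.0.113.5", "GET", "/index.php?id=1"),
    Request("203.0.113.5", "GET", "/index.php?id=1%2527%2520or%25201%253D1"),   # double-encoded
    Request("198.51.100.7", "GET", "/search?q=%EF%BC%9Cscript%EF%BC%9Ealert(1)"),  # full-width < >
    Request("198.51.100.7", "GET", "/about.html"),             # already locked by then
    Request("192.0.2.9", "GET", "/download?f=..%2F..%2Fetc%2Fpasswd"),
    Request("192.0.2.11", "GET", "/index.html"),               # listed above the threshold
    Request("192.0.2.10", "POST", "/login", body="user=bob&pass=hunter2"),
]
SAMPLE_BLACKLIST = {"192.0.2.9": 0.2, "192.0.2.11": 0.9}
PRESET = 0.5


def run_sample():
    return process(SAMPLE_REQUESTS, set(), dict(SAMPLE_BLACKLIST), PRESET, period=1)


if __name__ == "__main__":
    decisions, log = run_sample()
    for ip, decision in decisions:
        print(f"{ip:14} {decision}")
    print("attack log entries:", len(log))
```

Note the ordering the description implies: the firewall lock from the first detected attack stops the same client's later requests before they reach the prefilter or the detection unit, so the attack log holds one entry per newly locked address in the period, not one per request.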
In an embodiment, the active defence system also includes a visual displaying module.
The visual displaying module is used for analysing the stored logs to obtain a visual image; and the visual image is composed of an entrance file image, an active defence time-sharing statistical chart, an intrusion IP address statistical chart and an intruded website statistical chart.
The entrance file image is used for counting the number of time-sharing attacks for an entrance file and visually displaying related file names.
The active defence time-sharing statistical chart is used for visually displaying the number of active defence attacks, as shown in Fig. 2.
The intrusion IP address statistical chart is used for visually displaying an IP address and number of intrusions in real time.
The intruded website statistical chart is used for visually displaying intruded websites and times in real time.
In an embodiment, the prefiltration module is used for judging whether the client address exists in the dynamic IP blacklist, if so, comparing a threat coefficient value of the client address with a pre-set value, blocking the access request if the threat coefficient value is greater than the pre-set value, and sending the access request to the active defence detection module for further detection if the threat coefficient value is less than the pre-set value or the client address does not exist in the dynamic IP blacklist.
In other embodiments, the threat degree calculation module is also used for removing the IP address from the dynamic IP blacklist if the threat coefficient value corresponding to the IP address in the dynamic blacklist is less than or equal to zero.
Specifically, as shown in Fig. 3, implementation modules of the active defence system for the network intrusion based on the dynamic IP blacklist include a configuration module, a protocol resolution module, a rule module, an action module, an error processing module and a log module.
The configuration module is used for the global setting of rules, the global setting of protocol resolution, the run-time setting of the rule engines, the active defence setting and the log record granularity.
The rule module realizes rule processing, rule resolution and rule detection.
The action module realizes interception, disconnection and locking of an IP address, redirection, URL-rewriting proxying, setting of verification codes, shielding of malicious content, custom response bodies and JS code, and resetting of the reply ID.
The log module produces a firewall log and an active defence log.
An embodiment of the present invention also discloses an active defence method for network intrusion based on a dynamic IP blacklist, which includes the following steps: initialization blocking is carried out for a client, and the client address is locked and stored in an IP address shared pool; the client's access request is captured, SSL/TLS decryption and re-encryption are performed for HTTPS traffic, the various encodings and character sets are normalized, and the access request is cached in an accept queue awaiting detection; the client address is preliminarily detected, and if it does not pass the preliminary detection the access request is blocked, while if it passes, active defence detection is carried out for the access request; the abnormal network behaviour and web content in the access request of the current period are analysed, and if a suspected attack intrusion action is detected, the client address is blocked and the suspected attack intrusion action is cached and stored in log form, while if none is detected, the access request is forwarded to a web server.
The logs cached in the same period are analysed, a threat coefficient of the client address is calculated, and the client address and its threat coefficient are added to the dynamic IP blacklist.
The address in the dynamic IP blacklist is locked, the locked address is stored in a firewall, and direct blocking is carried out when the locked address accesses the firewall subsequently.
In an embodiment, a calculation process of the threat coefficient of the client address is as follows:
The stored attack intrusion action log is analysed, and the attack event subsets $A_1, A_2, \ldots, A_i$ corresponding to the different attack source addresses $IP_1, IP_2, IP_3, \ldots, IP_i$ are determined. Specifically, by studying the different degrees of influence that attack events of different frequencies, time periods, regions and rules have on a target host machine, the attack events belonging to each attack source are classified into subsets according to these attack attributes.
Threat coefficients corresponding to the attack frequency, attack time period, attack region and attack rule of the current period in the attack event subset Ai corresponding to IPi are determined respectively according to the importance of different frequencies, different time periods, different regions and different rules in the attack event subset Ai corresponding to IPi.
Threat coefficient weights are assigned respectively to the attack frequency, the attack time period, the attack region and the attack rule of the current period in the attack event subset Ai corresponding to IPi according to the influence degree of different frequencies, different time periods, different regions and different rules in the attack event subset Ai corresponding to IPi on the WEB network.
A weighted sum of the threat coefficients and threat coefficient weights of the attack frequency, attack time period, attack region and attack rule in the attack event subset $A_i$ corresponding to $IP_i$ for the current period gives the threat coefficient of the current period for the client with attack source address $IP_i$:

$\mathrm{Threat}(IP_i) = A_1 F(IP_i) + A_2 T(IP_i) + A_3 S(IP_i) + A_4 R(IP_i)$

In the formula, $F(IP_i) = \mathrm{Frequency}/N$, $T(IP_i) = \mathrm{Time}/N$, $S(IP_i) = \mathrm{Region}/N$ and $R(IP_i) = \mathrm{Rule}/N$; $N$ is the total number of distinct target host machines (i.e. the plurality of protected servers); Frequency, Time, Region and Rule are the threat coefficients of the attack frequency, attack time period, attack region and attack rule in the attack event subset $A_i$ corresponding to $IP_i$ respectively; and $A_1, A_2, A_3, A_4$ are the corresponding threat coefficient weights, with $A_1 + A_2 + A_3 + A_4 = 1$.
In one embodiment, the method also includes:
The IP address is removed from the dynamic IP blacklist if the threat coefficient value corresponding to the IP address in the dynamic blacklist is less than or equal to zero.
Specifically, let $X$ denote the dynamic IP blacklist.
(1) When $IP_i \in X$: $\mathrm{Threat}_i = \mathrm{Threat}_{\mathrm{last},i} + \mathrm{Threat}(IP_i) - \mathrm{Threat}_A$, where $\mathrm{Threat}_{\mathrm{last},i}$ is the threat coefficient of $IP_i$ in the previous period, $\mathrm{Threat}(IP_i)$ is the threat coefficient of the current period, and $\mathrm{Threat}_A$ is the attenuation of the threat coefficient of the attacker $IP_i$ after a fixed period of time $T$; its value may be set according to the actual situation of the network. $\mathrm{Threat}_i$ is the resulting threat coefficient of the attack source $IP_i$.
(2) When $IP_i \notin X$ (that is, $IP_i$ is not in the set $X$): $\mathrm{Threat}_i = \mathrm{Threat}(IP_i)$, i.e. the threat coefficient is simply the value computed by the function $\mathrm{Threat}(IP_i)$ for the current period.
(3) If $IP_i$ is not yet in $X$, the address $IP_i$ and its threat coefficient $\mathrm{Threat}_i$ are added to $X$ together; if the threat coefficient corresponding to $IP_i$ is less than or equal to zero, $IP_i$ is removed from $X$. The greater $\mathrm{Threat}_A$ is, the faster the threat coefficient of an attacker decays; once the threat coefficient of a blacklisted IP has decayed to zero or below, the IP address is automatically removed from the dynamic IP blacklist.
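The threat coefficient formula and the per-period update and removal rule above, carried through in Python as an added example (not the patent's code). The patent states the weighted sum and the decay step but not how Frequency, Time, Region and Rule are scored, nor the values of $A_1 \ldots A_4$, $N$ or $\mathrm{Threat}_A$; the scoring tables, weights, constants and attack events below are assumptions for illustration. One interpretation is also made explicit in the code: a blacklisted address with no events in the current period contributes $\mathrm{Threat}(IP_i) = 0$ and still loses $\mathrm{Threat}_A$, which is what lets it age out of the list.

```python
"""Added example (not code from the patent): the threat-degree calculation
Threat(IP_i) = A1*F + A2*T + A3*S + A4*R and the per-period blacklist update
Threat_i = Threat_last_i + Threat(IP_i) - Threat_A, applied to a constructed
attack log.  How Frequency, Time, Region and Rule are scored, the weights
A1..A4, N, Threat_A and the sample events are all assumptions."""
from collections import defaultdict

# Assumed scoring tables for the four attack attributes of an event subset A_i.
RULE_SEVERITY = {"sqli": 3.0, "xss": 2.0, "traversal": 2.5, "scan": 1.0}
REGION_SCORE = {"domestic": 1.0, "foreign": 1.5}
WEIGHTS = {"F": 0.4, "T": 0.2, "S": 0.1, "R": 0.3}      # A1..A4, must sum to 1


def hour_score(hour):
    """Attack time period: off-hours attacks are weighted higher (assumption)."""
    return 1.0 if 8 <= hour < 18 else 2.0


def attribute_coefficients(events):
    """Frequency, Time, Region and Rule for one source's event subset A_i."""
    return {
        "F": float(len(events)),                                  # attack frequency
        "T": sum(hour_score(e["hour"]) for e in events),          # attack time period
        "S": max(REGION_SCORE[e["region"]] for e in events),      # attack region
        "R": max(RULE_SEVERITY[e["rule"]] for e in events),       # attack rule
    }


def threat(events, n_targets, weights=WEIGHTS):
    """Threat(IP_i): weighted sum of the four coefficients, each divided by N,
    the number of distinct target hosts."""
    assert abs(sum(weights.values()) - 1.0) < 1e-9, "A1+A2+A3+A4 must equal 1"
    coeff = attribute_coefficients(events)
    return sum(weights[k] * coeff[k] / n_targets for k in weights)


def update_blacklist(blacklist, period_log, n_targets, threat_a):
    """One period of the dynamic blacklist X.
    IP in X:      Threat_i = Threat_last_i + Threat(IP_i) - Threat_A
    IP not in X:  Threat_i = Threat(IP_i), then added to X
    Any IP whose Threat_i <= 0 is dropped.  A listed IP with no events this
    period contributes Threat(IP_i) = 0 and still decays (interpretation:
    the attenuation applies after every fixed period T)."""
    subsets = defaultdict(list)
    for event in period_log:
        subsets[event["ip"]].append(event)
    updated = {}
    for ip in set(blacklist) | set(subsets):
        current = threat(subsets[ip], n_targets) if ip in subsets else 0.0
        value = blacklist[ip] + current - threat_a if ip in blacklist else current
        if value > 0:
            updated[ip] = value
    return updated


# Constructed attack log (not captured data), grouped by period.
PERIOD_LOGS = [
    [   # period 1
        {"ip": "203.0.113.5", "rule": "sqli", "hour": 3, "region": "foreign"},
        {"ip": "203.0.113.5", "rule": "sqli", "hour": 4, "region": "foreign"},
        {"ip": "203.0.113.5", "rule": "xss", "hour": 10, "region": "foreign"},
        {"ip": "198.51.100.7", "rule": "scan", "hour": 14, "region": "domestic"},
    ],
    [   # period 2: only one source is still active
        {"ip": "203.0.113.5", "rule": "traversal", "hour": 12, "region": "domestic"},
    ],
    [],  # period 3: quiet
    [],  # period 4: quiet
]
N_TARGETS = 4       # distinct target hosts behind the defence
THREAT_A = 0.5      # attenuation per period


def run_sample():
    """Return the blacklist after each period."""
    blacklist, history = {}, []
    for log in PERIOD_LOGS:
        blacklist = update_blacklist(blacklist, log, N_TARGETS, THREAT_A)
        history.append(dict(blacklist))
    return history


if __name__ == "__main__":
    for n, snapshot in enumerate(run_sample(), start=1):
        print(f"after period {n}: {snapshot}")
```

With these constants the scanner at 198.51.100.7 enters at 0.25 and is dropped after one quiet period, while the persistent source at 203.0.113.5 enters at 0.8125, is topped up by its period-2 event, and needs two quiet periods to age out; raising `THREAT_A` shortens both lifetimes, as the description says.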
In another embodiment, the method also includes:
The stored logs are analysed to produce a visualization composed of an entrance file image, an active defence time-sharing statistical chart, an intrusion IP address statistical chart and an intruded website statistical chart.
The entrance file image counts the number of attacks on each entrance file per time slot and displays the related file names.
The active defence time-sharing statistical chart displays, in real time, the number of attacks handled by the active defence in each time slot.
The intrusion IP address statistical chart displays, in real time, each intruding IP address and its number of intrusions.
The intruded website statistical chart displays, in real time, the intruded websites and the number of times each was intruded.
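As an added example that is not the patent's code, the statistics behind the four charts can be computed from the stored logs as follows. The log line format is an assumption constructed for this example (ISO-8601 time, source IP, site host, entrance file, attack type, separated by spaces), as are the sample lines; time-sharing is taken to mean bucketing by hour.

```python
"""Counts behind the entrance-file, time-sharing, intrusion-IP and
intruded-website charts, computed from stored active-defence logs.
Added example, not code from the patent.

ASSUMPTION: one log line per blocked attack, in a constructed format:
    <ISO-8601 time> <source IP> <site host> <entrance file> <attack type>
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple


class LogEntry(NamedTuple):
    hour: str        # time-sharing bucket, e.g. "2022-06-08 10"
    ip: str
    site: str
    entry_file: str
    attack: str


def parse_log(lines: Iterable[str]) -> List[LogEntry]:
    """Parse stored log lines; malformed lines are skipped, not fatal."""
    entries: List[LogEntry] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        entries.append(LogEntry(ts.strftime("%Y-%m-%d %H"), *parts[1:]))
    return entries


def chart_data(entries: Iterable[LogEntry]) -> Dict[str, object]:
    """Aggregate entries into the four data sets the charts display."""
    entries = list(entries)
    entry_file_by_hour: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        entry_file_by_hour[e.entry_file][e.hour] += 1   # entrance file image
    return {
        "entry_file_by_hour": dict(entry_file_by_hour),
        "attacks_by_hour": Counter(e.hour for e in entries),   # time-sharing chart
        "attacks_by_ip": Counter(e.ip for e in entries),       # intrusion IP chart
        "attacks_by_site": Counter(e.site for e in entries),   # intruded website chart
    }


# Constructed sample log (not real data); the fifth line is deliberately malformed.
SAMPLE_LOG = """\
2022-06-08T10:15:02 203.0.113.7 shop.example.com /index.php sqli
2022-06-08T10:17:45 203.0.113.7 shop.example.com /index.php sqli
2022-06-08T10:52:10 198.51.100.9 blog.example.com /wp-login.php scan
2022-06-08T11:03:33 203.0.113.7 blog.example.com /wp-login.php xss
this line is garbage
2022-06-08T11:40:00 192.0.2.44 shop.example.com /api.php sqli
"""


def sample_chart_data() -> Dict[str, object]:
    return chart_data(parse_log(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    data = sample_chart_data()
    for name, value in data.items():
        print(name, dict(value))
    print("top source:", data["attacks_by_ip"].most_common(1))
```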
The embodiments in the description are described progressively: each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments can be referred to one another. Because the device disclosed by the embodiments corresponds to the method disclosed by the embodiments, the device is described only briefly; refer to the description of the method for the related parts.
The above description of the disclosed embodiments enables those skilled in the art to realize or use the present invention. Many modifications to these embodiments will be apparent to those skilled in the art, and the general principle defined herein can be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein, but conforms to the widest scope consistent with the principle and novel features disclosed herein.
Claims (10)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210645186.0A CN115102727A (en) | 2022-06-08 | 2022-06-08 | Network intrusion active defense system and method based on dynamic IP blacklist |
Publications (1)
Publication Number | Publication Date |
---|---|
NL2033657A true NL2033657A (en) | 2023-12-14 |
Family
ID=83289911
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
NL2033657A NL2033657A (en) | 2022-06-08 | 2022-12-02 | Active defense system and method for network intrusion based on dynamic ip blacklist |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN115102727A (en) |
NL (1) | NL2033657A (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116582366B (en) * | 2023-07-12 | 2023-09-15 | 中国电信股份有限公司 | Web attack prevention method, device and system and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110035060A (en) * | 2019-03-07 | 2019-07-19 | 北京华安普特网络科技有限公司 | The Web firewall of effective anti-hacker attacks |
CN110290148A (en) * | 2019-07-16 | 2019-09-27 | 深圳乐信软件技术有限公司 | A kind of defence method, device, server and the storage medium of WEB firewall |
2022
- 2022-06-08 CN CN202210645186.0A patent/CN115102727A/en active Pending
- 2022-12-02 NL NL2033657A patent/NL2033657A/en unknown
Non-Patent Citations (1)
Title |
---|
NANCY AGARWAL ET AL: "A closer look at Intrusion Detection System for web applications", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 16 March 2018 (2018-03-16), XP081259668 * |
Also Published As
Publication number | Publication date |
---|---|
CN115102727A (en) | 2022-09-23 |
Similar Documents
Publication | Title |
---|---|
CN111800395A (en) | Threat information defense method and system |
US10735455B2 (en) | System for anonymously detecting and blocking threats within a telecommunications network |
CN103701795B (en) | The recognition methods of the attack source of Denial of Service attack and device |
CN110071941B (en) | Network attack detection method, equipment, storage medium and computer equipment |
JP2019512761A (en) | Reactive and preemptive security system for protection of computer networks and systems |
CN114679338A (en) | Network risk assessment method based on network security situation awareness |
CN109962891A (en) | Monitor method, apparatus, equipment and the computer storage medium of cloud security |
US20140047543A1 (en) | Apparatus and method for detecting http botnet based on densities of web transactions |
JP7204247B2 (en) | Threat Response Automation Methods |
CN107682345B (en) | IP address detection method and device and electronic equipment |
CN106850647B (en) | Malicious domain name detection algorithm based on DNS request period |
JP2004030286A (en) | Intrusion detection system and intrusion detection program |
Zhang et al. | User intention-based traffic dependence analysis for anomaly detection |
CN113676449A (en) | Network attack processing method and device |
CN115766235A (en) | Network security early warning system and early warning method |
NL2033657A (en) | Active defense system and method for network intrusion based on dynamic ip blacklist |
Myers et al. | Log-based distributed security event detection using simple event correlator |
Yu et al. | TRINETR: an intrusion detection alert management systems |
CN101453363A (en) | Network intrusion detection system |
Efe et al. | Comparison of the host based intrusion detection systems and network based intrusion detection systems |
Beigh et al. | Performance evaluation of different intrusion detection system: An empirical approach |
CN114257403B (en) | False alarm detection method, equipment and readable storage medium |
Whyte et al. | Exposure Maps: Removing Reliance on Attribution During Scan Detection. |
US11184369B2 (en) | Malicious relay and jump-system detection using behavioral indicators of actors |
Lu et al. | An adaptive real-time intrusion detection system using sequences of system call |