TW201441861A - Network attack-proof sampling detection system and method - Google Patents

Info

Publication number
TW201441861A
Authority
TW
Taiwan
Prior art keywords
query packet
query
malicious
packet information
information
Prior art date
Application number
TW102115390A
Other languages
Chinese (zh)
Inventor
Fan-Chieh Lin
Shih-Yuan Fang
Cheng-Hsin Chou
Original Assignee
Chunghwa Telecom Co Ltd
Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Disclosed is a network attack-proof sampling detection system and method, comprising a monitoring device, a plurality of servers and a judging device. The monitoring device receives a plurality of inquiry data packets. At least one of the servers is provided with a detection module, and that server receives at least one of the inquiry data packets from the monitoring device so that the detection module can perform sampling detection, analysing the packet to detect any suspicious information. The judging device receives the suspicious packet information from that server, analyses it to detect any malicious packet information, and passes the result to the monitoring device for control, thereby reducing the overall system workload and achieving the attack-proof effect.

Description

Sampling detection system and method for defending against network attacks

The present invention relates to network security technology, and more particularly to a sampling detection system and method for defending against network attacks.

DNS is a distributed database system for managing the mapping between host names and network address information, so that host names can be associated with network addresses. The DNS service is therefore a foundation of the Internet, and an attack on the DNS service has a serious impact on the whole network.

Among the various network attacks aimed at DNS, the distributed denial-of-service (DDoS) attack is a technique attackers commonly use; a DNS server under such an attack can no longer resolve domain names normally. On 19 May 2009, for example, a DNS attack caused a rare network outage in mainland China.

At present there are many methods for defending against network attacks such as DDoS, but the conventional methods judge the abnormal DNS traffic caused by such attacks with insufficient accuracy. In addition, the prior art usually performs the defence with a protective device placed in front of the DNS server (such as various intrusion detection systems); because that device carries out several tasks at once, it is easily overloaded when traffic is high, and it also has the drawbacks of poor system scalability and high cost.

There is therefore a need for a sampling detection system and method for defending against network attacks that reduces the overall system load, offers better system scalability and better judgement accuracy, and lowers cost.

One object of the present invention is to provide a sampling detection system and method for defending against network attacks that reduces the overall system load, offers better system scalability, and lowers cost.

Another object of the present invention is to provide a sampling detection system and method for defending against network attacks that improves the defensive effect and reduces the risk of false judgements.

The present invention discloses a sampling detection system for defending against network attacks, comprising a control device, a plurality of servers and a judging device. The control device receives a plurality of query packets. At least one of the servers has a detection module, and the server with the detection module receives at least one of the query packets from the control device, so that the detection module performs sampling detection on that query packet and then analyses it to obtain suspicious query packet information. The judging device receives the suspicious query packet information from the server, analyses it to obtain malicious query packet information, and then controls the malicious query packet information through the control device.

In addition, the present invention discloses a sampling detection method for defending against network attacks, comprising the steps of: receiving a plurality of query packets; performing sampling detection on at least one of the query packets and analysing it to obtain suspicious query packet information; analysing the suspicious query packet information to obtain malicious query packet information; and controlling the malicious query packet information.

In one embodiment, the plurality of servers are DNS servers or DNSSEC servers. Furthermore, the detection module uses a script to perform sampling detection on the at least one query packet at a specific time.

In another embodiment, the detection module analyses the source address or domain name of the at least one query packet to obtain the suspicious query packet information. Furthermore, the judging device analyses the query traffic of that source address or domain name to obtain the malicious query packet information. The judging device may also analyse the impact of that query traffic on the server's load to obtain the malicious query packet information.

In yet another embodiment, the control device further comprises an integration module for receiving other malicious query packet information from other judging devices, so that the control device controls both the malicious query packet information and the other malicious query packet information.

The sampling detection system and method disclosed by the present invention exploit the load-balancing property of a plurality of servers: the query packets received by one of those servers are inspected by sampling, in order to protect the servers against network attacks such as DDoS. Compared with the prior art, the sampling detection system and method reduce the overall system load, thereby improving detection efficiency, reduce the risk of false judgements, and offer better system scalability.

1, 3: sampling detection system

10, 30: control device

12, 32: server group

14, 34: judging device

102, 302: integration module

122, 124, 126, 322, 324, 326: server

1225, 3225: detection module

S20, S22, S24, S26: steps

Fig. 1 is a system architecture diagram of the sampling detection system for defending against network attacks according to the present invention; Fig. 2 is a flow chart of the steps of the sampling detection method for defending against network attacks according to the present invention; and Fig. 3 is another system architecture diagram of the sampling detection system for defending against network attacks according to the present invention.

The technical content of the present invention is described below by way of specific embodiments. Those skilled in the art can readily understand the other advantages and effects of the present invention from the content disclosed in this specification, and the invention may also be carried out or applied by way of other, different embodiments.

Referring to Fig. 1, which is a system architecture diagram of the sampling detection system 1 for defending against network attacks according to the present invention, the system mainly defends against network attacks such as DDoS. As shown in the figure, the system is deployed on the server side of an ISP and has a control device 10 (such as a router or an intrusion prevention system), a server group (DNS server farm) 12 made up of a plurality of servers 122, 124 and 126, and a judging device 14. Note that the number of servers is only illustrative, and that the servers are DNS servers or DNSSEC servers.

As shown in Fig. 1, the control device 10 receives a plurality of query packets, such as DNS or DNSSEC queries; at least one of these query packets is forwarded to the server that has the detection module, and the remaining query packets are forwarded to servers without a detection module (described in detail below).

Furthermore, at least one server 122 in the server group 12 has a detection module 1225, and the server 122 receives the at least one query packet from the control device 10. Note that the position and number of the detection modules are only illustrative and are not limiting.

Next, the detection module 1225 that receives the at least one query packet performs sampling detection on it and analyses it to judge whether it is a suspicious query packet, thereby obtaining suspicious query packet information. Specifically, the detection module 1225 uses an in-house script to perform sampling detection on the at least one query packet at a specific time; that is, the detection module 1225 does not inspect every query packet. Instead, the script starts the detection module 1225 at the specific time so that server 122 performs detection as a side task while the other servers 124 and 126 continue their normal operation. The specific time can be set according to actual conditions.

In this embodiment, the detection performed by the detection module 1225 mainly consists of analysing whether a large number of the sampled query packets come from the same or similar network addresses, or whether a large number of them query the same or similar domain names, in order to judge whether a query packet is a suspicious query packet and to obtain suspicious query packet information consisting of traffic features such as source addresses or domain names.

Next, the judging device 14 receives the suspicious query packet information from the server 122 and analyses it to judge whether the at least one query packet is a malicious query packet, thereby obtaining malicious query packet information. Specifically, the judging device 14 analyses the query traffic of the above source address or domain name to judge whether that query traffic is too high, and hence whether the at least one query packet is a malicious query packet, obtaining malicious query packet information such as a source address or domain name. The judging device 14 may also analyse whether the impact of that query traffic on the load of server 122 is too high, and judge on that basis whether the query packet is a malicious query packet, obtaining malicious query packet information consisting of traffic features such as source addresses or domain names.

In this embodiment, the judging device 14 can analyse whether the query traffic for the above domain name (or its feature value) within a unit time period exceeds a preset traffic threshold, to judge whether the at least one query packet is a malicious query packet. Note that the traffic threshold must take into account the normal query volume of the individual domain: if the domain name (or its feature value) corresponds to an obscure personal website, more than 10 queries per second can be regarded as abnormal traffic, whereas for a popular domain name such as google.com, more than 100 queries per second is entirely normal. The judging device 14 may also base its judgement on the relative query volume (proportion) or the trend of change for the domain name (or its feature value) within the unit time period.

Next, the judging device 14 controls the malicious query packet information through the control device 10. Specifically, the judging device 14 provides the malicious query packet information to the control device 10 so that the control device's control list is updated immediately; the control device 10 can then filter and control in real time on the basis of that malicious query packet information (traffic features such as source addresses or domain names). In other words, the servers provide normal query service for normal query packets, while malicious query packets are filtered by the control device.
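The three stages just described (detection module on the sampled server, judging device with per-domain thresholds, control list for the control device), as an added worked example that is not code from the patent or from Chunghwa Telecom. The sample window, the 10 qps default and 100 qps google.com baselines (taken from the page's illustration), the per-source baseline, the server capacity and the share limits are all constructed assumptions.

```python
from collections import Counter

# Constructed sample: one 10 s sampling window as the sampled DNS server
# would see it, as (second, source address, queried name). Made-up data.
WINDOW_SECONDS = 10
SAMPLE_WINDOW = (
    # one source hammering an obscure name at 15 queries per second
    [(s, "203.0.113.9", "tiny-blog.test") for s in range(WINDOW_SECONDS) for _ in range(15)]
    # a popular name queried by 20 different clients, 80 queries per second in total
    + [(s, f"198.51.100.{i % 20}", "google.com") for s in range(WINDOW_SECONDS) for i in range(80)]
    # background traffic from three clients
    + [(s, f"192.0.2.{i}", "example.org") for s in range(WINDOW_SECONDS) for i in range(3)]
)

# Normal query volume per domain (queries per second); names not listed fall
# back to DEFAULT_BASELINE_QPS. Figures follow the page's illustration: an
# obscure site above 10 qps is abnormal, google.com above 100 qps is not.
DOMAIN_BASELINE_QPS = {"google.com": 100.0}
DEFAULT_BASELINE_QPS = 10.0
SOURCE_BASELINE_QPS = 10.0    # assumption: normal rate for a single source address
SERVER_CAPACITY_QPS = 500.0   # assumption: what the sampled server can serve
LOAD_SHARE_LIMIT = 0.5        # assumption: one feature may not take >50% of capacity


def count_features(window):
    """Count queries per source address and per queried name in the window."""
    counts = Counter()
    for _second, src, qname in window:
        counts[("src", src)] += 1
        counts[("qname", qname.lower().rstrip("."))] += 1
    return counts


def detect_suspicious(window, share_threshold=0.10):
    """Detection module: a feature (same source, or same name) that accounts
    for a large share of the sampled window is reported as suspicious.
    Returns {feature: query count}."""
    total = len(window)
    if total == 0:
        return {}
    counts = count_features(window)
    return {f: n for f, n in counts.items() if n / total >= share_threshold}


def judge(suspicious, window_seconds=WINDOW_SECONDS):
    """Judging device: a suspicious feature is malicious when its query rate
    exceeds that feature's own baseline (so a busy google.com is not a false
    positive), or when it alone would consume too much of the server's
    capacity. Returns {feature: reason}."""
    malicious = {}
    for (kind, value), n in suspicious.items():
        qps = n / window_seconds
        if kind == "qname":
            baseline = DOMAIN_BASELINE_QPS.get(value, DEFAULT_BASELINE_QPS)
        else:
            baseline = SOURCE_BASELINE_QPS
        load_share = qps / SERVER_CAPACITY_QPS
        if qps > baseline:
            malicious[(kind, value)] = f"{qps:.1f} qps exceeds baseline {baseline:.1f} qps"
        elif load_share > LOAD_SHARE_LIMIT:
            malicious[(kind, value)] = f"{qps:.1f} qps is {load_share:.0%} of server capacity"
    return malicious


def control_list(malicious):
    """Entries handed to the control device (router / IPS) as 'kind:value'."""
    return sorted(f"{kind}:{value}" for kind, value in malicious)


def run(window=SAMPLE_WINDOW):
    """Full pipeline: sampled window -> suspicious -> malicious -> control list."""
    suspicious = detect_suspicious(window)
    malicious = judge(suspicious)
    return suspicious, malicious, control_list(malicious)


if __name__ == "__main__":
    _suspicious, found, blocked = run()
    for feature, reason in found.items():
        print(feature, "->", reason)
    print("control list:", blocked)
```

With the constructed window, google.com is flagged as suspicious by the share rule (it is 800 of 980 queries) but cleared by the judging device because 80 qps is below its 100 qps baseline, while the single source querying the obscure name at 15 qps ends up on the control list.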

Fig. 2 is a flow chart of the steps of the sampling detection method for defending against network attacks according to the present invention, which comprises the following steps. In step S20, the control device receives a plurality of query packets; the method then proceeds to step S22.

In step S22, at least one server of the server group performs sampling detection on at least one of the plurality of query packets and analyses it to obtain suspicious query packet information; the method then proceeds to step S24.

In this embodiment, the server has a detection module that uses a script to perform sampling detection on the at least one query packet at a specific time. The detection module analyses the source address or domain name of the at least one query packet to obtain the suspicious query packet information.

In step S24, the judging device analyses the suspicious query packet information to obtain malicious query packet information; the method then proceeds to step S26.

In this embodiment, the judging device analyses the query traffic of the source address or domain name to obtain the malicious query packet information. The judging device also analyses the impact of that query traffic on the server's load to obtain the malicious query packet information.

In step S26, the control device controls the malicious query packet information.

Referring to Fig. 3, which is another system architecture diagram of the sampling detection system 3 for defending against network attacks according to the present invention: the main difference between Fig. 3 and Fig. 1 is that the control devices 10 and 30 further have integration modules 102 and 302 which, after the malicious query packet information has been obtained, receive other malicious query packet information from other judging devices, so that the control device controls both the malicious query packet information and the other malicious query packet information. In other words, besides the control list provided by judging device 14, control device 10 can also receive the control list provided by another judging device (such as judging device 34) and merge those lists to update its own control list immediately. In detail, because sampling detection systems may be deployed in different regions, the differences between the query packets of those regions are taken into account by obtaining a control list for each region and merging them into a single control list that can respond to network attacks over a wider area.

In summary, the sampling detection system and method for defending against network attacks of the present invention exploit the load-balancing property of the servers, select at least one server by sampling to perform sampling detection, and exercise control by judging suspicious query packets and malicious query packets. The invention therefore not only lowers the operating load of the system and improves detection efficiency, but also reduces the risk of false judgements and offers better system scalability. At the same time, the sampling detection system and method of the present invention can analyse source addresses or domain names as well as query traffic or load impact, so that more, and more diverse, objects and items can be analysed in less time.

In addition, the sampling detection system and method for defending against network attacks of the present invention are compatible with different protocols (such as IPv4, IPv6 and/or DNS, DNSSEC) and have the advantages of lower cost and better system scalability.

The above embodiments merely illustrate the principles and effects of the present invention and are not intended to limit it. Anyone skilled in the art may modify the above embodiments without departing from the spirit and scope of the invention. The scope of protection of the present invention is therefore as set out in the claims below.

Claims (12)

1. A sampling detection system for defending against network attacks, comprising: a control device for receiving a plurality of query packets; a plurality of servers, at least one of which has a detection module, wherein the server having the detection module receives at least one of the plurality of query packets from the control device so that the detection module performs sampling detection on the at least one query packet and analyses it to obtain suspicious query packet information; and a judging device for receiving the suspicious query packet information from the server, analysing it to obtain malicious query packet information, and controlling the malicious query packet information through the control device.

2. The sampling detection system of claim 1, wherein the plurality of servers are DNS servers or DNSSEC servers.

3. The sampling detection system of claim 1, wherein the detection module analyses the source address or domain name of the at least one query packet to obtain the suspicious query packet information.

4. The sampling detection system of claim 3, wherein the judging device analyses the query traffic of the source address or domain name to obtain the malicious query packet information.

5. The sampling detection system of claim 4, wherein the judging device analyses the impact of the query traffic on the server's load to obtain the malicious query packet information.

6. The sampling detection system of claim 1, wherein the control device further comprises an integration module for receiving other malicious query packet information from other judging devices, so that the control device controls both the malicious query packet information and the other malicious query packet information.

7. A sampling detection method for defending against network attacks, comprising the steps of: receiving a plurality of query packets; performing sampling detection on at least one of the plurality of query packets and analysing it to obtain suspicious query packet information; analysing the suspicious query packet information to obtain malicious query packet information; and controlling the malicious query packet information.

8. The sampling detection method of claim 7, wherein in the step of performing sampling detection on the at least one query packet, a script is used to perform the sampling detection at a specific time.

9. The sampling detection method of claim 7, wherein in the step of analysing the at least one query packet to obtain suspicious query packet information, the source address or domain name of the at least one query packet is analysed to obtain the suspicious query packet information.

10. The sampling detection method of claim 9, wherein in the step of analysing the suspicious query packet information to obtain malicious query packet information, the query traffic of the source address or domain name is analysed to obtain the malicious query packet information.

11. The sampling detection method of claim 10, wherein the impact of the query traffic on the server's load is analysed to obtain the malicious query packet information.

12. The sampling detection method of claim 7, wherein after the step of analysing the suspicious query packet information to obtain malicious query packet information, other malicious query packet information is further received, and the malicious query packet information and the other malicious query packet information are controlled.
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW102115390A TW201441861A (en) 2013-04-30 2013-04-30 Network attack-proof sampling detection system and method

Publications (1)

Publication Number Publication Date
TW201441861A true TW201441861A (en) 2014-11-01

Family

ID=52422926

Country Status (1)

Country Link
TW (1) TW201441861A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205105A (en) * 2020-09-01 2022-03-18 威联通科技股份有限公司 Network malicious behavior detection method and switching system using same
