TWI489826B - Method for ddos detection based on flow motion model - Google Patents
Method for ddos detection based on flow motion model
- Publication number: TWI489826B
- Authority: TW (Taiwan)
- Prior art keywords: score, new packet, packet, traffic, pass
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Description
The present invention is a method for detecting distributed denial of service by packet header inspection based on flow statistics.
In general, a Denial of Service attack is one in which an attacker attempts to prevent legitimate users from accessing a given service on the network: a flood of traffic is used to paralyse network traffic, thereby severing the connection between two hosts and leaving a particular network service unavailable to users.
Denial of service attacks can be broadly divided into three types. The first is "consumption of scarce resources", the second is "destruction or alteration of system or network configuration", and the third is "physical destruction or alteration of network components". Please refer to FIG. 1, which is a schematic diagram of a conventional botnet. A distributed denial of service attack (commonly abbreviated DDoS or DoS, Distributed Denial of Service) follows the first type of attack: the attacker, through a computer host 91, first assembles a large number of users whose machines have been implanted with code into a botnet 9 so as to achieve far greater damage, and then uses many computer hosts spread across different network domains to send packets with forged source addresses in order to block the network computer hosts 92, 93, 94, 95 on which the users reside. The performance of the normal connection rate then drops sharply, so that users can no longer be served normally, as shown in FIG. 1.
A DDoS attack uses many hosts on the network to launch DoS-like attacks at the same time, so the victim host faces hundreds of attacks from hosts in different network domains simultaneously. As with DoS, the aim of such an attack is not to steal data from the victim host but to achieve the blocking effect by sending, all at once, packets far exceeding the network's load or the maximum number of connections the victim host can allow.
In addition, DDoS attacks are characterised by being easy to launch at large scale and difficult to defend against and trace, because the attacker usually hides his physical location; even if the attack is traced back, at most one reaches a computer host within the botnet.
When a user's computer is attacked, an intrusion detection program can respond and raise an alert in time and take appropriate countermeasures against unauthorized or abusive attack programs. General intrusion detection can be roughly divided into two classes, "misuse detection" and "anomaly detection". The system first constructs templates of a positive list and a negative list, and then uses them to analyse whether the target shows any sign of an intrusion attack or whether any event violating the security policy has occurred, as the decisive consideration for its judgement.
"Misuse detection" addresses the case where an attacker knows a weakness or flaw in the user's host system or its programs and deliberately attacks that weakness. This type of defence uses known attacks to build attack behaviour patterns, which are stored in an attack database. If the result of a comparison resembles an established attack pattern, the system is judged to be possibly under intrusion attack. This blacklist-like comparison only checks each distinct attack method that has been further defined by a range; only what falls within that interval is regarded as abnormal behaviour. The drawback of this approach is that it has no ability to learn: the negative list covers only the attack methods currently known, and if a future attack technique is not in the list, the system will collapse.
"Anomaly detection" is the counterpart of the above and takes an indirect design: instead of defining template behaviours for the various intrusion attacks, it defines the normal user pattern. This approach is more reasonable and also performs better in data collection; it only needs to capture normal features for comparison, and as soon as something appears that does not match the normal user pattern, abnormal behaviour is determined. Its advantage is that the system administrator need not frequently update the intrusion attack behaviour patterns, which effectively lowers cost; this is usually called a positive list.
All of the above methods have some degree of FPR (False Positive Rate) and FNR (False Negative Rate), which vary with the template threshold chosen. How to obtain an intermediate value that reduces both kinds of misjudgement, so that the best trade-off between the two is achieved, is therefore the main problem the present invention seeks to solve.
The object of the present invention is to provide a method for detecting distributed denial of service by packet header inspection based on flow statistics, so as to solve the above problem.
The present invention discloses a method for detecting distributed denial of service by packet header inspection based on flow statistics. A data model database holding a blacklist data model and a whitelist data model is established first, and the method comprises: when a new packet arrives, calculating an upper limit value using the flow motion model; comparing whether the flow of the new packet at that moment exceeds the upper limit value; if it exceeds the upper limit value, calculating a first score; comparing whether the first score exceeds the pass score of the blacklist; if it exceeds the pass score of the blacklist, blocking the new packet; updating the pass score of the blacklist; and updating the upper limit value.
Furthermore, in the method of the present invention, after comparing the first score the method further comprises: if the first score is below the pass score of the blacklist, calculating a second score; and if the second score is below the pass score of the whitelist, blocking the new packet.
Furthermore, after comparing the flow of the new packet at that moment, the method further comprises: if the flow is below the upper limit value, calculating a third score; comparing whether the third score exceeds the pass score of the whitelist; if it exceeds the pass score of the whitelist, not blocking the new packet; and updating the pass score of the whitelist.
Furthermore, after comparing the third score, the method further comprises: if the third score is below the pass score of the whitelist, calculating a fourth score; and if the fourth score exceeds the pass score of the blacklist, blocking the new packet.
It should first be noted that, although certain specific terms are used throughout this specification (including the claims) to refer to particular elements, a person having ordinary skill in the art will understand that some manufacturers may refer to the same element by different names. Therefore, in reading this specification (including the claims), differences in name should not be used to distinguish elements; differences in function should be the criterion. In addition, the words "comprising" and "having" used throughout this specification are open-ended terms and should be interpreted as "including but not limited to".
An embodiment of the present invention is a method for detecting distributed denial of service by packet header inspection based on flow statistics. The method first needs to establish a database. That is, whenever a packet arrives, it is compared with the upper limit value (threshold) calculated by the flow motion model at the current point in time. If the flow at that moment is greater than the threshold, the packet's header information (including the packet's time to live, packet size, protocol, source address, port, and so on) is stored in the blacklist data model; conversely, if the current flow is below the upper limit value, the packet attributes are stored in the whitelist data model.
Next, please refer to FIG. 2, which is a flow chart of the method according to an embodiment of the present invention.
Once the blacklist data model and whitelist data model database have been established, detection of the new packet at the next point in time begins.
When a new packet arrives (S1), it is compared (S3) with the upper limit value (S2) calculated by the flow motion model at the current point in time. If the flow at that moment is greater than the upper limit value and the calculated packet score (S4) is also higher than the pass score calculated from the blacklist, the new packet is blocked (S5). Otherwise, if the score is below the pass score, the packet is compared once more against the whitelist data model; if the score calculated at this step (S6) is indeed higher than the whitelist's pass score, the packet is provisionally not blocked, but if the score is also below the whitelist's pass score, the new packet is dropped directly (S7). Then, whenever a new packet has been blocked, the blacklist pass score database is updated (S8). Finally, the upper limit value is updated (S9).
Conversely, as long as the new packet does not exceed the upper limit value, the new packet's calculated score (S10) is compared directly with the pass score calculated from the whitelist. If it is higher than the whitelist's pass score, the packet is a normal packet (S11); if instead it is below the pass score, it is compared once more against the blacklist (S12), and if it is also higher than the blacklist's score the new packet is blocked (S13); otherwise the new packet is kept. Then the whitelist pass score database is updated (S14). Finally, the upper limit value is updated (S9).
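The decision flow S1 to S14 above, as an added worked example that is not code from the patent. The page gives neither the P_L/P_H score formulas nor the pass score rule, so both are assumptions here (mean relative frequency of the packet's attribute values in a list's data model, and the mean score of the packets stored in that model); the packet data, the flow values and the upper limit are constructed.

```python
from collections import Counter

# Header fields the description stores in the data models
# (time to live, packet size, protocol, source address, port).
ATTRS = ("ttl", "size", "proto", "src", "port")


class ListModel:
    """Blacklist or whitelist data model: per-attribute value frequencies.

    The page gives no P_L / P_H formula, so the score is ASSUMED: the mean,
    over the n attributes, of the relative frequency with which the packet's
    value of that attribute occurs in the model. The pass score is ASSUMED
    to be the mean score of the packets the model has stored.
    """

    def __init__(self):
        self.counts = {a: Counter() for a in ATTRS}
        self.packets = []
        self.pass_score = 0.0

    def score(self, pkt):
        if not self.packets:
            return 0.0
        n = len(self.packets)
        return sum(self.counts[a][pkt[a]] / n for a in ATTRS) / len(ATTRS)

    def learn(self, pkt):
        """Store a packet and refresh the pass score (steps S8 / S14)."""
        self.packets.append(pkt)
        for a in ATTRS:
            self.counts[a][pkt[a]] += 1
        self.pass_score = sum(self.score(p) for p in self.packets) / len(self.packets)


def decide(pkt, flow, upper, black, white):
    """Steps S3-S14 for one new packet (S1): return (verdict, step reached).

    `flow` is the current traffic level and `upper` the limit from the
    flow motion model (S2); both are supplied by the caller.
    """
    if flow > upper:                                   # S3: high-flow branch
        if black.score(pkt) > black.pass_score:        # S4
            black.learn(pkt)                           # S8
            return "block", "S5"
        if white.score(pkt) < white.pass_score:        # S6
            black.learn(pkt)                           # S8
            return "block", "S7"
        return "allow", "S6"                           # provisionally kept
    if white.score(pkt) > white.pass_score:            # S10
        white.learn(pkt)                               # S14
        return "allow", "S11"
    if black.score(pkt) > black.pass_score:            # S12
        return "block", "S13"
    white.learn(pkt)                                   # S14
    return "allow", "S12"                              # below both lists: kept


def pkt(ttl, size, proto, src, port):
    return dict(zip(ATTRS, (ttl, size, proto, src, port)))


def build_models():
    """Constructed sample data: four normal and four attack-time packets."""
    white, black = ListModel(), ListModel()
    for p in (pkt(64, 512, "TCP", "10.0.0.1", 443), pkt(64, 512, "TCP", "10.0.0.1", 443),
              pkt(64, 512, "TCP", "10.0.0.2", 443), pkt(64, 520, "TCP", "10.0.0.3", 443)):
        white.learn(p)
    for p in (pkt(128, 60, "UDP", "198.51.100.1", 53), pkt(128, 60, "UDP", "198.51.100.1", 53),
              pkt(128, 60, "UDP", "198.51.100.1", 53), pkt(128, 60, "UDP", "198.51.100.2", 53)):
        black.learn(p)
    return black, white


if __name__ == "__main__":
    black, white = build_models()
    # constructed flow of 1500 against an assumed upper limit of 1000 (same unit)
    print(decide(pkt(128, 60, "UDP", "198.51.100.1", 53), 1500.0, 1000.0, black, white))
```

A packet that matches neither list (the last case in the test) is kept, which is the gap the description accepts in exchange for a clean whitelist.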
The process of building the database is described again below. In this embodiment the size of the flow is used as the distinguishing feature (namely the upper limit value mentioned above) to split the stored packet information into two databases: one is called the whitelist data model and holds the distribution of packets under normal conditions; the other is called the blacklist data model and holds the packet information recorded after an attack has occurred.
The main purpose of the present invention is to obtain a clean database so as to avoid FPR (False Positive Rate). But how to define the server's load upper limit is a major difficulty, because different servers have different processing capacities and traffic also varies between peak and off-peak periods. If a fixed flow cap is simply defined to separate the whitelist and blacklist data models, the ability to adapt to changes in the network is lost and the judgement will be heavily biased. If the upper limit is set too high, too much data is collected into the whitelist data model; in other words, some malicious packets will still end up in the whitelist data model, which does not achieve the goal of improving the system. Conversely, if the upper limit is set too low, too many normal packets are recorded in the blacklist data model, which also produces a bias, so that misjudgements persist.
Next, the way the flow motion model of the present invention is built is explained further. The present invention proposes a time series model to simulate changes in network traffic, and then computes a confidence interval to define a suitable flow upper limit value, as detailed below.
The standard procedure for building the model follows these four steps:
1. Roughly observe the actual packet data to describe and qualitatively analyse the flow time series.
2. Build a list of candidate models.
3. Estimate the parameters (for example, the drift term) by time series analysis.
4. Compare the predictions and select the most appropriate model.
After consulting actual traffic data, network traffic is found to have two characteristics:
1. Variations fluctuate around an average level.
2. At the same time, the demand for traffic differs in magnitude depending on the time period.
Based on the four-step standard procedure and the two characteristics above, the present invention proposes a very intuitive flow motion model. After a series of derivations and using historical data, the parameters of the following formula can be computed, and the dynamic process is observed as: $dX = \alpha (m - X_t)\,dt + \sigma\, dZ_t$
where $X$ is the flow, $\alpha$ is the speed at which the flow reverts after leaving the mean, $m$ is the mean flow, $\sigma$ is the instantaneous volatility of the network flow, and $dZ_t$ is Brownian motion with $dZ_t \sim N(0, dt)$. Three parameters have to be calculated: the reversion speed, the mean flow and the variance.
In detail, using past historical data, the current change in network flow can be calculated. It follows that the network flow formula defined above is learning the current network changes at all times: because the most recent and newest data are used to compute new parameters, the formula changes over time, which yields higher accuracy.
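Fitting the flow motion model to a traffic history and turning it into an upper limit value (S2), as an added example that is not the patent's code. The page does not say how the parameters or the confidence interval are computed, so the least-squares Euler fit, the 95% interval (z = 1.96) and the refit window are assumptions, and the traffic history is constructed by simulating the same process.

```python
import math
import random


def fit_flow_motion(series, dt=1.0):
    """Estimate (alpha, m, sigma) of dX = alpha (m - X_t) dt + sigma dZ_t
    from equally spaced flow samples.

    ASSUMED method (the page only says the parameters come from historical
    data): Euler discretisation X_{t+dt} = a + b X_t + e, with
    b = 1 - alpha dt and a = alpha m dt, fitted by ordinary least squares;
    sigma is the residual standard deviation rescaled by sqrt(dt).
    """
    x, y = series[:-1], series[1:]
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((xi - mx) ** 2 for xi in x)
    if sxx == 0.0:                      # flat history: no reversion, no noise
        return 0.0, mx, 0.0
    b = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y)) / sxx
    a = my - b * mx
    resid = [yi - (a + b * xi) for xi, yi in zip(x, y)]
    step_sd = math.sqrt(sum(r * r for r in resid) / max(n - 2, 1))
    alpha = (1.0 - b) / dt
    m = a / (1.0 - b) if abs(1.0 - b) > 1e-12 else my
    return alpha, m, step_sd / math.sqrt(dt)


def upper_limit(x_now, alpha, m, sigma, dt=1.0, z=1.96):
    """Upper end of the confidence interval for the next flow value.

    ASSUMED: one-step forecast x_now + alpha (m - x_now) dt plus z step
    standard deviations sigma sqrt(dt); z = 1.96 gives a 95% interval.
    """
    forecast = x_now + alpha * (m - x_now) * dt
    return forecast + z * sigma * math.sqrt(dt)


def simulate(alpha, m, sigma, x0, steps, dt=1.0, seed=1):
    """Constructed traffic history drawn from the same process (sample input)."""
    rng = random.Random(seed)
    xs = [x0]
    for _ in range(steps):
        x = xs[-1]
        xs.append(x + alpha * (m - x) * dt + sigma * math.sqrt(dt) * rng.gauss(0.0, 1.0))
    return xs


if __name__ == "__main__":
    history = simulate(0.5, 500.0, 20.0, 500.0, 400)   # constructed history
    window = 100                                        # refit on the newest samples only
    alpha, m, sigma = fit_flow_motion(history[-window:])
    print("alpha=%.3f m=%.1f sigma=%.1f" % (alpha, m, sigma))
    print("upper limit for next interval: %.1f" % upper_limit(history[-1], alpha, m, sigma))
```

Refitting on a sliding window of the newest samples is how the limit tracks peak and off-peak periods; a window that is too short makes alpha and sigma noisy, one that is too long reacts late to a shift in the mean.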
Finally, the packet score mentioned above is explained. In the embodiment of the present invention, the following simple formulas describe the packet score when a packet arrives under low flow and when it arrives under high flow, respectively.
The mathematical formula for a packet arriving under low flow is described as follows.
where $P_L$ is the score calculated for a packet arriving under low flow, $n$ is the total number of attributes, and $i$ is the index of the attribute.
The mathematical formula for a packet arriving under high flow is described as follows.
where $P_H$ is the score calculated for a packet arriving under high flow, $n$ is the total number of attributes, and $i$ is the index of the attribute.
In summary, in the method of the present invention for detecting distributed denial of service by packet header inspection based on flow statistics, when the server flow has exceeded the calculated upper limit value and the packet attributes carried by the packet entering the server at that moment score higher than the packet pass score set by the blacklist database, this means that the server frequently receives this type of packet under high flow conditions, so it is reasonable to suspect that the packet is part of a distributed denial of service attack. Conversely, if the packet arrived at a time when the flow was above the upper limit value but it does not match the blacklist database of packet attributes (that is, its score is below the pass score), this means the packet may be one sent by a normal user that merely happened to enter the server at the time of the malicious attack, and the packet can therefore be judged not to be malicious.
S1~S14: steps
FIG. 1 is a schematic diagram of a conventional botnet.
FIG. 2 is a flow chart of the method for detecting distributed denial of service by packet header inspection based on flow statistics according to an embodiment of the present invention.
Claims (6)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW102101373A TWI489826B (en) | 2013-01-14 | 2013-01-14 | Method for ddos detection based on flow motion model |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201429191A TW201429191A (en) | 2014-07-16 |
TWI489826B true TWI489826B (en) | 2015-06-21 |
Family ID: 51726237
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI489826B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI616771B (en) | 2016-04-25 | 2018-03-01 | Acer Inc. | Botnet detection system and method thereof |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060010389A1 (en) * | 2004-07-09 | 2006-01-12 | International Business Machines Corporation | Identifying a distributed denial of service (DDoS) attack within a network and defending against such an attack |
TW200949570A (en) * | 2008-05-23 | 2009-12-01 | Univ Nat Taiwan Science Tech | Method for filtering e-mail and mail filtering system thereof |
TW201141155A (en) * | 2010-05-14 | 2011-11-16 | Nat Univ Chin Yi Technology | Alliance type distributed network intrusion prevention system and method thereof |
- 2013-01-14: TW application TW102101373A, patent TWI489826B, status not active (IP Right Cessation)
Non-Patent Citations (1)
Title |
---|
蕭富方, "Design and Implementation of a Remote Server Monitoring and Management System", Journal of Computer Science Applications, National Pingtung University of Education, Vol. 3, No. 1, July 2007 * |
Also Published As
Publication number | Publication date |
---|---|
TW201429191A (en) | 2014-07-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
MM4A | Annulment or lapse of patent due to non-payment of fees |