TWI711284B - Method for processing a distributed denial-of-service attack - Google Patents

Method for processing a distributed denial-of-service attack

Info

Publication number
TWI711284B
Authority
TW (Taiwan)
Application number
TW108123845A
Other languages
Chinese (zh)
Other versions
TW202103476A
Inventor
鮑興國
Original Assignee
動力安全資訊股份有限公司
Priority
TW108123845A
Status
Granted (application filed by 動力安全資訊股份有限公司)
Publications
TWI711284B, TW202103476A

Abstract

A method for processing a distributed denial-of-service attack comprises: receiving a plurality of packets sent by an external requesting terminal during a time interval; detecting a plurality of request times of the packets; inputting the request times respectively into a machine learning model to generate a plurality of model output times; calculating a plurality of time error percentages between the model output times and the request times; determining whether the time error percentages continue to rise, and whether the time error percentage corresponding to the latest packet in the time interval is greater than a threshold interval; and, when the time error percentages continue to rise and the time error percentage of the latest packet is greater than the threshold interval, determining that the external requesting terminal is carrying out the distributed denial-of-service attack and performing a defense process against it.

Description

Method for processing a distributed denial-of-service attack

The present invention relates to a method for handling network attacks, and in particular to a method for processing a distributed denial-of-service attack.

With the rapid development of computer networks, website platforms have become an important channel through which enterprises manage their brands and earn e-commerce revenue. If a network platform is attacked by hackers and can no longer provide its services, the resulting losses are hard to estimate.

A distributed denial-of-service attack (DDoS attack) is currently one of the most prevalent network attacks against network platforms. In a DDoS attack, one or more computers on the network simultaneously send many packets to the network platform host, so that the packet traffic the website platform host receives at any one moment far exceeds the bandwidth of the network platform host, thereby denying the services the network platform provides. At present, the website platform host defends against DDoS attacks mainly by monitoring packet traffic: when the traffic of packets sent by an external requesting end to the website platform host exceeds the bandwidth of the network platform host, the external requesting end is treated as carrying out a DDoS attack and is blocked. However, judging whether an external requesting end is carrying out a DDoS attack solely on the basis of packet traffic still has many loopholes: not only does it fail to block malicious users effectively, it also blocks well-intentioned users.

In view of this, there is a practical need for an improved method for processing a distributed denial-of-service attack that can at least remedy the above shortcomings.

The present invention provides a method for processing a distributed denial-of-service attack that ensures the network platform can keep providing network services and improves the accuracy of judging whether the network platform is under a distributed denial-of-service attack.

According to an embodiment of the present invention, a method for processing a distributed denial-of-service attack comprises: receiving, through a network interface, a plurality of packets sent by an external requesting end during a time interval; detecting, with a processor, a plurality of processing times taken by a website platform host for the packets; inputting the processing times respectively into a machine learning model to generate a plurality of model output times; calculating, with the processor, a plurality of time error percentages between the model output times and the processing times, the time error percentages having a time error trend within the time interval; determining, with the processor, whether the time error trend is continuously rising and, if it is, further determining with the processor whether the time error percentage corresponding to the latest packet in the time interval is greater than a threshold interval; and, when the time error percentage corresponding to the latest packet is greater than the threshold interval, the processor determining that the external requesting end is carrying out a distributed denial-of-service attack on the website platform host and executing a defense procedure against the external requesting end after the time interval.

According to another embodiment of the present invention, a method for processing a distributed denial-of-service attack comprises: receiving, through a network interface, a plurality of packets sent by an external requesting end during a time interval; detecting, with a processor, a plurality of processing times taken by a website platform host for the packets; inputting the processing times of the packets respectively into a machine learning model to generate a plurality of model output times; inputting a plurality of actual traffic values of the packets respectively into the machine learning model to generate a plurality of model output traffic values; calculating, with the processor, a plurality of time error percentages between the model output times and the processing times, the time error percentages having a time error trend within the time interval; calculating, with the processor, a plurality of traffic error percentages between the model output traffic values and the actual traffic values, the traffic error percentages having a traffic error trend within the time interval; determining, with the processor, whether the time error trend and the traffic error trend are both continuously rising and, if both are, further determining with the processor whether the time error percentage and the traffic error percentage corresponding to the latest packet in the time interval are both greater than a threshold interval; and, when the time error percentage and the traffic error percentage corresponding to the latest packet are both greater than the threshold interval, the processor determining that the external requesting end is carrying out a distributed denial-of-service attack on the website platform host and executing a defense procedure against the external requesting end after the time interval.

Because a malicious external requesting end may use multiple virtual IP addresses to attempt and fail to log in to the website platform host many times, it can paralyze the website platform host even though the traffic of each failed login is small. In the embodiments of the distributed denial-of-service attack processing method disclosed above, the basis for judging whether a network platform is under a distributed denial-of-service attack is not only network traffic but also the website platform host's processing time for each packet, so the attack described above can be blocked effectively. In addition, network traffic often rises sharply before certain holidays without any malicious attack taking place. Using processing time together with network traffic as the basis for judging a distributed denial-of-service attack avoids blocking well-intentioned external requesting ends. In this way, the network platform can keep providing network services, and the accuracy of judging whether the website platform host is under a distributed denial-of-service attack improves.

The above description of the summary of the invention and the following description of the embodiments serve to demonstrate and explain the spirit and principles of the present invention, and provide a further explanation of the claims of the present invention.

100: distributed denial-of-service attack processing system

10: network interface

12: processor

14: memory

16: machine learning model

E: external requesting end

S: website platform host

FIG. 1 is a functional block diagram of a distributed denial-of-service attack processing system according to the first embodiment of the present invention.

FIG. 2 is a flowchart of a method for processing a distributed denial-of-service attack according to the first embodiment of the present invention.

FIG. 3 is a flowchart of a method for processing a distributed denial-of-service attack according to the second embodiment of the present invention.

FIG. 4 is a flowchart of a method for processing a distributed denial-of-service attack according to the third embodiment of the present invention.

FIGS. 5A and 5B are flowcharts of a method for processing a distributed denial-of-service attack according to the fourth embodiment of the present invention.

FIGS. 6A and 6B are flowcharts of a method for processing a distributed denial-of-service attack according to the fifth embodiment of the present invention.

FIGS. 7A and 7B are flowcharts of a method for processing a distributed denial-of-service attack according to the sixth embodiment of the present invention.

The detailed features and advantages of the present invention are described in the following embodiments in enough detail for anyone skilled in the relevant art to understand its technical content and practice it, and anyone skilled in the relevant art can readily understand the objects and advantages of the present invention from the content disclosed in this specification, the claims and the drawings. The following embodiments further illustrate the ideas of the present invention in detail but do not limit its scope in any respect.

FIG. 1 is a functional block diagram of the distributed denial-of-service attack processing system according to the first embodiment of the present invention. As shown in FIG. 1, the distributed denial-of-service (hereinafter DDoS) attack processing system 100 sits on the network connection between the external requesting end E and the network platform host S, and is a dedicated device for judging whether the website platform host S that manages a website is under a DDoS attack. The DDoS attack processing system 100 comprises a network interface 10, a processor 12 and a memory 14, the processor 12 being electrically connected to the network interface 10 and the memory 14. When the external requesting end E continuously sends packets to the network platform host S over the network, the packets are first received and analyzed by the DDoS attack processing system 100, which then forwards them to the website platform host S. The description below uses one external requesting end E and one website platform host S as an example; it will be understood that the DDoS attack processing system and processing method of the present invention also apply to multiple external requesting ends E and multiple website platform hosts S.

As shown in FIG. 1, the network interface 10 comprises, for example, an interconnection point between a user terminal and a private or public network, a network card in a computer host, an interconnection point between a public switched telephone network and a private terminal, or an interconnection point between two networks. The processor 12 comprises, for example, a general-purpose processor, a digital signal processor (DSP), a plurality of microprocessors, one or more microprocessors associated with a DSP core, a controller, a microcontroller, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) circuit or a complex programmable logic device (CPLD). The memory 14 comprises, for example, random access memory (RAM), read-only memory (ROM) or a hard disk. In this embodiment the network interface 10 is a network card, the processor 12 is a general-purpose processor and the memory 14 is RAM. The network interface 10 receives the packets sent by the external requesting end E. The processor 12 detects the website platform host S's processing time for each packet and the actual traffic of each packet, and stores the processing times and the actual traffic data in the memory 14. The memory 14 stores a machine learning model 16, which receives the processing time and actual traffic data of each packet. The machine learning model 16 comprises, for example, an autoencoder neural network, neuro-linguistic programming, a fuzzy logic model, a hidden Markov model, a decision tree, a Bayesian algorithm, a conditional random field or a support vector machine. In this embodiment the machine learning model 16 is an autoencoder neural network.

Before an autoencoder is put into actual use, it must first be trained on multiple training records collected over a predetermined period, and the collected training data must have been verified to consist of packets sent by normal network behavior. In addition, the attributes of the selected training data must be sufficiently representative and mutually correlated for an accurate model of packets sent by normal network behavior to be built; such attributes include, for example, the packets sent in the week before a consecutive holiday, the packets sent in the first week of each month, the packets sent in the last week of each month, and the packets sent on every Friday. After the autoencoder has been trained on the selected training data, it is tested with new data, different from the training data, that belongs to normal network behavior; if the error percentage between the autoencoder's output and its input is less than the preset threshold interval (for example 1%~2%), the autoencoder has been trained successfully.

FIG. 2 is a flowchart of the method for processing a DDoS attack according to the first embodiment of the present invention. As shown in FIG. 2, in step S201 the network interface 10 receives a plurality of packets sent continuously by the external requesting end E to the website platform host S during a time interval; the time interval may be adjusted to suit the performance of the network interface 10. In step S202 the processor 12 detects a plurality of processing times (request times) taken by the website platform host S for the packets. In step S203 the processor 12 inputs the processing times respectively into the machine learning model 16 to generate a plurality of model output times; in this embodiment the machine learning model 16 is an autoencoder. In step S204 the processor 12 calculates a plurality of time errors between the model output times and the processing times. In step S205 the processor 12 divides each time error by the corresponding processing time to obtain a plurality of time error percentages, which have a time error trend within the time interval. In step S206 the processor 12 determines whether the time error trend is continuously rising; if it is not, the method proceeds to step S207, and if it is, to step S208. In step S207 the processor 12 determines that the external requesting end E is behaving normally toward the website platform host S and allows it to send packets to the website platform host S. In step S208 the processor further determines whether the time error percentage corresponding to the latest packet in the time interval is greater than a threshold interval, the threshold interval being, for example, between 1% and 2%; if it is not greater, the method proceeds to step S209, and if it is greater, to step S210. In step S209 the processor 12 determines that the external requesting end E is behaving normally toward the website platform host S and allows it to send packets to the website platform host S. In step S210 the processor 12 determines that the external requesting end E is carrying out a DDoS attack on the website platform host S, and the method proceeds to step S211. In step S211 the processor 12 executes a defense procedure against the external requesting end E after the time interval, the defense procedure being to delay the response time of the website platform host S to the external requesting end E.

FIG. 3 is a flowchart of the method for processing a DDoS attack according to the second embodiment of the present invention. As shown in FIG. 3, the method of the second embodiment comprises steps S301 to S311, of which steps S301~S310 are the same as steps S201~S210 of the first embodiment; the difference is that in step S311 the defense procedure the processor 12 executes against the external requesting end E is replaced by having the website platform host S queue its processing of the external requesting end E behind that of the other external requesting ends. Specifically, if the website platform host S can tolerate at most 1000 external requesting ends logged in at the same time, an external requesting end that the processor 12 has judged to be carrying out a DDoS attack is placed behind those 1000 external requesting ends and is processed only after the website platform host S has finished processing them. If several external requesting ends are judged to be carrying out DDoS attacks, they are queued in the order in which they sent packets to the website platform host S.

FIG. 4 is a flowchart of the method for processing a DDoS attack according to the third embodiment of the present invention. As shown in FIG. 4, the method of the third embodiment comprises steps S401 to S411, of which steps S401~S410 are the same as steps S201~S210 of the first embodiment; the difference is that in step S411 the defense procedure the processor 12 executes against the external requesting end E is replaced by blocking the packets that the external requesting end E sends to the website platform host S after the time interval.

FIGS. 5A and 5B are flowcharts of the method for processing a DDoS attack according to the fourth embodiment of the present invention. As shown in FIG. 5A, in step S501 the network interface 10 receives a plurality of packets sent continuously by the external requesting end E to the website platform host S during a time interval, after which steps S502 and S503 are each performed. In step S502 the processor 12 detects a plurality of processing times taken by the website platform host S for the packets, and step S504 follows. In step S503 the processor 12 detects a plurality of actual traffic values of the packets, and step S505 follows. In step S504 the processor 12 inputs the processing times respectively into the machine learning model 16 to generate a plurality of model output times (in this embodiment the machine learning model 16 is an autoencoder), and step S506 follows. In step S505 the processor 12 inputs the actual traffic values respectively into the machine learning model 16 to generate a plurality of model output traffic values, and step S507 follows. In step S506 the processor 12 calculates a plurality of time errors between the model output times and the processing times, and step S508 follows. In step S507 the processor 12 calculates a plurality of traffic errors between the model output traffic values and the actual traffic values, and step S509 follows. In step S508 the processor 12 divides each time error by the corresponding processing time to obtain a plurality of time error percentages, which have a time error trend within the time interval, and step S510 follows. In step S509 the processor 12 divides each traffic error by the corresponding actual traffic value to obtain a plurality of traffic error percentages, which have a traffic error trend within the time interval, and step S510 follows.

As shown in FIG. 5B, in step S510 the processor 12 determines whether the time error trend and the traffic error trend are both continuously rising. If they are not both continuously rising (only one of them is, or neither is), the method proceeds to step S511; if both are, it proceeds to step S512. In step S511 the processor 12 determines that the external requesting end E is behaving normally toward the website platform host S and allows it to continue sending packets to the website platform host S.

In step S512 the processor further determines whether the time error percentage and the traffic error percentage corresponding to the latest packet in the time interval are both greater than a threshold interval, the threshold interval being, for example, between 1% and 2%. If they are not both greater than the threshold interval (only one of them is, or neither is), the method proceeds to step S513; if both are, it proceeds to step S514. In step S513 the processor 12 determines that the external requesting end E is behaving normally toward the website platform host S and allows it to continue sending packets to the website platform host S. In step S514 the processor 12 determines that the external requesting end E is carrying out a DDoS attack on the website platform host S, and the method proceeds to step S516. In step S516 the processor 12 executes a defense procedure against the external requesting end E after the time interval, the defense procedure being to delay the response time of the website platform host S to the external requesting end E.
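The decision logic of the first embodiment (FIG. 2, steps S201 to S211) and of the fourth embodiment (FIGS. 5A and 5B, where both the time and the traffic signal must agree), together with the training-acceptance check described for the autoencoder, as an added worked example in Python. This is not code from the patent or from the assignee. The page gives no architecture for machine learning model 16, so `BaselineModel` is an assumed stand-in whose output for every sample is the mean of verified-normal training data; it is further assumed that the error percentage uses the magnitude of the difference, that "continuously rising" means strictly increasing within the window, and that "greater than the threshold interval" means above the interval's upper bound (2% for 1%~2%). The processing times and traffic values are constructed sample data.

```python
from statistics import mean
from typing import List, Optional, Sequence


def error_percentages(observed: Sequence[float], model_out: Sequence[float]) -> List[float]:
    """Steps S204-S205 (and S506-S509): error = model output - observed value,
    divided by the observed value. Assumption: the magnitude is used, so a
    reconstruction above or below the observation counts the same."""
    if len(observed) != len(model_out):
        raise ValueError("observed and model output lengths differ")
    if any(o <= 0 for o in observed):
        raise ValueError("observed values must be positive to form a percentage")
    return [abs(m - o) / o * 100.0 for o, m in zip(observed, model_out)]


class BaselineModel:
    """Assumed stand-in for machine learning model 16: the page names an
    autoencoder but gives no architecture, so here the model output for each
    sample is the mean learned from verified-normal training data."""

    def __init__(self, training: Sequence[float]) -> None:
        if not training:
            raise ValueError("training data must not be empty")
        self.baseline = mean(training)

    def reconstruct(self, observed: Sequence[float]) -> List[float]:
        """One model output per observed value (steps S203 / S504 / S505)."""
        return [self.baseline for _ in observed]

    def passes_acceptance(self, holdout: Sequence[float], threshold_pct: float) -> bool:
        """Training-acceptance check from the page: on fresh normal data the
        output/input error percentage must stay below the threshold interval."""
        errors = error_percentages(holdout, self.reconstruct(holdout))
        return max(errors) < threshold_pct


def is_continuously_rising(errors: Sequence[float]) -> bool:
    """Step S206 / S510. Assumption: 'continuously rising' means every error
    percentage in the window is strictly greater than the one before it."""
    return len(errors) >= 2 and all(b > a for a, b in zip(errors, errors[1:]))


def signal_indicates_attack(errors: Sequence[float], threshold_upper_pct: float) -> bool:
    """Steps S206-S210 for one signal: the trend must rise AND the latest
    packet's error must exceed the threshold interval. Assumption: 'greater
    than the threshold interval' means above its upper bound."""
    return is_continuously_rising(errors) and errors[-1] > threshold_upper_pct


def classify_window(
    processing_times: Sequence[float],
    time_model: BaselineModel,
    threshold_upper_pct: float = 2.0,
    actual_traffic: Optional[Sequence[float]] = None,
    traffic_model: Optional[BaselineModel] = None,
) -> str:
    """Verdict for one time interval. With processing times only this is the
    first embodiment (FIG. 2); with traffic as well it is the fourth
    embodiment (FIGS. 5A/5B), where BOTH signals must indicate an attack."""
    time_errors = error_percentages(processing_times, time_model.reconstruct(processing_times))
    attack = signal_indicates_attack(time_errors, threshold_upper_pct)
    if actual_traffic is not None:
        if traffic_model is None:
            raise ValueError("traffic_model is required when actual_traffic is given")
        flow_errors = error_percentages(actual_traffic, traffic_model.reconstruct(actual_traffic))
        attack = attack and signal_indicates_attack(flow_errors, threshold_upper_pct)
    return "ddos" if attack else "normal"


# Constructed sample data (not from the page): host processing times in ms and
# per-packet traffic in bytes, all verified-normal, used as training data.
NORMAL_TIMES_MS = [10.0, 10.1, 9.9, 10.05, 9.95]           # mean 10.0
NORMAL_TRAFFIC_B = [1000.0, 1020.0, 980.0, 1010.0, 990.0]  # mean 1000.0

if __name__ == "__main__":
    time_model = BaselineModel(NORMAL_TIMES_MS)
    traffic_model = BaselineModel(NORMAL_TRAFFIC_B)
    print("model accepted:", time_model.passes_acceptance([10.1, 9.9, 10.15], 2.0))
    # Errors climb 0.99% -> 1.48% -> 1.96% -> 2.91%: rising, and the last one is above 2%.
    print("rising past threshold:", classify_window([10.1, 10.15, 10.2, 10.3], time_model))
    # Rising, but the latest error (1.48%) stays inside 1%~2%: treated as normal.
    print("rising within threshold:", classify_window([10.05, 10.1, 10.15], time_model))
    # Large but not rising errors: the trend test fails, so also normal.
    print("noisy, not rising:", classify_window([10.5, 10.4, 10.6], time_model))
    # Fourth embodiment: the time signal says attack, but flat traffic vetoes it.
    print("time only rising:", classify_window([10.1, 10.15, 10.2, 10.3], time_model,
                                                actual_traffic=[1000.0] * 4,
                                                traffic_model=traffic_model))
    print("both rising:", classify_window([10.1, 10.15, 10.2, 10.3], time_model,
                                           actual_traffic=[1010.0, 1015.0, 1020.0, 1030.0],
                                           traffic_model=traffic_model))
```

`classify_window` returns only the verdict; which defense procedure follows a "ddos" verdict (delayed response, queuing behind other requesting ends, or blocking) is the caller's choice, as in the different embodiments. The constructed windows show the two ways a requesting end stays "normal" under this logic: errors that rise but remain inside the threshold interval, and errors that are large but do not rise.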

FIGS. 6A and 6B are flowcharts of the method for processing a DDoS attack according to the fifth embodiment of the present invention. As shown in FIGS. 6A and 6B, the method of the fifth embodiment comprises steps S601 to S616, of which steps S601~S615 are the same as steps S501~S515 of the fourth embodiment; the difference is that in step S616 the defense procedure the processor 12 executes against the external requesting end E is replaced by having the website platform host S queue its processing of the external requesting end behind that of the other external requesting ends. Specifically, if the website platform host S can tolerate at most 1000 external requesting ends logged in at the same time, an external requesting end E that the processor 12 has judged to be carrying out a DDoS attack is placed behind those 1000 external requesting ends and is processed only after the website platform host S has finished processing them. If several external requesting ends are judged to be carrying out DDoS attacks, they are queued in the order in which they sent packets to the website platform host S.

FIGS. 7A and 7B are flowcharts of the method for processing a DDoS attack according to the sixth embodiment of the present invention. As shown in FIGS. 7A and 7B, the method of the sixth embodiment comprises steps S701 to S716, of which steps S701~S715 are the same as steps S501~S515 of the fifth embodiment; the difference is that in step S716 the defense procedure the processor 12 executes against the external requesting end E is replaced by blocking the packets that the external requesting end E sends to the website platform host S after the time interval.

In addition, in any of the embodiments above, once the processor 12 has determined that the external requesting end E is carrying out a DDoS attack, it may further add the network address of the external requesting end E to a blacklist database stored in the memory 14, to facilitate subsequent tracking and analysis.
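The three defense procedures (delaying the host's response in the first and fourth embodiments, queuing behind the other requesting ends in the second and fifth, blocking in the third and sixth) and the blacklist record described above, as an added Python example that is not part of the patent. `Requester`, `plan_defense`, `blacklist` and the delay value are assumptions; the addresses and arrival times are constructed. Queuing is modelled as an ordering that places every flagged requesting end after every unflagged one, each group in arrival order, which is what serving them only after the host has processed the other requesting ends amounts to; the 1000-login capacity of the host is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Requester:
    address: str            # network address of the external requesting end
    first_packet_at: float  # arrival time of its first packet in the interval
    flagged: bool           # verdict of the detection step: True = judged a DDoS source


def blacklist(requesters: Sequence[Requester],
              existing: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Blacklist database kept in memory 14: the address of every flagged
    requester with the time it was first recorded (an earlier entry for the
    same address is kept, so repeat offenders keep their first-seen time)."""
    table = dict(existing or {})
    for r in requesters:
        if r.flagged:
            table.setdefault(r.address, r.first_packet_at)
    return table


def plan_defense(requesters: Sequence[Requester], mode: str,
                 delay_s: float = 5.0) -> List[Tuple[str, float]]:
    """Order in which the host serves the requesting ends after the interval,
    as (address, added response delay in seconds) pairs.
    'delay': everyone in arrival order; flagged ends get the extra delay (1st/4th embodiment).
    'queue': unflagged ends first in arrival order, then flagged ends in arrival order (2nd/5th).
    'block': flagged ends are dropped; only unflagged ends are served (3rd/6th)."""
    by_arrival = sorted(requesters, key=lambda r: r.first_packet_at)
    if mode == "delay":
        return [(r.address, delay_s if r.flagged else 0.0) for r in by_arrival]
    if mode == "queue":
        # Stable sort on the flag keeps arrival order inside each group.
        ordered = sorted(by_arrival, key=lambda r: r.flagged)
        return [(r.address, 0.0) for r in ordered]
    if mode == "block":
        return [(r.address, 0.0) for r in by_arrival if not r.flagged]
    raise ValueError(f"unknown defense mode: {mode}")


# Constructed sample: four requesting ends seen in one interval (addresses are made up).
SAMPLE = [
    Requester("10.0.0.1", 1.0, flagged=False),
    Requester("10.0.0.2", 2.0, flagged=True),
    Requester("10.0.0.3", 3.0, flagged=False),
    Requester("10.0.0.4", 0.5, flagged=True),
]

if __name__ == "__main__":
    for mode in ("delay", "queue", "block"):
        print(mode, plan_defense(SAMPLE, mode))
    print("blacklist", blacklist(SAMPLE))
```

With the constructed sample, "queue" serves 10.0.0.1 and 10.0.0.3 before the two flagged ends, which are then served in the order they first sent packets (10.0.0.4 before 10.0.0.2), matching the tie-break rule the embodiments describe for several flagged requesting ends.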

In summary, a malicious external requesting terminal may use multiple virtual IP addresses to fail to log in to the website platform host many times; even though the traffic of each failed login is small, this can still paralyze the website platform host. According to the embodiments of DDoS attack processing disclosed above, the basis for determining whether a network platform is under a DDoS attack is not only the network traffic but also the website platform host's processing time for each packet, so the DDoS attack described above can be effectively blocked. Furthermore, large network traffic frequently appears before certain holidays without being a malicious attack. Using both processing time and network traffic as the basis for judging a DDoS attack avoids blocking well-intentioned external requesting terminals. This ensures that the network platform can continue to provide network services and improves the accuracy of determining whether the website platform host is under a DDoS attack.

Although the present invention is disclosed by the foregoing embodiments, they are not intended to limit the present invention. Changes and modifications made without departing from the spirit and scope of the present invention fall within the scope of patent protection of the present invention. For the scope of protection defined by the present invention, please refer to the appended claims.

Claims (15)

1. A method for processing a distributed denial-of-service attack, comprising: receiving, through a network interface, a plurality of packets sent by an external requesting terminal within a time interval; detecting, by a processor, a plurality of processing times of a website platform host for the packets; respectively inputting the processing times into a machine learning model to generate a plurality of model output times; respectively calculating, by the processor, a plurality of time error percentages between the model output times and the processing times, the time error percentages having a time error trend within the time interval, wherein the time error trend is the trend of change of the time error percentages; determining, by the processor, whether the time error trend is continuously rising, and if the time error trend is continuously rising, further determining, by the processor, whether the time error percentage corresponding to the latest packet within the time interval is greater than a threshold interval; and when the time error percentage corresponding to the latest packet is greater than the threshold interval, determining, by the processor, that the external requesting terminal is carrying out a distributed denial-of-service attack on the website platform host, and performing, by the processor, a defense procedure on the external requesting terminal after the time interval.

2. The method for processing a distributed denial-of-service attack of claim 1, wherein respectively calculating the time error percentages between the model output times and the processing times comprises: respectively calculating, by the processor, a plurality of time errors between the model output times and the processing times; and respectively dividing, by the processor, the time errors by the processing times to obtain the time error percentages.

3. The method for processing a distributed denial-of-service attack of claim 1, wherein the threshold interval is between 1% and 2%.

4. The method for processing a distributed denial-of-service attack of claim 1, wherein the defense procedure comprises: delaying a response time of the website platform host to the external requesting terminal.

5. The method for processing a distributed denial-of-service attack of claim 1, wherein the defense procedure comprises: ordering the website platform host's processing of the external requesting terminal after other external requesting terminals.

6. The method for processing a distributed denial-of-service attack of claim 1, wherein the defense procedure comprises: blocking the packets sent by the external requesting terminal to the website platform host.

7. The method for processing a distributed denial-of-service attack of claim 1, further comprising: after the processor determines that the external requesting terminal is carrying out a distributed denial-of-service attack, adding the network address of the external requesting terminal to a blacklist database stored in a memory.

8. A method for processing a distributed denial-of-service attack, comprising: receiving, through a network interface, a plurality of packets sent by an external requesting terminal within a time interval; detecting, by a processor, a plurality of processing times of a website platform host for the packets; detecting, by the processor, a plurality of actual traffic volumes of the packets; respectively inputting the processing times into a machine learning model to generate a plurality of model output times; respectively inputting the actual traffic volumes into a machine learning model to generate a plurality of model output traffic volumes; respectively calculating, by the processor, a plurality of time error percentages between the model output times and the processing times, the time error percentages having a time error trend within the time interval, wherein the time error trend is the trend of change of the time error percentages; respectively calculating, by the processor, a plurality of traffic error percentages between the model output traffic volumes and the actual traffic volumes, the traffic error percentages having a traffic error trend within the time interval; determining, by the processor, whether the time error trend and the traffic error trend are both continuously rising; when the time error trend and the traffic error trend are both continuously rising, further determining, by the processor, whether the time error percentage and the traffic error percentage corresponding to the latest packet within the time interval are both greater than a threshold interval; and when the time error percentage and the traffic error percentage corresponding to the latest packet are both greater than the threshold interval, determining, by the processor, that the external requesting terminal is carrying out a distributed denial-of-service attack on the website platform host, and performing a defense procedure on the external requesting terminal after the time interval.

9. The method for processing a distributed denial-of-service attack of claim 8, wherein respectively calculating the time error percentages between the model output times and the processing times comprises: respectively calculating, by the processor, a plurality of time errors between the model output times and the processing times; and respectively dividing, by the processor, the time errors by the processing times to obtain the time error percentages.

10. The method for processing a distributed denial-of-service attack of claim 8, wherein respectively calculating the traffic error percentages between the model output traffic volumes and the actual traffic volumes comprises: respectively calculating, by the processor, a plurality of traffic errors between the model output traffic volumes and the actual traffic volumes; and respectively dividing, by the processor, the traffic errors by the actual traffic volumes to obtain the traffic error percentages.

11. The method for processing a distributed denial-of-service attack of claim 8, wherein the threshold interval is between 1% and 2%.

12. The method for processing a distributed denial-of-service attack of claim 8, wherein the defense procedure comprises: delaying a response time of the website platform host to the external requesting terminal.

13. The method for processing a distributed denial-of-service attack of claim 8, wherein the defense procedure comprises: ordering the website platform host's processing of the external requesting terminal after other external requesting terminals.

14. The method for processing a distributed denial-of-service attack of claim 8, wherein the defense procedure comprises: blocking the packets sent by the external requesting terminal to the website platform host.

15. The method for processing a distributed denial-of-service attack of claim 8, further comprising: after the processor determines that the external requesting terminal is carrying out a distributed denial-of-service attack, adding the network address of the external requesting terminal to a blacklist database stored in a memory.
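The detection steps of claims 1 and 8 together with the defense procedures of the fifth and sixth embodiments described above, written out as an added worked example in Python; this is not the patent's or the applicant's code. Because the patent leaves them unspecified, the example assumes a stand-in for the machine learning model (it returns the benign mean learned from constructed benign samples), reads "continuously rising" as strictly increasing across the interval, treats "greater than the threshold interval" as above the interval's 2% upper bound, and uses constructed timings, traffic volumes and documentation-range addresses.

```python
"""Detection and defense steps of the method described above, as an added
worked example; not the patent holder's implementation.

Assumptions (unspecified in the patent): the "machine learning model" is a
stand-in that returns the benign mean whatever its input; "continuously
rising" means strictly increasing; "greater than the threshold interval"
means above the interval's upper bound (the claims give 1%~2%); all
timings, byte counts and addresses are constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List, Optional, Sequence, Set, Tuple

THRESHOLD_INTERVAL: Tuple[float, float] = (0.01, 0.02)  # 1%~2%, claims 3 and 11
Model = Callable[[float], float]

@dataclass(frozen=True)
class Packet:
    requester: str        # network address of the external requesting terminal
    arrival: float        # arrival time inside the observed time interval
    processing_ms: float  # website platform host's processing time for the packet
    traffic_bytes: int    # actual traffic of the packet

def fit_model(benign: Sequence[float]) -> Model:
    """Stand-in model (assumption): learns the benign mean and returns it."""
    baseline = mean(benign)
    return lambda _observed: baseline

def error_percentages(model: Model, observed: Sequence[float]) -> List[float]:
    """Claims 2 and 10: |model output - actual value| divided by the actual value."""
    return [abs(model(x) - x) / x for x in observed]

def continuously_rising(errors: Sequence[float]) -> bool:
    """Error trend check: each error must be larger than the one before it."""
    return len(errors) >= 2 and all(b > a for a, b in zip(errors, errors[1:]))

def exceeds_threshold(value: float,
                      interval: Tuple[float, float] = THRESHOLD_INTERVAL) -> bool:
    return value > interval[1]

def is_ddos(time_model: Model, packets: Sequence[Packet],
            flow_model: Optional[Model] = None) -> bool:
    """Claim 1 (processing time only) or, when flow_model is given, claim 8
    (processing time and traffic volume must both satisfy the conditions)."""
    ordered = sorted(packets, key=lambda p: p.arrival)
    series = [error_percentages(time_model, [p.processing_ms for p in ordered])]
    if flow_model is not None:
        series.append(error_percentages(flow_model, [p.traffic_bytes for p in ordered]))
    if not all(continuously_rising(s) for s in series):
        return False                                      # trend not rising
    return all(exceeds_threshold(s[-1]) for s in series)  # latest packet only

def screen_interval(packets: Sequence[Packet], time_model: Model,
                    flow_model: Optional[Model] = None,
                    blacklist: Optional[Set[str]] = None) -> Set[str]:
    """Runs the check per requester and records offenders in the blacklist
    database (claims 7 and 15). Returns the flagged requester addresses."""
    by_requester: Dict[str, List[Packet]] = {}
    for p in packets:
        by_requester.setdefault(p.requester, []).append(p)
    flagged = {r for r, ps in by_requester.items() if is_ddos(time_model, ps, flow_model)}
    if blacklist is not None:
        blacklist.update(flagged)
    return flagged

def service_order(first_arrival: Dict[str, float], flagged: Set[str]) -> List[str]:
    """Fifth embodiment (claims 5 and 13): flagged requesters are processed only
    after all other requesters; several flagged ones queue in the order in which
    they first sent a packet to the host."""
    by_time = sorted(first_arrival, key=first_arrival.__getitem__)
    return [r for r in by_time if r not in flagged] + [r for r in by_time if r in flagged]

def admit(packets: Sequence[Packet], flagged: Set[str], interval_end: float) -> List[Packet]:
    """Sixth embodiment (claims 6 and 14): packets that a flagged requester sends
    to the host after the time interval are blocked."""
    return [p for p in packets if not (p.requester in flagged and p.arrival > interval_end)]

# Constructed sample data: documentation address ranges and made-up measurements.
TIME_MODEL = fit_model([10.0, 10.2, 9.8, 10.1, 9.9])   # benign mean: 10.0 ms
FLOW_MODEL = fit_model([500, 520, 480, 510, 490])      # benign mean: 500 bytes
ATTACK = [Packet("198.51.100.7", t, ms, b) for t, ms, b in
          zip(range(1, 6), [10.5, 11.0, 11.6, 12.3, 13.0], [560, 640, 720, 810, 900])]
BENIGN = [Packet("203.0.113.5", t, ms, b) for t, ms, b in
          zip(range(1, 6), [10.1, 9.9, 10.2, 10.0, 10.1], [500, 510, 490, 505, 495])]
# Holiday-style surge: traffic climbs but the host keeps up, so the processing-time
# trend does not rise and the requester is not flagged (claim 8 needs both trends).
FLASH = [Packet("192.0.2.9", t, ms, b) for t, ms, b in
         zip(range(1, 6), [10.0, 10.1, 10.0, 10.2, 10.1], [700, 800, 900, 1000, 1100])]

if __name__ == "__main__":
    blacklist: Set[str] = set()
    flagged = screen_interval(ATTACK + BENIGN + FLASH, TIME_MODEL, FLOW_MODEL, blacklist)
    print("flagged:", flagged, "blacklist:", blacklist)
    queue = {"203.0.113.5": 1.0, "198.51.100.7": 0.5, "192.0.2.9": 2.0}
    print("service order:", service_order(queue, flagged))
```

The FLASH requester illustrates the point made in the summary above: its traffic error trend rises like an attack's, but its processing-time errors stay flat, so the claim 8 check, which requires both trends to rise and both latest-packet errors to exceed the threshold, leaves it unblocked. The ATTACK requester is the only one flagged; it is then served after everyone else by service_order and its later packets are dropped by admit.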

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108123845A TWI711284B (en) 2019-07-05 2019-07-05 Method for processing a distributed denial-of-service attack

Publications (2)

Publication Number Publication Date
TWI711284B true TWI711284B (en) 2020-11-21
TW202103476A TW202103476A (en) 2021-01-16

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100370757C (en) * 2004-07-09 2008-02-20 国际商业机器公司 Method and system for dentifying a distributed denial of service (DDOS) attack within a network and defending against such an attack
CN107800727A (en) * 2017-12-12 2018-03-13 蔡昌菊 A kind of DDoS detection methods
