WO2016201996A1 - Method of adaptively blocking network attack and device utilizing same - Google Patents


Info

Publication number
WO2016201996A1
WO2016201996A1 (PCT/CN2016/073642)
Authority
WO
WIPO (PCT)
Prior art keywords
path
packet
traffic
network element
port
Prior art date
Application number
PCT/CN2016/073642
Other languages
French (fr)
Chinese (zh)
Inventor
惠卫锋 (Hui Weifeng)
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2016201996A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • the present invention relates to the field of communication security technologies, and in particular, to an adaptive anti-attack method and apparatus.
  • In a telecommunication network, different network elements are implemented by devices and ports such as routers, switches, Fast Ethernet (FE) interfaces and Gigabit Ethernet (GE) interfaces, and their interworking provides users with a variety of telecommunication services. With the continuing convergence of IT and CT networks, attacks on the telecom network by external abnormal packets keep appearing, causing problems such as board resets and service congestion.
  • FE Fast Ethernet
  • GE Gigabit Ethernet
  • A common network attack defense solution is to deploy a firewall at the ingress of the network element (NE).
  • Incoming packets are checked against the firewall's preset policy: packets that satisfy the policy are allowed into the network, and packets that do not are discarded.
  • The preset policy has to be configured and generated manually, which is not flexible enough when services change.
  • Because the firewall unit is independent of the service unit, it cannot identify or analyze the service type, so its ability to recognize deliberately crafted ("smartly designed") abnormal service packets is weak; for this kind of attack the firewall simply passes the abnormal traffic. Techniques such as traffic behavior analysis and fragmented packet recognition give only partial protection. Therefore, how to remove the cumbersome manual configuration of the firewall and effectively improve the dynamic identification and interception of network attacks is a problem that currently needs to be solved.
  • the invention provides an adaptive anti-attack method and device, which can adaptively defend against abnormal packets and effectively improve the dynamic identification and interception effect of network attacks.
  • an adaptive anti-attack method including:
  • receiving a second packet from a first port of the network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the network element system contains multiple nodes;
  • acquiring a pre-stored first path according to the service type of the second packet, where the first path is the path information experienced inside the network element system when a first packet passed through it; the first path includes at least one node that the first packet passed in time order, and the first packet is, of all packets with the same service type as the second packet that have passed through the network element system, the first one to do so;
  • acquiring a second path, where the second path is the path information experienced inside the network element system when the second packet passes through it; the second path includes at least one node that the second packet passes in time order;
  • matching each node of the first path with the corresponding node of the second path to obtain a first matching degree between the second path and the first path;
  • comparing the first matching degree with a first set threshold and, if the first matching degree is lower than the first set threshold, determining that the second packet is an abnormal packet and reducing the allowed access traffic of the first port, where the first set threshold is set according to the tolerance of the service type to the bit error rate or the communication delay.
  • The nodes of the first path and the nodes of the second path are each sorted in time order; nodes that occupy the same position in the first path and in the second path correspond to each other.
  • The first set threshold lies in the range of 60% to 70%.
  • Optionally, before the second packet is received, the method further includes: receiving the first packet from any port of the network element system, acquiring the first path experienced inside the network element system when the first packet passes through it, and storing the first path.
  • Optionally, matching each node of the first path with the corresponding node of the second path to obtain the first matching degree between the second path and the first path specifically includes:
  • the first path includes n1 nodes, and the method further includes acquiring the traffic of each of the n1 nodes of the first path;
  • the second path includes n2 nodes, and the method further includes acquiring the traffic of each of the n2 nodes of the second path;
  • the matching of the nodes of the first path with the corresponding nodes of the second path to obtain the first matching degree then specifically includes:
  • Optionally, after acquiring the traffic of each of the n1 nodes of the first path, the method further includes normalizing the traffic of each of the n1 nodes by a formula in which f_x is the traffic of node x after normalization, x ranges from 1 to n1, and F_x is the traffic of node x.
  • Optionally, after acquiring the traffic of each of the n2 nodes of the second path, the method further includes normalizing the traffic of each of the n2 nodes in the same manner.
  • Optionally, reducing the allowed access traffic of the first port specifically includes: reducing the allowed access traffic of the first port to a first reduced value, where the first reduced value is the product of a first ratio and the maximum value of the actual access traffic of the first port during the passage of the second packet through the first port; the first reduced value is not lower than the preset minimum allowed access traffic of the first port, and the first ratio lies in the range 1/5 to 1/2.
  • Optionally, the method further includes: receiving a third packet from the first port, and acquiring a third path, where the third path is the path information experienced inside the network element system when the third packet passes through it; the third path includes at least one node that the third packet passes in time order.
  • If the service type of the third packet is the same as that of the first packet, each node of the third path is matched with the corresponding node of the first path to obtain a second matching degree between the third path and the first path; or
  • if the service type of the third packet is the same as that of a fourth packet, a pre-stored fourth path is acquired, where the fourth path is the path information experienced inside the network element system when the fourth packet passed through it, and the fourth packet is, of all packets with the same service type as the third packet that have passed through the network element system, the first one to do so; each node of the third path is then matched with the corresponding node of the fourth path to obtain the second matching degree between the third path and the fourth path.
  • Optionally, if the second matching degree is lower than or equal to the first set threshold, the allowed access traffic of the first port is reduced to a second reduced value, where the second reduced value is the product of a second ratio and the maximum value of the actual access traffic of the first port during the passage of the third packet through the first port; the second reduced value is not lower than the preset minimum allowed access traffic of the first port, and the second ratio lies in the range 1/5 to 1/2.
  • Optionally, if the second matching degree is higher than a second set threshold, the allowed access traffic of the first port is increased to a first increased value, where the first increased value is the product of a third ratio and the maximum value of the actual access traffic of the first port during the passage of the third packet through the first port; the first increased value is not higher than the preset maximum allowed access traffic of the first port.
  • In a second aspect, an adaptive anti-attack device applied to a network element system is provided, the device including:
  • a first receiving unit, configured to receive a second packet from a first port of the network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the network element system contains multiple nodes;
  • a first acquiring unit, configured to acquire a pre-stored first path according to the service type of the second packet, where the first path is the path information experienced inside the network element system when a first packet passed through it; the first path includes at least one node that the first packet passed in time order, and the first packet is, of all packets with the same service type as the second packet that have passed through the network element system, the first one to do so;
  • a second acquiring unit, configured to acquire a second path, where the second path is the path information experienced inside the network element system when the second packet passes through it; the second path includes at least one node that the second packet passes in time order;
  • a first matching unit, configured to match each node of the first path with the corresponding node of the second path to obtain a first matching degree between the second path and the first path;
  • a comparing unit, configured to compare the first matching degree with a first set threshold and, if the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal packet, where the first set threshold is set according to the tolerance of the service type to the bit error rate or the communication delay; and
  • an adjusting unit, configured to reduce the allowed access traffic of the first port.
  • The nodes of the first path and the nodes of the second path are each sorted in time order; nodes that occupy the same position in the first path and in the second path correspond to each other.
  • The first set threshold lies in the range of 60% to 70%.
  • Optionally, the device further includes: a third receiving unit, configured to receive the first packet from any port of the network element system; and a seventh acquiring unit, configured to acquire the first path experienced inside the network element system when the first packet passes through it, and to store the first path.
  • Optionally, the first matching unit is specifically configured as follows: the first path includes n1 nodes, and the device further includes a third acquiring unit configured to acquire the traffic of each of the n1 nodes of the first path; the second path includes n2 nodes, and the device further includes a fourth acquiring unit configured to acquire the traffic of each of the n2 nodes of the second path; the first matching unit is then specifically configured to:
  • Optionally, the device further includes a first normalization processing unit, configured to normalize, after the third acquiring unit has acquired the traffic of each of the n1 nodes of the first path, the traffic of each of the n1 nodes by a formula in which f_x is the traffic of node x after normalization, x ranges from 1 to n1, and F_x is the traffic of node x.
  • Optionally, the device further includes a second normalization processing unit, configured to normalize the traffic of each of the n2 nodes of the second path in the same manner.
  • Optionally, the adjusting unit is specifically configured to reduce the allowed access traffic of the first port to a first reduced value, where the first reduced value is the product of a first ratio and the maximum value of the actual access traffic of the first port during the passage of the second packet through the first port; the first reduced value is not lower than the preset minimum allowed access traffic of the first port, and the first ratio lies in the range 1/5 to 1/2.
  • Optionally, the device further includes: a second receiving unit, configured to receive a third packet from the first port; and a fifth acquiring unit, configured to acquire a third path, where the third path is the path information experienced inside the network element system when the third packet passes through it, and the third path includes at least one node that the third packet passes in time order.
  • Optionally, the device further includes a second matching unit, configured to: if the service type of the third packet is the same as that of the first packet, match each node of the third path with the corresponding node of the first path to obtain a second matching degree between the third path and the first path; or
  • the device includes a sixth acquiring unit, configured to acquire a pre-stored fourth path if the service type of the third packet is the same as that of a fourth packet, where the fourth path is the path information experienced inside the network element system when the fourth packet passed through it, the fourth path includes at least one node that the fourth packet passed in time order, and the fourth packet is, of all packets with the same service type as the third packet that have passed through the network element system, the first one to do so; the second matching unit is then configured to match each node of the third path with the corresponding node of the fourth path to obtain the second matching degree between the third path and the fourth path.
  • Optionally, the adjusting unit is further configured to: if the second matching degree is lower than or equal to the first set threshold, reduce the allowed access traffic of the first port to a second reduced value, where the second reduced value is the product of a second ratio and the maximum value of the actual access traffic of the first port during the passage of the third packet through the first port; the second reduced value is not lower than the preset minimum allowed access traffic of the first port, and the second ratio lies in the range 1/5 to 1/2.
  • Optionally, the adjusting unit is further configured to: if the second matching degree is higher than a second set threshold, increase the allowed access traffic of the first port to a first increased value, where the first increased value is the product of a third ratio and the maximum value of the actual access traffic of the first port during the passage of the third packet through the first port; the first increased value is not higher than the preset maximum allowed access traffic of the first port.
  • The adaptive anti-attack method and device described above receive the second packet through the first port of the network element system and acquire the pre-stored first path according to the service type of the second packet, where the first path is the path of the packet that, among all packets with the same service type as the second packet that have passed through the network element system, was the first to do so; they acquire the second path, which is the path information experienced inside the network element system when the second packet passes through it; they then match each node of the first path with the corresponding node of the second path to obtain the first matching degree; they compare the first matching degree with the first set threshold to decide whether the second packet is an abnormal packet; and, if the second packet is determined to be abnormal, they reduce the allowed access traffic of the first port.
  • The method can therefore automatically decide whether a packet is abnormal and, if it is, reduce the allowed access traffic of the port that received it. This achieves adaptive defense against abnormal packets, removes the cumbersome manual configuration of a firewall, and effectively improves the dynamic identification and interception of network attacks.
  • FIG. 1 is a schematic flowchart of an adaptive attack defense method according to an embodiment of the present disclosure
  • FIG. 2 is a schematic diagram of an exemplary message vector path
  • FIG. 3 is a schematic flowchart of another adaptive attack defense method according to an embodiment of the present invention.
  • Figure 4 is a schematic diagram of comparison of service packet attack defense effects
  • FIG. 5 is a schematic flowchart diagram of still another adaptive attack defense method according to an embodiment of the present invention.
  • FIG. 6 is an exemplary service node normalized traffic distribution diagram
  • FIG. 7 is a schematic structural diagram of an adaptive anti-attack device according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of another adaptive attack defense device according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of still another adaptive anti-attack device according to an embodiment of the present invention.
  • Because a firewall unit is independent of the network element system and cannot identify or analyze the service type, its ability to recognize deliberately crafted ("smartly designed") disguised abnormal packets is weak. The adaptive anti-attack device of the present invention is instead placed inside the NE system and monitors the packets processed by each node of the NE system. A packet that enters the network element system through any of its ports is processed in sequence by several of the nodes the network element system contains, so a packet received from a port passes through the nodes of the network element system in time order.
  • When a packet is found to be abnormal, the device can reduce the allowed access traffic of the port that received it, achieving adaptive defense against abnormal packets, removing the cumbersome manual configuration of a firewall, and effectively improving the dynamic identification and interception of network attacks.
  • FIG. 1 is a schematic flowchart of an adaptive attack defense method according to an embodiment of the present invention, where the method includes the following steps:
  • Step S101: Receive a second packet from a first port of the network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the network element system contains multiple nodes.
  • The network element system in this embodiment may be any communication network element such as a router, a switch, or a mobility management entity (MME). It includes multiple ports and contains multiple nodes. The network element system can receive packets sent by other network element systems on any port; a packet passes through one or more of the nodes in turn, and each node processes it separately, for example performing authentication or analysis.
  • The second packet here is generally a packet whose service type has already passed through the network element system before, i.e. it is not the first packet of that service type.
  • Step S102: Acquire a pre-stored first path according to the service type of the second packet, where the first path is the path experienced inside the network element system when the first packet passed through it. The first path includes at least one node that the first packet passed in time order, and the first packet is, of all packets with the same service type as the second packet that have passed through the NE system, the first one to do so.
  • Before receiving the second packet, the network element system receives the first packet from any of its ports, learns the first path that the first packet experiences inside the network element system, and stores it. The first packet is the first packet of its service type to pass through the network element system.
  • When the attributes of a service change, for example when some configuration of the service is changed or the service version is upgraded, the service type seen as packets pass through the service processing system changes, and the processing nodes or the path of nodes that packets pass through in the system may change. In that case the path that the service packets pass through is re-learned: the next packet is treated as the first packet passing through the NE system, and learning of the path information it experiences in the network element system is triggered.
  • A path consists of the nodes the packet passes through in the network element system, in time order. Paths are stored per service type, whether in the network element system, in a node, or on a cloud server, so the first path for a service type can be looked up from the service type of the second packet.
  • FIG. 2 is a schematic diagram of the packet vector path: each service type has corresponding node processing inside the system.
  • Taking packets of service type A as an example, after a normal packet enters the NE system it has to pass through authentication, registration and hierarchical processing, and its processing path is CCU -> MDU -> MIU -> SIG -> CSU -> IFU, where CCU, MDU, MIU, SIG, CSU and IFU are nodes inside the network element system;
  • the processing path of packets of service type B is CCU -> CSU -> MIU -> MDU -> SIG -> IFU.
  • The packet path is modeled by a directed vector diagram in which p_k indicates whether a service packet of the type passes node k, with p_k equal to 0 or 1; a_n is the location information of the node where the packet is at time n; and a_{n+1} is the expected path information of a normal packet at the next moment.
  • Step S103: Acquire a second path, where the second path is the path information experienced inside the network element system when the second packet passes through it, and includes at least one node that the second packet passes in time order.
  • The path information that the second packet experiences in the network element system, i.e. the nodes it passes through one after another in time order, is recorded as the second path.
  • Step S104: Match each node of the first path with the corresponding node of the second path to obtain a first matching degree between the second path and the first path.
  • The nodes of the first path and the nodes of the second path are each sorted in time order, so that the node at a given position in the first path corresponds to the node at the same position in the second path; each node of the first path is then matched with its corresponding node in the second path to obtain the matching degree between the second path and the first path.
  • Step S105: Compare the first matching degree with the first set threshold. If the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal packet.
  • The first set threshold is set according to the tolerance of the service type to the bit error rate or the communication delay.
  • If packets of a service type are highly tolerant of bit errors or communication delay, the order of NE-internal nodes that its packets are allowed to pass through may differ more from the order taken by the first packet of that type; if packets of a service type are less tolerant, the allowed difference is smaller. Different matching thresholds are therefore set for different service types, and if the matching degree between the path of the second packet and the path of the first packet is lower than the threshold, the second packet is determined to be an abnormal packet.
  • Step S106: If the second packet is determined to be an abnormal packet, reduce the allowed access traffic of the first port.
  • Reducing the allowed access traffic of the port that received the second packet prevents the abnormal traffic from mounting a large-scale attack on the network element system.
  • In summary, the sequence of nodes that a packet received from a port passes through in the network element system, in time order, is matched against the path of the first packet of the same service type that passed through the NE system; the matching degree of the two paths is obtained and the received packet is judged abnormal or not according to it. If it is abnormal, the allowed access traffic of the receiving port is reduced. This achieves adaptive defense against abnormal packets, removes the cumbersome manual configuration of a firewall, and effectively improves the dynamic identification and interception of network attacks.
  • FIG. 3 is a schematic flowchart of another adaptive attack defense method according to an embodiment of the present invention, where the method includes the following steps:
  • Step S201: Receive a second packet from a first port of the network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the network element system contains multiple nodes.
  • Step S202: Acquire a pre-stored first path according to the service type of the second packet, where the first path is the path experienced inside the network element system when the first packet passed through it; the first path includes at least one node that the first packet passed in time order, and the first packet is, of all packets with the same service type as the second packet that have passed through the NE system, the first one to do so.
  • Step S203: Acquire a second path, where the second path is the path information experienced inside the network element system when the second packet passes through it, and includes at least one node that the second packet passes in time order.
  • Steps S201-S203 are the same as steps S101-S103 of the embodiment shown in FIG. 1, and details are not described herein again.
  • Step S204: Match each node of the first path with the corresponding node of the second path, determining for each node of the first path whether the corresponding node of the second path is the same, to obtain a first matching degree between the second path and the first path.
  • The nodes of the first path and the nodes of the second path are each sorted in time order, so that nodes at the same position in the two paths correspond to each other; each node of the first path is then compared with its corresponding node in the second path to determine whether they are the same, and the matching degree between the second path and the first path is obtained from the result.
  • For example, service packets of service type A should pass through these nodes in sequence: CCU -> MDU -> MIU -> SIG -> CSU -> IFU, assuming that the current service of the set type is detected.
  • Step S205: Compare the first matching degree with the first set threshold. If the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal packet. The first set threshold is set according to the tolerance of the service type to the bit error rate or the communication delay.
  • Step S206: When the second packet is determined to be an abnormal packet, reduce the allowed access traffic of the first port to a first reduced value.
  • Different matching thresholds are set according to the different tolerances of different service types to the bit error rate or the communication delay; the threshold lies in the range 60% to 70%. If the matching degree between the path of the second packet and the path of the first packet is lower than the threshold, the second packet can be determined to be an abnormal packet.
  • In that case the adjustment of the allowed access traffic of the port that received the packet is triggered to defend against the packet attack. Specifically, a packet flow whose matching degree is higher than the set threshold is judged legitimate and its access traffic is not controlled; a packet flow whose matching degree is lower than the set threshold is judged abnormal and the defense mechanism is started to reduce the allowed access traffic of the port. With the allowed access traffic reduced, the attack that the abnormal service packets can mount on the system is correspondingly smaller.
  • The allowed access traffic of the port is reduced step by step, which limits the impact of a short pulse of attack packets.
  • The allowed access traffic of the first port is reduced to a first reduced value, where the first reduced value is the product of a first ratio and the maximum value of the actual access traffic of the first port during the passage of the second packet through the first port; the first reduced value is not lower than the preset minimum allowed access traffic of the first port, and the first ratio lies in the range 1/5 to 1/2.
  • Step S207: Receive a third packet from the first port.
  • Step S208: Acquire a third path, where the third path is the path information experienced inside the network element system when the third packet passes through it, and includes at least one node that the third packet passes in time order.
  • The port keeps receiving packets. The service type of the received third packet may be the same as or different from that of the first packet or the second packet. The path information that the third packet experiences inside the network element system is acquired.
  • Step S209 If the service type of the third packet is the same as the service type of the first packet, each node included in the third path is matched with the corresponding node included in the first path, to obtain a second matching degree of the third path and the first path.
  • Step S210 If the service type of the third packet is the same as the service type of a fourth packet, a pre-stored fourth path is obtained, where the fourth path is the path information experienced in the network element system when the fourth packet passes through the network element system, the fourth path includes at least one node that the fourth packet passes in time sequence in the network element system, and the fourth packet is the packet that passed through the network element system for the first time among all packets that have the same service type as the third packet.
  • Step S211 each node included in the third path is matched with a corresponding node included in the fourth path, to obtain a second matching degree of the third path and the fourth path.
  • The matching degree of the newly received third packet is calculated as follows: if the service type of the third packet is the same as that of the first packet, the path of the third packet is matched with the path of the first packet to obtain the second matching degree; if the service type of the third packet differs from that of the first packet, the path of the fourth packet, which has the same service type as the third packet and passed through the network element system for the first time, is obtained, and the path of the third packet is matched with the path of the fourth packet to obtain the second matching degree.
  • Step S212 If the second matching degree is lower than or equal to the first set threshold, the allowed access traffic of the first port is reduced to a second reduced value, where the second reduced value is the product of the maximum value of the actual access traffic of the first port during the passage of the third packet through the first port and a second ratio value; the second reduced value is not lower than the preset minimum allowable access traffic of the first port, and the second ratio value ranges from 1/5 to 1/2.
  • the allowed access traffic of the port is again reduced according to a certain ratio.
  • Reducing the allowed access traffic of the port is performed step by step, that is, steps S207 to S212 are repeated in a cycle, and the allowed access traffic of the port is never reduced below the preset minimum allowable access traffic of the first port.
  • The allowed access traffic of the port is likewise restored step by step; the recovery process is similar to the process of gradually reducing the allowed access traffic of the port.
  • The defense implementation adopts a binary exponential backoff algorithm to effectively restrict the traffic of an abnormal access port, maintains a minimum traffic standard, and automatically recovers when the attack behavior on the port disappears.
  • While abnormal packets are detected, the allowed access traffic of the port is decremented to 1/2 of the threshold set in the previous period, suppressing the degree to which the abnormal attack packets affect the system's processing; once the minimum traffic standard is reached (the minimum traffic standard is set according to the traffic of the port in a normal period, the default being 5%), no further down-regulation is performed and the status of the port is monitored in real time. When the port returns to normal, the traffic limit of the port is adjusted to twice the threshold set in the previous cycle, and the access capability is gradually restored until the maximum traffic threshold allowed by the port is reached.
  • the defense algorithm can try to avoid the black hole of the node, that is, avoid the "unrecoverable exception".
  • A black hole of a node means that the node is restricted by the system because of abnormal behavior and, when its normal state is restored after a certain period of time, the historical abnormality cannot be cleared, so the node cannot be restored to normal access to the system.
  • FIG. 4 is a comparison diagram of the defense effect against a service packet attack. The abscissa indicates the strength of the attack packets (unit: packets per second); the ordinate indicates the load level of the system (CPU usage in the figure, unit: percentage; it can also be measured by the occupancy rate of other key resources). Curve 1 is the defense effect against a service packet attack under a common defense policy, where the common defense policy uses a separate firewall unit with the traffic-attack-related configuration enabled; curve 2 is the adaptive anti-attack method of this embodiment. It can be clearly seen that the adaptive attack defense method of this embodiment effectively reduces the impact of abnormal attack packets on the system, and ensures service access and smooth operation of the normal port.
  • In summary, the nodes that a packet received from a port passes through, in time order, within the network element system are matched with the path of the packet of the same service type that passed through the network element system for the first time, obtaining the matching degree of the two paths, and whether the received packet is an abnormal packet is determined according to the matching degree. If the packet is an abnormal packet, the allowed access traffic of the port that received it is reduced step by step, achieving adaptive attack defense against abnormal packets, eliminating the cumbersome manual configuration of a firewall, and effectively improving the dynamic identification and interception of network attacks; when the matching degree rises again, the allowed access traffic of the port can be quickly restored, avoiding instability of the network element system.
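The path matching of steps S208 to S212 together with the binary exponential backoff of the port's allowed access traffic, as an added example that is not part of the patent: the node names and the A/B service paths are taken from the page, the sample packets are constructed here, and the 65% first threshold, the halving/doubling of the previous threshold and the 5% floor follow the figures the text gives; the 0.9 value for the second set threshold is an assumption.

```python
"""Added example: positional path matching plus stepwise (binary exponential
backoff) adjustment of a port's allowed access traffic. Not the patent's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Learned "first path" per service type: the nodes that the first packet of
# that type traversed, in time order. The A/B paths are taken from the page.
FIRST_PATHS: Dict[str, List[str]] = {
    "A": ["CCU", "MDU", "MIU", "SIG", "CSU", "IFU"],
    "B": ["CCU", "CSU", "MIU", "MDU", "SIG", "IFU"],
}


def path_match_degree(first_path: List[str], observed_path: List[str]) -> float:
    """Match the node at each position of the observed path with the node at
    the same position of the learned path (nodes are ordered by time).
    Returns the fraction of positions that agree; a position that exists in
    only one of the two paths counts as a mismatch."""
    length = max(len(first_path), len(observed_path))
    if length == 0:
        return 1.0
    agree = sum(1 for a, b in zip(first_path, observed_path) if a == b)
    return agree / length


@dataclass
class PortTrafficController:
    """Allowed access traffic of one port, adjusted by binary exponential
    backoff: halve the previous threshold on an abnormal packet, never below
    the minimum traffic standard (default 5% of normal-period traffic);
    double it when the port is normal again, never above the normal maximum."""
    normal_traffic: float            # traffic of the port in a normal period
    min_ratio: float = 0.05           # minimum traffic standard, default 5%
    reduce_ratio: float = 0.5         # 1/2, within the page's 1/5..1/2 range
    restore_ratio: float = 2.0        # recovery doubles the previous threshold
    allowed: float = field(init=False)

    def __post_init__(self) -> None:
        self.allowed = self.normal_traffic   # start at the maximum threshold

    @property
    def floor(self) -> float:
        return self.normal_traffic * self.min_ratio

    def on_abnormal(self) -> float:
        """Down-regulate: allowed = max(floor, previous * reduce_ratio)."""
        self.allowed = max(self.floor, self.allowed * self.reduce_ratio)
        return self.allowed

    def on_normal(self) -> float:
        """Recover: allowed = min(normal maximum, previous * restore_ratio)."""
        self.allowed = min(self.normal_traffic, self.allowed * self.restore_ratio)
        return self.allowed


def judge_packet(
    service_type: str,
    observed_path: List[str],
    learned: Dict[str, List[str]],
    controller: PortTrafficController,
    first_threshold: float = 0.65,    # page: threshold ranges from 60% to 70%
    second_threshold: float = 0.90,   # assumed value for the "second set threshold"
) -> Tuple[str, float, float]:
    """One monitoring cycle for a packet received on the controlled port.
    A service type seen for the first time has its path learned and stored
    (the page's re-learning step); otherwise the observed path is matched
    against the stored first path of the same service type. Returns
    (verdict, matching degree, allowed access traffic after adjustment)."""
    if service_type not in learned:
        learned[service_type] = list(observed_path)
        return "learned", 1.0, controller.allowed
    degree = path_match_degree(learned[service_type], observed_path)
    if degree < first_threshold:
        return "abnormal", degree, controller.on_abnormal()
    if degree > second_threshold:
        return "normal", degree, controller.on_normal()
    return "undecided", degree, controller.allowed   # between thresholds: hold


if __name__ == "__main__":
    # Constructed sample traffic: a normal A packet, two A packets whose path
    # looks like the B service flow, then recovery once the path matches again.
    paths = dict(FIRST_PATHS)
    port = PortTrafficController(normal_traffic=1000.0)
    for svc, path in [("A", FIRST_PATHS["A"]), ("A", FIRST_PATHS["B"]),
                      ("A", FIRST_PATHS["B"]), ("A", FIRST_PATHS["A"])]:
        print(svc, judge_packet(svc, path, paths, port))
```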
  • FIG. 5 is a schematic flowchart of still another method for implementing an adaptive attack defense according to an embodiment of the present invention. The method includes the following steps:
  • Step S301 Receive a second packet from the first port of the network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the network element system includes multiple nodes.
  • This step is the same as step S101 or S102 of the embodiment shown in FIG. 1 or FIG. 3, and details are not described herein again.
  • Step S302 Acquire a pre-stored first path according to the service type of the second packet, and acquire traffic of each node of the n1 nodes included in the first path.
  • the step of acquiring the first path stored in advance is the same as the step S102 or S202 of the embodiment shown in FIG. 1 or FIG. 3, and details are not described herein again.
  • the present embodiment also requires acquiring the traffic of each of the n1 nodes included in the first path, simultaneously with or after acquiring the first path stored in advance.
  • the packets pass through the nodes of the NE system in sequence.
  • the traffic of different packets on the same node may be the same or different.
  • Step S303 acquiring a second path, and acquiring traffic of each of the n2 nodes included in the second path.
  • the step of acquiring the second path is the same as the step S103 or S203 of the embodiment shown in FIG. 1 or FIG. 3, and details are not described herein again.
  • the embodiment further requires acquiring the traffic of each of the n2 nodes included in the second path.
  • Step S304 normalizing the traffic of each of the n1 and n2 nodes respectively.
  • If the traffic of each node were matched directly, the amount of calculation would be large. Therefore, the traffic of each node among the n1 and n2 nodes is normalized separately, as follows:
  • f_x is the traffic of node x after normalization, where x ranges from 1 to n1 and F_x is the traffic of node x before normalization;
  • f_y is the traffic of node y after normalization, where y ranges from 1 to n2 and F_y is the traffic of node y before normalization.
  • Step S305 The traffic of each node among the n2 nodes is matched with the traffic of the corresponding node among the n1 nodes, to determine whether the traffic distribution of the n2 nodes is the same as the traffic distribution of the n1 nodes, and the first matching degree of the second path and the first path is thereby acquired.
  • The traffic of each node among the n2 nodes is matched with the traffic of the corresponding node among the n1 nodes, so that it can be determined whether the traffic distribution of the n2 nodes is the same as the traffic distribution of the n1 nodes; the specific matching technique may follow the prior art. Once it is determined whether the two traffic distributions are the same, the first matching degree of the second path and the first path can be acquired.
  • Step S306 The first matching degree is compared with the first set threshold. If the first matching degree is lower than the first set threshold, the second packet is determined to be an abnormal message.
  • Step S307 If the second packet is determined to be an abnormal packet, the allowed access traffic of the first port is reduced to a first reduced value, where the first reduced value is the product of the maximum value of the actual access traffic of the first port during the passage of the second packet through the first port and a first ratio value; the first reduced value is not lower than the preset minimum allowable access traffic of the first port, and the first ratio value ranges from 1/5 to 1/2.
  • Step S308 receiving a third packet from the first port.
  • Step S309 acquiring a third path, and acquiring traffic of each of the n3 nodes included in the third path.
  • The third path is the path information experienced in the network element system when the third packet passes through the network element system, and the third path includes at least one node that the third packet passes through, in chronological order, inside the network element system.
  • Step S310 If the service type of the third packet is the same as the service type of the first packet, the traffic of each node among the n3 nodes is matched with the traffic of the corresponding node among the n1 nodes, to determine whether the traffic distribution of the n3 nodes is the same as the traffic distribution of the n1 nodes, and the second matching degree of the third path and the first path is thereby acquired.
  • Step S311 If the service type of the third packet is the same as the service type of the fourth packet, a pre-stored fourth path is obtained, and the traffic of each node among the n4 nodes included in the fourth path is acquired.
  • Step S312 The traffic of each node among the n3 nodes is matched with the traffic of the corresponding node among the n4 nodes, to determine whether the traffic distribution of the n3 nodes is the same as the traffic distribution of the n4 nodes, and the second matching degree of the third path and the fourth path is thereby acquired.
  • Step S313 If the second matching degree is lower than or equal to the first set threshold, the allowed access traffic of the first port is reduced to a second reduced value, where the second reduced value is the product of the maximum value of the actual access traffic of the first port during the passage of the third packet through the first port and a second ratio value; the second reduced value is not lower than the preset minimum allowable access traffic of the first port, and the second ratio value ranges from 1/5 to 1/2.
  • Step S314 If the second matching degree is higher than the second set threshold, the allowed access traffic of the first port is increased to a first increased value, where the first increased value is the product of the maximum value of the actual access traffic of the first port during the passage of the third packet through the first port and a third ratio value, and the first increased value is not higher than the preset maximum traffic threshold allowed by the first port.
  • Steps S306 to S314 perform the determination of packet abnormality and the adjustment of the allowed access traffic of the port in the same way as the foregoing embodiment, except in how the matching degree of a newly received packet is obtained: the traffic of each of the multiple nodes is compared to determine whether the traffic distributions are the same, and the matching degree of the paths is obtained from that comparison.
  • In summary, the traffic of the nodes that a packet received from a port passes through, in time order, within the network element system is matched with the traffic of the nodes passed by the packet of the same service type that passed through the network element system for the first time, obtaining the matching degree of the paths; whether the received packet is an abnormal packet is determined according to the matching degree, and when the packet is abnormal, the allowed access traffic of the port that received it is gradually decreased. This achieves adaptive anti-attack against abnormal packets, eliminates the cumbersome manual configuration of a firewall, effectively improves the dynamic identification and interception of network attacks, and allows the allowed access traffic of the port to be quickly restored when the matching degree rises again, avoiding instability of the network element system.
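The traffic-distribution form of path matching described in steps S302 to S306, as an added example that is not part of the patent: the page says the per-node traffic is normalized but gives no formula, so this block assumes normalization to each node's share of the path total and assumes a histogram-intersection similarity at positions where the node names agree; the node names come from the page's A service path and the traffic figures are constructed.

```python
"""Added example: traffic-distribution matching of two paths (FIG. 5 variant).
Not the patent's code; the normalization and similarity formulas are assumed."""
from typing import List, Tuple

# A path is the ordered list of (node, traffic F) pairs observed as one packet
# flow passes through the network element system. Node names are from the page.
Path = List[Tuple[str, float]]


def normalize_traffic(path: Path) -> List[Tuple[str, float]]:
    """Assumed form of the page's f_x: each node's traffic divided by the
    total traffic of the path, so the shares of one path sum to 1 and two
    paths of very different volume can be compared. A path with no traffic
    gets equal shares so that the caller never divides by zero."""
    if not path:
        return []
    total = sum(traffic for _, traffic in path)
    if total <= 0:
        return [(node, 1.0 / len(path)) for node, _ in path]
    return [(node, traffic / total) for node, traffic in path]


def distribution_match_degree(first_path: Path, second_path: Path) -> float:
    """Match the normalized traffic of each node in the second path with the
    corresponding node (same time-order position) of the first path. Assumed
    similarity: the histogram intersection of the two share vectors, taken
    only at positions where the node names agree. Identical node order and
    identical distribution give 1.0; a position with a different node, or
    present in only one path, contributes nothing."""
    f1 = normalize_traffic(first_path)
    f2 = normalize_traffic(second_path)
    degree = 0.0
    for (node1, share1), (node2, share2) in zip(f1, f2):
        if node1 == node2:
            degree += min(share1, share2)
    return degree


def is_abnormal(first_path: Path, second_path: Path, threshold: float = 0.65) -> bool:
    """Step S306: the packet is abnormal if the first matching degree is
    lower than the first set threshold (page: 60% to 70%)."""
    return distribution_match_degree(first_path, second_path) < threshold


# Constructed sample flows on the A service path CCU->MDU->MIU->SIG->CSU->IFU.
LEARNED_A: Path = [("CCU", 100), ("MDU", 100), ("MIU", 100),
                   ("SIG", 100), ("CSU", 100), ("IFU", 100)]
# Same nodes at three times the volume: the distribution is unchanged, so the
# flow still matches even though the absolute traffic differs.
SCALED_A: Path = [(node, 3 * traffic) for node, traffic in LEARNED_A]
# Same nodes, but traffic piles up at CCU and barely reaches the later nodes.
SKEWED_A: Path = [("CCU", 900), ("MDU", 100), ("MIU", 100),
                  ("SIG", 100), ("CSU", 100), ("IFU", 100)]

if __name__ == "__main__":
    for name, flow in [("scaled", SCALED_A), ("skewed", SKEWED_A)]:
        print(name, round(distribution_match_degree(LEARNED_A, flow), 4),
              "abnormal" if is_abnormal(LEARNED_A, flow) else "normal")
```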
  • the adaptive anti-attack device provided by the embodiment of the present invention is described in detail below with reference to FIG. 7 to FIG.
  • FIG. 7 is a schematic structural diagram of an adaptive anti-attack device according to an embodiment of the present invention.
  • The device 1000 is located in a network element system and is a monitoring device independent of the service processing nodes of the network element system.
  • the device 1000 includes:
  • the first receiving unit 11 is configured to receive a second packet from a first port of the network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the The network element system includes multiple nodes inside.
  • the network element system in this embodiment may be any communication network element such as a router, a switch, or a mobility management entity (English: Mobility Management Entity, MME for short), and the network element system includes multiple ports, and the internal network includes multiple
  • The first receiving unit 11 can receive, from any port, a packet sent by another network element system; the packet passes through one or more nodes in the network element system, and each node processes the packet separately, performing authentication, analysis and other processing.
  • the second packet here is generally a packet of the service type that is not passed through the network element system for the first time.
  • The first obtaining unit 12 is configured to acquire a pre-stored first path according to the service type of the second packet, where the first path is the path information experienced in the network element system when the first packet passes through the network element system, the first path includes at least one node that the first packet passes in time sequence in the network element system, and the first packet is the packet that passed through the network element system for the first time among all packets of the service type of the second packet.
  • A third receiving unit (not shown) is configured to receive the first packet from any port of the network element system, and a seventh acquiring unit (not shown) is configured to obtain the first path experienced by the first packet in the network element system and to store it, where the first packet is a packet that passes through the network element system for the first time.
  • When the attributes of a service are changed, for example when some configurations of the service are changed or the version of the service is upgraded, the type of the service changes as its packets pass through the service processing system, and the processing nodes, or the path of nodes that the packets pass through in the system, may change. The path that the service packet passes through is then re-learned: the packet is considered to be the first packet passing through the network element system, so a new registration triggers learning of the path information experienced in the network element system by the first packet. The path includes the nodes that the packet passes through, in time order, in the network element system.
  • The path is stored, classified by service type, in the network element system, in a node, or in a cloud server. Therefore, the first obtaining unit 12 may obtain the first path of the packets of a service type according to the service type of the second packet.
  • A packet vector path diagram is used: for each service type, the network element system has a corresponding node processing link. Taking a packet of the A service type as an example, after a normal packet enters the network element system it needs to pass through authentication, registration, hierarchical processing and other service links, and its processing path is: CCU->MDU->MIU->SIG->CSU->IFU, where CCU, MDU, MIU, SIG, CSU and IFU are nodes inside the network element system; the processing path of a packet of the B service type is: CCU->CSU->MIU->MDU->SIG->IFU.
  • The packet path is modeled by a direction vector diagram as follows: p_k represents whether a service packet of the type passes node k, and the value of p_k is 0 or 1; a_n represents the location information of the node where the packet is located at time n; and a_(n+1) represents the expected path information of a normal packet at the next moment.
  • the second obtaining unit 13 is configured to acquire a second path, where the second path is path information that is experienced inside the network element system when the second packet passes through the network element system, and the second path is And including at least one node that the second packet passes in time sequence in the network element system.
  • The second obtaining unit 13 obtains the path information experienced in the network element system when the second packet passes through the network element system, that is, the second path: as the second packet passes through one or more nodes in time order in the network element system, the information of the nodes passed in sequence can be obtained.
  • A first matching unit 14 is configured to match each node included in the first path with the corresponding node included in the second path, to obtain a first matching degree between the second path and the first path.
  • The first matching unit 14 sorts the at least one node included in the first path and the at least one node included in the second path in time sequence, associates the nodes having the same position in the first path and in the second path, and then matches each node included in the first path with the corresponding node included in the second path to obtain the matching degree of the second path and the first path.
  • The comparing unit 15 is configured to compare the first matching degree with the first set threshold, and if the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal packet.
  • the first set threshold is set according to the tolerance of the service type to the error rate or the communication delay.
  • That is, how far the order of the internal nodes of the network element system that a packet passes through is allowed to differ from that of the packet that passed through the network element system for the first time depends on the tolerance of its service type: packets of a service type that is highly tolerant of the bit error rate or the communication delay are allowed a larger difference, and packets of a service type that is less tolerant of the bit error rate or the communication delay are allowed a smaller one. If the matching degree of the path of the second packet and the path of the first packet is lower than the threshold, the comparing unit 15 may determine that the second packet is an abnormal packet.
  • the adjusting unit 16 is configured to reduce the allowed access traffic of the first port.
  • the adjusting unit 16 can prevent the abnormal packet from initiating a large-scale attack on the network element system by reducing the allowed access traffic of the port that receives the second packet.
  • an adaptive attack defense device is configured to pass the packets received from the port in the sequence of time in the network element system, and the service type of the packet is the same as that of the packet.
  • FIG. 8 is a schematic structural diagram of another adaptive anti-attack device according to an embodiment of the present invention.
  • the device 2000 includes:
  • the first receiving unit 20 is configured to receive a second packet from the first port of the network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the The network element system includes multiple nodes inside.
  • the first obtaining unit 21 is configured to acquire, according to the service type of the second packet, a first path that is stored in advance, where the first path is when the first packet passes the network element system, and the network element is Path information that is experienced by the system, the first path includes at least one node that the first packet passes in time sequence in the network element system, and the first packet is all For the first time, the packets of the service type of the second packet pass through the packet of the network element system.
  • the second obtaining unit 22 is configured to acquire a second path, where the second path is path information that is experienced inside the network element system when the second packet passes through the network element system, and the second path is And including at least one node that the second packet passes in time sequence in the network element system.
  • The functions of the first receiving unit 20, the first obtaining unit 21, and the second obtaining unit 22 are the same as those of the first receiving unit 11, the first obtaining unit 12, and the second obtaining unit 13 of the embodiment shown in FIG. 7, respectively, and details are not described herein again.
  • A first matching unit 23 is configured to match each node included in the first path with the corresponding node included in the second path, to determine whether each node included in the first path is the same as the corresponding node included in the second path, and to obtain the first matching degree of the second path and the first path.
  • The first matching unit 23 sorts the at least one node included in the first path and the at least one node included in the second path in time sequence, associates the nodes having the same position in the first path and in the second path, and then matches each node included in the first path with the corresponding node included in the second path, determining whether each node of the first path is the same as the corresponding node of the second path, to obtain the matching degree between the second path and the first path.
  • the service packets of the A service type should pass through these nodes in sequence: CCU->MDU->MIU->SIG->CSU->IFU, assuming that the current service of the set type is detected.
  • The comparing unit 23 is configured to compare the first matching degree with the first set threshold, and if the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal packet.
  • the first set threshold is set according to the tolerance of the service type to the error rate or the communication delay.
  • the adjusting unit 25 is configured to reduce the allowed access traffic of the first port to a first reduced value if the second packet is determined to be an abnormal packet.
  • Different matching thresholds are set according to different tolerances of different service types to the error rate or the communication delay.
  • the threshold ranges from 60% to 70%. If the matching degree between the obtained second packet and the path of the first packet is lower than the threshold, the comparing unit 24 may determine that the second packet is an abnormal packet.
  • The adjusting unit 25 is then triggered to adjust the allowed access traffic of the port that receives the packet in order to prevent a packet attack. Specifically, for a packet flow whose matching degree is higher than the set threshold, the packet is determined to be a legal packet and its access traffic is not controlled; for a packet flow whose matching degree is lower than the set threshold, the packet is determined to be an abnormal packet and the defense mechanism is started to reduce the allowed access traffic of the port. Once the allowed access traffic is reduced, the attack on the system by abnormal service packets is correspondingly small.
  • the allowed access traffic of the port is reduced step by step, which can reduce the impact of the short-time pulse attack on the packet.
  • The allowed access traffic of the first port is reduced to a first reduced value, where the first reduced value is the product of the maximum value of the actual access traffic of the first port during the passage of the second packet through the first port and a first ratio value; the first reduced value is not lower than the preset minimum allowable access traffic of the first port, and the first ratio value ranges from 1/5 to 1/2.
  • the second receiving unit 26 is configured to receive the third packet from the first port.
  • The fifth obtaining unit 27 is configured to acquire a third path, where the third path is the path information experienced inside the network element system when the third packet passes through the network element system, and the third path includes at least one node that the third packet passes through, in chronological order, in the network element system.
  • the port receives the packet continuously, and the service type of the third packet received by the second receiving unit 26 may be the same as or different from the first packet or the second packet.
  • the fifth obtaining unit 27 acquires path information that is experienced inside the network element system when the third packet passes through the network element system.
  • A second matching unit 28 is configured to, if the service type of the third packet is the same as the service type of the first packet, match each node included in the third path with the corresponding node included in the first path to obtain the second matching degree of the third path and the first path.
  • The sixth obtaining unit 29 is configured to acquire a pre-stored fourth path if the service type of the third packet is the same as the service type of the fourth packet, where the fourth path is the path information experienced by the fourth packet in the network element system, the fourth path includes at least one node that the fourth packet passes in time sequence in the network element system, and the fourth packet is the packet that passed through the network element system for the first time among all packets that have the same service type as the third packet.
  • the second matching unit 28 is further configured to match each node included in the third path with a corresponding node included in the fourth path to obtain a second matching degree of the third path and the fourth path.
  • If the service type of the third packet is the same as that of the first packet, the second matching unit 28 matches the path of the third packet with the path of the first packet to obtain the second matching degree. If the service type of the third packet differs from that of the first packet, the path of the fourth packet, which has the same service type as the third packet and passed through the network element system for the first time, is obtained, and the path of the third packet is matched with the path of the fourth packet to obtain the second matching degree.
  • The adjusting unit 25 is further configured to reduce the allowed access traffic of the first port to a second reduced value if the second matching degree is lower than or equal to the first set threshold, where the second reduced value is the product of the maximum value of the actual access traffic of the first port during the passage of the third packet through the first port and a second ratio value; the second reduced value is not lower than the preset minimum allowable access traffic of the first port, and the second ratio value ranges from 1/5 to 1/2.
  • the allowed access traffic of the port is again reduced according to a certain ratio.
  • Reducing the allowed access traffic of the port is performed step by step, that is, the process is repeated in a cycle, and the allowed access traffic of the port is never reduced below the preset minimum allowable access traffic of the first port.
  • The adjusting unit 25 is further configured to increase the allowed access traffic of the first port to a first increased value if the second matching degree is higher than a second set threshold, where the first increased value is the product of the maximum value of the actual access traffic of the first port during the passage of the third packet through the first port and a third ratio value, and the first increased value is not higher than the preset maximum traffic threshold allowed by the first port.
  • The allowed access traffic of the port is likewise restored step by step; the recovery process is similar to the process of gradually reducing the allowed access traffic of the port.
  • The defense implementation adopts a binary exponential backoff algorithm to effectively restrict the traffic of an abnormal access port, maintains a minimum traffic standard, and automatically recovers when the attack behavior on the port disappears.
  • While abnormal packets are detected, the allowed access traffic of the port is decremented to 1/2 of the threshold set in the previous period, suppressing the degree to which the abnormal attack packets affect the system's processing; once the minimum traffic standard is reached (the minimum traffic standard is set according to the traffic of the port in a normal period, the default being 5%), no further down-regulation is performed and the status of the port is monitored in real time. When the port returns to normal, the traffic limit of the port is adjusted to twice the threshold set in the previous period, and the access capability is gradually restored until the maximum traffic threshold allowed by the port is reached.
  • the defense algorithm can try to avoid the black hole of the node, that is, avoid the "unrecoverable exception".
  • A black hole of a node means that the node is restricted by the system because of abnormal behavior and, when its normal state is restored after a certain period of time, the historical abnormality cannot be cleared, so the node cannot be restored to normal access to the system.
  • FIG. 4 is a comparison diagram of the defense effect against a service packet attack. The abscissa indicates the strength of the attack packets (unit: packets per second); the ordinate indicates the load level of the system (CPU usage in the figure, unit: percentage; it can also be measured by the occupancy rate of other key resources).
  • Curve 1 is the defense effect against a service packet attack under a common defense policy, where the common defense policy uses an independent firewall unit with the traffic-attack-related configuration enabled; curve 2 is the adaptive anti-attack method of this embodiment. It can be clearly seen that the adaptive attack defense method of this embodiment effectively reduces the impact of abnormal attack packets on the system, and ensures service access and smooth operation of the normal port.
  • In this embodiment, the adaptive attack defense device matches the nodes that a packet received from a port passes through in the network element system, in chronological order, against the nodes passed through by the packet of the same service type that first passed through the network element system, so as to obtain the matching degree of the two paths.
  • According to the matching degree it determines whether the received packet is an abnormal packet and, if so, reduces the allowed access traffic of the port that received the packet step by step. This achieves adaptive attack defense against abnormal packets, eliminates the cumbersome manual configuration of the firewall, and effectively improves the dynamic identification and interception of network attacks.
  • When the matching degree increases again, the allowed access traffic of the port can be quickly restored, avoiding instability of the network element system.
  • FIG. 9 is a schematic structural diagram of another adaptive anti-attack device according to an embodiment of the present invention.
  • the device 3000 includes:
  • the first receiving unit 31 is configured to receive a second packet from the first port of the network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the network element system internally includes multiple nodes.
  • the first receiving unit 31 has the same functions as the first receiving unit 11 shown in FIG. 7 or the first receiving unit 20 shown in FIG. 8, and details are not described herein again.
  • the first obtaining unit 32 is configured to acquire a pre-stored first path according to the service type of the second packet.
  • the third obtaining unit 33 is configured to acquire traffic of each of the n1 nodes included in the first path.
  • That is, in this embodiment, in addition to the first obtaining unit 32 acquiring the pre-stored first path, the third obtaining unit 33 acquires the traffic of each of the n1 nodes included in the first path.
  • the packets pass through the nodes of the NE system in sequence.
  • the traffic of different packets on the same node may be the same or different.
  • the first normalization processing unit 34 is configured to normalize the traffic of each of the n1 nodes separately.
  • If the traffic of each node were matched directly, the amount of calculation would be large. Therefore, the traffic of each of the n1 nodes is normalized separately, as follows:
  • f_x is the traffic of node x after normalization,
  • x ranges from 1 to n1, and
  • F_x is the traffic of node x.
  • the second obtaining unit 35 is configured to acquire the second path.
  • the fourth obtaining unit 36 is configured to acquire traffic of each of the n2 nodes included in the second path.
  • That is, in this embodiment, in addition to the second obtaining unit 35 acquiring the second path, the fourth obtaining unit 36 acquires the traffic of each of the n2 nodes included in the second path.
  • the second normalization processing unit 37 is configured to normalize the traffic of each of the n2 nodes separately.
  • the first matching unit 38 is configured to match the traffic of each of the n2 nodes with the traffic of the corresponding node among the n1 nodes, to determine whether the traffic distribution of the n2 nodes is the same as the traffic distribution of the n1 nodes, and thereby obtain the first matching degree of the second path and the first path.
  • By matching the traffic of each of the n2 nodes with the traffic of the corresponding node among the n1 nodes, the first matching unit 38 can determine whether the traffic distribution of the n2 nodes is the same as that of the n1 nodes; the specific matching technique may follow the prior art. In this way the first matching degree of the second path and the first path is obtained.
  • the comparing unit 39 is configured to compare the first matching degree with the first set threshold and, if the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal packet.
  • the adjusting unit 40 is configured to reduce, when the second packet is an abnormal packet, the allowed access traffic of the first port to a first reduced value, where the first reduced value is the product of the maximum value of the actual access traffic of the first port while the second packet passed through the first port and a first ratio value, and the first reduced value is not lower than the preset minimum allowed access traffic of the first port.
  • the second receiving unit 41 is configured to receive the third packet from the first port.
  • the fifth obtaining unit 42 is configured to acquire a third path, and acquire traffic of each of the n3 nodes included in the third path.
  • The third path is the path information experienced inside the network element system when the third packet passes through the network element system, and the third path includes at least one node that the third packet passes through inside the network element system in chronological order.
  • the second matching unit 43 is configured to, when the service type of the third packet is the same as the service type of the first packet, match the traffic of each of the n3 nodes with the traffic of the corresponding node among the n1 nodes, to determine whether the traffic distribution of the n3 nodes is the same as the traffic distribution of the n1 nodes, and thereby obtain the second matching degree of the third path and the first path.
  • the sixth obtaining unit 44 is configured to, when the service type of the third packet is the same as the service type of the fourth packet, acquire the pre-stored fourth path and the traffic of each of the n4 nodes included in the fourth path.
  • the second matching unit 43 is further configured to match the traffic of each of the n3 nodes with the traffic of the corresponding node among the n4 nodes, to determine whether the traffic distribution of the n3 nodes is the same as the traffic distribution of the n4 nodes, and thereby obtain the second matching degree of the third path and the fourth path.
  • the adjusting unit 40 is further configured to reduce the allowed access traffic of the first port to a second reduced value if the second matching degree is lower than or equal to the first set threshold, where the second reduced value is the product of the maximum value of the actual access traffic of the first port while the third packet passed through the first port and a second ratio value, the second reduced value is not lower than the preset minimum allowed access traffic of the first port, and the second ratio value ranges from 1/5 to 1/2.
  • the adjusting unit 40 is further configured to increase the allowed access traffic of the first port to a first increased value when the second matching degree is higher than a second set threshold, where the first increased value is the product of the maximum value of the actual access traffic of the first port while the third packet passed through the first port and a third ratio value, and the first increased value is not higher than the preset maximum allowed access traffic.
  • The above units perform the process of determining abnormal packets and the process of adjusting the allowed access traffic of the port in the same way as the foregoing embodiment, except that, when the matching degree of a newly received packet is acquired, the traffic of each of the nodes in the network element system through which the newly received packet passes is acquired and compared with the traffic of each node through which the packet of the same service type that first passed through the network element system passed, to determine whether the traffic distributions are the same and thereby obtain the matching degree of the paths.
  • In this embodiment, the adaptive attack defense device matches the traffic of the nodes that a packet received from a port passes through in the network element system, in chronological order, against the traffic of the nodes passed through by the packet of the same service type that first passed through the network element system, and obtains the matching degree of the paths.
  • According to the matching degree it determines whether the received packet is an abnormal packet and, if so, performs adaptive attack defense against the packet. This eliminates the cumbersome manual configuration of the firewall, effectively improves the dynamic identification and interception of network attacks, and allows the allowed access traffic of the port to be quickly restored when the matching degree increases, avoiding instability of the network element system.
  • Computer readable media includes both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one location to another. A storage medium may be any available medium that can be accessed by a computer.
  • The computer readable medium may include a random access memory (RAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), and a compact disc read-only memory (CD-ROM).
  • Any connection may suitably be a computer readable medium. If the software is transmitted from a website, server, or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL or wireless technologies such as infrared, radio and microwave are included in the definition of the medium.
  • Disks and discs include compact discs (CDs), laser discs, optical discs, digital versatile discs (DVDs), floppy disks and Blu-ray discs, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer readable media.

Abstract

The present invention discloses a method of adaptively blocking a network attack and a device utilizing the same. The method comprises: matching the nodes, arranged in the chronological order of passage, of a message received from a port against the nodes of passage of a message having the same service type as the received message that was delivered through a network element system for the first time, so as to obtain a matching degree of the paths; determining, according to the matching degree, whether the received message is abnormal; and if so, reducing the allowable access data traffic of the port that received the message. As a consequence, the embodiment of the invention can adaptively block a network attack from an abnormal message, reducing the lengthy and complicated operational steps of manually configuring a firewall, and effectively enhancing dynamic recognition and blocking of a network attack.

Description

Adaptive anti-attack method and device
This application claims priority to Chinese Patent Application No. CN201510337388.9, filed with the Chinese Patent Office on June 17, 2015 and entitled "An adaptive anti-attack method and apparatus", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communication security technologies, and in particular to an adaptive anti-attack method and apparatus.
Background
In telecommunication equipment, different network elements are interconnected through devices and ports such as routers, switches, Fast Ethernet (FE) interfaces and Gigabit Ethernet (GE) interfaces, providing users with a variety of telecommunication services. With the continuing convergence of IT and CT networks, telecommunication networks increasingly suffer attacks by external abnormal packets, which cause problems such as board resets and service blocking.
A common network attack defense solution is to deploy a firewall at the entrance of the network element. Incoming data packets are screened against the firewall's preset policy: packets that comply with the preset policy are allowed into the network, and packets that do not comply are discarded. The preset policy has to be generated by manual configuration, which lacks flexibility when services change frequently. Moreover, because the firewall unit is independent of the service unit and cannot identify or parse service types, its ability to recognize "carefully designed" disguised abnormal service packets is weak; against this type of attack, the firewall can only achieve partial protection by techniques such as abnormal traffic behavior detection and fragment packet identification. Therefore, how to eliminate the cumbersome manual configuration of the firewall and effectively improve the dynamic identification and interception of network attacks is a problem that currently needs to be solved.
Summary of the invention
The present invention provides an adaptive anti-attack method and apparatus for adaptively defending against abnormal packets and effectively improving the dynamic identification and interception of network attacks.
In a first aspect, an adaptive anti-attack method is provided, including:
receiving a second packet from a first port of a network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the network element system internally includes a plurality of nodes;
acquiring, according to the service type of the second packet, a pre-stored first path, where the first path is the path information experienced inside the network element system when a first packet passed through the network element system, the first path includes at least one node that the first packet passed through inside the network element system in chronological order, and the first packet is, among all packets that have the same service type as the second packet and have passed through the network element system, the packet that first passed through the network element system;
acquiring a second path, where the second path is the path information experienced inside the network element system when the second packet passes through the network element system, and the second path includes at least one node that the second packet passes through inside the network element system in chronological order;
matching each node included in the first path with the corresponding node included in the second path, to obtain a first matching degree of the second path and the first path;
comparing the first matching degree with a first set threshold and, if the first matching degree is lower than the first set threshold, determining that the second packet is an abnormal packet, where the first set threshold is set according to the tolerance of the service type to bit error rate or communication delay;
when it is determined that the second packet is an abnormal packet, reducing the allowed access traffic of the first port.
With reference to the first aspect, in a first possible implementation of the first aspect, the at least one node included in the first path and the at least one node included in the second path are each sorted in chronological order, and a node in the first path and a node in the second path having the same rank correspond to each other.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the first set threshold ranges from 60% to 70%.
With reference to the first aspect, the first possible implementation of the first aspect or the second possible implementation of the first aspect, in a third possible implementation of the first aspect, before the receiving of the second packet from the first port of the network element system, the method further includes:
receiving the first packet from any port of the network element system;
acquiring the first path experienced inside the network element system when the first packet passes through the network element system, and storing the first path.
With reference to the first aspect or any one of the first to third possible implementations of the first aspect, in a fourth possible implementation of the first aspect, the matching of each node included in the first path with the corresponding node included in the second path to obtain the first matching degree of the second path and the first path specifically includes:
matching each node included in the first path with the corresponding node included in the second path, to determine whether each node included in the first path is the same as the corresponding node included in the second path, and thereby obtaining the first matching degree of the second path and the first path.
With reference to the first aspect or any one of the first to third possible implementations of the first aspect, in a fifth possible implementation of the first aspect, the first path includes n1 nodes,
and after the acquiring of the pre-stored first path, the method further includes:
acquiring the traffic of each of the n1 nodes included in the first path.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation of the first aspect, the second path includes n2 nodes,
and after the acquiring of the second path, the method further includes:
acquiring the traffic of each of the n2 nodes included in the second path.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, the matching of each node included in the first path with the corresponding node included in the second path to obtain the first matching degree of the second path and the first path specifically includes:
matching the traffic of each of the n2 nodes with the traffic of the corresponding node among the n1 nodes, to determine whether the traffic distribution of the n2 nodes is the same as the traffic distribution of the n1 nodes, and thereby obtaining the first matching degree of the second path and the first path.
With reference to the fifth possible implementation of the first aspect, in an eighth possible implementation of the first aspect, after the acquiring of the traffic of each of the n1 nodes included in the first path, the method further includes:
normalizing the traffic of each of the n1 nodes separately by the following formula:
$$f_x = \frac{F_x}{\max\limits_{1 \le k \le n1} F_k}$$
where f_x is the traffic of node x after normalization, x ranges from 1 to n1, F_x is the traffic of node x, and $\max\limits_{1 \le k \le n1} F_k$ is the maximum value of the traffic of the n1 nodes.
With reference to the sixth possible implementation of the first aspect, in a ninth possible implementation of the first aspect, after the acquiring of the traffic of each of the n2 nodes included in the second path, the method further includes:
normalizing the traffic of each of the n2 nodes separately by the following formula:
$$f_x = \frac{F_x}{\max\limits_{1 \le k \le n2} F_k}$$
with x ranging from 1 to n2 and the denominator being the maximum value of the traffic of the n2 nodes.
With reference to the first aspect or any one of the first to ninth possible implementations of the first aspect, in a tenth possible implementation of the first aspect, the reducing of the allowed access traffic of the first port from the moment the second packet is determined to be an abnormal packet specifically includes:
when it is determined that the second packet is an abnormal packet, reducing the allowed access traffic of the first port to a first reduced value, where the first reduced value is the product of the maximum value of the actual access traffic of the first port while the second packet passed through the first port and a first ratio value, the first reduced value is not lower than a preset minimum allowed access traffic of the first port, and the first ratio value ranges from 1/5 to 1/2.
With reference to the first aspect or any one of the first to tenth possible implementations of the first aspect, in an eleventh possible implementation of the first aspect, after the reducing of the allowed access traffic of the first port from the moment the second packet is determined to be an abnormal packet, the method further includes:
receiving a third packet from the first port;
acquiring a third path, where the third path is the path information experienced inside the network element system when the third packet passes through the network element system, and the third path includes at least one node that the third packet passes through inside the network element system in chronological order.
With reference to the eleventh possible implementation of the first aspect, in a twelfth possible implementation of the first aspect, the method further includes:
when the service type of the third packet is the same as the service type of the first packet, matching each node included in the third path with the corresponding node included in the first path, to obtain a second matching degree of the third path and the first path; or,
when the service type of the third packet is the same as the service type of a fourth packet, acquiring a pre-stored fourth path, where the fourth path is the path information experienced inside the network element system when the fourth packet passed through the network element system, the fourth path includes at least one node that the fourth packet passed through inside the network element system in chronological order, and the fourth packet is, among all packets that have the same service type as the third packet and have passed through the network element system, the packet that first passed through the network element system; and matching each node included in the third path with the corresponding node included in the fourth path, to obtain a second matching degree of the third path and the fourth path.
With reference to the twelfth possible implementation of the first aspect, in a thirteenth possible implementation of the first aspect, the method further includes:
when the second matching degree is lower than or equal to the first set threshold, reducing the allowed access traffic of the first port to a second reduced value, where the second reduced value is the product of the maximum value of the actual access traffic of the first port while the third packet passed through the first port and a second ratio value, the second reduced value is not lower than the preset minimum allowed access traffic of the first port, and the second ratio value ranges from 1/5 to 1/2.
With reference to the twelfth possible implementation of the first aspect, in a fourteenth possible implementation of the first aspect, the method further includes:
when the second matching degree is higher than a second set threshold, increasing the allowed access traffic of the first port to a first increased value, where the first increased value is the product of the maximum value of the actual access traffic of the first port while the third packet passed through the first port and a third ratio value, and the first increased value is not higher than a preset maximum allowed access traffic; the second set threshold is greater than the first set threshold, the second set threshold ranges from 70% to 80%, and the third ratio value ranges from 2 to 5.
第二方面,提供了一种自适应防攻击装置,应用于网元系统,所述装置包括:In a second aspect, an adaptive anti-attack device is provided, which is applied to a network element system, and the device includes:
第一接收单元,用于自所述网元系统的第一端口接收第二报文,所述网元系统包括至少一个端口,所述第一端口为所述至少一个端口中的一个,且所述网元系统内部包括多个节点;a first receiving unit, configured to receive a second packet from a first port of the network element system, where the network element system includes at least one port, where the first port is one of the at least one port, and The network element system includes multiple nodes inside;
第一获取单元,用于根据所述第二报文的业务类型,获取预先存储的第一路径,所述第一路径为第一报文通过所述网元系统时,在所述网元系统内部经历的路径信息,所述第一路径包括所述第一报文在所述网元系统内部按照时间的先后顺序经过的至少一个节点,所述第一报文为所有具有与所述第二报文的业务类型相同的业务类型且经过所述网元系统的报文中,首次经过所述网元系统的报文;a first acquiring unit, configured to acquire a pre-stored first path according to a service type of the second packet, where the first path is when the first packet passes the network element system, and the network element system Path information that is internally experienced, the first path includes at least one node that the first packet passes in time sequence in the network element system, and the first packet is all having the second The packet of the service type of the same type of the packet and the packet passing through the network element system passes through the packet of the network element system for the first time;
第二获取单元,用于获取第二路径,所述第二路径为所述第二报文通过所述网元系统时,在所述网元系统内部经历的路径信息,所述第二路径包括所述第二报文在所述网元系统内部按照时间的先后顺序经过的至少一个节点;a second acquiring unit, configured to acquire a second path, where the second path is path information that is experienced inside the network element system when the second packet passes through the network element system, where the second path includes At least one node that the second packet passes in the order of time in the network element system;
第一匹配单元,用于将所述第一路径包括的每一节点分别与所述第二路径包括的相应节点进行匹配,以获取所述第二路径和所述第一路径的第一匹配度;a first matching unit, configured to match each node included in the first path with a corresponding node included in the second path, to obtain a first matching degree of the second path and the first path ;
比较单元,用于将所述第一匹配度与第一设定阈值进行比较,若所述第一匹配度低于所述第一设定阈值,则确定所述第二报文为异常报文,所述第一设定阈值是根据所述业务类型对误码率或通信延时的容忍度设定的;a comparing unit, configured to compare the first matching degree with a first set threshold, and if the first matching degree is lower than the first set threshold, determining that the second packet is an abnormal packet The first set threshold is set according to the tolerance of the service type to the bit error rate or the communication delay;
在所述比较单元确定所述第二报文为异常报文的情况下,调整单元,用于减小所述第一端口的允许接入流量。And in the case that the comparing unit determines that the second packet is an abnormal packet, the adjusting unit is configured to reduce the allowed access traffic of the first port.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the at least one node included in the first path and the at least one node included in the second path are each sorted in chronological order, and a node in the first path and a node in the second path that occupy the same position in that order correspond to each other.
With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the first set threshold ranges from 60% to 70%.
With reference to the second aspect, the first possible implementation manner of the second aspect, or the second possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the apparatus further includes:
a third receiving unit, configured to receive the first packet from any port of the network element system; and
a seventh acquiring unit, configured to acquire the first path experienced inside the network element system when the first packet passes through the network element system, and to store the first path.
With reference to the second aspect or any one of the first to third possible implementation manners of the second aspect, in a fourth possible implementation manner of the second aspect, the first matching unit is specifically configured to:
match each node included in the first path with the corresponding node included in the second path, to determine whether each node included in the first path is identical to the corresponding node included in the second path, and thereby obtain the first matching degree between the second path and the first path.
With reference to the second aspect or any one of the first to third possible implementation manners of the second aspect, in a fifth possible implementation manner of the second aspect, the first path includes n1 nodes,
and the apparatus further includes:
a third acquiring unit, configured to acquire the traffic of each of the n1 nodes included in the first path.
With reference to the fifth possible implementation manner of the second aspect, in a sixth possible implementation manner of the second aspect, the second path includes n2 nodes,
and the apparatus further includes:
a fourth acquiring unit, configured to acquire the traffic of each of the n2 nodes included in the second path.
With reference to the sixth possible implementation manner of the second aspect, in a seventh possible implementation manner of the second aspect, the first matching unit is specifically configured to:
match the traffic of each of the n2 nodes with the traffic of the corresponding node among the n1 nodes, to determine whether the traffic distribution of the n2 nodes is the same as the traffic distribution of the n1 nodes, and thereby obtain the first matching degree between the second path and the first path.
With reference to the fifth possible implementation manner of the second aspect, in an eighth possible implementation manner of the second aspect, the apparatus further includes:
after the third acquiring unit acquires the traffic of each of the n1 nodes included in the first path,
a first normalization processing unit, configured to normalize the traffic of each of the n1 nodes using the following formula:
[formula image PCTCN2016073642-appb-000005, not reproduced on this page]
where f_x is the traffic of node x after normalization, x ranges from 1 to n1, F_x is the traffic of node x, and [symbol image PCTCN2016073642-appb-000006, not reproduced on this page] is the maximum value of the traffic of the n1 nodes.
With reference to the sixth possible implementation manner of the second aspect, in a ninth possible implementation manner of the second aspect, the apparatus further includes:
after the fourth acquiring unit acquires the traffic of each of the n2 nodes included in the second path,
a second normalization processing unit, configured to normalize the traffic of each of the n2 nodes using the following formula:
[formula image PCTCN2016073642-appb-000007, not reproduced on this page]
[formula image PCTCN2016073642-appb-000008, not reproduced on this page]
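As an added example that is not part of the patent, the per-node normalization of the eighth and ninth implementation manners and the traffic-distribution comparison of the seventh, in Python. The formula images are not reproduced on the page, so the normalization f_x = F_x / max(F) is an assumption consistent with the definitions given for f_x and F_x; the similarity measure (one minus the mean absolute difference of paired normalized values) and the traffic figures are constructed as well.

```python
"""Added example (not code from the patent): normalized per-node traffic
distributions for a learned path and an observed path, compared node by node.
Assumptions: f_x = F_x / max(F) (the formula image is not on the page), the
similarity measure below, and the constructed traffic figures."""
from typing import List, Sequence


def normalize(traffic: Sequence[float]) -> List[float]:
    """f_x = F_x / max(F_1..F_n); a path that carried no traffic yields all zeros."""
    if not traffic:
        raise ValueError("path must contain at least one node")
    peak = max(traffic)
    if peak <= 0:
        return [0.0] * len(traffic)
    return [f / peak for f in traffic]


def distribution_match(first_traffic: Sequence[float],
                       second_traffic: Sequence[float]) -> float:
    """Compare the normalized traffic of the n2 observed nodes with that of the
    n1 learned nodes, pairing nodes by position (a node missing from the shorter
    path counts as zero). 1.0 means identical shape; the assumed measure is
    1 - mean(|f2_x - f1_x|), so it falls as the shapes diverge."""
    f1, f2 = normalize(first_traffic), normalize(second_traffic)
    n = max(len(f1), len(f2))
    f1 += [0.0] * (n - len(f1))
    f2 += [0.0] * (n - len(f2))
    return 1.0 - sum(abs(a - b) for a, b in zip(f1, f2)) / n


def is_abnormal(first_traffic: Sequence[float], second_traffic: Sequence[float],
                threshold: float = 0.70) -> bool:
    """Apply the first set threshold (60%..70% in the text) to the match value."""
    if not 0.60 <= threshold <= 0.70:
        raise ValueError("first set threshold must lie in 60%..70%")
    return distribution_match(first_traffic, second_traffic) < threshold


# Constructed figures for a six-node path: the learned ("first") distribution,
# a later run with the same shape at half the volume, and a run in which nearly
# all load stops at the entry node.
LEARNED = [100.0, 80.0, 60.0, 40.0, 20.0, 10.0]
SCALED = [50.0, 40.0, 30.0, 20.0, 10.0, 5.0]
FLOOD = [500.0, 10.0, 10.0, 10.0, 10.0, 10.0]
```

Scaling the whole path by a constant leaves the normalized shape unchanged, which is why volume alone does not trip the check while a distorted shape does.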
With reference to the second aspect or any one of the first to ninth possible implementation manners of the second aspect, in a tenth possible implementation manner of the second aspect, the adjusting unit is specifically configured to:
when the second packet is determined to be an abnormal packet, reduce the allowed access traffic of the first port to a first reduced value, where the first reduced value is the product of the maximum actual access traffic of the first port while the second packet passes through the first port and a first ratio value, the first reduced value is not lower than a preset minimum allowed access traffic of the first port, and the first ratio value ranges from 1/5 to 1/2.
With reference to the second aspect or any one of the first to tenth possible implementation manners of the second aspect, in an eleventh possible implementation manner of the second aspect, the apparatus further includes:
after the adjusting unit reduces the allowed access traffic of the first port,
a second receiving unit, configured to receive a third packet from the first port; and
a fifth acquiring unit, configured to acquire a third path, where the third path is the path information experienced inside the network element system when the third packet passes through the network element system, and the third path includes at least one node that the third packet passes through inside the network element system in chronological order.
With reference to the eleventh possible implementation manner of the second aspect, in a twelfth possible implementation manner of the second aspect, the apparatus further includes:
a second matching unit, configured to, when the service type of the third packet is the same as the service type of the first packet, match each node included in the third path with the corresponding node included in the first path, to obtain a second matching degree between the third path and the first path; or
the apparatus includes:
a sixth acquiring unit, configured to, when the service type of the third packet is the same as the service type of a fourth packet, acquire a pre-stored fourth path, where the fourth path is the path information experienced inside the network element system when the fourth packet passes through the network element system, the fourth path includes at least one node that the fourth packet passes through inside the network element system in chronological order, and the fourth packet is, among all packets that have the same service type as the third packet and pass through the network element system, the packet that passes through the network element system for the first time; and
the second matching unit is configured to match each node included in the third path with the corresponding node included in the fourth path, to obtain a second matching degree between the third path and the fourth path.
With reference to the twelfth possible implementation manner of the second aspect, in a thirteenth possible implementation manner of the second aspect, the adjusting unit is further configured to:
when the second matching degree is lower than or equal to the first set threshold, reduce the allowed access traffic of the first port to a second reduced value, where the second reduced value is the product of the maximum actual access traffic of the first port while the third packet passes through the first port and a second ratio value, the second reduced value is not lower than the preset minimum allowed access traffic of the first port, and the second ratio value ranges from 1/5 to 1/2.
With reference to the twelfth possible implementation manner of the second aspect, in a fourteenth possible implementation manner of the second aspect, the adjusting unit is further configured to:
when the second matching degree is higher than a second set threshold, increase the allowed access traffic of the first port to a first increased value, where the first increased value is the product of the maximum actual access traffic of the first port while the third packet passes through the first port and a third ratio value, and the first increased value is not higher than a preset maximum allowed access traffic; the second set threshold is greater than the first set threshold, the second set threshold ranges from 70% to 80%, and the third ratio value ranges from 2 to 5.
It can be seen that, in the adaptive attack defense method and apparatus provided by the embodiments of the present invention, a second packet is received through a first port of a network element system; a pre-stored first path is acquired according to the service type of the second packet, the first path being the path of the first packet, that is, of the packet that, among all packets of the same service type passing through the network element system, passed through the network element system first; a second path is acquired, being the path information experienced inside the network element system when the second packet passes through it; each node of the first path is then matched with the corresponding node of the second path to obtain a first matching degree; the first matching degree is compared with a first set threshold to determine whether the second packet is an abnormal packet; and when the second packet is determined to be abnormal, the allowed access traffic of the first port is reduced. With this solution, once a packet is obtained, whether it is an abnormal packet is determined automatically, and if it is, the allowed access traffic of the port that received it is reduced. This achieves adaptive defense against abnormal packets, eliminates the cumbersome manual configuration of a firewall, and effectively improves the dynamic identification and interception of network attacks.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below are merely some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of an adaptive attack defense method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an example packet vector path;
FIG. 3 is a schematic flowchart of another adaptive attack defense method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram comparing the effects of defense against service packet attacks;
FIG. 5 is a schematic flowchart of yet another adaptive attack defense method according to an embodiment of the present invention;
FIG. 6 is an example normalized traffic distribution diagram of service nodes;
FIG. 7 is a schematic structural diagram of an adaptive attack defense apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another adaptive attack defense apparatus according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of yet another adaptive attack defense apparatus according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the prior art, the firewall unit is independent of the network element system and has no capability to identify or parse service types, so its ability to recognize "carefully crafted" disguised abnormal packets is weak. The adaptive attack defense apparatus of the present invention is placed inside the network element system and monitors how each node inside the network element system processes packets. When a packet passes through any network element system, the multiple nodes inside that system process the packet in turn. The nodes that a packet received from a port passes through inside the network element system, in chronological order, can therefore be matched against the nodes passed through by the packet of the same service type that first passed through the network element system, giving a path matching degree; the matching degree determines whether the received packet is abnormal, and if it is, the allowed access traffic of the receiving port is reduced. This achieves adaptive defense against abnormal packets, eliminates the cumbersome manual configuration of a firewall, and effectively improves the dynamic identification and interception of network attacks.
The adaptive attack defense method provided by the embodiments of the present invention is described in detail below with reference to FIG. 1 to FIG. 6.
FIG. 1 is a schematic flowchart of an adaptive attack defense method according to an embodiment of the present invention; the method includes the following steps:
Step S101: receive a second packet from a first port of a network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the network element system internally includes a plurality of nodes.
The network element system in this embodiment may be any communication network element, such as a router, a switch, or a mobility management entity (MME). The network element system includes multiple ports and internally includes multiple nodes. It may receive, on any port, packets sent by other network element systems; a packet passes in turn through one or more nodes inside the network element system, and each node processes the packet in its own way, for example authentication or parsing. The second packet here is generally a packet of a service type that has already passed through the network element system before, that is, not the first packet of that type.
Step S102: acquire a pre-stored first path according to the service type of the second packet, where the first path is the path information experienced inside the network element system when a first packet passes through the network element system, the first path includes at least one node that the first packet passes through inside the network element system in chronological order, and the first packet is, among all packets that have the same service type as the second packet and pass through the network element system, the packet that passes through the network element system for the first time.
Before the second packet is received, the network element system receives the first packet from any of its ports, acquires the first path experienced inside the network element system when the first packet passes through it, and stores the first path; the first packet is the packet that passes through the network element system for the first time. When a new service is registered, or when the attributes of a service change, for example its configuration is modified or its version is upgraded, the type of the service changes as its packets pass through the service processing system, and the processing nodes or node path inside the system may change accordingly. The path taken by the service packets then has to be learned again, that is, such a packet is treated as the first packet of its type to pass through the network element system. Therefore, registration of a new service or a change in a service's attributes triggers acquisition of the path information experienced inside the network element system when the first packet passes through it; this path includes the one or more nodes that the packet passes through inside the network element system in chronological order. The path is classified by service type and stored in the network element system, in a node, or in a cloud server, so that the first path of a service type can later be retrieved according to the service type of the second packet.
FIG. 2 is a schematic diagram of packet vector paths. For each service type, the network element system has a corresponding sequence of node processing stages. Taking a packet of service type A as an example, a normal packet entering the network element system must pass through service stages such as authentication, registration and hierarchical processing, so its processing path is, in order: CCU—>MDU—>MIU—>SIG—>CSU—>IFU, where CCU, MDU, MIU, SIG, CSU and IFU are nodes inside the network element system. The processing path of a packet of service type B is, in order: CCU—>CSU—>MIU—>MDU—>SIG—>IFU.
The packets are modeled with a direction vector diagram as follows:
a_{n+1} = p_1·a_n + p_2·a_{n-1} + p_3·a_{n-2} + ... + p_k·a_{n-k+1}   ……Formula (1)
where p_k indicates whether a service packet of this type passes through the node and takes the value 0 or 1, a_n is the node position of the packet at time n, and a_{n+1} is the expected path information of a normal packet at the next moment.
Step S103: acquire a second path, where the second path is the path information experienced inside the network element system when the second packet passes through the network element system, and the second path includes at least one node that the second packet passes through inside the network element system in chronological order.
The path information experienced inside the network element system when the second packet passes through it, that is, the second path, is acquired: the second packet passes through one or more nodes inside the network element system in chronological order, and the information about the nodes passed through in turn can be obtained.
Step S104: match each node included in the first path with the corresponding node included in the second path, to obtain a first matching degree between the second path and the first path.
Before nodes or paths are matched, the at least one node of the first path and the at least one node of the second path are each sorted in chronological order, so that the nodes at the same position in the first path and in the second path correspond to each other; each node of the first path is then matched with the corresponding node of the second path to obtain the matching degree between the second path and the first path.
Step S105: compare the first matching degree with a first set threshold and, if the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal packet, where the first set threshold is set according to the tolerance of the service type to bit error rate or communication delay.
Packets of some service types tolerate a higher bit error rate or communication delay, that is, the order of the internal nodes of a network element system that such a packet passes through is allowed to differ somewhat from that of the first packet through the network element system; packets of other service types tolerate a lower bit error rate or communication delay and require the order of nodes to differ only slightly from that of the first packet. Therefore, different matching degree thresholds are set for different service types, and if the matching degree between the path of the second packet and the path of the first packet is lower than the threshold, the second packet is determined to be an abnormal packet.
Step S106: when the second packet is determined to be an abnormal packet, reduce the allowed access traffic of the first port.
When the second packet is determined to be abnormal, reducing the allowed access traffic of the port that received it prevents abnormal packets from mounting a large-scale attack on the network element system.
In the adaptive attack defense method provided by this embodiment of the present invention, the nodes that a packet received from a port passes through inside the network element system, in chronological order, are matched against the nodes passed through by the packet of the same service type that first passed through the network element system, giving a path matching degree; the matching degree determines whether the received packet is abnormal, and if it is, the allowed access traffic of the receiving port is reduced. This achieves adaptive defense against abnormal packets, eliminates the cumbersome manual configuration of a firewall, and effectively improves the dynamic identification and interception of network attacks.
请参阅图3,为本发明实施例提供的另一种自适应防攻击方法的流程示意图,该方法包括以下步骤:FIG. 3 is a schematic flowchart of another adaptive attack defense method according to an embodiment of the present invention, where the method includes the following steps:
步骤S201,自网元系统的第一端口接收第二报文,所述网元系统包括至少一个端口,所述第一端口为所述至少一个端口中的一个,且所述网元系统内部包括多个节点。Step S201: Receive a second packet from the first port of the network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the network element system includes Multiple nodes.
步骤S202,根据所述第二报文的业务类型,获取预先存储的第一路径,所述第一路径为第一报文通过所述网元系统时,在所述网元系统内部经历的路径信息,所述第一路径包括所述第一报文在所述网元系统内部按照时间的先后顺序经过的至少一个节点,所述第一报文为所有具有与所述第二报文的业务类型相同的业务类型且经过所述网元系统的报文中,首次经过所述网元系统的报文。Step S202: Acquire a pre-stored first path according to the service type of the second packet, where the first path is a path that is experienced inside the network element system when the first packet passes through the network element system. The first path includes at least one node that the first packet passes in time sequence in the network element system, and the first packet is all services that have the second packet. The packets passing through the NE system are passed through the packets of the NE system for the first time.
步骤S203,获取第二路径,所述第二路径为所述第二报文通过所述网元 系统时,在所述网元系统内部经历的路径信息,所述第二路径包括所述第二报文在所述网元系统内部按照时间的先后顺序经过的至少一个节点。Step S203, the second path is obtained, where the second path is that the second packet passes the network element. In the system, the path information that is experienced in the network element system, the second path includes at least one node that the second packet passes in time sequence in the network element system.
步骤S201-S203与图1所示实施例的步骤S101-S103相同,在此不再赘述。Steps S201-S203 are the same as steps S101-S103 of the embodiment shown in FIG. 1, and details are not described herein again.
步骤S204,将所述第一路径包括的每一节点分别与所述第二路径包括的相应节点进行匹配,以确定所述第一路径包括的每一节点是否与所述第二路径包括的相应节点相同,进而获取所述第二路径和所述第一路径的第一匹配度。Step S204, matching each node included in the first path with a corresponding node included in the second path, to determine whether each node included in the first path is corresponding to the second path The nodes are the same, and the first matching degree of the second path and the first path is obtained.
在进行节点或路径匹配前,按照时间的先后顺序,将第一路径包括的至少一个节点和第二路径包括的至少一个节点分别进行排序,则位于第一路径中的和位于第二路径中的具有相同序位的节点是相对应的,然后,将第一路径包括的每一节点分别与第二路径包括的相应节点进行匹配,以确定第一路径包括的每一节点是否与第二路径包括的相应节点相同,以获取第二路径和第一路径的匹配度。Before performing node or path matching, at least one node included in the first path and at least one node included in the second path are respectively sorted according to a time sequence, and then located in the first path and located in the second path. Nodes having the same order are corresponding, and then each node included in the first path is respectively matched with a corresponding node included in the second path to determine whether each node included in the first path includes the second path. The corresponding nodes are the same to obtain the matching degree of the second path and the first path.
以图2为例,A业务类型的业务报文正常应该顺序经过这些节点:CCU—>MDU—>MIU—>SIG—>CSU—>IFU,假设,检测到的当前的该设定类型的业务报文所经过的第三个和第四个节点与上述学习到的正常顺序不同,则认为其匹配度为4/6=66.7%。As shown in Figure 2, the service packets of the A service type should pass through these nodes in sequence: CCU->MDU->MIU->SIG->CSU->IFU, assuming that the current service of the set type is detected. The third and fourth nodes passing through the message are different from the normal order learned above, and the matching degree is considered to be 4/6=66.7%.
Step S205: Compare the first matching degree with a first set threshold; if the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal packet. The first set threshold is set according to the tolerance of the service type to bit error rate or communication delay.
Step S206: If the second packet is determined to be an abnormal packet, reduce the allowed ingress traffic of the first port to a first reduced value.
Different matching-degree thresholds are set for different service types according to their tolerance of bit error rate or communication delay; the threshold lies in the range 60% to 70%. If the matching degree between the path of the second packet and the path of the first packet is lower than this threshold, the second packet can be determined to be an abnormal packet.
If a service packet is determined to be abnormal, an adjustment of the allowed ingress traffic of the port that received it is triggered in order to defend against packet attacks. Specifically, a packet flow whose matching degree is above the set threshold is judged legitimate and its ingress traffic is not controlled; a packet flow whose matching degree is below the set threshold is judged abnormal, the defence mechanism is started, and the allowed ingress traffic of that port is reduced. With less traffic admitted, the attack that abnormal service packets can mount against the system is correspondingly smaller.
In this embodiment the allowed ingress traffic of the port is reduced step by step, which limits the effect of short burst attacks on packet processing. Specifically, when the second packet is determined to be an abnormal packet, the allowed ingress traffic of the first port is reduced to a first reduced value, which is the product of the maximum actual ingress traffic of the first port while the second packet passed through it and a first ratio; the first reduced value is not lower than the preset minimum allowed ingress traffic of the first port, and the first ratio lies in the range 1/5 to 1/2.
Step S207: Receive a third packet from the first port.
Step S208: Obtain a third path, which is the path information traversed inside the network element system by the third packet when it passes through the network element system; the third path comprises at least one node that the third packet traverses inside the network element system in chronological order.
The port receives packets continuously, and the service type of the received third packet may be the same as, or different from, that of the first or second packet. The path information traversed by the third packet inside the network element system is obtained in the same way as before.
Step S209: If the service type of the third packet is the same as that of the first packet, match each node of the third path against the corresponding node of the first path to obtain a second matching degree between the third path and the first path.
Step S210: If the service type of the third packet is the same as that of a fourth packet, obtain a pre-stored fourth path, which is the path information traversed inside the network element system by the fourth packet when it passes through the network element system; the fourth path comprises at least one node that the fourth packet traverses inside the network element system in chronological order, and the fourth packet is the first packet to pass through the network element system among all packets of the same service type as the third packet.
Step S211: Match each node of the third path against the corresponding node of the fourth path to obtain a second matching degree between the third path and the fourth path.
When the matching degree of the newly received third packet is computed: if the service type of the third packet is the same as that of the first packet, the path of the third packet is matched against the path of the first packet to obtain the second matching degree; if the service type of the third packet differs from that of the first packet, the path of the fourth packet, that is, the packet of the same service type as the third packet that first passed through the network element system, is obtained, and the path of the third packet is matched against it to obtain the second matching degree.
Step S212: If the second matching degree is lower than or equal to the first set threshold, reduce the allowed ingress traffic of the first port to a second reduced value, which is the product of the maximum actual ingress traffic of the first port while the third packet passed through it and a second ratio; the second reduced value is not lower than the preset minimum allowed ingress traffic of the first port, and the second ratio lies in the range 1/5 to 1/2.
If the matching degree of a newly received packet is still lower than or equal to the first set threshold, the allowed ingress traffic of the port is reduced again by a set ratio.
Note that the allowed ingress traffic of the port is reduced step by step, that is, steps S207 to S212 are repeated in a loop, and the allowed ingress traffic of the port is never reduced below the preset minimum allowed ingress traffic of the first port.
Step S213: If the second matching degree is higher than a second set threshold, increase the allowed ingress traffic of the first port to a first increased value, which is the product of the maximum actual ingress traffic of the first port while the third packet passed through it and a third ratio; the first increased value is not higher than the preset maximum allowed ingress traffic. The second set threshold is greater than the first set threshold and lies in the range 70% to 80%, and the third ratio lies in the range 2 to 5.
If, however, the matching degree of a newly received packet is higher than the second set threshold, the allowed ingress traffic of the port is restored. The restoration likewise proceeds step by step, in the same way as the step-by-step reduction.
By way of example, the defence stage uses a binary exponential back-off algorithm to rate-limit an abnormal ingress port effectively while maintaining a minimum traffic level, so that the port recovers automatically once the attack behaviour on it disappears.
Specifically, when the matching degree between the packet flow entering the system from a port and the vector path migration model falls below the threshold, the allowed ingress traffic of the port is decremented to 1/2 of the value set in the previous period, limiting the effect of the attack on the processing of normal packets. Once the minimum traffic level is reached (the minimum is set relative to the port's traffic in a normal period and defaults to 5%), no further reduction is made and the port state is monitored in real time. When the matching degree between the packet flow of the abnormal node and the vector path migration model recovers to above the threshold, the traffic limit of the port is adjusted to twice the value set in the previous period, gradually restoring its ingress capacity until the maximum traffic threshold allowed for the port is reached.
This defence algorithm does its best to avoid node black holes, that is, "unrecoverable anomalies". A node black hole is the situation in which a node whose ingress was restricted by the system because of abnormal behaviour returns to a normal state after some time, yet the effect of the historical anomaly cannot be cleared and normal ingress cannot be restored.
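The matching and back-off procedure of steps S204 to S213 and of the worked example above, written out as an added Python example that is not part of the patent: the node names follow FIG. 2, the thresholds and ratios are chosen inside the ranges the text gives, and the PortLimiter and handle_packet API, the packets-per-second unit and the sample packet trace are assumptions made for the example.

```python
"""Added example (not the patent's code): ordered node-path matching plus a
per-port binary exponential back-off of the allowed ingress traffic."""
from dataclasses import dataclass, field

# Reference (learned) path per service type: the node sequence traversed by the
# first packet of that type seen passing through the network element.  Node
# names follow FIG. 2 of the text.
REFERENCE_PATHS = {
    "A": ["CCU", "MDU", "MIU", "SIG", "CSU", "IFU"],
    "B": ["CCU", "CSU", "MIU", "MDU", "SIG", "IFU"],
}


def match_degree(reference, observed):
    """Position-wise path matching degree in [0, 1].

    Both paths are already in traversal order, so node i of one path
    corresponds to node i of the other.  The degree is the number of positions
    holding the same node divided by the longer path length, so a packet that
    skips or visits extra nodes is penalised as well as one that visits them
    out of order (the text's swapped 3rd/4th node case gives 4/6).
    """
    if not reference:
        raise ValueError("reference path must not be empty")
    length = max(len(reference), len(observed))
    same = sum(1 for ref, obs in zip(reference, observed) if ref == obs)
    return same / length


@dataclass
class PortLimiter:
    """Binary exponential back-off of one port's allowed ingress traffic.

    Units are packets per second (assumed).  Defaults sit inside the ranges the
    text gives: anomaly threshold 60-70 %, recovery threshold 70-80 %, reduction
    ratio 1/5..1/2, growth ratio 2..5.  The gap between the two thresholds is
    the hysteresis that keeps the limiter from flapping on borderline traffic.
    """
    max_allowed: float
    min_allowed: float
    low_threshold: float = 0.70
    high_threshold: float = 0.80
    reduce_ratio: float = 0.5
    grow_ratio: float = 2.0
    allowed: float = field(init=False)

    def __post_init__(self):
        if not 0 < self.min_allowed <= self.max_allowed:
            raise ValueError("need 0 < min_allowed <= max_allowed")
        if not self.low_threshold < self.high_threshold:
            raise ValueError("recovery threshold must exceed anomaly threshold")
        self.allowed = self.max_allowed

    def update(self, degree, observed_peak=None):
        """Apply one observation and return the new allowed ingress traffic.

        observed_peak is the port's highest actual ingress rate while the packet
        passed through; when the port is already limited it equals the current
        allowance, which gives the plain halving/doubling of the text's example.
        """
        base = self.allowed if observed_peak is None else observed_peak
        if degree <= self.low_threshold:
            # anomaly: shrink, but never below the floor that avoids a node black hole
            self.allowed = max(self.min_allowed, base * self.reduce_ratio)
        elif degree > self.high_threshold:
            # attack gone: grow back, but never above the port's ceiling
            self.allowed = min(self.max_allowed, base * self.grow_ratio)
        # a degree between the two thresholds leaves the allowance unchanged
        return self.allowed


def handle_packet(paths, limiter, service_type, observed_path, observed_peak=None):
    """Classify one packet against the learned path of its service type and
    adjust the receiving port's limiter.  Returns (degree, allowed).

    A service type with no stored path is the first of its kind: its path is
    learned as the reference and the packet is treated as matching fully.
    """
    reference = paths.get(service_type)
    if reference is None:
        paths[service_type] = list(observed_path)
        return 1.0, limiter.allowed
    degree = match_degree(reference, observed_path)
    return degree, limiter.update(degree, observed_peak)


if __name__ == "__main__":
    # Constructed trace: type-A packets at one port with a 1000 pps ceiling and
    # a 5 % floor; the attack packets have the 3rd and 4th nodes swapped.
    port = PortLimiter(max_allowed=1000.0, min_allowed=50.0)
    normal = ["CCU", "MDU", "MIU", "SIG", "CSU", "IFU"]
    swapped = ["CCU", "MDU", "SIG", "MIU", "CSU", "IFU"]
    for path in [swapped] * 6 + [normal] * 6:
        degree, allowed = handle_packet(REFERENCE_PATHS, port, "A", path)
        print(f"degree={degree:.3f} allowed={allowed:.1f}")
```

Run stand-alone, the trace shows the allowance halving 1000 -> 500 -> 250 -> 125 -> 62.5 -> 50 and stopping at the floor, then doubling back to 1000 once packets match the learned path again; the floor is what keeps a port that was attacked from becoming a node black hole, because it can never be throttled to zero.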
We constructed packet flows whose protocol type was legitimate but whose service type was abnormal, and used them to flood the system at high volume in order to observe its anomaly defence capability. FIG. 4 compares the defence effect against service-packet attacks: the abscissa is the attack intensity (packets per second) and the ordinate is the system load (shown as CPU utilisation in percent; the utilisation of other key resources can be used instead). Curve 1 is the defence effect of a generic defence policy, namely a standalone firewall unit with the traffic-attack related configuration enabled; curve 2 is the adaptive anti-attack method of this embodiment. It is evident that the adaptive anti-attack method of this embodiment effectively reduces the impact of abnormal attack packets on the system and preserves service access and stable operation on normal ports.
According to the adaptive anti-attack method provided by this embodiment of the present invention, the nodes traversed in chronological order inside the network element system by a packet received from a port are matched against the nodes traversed by the packet of the same service type that first passed through the network element system, to obtain a path matching degree; whether the received packet is abnormal is determined from that matching degree, and if it is abnormal the allowed ingress traffic of the receiving port is reduced step by step. This provides adaptive defence against abnormal packets, removes the laborious manual configuration of a firewall, and improves the dynamic identification and interception of network attacks; and when the matching degree is observed to increase, the allowed ingress traffic of the port can be restored quickly, avoiding instability of the network element system.
Referring to FIG. 5, a schematic flowchart of yet another adaptive anti-attack method provided by an embodiment of the present invention, the method comprises the following steps:
Step S301: Receive a second packet from a first port of a network element system, where the network element system comprises at least one port, the first port is one of the at least one port, and the network element system comprises a plurality of nodes inside.
This step is the same as step S101 or S201 of the embodiment shown in FIG. 1 or FIG. 3 and is not described again here.
Step S302: Obtain a pre-stored first path according to the service type of the second packet, and obtain the traffic of each of the n1 nodes comprised in the first path.
The step of obtaining the pre-stored first path is the same as step S102 or S202 of the embodiment shown in FIG. 1 or FIG. 3 and is not described again here. However, at the same time as or after obtaining the pre-stored first path, this embodiment additionally requires obtaining the traffic of each of the n1 nodes comprised in the first path. Packets traverse the nodes of the network element system in sequence, and the traffic of different packets at the same node may be the same or different.
Step S303: Obtain a second path, and obtain the traffic of each of the n2 nodes comprised in the second path.
The step of obtaining the second path is the same as step S103 or S203 of the embodiment shown in FIG. 1 or FIG. 3 and is not described again here. Likewise, at the same time as or after obtaining the second path, this embodiment additionally requires obtaining the traffic of each of the n2 nodes comprised in the second path.
Step S304: Normalise the traffic of each of the n1 nodes and of each of the n2 nodes.
Because traffic is a large numerical quantity, matching the traffic of every node directly is computationally expensive; the traffic of each of the n1 nodes and of each of the n2 nodes is therefore first normalised, as follows:
The traffic of each of the n1 nodes is normalised using the following formula (2):
[formula (2): rendered as image PCTCN2016073642-appb-000009 in the original and not reproduced here]
where f_x is the traffic of node x after normalisation, x ranges from 1 to n1, F_x is the traffic of node x, and the term rendered as image PCTCN2016073642-appb-000010 is the maximum traffic over the n1 nodes.
The traffic of each of the n2 nodes is normalised using the following formula (3):
[formula (3): rendered as image PCTCN2016073642-appb-000011 in the original and not reproduced here]
where f_y is the traffic of node y after normalisation, y ranges from 1 to n2, F_y is the traffic of node y, and the term rendered as image PCTCN2016073642-appb-000012 is the maximum traffic over the n2 nodes.
Taking service type A as an example, the statistical distribution of the per-node traffic characteristics under the normalised traffic algorithm is shown in FIG. 6.
Step S305: Match the traffic of each of the n2 nodes against the traffic of the corresponding node among the n1 nodes to determine whether the traffic distribution of the n2 nodes is the same as the traffic distribution of the n1 nodes, and thereby obtain the first matching degree between the second path and the first path.
Matching the traffic of each of the n2 nodes against the traffic of the corresponding node among the n1 nodes makes it possible to determine whether the traffic distribution over the n2 nodes is the same as that over the n1 nodes; the specific matching technique may follow the prior art. The first matching degree between the second path and the first path is obtained from the result.
Step S306: Compare the first matching degree with the first set threshold; if the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal packet.
Step S307: If the second packet is determined to be an abnormal packet, reduce the allowed ingress traffic of the first port to a first reduced value, which is the product of the maximum actual ingress traffic of the first port while the second packet passed through it and a first ratio; the first reduced value is not lower than the preset minimum allowed ingress traffic of the first port, and the first ratio lies in the range 1/5 to 1/2.
Step S308: Receive a third packet from the first port.
Step S309: Obtain a third path, and obtain the traffic of each of the n3 nodes comprised in the third path.
The third path is the path information traversed inside the network element system by the third packet when it passes through the network element system, and comprises at least one node that the third packet traverses inside the network element system in chronological order.
Step S310: If the service type of the third packet is the same as that of the first packet, match the traffic of each of the n3 nodes against the traffic of the corresponding node among the n1 nodes to determine whether the traffic distribution of the n3 nodes is the same as that of the n1 nodes, and thereby obtain a second matching degree between the third path and the first path.
Step S311: If the service type of the third packet is the same as that of a fourth packet, obtain a pre-stored fourth path, and obtain the traffic of each of the n4 nodes comprised in the fourth path.
Step S312: Match the traffic of each of the n3 nodes against the traffic of the corresponding node among the n4 nodes to determine whether the traffic distribution of the n3 nodes is the same as that of the n4 nodes, and thereby obtain a second matching degree between the third path and the fourth path.
Step S313: If the second matching degree is lower than or equal to the first set threshold, reduce the allowed ingress traffic of the first port to a second reduced value, which is the product of the maximum actual ingress traffic of the first port while the third packet passed through it and a second ratio; the second reduced value is not lower than the preset minimum allowed ingress traffic of the first port, and the second ratio lies in the range 1/5 to 1/2.
Step S314: If the second matching degree is higher than a second set threshold, increase the allowed ingress traffic of the first port to a first increased value, which is the product of the maximum actual ingress traffic of the first port while the third packet passed through it and a third ratio; the first increased value is not higher than the preset maximum allowed ingress traffic. The second set threshold is greater than the first set threshold and lies in the range 70% to 80%, and the third ratio lies in the range 2 to 5.
Steps S306 to S314 perform the determination of abnormal packets and the adjustment of the allowed ingress traffic of the port, and are similar to the preceding embodiment. The difference is that, to obtain the matching degree of a newly received packet, the traffic of each of the nodes of the network element system traversed by that packet is obtained and compared with the traffic of each of the nodes of the network element system traversed by the packet of the same service type that first passed through the network element system, so as to determine whether the two traffic distributions are the same and thereby obtain the path matching degree.
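Steps S304 and S305, as an added Python example that is not part of the patent: the normalisation divides each node's traffic by the maximum traffic over the path's nodes (the text defines f_x in terms of that maximum, and the division is an assumption), and the similarity measure, 1 minus the mean absolute difference of the normalised values, is likewise an assumption, since the text leaves the matching technique to the prior art. The per-node traffic samples are constructed for the example.

```python
"""Added example (not the patent's code): per-node traffic normalisation and
traffic-distribution matching for the second embodiment."""


def normalize_traffic(traffic):
    """Per-node traffic scaled so the busiest node of the path equals 1.0
    (f_x = F_x / max F; dividing by the maximum is an assumption)."""
    if not traffic:
        raise ValueError("path must contain at least one node")
    peak = max(traffic)
    if peak <= 0:
        return [0.0] * len(traffic)
    return [value / peak for value in traffic]


def distribution_match(reference_traffic, observed_traffic):
    """Matching degree in [0, 1] of two per-node traffic distributions.

    Nodes correspond by position along the path.  Both distributions are
    normalised first, so the comparison is about shape (how much each node
    carries relative to the busiest one), not absolute volume: a busy hour
    with five times the traffic still matches fully.  The degree is 1 minus
    the mean absolute difference of the normalised values; a node present on
    only one of the two paths counts as a full mismatch.
    """
    ref = normalize_traffic(reference_traffic)
    obs = normalize_traffic(observed_traffic)
    length = max(len(ref), len(obs))
    ref += [0.0] * (length - len(ref))
    obs += [0.0] * (length - len(obs))
    mean_diff = sum(abs(a - b) for a, b in zip(ref, obs)) / length
    return 1.0 - mean_diff


def is_abnormal(degree, threshold=0.70):
    """First-threshold check of step S306: lower than the threshold is abnormal.
    The default sits at the top of the 60-70 % range the text gives."""
    return degree < threshold


if __name__ == "__main__":
    # Constructed per-node traffic along the type-A path CCU MDU MIU SIG CSU IFU.
    learned = [1000, 1000, 800, 800, 800, 800]        # reference, first packet's period
    busy_hour = [5000, 5000, 4000, 4000, 4000, 4000]  # same shape, five times the volume
    flood = [5000, 5000, 5000, 5000, 0, 0]            # rejected at SIG, never reaches CSU/IFU
    for name, sample in [("busy_hour", busy_hour), ("flood", flood)]:
        degree = distribution_match(learned, sample)
        print(f"{name}: degree={degree:.3f} abnormal={is_abnormal(degree)}")
```

The flood sample is the case the second embodiment is built for: every packet still enters at CCU and its node sequence may look valid as far as it gets, but the traffic collapses after SIG, so the distribution match (about 0.667) falls below the threshold even though a pure node-sequence check would not necessarily flag it.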
According to the adaptive anti-attack method provided by this embodiment of the present invention, the traffic at the nodes traversed in chronological order inside the network element system by a packet received from a port is matched against the traffic at the nodes traversed by the packet of the same service type that first passed through the network element system, to obtain a path matching degree; whether the received packet is abnormal is determined from that matching degree, and if it is abnormal the allowed ingress traffic of the receiving port is reduced step by step. This provides adaptive defence against abnormal packets, removes the laborious manual configuration of a firewall, and improves the dynamic identification and interception of network attacks; and when the matching degree is observed to increase, the allowed ingress traffic of the port can be restored quickly, avoiding instability of the network element system.
The adaptive anti-attack apparatus provided by the embodiments of the present invention is described in detail below with reference to FIG. 7 to FIG. 9:
Referring to FIG. 7, a schematic structural diagram of an adaptive anti-attack apparatus provided by an embodiment of the present invention, the apparatus 1000 is located inside the network element system and is a monitoring apparatus independent of the service processing nodes of the network element system. The apparatus 1000 comprises:
A first receiving unit 11, configured to receive a second packet from a first port of the network element system, where the network element system comprises at least one port, the first port is one of the at least one port, and the network element system comprises a plurality of nodes inside.
The network element system in this embodiment may be any communication network element, such as a router, a switch or a Mobility Management Entity (MME). The network element system comprises a plurality of ports and a plurality of nodes inside. The first receiving unit 11 may receive, from any port, packets sent by other network element systems; a packet passes in turn through one or more nodes inside the network element system, each of which processes it, performing authentication, parsing and so on. The second packet here is generally a packet of its service type that is not the first to pass through the network element system.
A first obtaining unit 12, configured to obtain a pre-stored first path according to the service type of the second packet, where the first path is the path information traversed inside the network element system by a first packet when it passes through the network element system; the first path comprises at least one node that the first packet traverses inside the network element system in chronological order, and the first packet is the first packet to pass through the network element system among all packets of the same service type as the second packet.
Before the second packet is received, a third receiving unit (not shown) receives the first packet from any port of the network element system, and a seventh obtaining unit (not shown) obtains the first path traversed inside the network element system by the first packet as it passes through, and stores the first path; the first packet is the first packet to pass through the network element system. When a new service is registered, or the attributes of a service change, for example some configuration of the service is modified or the service version is upgraded, the service type changes when these packets pass through the service processing system, and the processing nodes or node path traversed inside the system may change as well; the path traversed by the service packets must then be relearned, that is, such a packet is treated as the first packet of its type to pass through the network element system. Accordingly, a newly registered service or a change of service attributes triggers obtaining the path information traversed inside the network element system by the first packet, which comprises the one or more nodes the packet traverses in chronological order. The path is stored, classified by service type, in the network element system, in a particular node, in a cloud server or the like. The first obtaining unit 12 can therefore obtain the first path for packets of a given service type according to the service type of the second packet.
FIG. 2 is a schematic diagram of packet vector paths. For each service type, the network element system has a corresponding sequence of node processing stages. Taking packets of service type A as an example, after a normal packet enters the network element system it has to pass through service stages such as authentication, registration and hierarchical processing, and its processing path is CCU -> MDU -> MIU -> SIG -> CSU -> IFU, where CCU, MDU, MIU, SIG, CSU and IFU are nodes inside the network element system. The processing path of packets of service type B is CCU -> CSU -> MIU -> MDU -> SIG -> IFU.
A packet is modelled as a direction vector diagram as follows:
a_{n+1} = p_1 a_n + p_2 a_{n-1} + p_3 a_{n-2} + ... + p_k a_{n-k+1}   ……formula (1)
where p_k indicates whether service packets of this type pass through the node concerned and takes the value 0 or 1, a_n is the node position of the packet at time n, and a_{n+1} is the expected path information of a normal packet at the next moment.
A second obtaining unit 13, configured to obtain a second path, which is the path information traversed inside the network element system by the second packet when it passes through the network element system; the second path comprises at least one node that the second packet traverses inside the network element system in chronological order.
The second obtaining unit 13 obtains the path information traversed by the second packet inside the network element system, that is, the second path: the second packet passes through one or more nodes inside the network element system in chronological order, and the information of the nodes traversed in sequence can be obtained.
A first matching unit 14, configured to match each node of the first path against the corresponding node of the second path to obtain the first matching degree between the second path and the first path.
Before node or path matching, the first matching unit 14 sorts the nodes of the first path and the nodes of the second path in chronological order, so that the node at a given position in the first path corresponds to the node at the same position in the second path; the first matching unit 14 then matches each node of the first path against the corresponding node of the second path to obtain the matching degree between the second path and the first path.
A comparing unit 15, configured to compare the first matching degree with a first set threshold and, if the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal packet, where the first set threshold is set according to the tolerance of the service type to bit error rate or communication delay.
Packets of some service types have a high tolerance of bit error rate or communication delay, so the order of the internal nodes of a network element system traversed by such a packet is allowed to differ somewhat from that of the packet that first passed through the system; packets of other service types have a low tolerance, and the order of the internal nodes traversed must differ little from that of the first packet. Different matching-degree thresholds are therefore set for different service types; if the matching degree between the path of the obtained second packet and the path of the first packet is lower than the threshold, the comparing unit 15 can determine that the second packet is an abnormal packet.
An adjusting unit 16, configured to reduce the allowed ingress traffic of the first port when the comparing unit 15 determines that the second packet is an abnormal packet.
When the second packet is determined to be an abnormal packet, the adjusting unit 16 reduces the allowed ingress traffic of the port that received it, which prevents abnormal packets from mounting a large-scale attack on the network element system.
According to the adaptive anti-attack apparatus provided by this embodiment of the present invention, the nodes traversed in chronological order inside the network element system by a packet received from a port are matched against the nodes traversed by the packet of the same service type that first passed through the network element system, to obtain a path matching degree; whether the received packet is abnormal is determined from that matching degree, and if it is abnormal the allowed ingress traffic of the receiving port is reduced. This provides adaptive defence against abnormal packets, removes the laborious manual configuration of a firewall, and improves the dynamic identification and interception of network attacks.
Referring to FIG. 8, which is a schematic structural diagram of another adaptive anti-attack apparatus according to an embodiment of the present invention, the apparatus 2000 includes:
A first receiving unit 20, configured to receive a second packet from a first port of a network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the network element system internally includes multiple nodes.
A first obtaining unit 21, configured to acquire, according to the service type of the second packet, a pre-stored first path, where the first path is the path information experienced inside the network element system when a first packet passes through the network element system, the first path includes at least one node that the first packet passes through, in chronological order, inside the network element system, and the first packet is, among all packets that have the same service type as the second packet and pass through the network element system, the packet that first passed through the network element system.
A second obtaining unit 22, configured to acquire a second path, where the second path is the path information experienced inside the network element system when the second packet passes through the network element system, and the second path includes at least one node that the second packet passes through, in chronological order, inside the network element system.
The functions of the first receiving unit 20, the first obtaining unit 21 and the second obtaining unit 22 are the same as those of the first receiving unit 11, the first obtaining unit 12 and the second obtaining unit 13 of the embodiment shown in FIG. 7, respectively, and are not described again here.
A first matching unit 23, configured to match each node included in the first path with the corresponding node included in the second path, to determine whether each node included in the first path is identical to the corresponding node included in the second path, and thereby obtain a first matching degree between the second path and the first path.
Before performing node or path matching, the first matching unit 23 sorts the at least one node included in the first path and the at least one node included in the second path in chronological order, so that the nodes occupying the same position in the first path and in the second path correspond to each other. The first matching unit 23 then matches each node included in the first path with the corresponding node included in the second path, to determine whether each node included in the first path is identical to the corresponding node included in the second path, and thereby obtain the matching degree between the second path and the first path.
Taking FIG. 2 as an example, service packets of service type A should normally pass through these nodes in sequence: CCU -> MDU -> MIU -> SIG -> CSU -> IFU. Suppose that the third and fourth nodes passed through by a currently detected service packet of that type differ from the normal order learned above; its matching degree is then considered to be 4/6 = 66.7%.
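The position-by-position comparison described above, as an added example that is not code from the patent: nodes are first ordered by the time at which the packet reached them, then compared index by index, and the matching degree is the number of matching positions divided by the path length. The node names and timestamps are constructed; the handling of paths of unequal length (missing positions count as mismatches, the longer length is the denominator) is an assumption, since the page only shows equal-length paths.

```python
"""Positional path matching of a packet's node sequence against the learned normal path."""
from __future__ import annotations

# Constructed sample: the learned normal path for service type A from the FIG. 2 example.
NORMAL_PATH_TYPE_A = ["CCU", "MDU", "MIU", "SIG", "CSU", "IFU"]


def path_from_trace(trace: list[tuple[float, str]]) -> list[str]:
    """Build the path from (timestamp, node) records, ordering nodes chronologically.

    Records may arrive out of order (e.g. collected from several nodes), so the
    sort is what establishes which position each node occupies.
    """
    return [node for _, node in sorted(trace, key=lambda record: record[0])]


def path_matching_degree(first_path: list[str], second_path: list[str]) -> float:
    """Return matched positions / path length for two chronologically ordered paths.

    Assumption: when lengths differ, positions beyond the shorter path are mismatches
    and the longer path's length is the denominator.
    """
    length = max(len(first_path), len(second_path))
    if length == 0:
        return 1.0  # assumption: two empty paths are trivially identical
    matched = sum(1 for a, b in zip(first_path, second_path) if a == b)
    return matched / length


def classify_packet(learned_path: list[str], trace: list[tuple[float, str]],
                    threshold: float) -> tuple[float, bool]:
    """Return (matching degree, is_abnormal); abnormal means degree below the threshold."""
    degree = path_matching_degree(learned_path, path_from_trace(trace))
    return degree, degree < threshold


if __name__ == "__main__":
    # Constructed trace: third and fourth nodes swapped relative to the learned path.
    observed = [(0.1, "CCU"), (0.2, "MDU"), (0.4, "MIU"), (0.3, "SIG"), (0.5, "CSU"), (0.6, "IFU")]
    for threshold in (0.65, 0.70):
        degree, abnormal = classify_packet(NORMAL_PATH_TYPE_A, observed, threshold)
        print(f"threshold {threshold:.2f}: degree {degree:.3f}, abnormal={abnormal}")
```

With the same 4/6 matching degree, a threshold of 65% accepts the packet while a threshold of 70% flags it, which is exactly why the page ties the threshold to the service type's tolerance.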
A comparing unit 24, configured to compare the first matching degree with a first set threshold and, if the first matching degree is lower than the first set threshold, to determine that the second packet is an abnormal packet, where the first set threshold is set according to the tolerance of the service type to bit error rate or communication delay.
An adjusting unit 25, configured to, when the second packet is determined to be an abnormal packet, reduce the allowed access traffic of the first port to a first reduced value.
Different matching degree thresholds are set for different service types according to their different tolerances to bit error rate or communication delay; the threshold takes a value in the range 60% to 70%. If the matching degree between the path of the obtained second packet and the path of the first packet is lower than the threshold, the comparing unit 24 may determine that the second packet is an abnormal packet.
If a service packet is determined to be abnormal, the adjusting unit 25 is triggered to adjust the allowed access traffic of the port that received the packet, so as to defend against packet attacks. Specifically, a packet flow whose matching degree is higher than the set threshold is determined to be legitimate and its access traffic is not controlled; a packet flow whose matching degree is lower than the set threshold is determined to be abnormal, the defense mechanism is started, and the allowed access traffic of the port is reduced. With less traffic allowed in, the attack by abnormal service packets on the system becomes correspondingly smaller.
In this embodiment the allowed access traffic of the port is reduced step by step, which can reduce the impact of short burst attacks on packets. Specifically, when the second packet is determined to be an abnormal packet, the allowed access traffic of the first port is reduced to a first reduced value, where the first reduced value is the product of the maximum actual access traffic of the first port while the second packet passed through the first port and a first ratio value; the first reduced value is not lower than the preset minimum allowed access traffic of the first port, and the first ratio value takes a value in the range 1/5 to 1/2.
After the adjusting unit reduces the allowed access traffic of the first port, a second receiving unit 26 is configured to receive a third packet from the first port.
A fifth obtaining unit 27, configured to acquire a third path, where the third path is the path information experienced inside the network element system when the third packet passes through the network element system, and the third path includes at least one node that the third packet passes through, in chronological order, inside the network element system.
The port continuously receives packets, and the service type of the third packet received by the second receiving unit 26 may be the same as or different from that of the first packet or the second packet. Likewise, the fifth obtaining unit 27 acquires the path information experienced inside the network element system when the third packet passes through it.
A second matching unit 28, configured to, when the service type of the third packet is the same as the service type of the first packet, match each node included in the third path with the corresponding node included in the first path, to obtain a second matching degree between the third path and the first path.
A sixth obtaining unit 29, configured to, when the service type of the third packet is the same as the service type of a fourth packet, acquire a pre-stored fourth path, where the fourth path is the path information experienced inside the network element system when the fourth packet passes through the network element system, the fourth path includes at least one node that the fourth packet passes through, in chronological order, inside the network element system, and the fourth packet is, among all packets that have the same service type as the third packet and pass through the network element system, the packet that first passed through the network element system.
The second matching unit 28 is further configured to match each node included in the third path with the corresponding node included in the fourth path, to obtain a second matching degree between the third path and the fourth path.
When calculating the matching degree of the newly received third packet, if the service type of the third packet is the same as that of the first packet, the second matching unit 28 matches the path of the third packet against the path of the first packet to obtain the second matching degree; if the service type of the third packet differs from that of the first packet, the path of the fourth packet, which has the same service type as the third packet and first passed through the network element system, is acquired, and the path of the third packet is matched against the path of the fourth packet to obtain the second matching degree.
The adjusting unit 25 is further configured to, when the second matching degree is lower than or equal to the first set threshold, reduce the allowed access traffic of the first port to a second reduced value, where the second reduced value is the product of the maximum actual access traffic of the first port while the third packet passed through the first port and a second ratio value; the second reduced value is not lower than the preset minimum allowed access traffic of the first port, and the second ratio value takes a value in the range 1/5 to 1/2.
If the matching degree of a newly received packet being monitored is still lower than or equal to the first set threshold, the allowed access traffic of the port is reduced again by a certain ratio.
It should be noted that the reduction of the allowed access traffic of the port is performed step by step, that is, the process is repeated in cycles, subject to the allowed access traffic of the port not falling below the preset minimum allowed access traffic of the first port.
The adjusting unit 25 is further configured to, when the second matching degree is higher than a second set threshold, increase the allowed access traffic of the first port to a first increased value, where the first increased value is the product of the maximum actual access traffic of the first port while the third packet passed through the first port and a third ratio value; the first increased value is not higher than the preset maximum allowed access traffic; the second set threshold is greater than the first set threshold, the second set threshold takes a value in the range 70% to 80%, and the third ratio value takes a value in the range 2 to 5.
If, however, the matching degree of a newly received packet being monitored is higher than the second set threshold, the allowed access traffic of the port is restored, and the restoration is performed step by step, similarly to the step-by-step reduction of the allowed access traffic of the port.
As an example, the defense implementation adopts a binary exponential backoff algorithm, which effectively limits the traffic of an abnormal access port while maintaining a minimum traffic level, so that when the attack behaviour on the port disappears, recovery from the abnormal state is automatic.
Specifically, when the matching degree between the packet flow entering the system from a port and the vector path migration model is lower than the threshold, the allowed access traffic of the port is decremented to 1/2 of the threshold set in the previous period, suppressing the impact of the abnormal attack on the system's processing of normal packets. Once the minimum traffic level is reached (the minimum traffic level is set with reference to the traffic of the port during a normal period, and defaults to 5%), no further reduction is made and the state of the port is monitored in real time. When the matching degree between the packet flow of that abnormal node and the vector path migration model recovers to above the threshold, the traffic limit of the port is adjusted to twice the threshold set in the previous period, gradually restoring its access capability until the maximum traffic threshold allowed for the port is reached.
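The step-by-step limit adjustment described in this embodiment, as an added example that is not the patent's own code: per monitoring period the controller takes the matching degree and the port's peak actual traffic, reduces the limit to peak x ratio (clamped at the preset minimum) when the degree is at or below the first threshold, raises it to peak x ratio (clamped at the preset maximum) when the degree is above the second threshold, and holds it in between. The concrete constants (thresholds 65% and 75%, ratios 1/2 and 2, minimum 5% of the maximum) are constructed from the ranges the page gives; the guards that a reduction never raises the limit and a restoration never lowers it are assumptions. Under port saturation (peak equal to the current limit) the reduction step halves the previous period's limit, which is the binary exponential backoff described above.

```python
"""Step-by-step port traffic control driven by the path matching degree."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PortRateLimiter:
    """Adjusts one port's allowed access traffic once per monitoring period.

    Defaults are constructed for this example; the page gives only ranges
    (first threshold 60%..70%, second 70%..80%, reduce ratio 1/5..1/2, restore
    ratio 2..5). Ratios 1/2 and 2 give binary exponential backoff and recovery.
    """
    max_allowed: float             # preset highest allowed access traffic (e.g. packets/s)
    min_allowed: float             # preset lowest allowed access traffic (page default: 5%)
    reduce_threshold: float = 0.65  # first set threshold (constructed value)
    restore_threshold: float = 0.75  # second set threshold, must exceed the first
    reduce_ratio: float = 0.5      # first/second ratio value (constructed value)
    restore_ratio: float = 2.0     # third ratio value (constructed value)
    allowed: float = field(init=False)

    def __post_init__(self) -> None:
        if not 0 < self.min_allowed <= self.max_allowed:
            raise ValueError("need 0 < min_allowed <= max_allowed")
        if not self.reduce_threshold < self.restore_threshold:
            raise ValueError("second set threshold must exceed the first")
        self.allowed = self.max_allowed  # start unrestricted

    def update(self, matching_degree: float, observed_peak: float) -> float:
        """Apply one period's decision and return the new allowed access traffic.

        observed_peak is the port's maximum actual access traffic while the
        monitored packet passed through it, the base value the page defines.
        """
        if matching_degree <= self.reduce_threshold:
            target = max(self.min_allowed, observed_peak * self.reduce_ratio)
            self.allowed = min(self.allowed, target)  # assumption: never raise on reduction
        elif matching_degree > self.restore_threshold:
            target = min(self.max_allowed, observed_peak * self.restore_ratio)
            self.allowed = max(self.allowed, target)  # assumption: never lower on restoration
        # Between the two thresholds the limit is held (hysteresis band).
        return self.allowed


def simulate(limiter: PortRateLimiter, periods: list[tuple[float, float]]) -> list[float]:
    """Feed (matching_degree, observed_peak) pairs through the limiter; return the limit after each."""
    return [limiter.update(degree, peak) for degree, peak in periods]


if __name__ == "__main__":
    lim = PortRateLimiter(max_allowed=1000.0, min_allowed=50.0)
    # Constructed periods: a saturating attack, one quiet period, then clean traffic.
    attack = [(0.50, 1000.0), (0.50, 500.0), (0.50, 250.0), (0.50, 125.0), (0.50, 62.5), (0.50, 50.0)]
    quiet = [(0.70, 50.0)]
    recover = [(0.90, 50.0), (0.90, 100.0), (0.90, 200.0), (0.90, 400.0), (0.90, 800.0)]
    print(simulate(lim, attack + quiet + recover))
```

The trace shows the two properties the page asks for: the limit halves each period until the 5% floor stops it (no further reduction, no black hole), and once the matching degree rises above the second threshold it doubles back up to the preset maximum; a degree inside the band between the thresholds changes nothing.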
This defense algorithm does its best to avoid node black holes, that is, "unrecoverable abnormalities". A node black hole is the situation in which a node whose access has been restricted by the system because of abnormal behaviour cannot, after returning to a normal state some time later, shed the influence of its abnormal history and recover normal access to the system.
We constructed packet flows with a legitimate protocol type but an abnormal service type and subjected the system to high-volume traffic to observe its defense capability against abnormalities. FIG. 4 is a comparison diagram of the defense effect against service packet attacks: the abscissa is the attack packet intensity (unit: packets per second), and the ordinate is the load level of the system (shown as CPU usage in percent; the usage of other key resources may also be used as the measure). Curve 1 is the defense effect against service packet attacks using a generic defense policy, namely an independent firewall unit with its traffic attack related configuration enabled; curve 2 uses the adaptive anti-attack method of this embodiment. It can clearly be seen that the adaptive anti-attack method of this embodiment effectively reduces the impact of abnormal attack packets on the system and ensures service access and smooth operation on normal ports.
An adaptive anti-attack apparatus according to an embodiment of the present invention matches the nodes that a packet received from a port passes through, in chronological order, inside the network element system against the nodes passed through by the packet of the same service type that first passed through the network element system, obtains a path matching degree, determines from that matching degree whether the received packet is an abnormal packet and, when the packet is abnormal, reduces step by step the allowed access traffic of the port that received it. This achieves adaptive attack defense against abnormal packets, eliminates the cumbersome manual configuration of a firewall, and effectively improves the dynamic identification and interception of network attacks; moreover, when an increase in the matching degree is monitored, the allowed access traffic of the port can be quickly restored, avoiding instability of the network element system.
Referring to FIG. 9, which is a schematic structural diagram of yet another adaptive anti-attack apparatus according to an embodiment of the present invention, the apparatus 3000 includes:
A first receiving unit 31, configured to receive a second packet from a first port of a network element system, where the network element system includes at least one port, the first port is one of the at least one port, and the network element system internally includes multiple nodes.
The first receiving unit 31 has the same function as the first receiving unit 11 shown in FIG. 7 or the first receiving unit 20 shown in FIG. 8, and is not described again here.
A first obtaining unit 32, configured to acquire a pre-stored first path according to the service type of the second packet.
A third obtaining unit 33, configured to acquire the traffic of each of the n1 nodes included in the first path.
While or after the first obtaining unit 32 acquires the pre-stored first path, this embodiment further requires the third obtaining unit 33 to acquire the traffic of each of the n1 nodes included in the first path. Packets pass through the nodes of the network element system in sequence, and the traffic of different packets at the same node may be the same or different.
After the third obtaining unit acquires the traffic of each of the n1 nodes included in the first path, a first normalization processing unit 34 is configured to normalize the traffic of each of the n1 nodes separately.
Since traffic is a large numerical value, matching the traffic of each node directly involves a large amount of computation. Therefore, the traffic of each of the n1 nodes may first be normalized separately, as follows:
The traffic of each of the n1 nodes is normalized separately using the following formula (2):
Formula (2) (image not reproduced on this page)
where f_x is the traffic of node x after normalization, x takes values from 1 to n1, F_x is the traffic of node x, and the remaining term of formula (2) (its symbol is not reproduced on this page) is the maximum value of the traffic of the n1 nodes.
A second obtaining unit 35, configured to acquire a second path.
A fourth obtaining unit 36, configured to acquire the traffic of each of the n2 nodes included in the second path.
Similarly, while or after the second obtaining unit 35 acquires the second path, this embodiment further requires the fourth obtaining unit 36 to acquire the traffic of each of the n2 nodes included in the second path.
After the fourth obtaining unit acquires the traffic of each of the n2 nodes included in the second path, a second normalization processing unit 37 is configured to normalize the traffic of each of the n2 nodes separately.
The traffic of each of the n2 nodes is normalized separately using the following formula (3):
Formula (3) (image not reproduced on this page)
Taking service type A as an example, the statistical distribution of the traffic characteristics of its nodes, based on the normalized traffic algorithm, is shown in FIG. 6.
A first matching unit 38, configured to match the traffic of each of the n2 nodes with the traffic of the corresponding node among the n1 nodes, to determine whether the traffic distribution of the n2 nodes is the same as the traffic distribution of the n1 nodes, and thereby obtain a first matching degree between the second path and the first path.
The first matching unit 38 matches the traffic of each of the n2 nodes with the traffic of the corresponding node among the n1 nodes, so that it can be determined whether the traffic distribution of the n2 nodes is the same as that of the n1 nodes. The specific matching technique may follow the prior art for determining whether the traffic distribution of the n2 nodes is the same as that of the n1 nodes, from which the first matching degree between the second path and the first path is obtained.
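The normalization and distribution comparison of this embodiment, as an added example that is not the patent's own code. Formulas (2) and (3) are not reproduced on the page; the normalization used here, dividing each node's traffic by the maximum traffic among the path's nodes, is an assumption consistent with the page's definitions of f_x, F_x and the maximum term. The page leaves the distribution comparison to the prior art, so the matching degree used here (one minus the mean absolute difference of the normalized per-node values) is chosen for illustration, and the per-node traffic figures are constructed.

```python
"""Per-node traffic normalization and traffic-distribution matching for two paths."""
from __future__ import annotations


def normalize_traffic(traffic: list[float]) -> list[float]:
    """Return f_x = F_x / max(F) for every node (assumption, see lead-in).

    A path with no traffic at all (max == 0) normalizes to all zeros instead of
    dividing by zero; negative counts are rejected as invalid input.
    """
    if any(value < 0 for value in traffic):
        raise ValueError("traffic counts cannot be negative")
    peak = max(traffic, default=0.0)
    if peak == 0:
        return [0.0 for _ in traffic]
    return [value / peak for value in traffic]


def distribution_matching_degree(learned: list[float], observed: list[float]) -> float:
    """Compare two per-node traffic distributions after normalization.

    Degree = 1 - mean |f_observed - f_learned| over the node positions (illustrative
    choice). Paths of unequal length are padded with zero traffic, so a missing or
    extra node counts against the match.
    """
    f_learned = normalize_traffic(learned)
    f_observed = normalize_traffic(observed)
    n = max(len(f_learned), len(f_observed))
    if n == 0:
        return 1.0  # assumption: two empty distributions are identical
    f_learned += [0.0] * (n - len(f_learned))
    f_observed += [0.0] * (n - len(f_observed))
    mean_diff = sum(abs(a - b) for a, b in zip(f_learned, f_observed)) / n
    return 1.0 - mean_diff


def is_abnormal(learned: list[float], observed: list[float], threshold: float) -> bool:
    """Abnormal when the distribution matching degree falls below the first set threshold."""
    return distribution_matching_degree(learned, observed) < threshold


if __name__ == "__main__":
    # Constructed per-node traffic along CCU -> MDU -> MIU -> SIG -> CSU -> IFU.
    learned = [100.0, 80.0, 60.0, 40.0, 20.0, 10.0]
    same_shape_bigger = [1000.0, 800.0, 600.0, 400.0, 200.0, 100.0]  # same shape, 10x volume
    reversed_shape = [10.0, 20.0, 40.0, 60.0, 80.0, 100.0]
    for name, observed in (("scaled", same_shape_bigger), ("reversed", reversed_shape)):
        print(name, round(distribution_matching_degree(learned, observed), 3),
              "abnormal" if is_abnormal(learned, observed, 0.65) else "legitimate")
```

Because both sides are divided by their own maximum, a flow with the same shape at ten times the volume still matches perfectly; what the comparison detects is a change in how traffic is spread across the nodes, not a change in overall rate, which is what the port rate limit handles separately.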
比较单元39,用于将所述第一匹配度与第一设定阈值进行比较,若所述第一匹配度低于所述第一设定阈值,则确定所述第二报文为异常报文。The comparing unit 39 is configured to compare the first matching degree with the first set threshold, and if the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal report Text.
调整单元40,用于在确定所述第二报文为异常报文的情况下,将所述第一端口的允许接入流量减小为第一缩小值,所述第一缩小值为所述第二报文经过所述第一端口的过程中,所述第一端口的实际接入流量的最大值与第一比例值的乘积,其中,所述第一缩小值不低于预设的所述第一端口的最低允许接入流量,所述第一比例值的取值范围为1/5~1/2。The adjusting unit 40 is configured to reduce, when the second packet is an abnormal packet, the allowed access traffic of the first port to a first reduced value, where the first reduced value is The first packet is passed through the first port, and the maximum value of the actual access traffic of the first port is a product of a first ratio, where the first reduction value is not lower than a preset location. The minimum allowable access traffic of the first port, where the first ratio value ranges from 1/5 to 1/2.
在所述调整单元减小所述第一端口的允许接入流量之后,第二接收单元41,用于自所述第一端口接收第三报文。After the adjusting unit reduces the allowed access traffic of the first port, the second receiving unit 41 is configured to receive the third packet from the first port.
第五获取单元42,用于获取第三路径,并获取所述第三路径包括的n3个节点中每一节点的流量。The fifth obtaining unit 42 is configured to acquire a third path, and acquire traffic of each of the n3 nodes included in the third path.
所述第三路径为所述第三报文通过所述网元系统时,在所述网元系统内部经历的路径信息,所述第三路径包括所述第三报文在所述网元系统内部按照时间的先后顺序经过的至少一个节点。The third path is path information that is experienced in the network element system when the third packet passes through the network element system, and the third path includes the third packet in the network element system. At least one node that passes internally in chronological order.
第二匹配单元43,用于在所述第三报文的业务类型和所述第一报文的业务类型相同的情况下,将所述n3个节点中每一节点的流量分别与所述n1个节点中的相应节点的流量进行匹配,以确定所述n3个节点的流量分布与所述n1个节点的流量分布是否相同,进而获取所述第三路径和所述第一路径的第二匹配度。The second matching unit 43 is configured to: when the service type of the third packet is the same as the service type of the first packet, the traffic of each node of the n3 nodes is respectively associated with the n1 The traffic of the corresponding one of the nodes is matched to determine whether the traffic distribution of the n3 nodes is the same as the traffic distribution of the n1 nodes, and the second matching of the third path and the first path is obtained. degree.
第六获取单元44,用于在所述第三报文的业务类型和第四报文的业务类 型相同的情况下,获取预先存储的第四路径,并获取所述第四路径包括的n4个节点中每一节点的流量。The sixth obtaining unit 44 is configured to: service type of the third packet and a service class of the fourth packet In the case of the same type, the pre-stored fourth path is acquired, and the traffic of each of the n4 nodes included in the fourth path is acquired.
第二匹配单元43还用于将所述n3个节点中每一节点的流量分别与所述n4个节点中的相应节点的流量进行匹配,以确定所述n3个节点的流量分布与所述n4个节点的流量分布是否相同,进而获取所述第三路径和所述第四路径的第二匹配度。The second matching unit 43 is further configured to match traffic of each of the n3 nodes with traffic of a corresponding one of the n4 nodes to determine a traffic distribution of the n3 nodes and the n4 Whether the traffic distributions of the nodes are the same, and the second matching degree of the third path and the fourth path is obtained.
调整单元40还用于在所述第二匹配度低于或者等于所述第一设定阈值的情况下,将所述第一端口的允许接入流量减小为第二缩小值,所述第二缩小值为所述第三报文经过所述第一端口的过程中,所述第一端口的实际接入流量的最大值与第二比例值的乘积,其中,所述第二缩小值不低于预设的所述第一端口的最低允许接入流量,所述第二比例值的取值范围为1/5~1/2。The adjusting unit 40 is further configured to reduce the allowed access traffic of the first port to a second reduced value if the second matching degree is lower than or equal to the first set threshold, where The second reduction value is a product of a maximum value of the actual access traffic of the first port and a second ratio value in the process of the third packet passing through the first port, where the second reduction value is not The minimum allowable access traffic of the first port is lower than the preset, and the second ratio value ranges from 1/5 to 1/2.
调整单元40还用于在所述第二匹配度高于第二设定阈值的情况下,将所述第一端口的允许接入流量增大为第一增大值,所述第一增大值为所述第三报文经过所述第一端口的过程中,所述第一端口的实际接入流量的最大值与第三比例值的乘积,其中,所述第一增大值不高于预设的最高允许接入流量;其中,所述第二设定阈值大于所述第一设定阈值,且所述第二设定阈值的取值范围为70%~80%,所述第三比例值的取值范围为2~5。The adjusting unit 40 is further configured to increase the allowed access traffic of the first port to a first increased value, where the second matching degree is higher than a second set threshold, the first increase The value is a product of a maximum value of the actual access traffic of the first port and a third ratio value in the process of the third packet passing through the first port, where the first increase value is not high. The preset maximum allowable access traffic; wherein the second set threshold is greater than the first set threshold, and the second set threshold ranges from 70% to 80%, the first The three-ratio value ranges from 2 to 5.
以上单元的功能为进行异常报文的判断和端口的允许接入流量的调整过程,与前述实施例类似,所不同的是,在获取新接收到的报文的匹配度时,是获取新接收到的报文所经过的网元系统中的多个节点中的每个节点的流量,将每个节点的流量与该业务类型的首次经过网元系统的报文所经过的网页系统中的多个节点的每个节点的流量进行比较,以确定其流量分布是否相同,从而获取路径的匹配度。The function of the above unit is to perform the process of determining the abnormal packet and the process of adjusting the allowed access traffic of the port, which is similar to the foregoing embodiment, except that when the matching degree of the newly received message is acquired, the new receiving is obtained. The traffic of each of the plurality of nodes in the network element system through which the received message passes, and the traffic of each node and the number of webpage systems that the first type of the service type passes through the message of the network element system The traffic of each node of each node is compared to determine whether the traffic distribution is the same, so as to obtain the matching degree of the path.
根据本发明实施例提供的一种自适应防攻击装置,通过将从端口接收到的报文在网元系统内部按照时间的先后顺序经过的节点,与和该报文的业务类型相同的、且首次经过网元系统的报文的经过的节点的流量进行匹配,获取路径的匹配度,根据该匹配度确定该接收到的报文是否为异常报文,在该报文为异常报文的情况下,逐级减小接收报文的端口的允许接入流量,从而达到对异常 报文的自适应防攻击,消除防火墙人工配置的繁琐操作环节,有效提升网络攻击的动态识别及拦截效果;并可在监控到匹配度增大时,可快速恢复端口的允许接入流量,避免网元系统的不稳定。According to an embodiment of the present invention, an adaptive attack defense device is configured to pass the packets received from the port in the sequence of time in the network element system, and the service type of the packet is the same as that of the packet. For the first time, the traffic passing through the packets of the NE system is matched, and the matching degree of the path is obtained. According to the matching degree, it is determined whether the received packet is an abnormal packet, and the packet is an abnormal packet. Down, stepping down the allowed access traffic of the port receiving the packet, thereby reaching the abnormality The adaptive anti-attack of the packet eliminates the cumbersome operation of the manual configuration of the firewall, effectively improves the dynamic identification and interception effect of the network attack, and can quickly restore the allowed access traffic of the port when the matching degree is increased. The instability of the network element system.
It should be noted that, for brevity, the foregoing method embodiments are all described as a series of combined actions; those skilled in the art will understand, however, that the present invention is not limited by the described order of actions, since according to the present invention certain steps may be performed in another order or concurrently. Further, those skilled in the art will also understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, each embodiment is described with its own emphasis; for parts not detailed in one embodiment, refer to the related description of the other embodiments.
From the description of the above embodiments, those skilled in the art will clearly understand that the present invention may be implemented in hardware, in firmware, or in a combination thereof. When implemented in software, the functions described above may be stored in, or transmitted as one or more instructions or code on, a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that a computer can access. By way of example and not limitation, a computer-readable medium may include random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. In addition, any connection may properly be termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using coaxial cable, fibre-optic cable, twisted pair, digital subscriber line (DSL) or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fibre-optic cable, twisted pair, DSL or wireless technologies such as infrared, radio and microwave are included in the definition of medium. As used in the present invention, disk and disc include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
In summary, the foregoing is merely a preferred embodiment of the technical solution of the present invention and is not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (29)

  1. An adaptive anti-attack method, characterized in that it comprises:
    receiving a second packet from a first port of a network element system, where the network element system comprises at least one port, the first port is one of the at least one port, and the network element system internally comprises a plurality of nodes;
    acquiring, according to the service type of the second packet, a pre-stored first path, where the first path is the path information experienced inside the network element system when a first packet passed through the network element system, the first path comprises at least one node that the first packet passed through inside the network element system in chronological order, and the first packet is, of all packets that have the same service type as the first packet and pass through the network element system, the packet that first passed through the network element system;
    acquiring a second path, where the second path is the path information experienced inside the network element system when the second packet passes through the network element system, and the second path comprises at least one node that the second packet passes through inside the network element system in chronological order;
    matching each node included in the first path with the corresponding node included in the second path, to obtain a first matching degree between the second path and the first path;
    comparing the first matching degree with a first set threshold, and if the first matching degree is lower than the first set threshold, determining that the second packet is an abnormal packet, where the first set threshold is set according to the tolerance of the service type to bit error rate or communication delay;
    in the case that the second packet is determined to be an abnormal packet, reducing the allowed access traffic of the first port.
  2. The method according to claim 1, characterized in that:
    when the at least one node included in the first path and the at least one node included in the second path are each sorted in chronological order, the node in the first path and the node in the second path that have the same ordinal position correspond to each other.
  3. The method according to claim 1 or 2, characterized in that:
    the first set threshold has a value in the range of 60% to 70%.
  4. The method according to any one of claims 1 to 3, characterized in that, before receiving the second packet from the first port of the network element system, the method further comprises:
    receiving the first packet from any port of the network element system;
    acquiring the first path experienced inside the network element system when the first packet passes through the network element system, and storing the first path.
  5. The method according to any one of claims 1 to 4, characterized in that matching each node included in the first path with the corresponding node included in the second path to obtain the first matching degree between the second path and the first path specifically comprises:
    matching each node included in the first path with the corresponding node included in the second path to determine whether each node included in the first path is the same as the corresponding node included in the second path, and thereby obtaining the first matching degree between the second path and the first path.
  6. The method according to any one of claims 1 to 4, characterized in that the first path comprises n1 nodes,
    and after acquiring the pre-stored first path, the method further comprises:
    acquiring the traffic of each of the n1 nodes included in the first path.
  7. The method according to claim 6, characterized in that the second path comprises n2 nodes,
    and after acquiring the second path, the method further comprises:
    acquiring the traffic of each of the n2 nodes included in the second path.
  8. The method according to claim 7, characterized in that matching each node included in the first path with the corresponding node included in the second path to obtain the first matching degree between the second path and the first path specifically comprises:
    matching the traffic of each of the n2 nodes with the traffic of the corresponding node among the n1 nodes, to determine whether the traffic distribution of the n2 nodes is the same as the traffic distribution of the n1 nodes, and thereby obtaining the first matching degree between the second path and the first path.
  9. The method according to claim 6, characterized in that, after acquiring the traffic of each of the n1 nodes included in the first path, the method further comprises:
    normalizing the traffic of each of the n1 nodes using the following formula:
    Figure PCTCN2016073642-appb-100001
    where f_x is the traffic of node x after normalization, x ranges from 1 to n1, F_x is the traffic of node x, and
    Figure PCTCN2016073642-appb-100002
    is the maximum value of the traffic of the n1 nodes.
  10. The method according to claim 7, characterized in that, after acquiring the traffic of each of the n2 nodes included in the second path, the method further comprises:
    normalizing the traffic of each of the n2 nodes using the following formula:
    Figure PCTCN2016073642-appb-100003
    where f_y is the traffic of node y after normalization, y ranges from 1 to n2, F_y is the traffic of node y, and
    Figure PCTCN2016073642-appb-100004
    is the maximum value of the traffic of the n2 nodes.
  11. The method according to any one of claims 1 to 10, characterized in that reducing the allowed access traffic of the first port from the moment the second packet is determined to be an abnormal packet specifically comprises:
    in the case that the second packet is determined to be an abnormal packet, reducing the allowed access traffic of the first port to a first reduced value, where the first reduced value is the product of the maximum actual access traffic of the first port while the second packet passed through the first port and a first ratio value, the first reduced value is not lower than a preset minimum allowed access traffic of the first port, and the first ratio value is in the range of 1/5 to 1/2.
  12. The method according to any one of claims 1 to 11, characterized in that, after reducing the allowed access traffic of the first port from the moment the second packet is determined to be an abnormal packet, the method further comprises:
    receiving a third packet from the first port;
    acquiring a third path, where the third path is the path information experienced inside the network element system when the third packet passes through the network element system, and the third path comprises at least one node that the third packet passes through inside the network element system in chronological order.
  13. The method according to claim 12, characterized in that it further comprises:
    in the case that the service type of the third packet is the same as the service type of the first packet, matching each node included in the third path with the corresponding node included in the first path, to obtain a second matching degree between the third path and the first path; or,
    in the case that the service type of the third packet is the same as the service type of a fourth packet, acquiring a pre-stored fourth path, where the fourth path is the path information experienced inside the network element system when the fourth packet passed through the network element system, the fourth path comprises at least one node that the fourth packet passed through inside the network element system in chronological order, and the fourth packet is, of all packets that have the same service type as the third packet and pass through the network element system, the packet that first passed through the network element system; and matching each node included in the third path with the corresponding node included in the fourth path, to obtain a second matching degree between the third path and the fourth path.
  14. The method according to claim 13, characterized in that it further comprises:
    in the case that the second matching degree is lower than or equal to the first set threshold, reducing the allowed access traffic of the first port to a second reduced value, where the second reduced value is the product of the maximum actual access traffic of the first port while the third packet passed through the first port and a second ratio value, the second reduced value is not lower than the preset minimum allowed access traffic of the first port, and the second ratio value is in the range of 1/5 to 1/2.
  15. The method according to claim 13, characterized in that it further comprises:
    in the case that the second matching degree is higher than a second set threshold, increasing the allowed access traffic of the first port to a first increased value, where the first increased value is the product of the maximum actual access traffic of the first port while the third packet passed through the first port and a third ratio value, and the first increased value is not higher than a preset maximum allowed access traffic; where the second set threshold is greater than the first set threshold, the second set threshold is in the range of 70% to 80%, and the third ratio value is in the range of 2 to 5.
  16. An adaptive anti-attack apparatus, applied to a network element system, characterized in that it comprises:
    a first receiving unit, configured to receive a second packet from a first port of the network element system, where the network element system comprises at least one port, the first port is one of the at least one port, and the network element system internally comprises a plurality of nodes;
    a first acquiring unit, configured to acquire, according to the service type of the second packet, a pre-stored first path, where the first path is the path information experienced inside the network element system when a first packet passed through the network element system, the first path comprises at least one node that the first packet passed through inside the network element system in chronological order, and the first packet is, of all packets that have the same service type as the second packet and pass through the network element system, the packet that first passed through the network element system;
    a second acquiring unit, configured to acquire a second path, where the second path is the path information experienced inside the network element system when the second packet passes through the network element system, and the second path comprises at least one node that the second packet passes through inside the network element system in chronological order;
    a first matching unit, configured to match each node included in the first path with the corresponding node included in the second path, to obtain a first matching degree between the second path and the first path;
    a comparing unit, configured to compare the first matching degree with a first set threshold, and if the first matching degree is lower than the first set threshold, determine that the second packet is an abnormal packet, where the first set threshold is set according to the tolerance of the service type to bit error rate or communication delay;
    an adjusting unit, configured to reduce the allowed access traffic of the first port in the case that the comparing unit determines that the second packet is an abnormal packet.
  17. The apparatus according to claim 16, characterized in that:
    when the at least one node included in the first path and the at least one node included in the second path are each sorted in chronological order, the node in the first path and the node in the second path that have the same ordinal position correspond to each other.
  18. The apparatus according to claim 16 or 17, characterized in that:
    the first set threshold has a value in the range of 60% to 70%.
  19. The apparatus according to any one of claims 16 to 18, characterized in that the first matching unit is specifically configured to:
    match each node included in the first path with the corresponding node included in the second path to determine whether each node included in the first path is the same as the corresponding node included in the second path, and thereby obtain the first matching degree between the second path and the first path.
  20. The apparatus according to any one of claims 16 to 18, characterized in that the first path comprises n1 nodes,
    and the apparatus further comprises:
    a third acquiring unit, configured to acquire the traffic of each of the n1 nodes included in the first path.
  21. The apparatus according to claim 20, characterized in that the second path comprises n2 nodes,
    and the apparatus further comprises:
    a fourth acquiring unit, configured to acquire the traffic of each of the n2 nodes included in the second path.
  22. The apparatus according to claim 21, characterized in that the first matching unit is specifically configured to:
    match the traffic of each of the n2 nodes with the traffic of the corresponding node among the n1 nodes, to determine whether the traffic distribution of the n2 nodes is the same as the traffic distribution of the n1 nodes, and thereby obtain the first matching degree between the second path and the first path.
  23. The apparatus according to claim 20, characterized in that the apparatus further comprises:
    after the third acquiring unit acquires the traffic of each of the n1 nodes included in the first path,
    a first normalization processing unit, configured to normalize the traffic of each of the n1 nodes using the following formula:
    Figure PCTCN2016073642-appb-100005
    where f_x is the traffic of node x after normalization, x ranges from 1 to n1, F_x is the traffic of node x, and
    Figure PCTCN2016073642-appb-100006
    is the maximum value of the traffic of the n1 nodes.
  24. The apparatus according to claim 21, characterized in that the apparatus further comprises:
    after the fourth acquiring unit acquires the traffic of each of the n2 nodes included in the second path,
    a second normalization processing unit, configured to normalize the traffic of each of the n2 nodes using the following formula:
    Figure PCTCN2016073642-appb-100007
    where f_y is the traffic of node y after normalization, y ranges from 1 to n2, F_y is the traffic of node y, and
    Figure PCTCN2016073642-appb-100008
    is the maximum value of the traffic of the n2 nodes.
  25. The apparatus according to any one of claims 16 to 24, characterized in that the adjusting unit is specifically configured to:
    in the case that the second packet is determined to be an abnormal packet, reduce the allowed access traffic of the first port to a first reduced value, where the first reduced value is the product of the maximum actual access traffic of the first port while the second packet passed through the first port and a first ratio value, the first reduced value is not lower than a preset minimum allowed access traffic of the first port, and the first ratio value is in the range of 1/5 to 1/2.
  26. The apparatus according to any one of claims 16 to 25, characterized in that the apparatus further comprises:
    after the adjusting unit reduces the allowed access traffic of the first port,
    a second receiving unit, configured to receive a third packet from the first port;
    a fifth acquiring unit, configured to acquire a third path, where the third path is the path information experienced inside the network element system when the third packet passes through the network element system, and the third path comprises at least one node that the third packet passes through inside the network element system in chronological order.
  27. The apparatus according to claim 26, characterized in that it further comprises:
    a second matching unit, configured to, in the case that the service type of the third packet is the same as the service type of the first packet, match each node included in the third path with the corresponding node included in the first path, to obtain a second matching degree between the third path and the first path; or,
    the apparatus comprises:
    a sixth acquiring unit, configured to, in the case that the service type of the third packet is the same as the service type of a fourth packet, acquire a pre-stored fourth path, where the fourth path is the path information experienced inside the network element system when the fourth packet passed through the network element system, the fourth path comprises at least one node that the fourth packet passed through inside the network element system in chronological order, the service type of the fourth packet is the same as the service type of the third packet, and the fourth packet is, of all packets that have the same service type as the third packet and pass through the network element system, the packet that first passed through the network element system;
    and the second matching unit is configured to match each node included in the third path with the corresponding node included in the fourth path, to obtain a second matching degree between the third path and the fourth path.
  28. The apparatus according to claim 27, characterized in that the adjusting unit is further configured to:
    in the case that the second matching degree is lower than or equal to the first set threshold, reduce the allowed access traffic of the first port to a second reduced value, where the second reduced value is the product of the maximum actual access traffic of the first port while the third packet passed through the first port and a second ratio value, the second reduced value is not lower than the preset minimum allowed access traffic of the first port, and the second ratio value is in the range of 1/5 to 1/2.
  29. The apparatus according to claim 27, characterized in that the adjusting unit is further configured to:
    in the case that the second matching degree is higher than a second set threshold, increase the allowed access traffic of the first port to a first increased value, where the first increased value is the product of the maximum actual access traffic of the first port while the third packet passed through the first port and a third ratio value, and the first increased value is not higher than a preset maximum allowed access traffic; where the second set threshold is greater than the first set threshold, the second set threshold is in the range of 70% to 80%, and the third ratio value is in the range of 2 to 5.
PCT/CN2016/073642 2015-06-17 2016-02-05 Method of adaptively blocking network attack and device utilizing same WO2016201996A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510337388.9A CN104954376B (en) 2015-06-17 2015-06-17 A kind of adaptive anti-attack method and device
CN201510337388.9 2015-06-17

Publications (1)

Publication Number Publication Date
WO2016201996A1 true WO2016201996A1 (en) 2016-12-22

Family

ID=54168729

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/073642 WO2016201996A1 (en) 2015-06-17 2016-02-05 Method of adaptively blocking network attack and device utilizing same

Country Status (2)

Country Link
CN (1) CN104954376B (en)
WO (1) WO2016201996A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070192861A1 (en) * 2006-02-03 2007-08-16 George Varghese Methods and systems to detect an evasion attack
CN101714950A (en) * 2009-12-15 2010-05-26 中兴通讯股份有限公司 Method and device for realizing fault positioning
CN103746874A (en) * 2013-12-30 2014-04-23 华为技术有限公司 Method and equipment for IP (Internet protocol) FPM (flow performance monitor)
CN104954376A (en) * 2015-06-17 2015-09-30 华为技术有限公司 Self-adaptive anti-attack method and device

Also Published As

Publication number Publication date
CN104954376A (en) 2015-09-30
CN104954376B (en) 2018-03-06

US12021755B2 (en) Classification and forwarding of network traffic flows

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16810737

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16810737

Country of ref document: EP

Kind code of ref document: A1