WO2018121331A1 - Method, apparatus and server for determining a malicious request - Google Patents


Info

Publication number: WO2018121331A1
Authority: WO (WIPO, PCT)
Prior art keywords: blacklist, information, request, attack, expression
Application number: PCT/CN2017/117067
Other languages: English (en), Chinese (zh)
Inventors: 冯帅涛 (Feng Shuaitao), 杨洋 (Yang Yang), 向西西 (Xiang Xixi)
Original assignee: 阿里巴巴集团控股有限公司 (Alibaba Group Holding Limited)
Priority date: 2016-12-28 (the priority date is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Filing date: 2017-12-19
Publication date: 2018-07-05

Classifications

    • H04L 9/40 Network security protocols (H Electricity › H04 Electric communication technique › H04L Transmission of digital information, e.g. telegraphic communication › H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 63/1441 Countermeasures against malicious traffic (H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/14 Detecting or protecting against malicious traffic)
    • H04L 63/101 Access control lists [ACL] (H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/10 Controlling access to devices or network resources)

Definitions

  • The present application relates to the field of Internet security technologies, and in particular to a method, an apparatus and a server for determining an attack request.
  • In the prior art, a CC (Challenge Collapsar) attack, an application-layer HTTP flood, is detected by keeping statistics per IP (Internet Protocol) address: if an address exceeds an access threshold within a certain period, it is put on a blacklist and its requests are blocked by IP address.
  • This method can detect CC attacks in which a large volume of accesses comes from the same IP, but it cannot accurately identify CC attacks of the random-URI (Uniform Resource Identifier) type or the random-domain-name type; statistics kept from the IP angle alone are simplistic and not flexible enough.
  • An attacker who knows the IP-counting rule can reduce the request rate so that the number of accesses stays below the set threshold while the attack still does damage. Lowering the threshold in response raises the false-positive (mis-kill) rate, for example where many legitimate clients share one public address behind NAT (network address translation).
  • The present invention provides a method and a device for determining an attack request, to solve the problems of the prior art in which the attack request is determined only from the number of accesses by an IP address: that approach does not apply to CC attack types with a low per-IP access frequency, cannot accurately identify the various CC attack types, and has a high false-positive rate.
  • A method for determining an attack request, applied to a server, includes: receiving an access request; extracting first request information from the access request and matching it against information in preset blacklists of several types that support multiple matching parameters; and, when information in a blacklist of any type is matched successfully, determining that the access request is an attack request.
  • A device for determining an attack request, applied to a server, includes:
  • a receiving unit configured to receive an access request;
  • a matching unit configured to extract first request information from the access request and match it against information in preset blacklists of several types that support multiple matching parameters;
  • a first determining unit configured to determine that the access request is an attack request when information in a blacklist of any type is matched successfully.
  • A server including:
  • a transceiver module configured to receive an access request and extract the first request information from it;
  • a blocking module, coupled to the execution module, for matching the first request information against the preset information in the various types of blacklist that support multiple matching parameters, and for determining that the access request is an attack request when information in any type of blacklist is matched successfully.
  • An apparatus for determining an attack request, comprising a processor and a memory storing instructions executable by the processor, the processor being configured to: receive an access request; extract first request information from it and match that information against preset blacklists of several types that support multiple matching parameters; and determine that the access request is an attack request when information in a blacklist of any type is matched successfully.
  • A computer storage medium storing program instructions which, when executed, receive an access request, extract first request information from it, match that information against preset blacklists of several types that support multiple matching parameters, and determine that the access request is an attack request when information in a blacklist of any type is matched successfully.
  • FIG. 1 is a schematic diagram of a scenario of the method for determining an attack request of the present application.
  • FIG. 2 is a flow chart of an embodiment of the method for determining an attack request of the present application.
  • FIG. 3 is a block diagram of the modules of a server according to an embodiment of the present application.
  • FIG. 4 is a hardware structure diagram of the device in which the apparatus for determining an attack request of the present application is located.
  • FIG. 5 is a block diagram of an embodiment of the apparatus for determining an attack request according to the present application.
  • Although the terms first, second, third, etc. may be used in this application to describe various information, such information should not be limited to these terms; the terms only distinguish information of the same type from each other. Without departing from the scope of the present application, first information may also be referred to as second information, and second information as first information.
  • The word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
  • In the prior art, an IP address is determined from the received request and its access volume over a certain period is counted; if the volume exceeds a set threshold, an IP blacklist is generated from that address and its requests are blocked. This mode only blocks CC attacks in which the same IP address accesses frequently. An attacker can keep the number of accesses below the set threshold, so the mode does not apply to CC attack types whose per-IP access frequency is not high.
  • For example, repeated access to the URI of a large file fills the server's egress bandwidth with a small number of requests and affects user access; blocking by IP address alone in this case is likely to misjudge addresses that also access other URIs.
  • Likewise, domain-name attack requests against a CDN (Content Delivery Network) node can make the node query DNS (Domain Name System) frequently, so that even a small access volume (attack volume) may put DNS under pressure.
  • An embodiment of the present application provides a new method and apparatus for determining an attack request: various types of blacklist are generated from a preset expression and from request information and response information collected over a set time period, and received requests are judged and blocked on the basis of those blacklists.
  • Several targeted expressions can be configured according to the characteristics of each attack type, giving an effective defence against the various types of CC attack.
  • The embodiment may be applied to a server, which may be a physical or logical server, or two or more physical or logical servers that take on different responsibilities and cooperate to implement the server of the embodiment.
  • The embodiments of the present application do not limit the types of servers, the types and protocols of the communication networks between servers, and the like.
  • FIG. 1 is a schematic diagram of a scenario for determining an attack request according to an embodiment of the present application. It includes a server and n computers (a first computer, a second computer, and so on up to an Nth computer); the server receives requests from the n computers.
  • The process of determining an attack request, applied to the server, is shown in FIG. 2 and includes the following steps:
  • Step 201: Receive an access request.
  • The request may be an application-layer request such as an HTTP (Hyper Text Transfer Protocol) request, an rrt request or an mp request, and the requested content may be a web page, a video, a live broadcast, and the like. The HTTP request is taken as the example in the description below.
  • Step 202: Extract the first request information from the access request, and match it against the information in the various types of blacklist that support multiple matching parameters.
  • The server parses the received access request; the first request information obtained may include any one or more of the following parameters (the list is not exhaustive):
  • count: the number of accesses for the corresponding blacklist key (the blacklist key value, which can be understood as the matching parameter mentioned above).
  • uri_num: the number of times a given URI is accessed; it takes the URI as its argument, so uri_num for /a and uri_num for /b are separate counts.
  • status_count: the number of times a given status code is returned; takes the status code as its argument.
  • status_ratio: the ratio of the number of times a given status code is returned to the total number of accesses; takes the status code as its argument.
  • arg_num: the number of args (query parameters) carried in the request; takes an argument.
  • none_arg_ratio: the ratio of requests carrying no arg to the total number of requests; takes an argument.
  • The total number of requests is the number of requests received within the set time interval during the validity period of the blacklist.
  • cookie_num: the number of cookies in the request; takes an argument x, the number of cookies.
  • none_cookie_ratio: the ratio of requests carrying no cookie to the total number of requests; takes an argument.
  • req_header_num: the number of headers carried in the request; takes an argument.
  • none_req_header_ratio (also written none_header_ratio): the ratio of requests carrying no header to the total number of requests.
  • resp_header_num: the number of headers x carried in the response; takes an argument.
  • none_resp_header_ratio (the source spells this name inconsistently): the ratio of responses carrying no header to the total number of requests; takes an argument.
  • method_ratio: the ratio of requests submitted with a given method to the total number of requests; takes the method as its argument. The proportions of GET, DELETE, HEAD and PUT submissions can likewise each be computed against the total number of requests.
  • method_count: the number of requests submitted with a given method; takes the method as its argument.
  • req_traffic: the total traffic of requests, i.e. the traffic consumed by the requests received during the blacklist validity period.
  • resp_traffic: the total traffic of responses, i.e. the traffic consumed by the responses sent during the blacklist validity period.
  • The server presets blacklists that support multiple matching parameters, of several types rather than only the IP-address type of the prior art. Setting up the blacklists includes the following steps (not shown in FIG. 2):
  • Step 301: Parse the access requests received and/or the responses sent within the set time period, obtaining second request information and/or response information respectively.
  • The set time period may be the period delimited by the execution time interval of the expression that indicates the attack condition; for example, if the execution interval is 10 s, the set time period is the 10 s preceding the current time.
  • The second request information and the response information may be any one or more of the parameters listed under step 202.
  • Step 302: Based on the variables in the preset expression, extract the information corresponding to each variable from the second request information and/or the response information.
  • The expression is preset, is composed of variables and operators, and indicates an attack condition. Several types of expression may be set according to the types and characteristics of CC attacks, so that the blacklists generated later cover several CC attack types.
  • For each expression, the information of its variables is extracted from the second request information and/or the response information.
  • Operators may include, but are not limited to, comparison operators such as the > used in the example below.
  • This increases the flexibility of the statistics: the expression can be adjusted promptly to the type of attack and the actual situation, which makes accurate judgement of the various attacks easier and widens attack coverage, while combining status code, header and traffic information adds judgement dimensions and makes the result more accurate.
  • Step 303: Substitute the extracted information into the variables of the expression as input and perform the operation.
  • After extracting the information for all variables of the expression, the server substitutes it into those variables and evaluates the expression.
  • Step 304: When the result of the operation is that the attack condition is met, generate the blacklist according to the type of the parameters in the expression.
  • The expression indicates an attack condition. When the result is true, the information substituted into the variables meets the attack condition and the access requests corresponding to that information are very likely attack requests, so a blacklist is generated. When the result is negative (false), no blacklist is generated.
  • The blacklist is generated in advance rather than being counted and generated only after a request is received, so the determination itself is simple: it only checks whether the information in the access request exists in a blacklist. The method is therefore fast and does not prolong the response time of the access, which suits high-concurrency scenarios; it is also well suited to a distributed environment, where the HTTP information of the whole environment is counted and the coverage is wider.
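The Python below is an added illustration of steps 202 and 301 to 304 and is not code from the patent or from Alibaba. On a constructed window of access records it computes the per-key parameters of step 202, evaluates an operator-configured expression for every (blacklist type, key) pair, and emits the typed blacklists. Because the expression comes from a writable configuration interface, it is evaluated with a whitelisted AST walker rather than eval(). The record format, the sample addresses and hosts, the concrete header_x/cookie_x/arg_x choices (host, sid, id) and the thresholds in EXPRESSIONS are assumptions; the page gives neither its operator list nor complete parameter definitions, and only the parameters it defines clearly enough are implemented.

```python
import ast
import operator as op
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

def rec(ip, uri, status, resp_bytes, cookies=None):
    # One access-log record in a constructed sample format (not the patent's).
    return {"ip": ip, "method": "GET", "uri": uri, "status": status, "headers": {"host": "ww.cdn.com"},
            "cookies": cookies or {}, "req_bytes": 200, "resp_bytes": resp_bytes}

# One statistics window (constructed). Planted: 203.0.113.7 pulls a large file a few times
# (low rate, egress-filling); 198.51.100.9 probes random URIs that all 404; 192.0.2.10 is benign.
WINDOW = ([rec("203.0.113.7", "/big.iso", 200, 4_000_000)] * 4
          + [rec("198.51.100.9", f"/r/{i}", 404, 300) for i in range(6)]
          + [rec("192.0.2.10", "/index.html?id=7", 200, 9_000, {"sid": "u1"})] * 3)

# Blacklist type -> the request field that is its key. The patent's four types are ip,
# header_x, cookie_x and arg_x; the concrete x values (host, sid, id) are assumed here.
KEY_OF = {
    "ip": lambda r: r["ip"],
    "header_host": lambda r: r["headers"].get("host"),
    "cookie_sid": lambda r: r["cookies"].get("sid"),
    "arg_id": lambda r: parse_qs(urlsplit(r["uri"]).query).get("id", [None])[0],
}

def window_stats(recs):
    """Step 301: the step-202 parameters for the records that share one blacklist key."""
    n = len(recs)
    status, methods, uris = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in recs:
        status[r["status"]] += 1
        methods[r["method"].upper()] += 1
        uris[urlsplit(r["uri"]).path] += 1
    return {
        "count": n,
        "uri_num": lambda path: uris[path],
        "status_count": lambda code: status[code],
        "status_ratio": lambda code: status[code] / n,
        "none_arg_ratio": sum(not urlsplit(r["uri"]).query for r in recs) / n,
        "none_cookie_ratio": sum(not r["cookies"] for r in recs) / n,
        "method_count": lambda m: methods[m.upper()],
        "method_ratio": lambda m: methods[m.upper()] / n,
        "req_traffic": sum(r["req_bytes"] for r in recs),
        "resp_traffic": sum(r["resp_bytes"] for r in recs),
    }

_BIN = {ast.Add: op.add, ast.Sub: op.sub, ast.Mult: op.mul, ast.Div: op.truediv}
_CMP = {ast.Gt: op.gt, ast.GtE: op.ge, ast.Lt: op.lt, ast.LtE: op.le, ast.Eq: op.eq, ast.NotEq: op.ne}

def evaluate(expr, stats):
    """Steps 302-303: bind the expression's variables to the statistics and evaluate it.
    Rules come from an operator-facing configuration interface, so the expression is walked
    as a whitelisted AST and never handed to eval(): a writable rule store must not become
    code execution on the detection server."""
    def ev(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in stats or callable(stats[node.id]):
                raise ValueError(f"unknown or argument-taking variable: {node.id}")
            return stats[node.id]
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
            if not callable(stats.get(node.func.id)):
                raise ValueError(f"unknown function: {node.func.id}")
            return stats[node.func.id](*[ev(a) for a in node.args])
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN:
            return _BIN[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
            return _CMP[type(node.ops[0])](ev(node.left), ev(node.comparators[0]))
        if isinstance(node, ast.BoolOp):
            vals = [ev(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not ev(node.operand)
        raise ValueError(f"disallowed syntax: {type(node).__name__}")
    return bool(ev(ast.parse(expr, mode="eval").body))

def is_valid_expression(expr):
    # Config-time check: the rule parses and uses only whitelisted syntax and known names.
    try:
        return evaluate(expr, window_stats(WINDOW[:1])) in (True, False)
    except (ValueError, SyntaxError, TypeError):
        return False

# Operator-configured attack conditions (assumed thresholds): (blacklist type, expression).
EXPRESSIONS = [
    ("ip", "count >= 3 and resp_traffic > 10 * 1000 * 1000"),  # few requests, large egress
    ("ip", "count >= 5 and status_ratio(404) >= 0.9"),          # random-URI probing
    ("header_host", "count >= 50 and method_ratio('POST') > 0.8"),
]

def generate_blacklists(window, expressions):
    """Step 304: group by (type, key), evaluate that type's expressions, emit the hits."""
    groups = defaultdict(list)
    for r in window:
        for btype, key_of in KEY_OF.items():
            if (k := key_of(r)) is not None:
                groups[(btype, k)].append(r)
    hits = defaultdict(set)
    for (btype, k), recs in groups.items():
        stats = window_stats(recs)
        if any(t == btype and evaluate(e, stats) for t, e in expressions):
            hits[btype].add(k)
    return {t: sorted(keys) for t, keys in hits.items()}
```

Running generate_blacklists(WINDOW, EXPRESSIONS) lists both planted addresses under the ip type and nothing under header_host, cookie_sid or arg_id. Note that the low-rate large-file client is caught on four requests, which an IP-count threshold alone would never reach, and that is_valid_expression rejects attribute access, comprehensions and calls to anything outside the statistics table, so the configuration interface described later cannot be turned into an execution path.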
  • The blacklist is divided into four types, each corresponding to a matching parameter; that is, the blacklist supports four matching parameters: IP, header_x, cookie_x and arg_x.
  • For example, header_host ww.cdn.com denotes a blacklist in which the host in the request header (the domain name and port of the requested server) is ww.cdn.com.
  • There may be more blacklists than this.
  • When the first request information is matched against the preset blacklists: if the number of blacklists is below a set threshold, the first request information may be compared with the information in each blacklist in turn; if the number of blacklists is large, traversing each one is inefficient, and a binary tree of blacklists can be generated according to blacklist type instead.
  • Step 203: When information in a blacklist of any type is matched successfully, determine that the access request is an attack request.
  • The whole procedure, with the server presetting the blacklist first: the server parses the access requests and/or responses received during the set time period and extracts the second request information and/or response information, each being any of the matching parameters above.
  • The server then reads the preset expression, which consists of variables and operators. For example, suppose the expression compares method_count (with its argument) against the threshold 5.
  • The server feeds the extracted second request information and/or response information into the expression's variables. Continuing the example, if the extracted value is 7, then 7 > 5 holds, the operation result is true and the attack condition is met, so the server generates a blacklist according to the type of the parameter in the expression.
  • The expression is of the header type, so a blacklist of the header type is generated, and the matching parameters of the blacklist include method_count.
  • With the blacklists in place, the server receives an HTTP access request from a computer, extracts the first request information (count, uri_num, status_count, etc.) from it, and matches each extracted item against the information in the various preset blacklists; the blacklists support multiple matching parameters, which correspond to the information extracted from the access request.
  • When the match succeeds, the access request is determined to be an attack request.
  • For example, the extracted first request information includes count and none_cookie_ratio; an expression over these parameters is set; and the IP-address blacklist's matching parameters, including count, none_cookie_ratio and status_ratio, are matched successfully, so the access request is determined to be an attack request.
  • The method provided by the embodiment may further include: determining the corresponding blocking scheme from the blacklist that matched, and then blocking the attack request according to that scheme.
  • A blocking scheme is stored with each type of blacklist, so that different types of CC attack receive different blocking responses.
  • The blocking scheme may include, but is not limited to: captcha, i.e. redirecting to a verification-code page; returning a rejection page; and disconnecting the connection.
  • The embodiments adopt different blocking schemes instead of the direct disconnection of the prior art, so as to suit different service and attack scenarios. For example, if the current attack request seriously affects the service, the connection can be disconnected directly; if the request is only suspected to be an attack, the client can be redirected to the verification-code page.
  • The expression has an execution time interval, that is, it generates a blacklist once per interval. The embodiment therefore counts the first time length since the expression was last executed; when it reaches the first set time length (the execution interval), a new blacklist is generated from the expression and overwrites the current blacklist.
  • Each blacklist also has an expiration_time and is valid only during that period. The embodiment counts a second time length from the moment each blacklist was generated; when it reaches the second set time length, the blacklist is set to invalid. The validity period of a blacklist is normally longer than the execution interval of the expression, so that there is no moment at which the current blacklist has already expired and the new one has not yet been generated.
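An added example (not the patent's code) for steps 202 and 203, the per-type blocking scheme and the execution-interval/expiration lifecycle just described: a store that overwrites its lists each execution interval, keeps entries for a longer expiration_time, and answers a request's extracted keys with the scheme of the first blacklist type that hits. The assignment of schemes to types and the timing values are assumptions; the keys passed to match() are the first request information already reduced to one value per blacklist type, as a transceiver module would extract it.

```python
from dataclasses import dataclass, field

# Blocking scheme per blacklist type. The patent names the three schemes (captcha redirect,
# rejection page, disconnect) but not which type gets which; this assignment is assumed.
BLOCKING_SCHEME = {"ip": "disconnect", "header_host": "reject_page",
                   "cookie_sid": "captcha", "arg_id": "captcha"}

@dataclass
class BlacklistStore:
    """Typed blacklists with the lifecycle described in the text: the expression re-runs
    every `interval` seconds and its output overwrites the current lists, while each entry
    stays valid for `ttl` seconds (expiration_time), which must exceed the interval so a
    late or failed regeneration never leaves a moment with nothing in force."""
    interval: float
    ttl: float
    entries: dict = field(default_factory=dict)  # blacklist type -> {key: expires_at}
    last_run: float = float("-inf")

    def __post_init__(self):
        if self.ttl <= self.interval:
            raise ValueError("expiration_time must be longer than the execution interval")

    def refresh(self, now, fresh):
        """Tick. `fresh` is the generator's output for the latest window (type -> keys), or
        None if the statistics pipeline has not delivered. Output that arrives once the
        interval has elapsed overwrites the lists; otherwise only expired keys are dropped."""
        if fresh is not None and now - self.last_run >= self.interval:
            self.entries = {t: {k: now + self.ttl for k in keys} for t, keys in fresh.items()}
            self.last_run = now
        else:
            for t in list(self.entries):
                self.entries[t] = {k: exp for k, exp in self.entries[t].items() if exp > now}

    def match(self, keys, now):
        """Steps 202-203 plus scheme selection. `keys` is the first request information
        already reduced to one value per blacklist type (a missing cookie or arg is None).
        Each type is a dictionary lookup rather than a scan over every list, the same
        trade the text makes with its per-type binary tree once the lists grow large;
        the first type that hits decides, and its blocking scheme is returned."""
        for btype, key in keys.items():
            exp = self.entries.get(btype, {}).get(key)
            if exp is not None and exp > now:
                return btype, BLOCKING_SCHEME.get(btype, "reject_page")
        return None
```

The ordering of `keys` is the ordering of precedence between types: putting "ip" first means a blacklisted address is disconnected even if its cookie would only have earned a captcha. The refresh branch that keeps old entries when `fresh` is None is what the text's "validity longer than the execution interval" buys in practice.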
  • Because the blacklist is always generated from the latest request and response information, it adjusts to the current service and attack situation; this keeps the blacklist timely, makes the determination of attack requests more accurate, improves defence efficiency and lowers the miss rate.
  • Determining the attack request only from the number of accesses by an IP address does not apply to CC attack types with a low per-IP access frequency and has a high false-positive rate.
  • The present application judges not only the access count of an IP address but also the header, cookie and args, and can further judge on status code, traffic and method, so the judgement has more dimensions, the judgement mode is more flexible and the result is more accurate.
  • FIG. 3 is a schematic diagram of the modules of a server according to an embodiment of the present disclosure. It includes a transceiver module 11, a statistics module 12, a configuration module 13, an execution module 14 and a blocking module 15.
  • The transceiver module 11 receives access requests and sends the corresponding responses (for example, receives an HTTP access request and sends an HTTP response), and records and reports the request information and response information. It is typically built on nginx or Squid.
  • The statistics module 12 is connected to the transceiver module 11, receives the request and response information it reports, collects statistics on the variables of the preset expression from that information, and reports the results to the execution module 14.
  • The configuration module 13 is connected to the execution module 14, provides a dynamic expression-configuration interface, and delivers the expression that indicates the attack condition to the execution module 14 in real time.
  • The execution module 14 parses the expression and generates a blacklist from the expression and the results of the statistics module 12: it substitutes the statistics into the expression's variables and evaluates it, and if the result is true, generates a blacklist of the type to which the expression's variables belong.
  • The blocking module 15 is connected to the execution module 14, matches the access requests received by the transceiver module 11 against the blacklists generated by the execution module 14, and blocks the access requests that match.
  • Corresponding to the method embodiments, the present application also provides an embodiment of the apparatus for determining an attack request, which can be applied to a server.
  • The apparatus embodiment may be implemented in software, in hardware, or in a combination of the two. Taking software as an example, the apparatus as a logical entity is formed by the processor of the device on which it runs reading the corresponding computer program instructions from non-volatile memory into memory. At the hardware level, FIG. 4 shows the hardware structure of the device in which the apparatus is located; besides the processor, memory, network interface and non-volatile memory shown in FIG. 4, the device may include other hardware according to its actual function, which is not shown.
  • FIG. 5 is a block diagram of an embodiment of the apparatus for determining an attack request. The apparatus may be applied to a server and includes a receiving unit 510, a matching unit 520 and a first determining unit 530.
  • The receiving unit 510 is configured to receive an access request.
  • The matching unit 520 is configured to extract the first request information from the access request and match it against information in the preset blacklists of several types that support multiple matching parameters.
  • The first determining unit 530 is configured to determine that the access request is an attack request when information in a blacklist of any type is matched successfully.
  • The apparatus may also include (not shown in FIG. 5):
  • a parsing unit configured to parse the access requests received in the set time period to obtain second request information, and/or to parse the responses sent in the set time period to obtain response information;
  • an extracting unit configured to extract, from the second request information and/or the response information, the information corresponding to the variables of the preset expression that indicates the attack condition;
  • an operation unit configured to substitute the extracted information into the variables of the expression as input and perform the operation;
  • a first generating unit configured, when the result of the operation is that the attack condition is met, to generate a blacklist of the type to which the variables of the expression belong.
  • The first generating unit may include (not shown in FIG. 5):
  • a first determining subunit configured to determine the variables of an expression that meets the attack condition;
  • a second determining subunit configured to look up the preset blacklist types and determine the type to which those variables belong;
  • a generating subunit configured to generate a blacklist of the corresponding type, the blacklist type corresponding to the matching parameter.
  • The blacklist types include: Internet Protocol address, header_x, cookie_x and arg_x.
  • The apparatus may also include (not shown in FIG. 5) a storage unit configured to store the different types of blacklist and their blocking schemes.
  • The apparatus may further include (not shown in FIG. 5):
  • a second determining unit configured to determine the corresponding blocking scheme from the blacklist that matched;
  • a blocking unit configured to block the attack request according to the determined blocking scheme.
  • The blocking scheme includes any one of: redirecting to a page, returning a rejection page, and disconnecting.
  • The apparatus may further include (not shown in FIG. 5):
  • a second generating unit configured to generate a new blacklist from the expression when the first time length reaches the first set time length;
  • an overwriting unit configured to overwrite the current blacklist with the new blacklist.
  • Since the apparatus embodiment basically corresponds to the method embodiment, reference may be made to the description of the method embodiment for the relevant parts.
  • The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the objectives of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a method, apparatus and server for determining a malicious request. The method comprises: receiving an access request; extracting first request information from the access request and matching it against information in multiple types of preset blacklist that support multiple matching parameters; and, when there is a successful match with information in any type of blacklist, determining that the access request is a malicious request. The technical solutions of the present invention solve the problems of the prior art, in which a malicious request is determined only by the access frequency of an IP address: that approach cannot be applied to CC attack types with a low IP-address access frequency, cannot accurately distinguish different CC attack types, and has a high false-positive rate. The present invention can decide on an access request on the basis of multiple types of matching parameter, so the decision has a wider dimensionality, the decision mode is more flexible and the decision results are more accurate.
PCT/CN2017/117067   2016-12-28   2017-12-19   Method, apparatus and server for determining a malicious request   WO2018121331A1 (fr)

Applications Claiming Priority (2)

Application Number   Priority Date   Filing Date   Title
CN201611243727.8   2016-12-28
CN201611243727.8A (published as CN108259425A, zh)   2016-12-28   2016-12-28   Method, apparatus and server for determining an attack request

Publications (1)

Publication Number   Publication Date
WO2018121331A1 (fr)   2018-07-05

Family

ID=62710299

Family Applications (1)

Application Number   Title   Priority Date   Filing Date
PCT/CN2017/117067 WO2018121331A1 (fr)   Method, apparatus and server for determining a malicious request   2016-12-28   2017-12-19

Country Status (3)

Country   Link
CN (1)   CN108259425A (fr)
TW (1)   TW201824047A (fr)
WO (1)   WO2018121331A1 (fr)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109729094A (zh) * 2019-01-24 2019-05-07 中国平安人寿保险股份有限公司 Malicious attack detection method, system, computer apparatus and readable storage medium
CN113660275A (zh) * 2021-08-18 2021-11-16 中国电信股份有限公司 Domain name system request processing method, apparatus, electronic device and storage medium
CN113765913A (zh) * 2021-09-02 2021-12-07 云宏信息科技股份有限公司 Method for configuring an access blacklist on a Tomcat server, storage medium and Tomcat server
CN114079574A (zh) * 2020-08-14 2022-02-22 中移动信息技术有限公司 Data filtering method, apparatus, device and storage medium
CN114257403A (zh) * 2021-11-16 2022-03-29 北京网宿科技有限公司 False positive detection method, device and readable storage medium
CN115001759A (zh) * 2022-05-19 2022-09-02 国网数字科技控股有限公司 Access information processing method, apparatus, electronic device and readable storage medium
CN116846678A (zh) * 2023-08-10 2023-10-03 国网冀北电力有限公司张家口供电公司 Highly suspicious IP determination method

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110858831B (zh) * 2018-08-22 2022-07-29 阿里巴巴集团控股有限公司 Security protection method, apparatus and security protection device
CN109347820B (zh) * 2018-10-12 2021-10-22 江苏满运软件科技有限公司 Application security defense method and system
CN109547427B (zh) * 2018-11-14 2023-03-28 平安普惠企业管理有限公司 Blacklisted user identification method, apparatus, computer device and storage medium
CN109474601B (zh) * 2018-11-26 2021-06-01 杭州安恒信息技术股份有限公司 Scanning attack handling method based on behavior recognition
CN111262719B (zh) * 2018-12-03 2022-12-02 阿里巴巴集团控股有限公司 Information display method, device and storage medium
CN110071941B (zh) * 2019-05-08 2021-10-29 北京奇艺世纪科技有限公司 Network attack detection method, device, storage medium and computer device
CN111212070B (zh) * 2019-12-31 2022-03-08 奇安信科技集团股份有限公司 Risk monitoring method, apparatus, computing device and medium
CN112468478A (zh) * 2020-11-23 2021-03-09 杭州贝嘟科技有限公司 Attack interception method, apparatus, computer device and storage medium
CN112995686B (zh) * 2021-02-03 2022-04-19 上海哔哩哔哩科技有限公司 Data processing method, live streaming method, authentication server and live streaming data server
CN113992403A (zh) * 2021-10-27 2022-01-28 北京知道创宇信息技术股份有限公司 Access rate-limiting interception method and apparatus, defense server and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9003511B1 (en) * 2014-07-22 2015-04-07 Shape Security, Inc. Polymorphic security policy action
CN104768139A (zh) * 2015-02-28 2015-07-08 北京奇艺世纪科技有限公司 Short message sending method and apparatus
CN105208026A (zh) * 2015-09-29 2015-12-30 努比亚技术有限公司 Method and network system for preventing malicious attacks
CN105786630A (zh) * 2016-02-26 2016-07-20 浪潮通用软件有限公司 Middleware-based Web API regulation method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580228A (zh) * 2015-01-16 2015-04-29 北京京东尚科信息技术有限公司 System and method for generating a blacklist for access requests from a network

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109729094A (zh) * 2019-01-24 2019-05-07 中国平安人寿保险股份有限公司 Malicious attack detection method, system, computer apparatus and readable storage medium
CN114079574A (zh) * 2020-08-14 2022-02-22 中移动信息技术有限公司 Data filtering method, apparatus, device and storage medium
CN113660275A (zh) * 2021-08-18 2021-11-16 中国电信股份有限公司 Domain name system request processing method, apparatus, electronic device and storage medium
CN113765913A (zh) * 2021-09-02 2021-12-07 云宏信息科技股份有限公司 Method for configuring an access blacklist on a Tomcat server, storage medium and Tomcat server
CN114257403A (zh) * 2021-11-16 2022-03-29 北京网宿科技有限公司 False positive detection method, device and readable storage medium
CN114257403B (zh) * 2021-11-16 2024-03-26 北京网宿科技有限公司 False positive detection method, device and readable storage medium
CN115001759A (zh) * 2022-05-19 2022-09-02 国网数字科技控股有限公司 Access information processing method, apparatus, electronic device and readable storage medium
CN115001759B (zh) * 2022-05-19 2024-01-12 国网数字科技控股有限公司 Access information processing method, apparatus, electronic device and readable storage medium
CN116846678A (zh) * 2023-08-10 2023-10-03 国网冀北电力有限公司张家口供电公司 Highly suspicious IP determination method
CN116846678B (zh) * 2023-08-10 2024-01-19 国网冀北电力有限公司张家口供电公司 Highly suspicious IP determination method

Also Published As

Publication number Publication date
CN108259425A (zh) 2018-07-06
TW201824047A (zh) 2018-07-01

Similar Documents

Publication Publication Date Title
WO2018121331A1 (fr) Method, apparatus and server for determining a malicious request
US11122067B2 (en) Methods for detecting and mitigating malicious network behavior and devices thereof
US10425383B2 (en) Platforms for implementing an analytics framework for DNS security
US10250466B2 (en) Application signature generation and distribution
WO2018107784A1 (fr) Method and device for detecting a web framework
EP2263163B1 (fr) Content management
US9258289B2 (en) Authentication of IP source addresses
CN102571547B (zh) HTTP traffic control method and apparatus
US8904524B1 (en) Detection of fast flux networks
CN110324295B (zh) Method and apparatus for defending against domain name system flooding attacks
CN102137111A (zh) Method and apparatus for defending against CC attacks, and content delivery network server
CN112261172B (zh) Service addressing and access method, apparatus, system, device and medium
CN105959313A (zh) Method and apparatus for preventing HTTP proxy attacks
EP2830280A1 (fr) Caching with security as a service
JP2019021294A (ja) DDoS attack determination system and method
JP7388613B2 (ja) Packet processing method and apparatus, device, and computer-readable storage medium
EP3633948B1 (fr) Anti-attack method and device for a server
CN108632401B (zh) Anonymous query method and system for reducing privacy leakage on DNS recursive servers
KR101200906B1 (ko) Network-based high-performance harmful site blocking system and method
US20230108362A1 (en) Key-value storage for url categorization
US9055113B2 (en) Method and system for monitoring flows in network traffic
CN106789413A (zh) Method and apparatus for detecting proxy internet access
EP3382981B1 (fr) User equipment and method for protecting user privacy in communication networks
CN114640504B (zh) CC attack protection method, apparatus, device and storage medium
US20180295151A1 (en) Methods for mitigating network attacks through client partitioning and devices thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 17887989; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 17887989; Country of ref document: EP; Kind code of ref document: A1