WO2024099078A1 - Method for detecting attack traffic and related device - Google Patents
Method for detecting attack traffic and related device
- Publication number: WO2024099078A1
- Application number: PCT/CN2023/126565
- Authority: WO (WIPO, PCT)
- Prior art keywords: fingerprint, data stream, protection device, type, rate
Classifications
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/101—Access control lists [ACL]
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L9/40—Network security protocols
Definitions
- the present application relates to the field of network security technology, and in particular to a method for detecting attack traffic and related equipment.
- in recent years, distributed denial of service (DDoS) attacks on servers carried over data streams encrypted with transport layer security (TLS) (hereinafter referred to as TLS data streams) have become more frequent.
- security protection devices such as firewalls
- the security protection device detects whether the TLS data stream is attack traffic. When the TLS data stream is not attack traffic, the security protection device forwards the TLS data stream to the server. When the TLS data stream is attack traffic, the security protection device blocks the TLS data stream.
- Security protection devices can determine whether a TLS data flow is attack traffic by matching the fingerprint of the TLS data flow with a preset fingerprint library, which is obtained by analyzing known DDoS attack tools.
- the accuracy of the preset fingerprint library is not high, resulting in a low accuracy rate in detecting attack traffic.
- the present application provides a method and related equipment for detecting attack traffic, which can improve the accuracy of attack traffic detection.
- the present application provides a method for detecting attack traffic.
- the method can be applied to a security protection device.
- the security protection device obtains a first rate characterization value of a first traffic in a first time period, wherein the first traffic includes at least one first data stream, and the destination Internet Protocol (IP) address of each first data stream is the same, or the destination IP address of at least one first data stream belongs to an IP group.
- IP: Internet Protocol.
- the security protection device generates at least one fingerprint based on the first rate characterization value, each fingerprint being generated based on a message field of one of the at least one first data streams, and any fingerprint being used to detect whether the data stream matching it is an attack traffic.
- the security protection device can obtain the fingerprint in real time according to the data flow, that is, the fingerprint is obtained dynamically.
- the dynamically obtained fingerprint better reflects the ongoing attack status. Therefore, when the dynamically obtained fingerprint is used to detect attack traffic, it improves the accuracy of attack traffic detection. Furthermore, detection only requires comparing the fingerprint of the data flow to be detected with the dynamically obtained fingerprint; there is no need to decrypt the encrypted data flow, which avoids spending computing resources on decryption and avoids the impact on user privacy and security.
- the first data stream is a TLS data stream
- the security protection device generates a fingerprint corresponding to the first data stream according to the message field of the Hello message (TLS ClientHello) of the TLS data stream.
- the first data stream includes TLS ClientHello
- the security protection device obtains the bytes included in some fields in TLS ClientHello, and then connects these bytes together to obtain a string, and then uses a hash algorithm (for example, MD4 algorithm, MD5 algorithm or SHA-1 algorithm) to perform hash calculation on the string to obtain the fingerprint corresponding to the first data stream.
- the above-mentioned partial fields include any one or more of the following fields: version, accepted ciphers, extension list, elliptic curve and elliptic curve format in TLS ClientHello.
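Fingerprint generation as described above, as an added example (not code from the patent): the bytes of the named ClientHello fields (version, cipher suites, extension type list, supported_groups as the "elliptic curves" field, ec_point_formats as the "elliptic curve format" field) are concatenated and hashed. The parser assumes the record-layer header has already been stripped, the `build_client_hello` helper only constructs test input, and SHA-1 is used as the default hash because MD4 is not present in every hashlib build.

```python
import hashlib
import struct

HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SUPPORTED_GROUPS = 10   # "elliptic curves" in the page's wording
EXT_EC_POINT_FORMATS = 11   # "elliptic curve format" in the page's wording
DEFAULT_FIELDS = ("version", "ciphers", "extensions", "curves", "curve_formats")


def build_client_hello(version, ciphers, extensions, random=bytes(32)):
    """Build a minimal ClientHello handshake message (constructed test input only).
    extensions is a list of (extension_type, extension_body) pairs."""
    body = struct.pack(">H", version) + random
    body += b"\x00"                                   # empty session id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                               # compression methods: null only
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


class _Reader:
    """Bounds-checked cursor: a truncated or malformed message raises instead of
    silently producing a wrong fingerprint."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def done(self):
        return self.pos >= len(self.data)


def parse_client_hello(msg):
    """Return the fingerprint-relevant ClientHello fields as raw bytes."""
    r = _Reader(msg)
    if r.u8() != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(r.take(3), "big")
    r = _Reader(r.take(length))
    version = r.take(2)
    r.take(32)                 # random: differs per connection, so it is not fingerprinted
    r.take(r.u8())             # session id
    ciphers = r.take(r.u16())  # accepted ciphers, in the client's order
    r.take(r.u8())             # compression methods
    ext_types, curves, curve_formats = [], b"", b""
    if not r.done():           # the extensions block is optional
        ext = _Reader(r.take(r.u16()))
        while not ext.done():
            ext_type = ext.u16()
            ext_body = ext.take(ext.u16())
            ext_types.append(struct.pack(">H", ext_type))   # extension list = ordered types
            if ext_type == EXT_SUPPORTED_GROUPS:
                curves = ext_body
            elif ext_type == EXT_EC_POINT_FORMATS:
                curve_formats = ext_body
    return {"version": version, "ciphers": ciphers, "extensions": b"".join(ext_types),
            "curves": curves, "curve_formats": curve_formats}


def client_hello_fingerprint(msg, fields=DEFAULT_FIELDS, algorithm="sha1"):
    """Concatenate the selected fields and hash them (the page allows MD4, MD5 or SHA-1)."""
    parsed = parse_client_hello(msg)
    return hashlib.new(algorithm, b"".join(parsed[f] for f in fields)).hexdigest()


if __name__ == "__main__":
    # Constructed sample: TLS 1.2 version field, three cipher suites, SNI + groups + formats.
    exts = [(0, b"\x00\x0e\x00\x00\x0bexample.com"),
            (EXT_SUPPORTED_GROUPS, b"\x00\x04\x00\x1d\x00\x17"),
            (EXT_EC_POINT_FORMATS, b"\x01\x00")]
    hello = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02B], exts)
    print(client_hello_fingerprint(hello))
```

Two connections from the same client software produce the same digest even though their random bytes differ, while a changed cipher order produces a different one.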
- the at least one fingerprint includes at least one first-class fingerprint.
- the security protection device generates at least one fingerprint according to the first rate characterization value, including: when the first rate characterization value does not exceed the first rate threshold, the security protection device generates at least one first-class fingerprint, and the first-class fingerprint indicates that the data flow matching it is normal traffic.
- the security protection device generates at least one first-category fingerprint, including: the security protection device generates a first fingerprint for each first data stream in the at least one first data stream, and when the number of any first fingerprints meets the first condition, the any first fingerprint is determined as a first-category fingerprint.
- the first condition may include any one or more of the following: the number of any first fingerprint exceeds the first number threshold; or the ratio of any first fingerprint exceeds the first ratio threshold; or the number of any first fingerprint ranks in the top M1; or the ratio of any first fingerprint ranks in the top N1; or the frequency of occurrence of any first fingerprint exceeds the first frequency threshold.
- M1 and N1 are natural numbers.
- the security protection device can extract at least one first fingerprint. Since different first data streams may correspond to the same first fingerprint, some of the first fingerprints in the above at least one first fingerprint occur many times while others occur only a few times.
- when the first rate characterization value does not exceed the first rate threshold, most or all of the first data streams included in the first traffic are normal traffic, so it can be inferred that the frequently occurring first fingerprints (i.e., the first fingerprints that meet the first condition) are most likely fingerprints corresponding to normal traffic. Therefore, the first type of fingerprint obtained by the above method can be used to determine that the traffic matching it is normal traffic.
- the security protection device obtains a second rate characterization value of the second traffic in the second time period, and when the second rate characterization value does not exceed the first rate threshold, updates the at least one first-class fingerprint.
- the second traffic includes at least one second data stream, and the destination IP address of each second data stream is the same, or the destination IP address of at least one second data stream belongs to an IP group.
- the first type of fingerprint is time-sensitive.
- the security protection device determines a first type of fingerprint in the first period, but the client corresponding to the fingerprint is infected by the attack tool in the second period and becomes an attack client. In this case, the fingerprint will no longer be a first type of fingerprint.
- the security protection device can dynamically update the first type of fingerprint, which improves the accuracy of the first type of fingerprint. Accordingly, when using the more accurate first type of fingerprint to detect whether the data flow is an attack flow, the detection result is also more accurate.
- the second time period is later than the first time period and is adjacent to the first time period, or the second time period is later than the first time period and both the second time period and the first time period include a common time period.
- the above update can be performed based on a periodic manner or based on a dynamic sliding window manner.
- the security protection device updates at least one first-class fingerprint, including: the security protection device generates a second fingerprint for each of the at least one second data stream, and when the number of any second fingerprints meets the second condition, determines any second fingerprint as a new first-class fingerprint, and then replaces the at least one first-class fingerprint with the new first-class fingerprint.
- the second condition includes any one or more of the following: the number of any second fingerprint exceeds the second number threshold; or the ratio of any second fingerprint exceeds the second ratio threshold; or the number of any second fingerprint ranks in the top M2; or the ratio of any second fingerprint ranks in the top N2; or the frequency of occurrence of any second fingerprint exceeds the second frequency threshold.
- M2 and N2 are natural numbers.
- the at least one fingerprint further includes at least one second type of fingerprint.
- when the second rate characterization value exceeds the first rate threshold, the security protection device generates at least one second type of fingerprint.
- the security protection device generates at least one second-category fingerprint, including: the security protection device generates a second fingerprint for each second data stream in the at least one second data stream, and when the number of any second fingerprints meets the third condition and the at least one first-category fingerprint does not include any second fingerprint, any second fingerprint is determined as a second-category fingerprint.
- the third condition may include any one or more of the following: the number of any second fingerprint exceeds the third number threshold; or the ratio of any second fingerprint exceeds the third ratio threshold; or the number of any second fingerprint ranks in the top M3; or the ratio of any second fingerprint ranks in the top N3; or the frequency of any second fingerprint exceeds the third frequency threshold.
- M3 and N3 are natural numbers.
- the security protection device can extract at least one second fingerprint. Since different second data streams may correspond to the same second fingerprint, some of the second fingerprints in the above at least one second fingerprint occur many times while others occur only a few times.
- when the second rate characterization value exceeds the first rate threshold, most or all of the second data streams included in the second traffic are likely to be attack traffic, and further, the frequently occurring second fingerprints (i.e., the second fingerprints that meet the third condition) are likely to be fingerprints corresponding to attack traffic.
- the second type of fingerprint obtained based on the above method can be used to determine that the traffic matching the second type of fingerprint is attack traffic.
- the second traffic may also include normal traffic
- the second fingerprint corresponding to the normal traffic may also meet the third condition; that is, if the second fingerprint were judged by the third condition alone, a second fingerprint corresponding to normal traffic might be mistakenly determined as a second type of fingerprint. Therefore, in addition to the third condition, the above implementation also excludes any second fingerprint that is already among the at least one first type of fingerprint, so that the accuracy of the second type of fingerprint can be further improved.
- the at least one fingerprint includes at least one second type of fingerprint.
- the security protection device generates at least one fingerprint according to the first rate characterization value, including: when the first rate characterization value exceeds the first rate threshold, the security protection device generates at least one second type of fingerprint, and the second type of fingerprint indicates that the data flow matching it is attack traffic.
- the security protection device generates at least one second-category fingerprint, including: the security protection device generates a first fingerprint for each first data stream in at least one first data stream, and when the number of any first fingerprints meets a fourth condition, determines any first fingerprint as a second-category fingerprint.
- the fourth condition may include any one or more of the following: the number of any first fingerprint exceeds the fourth number threshold; or the ratio of any first fingerprint exceeds the fourth ratio threshold; or the number of any first fingerprint ranks in the top M4; or the ratio of any first fingerprint ranks in the top N4; or the frequency of occurrence of any first fingerprint exceeds the fourth frequency threshold.
- M4 and N4 are natural numbers.
- when the first rate characterization value exceeds the first rate threshold, most or all of the first data flows included in the first traffic are attack traffic. Therefore, it can be inferred that among the at least one first fingerprint extracted from the first traffic, the frequently occurring first fingerprints (i.e., the first fingerprints that meet the fourth condition) are likely to be fingerprints corresponding to attack traffic.
- the fingerprint corresponding to the attack traffic can indicate the attack traffic, so the second type of fingerprint obtained by the above implementation method can indicate the attack traffic.
- the security protection device obtains a second rate characterization value of the second traffic in the second time period, and when the second rate characterization value exceeds the first rate threshold, updates the at least one second type fingerprint.
- the second traffic includes at least one second data flow, and the destination IP address of each second data flow is the same, or the destination IP address of at least one second data flow belongs to an IP group.
- the security protection device updates at least one second-category fingerprint, including: the security protection device generates a second fingerprint for each of the at least one second data stream, respectively; when the number of any second fingerprints meets the fifth condition, the any second fingerprint is determined as a new second-category fingerprint, and then the at least one second-category fingerprint is replaced by the new second-category fingerprint.
- the fifth condition may include any one or more of the following: the number of any second fingerprint exceeds the fifth number threshold; or the ratio of any second fingerprint exceeds the fifth ratio threshold; or the number of any second fingerprint ranks in the top M5; or the ratio of any second fingerprint ranks in the top N5; or the frequency of occurrence of any second fingerprint exceeds the fifth frequency threshold.
- M5 and N5 are natural numbers.
- the second type of fingerprint is time-sensitive. For example, if the client corresponding to a second type of fingerprint determined by the security protection device in a first period of time is repaired and, after a period of time, no longer attacks the server, the fingerprint will no longer be a second type of fingerprint.
- the security protection device can dynamically update the second type of fingerprint, which improves the accuracy of the second type of fingerprint. Accordingly, when using the second type of fingerprint with higher accuracy to detect whether a data flow is an attack flow, the detection result is also more accurate.
- the security protection device generates at least one blacklist according to the at least one second type fingerprint.
- the blacklist is used to indicate that the data flow matching the blacklist is attack traffic.
- the security protection device generates at least one blacklist based on at least one second type of fingerprint, including: when the request rate or response rate of a first data stream among the at least one first data stream exceeds the second rate threshold, and the at least one second type of fingerprint includes the fingerprint corresponding to the first data stream, the security protection device determines the source IP address of the first data stream as a blacklist.
- when the request rate of a second data stream among the at least one second data stream exceeds the second rate threshold, and the at least one second type of fingerprint includes the fingerprint corresponding to the second data stream, the security protection device determines the source IP address of the second data stream as a blacklist.
- a blacklist is generated based on the second type of fingerprint, so that the security device can determine whether the data flow to be detected is attack traffic by matching the source IP address of the data flow to be detected with the above blacklist.
- the security protection device sends the at least one second-type fingerprint to the analysis device.
- the analysis device may also send the received at least one second-type fingerprint to other security protection devices, so that the other security protection devices detect attack traffic according to the at least one second-type fingerprint. In this way, the security of the network protected by other security protection devices can be improved.
- when the fingerprint corresponding to the data stream to be detected matches any one of the at least one first-category fingerprints mentioned above, the security protection device releases the data stream; when the fingerprint corresponding to the data stream to be detected matches any one of the at least one second-category fingerprints mentioned above, the security protection device blocks the data stream or rate-limits the data stream; when the source IP address of the data stream to be detected matches any one of the at least one blacklist mentioned above, the security protection device blocks the data stream or rate-limits the data stream.
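The window-based classification described above (first-class fingerprints from a quiet window, second-class fingerprints from a busy window with the first-class set excluded, the blacklist from per-stream rates, and the per-flow verdict), as an added example that is not the patent's code. Assumptions not stated on the page: the rate characterization value of a window is the sum of the per-flow request rates, the counting condition used is "ranks in the top M", and a flow that matches neither fingerprint set nor the blacklist is reported as `no_match`.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    fingerprint: str      # ClientHello fingerprint, e.g. a SHA-1 hex digest
    request_rate: float   # requests per second seen on this flow in the window


def select_fingerprints(flows, top_m=None, min_count=None, min_ratio=None):
    """The page's counting condition: a fingerprint qualifies when its count exceeds
    min_count, or its share of all flows exceeds min_ratio, or it ranks in the top M
    by count. Any enabled test that passes is enough."""
    counts = Counter(f.fingerprint for f in flows)
    total = sum(counts.values())
    chosen = set()
    for rank, (fp, n) in enumerate(counts.most_common(), start=1):
        if (min_count is not None and n > min_count) \
                or (min_ratio is not None and n / total > min_ratio) \
                or (top_m is not None and rank <= top_m):
            chosen.add(fp)
    return chosen


class FingerprintDetector:
    def __init__(self, rate_threshold, flow_rate_threshold, top_m=2):
        self.rate_threshold = rate_threshold            # "first rate threshold" (whole traffic)
        self.flow_rate_threshold = flow_rate_threshold  # "second rate threshold" (one stream)
        self.top_m = top_m
        self.first_class = set()    # fingerprints treated as normal traffic
        self.second_class = set()   # fingerprints treated as attack traffic
        self.blacklist = set()      # source IP addresses

    @staticmethod
    def rate_characterization(flows):
        # Assumption: aggregate request rate of the window's traffic toward the protected IP.
        return sum(f.request_rate for f in flows)

    def process_window(self, flows):
        """Update the fingerprint sets from one time window and report how it was judged."""
        frequent = select_fingerprints(flows, top_m=self.top_m)
        if self.rate_characterization(flows) <= self.rate_threshold:
            # Quiet window: the frequent fingerprints are the ones normal clients use.
            # As on the page, the old first-class set is replaced by the new one.
            self.first_class = frequent
            return "normal"
        # Busy window: frequent fingerprints are attack candidates, except those already
        # known to belong to normal traffic (a benign fingerprint can still be frequent
        # during an attack, so the exclusion avoids blocking real clients).
        self.second_class = {fp for fp in frequent if fp not in self.first_class}
        for f in flows:
            if f.fingerprint in self.second_class and f.request_rate > self.flow_rate_threshold:
                self.blacklist.add(f.src_ip)
        return "attack"

    def decide(self, flow):
        """Per-flow verdict. Block checks run before the release check so that a
        blacklisted source cannot get through by presenting a benign fingerprint."""
        if flow.fingerprint in self.second_class or flow.src_ip in self.blacklist:
            return "block"          # block or rate-limit, per the page
        if flow.fingerprint in self.first_class:
            return "release"
        return "no_match"           # assumption: the page does not state this case


def constructed_windows():
    """Two constructed windows toward one protected IP: a quiet one, then a flood."""
    quiet = ([Flow(f"10.0.0.{i}", "203.0.113.10", "fp_A", 1.0) for i in range(1, 6)]
             + [Flow(f"10.0.1.{i}", "203.0.113.10", "fp_B", 1.0) for i in range(1, 4)]
             + [Flow("10.0.2.1", "203.0.113.10", "fp_C", 1.0)])
    flood = ([Flow(f"198.51.100.{i}", "203.0.113.10", "fp_D", 10.0) for i in range(1, 21)]
             + [Flow(f"10.0.0.{i}", "203.0.113.10", "fp_A", 1.0) for i in range(1, 5)]
             + [Flow("10.0.1.1", "203.0.113.10", "fp_B", 1.0)])
    return quiet, flood


if __name__ == "__main__":
    det = FingerprintDetector(rate_threshold=50.0, flow_rate_threshold=5.0, top_m=2)
    quiet, flood = constructed_windows()
    print(det.process_window(quiet), sorted(det.first_class))
    print(det.process_window(flood), sorted(det.second_class), len(det.blacklist))
    print(det.decide(Flow("198.51.100.3", "203.0.113.10", "fp_A", 1.0)))
```

In the constructed flood, fp_A stays frequent but is not promoted to the attack set because the quiet window already marked it benign; the twenty fp_D sources are blacklisted because each exceeds the per-stream rate threshold.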
- the present application provides another method for detecting attack traffic, which can be applied to an analysis device.
- the analysis device receives second-class fingerprint libraries sent by multiple security protection devices respectively, each second-class fingerprint library includes at least one second-class fingerprint, and any second-class fingerprint indicates that the data flow matched therewith is an attack traffic.
- the analysis device generates a total fingerprint library based on the received multiple second-class fingerprint libraries, and the total fingerprint library includes part or all of the second-class fingerprints in the multiple second-class fingerprint libraries.
- the analysis device sends the total fingerprint library to multiple security protection devices, so that multiple security protection devices detect attack traffic based on the total fingerprint library. In this way, multiple security protection devices can obtain more comprehensive and accurate second-class fingerprints, thereby improving the security of the network protected by each security protection device.
- the present application provides a security protection device.
- the security protection device includes an acquisition module and a fingerprint generation module.
- the acquisition module is used to obtain a first rate characterization value of a first flow in a first time period, the first flow includes at least one first data stream, the destination IP address of each first data stream is the same, or the destination IP address of at least one first data stream belongs to an IP group.
- the fingerprint generation module is used to generate at least one fingerprint based on the first rate characterization value, each fingerprint is generated based on a message field of one of the at least one first data streams, and any fingerprint is used to detect whether the data stream matching it is an attack flow.
- the first data stream is a TLS data stream
- the fingerprint generation module generates a fingerprint corresponding to the first data stream according to a message field of a Hello message (TLS ClientHello) of the TLS data stream.
- the first data stream includes TLS ClientHello
- the fingerprint generation module obtains the bytes included in some fields in TLS ClientHello, then concatenates these bytes together to obtain a string, and then uses a hash algorithm (for example, MD4 algorithm, MD5 algorithm or SHA-1 algorithm) to perform hash calculation on the string to obtain the fingerprint corresponding to the first data stream.
- the above-mentioned partial fields include any one or more of the following fields: version, accepted ciphers, extension list, elliptic curve and elliptic curve format in TLS ClientHello.
- the at least one fingerprint includes at least one first-class fingerprint
- the fingerprint generation module is used to generate at least one first-class fingerprint when the first rate characterization value does not exceed the first rate threshold, and the first-class fingerprint indicates that the data flow matching it is normal traffic.
- the fingerprint generation module is used to generate a first fingerprint for each first data stream in the at least one first data stream, and when the number of any first fingerprints meets the first condition, determine any first fingerprint as a first-category fingerprint.
- the first condition may include any one or more of the following: the number of any first fingerprint exceeds the first number threshold; or the ratio of any first fingerprint exceeds the first ratio threshold; or the number of any first fingerprint ranks in the top M1; or the ratio of any first fingerprint ranks in the top N1; or the frequency of occurrence of any first fingerprint exceeds the first frequency threshold.
- M1 and N1 are natural numbers.
- the acquisition module is further used to acquire a second rate characterization value of a second flow in a second time period, the second flow includes at least one second data stream, the destination IP address of each second data stream is the same, or the destination IP address of at least one second data stream belongs to an IP group.
- the fingerprint generation module is also used to update the at least one first-category fingerprint when the second rate characterization value does not exceed the first rate threshold.
- the second time period is later than the first time period and is adjacent to the first time period, or the second time period is later than the first time period and both the second time period and the first time period include a common time period.
- the fingerprint generation module is used to generate a second fingerprint for each second data stream in the at least one second data stream, respectively, and when the number of any second fingerprints meets the second condition, determine the any second fingerprint as a new first-category fingerprint, and replace the at least one first-category fingerprint with the new first-category fingerprint.
- the second condition may include any one or more of the following: the number of any second fingerprint exceeds the second number threshold; or the ratio of any second fingerprint exceeds the second ratio threshold; or the number of any second fingerprint ranks in the top M2; or the ratio of any second fingerprint ranks in the top N2; or the frequency of any second fingerprint exceeds the second frequency threshold.
- M2 and N2 are natural numbers.
- the at least one fingerprint further includes at least one second type of fingerprint.
- the fingerprint generation module is further configured to generate at least one second type of fingerprint when the second rate characterization value exceeds the first rate threshold.
- the fingerprint generation module is used to generate a second fingerprint for each second data stream in the at least one second data stream, and when the number of any second fingerprints meets the third condition and the at least one first-category fingerprint does not include any second fingerprint, the any second fingerprint is determined as a second-category fingerprint.
- the third condition may include any one or more of the following: the number of any second fingerprint exceeds the third number threshold; the ratio of any second fingerprint exceeds the third ratio threshold; the number of any second fingerprint ranks in the top M3; the ratio of any second fingerprint ranks in the top N3; or the frequency of any second fingerprint exceeds the third frequency threshold.
- M3 and N3 are natural numbers.
- the at least one fingerprint includes at least one second type of fingerprint.
- the fingerprint generation module is used to generate at least one second type of fingerprint when the first rate characterization value exceeds the first rate threshold, and the second type of fingerprint indicates that the data flow matched therewith is attack traffic.
- the fingerprint generation module is used to generate a first fingerprint for each first data stream in the at least one first data stream, and when the number of any first fingerprints meets the fourth condition, determine the any first fingerprint as a second type fingerprint.
- the fourth condition may include any one or more of the following: the number of any first fingerprint exceeds the fourth number threshold; the ratio of any first fingerprint exceeds the fourth ratio threshold; the number of any first fingerprint ranks in the top M4; the ratio of any first fingerprint ranks in the top N4; or the frequency of any first fingerprint exceeds the fourth frequency threshold.
- M4 and N4 are natural numbers.
- the acquisition module is further used to acquire a second rate characterization value of a second flow in a second time period, the second flow includes at least one second data stream, the destination IP address of each second data stream is the same, or the destination IP address of at least one second data stream belongs to an IP group.
- the fingerprint generation module is also used to update the at least one second type fingerprint when the second rate characterization value exceeds the first rate threshold.
- the fingerprint generation module is used to generate a second fingerprint for each second data stream in the above-mentioned at least one second data stream, respectively, and when the number of any second fingerprints meets the fifth condition, determine any second fingerprint as a new second-category fingerprint, and replace the above-mentioned at least one second-category fingerprint with the new second-category fingerprint.
- the fifth condition may include any one or more of the following: the number of any second fingerprint exceeds the fifth number threshold; or the ratio of any second fingerprint exceeds the fifth ratio threshold; or the number of any second fingerprint ranks in the top M5; or the ratio of any second fingerprint ranks in the top N5; or the frequency of occurrence of any second fingerprint exceeds the fifth frequency threshold.
- M5 and N5 are natural numbers.
- the security protection device further includes a blacklist generation module.
- the blacklist generation module is used to generate at least one blacklist according to the at least one second type fingerprint.
- the blacklist generation module is used to determine the source IP address of the first data stream as a blacklist when the request rate or response rate of a first data stream among the at least one first data stream exceeds the second rate threshold, and the at least one second type of fingerprint includes the fingerprint corresponding to the first data stream.
- when the request rate of a second data stream among the at least one second data stream exceeds the second rate threshold, and the at least one second type of fingerprint includes the fingerprint corresponding to the second data stream, the blacklist generation module determines the source IP address of the second data stream as a blacklist.
- the security protection device further includes a sending module.
- the sending module is used to send the at least one second type fingerprint to the analysis device.
- the security protection device also includes a detection module.
- the detection module is used to determine whether the fingerprint corresponding to the data stream to be detected matches any one of the first-class fingerprints in the at least one first-class fingerprint.
- when the fingerprint corresponding to the data stream to be detected matches any one of the first-class fingerprints in the at least one first-class fingerprint, the detection module notifies the sending module to release the data stream.
- the detection module is also used to determine whether the fingerprint corresponding to the data stream to be detected matches any one of the second-class fingerprints in the at least one second-class fingerprint.
- the detection module is also used to determine whether the source IP address of the data stream to be detected matches any one of the blacklists in the at least one blacklist. When the source IP address of the data stream to be detected matches any one of the blacklists in the at least one blacklist, the data stream is blocked or the data stream is speed-limited.
- the present application provides an analysis device.
- the analysis device includes a receiving module, an analysis module, and a sending module.
- the receiving module is used to respectively receive second-class fingerprint libraries sent by multiple security protection devices, each second-class fingerprint library includes at least one second-class fingerprint, and any second-class fingerprint indicates that the data flow matched therewith is attack traffic.
- the analysis module is used to generate a total fingerprint library based on the received multiple second-class fingerprint libraries, and the total fingerprint library includes part or all of the second-class fingerprints in the multiple second-class fingerprint libraries.
- the sending module is used to send the total fingerprint library to multiple security protection devices, so that the multiple security protection devices detect attack traffic based on the total fingerprint library.
- the present application provides a security protection device, which includes a processor and a memory, wherein the processor executes computer program code in the memory to implement part or all of the method described in the first aspect and any implementation of the first aspect.
- the present application provides an analysis device, which includes a processor and a memory, wherein the processor executes computer program code in the memory to implement part or all of the method described in the second aspect.
- the present application provides a computer-readable storage medium.
- the computer storage medium stores computer program code, and when the computer program code is executed by a computing device, the computing device executes part or all of the method described in the aforementioned first aspect and any implementation of the first aspect.
- the present application provides another computer-readable storage medium.
- the computer storage medium stores computer program code, and when the computer program code is executed by a computing device, the computing device executes part or all of the method described in the second aspect above.
- the present application provides a computer program product.
- the computer program product may be software or a program product that includes instructions and can be run on a computing device or stored in any available medium.
- the at least one computing device executes part or all of the method described in the aforementioned first aspect and any one of the implementations of the first aspect.
- the present application provides another computer program product.
- the computer program product may be software or a program product that includes instructions and can be run on a computing device or stored in any available medium.
- the computer program product executes part or all of the method described in the second aspect.
- FIG1 is a schematic diagram of an application scenario provided by an embodiment of the present application.
- FIG2 is a flow chart of a method for detecting attack traffic provided in an embodiment of the present application.
- FIG3 is a schematic diagram of generating at least one first type of fingerprint provided by an embodiment of the present application.
- FIG4 is a schematic diagram of another method for generating at least one first type of fingerprint provided by an embodiment of the present application.
- FIG5 is a schematic diagram of generating at least one second type of fingerprint provided by an embodiment of the present application.
- FIG6 is a schematic diagram of another method of generating at least one second type of fingerprint provided by an embodiment of the present application.
- FIG7 is a schematic diagram of updating at least one first type of fingerprint provided by an embodiment of the present application.
- FIG8 is a schematic diagram of another method of updating at least one first-category fingerprint provided by an embodiment of the present application.
- FIG9 is a schematic diagram of another method of generating at least one second type of fingerprint provided by an embodiment of the present application.
- FIG10 is a schematic diagram of another method for generating at least one second type of fingerprint provided in an embodiment of the present application.
- FIG11 is a schematic diagram of another application scenario provided by an embodiment of the present application.
- FIG12 is a flow chart of another method for detecting attack traffic provided in an embodiment of the present application.
- FIG13 is a flow chart of a method for defending against network attacks provided in an embodiment of the present application.
- FIG14 is a schematic diagram of the structure of a security protection device provided in an embodiment of the present application.
- FIG15 is a schematic diagram of the structure of another security protection device provided in an embodiment of the present application.
- FIG16 is a schematic diagram of the structure of an analysis device provided in an embodiment of the present application.
- FIG17 is a schematic diagram of the structure of another analysis device provided in an embodiment of the present application.
- the description methods such as "at least one (or at least one, or at least one item) of a1, a2, ..., an" used in the embodiments of the present application include the situation where any one of a1, a2, ..., an exists alone, and also include any combination of any multiple of a1, a2, ..., an. Each situation can exist alone.
- the description method of "at least one (or at least one, or at least one item) of a1, a2, a3" includes the situation where a1 exists alone, a2 exists alone, a3 exists alone, a1 and a2 exist at the same time, a1 and a3 exist at the same time, a2 and a3 exist at the same time, and a1, a2, and a3 exist at the same time.
- "Multiple" refers to two or more.
- "And/or" is used to describe the association relationship of associated objects, indicating three relationships that can exist independently. For example, b1 and/or b2 can indicate the existence of b1 alone, b2 alone, or b1 and b2 at the same time.
- DDoS attack is a network attack method.
- the attack principle is: the attacker controls a large number of zombie hosts in the botnet to send a large amount of data flow to the server, making the server busy processing the data flow from these zombie hosts, thereby exhausting the server's system resources (including computing resources, storage resources and network resources), causing the server to be unable to process the data flow from normal clients. It is understandable that if the zombie host uses TLS or SSL to encrypt the data flow sent to the server, then after receiving the encrypted data flow, the security protection device will find it difficult to directly parse the data carried in the data flow, and it will also be difficult to determine whether the data flow is attack traffic.
- the embodiment of the present application provides a method for detecting attack traffic, which obtains fingerprints in real time by extracting fingerprints from real-time data streams.
- to detect attack traffic, it is only necessary to match the fingerprint corresponding to the data stream to be detected against the fingerprints obtained above to determine whether the data stream is attack traffic. Since the method provided by the embodiment of the present application obtains fingerprints from real-time data streams, it better reflects the current state of network attacks. Therefore, compared with the preset fingerprint library in the prior art, the fingerprints obtained by the method provided by the embodiment of the present application detect data streams with higher accuracy.
- the method provided by the embodiment of the present application can detect attack traffic without decrypting the data stream, which consumes less time and fewer resources, and also avoids affecting user privacy.
- the method for detecting attack traffic provided in the embodiment of the present application can be performed by a security protection device.
- the security protection device can be a software device, a hardware device, or a combination of a software device and a hardware device.
- the security protection device can be a virtual machine (VM) or software with a protection function.
- Fig. 1 shows an application scenario of an embodiment of the present application. As shown in Fig. 1, the scenario includes a client 100, a server 200 and a security protection device 300, and these parts are briefly described below.
- the client 100 includes a normal client and an attack client.
- a normal client is a client that generates normal traffic and sends normal traffic to the server 200 to request the server 200 to provide services, such as a browser or a business client.
- An attack client is a client that generates attack traffic and sends it to the server 200 to launch network attacks on the server 200, for example, a client deployed on a zombie host that has been infected by an attack tool (such as a Trojan).
- the data flow sent by the attack client to the server 200 is attack traffic, and the attack traffic is used to consume the system resources of the server 200;
- the data flow sent by the normal client to the server 200 is normal traffic, and normal traffic refers to the traffic of normal business, that is, non-attack traffic, and normal traffic is used to request services from the server 200.
- the server 200 is used to provide various services such as computing or applications for the client 100.
- the server 200 includes, for example, an application server and a web page server (also called a web server).
- the security protection device 300 is used to protect the network 400, which includes at least one server 200. Therefore, the security protection device 300 can protect at least one server 200 in the network 400 from network attacks initiated by attacking clients. Specifically, for the data stream sent from the client 100 to the server 200, before it reaches the server 200, the security protection device 300 first detects whether the data stream is attack traffic. If the data stream is attack traffic, the security protection device 300 blocks the data stream or limits the speed of the data stream. On the contrary, if the data stream is not attack traffic (i.e., normal traffic), the security protection device 300 releases the data stream.
- the security protection device 300 may include one or any combination of a firewall, a security gateway (such as a router or a switch), an intrusion detection system (IDS) type device, an intrusion prevention system (IPS) type device, a unified threat management (UTM) device, an anti-virus (AV) device, an anti-DDoS device, and a next-generation firewall (NGFW).
- the following describes in detail how the security protection device 300 detects attack traffic in conjunction with the flowchart of a method for detecting attack traffic shown in FIG. 2 .
- the security protection device 300 obtains a first rate characterization value of a first flow in a first time period.
- the first traffic includes at least one first data stream.
- the at least one first data stream includes at least one of a TLS data stream or a data stream based on SSL encryption (hereinafter referred to as SSL data stream).
- The source IP address of each first data stream in the at least one first data stream may be the same or different.
- the at least one first data stream comes from at least one client 100, and the at least one client 100 may include a normal client or an attacking client.
- the destination IP address of each first data stream in the at least one first data stream is the same.
- the destination IP address of the first data stream is referred to as the first IP address below, and the server indicated by the first IP address can be any server 200 in the network 400.
- the destination IP address of at least one first data stream belongs to an IP group (hereinafter referred to as the first IP group).
- the first IP group includes one or more IP addresses, and the server indicated by each IP address may be any server 200 in the network 400.
- the security protection device 300 may divide the IP group in a variety of ways. For example, the security protection device may divide the IP addresses of the servers 200 used to provide the same service in the network 400 into one IP group. Alternatively, the security protection device 300 divides the IP groups according to the network segment of the network 400, for example, the IP addresses belonging to the same department in the enterprise network are divided into one IP group. Alternatively, the security protection device 300 divides the IP groups according to the user's configuration.
- the security protection device 300 divides the IP addresses with the same subnet mask into one IP group. Therefore, the first IP group may include multiple IP addresses of the servers 200 used to provide the same service, or the first IP group may include multiple IP addresses belonging to the same network segment, or the first IP group may include multiple IP addresses configured by the user, or the first IP group may include multiple IP addresses with the same subnet mask.
- the first rate characterization value is used to indicate the flow rate of the first flow in the first time period.
- the first rate characterization value can be expressed in bytes or bits, for example, the total number of bytes or bits corresponding to the first flow in the first time period; or, it can also be expressed in bytes or bits per unit time, for example, the average number of bits per second (BPS) corresponding to the first flow in the first time period.
- the first rate characterization value can also be expressed in packets, for example, the total number of packets corresponding to the first flow in the first time period; or, it can also be expressed in packets per unit time, for example, the average number of packets per second (PPS) corresponding to the first flow in the first time period.
- the security protection device 300 determines the traffic (i.e., the first traffic) sent to the first IP address in the first time period according to the first IP address, thereby obtaining a first rate characterization value. It is understandable that the security protection device 300 can use each IP address in the network it protects as a first IP address, and for each first IP address, the security protection device 300 executes the method provided in the embodiment of the present application.
- the security protection device 300 determines the traffic (i.e., the first traffic) sent to the first IP group in the first time period according to the first IP group, thereby obtaining a first rate characterization value. It is understandable that multiple first IP groups can be set in the embodiment of the present application, and for each first IP group, the security protection device executes the method provided in the embodiment of the present application.
- the security protection device 300 generates at least one fingerprint according to the first rate characterization value.
- Each fingerprint of the at least one fingerprint is generated based on a message field of a first data stream of the at least one first data stream.
- the TLS data stream includes a hello message (i.e., TLS ClientHello) sent by the client 100 to the server 200. Therefore, after receiving the TLS data stream, the security protection device 300 can obtain the TLS ClientHello included in the TLS data stream, and then obtain the bytes included in some fields in the TLS ClientHello, and then connect these bytes together to obtain a string, and then use a hash algorithm (such as MD4 algorithm, MD5 algorithm or SHA-1 algorithm) to perform hash calculation on the string to obtain the fingerprint corresponding to the TLS data stream.
- a hash algorithm such as MD4 algorithm, MD5 algorithm or SHA-1 algorithm
- the above-mentioned partial fields include any one or more of the following fields: the version (TLS version), accepted ciphers (ciphers), extension list (extensions), elliptic curves (elliptic curves) and elliptic curve point formats (elliptic curves point formats) in TLS ClientHello.
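The fingerprint derivation just described, as an added Python example (not code from the patent): a constructed TLS ClientHello is parsed, the fields listed above (version, cipher suites, extension list, supported elliptic curves, EC point formats) are collected, their bytes are concatenated and hashed with MD5. The record layout follows the TLS specification; the sample server name, cipher and group values, and the function names are this example's own constructions.

```python
import hashlib
import struct

EXT_SUPPORTED_GROUPS = 0x000A   # carries the "elliptic curves" list
EXT_EC_POINT_FORMATS = 0x000B   # carries the EC point formats list

def build_client_hello(version, ciphers, extensions, session_id=b"",
                       client_random=b"\x00" * 32):
    """Constructed sample input: a ClientHello wrapped in a TLS handshake record.
    `extensions` is a list of (type, payload) pairs."""
    ext_body = b"".join(struct.pack("!HH", t, len(p)) + p for t, p in extensions)
    body = (struct.pack("!H", version) + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Extract the fields named in the description: version, cipher suites,
    extension types, supported groups (elliptic curves) and EC point formats.
    Raises ValueError when the record/handshake lengths do not add up."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != 4 + hs_len or len(record) != 5 + rec_len:
        raise ValueError("record/handshake lengths do not match the buffer")
    body = record[9:]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 34                                    # skip version (2) + random (32)
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length does not match the handshake body")
    ext_types, groups, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        payload = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        ext_types.append(etype)
        if etype == EXT_SUPPORTED_GROUPS:
            glen = struct.unpack("!H", payload[:2])[0]
            groups = [struct.unpack("!H", payload[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
        elif etype == EXT_EC_POINT_FORMATS:
            formats = list(payload[1:1 + payload[0]])
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "formats": formats}

def fingerprint(record, algo="md5"):
    """Concatenate the bytes of the selected fields and hash them. The random
    and session id are left out on purpose, so repeated connections from the
    same client software yield the same fingerprint. MD5 follows the text;
    "sha1" can be passed instead where the platform's hashlib offers it."""
    f = parse_client_hello(record)
    words = [f["version"]] + f["ciphers"] + f["extensions"] + f["groups"]
    data = b"".join(struct.pack("!H", w) for w in words) + bytes(f["formats"])
    return hashlib.new(algo, data).hexdigest()

# Constructed sample: the same client software opening two connections (HELLO_A and
# HELLO_B differ only in random and session id), and a different client (HELLO_C).
COMMON_EXTS = [
    (0x0000, b"\x00\x0c\x00\x00\x09localhost"),          # server_name, constructed
    (EXT_SUPPORTED_GROUPS, b"\x00\x04\x00\x1d\x00\x17"),  # x25519, secp256r1
    (EXT_EC_POINT_FORMATS, b"\x01\x00"),                  # uncompressed
]
HELLO_A = build_client_hello(0x0303, [0x1301, 0xC02B], COMMON_EXTS,
                             session_id=b"\x01" * 32, client_random=bytes(range(32)))
HELLO_B = build_client_hello(0x0303, [0x1301, 0xC02B], COMMON_EXTS,
                             client_random=bytes(range(32, 64)))
HELLO_C = build_client_hello(0x0303, [0xC02B, 0x1301], COMMON_EXTS)   # cipher order differs

if __name__ == "__main__":
    print(fingerprint(HELLO_A), fingerprint(HELLO_A) == fingerprint(HELLO_B),
          fingerprint(HELLO_A) != fingerprint(HELLO_C))
```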
- At least one fingerprint includes at least one first-class fingerprint, and the first-class fingerprint indicates that the data flow matching the fingerprint is normal traffic.
- at least one fingerprint includes at least one second-class fingerprint, and the second-class fingerprint indicates that the data flow matching the fingerprint is attack traffic.
- S1021 The security protection device 300 determines whether the first rate characterization value exceeds the first rate threshold. When the first rate characterization value does not exceed the first rate threshold, the security protection device 300 executes S1022; optionally, when the first rate characterization value exceeds the first rate threshold, the security protection device 300 executes S1023.
- the first rate threshold can be preset by the user (such as 1000PPS or 20000BPS), or it can be dynamically adjusted by the security protection device 300 according to actual conditions.
- the first rate threshold during the peak traffic period can be set to be greater than the first rate threshold during the low traffic period, where the peak traffic period and the low traffic period can be determined by the security protection device 300 based on historical traffic conditions.
- the first rate characterization value may have one or more representations, and accordingly, the first rate threshold may also include one or more thresholds.
- the security protection device 300 can determine whether the first rate characterization value exceeds the first rate threshold in any of several implementations.
- in one implementation, the first rate threshold includes the first average number of bits. When the average number of bits corresponding to the first flow in the first time period is greater than the first average number of bits, the first rate characterization value exceeds the first rate threshold.
- otherwise, the first rate characterization value does not exceed the first rate threshold.
- in another implementation, the first rate threshold includes the first average number of packets. When the average number of packets corresponding to the first flow in the first time period is greater than the first average number of packets, the first rate characterization value exceeds the first rate threshold.
- otherwise, the first rate characterization value does not exceed the first rate threshold.
- the first rate threshold includes the first average number of bits and the first average number of messages.
- when the average number of bits corresponding to the first flow in the first time period is less than or equal to the first average number of bits, and the average number of messages corresponding to the first flow in the first time period is less than or equal to the first average number of messages, the first rate characterization value does not exceed the first rate threshold; when the average number of bits corresponding to the first flow in the first time period is greater than the first average number of bits, or the average number of messages corresponding to the first flow in the first time period is greater than the first average number of messages, the first rate characterization value exceeds the first rate threshold.
- when the average number of bits corresponding to the first flow in the first time period is less than or equal to the first average number of bits, or the average number of messages corresponding to the first flow in the first time period is less than or equal to the first average number of messages, the first rate characterization value does not exceed the first rate threshold; when the average number of bits corresponding to the first flow in the first time period is greater than the first average number of bits, and the average number of messages corresponding to the first flow in the first time period is greater than the first average number of messages, the first rate characterization value exceeds the first rate threshold.
- the first rate characterization value exceeds the first rate threshold; otherwise, the first rate characterization value does not exceed the first rate threshold.
- the security protection device 300 generates at least one first type of fingerprint.
- the security protection device 300 generates a first fingerprint for each first data stream in the at least one first data stream, and when any first fingerprint satisfies the first condition, determines the first fingerprint as a first-category fingerprint.
- the first condition includes any one or more of the following: the number of any first fingerprint exceeds the first number threshold; the ratio of any first fingerprint (i.e., the ratio of the number of any first fingerprint to the total number of all first fingerprints) exceeds the first ratio threshold; the number of any first fingerprint ranks in the top M1; the ratio of any first fingerprint ranks in the top N1; the frequency of occurrence of any first fingerprint (i.e., the number of any first fingerprint per unit time) exceeds the first frequency threshold.
- M1 and N1 are natural numbers
- the first number threshold, the first ratio threshold, the first frequency threshold, and M1 and N1 can all be preset by the user, or dynamically adjusted by the security protection device 300 according to actual conditions.
- for example, after fingerprint extraction of the first data streams in the first traffic, 100 first fingerprints can be obtained. Among these 100 first fingerprints, 15 first fingerprints are fingerprint 1, 3 first fingerprints are fingerprint 2, 50 first fingerprints are fingerprint 3, 1 first fingerprint is fingerprint 4, 1 first fingerprint is fingerprint 5, 1 first fingerprint is fingerprint 6, 20 first fingerprints are fingerprint 7, 1 first fingerprint is fingerprint 8, 1 first fingerprint is fingerprint 9, and 7 first fingerprints are fingerprint 10. Sort fingerprints 1 to 10 in descending order of quantity, and determine that the top 3 fingerprints are fingerprint 3, fingerprint 7 and fingerprint 1, respectively. Then, fingerprint 3, fingerprint 7 and fingerprint 1 are the first type of fingerprints.
- for example, the first number threshold is 10.
- the security protection device 300 can extract at least one first fingerprint by performing fingerprint extraction on each first data stream in the first traffic.
- Different first data streams may correspond to the same first fingerprint, so among the above-mentioned at least one first fingerprint, some first fingerprints occur in large numbers and others in small numbers. Since most or all of the first data streams included in the first traffic are normal traffic when the first rate characterization value does not exceed the first rate threshold, it can be inferred that the first fingerprints occurring in large numbers (i.e., the first-class fingerprints) are most likely the fingerprints corresponding to normal traffic. Therefore, the first-class fingerprints obtained by the above method can be used to determine that traffic matching a first-class fingerprint is normal traffic.
- the security protection device 300 generates at least one second type of fingerprint.
- when the first rate characterization value exceeds the first rate threshold, the security protection device 300 generates at least one second type fingerprint. Specifically, the security protection device 300 generates a first fingerprint for each first data stream in the at least one first data stream, and when any first fingerprint satisfies the fourth condition, that first fingerprint is determined as a second type fingerprint.
- the fourth condition includes any one or more of the following: the number of any first fingerprint exceeds the fourth number threshold; the ratio of any first fingerprint exceeds the fourth ratio threshold; the number of any first fingerprint ranks in the top M4; the ratio of any first fingerprint ranks in the top N4; the frequency of any first fingerprint exceeds the fourth frequency threshold.
- M4 and N4 are natural numbers, and the fourth number threshold, the fourth ratio threshold, the fourth frequency threshold, and M4 and N4 can all be preset by the user, or dynamically adjusted by the security protection device 300 according to actual conditions.
- the security protection device 300 can obtain 1000 first fingerprints after fingerprint extraction of the 1000 data streams. Among the 1000 first fingerprints, 15 first fingerprints are fingerprint 1, 3 first fingerprints are fingerprint 2, 50 first fingerprints are fingerprint 3, 1 first fingerprint is fingerprint 4, 1 first fingerprint is fingerprint 5, 1 first fingerprint is fingerprint 6, 20 first fingerprints are fingerprint 7, 1 first fingerprint is fingerprint 8, 1 first fingerprint is fingerprint 9, 7 first fingerprints are fingerprint 10, 300 first fingerprints are fingerprint 11, 400 first fingerprints are fingerprint 12, and 200 first fingerprints are fingerprint 13.
- the ratio of fingerprint 1 is 0.015 (15/1000)
- the ratio of fingerprint 2 is 0.003 (3/1000)
- the ratio of fingerprint 3 is 0.05 (50/1000)
- the ratios of fingerprint 4, fingerprint 5, fingerprint 6, fingerprint 8 and fingerprint 9 are all 0.001 (1/1000)
- the ratio of fingerprint 7 is 0.02 (20/1000)
- the ratio of fingerprint 10 is 0.007 (7/1000)
- the ratio of fingerprint 11 is 0.3 (300/1000)
- the ratio of fingerprint 12 is 0.4 (400/1000)
- the ratio of fingerprint 13 is 0.2 (200/1000). Sort fingerprints 1 to 13 in descending order of ratio, and determine that the top three fingerprints are fingerprint 12, fingerprint 11 and fingerprint 13. Then, fingerprint 12, fingerprint 11 and fingerprint 13 are the second type of fingerprints.
- for example, the fourth ratio threshold is 0.1.
- the security protection device 300 can extract at least one first fingerprint by performing fingerprint extraction on each first data stream in the first traffic.
- Different first data streams may correspond to the same first fingerprint, so among the above-mentioned at least one first fingerprint, some first fingerprints occur in large numbers and others in small numbers.
- when the first rate characterization value exceeds the first rate threshold, most or all of the data streams included in the first traffic are attack traffic, so it can be inferred that the first fingerprints occurring in large numbers (i.e., the second type of fingerprints) are most likely the fingerprints corresponding to the attack traffic.
- the second type of fingerprints obtained based on the above method can be used to determine that the traffic matching the second type of fingerprint is the attack traffic.
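The selection of first-class and second-class fingerprints described in S1022/S1023, together with the S1021 rate decision, as an added Python example (not the patent's own implementation). It reproduces the two worked examples above (100 first fingerprints ranked by count, 1000 first fingerprints ranked by ratio) and also handles the count, ratio and frequency variants of the conditions; the function names, the 1 s period length and the sample rate values are this example's assumptions.

```python
from collections import Counter

def rate_exceeds(avg_bps, avg_pps, thr_bps, thr_pps, require_both=False):
    """S1021 with a two-part first rate threshold (bits/s and packets/s).
    Default: exceeded when EITHER component is above its limit (first variant
    in the text); require_both=True: exceeded only when BOTH are (second variant)."""
    over = (avg_bps > thr_bps, avg_pps > thr_pps)
    return all(over) if require_both else any(over)

def select_dominant(fingerprints, period_s, count_thr=None, ratio_thr=None,
                    top_m=None, top_n=None, freq_thr=None):
    """fingerprints: one fingerprint per data stream observed in the period
    (duplicates are expected, since many streams share a fingerprint).
    A fingerprint is selected if it meets ANY enabled condition:
      count_thr : number of occurrences above the threshold
      ratio_thr : occurrences / total above the threshold
      top_m     : among the top_m by count
      top_n     : among the top_n by ratio (same order as by count)
      freq_thr  : occurrences per second above the threshold
    Returns the selected fingerprints ordered by descending count."""
    counts = Counter(fingerprints)
    total = sum(counts.values())
    if total == 0:
        return []
    ranked = [fp for fp, _ in counts.most_common()]
    chosen = set()
    for fp, n in counts.items():
        if count_thr is not None and n > count_thr:
            chosen.add(fp)
        if ratio_thr is not None and n / total > ratio_thr:
            chosen.add(fp)
        if freq_thr is not None and n / period_s > freq_thr:
            chosen.add(fp)
    for k in (top_m, top_n):
        if k is not None:
            chosen.update(ranked[:k])
    return [fp for fp in ranked if fp in chosen]

def classify_period(fingerprints, period_s, rate_exceeded, **conditions):
    """The dominant fingerprints of a period whose rate characterization value
    stayed under the first rate threshold are presumed normal traffic (first-class);
    those of a period that exceeded it are presumed attack traffic (second-class)."""
    label = "second-class" if rate_exceeded else "first-class"
    return label, select_dominant(fingerprints, period_s, **conditions)

# Constructed from the worked examples in the text. Low-rate period: 100 streams.
LOW_RATE_PERIOD = (["fp1"] * 15 + ["fp2"] * 3 + ["fp3"] * 50 + ["fp4", "fp5", "fp6"]
                   + ["fp7"] * 20 + ["fp8", "fp9"] + ["fp10"] * 7)
# High-rate period: the same 100 plus 900 streams carrying three new fingerprints.
HIGH_RATE_PERIOD = LOW_RATE_PERIOD + ["fp11"] * 300 + ["fp12"] * 400 + ["fp13"] * 200

if __name__ == "__main__":
    # thresholds taken from the text's example values: 20000 BPS / 1000 PPS
    exceeded = rate_exceeds(avg_bps=15000, avg_pps=900, thr_bps=20000, thr_pps=1000)
    print(classify_period(LOW_RATE_PERIOD, 1.0, exceeded, top_m=3))       # first-class: fp3, fp7, fp1
    exceeded = rate_exceeds(avg_bps=150000, avg_pps=9000, thr_bps=20000, thr_pps=1000)
    print(classify_period(HIGH_RATE_PERIOD, 1.0, exceeded, ratio_thr=0.1))  # second-class: fp12, fp11, fp13
```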
- the security protection device 300 may also execute any one or more of the following steps.
- the security protection device 300 obtains a second rate characterization value of the second flow in a second time period.
- the second traffic includes at least one second data stream.
- the at least one second data stream includes at least one of a TLS data stream or an SSL data stream.
- the source IP address of each second data stream in the at least one second data stream may be the same or different.
- the second data streams come from at least one client 100, and the at least one client 100 may include a normal client or an attacking client.
- the source IP address of any second data stream may be the same as the source IP address of a first data stream, or may be different from the source IP addresses of all first data streams.
- the destination IP address of each second data stream in the at least one second data stream is the same, and the destination IP address of each second data stream is the first IP address.
- the destination IP address of the at least one second data stream belongs to an IP group, and the IP group is the first IP group.
- the second time period is later than the first time period and the second time period is adjacent to the first time period.
- the security protection device 300 can obtain the rate characterization value of the traffic sent to the network 400 in a periodic manner. Taking 1s as a cycle as an example, when the first time period is 1-1000ms, the second time period is 1001-2000ms; when the first time period is 1001-2000ms, the second time period is 2001-3000ms.
- the second time period is later than the first time period and the second time period and the first time period both include a common time period.
- the security protection device 300 can obtain the rate characterization value of the traffic sent to the network 400 by means of a sliding window. Taking a sliding window of 10ms as an example, when the first time period is 1-1000ms, the second time period is 11-1010ms; when the first time period is 11-1010ms, the second time period is 21-1020ms.
- the second rate characterization value indicates the flow rate of the second flow in the second time period. Similar to the first rate characterization value, the second rate characterization value can be expressed in bytes or bits, for example, the total number of bytes or bits corresponding to the second flow in the second time period; or, it can also be expressed in bytes or bits per unit time, for example, the average number of bits corresponding to the second flow in the second time period. The second rate characterization value can also be expressed in messages, for example, the total number of messages corresponding to the second flow in the second time period; or, it can also be expressed in messages per unit time, for example, the average number of messages corresponding to the second flow in the second time period.
- the security protection device 300 determines the traffic (i.e., the second traffic) sent to the first IP address in the second time period based on the first IP address, thereby obtaining a second rate characterization value.
- the security protection device 300 determines the traffic (i.e., the second traffic) sent to the first IP group within the second time period based on the first IP group, thereby obtaining a second rate characterization value.
- S104 The security protection device 300 determines whether the second rate characterization value exceeds the first rate threshold. When the second rate characterization value does not exceed the first rate threshold, the security protection device 300 executes S105; when the second rate characterization value exceeds the first rate threshold, the security protection device 300 executes S106-S107.
- the security protection device 300 may also determine whether the second rate characterization value exceeds the first rate threshold in one or more ways. For details, refer to the process by which the security protection device 300 determines whether the first rate characterization value exceeds the first rate threshold, described in S1021 above, which is not repeated here.
- the security protection device 300 updates at least one first type fingerprint.
- the security protection device 300 generates a second fingerprint for each second data stream in the at least one second data stream, and when any second fingerprint satisfies the second condition, the second fingerprint is determined as a new first-class fingerprint. Then, the security protection device 300 replaces at least one first-class fingerprint with the new first-class fingerprint.
- the second condition includes any one or more of the following: the number of any second fingerprint exceeds the second number threshold; the ratio of any second fingerprint (i.e., the ratio of the number of any second fingerprint to the total number of the second fingerprint) exceeds the second ratio threshold; the number of any second fingerprint ranks in the top M2; the ratio of any second fingerprint ranks in the top N2; the frequency of occurrence of any second fingerprint (i.e., the number of data streams corresponding to any second fingerprint received by the security protection device 300 per unit time) exceeds the second frequency threshold.
- M2 and N2 are natural numbers
- the second number threshold, the second ratio threshold, the second frequency threshold, and M2 and N2 can all be preset by the user, or can be dynamically adjusted by the security protection device 300 according to actual conditions.
- the first condition and the second condition can be the same or different, and can be set specifically according to actual conditions. For example, when the first time period is a low-peak period of traffic, and the second time period is a peak period of traffic, the first number threshold in the first condition can be set to be less than the second number threshold in the second condition.
- the security protection device 300 extracts fingerprints from the 200 data streams and obtains 200 second fingerprints.
- 15 second fingerprints are fingerprint 1
- 10 second fingerprints are fingerprint 2
- 70 second fingerprints are fingerprint 3
- 5 second fingerprints are fingerprint 4
- 2 second fingerprints are fingerprint
- 9 second fingerprints are fingerprint 6
- 45 second fingerprints are fingerprint 7
- 1 second fingerprint is fingerprint 9
- 10 second fingerprints are fingerprint 10
- 30 second fingerprints are fingerprint 14, and 3 second fingerprints are fingerprint 15.
- the above 11 fingerprints are sorted in order from large to small in number, and it is determined that the fingerprints ranked in the first 3 positions are fingerprint 3, fingerprint 7, and fingerprint 14, respectively.
- fingerprint 3, fingerprint 7, and fingerprint 14 are new first-class fingerprints.
- alternatively, the second condition may be that the number of a second fingerprint exceeds the second number threshold; for example, when the second number threshold is 20, the fingerprints whose number exceeds 20 are again fingerprint 3 (70), fingerprint 7 (45) and fingerprint 14 (30).
- the first type of fingerprint is time-sensitive.
- the security protection device 300 determines a first type of fingerprint in the first period, but the client corresponding to the fingerprint is infected by the attack tool and becomes an attack client in the second period. In this case, the fingerprint will no longer be a first type of fingerprint.
- the security protection device 300 can update the first type of fingerprint (i.e., execute the above S105) so that the first type of fingerprint can accurately indicate normal traffic, thereby improving the security of the server 200 indicated by the first IP address or the first IP group.
- the security protection device 300 generates at least one second type of fingerprint.
- the security protection device 300 generates a second fingerprint for each second data stream in the at least one second data stream, and when any second fingerprint satisfies the third condition and at least one first-category fingerprint does not include the second fingerprint, the second fingerprint is determined as a second-category fingerprint.
- the third condition includes any one or more of the following: the number of any second fingerprint exceeds the third number threshold; the ratio of any second fingerprint exceeds the third ratio threshold; the number of any second fingerprint ranks in the top M3; the ratio of any second fingerprint ranks in the top N3; the frequency of any second fingerprint exceeds the third frequency threshold.
- M3 and N3 are natural numbers, and the third number threshold, the third ratio threshold, the third frequency threshold, and M3 and N3 can all be preset by the user, or dynamically adjusted by the security protection device 300 according to actual conditions.
- the security protection device 300 extracts fingerprints from the 1000 data streams and obtains 1000 second fingerprints.
- 15 second fingerprints are fingerprint 1
- 3 second fingerprints are fingerprint 2
- 150 second fingerprints are fingerprint 3
- 1 second fingerprint is fingerprint 4
- 1 second fingerprint is fingerprint
- 1 second fingerprint is fingerprint 6
- 20 second fingerprints are fingerprint
- 1 second fingerprint is fingerprint 8
- 1 second fingerprint is fingerprint 9
- 7 second fingerprints are fingerprint 10
- 300 second fingerprints are fingerprint 11, and 500 second fingerprints are fingerprint 12.
- the ratio of fingerprint 1 is 0.015 (15/1000)
- the ratio of fingerprint 2 is 0.003 (3/1000)
- the ratio of fingerprint 3 is 0.15 (150/1000)
- the ratios of fingerprint 4, fingerprint 5, fingerprint 6, fingerprint 8 and fingerprint 9 are all 0.001 (1/1000)
- the ratio of fingerprint 7 is 0.02 (20/1000)
- the ratio of fingerprint 10 is 0.007 (7/1000)
- the ratio of fingerprint 11 is 0.3 (300/1000)
- the ratio of fingerprint 12 is 0.5 (500/1000).
- Sort fingerprints 1 to 12 in descending order of ratio, and determine that the top 3 fingerprints are fingerprint 12, fingerprint 11 and fingerprint 3.
- fingerprint 3 is a first-class fingerprint, so only fingerprint 12 and fingerprint 11 are second-class fingerprints.
- the ratios of fingerprint 3, fingerprint 11 and fingerprint 12 exceed 0.1 and are ranked in the top 3, but since fingerprint 3 is a first-category fingerprint, only fingerprint 11 and fingerprint 12 are second-category fingerprints.
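The fingerprint selection used in S105 and S106 above (number, ratio, rank and frequency conditions, with first-type fingerprints excluded from the second-type result), as an added Python example that is not part of the patent. The function names, the `fpN` labels and the AND-combination of whichever conditions are supplied are assumptions; the counts are the page's own examples.

```python
from collections import Counter
from typing import Iterable, Optional, Set


def count_fingerprints(fingerprints: Iterable[str]) -> Counter:
    """Tally how many data streams of one time period produced each fingerprint."""
    return Counter(fingerprints)


def select_fingerprints(counts: Counter, *,
                        count_threshold: Optional[int] = None,
                        ratio_threshold: Optional[float] = None,
                        top_n: Optional[int] = None,
                        frequency_threshold: Optional[float] = None,
                        period_seconds: float = 1.0,
                        exclude: Iterable[str] = ()) -> Set[str]:
    """Return the fingerprints that satisfy every condition that is supplied.

    The conditions mirror the patent's first/second/third/fifth conditions:
    number > threshold, ratio > threshold, rank in the top N by number (ranking
    by ratio gives the same order), and occurrence frequency (streams per
    second) > threshold. Supplying several conditions ANDs them, as in the
    page's example where a fingerprint must exceed ratio 0.1 AND rank top 3.

    `exclude` holds fingerprints that must not be selected (the first-type
    fingerprints when choosing second-type ones). Ranking is computed over all
    fingerprints before the exclusion is applied, which is the order the page
    uses: fingerprint 3 occupies a top-3 slot and is then dropped.
    """
    excluded = set(exclude)
    total = sum(counts.values())
    # Stable ranking: larger count first, ties broken by fingerprint label.
    ranked = [fp for fp, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]
    top = set(ranked[:top_n]) if top_n is not None else None

    selected = set()
    for fp, n in counts.items():
        if fp in excluded:
            continue
        if count_threshold is not None and n <= count_threshold:
            continue
        if ratio_threshold is not None and n / total <= ratio_threshold:
            continue
        if frequency_threshold is not None and n / period_seconds <= frequency_threshold:
            continue
        if top is not None and fp not in top:
            continue
        selected.add(fp)
    return selected


# Constructed from the page's S105 example: 200 second data streams. The page
# leaves one fingerprint unnumbered; it is labelled "fp5" here as a placeholder.
S105_COUNTS = Counter({"fp1": 15, "fp2": 10, "fp3": 70, "fp4": 5, "fp5": 2, "fp6": 9,
                       "fp7": 45, "fp9": 1, "fp10": 10, "fp14": 30, "fp15": 3})

# Constructed from the page's S106 example: 1000 second data streams (labels as
# given in the page's ratio list).
S106_COUNTS = Counter({"fp1": 15, "fp2": 3, "fp3": 150, "fp4": 1, "fp5": 1, "fp6": 1,
                       "fp7": 20, "fp8": 1, "fp9": 1, "fp10": 7, "fp11": 300, "fp12": 500})


def update_first_type_fingerprints() -> Set[str]:
    """S105: the top-3 (M2 = 3) second fingerprints become the new first-type set."""
    assert sum(S105_COUNTS.values()) == 200
    return select_fingerprints(S105_COUNTS, top_n=3)


def generate_second_type_fingerprints(first_type: Set[str]) -> Set[str]:
    """S106: ratio > 0.1 and top-3 (N3 = 3), minus anything already first-type."""
    assert sum(S106_COUNTS.values()) == 1000
    return select_fingerprints(S106_COUNTS, ratio_threshold=0.1, top_n=3,
                               exclude=first_type)


if __name__ == "__main__":
    print(update_first_type_fingerprints())            # {'fp3', 'fp7', 'fp14'}
    print(generate_second_type_fingerprints({"fp3"}))  # {'fp11', 'fp12'}
```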
- the security protection device 300 generates at least one blacklist according to at least one second type of fingerprint.
- the security protection device 300 obtains the request rate (or response rate) of each second data flow in at least one second data flow, and when the request rate (or response rate) of one second data flow in at least one second data flow exceeds the second rate threshold, and at least one second type of fingerprint includes the fingerprint corresponding to the second data flow, the source IP address of the second data flow is determined as one of the at least one blacklist.
- the request rate of the second data stream refers to the rate at which the source IP address of the second data stream initiates requests to the destination IP address of the second data stream during the second time period.
- the request rate of the second data stream can be expressed by the number of bits per unit time, for example, the number of bits sent per second by the source IP address of the second data stream to the destination IP address of the second data stream during the second time period; the request rate of the second data stream can also be expressed by the number of messages per unit time, for example, the number of messages sent per second by the source IP address of the second data stream to the destination IP address of the second data stream during the second time period.
- the response rate of the second data stream refers to the rate at which the destination IP address of the second data stream responds to the source IP address of the second data stream within the second time period, for example, the rate at which the destination IP address of the second data stream returns acknowledgement characters (ACK) to the source IP address of the second data stream.
- the second rate threshold may be preset by the user (such as 100PPS) or may be dynamically adjusted by the security protection device 300 according to actual conditions. For example, the second rate threshold during a traffic peak period is greater than the second rate threshold during a traffic off-peak period.
- the security protection device 300 determines the source IP address of the second data stream corresponding to fingerprint 11 and the source IP address of the second data stream corresponding to fingerprint 12 as blacklisted.
- the blacklist generated based on the second type of fingerprint enables the security device to determine whether the data flow to be detected is attack traffic by matching the source IP address of the data flow to be detected with the blacklist. Compared with extracting the fingerprint corresponding to the data flow, it takes less time and resources to obtain the source IP address of the data flow, so the rate of detecting attack traffic using at least one blacklist is faster and consumes less resources.
- the security protection device 300 can also generate at least one whitelist based on at least one first-class fingerprint. Specifically, when the request rate (or response rate) of a first data stream in at least one first data stream does not exceed the third rate threshold, and at least one first-class fingerprint includes the fingerprint corresponding to the first data stream, the source IP address of the first data stream is determined as a whitelist.
- the third rate threshold can be preset by the user, or it can be dynamically adjusted by the security protection device 300 according to actual conditions.
- the description of the request rate (or response rate) of the first data stream can refer to the relevant description in S108 below.
- the whitelist is also time-sensitive. Therefore, after the security protection device 300 updates the first type of fingerprint, it can also perform the step of updating at least one of the above whitelists. Specifically, when the request rate (or response rate) of one of the at least one second data streams does not exceed the fourth rate threshold, and the new first type of fingerprint includes the fingerprint corresponding to the second data stream, the security protection device 300 determines the source IP address of the second data stream as a new whitelist.
- the fourth rate threshold can be preset by the user, or it can be dynamically adjusted by the security protection device 300 according to actual conditions. Afterwards, the security protection device 300 replaces at least one whitelist with the above new whitelist. In this way, the whitelist can accurately indicate normal traffic, thereby improving the security of the server 200 indicated by the first IP address or the first IP group.
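Blacklist generation (S107) and whitelist generation as described in the two passages above, as an added Python example that is not part of the patent: a source IP is blacklisted only when its flow both exceeds the second rate threshold and carries a second-type fingerprint, and whitelisted only when its flow stays within the third (or fourth) rate threshold and carries a first-type fingerprint. The `FlowStats` record, the RFC 5737 sample addresses and the packet counts are constructed; the 100 PPS threshold and the fingerprint sets come from the page's example.

```python
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass(frozen=True)
class FlowStats:
    """Per-flow counters collected by the security protection device in one time period.

    `fingerprint` is the fingerprint already extracted from the flow's message fields.
    """
    src_ip: str
    dst_ip: str
    fingerprint: str
    request_packets: int    # messages sent by src_ip to dst_ip in the period
    response_packets: int   # messages (e.g. ACKs) returned by dst_ip to src_ip


def _rate_pps(flow: FlowStats, period_seconds: float, use_response_rate: bool) -> float:
    """Request rate (or response rate) in messages per second, one of the forms the page allows."""
    packets = flow.response_packets if use_response_rate else flow.request_packets
    return packets / period_seconds


def generate_blacklist(flows: Iterable[FlowStats], second_type_fps: Set[str],
                       second_rate_threshold_pps: float, period_seconds: float,
                       use_response_rate: bool = False) -> Set[str]:
    """S107 / S113: source IPs whose flow exceeds the second rate threshold AND
    carries a second-type fingerprint. A high rate alone, or a second-type
    fingerprint alone, does not blacklist the source."""
    return {
        f.src_ip for f in flows
        if _rate_pps(f, period_seconds, use_response_rate) > second_rate_threshold_pps
        and f.fingerprint in second_type_fps
    }


def generate_whitelist(flows: Iterable[FlowStats], first_type_fps: Set[str],
                       rate_threshold_pps: float, period_seconds: float,
                       use_response_rate: bool = False) -> Set[str]:
    """Whitelist: source IPs whose flow stays at or below the third (or fourth)
    rate threshold AND carries a first-type fingerprint. A fast flow with a
    first-type fingerprint is deliberately not whitelisted."""
    return {
        f.src_ip for f in flows
        if _rate_pps(f, period_seconds, use_response_rate) <= rate_threshold_pps
        and f.fingerprint in first_type_fps
    }


# Constructed sample: one protected server (RFC 5737 test addresses), a 1 s time
# period, the page's example second rate threshold of 100 PPS, and the fingerprint
# sets learned in the page's example (fp3 first-type; fp11/fp12 second-type).
SERVER = "203.0.113.10"
FIRST_TYPE = {"fp3"}
SECOND_TYPE = {"fp11", "fp12"}
SAMPLE_FLOWS = [
    FlowStats("192.0.2.1", SERVER, "fp12", request_packets=5000, response_packets=5000),
    FlowStats("192.0.2.2", SERVER, "fp11", request_packets=50, response_packets=50),     # rate too low
    FlowStats("192.0.2.3", SERVER, "fp3", request_packets=4000, response_packets=4000),  # fast, but first-type
    FlowStats("192.0.2.4", SERVER, "fp3", request_packets=20, response_packets=20),      # slow and first-type
    FlowStats("192.0.2.6", SERVER, "fp11", request_packets=90, response_packets=500),    # only response rate high
]


def example_blacklist(use_response_rate: bool = False) -> Set[str]:
    return generate_blacklist(SAMPLE_FLOWS, SECOND_TYPE, 100, 1.0, use_response_rate)


def example_whitelist() -> Set[str]:
    # Third rate threshold assumed equal to 100 PPS as well.
    return generate_whitelist(SAMPLE_FLOWS, FIRST_TYPE, 100, 1.0)


if __name__ == "__main__":
    print(example_blacklist())                        # {'192.0.2.1'}
    print(example_blacklist(use_response_rate=True))  # {'192.0.2.1', '192.0.2.6'}
    print(example_whitelist())                        # {'192.0.2.4'}
```

Because both lists are time-sensitive, the caller replaces the previous list with the returned set after each period rather than merging them.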
- the security protection device 300 may also execute any of the following steps.
- the security protection device 300 generates at least one blacklist according to at least one second type of fingerprint.
- the security protection device 300 obtains the request rate (or response rate) of each first data flow in at least one first data flow, and when the request rate (or response rate) of one first data flow in at least one first data flow exceeds the second rate threshold, and at least one second-class fingerprint includes the fingerprint corresponding to the first data flow, the source IP address of the first data flow is determined as one of the at least one blacklist.
- the request rate of the first data stream refers to the rate at which the source IP address of the first data stream initiates requests to the destination IP address of the first data stream during the first time period. Similar to the request rate of the second data stream, the request rate of the first data stream can be expressed in terms of the number of bits per unit time, for example, the number of bits sent per second from the source IP address of the first data stream to the destination IP address of the first data stream during the first time period; or, the request rate of the first data stream can also be expressed in terms of the number of messages per unit time, for example, the number of messages sent per second from the source IP address of the first data stream to the destination IP address of the first data stream during the first time period.
- the response rate of the first data flow refers to the rate at which the destination IP address of the first data flow responds to the source IP address of the first data flow within the first time period, for example, the rate at which the destination IP address of the first data flow returns ACK to the source IP address of the first data flow.
- the security protection device 300 obtains a second rate characterization value of the second flow in the second time period.
- the security protection device 300 determines whether the second rate characterization value exceeds the first rate threshold. When the second rate characterization value does not exceed the first rate threshold, the security protection device 300 executes S111; when the second rate characterization value exceeds the first rate threshold, the security protection device 300 executes S112-S113.
- the security protection device 300 generates at least one first type of fingerprint.
- the security protection device 300 generates a second fingerprint for each second data stream in the at least one second data stream, and when any second fingerprint satisfies the second condition, the second fingerprint is determined as a first-class fingerprint.
- for the second condition, refer to the description in S105 above.
- the security protection device 300 updates at least one second type of fingerprint.
- the security protection device 300 generates a second fingerprint for each second data stream in the at least one second data stream. When any second fingerprint satisfies the fifth condition, the security protection device 300 determines the second fingerprint as a new second-class fingerprint. Then, the security protection device 300 replaces at least one second type fingerprint with the new second type fingerprint.
- the fifth condition may include any one or more of the following: the number of any second fingerprints exceeds the fifth quantity threshold; or the ratio of any second fingerprint exceeds the fifth ratio threshold; or the number of any second fingerprints ranks in the top M5; or the ratio of any second fingerprint ranks in the top N5; or the frequency of occurrence of any second fingerprint exceeds the fifth frequency threshold; wherein M5 and N5 are natural numbers, and the fifth quantity threshold, the fifth ratio threshold, the fifth frequency threshold, as well as M5 and N5 can all be preset by the user, or can be dynamically adjusted by the security protection device 300 according to actual conditions.
- the security protection device 300 updates at least one blacklist.
- the security protection device 300 obtains the request rate (or response rate) of each second data stream in at least one second data stream, and when the request rate (or response rate) of one second data stream in at least one second data stream exceeds the second rate threshold, and the new second type fingerprint includes the fingerprint corresponding to the second data stream, the source IP address of the second data stream is determined as a new blacklist. Then, the security protection device 300 replaces at least one blacklist with the above new blacklist.
- the relevant description of the request rate (or response rate) of the second data stream and the second rate threshold can be found in the relevant description in the above S107.
- the second type of fingerprint and blacklist also have time validity.
- the security protection device 300 determines a second type of fingerprint in the first period, but the client corresponding to the fingerprint has been restored to a normal client after a period of time and no longer attacks the server 200. In this case, the fingerprint is no longer a second type of fingerprint.
- the security protection device 300 determines a blacklist in the first period of time, but the attack client indicated by the blacklist is repaired after a period of time and no longer launches attacks, while some other originally normal clients become attack clients. To this end, the security protection device 300 can execute the above S112-S113, so that the second type of fingerprint and blacklist can accurately indicate the attack traffic, thereby improving the security of the server 200 indicated by the first IP address or the first IP group.
- the security protection device 300 can also perform the step of updating at least one second type of fingerprint according to the traffic received in the subsequent time period after executing S106.
- the security protection device 300 can also perform the step of updating at least one blacklist according to the traffic received in the subsequent time period after executing S107 above, and perform the step of updating at least one first type of fingerprint and updating at least one whitelist according to the traffic received in the subsequent time period after executing S111 above. Since the implementation process of these steps is similar to the implementation process of S105, S112 and S113 above, they will not be described here.
- the above embodiment only describes how the security protection device 300 detects the attack traffic directed to the server 200 indicated by the first IP address or the first IP group, that is, based on the first traffic whose destination IP address is the first IP address or the destination IP address belongs to the first IP group, one or more of the following are learned: at least one first-class fingerprint, at least one second-class fingerprint, at least one blacklist, at least one whitelist, and then detects whether the data flow sent to the first IP address or the first IP group is the attack traffic based on the one or more of the learned ones.
- the security protection device 300 can also use a method similar to S101-S113 described above to detect attack traffic directed to other servers. Taking the second IP address or the second IP group as an example: the security protection device 300 obtains the rate characterization value of the third traffic in the first time period, where the destination IP addresses of the data flows in the third traffic are all the second IP address, or all belong to the second IP group. Then, the security protection device 300 generates at least one first-class fingerprint (or at least one second-class fingerprint) according to the rate characterization value of the third traffic.
- the at least one first-class fingerprint (or at least one second-class fingerprint) obtained here is used to detect whether the data flow sent to the second IP address or the second IP group is attack traffic.
- the security protection device 300 can also refer to the above S103-S113 to generate at least one blacklist, at least one whitelist and at least one second-class fingerprint (or at least one first-class fingerprint) for the second IP address or the second IP group. Afterwards, the security protection device 300 can detect whether the data flow sent to the second IP address or the second IP group is attack traffic based on the above-mentioned learned content.
- the security protection device 300 can refer to the above S101-S113 to generate one or more of at least one first-class fingerprint, at least one second-class fingerprint, at least one blacklist, and at least one whitelist for any one or more servers 200 in the network 400, thereby obtaining one or more of the first-class fingerprint library, the second-class fingerprint library, the blacklist library, or the whitelist library.
- the first-class fingerprint library includes at least one first-class fingerprint
- the second-class fingerprint library includes at least one second-class fingerprint
- the blacklist library includes at least one blacklist
- the whitelist library includes at least one whitelist.
- the security protection device 300 may also perform the following steps:
- the security protection device 300 sends one or more of the following to the analysis device: a first type fingerprint library, a second type fingerprint library, a blacklist library, or a whitelist library.
- the analysis device may be the analysis device 500 shown in FIG. 11, and the analysis device 500 is deployed in a data center, which includes a large number of basic resources (including computing resources, storage resources, and network resources).
- the computing resources included in the data center may be computing devices such as servers, storage resources may be storage devices such as hard disks, and network resources may be network devices such as routers and switches.
- the analysis device 500 may be one or more servers in the data center, or may be a server or VM deployed in the data center.
- when the analysis device 500 is a software device, it can be deployed in a distributed manner on multiple servers, on multiple VMs, or on a mix of servers and VMs.
- each security protection device 300 is used to protect a network 400, and the analysis device 500 is connected to the multiple security protection devices 300 respectively. Therefore, the analysis device 500 can also send one or more of the above-mentioned received first-class fingerprint library, second-class fingerprint library, blacklist library or whitelist library to other security protection devices 300, so that other security protection devices 300 can also detect attack traffic according to one or more of the above-mentioned first-class fingerprint library, second-class fingerprint library, blacklist library or whitelist library.
- S201 Multiple security protection devices 300 send second-type fingerprint libraries to the analysis device 500 respectively. Accordingly, the analysis device 500 receives the second-type fingerprint libraries sent by the multiple security protection devices 300 respectively.
- each second-type fingerprint library includes at least one second-type fingerprint.
- the second type of fingerprint library sent by each security protection device 300 is generated by each security protection device 300 by executing one or more steps of the above S101-S104, S106, S109-S110 and S112, so it will not be described repeatedly here.
- the analysis device 500 generates a total fingerprint library according to the plurality of second-category fingerprint libraries, where the total fingerprint library includes part or all of the second-category fingerprints in the plurality of second-category fingerprint libraries.
- the analysis device 500 generates a total fingerprint library according to the plurality of second-category fingerprint libraries, including: the analysis device 500 adds all the second-category fingerprints included in the plurality of second-category fingerprint libraries to the total fingerprint library.
- the analysis device 500 generates a total fingerprint library according to the above-mentioned multiple second-class fingerprint libraries, including: the analysis device 500 obtains all second-class fingerprints included in the above-mentioned multiple second-class fingerprint libraries, and when the frequency with which any second-class fingerprint appears exceeds a preset frequency threshold, that second-class fingerprint is added to the total fingerprint library.
- the frequency with which any second-class fingerprint appears refers to the number of times the analysis device 500 obtains that second-class fingerprint per unit time.
- the analysis device 500 updates the above-mentioned total fingerprint library. Specifically, for any second-category fingerprint in the total fingerprint library, the analysis device 500 records the time at which it was first added to the total fingerprint library, and if the analysis device 500 fails to obtain that second-category fingerprint for a long time (for example, longer than a time threshold), the second-category fingerprint is deleted from the total fingerprint library.
- the analysis device 500 further determines the threat level of each second type of fingerprint according to the frequency of occurrence of each second type of fingerprint.
- the analysis device 500 sends the total fingerprint library to the multiple security protection devices 300. Accordingly, the multiple security protection devices 300 receive the total fingerprint library sent by the analysis device 500.
- S204 Multiple security protection devices 300 detect attack traffic according to the total fingerprint library.
- the security protection device 300 detects attack traffic based on the total fingerprint library, including: if the fingerprint corresponding to the data flow matches any second-category fingerprint in the total fingerprint library, the security protection device 300 determines that the data flow is attack traffic.
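The analysis-device side of S201-S204 above (merging the second-type fingerprint libraries of several security protection devices, admitting a fingerprint once its reporting frequency exceeds a threshold, expiring it when no device has reported it for a long time, and using the total library for detection), as an added Python example that is not part of the patent. The class and method names, the sliding-window measure of frequency, the device identifiers and timestamps, and the three threat-level tiers are assumptions; the page only says the threat level follows the frequency.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Set


class TotalFingerprintLibrary:
    """Total second-type fingerprint library maintained by the analysis device.

    A fingerprint enters the library once it is reported more often than
    `frequency_threshold` (reports per second, measured over the trailing
    `window_seconds`); it is removed again when no device has reported it for
    longer than `expiry_seconds`. With `require_frequency=False` every reported
    fingerprint is added, the simpler merge the page also describes.
    """

    def __init__(self, frequency_threshold: float, window_seconds: float,
                 expiry_seconds: float, require_frequency: bool = True):
        self.frequency_threshold = frequency_threshold
        self.window_seconds = window_seconds
        self.expiry_seconds = expiry_seconds
        self.require_frequency = require_frequency
        self.reports: Dict[str, Deque[float]] = defaultdict(deque)  # fp -> report times
        self.reporters: Dict[str, Set[str]] = defaultdict(set)      # fp -> devices that sent it
        self.last_seen: Dict[str, float] = {}
        self.first_added: Dict[str, float] = {}  # time the fingerprint entered the library
        self.members: Set[str] = set()

    def frequency(self, fp: str, now: float) -> float:
        """Reports of `fp` per second within the trailing window."""
        times = self.reports[fp]
        while times and now - times[0] > self.window_seconds:
            times.popleft()
        return len(times) / self.window_seconds

    def receive(self, device_id: str, library: Iterable[str], now: float) -> None:
        """S201/S202: ingest one security protection device's second-type library."""
        for fp in set(library):
            self.reports[fp].append(now)
            self.reporters[fp].add(device_id)
            self.last_seen[fp] = now
            if fp in self.members:
                continue
            if not self.require_frequency or self.frequency(fp, now) > self.frequency_threshold:
                self.members.add(fp)
                self.first_added[fp] = now

    def prune(self, now: float) -> Set[str]:
        """Drop fingerprints not obtained for longer than the expiry; return them."""
        expired = {fp for fp in self.members if now - self.last_seen[fp] > self.expiry_seconds}
        for fp in expired:
            self.members.discard(fp)
            self.first_added.pop(fp, None)
        return expired

    def threat_level(self, fp: str, now: float) -> str:
        """Assumed tiers derived from report frequency (the page fixes no tiers)."""
        f = self.frequency(fp, now)
        if f >= 3 * self.frequency_threshold:
            return "high"
        if f > self.frequency_threshold:
            return "medium"
        return "low"

    def publish(self) -> Set[str]:
        """S203: the total library sent back to every security protection device."""
        return set(self.members)


def detect_with_total_library(total: Set[str], flow_fingerprint: str) -> bool:
    """S204: a data flow is attack traffic if its fingerprint is in the total library."""
    return flow_fingerprint in total


def example_run() -> TotalFingerprintLibrary:
    """Constructed scenario: three devices report at t=0 s, one reports again at t=5 s."""
    lib = TotalFingerprintLibrary(frequency_threshold=0.15, window_seconds=10.0,
                                  expiry_seconds=30.0)
    lib.receive("dev-A", {"fp11", "fp12"}, now=0.0)   # fp12 seen once: below threshold
    lib.receive("dev-B", {"fp12"}, now=0.0)           # fp12 twice in 10 s: 0.2/s, admitted
    lib.receive("dev-C", {"fp12", "fp20"}, now=0.0)
    lib.receive("dev-A", {"fp11"}, now=5.0)           # fp11 now 0.2/s, admitted at t=5
    return lib


if __name__ == "__main__":
    lib = example_run()
    print(sorted(lib.publish()))      # ['fp11', 'fp12']
    print(lib.prune(33.0))            # {'fp12'} (last reported at t=0, expiry 30 s)
```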
- multiple security protection devices 300 can also send multiple first type fingerprint libraries (each first type fingerprint library includes at least one first type fingerprint), multiple blacklist libraries (each blacklist library includes at least one blacklist), or multiple whitelist libraries (each whitelist library includes at least one whitelist) to the analysis device 500.
- the analysis device 500 can also generate a total first type fingerprint library based on the received multiple first type fingerprint libraries, or generate a total blacklist library based on the received multiple blacklist libraries, or generate a total whitelist library based on the received multiple whitelist libraries.
- the analysis device 500 will also send the above-mentioned total first type fingerprint library, total blacklist library, and total whitelist library to multiple security protection devices 300, so that multiple security protection devices 300 can detect attack traffic. It should be understood that since the above process is similar to the process described in S201-S204 above, it will not be described in detail here.
- the following describes in detail how the security protection device 300 protects the server 200 indicated by the first IP address or the first IP group based on one or more of at least one first-class fingerprint, at least one second-class fingerprint, at least one blacklist or at least one whitelist obtained as described above, in conjunction with the flow chart of the network attack defense method shown in FIG. 13.
- the security protection device 300 receives a target data stream.
- the destination IP address of the target data flow is the first IP address, or the destination IP address of the target data flow belongs to the first IP group.
- the source IP address of the target data flow may be that of at least one client 100.
- the security protection device 300 processes the target data flow according to the fingerprint corresponding to the target data flow and/or the source IP address of the target data flow.
- assume the security protection device 300 generates at least one first type fingerprint, at least one second type fingerprint, at least one blacklist and at least one whitelist for the first IP address.
- the security protection device 300 processes the target data stream according to the fingerprint corresponding to the target data stream, including: the security protection device 300 determines at least one first-class fingerprint and/or at least one second-class fingerprint corresponding to the first IP address according to the destination IP address of the target data stream. The security protection device 300 generates the fingerprint corresponding to the target data stream according to the message field of the target data stream. If the fingerprint corresponding to the target data stream matches any first-class fingerprint of at least one first-class fingerprint corresponding to the first IP address, the security protection device 300 releases the target data stream so that the target data stream reaches the server 200.
- if the fingerprint corresponding to the target data stream matches any second-class fingerprint of at least one second-class fingerprint corresponding to the first IP address, the security protection device 300 blocks the target data stream so that the target data stream cannot reach the server 200, or performs speed limit processing on the target data stream so that only part of the traffic of the target data stream reaches the server 200.
- the process of the security protection device 300 generating the fingerprint corresponding to the target data stream according to the message field of the target data stream can refer to the fingerprint generation process in S102 above, which is not described here.
- the security protection device 300 processes the target data stream according to the source IP address of the target data stream, including: the security protection device 300 determines at least one blacklist and/or at least one whitelist corresponding to the first IP address according to the destination IP address of the target data stream. The security protection device 300 obtains the source IP address of the target data stream. If the source IP address of the target data stream matches one of the at least one blacklist corresponding to the first IP address, the security protection device 300 blocks the target data stream or performs speed limit processing on the target data stream. If the source IP address of the target data stream matches one of the at least one whitelist corresponding to the first IP address, the security protection device 300 releases the target data stream, allowing the target data stream to reach the server 200.
- the security protection device 300 generates at least one first type fingerprint, at least one second type fingerprint, at least one blacklist and at least one whitelist for the first IP group.
- the security protection device 300 processes the target data stream according to the fingerprint corresponding to the target data stream, including: the security protection device 300 determines that the destination IP address of the target data stream matches an IP address in the first IP group, and then determines at least one first-class fingerprint and/or at least one second-class fingerprint corresponding to the first IP group.
- the security protection device 300 generates a fingerprint corresponding to the target data stream according to the message field of the target data stream. If the fingerprint corresponding to the target data stream matches any first-class fingerprint of at least one first-class fingerprint corresponding to the first IP group, the security protection device 300 releases the target data stream and allows the target data stream to reach the server 200. If the fingerprint corresponding to the target data stream matches any second-class fingerprint of at least one second-class fingerprint corresponding to the first IP group, the security protection device 300 blocks the target data stream or performs speed limit processing on the target data stream.
- the security protection device 300 processes the target data stream according to the source IP address of the target data stream, including: the security protection device 300 determines that the destination IP address of the target data stream matches an IP address in the first IP group, and then determines at least one blacklist and/or at least one whitelist corresponding to the first IP group. The security protection device 300 obtains the source IP address of the target data stream. If the source IP address of the target data stream matches one of the at least one blacklist corresponding to the first IP group, the security protection device 300 blocks the target data stream or performs speed limit processing on the target data stream. If the source IP address of the target data stream matches one of the at least one whitelist corresponding to the first IP group, the security protection device 300 releases the target data stream.
- the security protection device 300 obtains at least one second-class fingerprint and/or at least one blacklist from the analysis device 500.
- the security protection device 300 may match the fingerprint corresponding to the target data flow with the at least one second-class fingerprint obtained above. If the match is successful, the security protection device 300 blocks the target data flow or performs speed limiting processing on the target data flow.
- the security protection device 300 may match the source IP address of the target data flow with the at least one blacklist obtained above. If the match is successful, the security protection device 300 blocks the target data flow or performs speed limiting processing on the target data flow.
- the method described in the above S301-S302 only needs to extract the fingerprint of the encrypted data stream and/or determine the source IP address of the encrypted data stream to know how to process the encrypted data stream.
- the method provided in the embodiment of the present application consumes less time and resources to extract the fingerprint of the encrypted data stream and/or determine the source IP address of the encrypted data stream, and can avoid the impact on user privacy.
- when the attack client finds that its attack on the server fails, it generally modifies the fingerprint of the data stream it sends by changing the algorithm list of the cipher suite. At that point, if the preset fingerprint library of the prior art is used to detect attack traffic, the attack traffic sent by the attack client may not be detected.
- for this reason, the accuracy of attack traffic detection with the method provided here is higher.
- FIG. 14 shows a schematic diagram of a structure of a safety protection device 300.
- the safety protection device 300 includes an acquisition module 310 and a fingerprint generation module 320.
- the security protection device 300 may further include one or more of a blacklist generation module 330, a sending module 340, a receiving module 350 or a detection module 360.
- the acquisition module 310 is used to execute any one or more steps in the above S101, S103 and S109; the fingerprint generation module 320 is used to execute any one or more steps in the above S102, S104-S106, S110-S112; the blacklist generation module 330 is used to execute any one or more steps in the above S107, S108, S113 and generating and updating at least one whitelist; the sending module 340 is used to execute the above S114, send the first category fingerprint library, blacklist library or whitelist library to the analysis device 500, and release any one or more steps of normal traffic; the receiving module 350 is used to execute the above S301, S203 to receive the total fingerprint library sent by the analysis device 500, and receive any one or more steps of the total first category fingerprint library, total blacklist library or total whitelist library sent by the analysis device 500; the detection module 360 is used to execute any one or more steps in the above S204 and S302.
- each module inside the security protection device 300 can be a software module, a hardware module, or partly a software module and partly a hardware module.
- FIG. 15 shows another schematic diagram of the structure of the security protection device 300.
- the security protection device 300 includes a memory 410, a processor 420, a communication interface 430, and a bus 440, wherein the memory 410, the processor 420, and the communication interface 430 communicate via the bus 440. It should be understood that the embodiment of the present application does not limit the number of memories 410, processors 420, and communication interfaces 430 in the security protection device 300.
- the memory 410 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random-access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compressed optical discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
- the memory 410 may exist independently and be connected to the processor 420 via the bus 440.
- the memory 410 may also be integrated with the processor 420.
- the memory 410 stores program codes, for example, program codes in the acquisition module 310, program codes in the fingerprint generation module 320, program codes in the blacklist generation module 330, program codes in the sending module 340, program codes in the receiving module 350, and program codes in the detection module 360.
- the processor 420 and the communication interface 430 are used to execute part or all of the methods executed by the security protection device 300 in the above method embodiment (including one or more steps executed by the security protection device 300 in the above S101-S114, S201, S203-S204, and S301-S303).
- the memory 410 can also store an operating system and data, wherein the data stored in the memory 410 includes intermediate data and result data generated by the processor 420 during the execution process, for example, the first fingerprint and the first type of fingerprint.
- the processor 420 may be a central processing unit (CPU), a graphics processing unit (GPU), a network processor (NP), a microprocessor, or may be one or more integrated circuits for implementing the steps performed by the safety protection device 300 in the above method embodiment, for example, an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
- the above PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
- the communication interface 430 uses any transceiver-like device to communicate with other devices or communication networks, for example, receiving a data stream sent from the client 100 to the server 200 through the communication interface 430, or sending normal traffic to the server 200 through the communication interface 430, or sending a second type of fingerprint library to the analysis device 500 through the communication interface, etc.
- the communication interface 430 includes a wired communication interface and may also include a wireless communication interface.
- the wired communication interface may be, for example, an Ethernet interface.
- the Ethernet interface may be an optical interface, an electrical interface, or a combination thereof.
- the wireless communication interface may be a wireless local area network (WLAN) interface, a cellular network communication interface, or a combination thereof, etc.
- the bus 440 may include a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
- the bus may be divided into an address bus, a data bus, a control bus, etc.
- FIG. 15 is represented by only one line, but it does not mean that there is only one bus or one type of bus.
- the bus 440 may include a path for transmitting information between various components of the security protection device 300 (e.g., the memory 410, the processor 420, and the communication interface 430).
- FIG. 16 shows a schematic diagram of the structure of the analysis device 500.
- the analysis device 500 includes a receiving module 510, an analyzing module 520, and a sending module 530.
- the receiving module 510, the analyzing module 520, and the sending module 530 work together to implement the steps performed by the analysis device 500 in the above method embodiment.
- the receiving module 510 is used to perform any one or more steps of receiving multiple second-class fingerprint libraries sent by multiple security protection devices 300 in S201, and receiving multiple first-class fingerprint libraries, multiple blacklist libraries, or multiple whitelist libraries sent by multiple security protection devices 300;
- the analyzing module 520 is used to perform the above S202;
- the sending module 530 is used to perform any one or more steps of sending a total fingerprint library to multiple security protection devices 300 in S203, and sending a total first-class fingerprint library, a total blacklist library, or a total whitelist library to multiple security protection devices 300.
- each module inside the analysis device 500 can be a software module, a hardware module, or partly a software module and partly a hardware module.
- FIG. 17 shows another schematic diagram of the structure of the analysis device 500.
- the analysis device 500 includes a memory 610, a processor 620, a communication interface 630, and a bus 640, wherein the memory 610, the processor 620, and the communication interface 630 communicate via the bus 640. It should be understood that the embodiment of the present application does not limit the number of memories 610, processors 620, and communication interfaces 630 in the analysis device 500.
- the memory 610 may be a ROM or another type of static storage device that can store static information and instructions, a RAM or another type of dynamic storage device that can store information and instructions, an EEPROM, a CD-ROM or other optical disk storage (including compressed optical disks, laser disks, optical disks, digital versatile disks, Blu-ray disks, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
- the memory 610 may exist independently and be connected to the processor 620 via the bus 640.
- the memory 610 may also be integrated with the processor 620.
- the memory 610 stores program codes, such as program codes in the receiving module 510, program codes in the analyzing module 520, and program codes in the sending module 530.
- the program codes stored in the memory 610 are executed by the processor 620; the processor 620 and the communication interface 630 are used to execute part or all of the methods executed by the analysis device 500 in the above method embodiment (including one or more steps executed by the analysis device 500 in S201-S203 above).
- the memory 610 may also store data, wherein the data stored in the memory 610 includes intermediate data and result data generated by the processor 620 during the execution process, such as a total fingerprint library.
- the processor 620 may be a CPU, NP, microprocessor, or may be one or more integrated circuits for implementing the steps performed by the analysis device 500 in the above method embodiment, for example, ASIC, PLD or a combination thereof.
- the above PLD may be CPLD, FPGA, GAL or any combination thereof.
- the communication interface 630 uses any transceiver-like device to communicate with other devices or communication networks, for example, receiving the second type of fingerprint library sent by the security protection device 300 through the communication interface 430, or sending the total fingerprint library to the security protection device 300 through the communication interface.
- the communication interface 630 includes a wired communication interface and may also include a wireless communication interface.
- the wired communication interface may be, for example, an Ethernet interface.
- the Ethernet interface may be an optical interface, an electrical interface, or a combination thereof.
- the wireless communication interface may be a WLAN interface, a cellular network communication interface, or a combination thereof.
- the bus 640 may include a PCI bus or an EISA bus, etc.
- the bus may be divided into an address bus, a data bus, a control bus, etc.
- FIG. 17 shows only one line, but does not mean that there is only one bus or one type of bus.
- the bus 640 may include a path for transmitting information between various components of the analysis device 500 (e.g., the memory 610, the processor 620, and the communication interface 630).
- the embodiment of the present application also provides a computer-readable storage medium.
- the computer-readable storage medium can be any available medium that can be stored by a computing device or a data storage device such as a data center containing one or more available media, wherein the available medium can be a magnetic medium (such as a floppy disk, a hard disk, a tape), an optical medium (such as a DVD), or a semiconductor medium (such as a solid-state hard disk), etc.
- the computer-readable storage medium includes instructions, wherein the instructions instruct the computing device to perform the steps performed by the security protection device 300 described above.
- the embodiment of the present application also provides another computer-readable storage medium.
- the computer-readable storage medium may also be any available medium that can be stored by the computing device or a data storage device such as a data center containing one or more available media.
- the computer-readable storage medium includes instructions, wherein the instructions instruct the computing device to perform the steps performed by the analysis device 500 described above.
- the embodiment of the present application also provides a computer program product including instructions.
- the computer program product may be software or a program product including instructions that can be run on a computing device or stored in any available medium.
- when the computer program product runs on at least one computing device, the at least one computing device executes the steps performed by the security protection device 300 described above.
- the present application embodiment also provides another computer program product including instructions.
- the computer program product may also be a software or program product containing instructions that can be run on a computing device or stored in any available medium.
- when the computer program product runs on at least one computing device, the at least one computing device executes the steps performed by the analysis device 500 described above.
Abstract
This application discloses a method for detecting attack traffic and a related device. The method can be applied to a security protection device. The security protection device obtains a first rate characterization value of first traffic within a first time period, where the first traffic includes at least one first data stream, and either every first data stream has the same destination IP address or the destination IP addresses of the at least one first data stream belong to one IP group. The security protection device then generates at least one fingerprint according to the first rate characterization value, where each fingerprint is generated from a message field of one of the at least one first data stream, and any fingerprint is used to detect whether a data stream matching that fingerprint is attack traffic. This method improves the accuracy of attack traffic detection.
Description
This application claims priority to Chinese patent application No. 202211414736.4, filed with the China National Intellectual Property Administration on November 11, 2022 and entitled "Attack detection method and related apparatus", and to Chinese patent application No. 202310119197.X, filed with the China National Intellectual Property Administration on January 19, 2023 and entitled "Method for detecting attack traffic and related device", both of which are incorporated herein by reference in their entirety.
This application relates to the field of network security, and in particular to a method for detecting attack traffic and a related device.
In recent years, distributed denial of service (DDoS) attacks launched against servers with data streams encrypted under the transport layer security (TLS) protocol (hereinafter TLS data streams) have become increasingly frequent. To keep servers running normally, a security protection device (for example, a firewall) needs to filter the TLS data streams sent to the server, that is, to detect whether a TLS data stream is attack traffic. When the TLS data stream is not attack traffic, the security protection device forwards it to the server; when it is attack traffic, the security protection device blocks it.
The security protection device can determine whether a TLS data stream is attack traffic by matching the fingerprint of the TLS data stream against a preset fingerprint library, which is obtained by analysing known DDoS attack tools. However, the accuracy of the preset fingerprint library is not high, so the accuracy of attack traffic detection is low.
Summary of the invention
This application provides a method for detecting attack traffic and a related device, which can improve the accuracy of attack traffic detection.
In a first aspect, this application provides a method for detecting attack traffic. The method can be applied to a security protection device. The security protection device obtains a first rate characterization value of first traffic within a first time period, where the first traffic includes at least one first data stream, and either every first data stream has the same destination Internet Protocol (IP) address or the destination IP addresses of the at least one first data stream belong to one IP group. The security protection device then generates at least one fingerprint according to the first rate characterization value, where each fingerprint is generated from a message field of one of the at least one first data stream, and any fingerprint is used to detect whether a data stream matching it is attack traffic.
In the technical solution provided by this application, the security protection device can obtain fingerprints from data streams in real time, that is, the fingerprints are obtained dynamically. Dynamically obtained fingerprints better reflect the state of an ongoing attack, so using them to detect attack traffic improves detection accuracy. Further, when the dynamically obtained fingerprints are used for detection, only the fingerprint of the data stream under inspection needs to be compared with them; the encrypted data stream does not need to be decrypted, which avoids the computing resources that decryption would consume and avoids affecting user privacy.
With reference to the first aspect, in one possible implementation, the first data stream is a TLS data stream, and the security protection device generates the fingerprint corresponding to the first data stream from the message fields of the hello message (TLS ClientHello) of the TLS data stream. The first data stream includes a TLS ClientHello; the security protection device obtains the bytes of some fields of the TLS ClientHello, concatenates these bytes into one string, and then hashes that string with a hash algorithm (for example, MD4, MD5 or SHA-1) to obtain the fingerprint corresponding to the first data stream. The fields include any one or more of the following fields of the TLS ClientHello: the version, the accepted ciphers, the extension list, the elliptic curves and the elliptic curve point formats.
With reference to the first aspect, in one possible implementation, the at least one fingerprint includes at least one first-class fingerprint. The security protection device generating at least one fingerprint according to the first rate characterization value includes: when the first rate characterization value does not exceed a first rate threshold, the security protection device generates at least one first-class fingerprint, where a first-class fingerprint indicates that a data stream matching it is normal traffic.
Further, the security protection device generating at least one first-class fingerprint includes: the security protection device generates one first fingerprint for each first data stream of the at least one first data stream, and when the count of any first fingerprint satisfies a first condition, determines that first fingerprint to be a first-class fingerprint.
The first condition may include any one or more of the following: the count of the first fingerprint exceeds a first count threshold; the proportion of the first fingerprint exceeds a first proportion threshold; the count of the first fingerprint ranks in the top M1; the proportion of the first fingerprint ranks in the top N1; or the frequency of occurrence of the first fingerprint exceeds a first frequency threshold, where M1 and N1 are natural numbers.
Through the above implementation, the security protection device can extract at least one first fingerprint. Because different first data streams may correspond to the same first fingerprint, some first fingerprints among the at least one first fingerprint have a high count and others a low count. When the first rate characterization value does not exceed the first rate threshold, most or all of the first data streams in the first traffic are normal traffic, so it can be inferred that the first fingerprints with high counts (that is, those satisfying the first condition) are most likely fingerprints of normal traffic. Therefore, first-class fingerprints obtained in this way can be used to determine that traffic matching them is normal traffic.
In one possible implementation, the security protection device obtains a second rate characterization value of second traffic within a second time period, and when the second rate characterization value does not exceed the first rate threshold, updates the at least one first-class fingerprint. The second traffic includes at least one second data stream, and either every second data stream has the same destination IP address or the destination IP addresses of the at least one second data stream belong to one IP group.
It should be understood that in practice first-class fingerprints are time-sensitive. For example, the security protection device determines some first-class fingerprint in the first time period, but the client corresponding to that fingerprint is infected by an attack tool in the second time period and becomes an attack client; the fingerprint is then no longer a first-class fingerprint. Through the above implementation the security protection device can update first-class fingerprints dynamically, which improves their accuracy; correspondingly, when more accurate first-class fingerprints are used to detect whether a data stream is attack traffic, the detection result is also more accurate.
The second time period is later than and adjacent to the first time period, or the second time period is later than the first time period and the two periods share a common sub-period.
That is, the update can be performed periodically or with a dynamic sliding window.
Further, the security protection device updating the at least one first-class fingerprint includes: the security protection device generates one second fingerprint for each second data stream of the at least one second data stream, determines any second fingerprint whose count satisfies a second condition to be a new first-class fingerprint, and then replaces the at least one first-class fingerprint with the new first-class fingerprints.
The second condition includes any one or more of the following: the count of the second fingerprint exceeds a second count threshold; the proportion of the second fingerprint exceeds a second proportion threshold; the count of the second fingerprint ranks in the top M2; the proportion of the second fingerprint ranks in the top N2; or the frequency of occurrence of the second fingerprint exceeds a second frequency threshold, where M2 and N2 are natural numbers.
In one possible implementation, the at least one fingerprint further includes at least one second-class fingerprint. When the second rate characterization value exceeds the first rate threshold, the security protection device generates at least one second-class fingerprint.
Further, the security protection device generating at least one second-class fingerprint includes: the security protection device generates one second fingerprint for each second data stream of the at least one second data stream, and when the count of any second fingerprint satisfies a third condition and the at least one first-class fingerprint does not include that second fingerprint, determines that second fingerprint to be a second-class fingerprint.
The third condition may include any one or more of the following: the count of the second fingerprint exceeds a third count threshold; the proportion of the second fingerprint exceeds a third proportion threshold; the count of the second fingerprint ranks in the top M3; the proportion of the second fingerprint ranks in the top N3; or the frequency of occurrence of the second fingerprint exceeds a third frequency threshold, where M3 and N3 are natural numbers.
Through the above implementation, the security protection device can extract at least one second fingerprint. Because different second data streams may correspond to the same second fingerprint, some second fingerprints among the at least one second fingerprint have a high count and others a low count. When the second rate characterization value exceeds the first rate threshold, most or all of the second data streams in the second traffic may be attack traffic, and further, the second fingerprints with high counts (that is, those satisfying the third condition) are most likely fingerprints of attack traffic. Second-class fingerprints obtained in this way can be used to determine that traffic matching them is attack traffic.
In addition, when the second rate characterization value is greater than the first rate threshold, the second traffic may include normal traffic besides attack traffic, and the second fingerprints of normal traffic may also satisfy the third condition; that is, if second fingerprints were judged by the third condition alone, second fingerprints of normal traffic might be wrongly determined to be second-class fingerprints. Therefore, the above implementation determines second-class fingerprints not only by the third condition but also by the at least one first-class fingerprint, which further improves the accuracy of the second-class fingerprints.
With reference to the first aspect, in one possible implementation, the at least one fingerprint includes at least one second-class fingerprint. The security protection device generating at least one fingerprint according to the first rate characterization value includes: when the first rate characterization value exceeds the first rate threshold, the security protection device generates at least one second-class fingerprint, where a second-class fingerprint indicates that a data stream matching it is attack traffic.
Further, the security protection device generating at least one second-class fingerprint includes: the security protection device generates one first fingerprint for each first data stream of the at least one first data stream, and when the count of any first fingerprint satisfies a fourth condition, determines that first fingerprint to be a second-class fingerprint.
The fourth condition may include any one or more of the following: the count of the first fingerprint exceeds a fourth count threshold; the proportion of the first fingerprint exceeds a fourth proportion threshold; the count of the first fingerprint ranks in the top M4; the proportion of the first fingerprint ranks in the top N4; or the frequency of occurrence of the first fingerprint exceeds a fourth frequency threshold, where M4 and N4 are natural numbers.
It should be understood that when the first rate characterization value exceeds the first rate threshold, most or all of the first data streams in the first traffic are attack traffic, so it can be inferred that among the at least one first fingerprint extracted from the first traffic, the first fingerprints with high counts (that is, those satisfying the fourth condition) are most likely fingerprints of attack traffic. A fingerprint of attack traffic can indicate attack traffic, so the second-class fingerprints obtained through the above implementation can indicate attack traffic.
In one possible implementation, the security protection device obtains a second rate characterization value of second traffic within a second time period, and when the second rate characterization value exceeds the first rate threshold, updates the at least one second-class fingerprint. The second traffic includes at least one second data stream, and either every second data stream has the same destination IP address or the destination IP addresses of the at least one second data stream belong to one IP group.
Further, the security protection device updating the at least one second-class fingerprint includes: the security protection device generates one second fingerprint for each second data stream of the at least one second data stream, determines any second fingerprint whose count satisfies a fifth condition to be a new second-class fingerprint, and then replaces the at least one second-class fingerprint with the new second-class fingerprints.
The fifth condition may include any one or more of the following: the count of the second fingerprint exceeds a fifth count threshold; the proportion of the second fingerprint exceeds a fifth proportion threshold; the count of the second fingerprint ranks in the top M5; the proportion of the second fingerprint ranks in the top N5; or the frequency of occurrence of the second fingerprint exceeds a fifth frequency threshold, where M5 and N5 are natural numbers.
It should be understood that in practice second-class fingerprints are time-sensitive. For example, the client corresponding to a second-class fingerprint that the security protection device determined in the first time period is repaired and, after some time, no longer attacks the server; the fingerprint is then no longer a second-class fingerprint. Through the above implementation the security protection device can update second-class fingerprints dynamically, which improves their accuracy; correspondingly, when more accurate second-class fingerprints are used to detect whether a data stream is attack traffic, the detection result is also more accurate.
In one possible implementation, the security protection device generates at least one blacklist according to the at least one second-class fingerprint. A blacklist indicates that a data stream matching it is attack traffic.
Further, the security protection device generating at least one blacklist according to the at least one second-class fingerprint includes: when the request rate or response rate of one first data stream of the at least one first data stream exceeds a second rate threshold and the at least one second-class fingerprint includes the fingerprint corresponding to that first data stream, the security protection device determines the source IP address of that first data stream to be a blacklist; or, when the request rate of one second data stream of the at least one second data stream exceeds the second rate threshold and the at least one second-class fingerprint includes the fingerprint corresponding to that second data stream, the security protection device determines the source IP address of that second data stream to be a blacklist.
In this technical solution, blacklists are generated from the second-class fingerprints, so that the security device can determine whether a data stream under inspection is attack traffic by matching its source IP address against the blacklists. Compared with extracting the fingerprint of a data stream, obtaining its source IP address takes less time and fewer resources, so detecting attack traffic with the at least one blacklist is faster and consumes fewer resources.
In one possible implementation, the security protection device sends the at least one second-class fingerprint to an analysis device. Further, the analysis device may send the received second-class fingerprints to other security protection devices so that those devices detect attack traffic according to them, which improves the security of the networks protected by the other security protection devices.
With reference to the first aspect, in one possible implementation, when the fingerprint of a data stream under inspection matches any of the at least one first-class fingerprint, the security protection device releases the data stream; when the fingerprint of the data stream under inspection matches any of the at least one second-class fingerprint, the security protection device blocks or rate-limits the data stream; and when the source IP address of the data stream under inspection matches any of the at least one blacklist, the security protection device blocks or rate-limits the data stream.
In a second aspect, this application provides another method for detecting attack traffic, which can be applied to an analysis device. The analysis device receives second-class fingerprint libraries sent by multiple security protection devices, each second-class fingerprint library including at least one second-class fingerprint, where any second-class fingerprint indicates that a data stream matching it is attack traffic. The analysis device then generates a total fingerprint library from the received second-class fingerprint libraries, the total fingerprint library including some or all of the second-class fingerprints in the multiple libraries, and sends the total fingerprint library to the multiple security protection devices so that they detect attack traffic according to it. In this way the multiple security protection devices obtain more complete and more accurate second-class fingerprints, which improves the security of the network each of them protects.
In a third aspect, this application provides a security protection device. The security protection device includes an acquisition module and a fingerprint generation module. The acquisition module is configured to obtain a first rate characterization value of first traffic within a first time period, where the first traffic includes at least one first data stream, and either every first data stream has the same destination IP address or the destination IP addresses of the at least one first data stream belong to one IP group. The fingerprint generation module is configured to generate at least one fingerprint according to the first rate characterization value, where each fingerprint is generated from a message field of one of the at least one first data stream, and any fingerprint is used to detect whether a data stream matching it is attack traffic.
With reference to the third aspect, in one possible implementation, the first data stream is a TLS data stream, and the fingerprint generation module generates the fingerprint corresponding to the first data stream from the message fields of the hello message (TLS ClientHello) of the TLS data stream. The first data stream includes a TLS ClientHello; the fingerprint generation module obtains the bytes of some fields of the TLS ClientHello, concatenates these bytes into one string, and then hashes that string with a hash algorithm (for example, MD4, MD5 or SHA-1) to obtain the fingerprint corresponding to the first data stream. The fields include any one or more of the following fields of the TLS ClientHello: the version, the accepted ciphers, the extension list, the elliptic curves and the elliptic curve point formats.
With reference to the third aspect, in one possible implementation, the at least one fingerprint includes at least one first-class fingerprint, and the fingerprint generation module is configured to generate at least one first-class fingerprint when the first rate characterization value does not exceed the first rate threshold, where a first-class fingerprint indicates that a data stream matching it is normal traffic.
Further, the fingerprint generation module is configured to generate one first fingerprint for each first data stream of the at least one first data stream, and to determine any first fingerprint whose count satisfies the first condition to be a first-class fingerprint.
The first condition may include any one or more of the following: the count of the first fingerprint exceeds a first count threshold; the proportion of the first fingerprint exceeds a first proportion threshold; the count of the first fingerprint ranks in the top M1; the proportion of the first fingerprint ranks in the top N1; or the frequency of occurrence of the first fingerprint exceeds a first frequency threshold, where M1 and N1 are natural numbers.
In one possible implementation, the acquisition module is further configured to obtain a second rate characterization value of second traffic within a second time period, where the second traffic includes at least one second data stream, and either every second data stream has the same destination IP address or the destination IP addresses of the at least one second data stream belong to one IP group. The fingerprint generation module is further configured to update the at least one first-class fingerprint when the second rate characterization value does not exceed the first rate threshold.
The second time period is later than and adjacent to the first time period, or the second time period is later than the first time period and the two periods share a common sub-period.
Further, the fingerprint generation module is configured to generate one second fingerprint for each second data stream of the at least one second data stream, to determine any second fingerprint whose count satisfies the second condition to be a new first-class fingerprint, and to replace the at least one first-class fingerprint with the new first-class fingerprints.
The second condition may include any one or more of the following: the count of the second fingerprint exceeds a second count threshold; the proportion of the second fingerprint exceeds a second proportion threshold; the count of the second fingerprint ranks in the top M2; the proportion of the second fingerprint ranks in the top N2; or the frequency of occurrence of the second fingerprint exceeds a second frequency threshold, where M2 and N2 are natural numbers.
In one possible implementation, the at least one fingerprint further includes at least one second-class fingerprint. The fingerprint generation module is further configured to generate at least one second-class fingerprint when the second rate characterization value exceeds the first rate threshold.
Further, the fingerprint generation module is configured to generate one second fingerprint for each second data stream of the at least one second data stream, and to determine any second fingerprint to be a second-class fingerprint when its count satisfies the third condition and the at least one first-class fingerprint does not include it.
The third condition may include any one or more of the following: the count of the second fingerprint exceeds a third count threshold; the proportion of the second fingerprint exceeds a third proportion threshold; the count of the second fingerprint ranks in the top M3; the proportion of the second fingerprint ranks in the top N3; or the frequency of occurrence of the second fingerprint exceeds a third frequency threshold, where M3 and N3 are natural numbers.
With reference to the third aspect, in one possible implementation, the at least one fingerprint includes at least one second-class fingerprint. The fingerprint generation module is configured to generate at least one second-class fingerprint when the first rate characterization value exceeds the first rate threshold, where a second-class fingerprint indicates that a data stream matching it is attack traffic.
Further, the fingerprint generation module is configured to generate one first fingerprint for each first data stream of the at least one first data stream, and to determine any first fingerprint whose count satisfies the fourth condition to be a second-class fingerprint.
The fourth condition may include any one or more of the following: the count of the first fingerprint exceeds a fourth count threshold; the proportion of the first fingerprint exceeds a fourth proportion threshold; the count of the first fingerprint ranks in the top M4; the proportion of the first fingerprint ranks in the top N4; or the frequency of occurrence of the first fingerprint exceeds a fourth frequency threshold, where M4 and N4 are natural numbers.
In one possible implementation, the acquisition module is further configured to obtain a second rate characterization value of second traffic within a second time period, where the second traffic includes at least one second data stream, and either every second data stream has the same destination IP address or the destination IP addresses of the at least one second data stream belong to one IP group. The fingerprint generation module is further configured to update the at least one second-class fingerprint when the second rate characterization value exceeds the first rate threshold.
Further, the fingerprint generation module is configured to generate one second fingerprint for each second data stream of the at least one second data stream, to determine any second fingerprint whose count satisfies the fifth condition to be a new second-class fingerprint, and to replace the at least one second-class fingerprint with the new second-class fingerprints.
The fifth condition may include any one or more of the following: the count of the second fingerprint exceeds a fifth count threshold; the proportion of the second fingerprint exceeds a fifth proportion threshold; the count of the second fingerprint ranks in the top M5; the proportion of the second fingerprint ranks in the top N5; or the frequency of occurrence of the second fingerprint exceeds a fifth frequency threshold, where M5 and N5 are natural numbers.
In one possible implementation, the security protection device further includes a blacklist generation module. The blacklist generation module is configured to generate at least one blacklist according to the at least one second-class fingerprint.
Further, the blacklist generation module is configured to determine the source IP address of one first data stream of the at least one first data stream to be a blacklist when the request rate or response rate of that first data stream exceeds the second rate threshold and the at least one second-class fingerprint includes the fingerprint corresponding to that first data stream; or, to determine the source IP address of one second data stream of the at least one second data stream to be a blacklist when the request rate of that second data stream exceeds the second rate threshold and the at least one second-class fingerprint includes the fingerprint corresponding to that second data stream.
In one possible implementation, the security protection device further includes a sending module. The sending module is configured to send the at least one second-class fingerprint to the analysis device.
With reference to the third aspect, in one possible implementation, the security protection device further includes a detection module. The detection module is configured to determine whether the fingerprint of a data stream under inspection matches any of the at least one first-class fingerprint and, when it does, to notify the sending module to release the data stream. The detection module is further configured to determine whether the fingerprint of the data stream under inspection matches any of the at least one second-class fingerprint and, when it does, to block or rate-limit the data stream. The detection module is further configured to determine whether the source IP address of the data stream under inspection matches any of the at least one blacklist and, when it does, to block or rate-limit the data stream.
In a fourth aspect, this application provides an analysis device. The analysis device includes a receiving module, an analysis module and a sending module. The receiving module is configured to receive second-class fingerprint libraries sent by multiple security protection devices, each second-class fingerprint library including at least one second-class fingerprint, where any second-class fingerprint indicates that a data stream matching it is attack traffic. The analysis module is configured to generate a total fingerprint library from the received second-class fingerprint libraries, the total fingerprint library including some or all of the second-class fingerprints in the multiple libraries. The sending module is configured to send the total fingerprint library to the multiple security protection devices so that they detect attack traffic according to it.
In a fifth aspect, this application provides a security protection device. The security protection device includes a processor and a memory, and the processor executes the computer program code in the memory to implement some or all of the method described in the first aspect and any implementation of the first aspect.
In a sixth aspect, this application provides an analysis device. The analysis device includes a processor and a memory, and the processor executes the computer program code in the memory to implement some or all of the method described in the second aspect.
In a seventh aspect, this application provides a computer-readable storage medium. The computer storage medium stores computer program code which, when executed by a computing device, causes the computing device to perform some or all of the method described in the first aspect and any implementation of the first aspect.
In an eighth aspect, this application provides another computer-readable storage medium. The computer storage medium stores computer program code which, when executed by a computing device, causes the computing device to perform some or all of the method described in the second aspect.
In a ninth aspect, this application provides a computer program product. The computer program product may be software or a program product that contains instructions and can run on a computing device or be stored in any available medium. When the computer program product runs on at least one computing device, it causes the at least one computing device to perform some or all of the method described in the first aspect and any implementation of the first aspect.
In a tenth aspect, this application provides another computer program product. The computer program product may be software or a program product that contains instructions and can run on a computing device or be stored in any available medium. When the computer program product runs on at least one computing device, it causes the at least one computing device to perform some or all of the method described in the second aspect.
FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of this application;
FIG. 2 is a schematic flowchart of a method for detecting attack traffic provided by an embodiment of this application;
FIG. 3 is a schematic diagram of generating at least one first-class fingerprint provided by an embodiment of this application;
FIG. 4 is another schematic diagram of generating at least one first-class fingerprint provided by an embodiment of this application;
FIG. 5 is a schematic diagram of generating at least one second-class fingerprint provided by an embodiment of this application;
FIG. 6 is another schematic diagram of generating at least one second-class fingerprint provided by an embodiment of this application;
FIG. 7 is a schematic diagram of updating at least one first-class fingerprint provided by an embodiment of this application;
FIG. 8 is another schematic diagram of updating at least one first-class fingerprint provided by an embodiment of this application;
FIG. 9 is another schematic diagram of generating at least one second-class fingerprint provided by an embodiment of this application;
FIG. 10 is another schematic diagram of generating at least one second-class fingerprint provided by an embodiment of this application;
FIG. 11 is a schematic diagram of another application scenario provided by an embodiment of this application;
FIG. 12 is a schematic flowchart of another method for detecting attack traffic provided by an embodiment of this application;
FIG. 13 is a schematic flowchart of a method for defending against a network attack provided by an embodiment of this application;
FIG. 14 is a schematic structural diagram of a security protection device provided by an embodiment of this application;
FIG. 15 is another schematic structural diagram of a security protection device provided by an embodiment of this application;
FIG. 16 is a schematic structural diagram of an analysis device provided by an embodiment of this application;
FIG. 17 is another schematic structural diagram of an analysis device provided by an embodiment of this application.
The technical solutions provided by this application are described below with reference to the accompanying drawings.
The terms used in the technical solutions of this application are only for describing particular embodiments and are not intended to limit this application. For example, prefixes such as "first" and "second" in the embodiments are used only to distinguish different described objects and do not limit the position, order, priority, quantity or content of those objects. For instance, if the described object is a "rate threshold", the ordinal before "rate threshold" in "first rate threshold" and "second rate threshold" does not limit the magnitude of the rate threshold; if the described object is a "fingerprint", the ordinal before "fingerprint" in "first fingerprint" and "second fingerprint" does not limit the number of fingerprints or the way they are extracted. As another example, a description such as "at least one (or at least one kind, or at least one item) of a1, a2, …, an" covers the case in which any one of a1, a2, …, an exists alone as well as any combination of any several of a1, a2, …, an, each case being able to exist on its own; for example, "at least one (or at least one kind, or at least one item) of a1, a2, a3" covers a1 alone, a2 alone, a3 alone, a1 and a2 together, a1 and a3 together, a2 and a3 together, and a1, a2 and a3 together. "Multiple" means two or more. "And/or" describes an association between associated objects and denotes three relationships that can exist independently; for example, "b1 and/or b2" can mean b1 alone, b2 alone, or both b1 and b2.
As network communication security problems occur frequently, the security of network communication has become a focus of attention. In practice, encrypting network traffic before transmission is an effective way to improve the security of network communication.
There are many ways to encrypt network traffic; at present it is usually encrypted based on TLS or the secure sockets layer (SSL). Notably, although encrypting network traffic based on TLS or SSL improves the security of network communication, it also makes DDoS attacks harder to defend against.
A DDoS attack is a network attack whose principle is as follows: the attacker controls a large number of zombie hosts in a botnet to send a large number of data streams to a server, keeping the server busy processing the data streams from these zombie hosts and exhausting its system resources (including computing, storage and network resources), so that the server cannot process data streams from normal clients. It will be understood that if the zombie hosts encrypt the data streams sent to the server with TLS or SSL, then after receiving such an encrypted data stream the security protection device can hardly parse the data carried in it directly, and therefore can hardly determine whether the data stream is attack traffic.
An embodiment of this application provides a method for detecting attack traffic that extracts fingerprints from real-time data streams and thereby obtains fingerprints in real time. When detecting attack traffic, the fingerprint of the data stream under inspection only needs to be matched against the fingerprints obtained above to determine whether the data stream is attack traffic. Because the method obtains fingerprints from real-time data streams, they better reflect the current network attack state; compared with the preset fingerprint library of the prior art, the fingerprints obtained by this method therefore detect data streams more accurately. In addition, when the data stream under inspection is an encrypted data stream (for example, a TLS data stream), the method can detect it without decrypting it, which consumes less time and fewer resources and also avoids affecting user privacy.
The method for detecting attack traffic provided by the embodiment can be performed by a security protection device. The security protection device can be a software apparatus, a hardware device, or a combination of a software apparatus and a hardware device. When the security protection device is a software apparatus, it can be a virtual machine (VM) or software with a protection function.
The application scenario of the embodiment is briefly described below with reference to FIG. 1.
FIG. 1 shows an application scenario of an embodiment of this application. As shown in FIG. 1, the scenario includes a client 100, a server 200 and a security protection device 300, which are briefly described below.
The client 100 includes normal clients and attack clients. A normal client is a client that requests a service from the server 200 by generating normal traffic and sending it to the server 200, for example a browser or a business client. An attack client is a client that launches a network attack on the server 200 by generating attack traffic and sending it to the server 200, for example a client deployed on a zombie host and infected by an attack tool (such as a trojan). In the embodiment, the data streams an attack client sends to the server 200 are attack traffic, which is used to consume the system resources of the server 200; the data streams a normal client sends to the server 200 are normal traffic, that is, the traffic of normal business (non-attack traffic), which is used to request services from the server 200.
The server 200 provides the client 100 with various services such as computing or applications; the server 200 includes, for example, an application server and a web page server (also called a web server).
The security protection device 300 protects a network 400 that includes at least one server 200. The security protection device 300 can therefore protect the at least one server 200 in the network 400 from network attacks launched by attack clients. Specifically, before a data stream sent from the client 100 to the server 200 reaches the server 200, the security protection device 300 first detects whether the data stream is attack traffic. If it is attack traffic, the security protection device 300 blocks or rate-limits it; if it is not attack traffic (that is, it is normal traffic), the security protection device 300 releases it.
In some embodiments, the security protection device 300 may include one or any combination of a firewall, a security gateway (such as a router or switch), an intrusion detection system (IDS) device, an intrusion prevention system (IPS) device, a unified threat management (UTM) device, an anti-virus (AV) device, an anti-DDoS device and a next generation firewall (NGFW).
How the security protection device 300 detects attack traffic is described in detail below with reference to the flowchart of a method for detecting attack traffic shown in FIG. 2.
S101: The security protection device 300 obtains a first rate characterization value of first traffic within a first time period.
The first traffic includes at least one data stream. Optionally, the at least one first data stream includes at least one of a TLS data stream and a data stream encrypted based on SSL (hereinafter an SSL data stream). The source IP addresses of the first data streams of the at least one first data stream may be the same or different; in other words, the at least one first data stream comes from at least one client 100, which may include normal clients as well as attack clients.
Optionally, every first data stream of the at least one first data stream has the same destination IP address. Below, the destination IP address of the first data streams is called the first IP address for short; the server indicated by the first IP address may be any server 200 in the network 400.
Optionally, the destination IP addresses of the at least one first data stream belong to one IP group (hereinafter the first IP group). The first IP group includes one or more IP addresses, each of which indicates a server that may be any server 200 in the network 400. In practice, the security protection device 300 can divide IP groups in many ways. For example, it may group the IP addresses of the servers 200 in the network 400 that provide the same service into one IP group; or divide IP groups by the network segments of the network 400, for instance grouping the IP addresses belonging to the same department of an enterprise network; or divide IP groups according to user configuration; or group IP addresses that have the same subnet mask into one IP group. Accordingly, the first IP group may include the IP addresses of multiple servers 200 providing the same service, multiple IP addresses belonging to the same network segment, multiple user-configured IP addresses, or multiple IP addresses with the same subnet mask.
The first rate characterization value indicates the traffic rate of the first traffic within the first time period. Optionally, the first rate characterization value can be expressed as a number of bytes or bits, for example the total bytes or bits of the first traffic in the first time period, or as bytes or bits per unit time, for example the average bits per second (BPS) of the first traffic in the first time period. It can also be expressed as a number of packets, for example the total packets of the first traffic in the first time period, or as packets per unit time, for example the average packets per second (PPS) of the first traffic in the first time period.
In some embodiments, when the destination IP addresses of the at least one first data stream in the first traffic are all the first IP address, the security protection device 300 determines, according to the first IP address, the traffic sent to the first IP address in the first time period (that is, the first traffic) and thereby obtains the first rate characterization value. It will be understood that the security protection device 300 can treat every IP address in the network it protects as a first IP address and perform the method of the embodiment for each first IP address.
In some embodiments, when the destination IP addresses of the at least one first data stream in the first traffic belong to one IP group, the security protection device 300 determines, according to the first IP group, the traffic sent to the first IP group in the first time period (that is, the first traffic) and thereby obtains the first rate characterization value. It will be understood that several first IP groups can be configured in the embodiment, and the security protection device performs the method of the embodiment for each first IP group.
S102: The security protection device 300 generates at least one fingerprint according to the first rate characterization value.
Each fingerprint of the at least one fingerprint is generated from a message field of one of the at least one first data stream. Specifically, taking a first data stream that is a TLS data stream as an example, the TLS data stream includes the hello message (TLS ClientHello) that the client 100 sends to the server 200. After receiving the TLS data stream, the security protection device 300 can obtain the TLS ClientHello included in it, obtain the bytes of some fields of the TLS ClientHello, concatenate these bytes into one string, and then hash that string with a hash algorithm (such as MD4, MD5 or SHA-1) to obtain the fingerprint corresponding to the TLS data stream. The fields include any one or more of the following fields of the TLS ClientHello: the TLS version, the accepted ciphers, the extension list (extensions), the elliptic curves and the elliptic curve point formats.
Any fingerprint of the at least one fingerprint is used to detect whether a data stream matching that fingerprint is attack traffic. Optionally, the at least one fingerprint includes at least one first-class fingerprint, where a first-class fingerprint indicates that a data stream matching it is normal traffic. Optionally, the at least one fingerprint includes at least one second-class fingerprint, where a second-class fingerprint indicates that a data stream matching it is attack traffic.
S102 is described in detail below through S1021-S1023.
S1021: The security protection device 300 determines whether the first rate characterization value exceeds a first rate threshold. When the first rate characterization value does not exceed the first rate threshold, the security protection device 300 performs S1022; optionally, when the first rate characterization value exceeds the first rate threshold, the security protection device 300 performs S1023.
The first rate threshold may be preset by the user (for example, 1000 PPS or 20000 BPS) or adjusted dynamically by the security protection device 300 according to actual conditions; for example, the first rate threshold during peak traffic periods may be set higher than during off-peak periods, where the peak and off-peak periods can be determined by the security protection device 300 from historical traffic.
As described above, the first rate characterization value can have one or more representations, so the first rate threshold can correspondingly include one or more thresholds. When the first rate characterization value has several representations, there are several ways for the security protection device 300 to determine whether it exceeds the first rate threshold.
For example, suppose the first rate characterization value is the average bits per second of the first traffic in the first time period; then the first rate threshold is a first average bit count. When the average bits per second of the first traffic in the first time period is greater than the first average bit count, the first rate characterization value exceeds the first rate threshold; when it is less than or equal to the first average bit count, the first rate characterization value does not exceed the first rate threshold.
As another example, suppose the first rate characterization value is the average packets per second of the first traffic in the first time period; then the first rate threshold is a first average packet count. When the average packets per second of the first traffic in the first time period is greater than the first average packet count, the first rate characterization value exceeds the first rate threshold; when it is less than or equal to the first average packet count, the first rate characterization value does not exceed the first rate threshold.
As a further example, suppose the first rate characterization value includes both the average bits per second and the average packets per second of the first traffic in the first time period; then the first rate threshold includes the first average bit count and the first average packet count. In one possible implementation, the first rate characterization value does not exceed the first rate threshold when the average bits per second is less than or equal to the first average bit count and the average packets per second is less than or equal to the first average packet count, and exceeds it when the average bits per second is greater than the first average bit count or the average packets per second is greater than the first average packet count. In another implementation, the first rate characterization value does not exceed the first rate threshold when the average bits per second is less than or equal to the first average bit count or the average packets per second is less than or equal to the first average packet count, and exceeds it when the average bits per second is greater than the first average bit count and the average packets per second is greater than the first average packet count. In yet another implementation, the first rate characterization value exceeds the first rate threshold when the average bits per second is greater than the first average bit count or the average packets per second is greater than the first average packet count, and otherwise does not exceed it.
S1022: The security protection device 300 generates at least one first-class fingerprint.
Specifically, the security protection device 300 generates one first fingerprint for each first data stream of the at least one first data stream, and when any first fingerprint satisfies the first condition, determines that first fingerprint to be a first-class fingerprint.
The first condition includes any one or more of the following: the count of the first fingerprint exceeds a first count threshold; the proportion of the first fingerprint (that is, the ratio of the count of that first fingerprint to the total count of all first fingerprints) exceeds a first proportion threshold; the count of the first fingerprint ranks in the top M1; the proportion of the first fingerprint ranks in the top N1; the frequency of occurrence of the first fingerprint (that is, the count of that first fingerprint per unit time) exceeds a first frequency threshold. M1 and N1 are natural numbers; the first count threshold, the first proportion threshold, the first frequency threshold, M1 and N1 may all be preset by the user or adjusted dynamically by the security protection device 300 according to actual conditions.
For example, as shown in FIG. 3, the first condition is that the count of a first fingerprint ranks in the top M1 (for example, M1 = 3), and the first traffic includes 100 data streams whose destination IP addresses are all the first IP address. After extracting fingerprints from these 100 data streams, the security protection device 300 obtains 100 first fingerprints. Among them, 15 first fingerprints are fingerprint 1, 3 are fingerprint 2, 50 are fingerprint 3, 1 is fingerprint 4, 1 is fingerprint 5, 1 is fingerprint 6, 20 are fingerprint 7, 1 is fingerprint 8, 1 is fingerprint 9 and 7 are fingerprint 10. Sorting fingerprint 1 to fingerprint 10 by count in descending order, the top 3 are fingerprint 3, fingerprint 7 and fingerprint 1, so fingerprint 3, fingerprint 7 and fingerprint 1 are first-class fingerprints.
As another example, as shown in FIG. 4, the first condition includes that the count of a first fingerprint exceeds the first count threshold (for example, a first count threshold of 10) and that the count of the first fingerprint ranks in the top M1 (for example, M1 = 3). Taking fingerprint 1 to fingerprint 10 of FIG. 3 again, only fingerprint 1, fingerprint 3 and fingerprint 7 among these 10 fingerprints have counts above 10 and rank in the top 3, so fingerprint 1, fingerprint 3 and fingerprint 7 are first-class fingerprints.
It should be understood that by extracting a fingerprint from each first data stream in the first traffic, the security protection device 300 can obtain at least one first fingerprint. Different first data streams may correspond to the same first fingerprint, so among the at least one first fingerprint some have a high count and others a low count. Since most or all of the first data streams in the first traffic are normal traffic when the first rate characterization value does not exceed the first rate threshold, it can be inferred that the first fingerprints with high counts (that is, the first-class fingerprints) are most likely fingerprints of normal traffic. Therefore, first-class fingerprints obtained in this way can be used to determine that traffic matching them is normal traffic.
S1023: the security protection device 300 generates at least one second-class fingerprint.

Optionally, the security protection device 300 generates at least one second-class fingerprint when the first rate characterization value exceeds the first rate threshold. Specifically, it generates one first fingerprint for each first data stream of the at least one first data stream, and determines any first fingerprint whose count satisfies a fourth condition to be a second-class fingerprint.

The fourth condition comprises any one or more of the following: the count of the first fingerprint exceeds a fourth count threshold; its proportion exceeds a fourth proportion threshold; its count ranks in the top M4; its proportion ranks in the top N4; its frequency exceeds a fourth frequency threshold. M4 and N4 are natural numbers, and the fourth count threshold, fourth proportion threshold, fourth frequency threshold, M4 and N4 may each be preset by the user or adjusted dynamically by the security protection device 300 according to the actual situation.

For example, as shown in figure 5, the fourth condition is that the proportion of a first fingerprint ranks in the top N4 (for example, N4 = 3), the first traffic comprises 1000 data streams, and the destination IP address of all 1000 data streams is the first IP address. Extracting a fingerprint from each stream yields 1000 first fingerprints: 15 are fingerprint 1, 3 are fingerprint 2, 50 are fingerprint 3, 1 each is fingerprint 4, fingerprint 5 and fingerprint 6, 20 are fingerprint 7, 1 each is fingerprint 8 and fingerprint 9, 7 are fingerprint 10, 300 are fingerprint 11, 400 are fingerprint 12 and 200 are fingerprint 13. The proportions are therefore 0.015 (15/1000) for fingerprint 1, 0.003 (3/1000) for fingerprint 2, 0.05 (50/1000) for fingerprint 3, 0.001 (1/1000) for each of fingerprints 4, 5, 6, 8 and 9, 0.02 (20/1000) for fingerprint 7, 0.007 (7/1000) for fingerprint 10, 0.3 (300/1000) for fingerprint 11, 0.4 (400/1000) for fingerprint 12 and 0.2 (200/1000) for fingerprint 13. Sorting fingerprints 1 to 13 by proportion in descending order, the top three are fingerprint 12, fingerprint 11 and fingerprint 13, so fingerprint 12, fingerprint 11 and fingerprint 13 are the second-class fingerprints.

As another example, as shown in figure 6, the fourth condition comprises both that the proportion of a first fingerprint exceeds the fourth proportion threshold (for example, 0.1) and that its proportion ranks in the top N4 (for example, N4 = 3). Taking fingerprints 1 to 13 of figure 5 again, only fingerprint 11, fingerprint 12 and fingerprint 13 have a proportion above 0.1 and rank in the top three, so fingerprint 11, fingerprint 12 and fingerprint 13 are the second-class fingerprints.

It should be understood that by extracting a fingerprint from every first data stream of the first traffic, the security protection device 300 obtains at least one first fingerprint, and that different first data streams may map to the same first fingerprint, so some first fingerprints occur many times and others only rarely. When the first rate characterization value exceeds the first rate threshold, most or all of the data streams in the first traffic are attack traffic, so the frequently occurring first fingerprints (the second-class fingerprints) are with high probability the fingerprints of attack traffic. Second-class fingerprints obtained in this way can be used to classify traffic that matches them as attack traffic.
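The selection rules of S1022 and S1023 (count threshold, proportion threshold, top-M by count, top-N by proportion, frequency threshold, combined with AND as in figures 4 and 6) can be written as one function over the per-stream fingerprint list. The following is an added example, not code from the patent; fingerprint extraction from packet fields (S102) is assumed to have already happened, the fingerprint names are placeholders, and the histograms are constructed to reproduce figures 3 to 6 of the description.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Condition:
    """Selection rule for one fingerprint family (the first to fifth condition
    of the description). Every bound that is set must hold, which is the AND
    form of figures 4, 6, 8 and 10; a bound left as None is ignored.
    'Exceeds' is strict: count > threshold."""
    min_count: Optional[int] = None         # count of the fingerprint > threshold
    min_ratio: Optional[float] = None       # count / total count > threshold
    top_m_by_count: Optional[int] = None    # count ranks within the top M
    top_n_by_ratio: Optional[int] = None    # ratio ranks within the top N
    min_per_second: Optional[float] = None  # count / period length > threshold


def select_fingerprints(fingerprints: Iterable[str], cond: Condition,
                        period_seconds: float = 1.0) -> list[str]:
    """Return the fingerprints of one window that satisfy cond, most frequent first.

    fingerprints: one entry per data stream (fingerprint already extracted;
    this example does not parse packets).
    """
    counts = Counter(fingerprints)
    total = sum(counts.values())
    if total == 0:
        return []
    # One ranking serves both the count rule and the ratio rule: the ratio is
    # count / total with a constant total, so the two orders are identical.
    # Counter.most_common keeps first-seen order for equal counts, so a tie at
    # the Mth position is broken by arrival order, not by any property of the
    # traffic; a real deployment has to decide that case explicitly.
    ranked = [fp for fp, _ in counts.most_common()]
    rank = {fp: position for position, fp in enumerate(ranked, start=1)}

    selected = []
    for fp in ranked:
        count = counts[fp]
        if cond.min_count is not None and not count > cond.min_count:
            continue
        if cond.min_ratio is not None and not count / total > cond.min_ratio:
            continue
        if cond.top_m_by_count is not None and rank[fp] > cond.top_m_by_count:
            continue
        if cond.top_n_by_ratio is not None and rank[fp] > cond.top_n_by_ratio:
            continue
        if cond.min_per_second is not None and not count / period_seconds > cond.min_per_second:
            continue
        selected.append(fp)
    return selected


def expand(histogram: dict[str, int]) -> list[str]:
    """Turn a {fingerprint: count} histogram into the per-stream list the device
    would hold after extracting one fingerprint per data stream."""
    return [fp for fp, n in histogram.items() for _ in range(n)]


# Constructed inputs reproducing the histograms of figures 3 and 5.
FIGURE_3 = {"fp1": 15, "fp2": 3, "fp3": 50, "fp4": 1, "fp5": 1, "fp6": 1,
            "fp7": 20, "fp8": 1, "fp9": 1, "fp10": 7}                 # 100 streams
FIGURE_5 = {**FIGURE_3, "fp11": 300, "fp12": 400, "fp13": 200}     # 1000 streams

if __name__ == "__main__":
    print("fig. 3, top 3 by count:", select_fingerprints(expand(FIGURE_3), Condition(top_m_by_count=3)))
    print("fig. 4, count > 10 and top 3:", select_fingerprints(expand(FIGURE_3), Condition(min_count=10, top_m_by_count=3)))
    print("fig. 5, top 3 by ratio:", select_fingerprints(expand(FIGURE_5), Condition(top_n_by_ratio=3)))
    print("fig. 6, ratio > 0.1 and top 3:", select_fingerprints(expand(FIGURE_5), Condition(min_ratio=0.1, top_n_by_ratio=3)))
```

A pure top-M rule always returns M fingerprints, however rare the Mth one is, which is why the AND forms of figures 4 and 6 add an absolute count or proportion bound; the frequency rule is the count rule divided by the window length, so it only differs from it when windows of different lengths are compared.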
Optionally, after performing S1022 the security protection device 300 may further perform any one or more of the following steps.

S103: the security protection device 300 obtains a second rate characterization value of second traffic in a second period.

The second traffic comprises at least one second data stream. Optionally, the at least one second data stream comprises at least one of a TLS data stream or an SSL data stream. The source IP addresses of the second data streams may be the same or different; in other words, the second data streams come from at least one client 100, and the at least one client 100 may include normal clients as well as attack clients. The source IP address of any second data stream may be the same as that of some first data stream, or may differ from the source IP addresses of all first data streams.

Optionally, every second data stream has the same destination IP address, namely the first IP address; or the destination IP addresses of the second data streams belong to one IP group, namely the first IP group.
Optionally, the second period is later than the first period and adjacent to it. In a concrete implementation the security protection device 300 then obtains the rate characterization value of the traffic sent to the network 400 periodically. With a period of 1 s, when the first period is 1-1000 ms the second period is 1001-2000 ms, and when the first period is 1001-2000 ms the second period is 2001-3000 ms.

Optionally, the second period is later than the first period and the two periods share a common sub-period. In a concrete implementation the security protection device 300 then obtains the rate characterization value using a sliding window. With a window that slides every 10 ms, when the first period is 1-1000 ms the second period is 11-1010 ms, and when the first period is 11-1010 ms the second period is 21-1020 ms.

The second rate characterization value indicates the traffic rate of the second traffic in the second period. Like the first rate characterization value, it may be expressed as a byte or bit count (for example, the total bytes or bits of the second traffic in the second period), as bytes or bits per unit time (for example, the average bit count of the second traffic in the second period), as a packet count (for example, the total packets of the second traffic in the second period), or as packets per unit time (for example, the average packet count of the second traffic in the second period).
In some embodiments, when the destination IP address of every second data stream in the second traffic is the first IP address, the security protection device 300 identifies the traffic sent to the first IP address in the second period (the second traffic) by the first IP address and obtains the second rate characterization value from it.

In some embodiments, when the destination IP addresses of the second data streams all belong to the first IP group, the security protection device 300 identifies the traffic sent to the first IP group in the second period (the second traffic) by the first IP group and obtains the second rate characterization value from it.

S104: the security protection device 300 determines whether the second rate characterization value exceeds the first rate threshold. If it does not, the device performs S105; if it does, the device performs S106-S107.

Because the second rate characterization value may also take one or more forms, the security protection device 300 may determine in one or more ways whether it exceeds the first rate threshold; see the description in S1021 of how the first rate characterization value is compared with the first rate threshold, which is not repeated here.
S105: the security protection device 300 updates the at least one first-class fingerprint.

Specifically, the security protection device 300 generates one second fingerprint for each second data stream of the at least one second data stream, determines any second fingerprint that satisfies a second condition to be a new first-class fingerprint, and then replaces the at least one first-class fingerprint with the new first-class fingerprints.

The second condition comprises any one or more of the following: the count of the second fingerprint exceeds a second count threshold; its proportion (the ratio of its count to the total count of second fingerprints) exceeds a second proportion threshold; its count ranks in the top M2; its proportion ranks in the top N2; its frequency (the number of data streams carrying that fingerprint that the security protection device 300 receives per unit time) exceeds a second frequency threshold. M2 and N2 are natural numbers, and the second count threshold, second proportion threshold, second frequency threshold, M2 and N2 may each be preset by the user or adjusted dynamically by the security protection device 300 according to the actual situation. In some embodiments the first condition and the second condition may be the same or different, as the situation requires; for example, when the first period falls in an off-peak period and the second period in a peak period, the first count threshold of the first condition may be set lower than the second count threshold of the second condition.

For example, as shown in figure 7, the second condition is that the count of a second fingerprint ranks in the top M2 (for example, M2 = 3), the second traffic comprises 200 data streams, and the destination IP address of all 200 data streams is the first IP address. Extracting a fingerprint from each stream yields 200 second fingerprints: 15 are fingerprint 1, 10 are fingerprint 2, 70 are fingerprint 3, 5 are fingerprint 4, 2 are fingerprint 5, 9 are fingerprint 6, 45 are fingerprint 7, 1 is fingerprint 9, 10 are fingerprint 10, 30 are fingerprint 14 and 3 are fingerprint 15. Sorting these 11 fingerprints by count in descending order, the top three are fingerprint 3, fingerprint 7 and fingerprint 14, so fingerprint 3, fingerprint 7 and fingerprint 14 are the new first-class fingerprints.

As another example, as shown in figure 8, the second condition comprises both that the count of a second fingerprint exceeds the second count threshold (for example, 20) and that its count ranks in the top M2 (for example, M2 = 3). Taking the fingerprints of figure 7 again, only fingerprint 3, fingerprint 7 and fingerprint 14 have a count above 20 and rank in the top three, so fingerprint 3, fingerprint 7 and fingerprint 14 are the new first-class fingerprints.

It should be understood that in practice a first-class fingerprint is only valid for a time. For example, the security protection device 300 may determine a first-class fingerprint in the first period, but the client behind that fingerprint may be infected by an attack tool and become an attack client in the second period, in which case the fingerprint is no longer a first-class fingerprint. For this reason the security protection device 300 can update the first-class fingerprints (S105) so that they continue to indicate normal traffic accurately, improving the security of the server 200 indicated by the first IP address or first IP group.
S106: the security protection device 300 generates at least one second-class fingerprint.

Specifically, the security protection device 300 generates one second fingerprint for each second data stream of the at least one second data stream, and determines any second fingerprint that satisfies a third condition and is not among the at least one first-class fingerprint to be a second-class fingerprint.

The third condition comprises any one or more of the following: the count of the second fingerprint exceeds a third count threshold; its proportion exceeds a third proportion threshold; its count ranks in the top M3; its proportion ranks in the top N3; its frequency exceeds a third frequency threshold. M3 and N3 are natural numbers, and the third count threshold, third proportion threshold, third frequency threshold, M3 and N3 may each be preset by the user or adjusted dynamically by the security protection device 300 according to the actual situation.

For example, as shown in figure 9, the third condition is that the proportion of a second fingerprint ranks in the top N3 (for example, N3 = 3), the second traffic comprises 1000 data streams, and the destination IP address of all 1000 data streams is the first IP address. Extracting a fingerprint from each stream yields 1000 second fingerprints: 15 are fingerprint 1, 3 are fingerprint 2, 150 are fingerprint 3, 1 each is fingerprint 4, fingerprint 5 and fingerprint 6, 20 are fingerprint 7, 1 each is fingerprint 8 and fingerprint 9, 7 are fingerprint 10, 300 are fingerprint 11 and 500 are fingerprint 12. The proportions are therefore 0.015 (15/1000) for fingerprint 1, 0.003 (3/1000) for fingerprint 2, 0.15 (150/1000) for fingerprint 3, 0.001 (1/1000) for each of fingerprints 4, 5, 6, 8 and 9, 0.02 (20/1000) for fingerprint 7, 0.007 (7/1000) for fingerprint 10, 0.3 (300/1000) for fingerprint 11 and 0.5 (500/1000) for fingerprint 12. Sorting fingerprints 1 to 12 by proportion in descending order, the top three are fingerprint 12, fingerprint 11 and fingerprint 3. As figure 3 shows, fingerprint 3 is a first-class fingerprint, so only fingerprint 12 and fingerprint 11 are second-class fingerprints.

As another example, as shown in figure 10, the third condition comprises both that the proportion of a second fingerprint exceeds the third proportion threshold (for example, 0.1) and that its proportion ranks in the top N3 (N3 = 3). Taking the fingerprints of figure 9 again, fingerprint 3, fingerprint 11 and fingerprint 12 have a proportion above 0.1 and rank in the top three, but fingerprint 3 is a first-class fingerprint, so only fingerprint 11 and fingerprint 12 are second-class fingerprints.

It should be understood that when deciding whether a second fingerprint is a second-class fingerprint, this step checks not only the third condition but also whether the fingerprint is one of the first-class fingerprints obtained in S1022. When the second rate characterization value is greater than the first rate threshold, the second traffic contains attack traffic, but it may also contain normal traffic, and the second fingerprints of that normal traffic may satisfy the third condition as well. Judging second fingerprints by the third condition alone could therefore wrongly classify the fingerprint of normal traffic as a second-class fingerprint; combining the third condition with the first-class fingerprints of S1022 improves the accuracy of the second-class fingerprints. The converse error is not caught by this check: an attacker that reproduces a first-class fingerprint, for instance by copying the cipher suite list of a common browser, is never learned as a second-class fingerprint and has to be caught by the per-source rate checks of S107.
S107: the security protection device 300 generates at least one blacklist entry from the at least one second-class fingerprint.

Specifically, the security protection device 300 obtains the request rate (or response rate) of each second data stream of the at least one second data stream; when the request rate (or response rate) of a second data stream exceeds a second rate threshold and the at least one second-class fingerprint includes the fingerprint of that stream, the source IP address of that second data stream is determined to be one blacklist entry of the at least one blacklist.

The request rate of a second data stream is the rate at which the source IP address of the stream sends requests to its destination IP address in the second period. Optionally, it may be expressed in bits per unit time (for example, the bits per second sent from the source IP address to the destination IP address in the second period) or in packets per unit time (for example, the packets per second sent from the source IP address to the destination IP address in the second period).

The response rate of a second data stream is the rate at which the destination IP address of the stream responds to its source IP address in the second period, for example the rate at which the destination IP address returns acknowledgements (ACK) to the source IP address.

The second rate threshold may be preset by the user (for example, 100 PPS) or adjusted dynamically by the security protection device 300 according to the actual situation, for example a higher second rate threshold in peak periods than in off-peak periods.

For instance, taking the example of figure 9 again: suppose the rates at which the source IP addresses of the second data streams with fingerprints 1 to 10 send requests to the first IP address are all below the second rate threshold, while the rates at which the source IP addresses of the second data streams with fingerprint 11 and fingerprint 12 send requests to the server indicated by the first IP address are all above it. Since fingerprint 11 and fingerprint 12 are second-class fingerprints, the security protection device 300 determines the source IP addresses of the second data streams carrying fingerprint 11 and fingerprint 12 to be blacklist entries.

Generating the blacklist from the second-class fingerprints lets a security device determine whether a data stream under inspection is attack traffic by matching its source IP address against the blacklist. Obtaining the source IP address of a data stream takes far less time and fewer resources than extracting its fingerprint, so detecting attack traffic with the blacklist is faster and cheaper. The trade-off is that an IP entry is coarser than a fingerprint: a blacklisted address shared by many clients behind a NAT or a carrier-grade proxy blocks all of them, which is worth bearing in mind when the second rate threshold is chosen.

In practice, besides the blacklist, the security protection device 300 may also generate at least one whitelist entry from the at least one first-class fingerprint. Specifically, when the request rate (or response rate) of a first data stream of the at least one first data stream does not exceed a third rate threshold and the at least one first-class fingerprint includes the fingerprint of that stream, the source IP address of that first data stream is determined to be a whitelist entry. The third rate threshold may be preset by the user or adjusted dynamically by the security protection device 300 according to the actual situation. For the request rate (or response rate) of a first data stream, see the description in S108 below.

It should be understood that, like the first-class fingerprints, whitelist entries are only valid for a time, so after updating the first-class fingerprints the security protection device 300 may also update the at least one whitelist entry. Specifically, when the request rate (or response rate) of a second data stream does not exceed a fourth rate threshold and the new first-class fingerprints include the fingerprint of that stream, the security protection device 300 determines the source IP address of that second data stream to be a new whitelist entry; the fourth rate threshold may be preset by the user or adjusted dynamically by the security protection device 300. The device then replaces the at least one whitelist entry with the new whitelist entries, so that the whitelist accurately indicates normal traffic and the security of the server 200 indicated by the first IP address or first IP group is improved.
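The steps S103 to S107 together with the whitelist form one loop per window: gate on the aggregate rate (using the OR rule over bits and packets from the first rate threshold discussion), then either re-learn the normal class and whitelist in a quiet window, or learn the attack class minus the known-normal fingerprints and blacklist the fast sources in a loud window. The code below is an added example that is not part of the patent. It assumes fingerprints have already been extracted per stream, fixes the "top 3" form of the conditions, uses the 100 PPS second rate threshold named in the text, and picks a third/fourth rate threshold of 20 PPS that the text leaves open; the two windows of traffic are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One data stream observed in a window, after fingerprint extraction
    (the extraction itself is outside this example)."""
    src_ip: str
    dst_ip: str
    fingerprint: str
    bits: int      # bits sent by the source in the window (request volume)
    packets: int   # packets sent by the source in the window


@dataclass(frozen=True)
class AggregateThreshold:
    """First rate threshold in its two-bound form."""
    max_bps: float
    max_pps: float


def aggregate_exceeded(flows: list[Flow], window_s: float, thr: AggregateThreshold) -> bool:
    """Rate characterization value of the whole window against the first rate
    threshold, OR rule: exceeding either bound trips the gate."""
    bps = sum(f.bits for f in flows) / window_s
    pps = sum(f.packets for f in flows) / window_s
    return bps > thr.max_bps or pps > thr.max_pps


@dataclass
class FingerprintLearner:
    """State learned for one protected destination IP (or IP group)."""
    window_s: float
    aggregate: AggregateThreshold
    top_n: int = 3                  # 'top N' form of the second/third condition
    black_pps: float = 100.0        # second rate threshold (100 PPS example in the text)
    white_pps: float = 20.0         # third/fourth rate threshold: assumed value
    class1: set = field(default_factory=set)     # fingerprints of normal traffic
    class2: set = field(default_factory=set)     # fingerprints of attack traffic
    blacklist: set = field(default_factory=set)  # source IPs
    whitelist: set = field(default_factory=set)  # source IPs

    def _dominant(self, flows: list[Flow]) -> list[str]:
        counts = Counter(f.fingerprint for f in flows)
        return [fp for fp, _ in counts.most_common(self.top_n)]

    def observe(self, flows: list[Flow]) -> str:
        """One window: the S104 gate, then S105 (quiet) or S106-S107 (loud)."""
        if not aggregate_exceeded(flows, self.window_s, self.aggregate):
            # Quiet window: the dominant fingerprints are normal, and the old
            # class is replaced wholesale as S105 specifies. Whitelist the
            # sources that carry a class-1 fingerprint at a low per-source rate.
            self.class1 = set(self._dominant(flows))
            self.whitelist = {f.src_ip for f in flows
                              if f.fingerprint in self.class1
                              and f.packets / self.window_s <= self.white_pps}
            return "learned_normal"
        # Loud window (S106): dominant fingerprints become attack fingerprints
        # unless already learned as normal, since normal traffic is still mixed in.
        self.class2 = {fp for fp in self._dominant(flows) if fp not in self.class1}
        # S107: blacklist only sources that carry an attack fingerprint AND exceed
        # the per-source rate; a slow client that shares the fingerprint is spared.
        self.blacklist = {f.src_ip for f in flows
                          if f.fingerprint in self.class2
                          and f.packets / self.window_s > self.black_pps}
        return "learned_attack"


def _flows(prefix: str, n: int, fingerprint: str, packets: int,
           dst: str = "198.51.100.10") -> list[Flow]:
    """Constructed streams from n sources prefix.1..prefix.n, 800 bits per packet."""
    return [Flow(f"{prefix}.{i}", dst, fingerprint, packets * 800, packets)
            for i in range(1, n + 1)]


# Constructed 1 s windows. Quiet: 12 client streams at 10 pps each.
QUIET_WINDOW = (_flows("10.0.0", 6, "browser-a", 10) + _flows("10.0.1", 3, "browser-b", 10)
                + _flows("10.0.2", 2, "cli-c", 10) + _flows("10.0.4", 1, "rare-d", 10))
# Loud: the same clients, 40 bots at 150 pps sharing one fingerprint, plus one
# legitimate low-rate client whose stack happens to produce the bots' fingerprint.
ATTACK_WINDOW = QUIET_WINDOW + _flows("203.0.113", 40, "bot-x", 150) + _flows("10.0.3", 1, "bot-x", 10)

if __name__ == "__main__":
    learner = FingerprintLearner(window_s=1.0, aggregate=AggregateThreshold(max_bps=1e6, max_pps=1000))
    print(learner.observe(QUIET_WINDOW), sorted(learner.class1), len(learner.whitelist), "whitelisted")
    print(learner.observe(ATTACK_WINDOW), sorted(learner.class2), len(learner.blacklist), "blacklisted")
```

The second window shows both guards the description builds in: "browser-a" is dominant in the loud window too but stays out of the attack class because it was learned as normal, and the slow client 10.0.3.1 is not blacklisted even though its fingerprint is, because the blacklist requires the per-source rate as well. Whether that slow client is still blocked later depends on how enforcement orders fingerprint and IP checks, which the description leaves to the implementation.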
Optionally, after performing S1023 the security protection device 300 may further perform any of the following steps.

S108: the security protection device 300 generates at least one blacklist entry from the at least one second-class fingerprint.

Specifically, the security protection device 300 obtains the request rate (or response rate) of each first data stream of the at least one first data stream; when the request rate (or response rate) of a first data stream exceeds the second rate threshold and the at least one second-class fingerprint includes the fingerprint of that stream, the source IP address of that first data stream is determined to be one blacklist entry of the at least one blacklist.

The request rate of a first data stream is the rate at which the source IP address of the stream sends requests to its destination IP address in the first period. As for second data streams, it may be expressed in bits per unit time (for example, the bits per second sent from the source IP address to the destination IP address in the first period) or in packets per unit time (for example, the packets per second sent from the source IP address to the destination IP address in the first period).

The response rate of a first data stream is the rate at which the destination IP address of the stream responds to its source IP address in the first period, for example the rate at which the destination IP address returns ACKs to the source IP address.
S109: the security protection device 300 obtains a second rate characterization value of second traffic in a second period.

S110: the security protection device 300 determines whether the second rate characterization value exceeds the first rate threshold. If it does not, the device performs S111; if it does, the device performs S112-S113.

S109-S110 are implemented exactly as S103-S104 above and are not described again.

S111: the security protection device 300 generates at least one first-class fingerprint.

Specifically, the security protection device 300 generates one second fingerprint for each second data stream of the at least one second data stream, and determines any second fingerprint that satisfies the second condition to be a first-class fingerprint. For the second condition, see the description in S105.
S112: the security protection device 300 updates the at least one second-class fingerprint.

Specifically, the security protection device 300 generates one second fingerprint for each second data stream of the at least one second data stream, determines any second fingerprint that satisfies a fifth condition to be a new second-class fingerprint, and then replaces the at least one second-class fingerprint with the new second-class fingerprints.

The fifth condition may comprise any one or more of the following: the count of the second fingerprint exceeds a fifth count threshold; its proportion exceeds a fifth proportion threshold; its count ranks in the top M5; its proportion ranks in the top N5; its frequency exceeds a fifth frequency threshold. M5 and N5 are natural numbers, and the fifth count threshold, fifth proportion threshold, fifth frequency threshold, M5 and N5 may each be preset by the user or adjusted dynamically by the security protection device 300 according to the actual situation.

S113: the security protection device 300 updates the at least one blacklist entry.

Specifically, the security protection device 300 obtains the request rate (or response rate) of each second data stream of the at least one second data stream; when the request rate (or response rate) of a second data stream exceeds the second rate threshold and the new second-class fingerprints include the fingerprint of that stream, the source IP address of that second data stream is determined to be a new blacklist entry. The device then replaces the at least one blacklist entry with the new blacklist entries. For the request rate (or response rate) of a second data stream and the second rate threshold, see the description in S107.

It should be understood that in practice, like the first-class fingerprints, the second-class fingerprints and blacklist entries are only valid for a time. For example, the security protection device 300 may determine a second-class fingerprint in the first period, but the client behind that fingerprint may later be restored to a normal client that no longer attacks the server 200, in which case the fingerprint is no longer a second-class fingerprint. Likewise, the device may determine a blacklist entry in the first period, but the attack client it indicates may later be remediated and stop attacking while other, previously normal clients become attack clients. For this reason the security protection device 300 can perform S112-S113 so that the second-class fingerprints and blacklist continue to indicate attack traffic accurately, improving the security of the server 200 indicated by the first IP address or first IP group.
It should also be understood that, for brevity, the above embodiments do not describe every way the first-class fingerprints, second-class fingerprints, blacklist and whitelist may be updated. In practice, besides the cases of S105, S112 and S113, the security protection device 300 may, after performing S106, update the at least one second-class fingerprint from the traffic received in later periods; likewise, after S107 it may update the at least one blacklist entry from later traffic, and after S111 it may update the at least one first-class fingerprint and the at least one whitelist entry from later traffic. These steps are implemented like S105, S112 and S113 and are not described again.

Moreover, the above embodiments describe only how the security protection device 300 detects attack traffic aimed at the server 200 indicated by the first IP address or first IP group: from the first traffic and second traffic whose destination IP address is the first IP address or belongs to the first IP group, it learns one or more of at least one first-class fingerprint, at least one second-class fingerprint, at least one blacklist entry and at least one whitelist entry, and then uses what it learned to detect whether data streams sent to the first IP address or first IP group are attack traffic. In practice the security protection device 300 can detect attack traffic for any other IP address (for example, a second IP address) or IP group (for example, a second IP group) in the network 400 by a method like S101-S113. Taking the second IP address or second IP group: the security protection device 300 obtains the rate characterization value of third traffic in the first period, where every data stream of the third traffic has the second IP address as its destination or a destination in the second IP group; it then generates at least one first-class fingerprint (or at least one second-class fingerprint) from that rate characterization value, and these are used to detect whether data streams sent to the second IP address or second IP group are attack traffic. Further, following S103-S113, the device may generate at least one blacklist entry, at least one whitelist entry and at least one second-class fingerprint (or at least one first-class fingerprint) for the second IP address or second IP group, and then detect attack traffic sent there using what it learned.

In other words, following S101-S113 the security protection device 300 can generate, for any one or more servers 200 in the network 400, one or more of at least one first-class fingerprint, at least one second-class fingerprint, at least one blacklist entry and at least one whitelist entry, and thereby obtain one or more of a first-class fingerprint library, a second-class fingerprint library, a blacklist library and a whitelist library. The first-class fingerprint library comprises at least one first-class fingerprint, the second-class fingerprint library at least one second-class fingerprint, the blacklist library at least one blacklist entry, and the whitelist library at least one whitelist entry.
Further, the security protection device 300 may also perform the following step:

S114: the security protection device 300 sends one or more of the first-class fingerprint library, second-class fingerprint library, blacklist library or whitelist library to an analysis device.

In some embodiments the analysis device is the analysis device 500 shown in figure 11, deployed in a data center. The data center comprises a large pool of basic resources (computing, storage and network resources): the computing resources may be computing devices such as servers, the storage resources storage devices such as hard disks, and the network resources network devices such as routers and switches. Optionally, the analysis device 500 may be one or more servers in the data center, or a software apparatus deployed on servers or VMs in the data center; the software apparatus may be distributed across multiple servers, across multiple VMs, or across servers and VMs.

In some embodiments there are multiple security protection devices 300, each protecting one network 400, and the analysis device 500 is connected to each of them. The analysis device 500 can therefore forward one or more of the received first-class fingerprint library, second-class fingerprint library, blacklist library or whitelist library to the other security protection devices 300, so that they too can detect attack traffic with those libraries. A shared library carries the learning errors of the device that produced it, so the channel between the devices 300 and 500 should be authenticated and the analysis device should apply the frequency threshold and aging described below before redistributing entries.
Based on the scenario of figure 11 and the flowchart of another attack traffic detection method shown in figure 12, another aspect of how the security protection device 300 detects attack traffic is described below.

S201: multiple security protection devices 300 each send a second-class fingerprint library to the analysis device 500, and the analysis device 500 receives the libraries sent by the multiple security protection devices 300; each second-class fingerprint library comprises at least one second-class fingerprint.

The second-class fingerprint library sent by each security protection device 300 is generated by that device through one or more of S101-S104, S106, S109-S110 and S112 above, so its generation is not repeated here.

S202: the analysis device 500 generates a total fingerprint library from the multiple second-class fingerprint libraries; the total fingerprint library comprises some or all of the second-class fingerprints of those libraries.

In some embodiments, generating the total fingerprint library from the multiple second-class fingerprint libraries comprises: adding every second-class fingerprint of every received library to the total fingerprint library.

In other embodiments it comprises: collecting all second-class fingerprints of the received libraries and adding a second-class fingerprint to the total fingerprint library when its frequency of occurrence exceeds a preset frequency threshold, where the frequency of a second-class fingerprint is the number of times the analysis device 500 receives it per unit time.

Optionally, the analysis device 500 updates the total fingerprint library. Specifically, for each second-class fingerprint in the total fingerprint library it records the time at which the fingerprint was first added, and if it has not received that fingerprint for a long time (for example, longer than a duration threshold) it deletes the fingerprint from the total fingerprint library.

Optionally, the analysis device 500 also assigns each second-class fingerprint in the total fingerprint library a threat level according to its frequency of occurrence: the higher the frequency, the higher the threat level, and the more likely a data stream matching that fingerprint is attack traffic.

S203: the analysis device 500 sends the total fingerprint library to the multiple security protection devices 300, which receive it.

S204: the multiple security protection devices 300 detect attack traffic using the total fingerprint library.

Specifically, taking one security protection device 300 as an example, detecting attack traffic using the total fingerprint library comprises: if the fingerprint of a data stream matches any second-class fingerprint in the total fingerprint library, the security protection device 300 determines that data stream to be attack traffic.
As with the second-class fingerprint libraries, the multiple security protection devices 300 may also send the analysis device 500 multiple first-class fingerprint libraries (each comprising at least one first-class fingerprint), multiple blacklist libraries (each comprising at least one blacklist entry) or multiple whitelist libraries (each comprising at least one whitelist entry). Correspondingly, the analysis device 500 may generate a total first-class fingerprint library from the received first-class fingerprint libraries, a total blacklist library from the received blacklist libraries, or a total whitelist library from the received whitelist libraries, and then send the total first-class fingerprint library, total blacklist library or total whitelist library to the multiple security protection devices 300 for use in detecting attack traffic. Because this process is like S201-S204, it is not described further.
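The aggregation side (S201 to S203) has three pieces that the text states separately: the plain union of the reported libraries, the frequency-thresholded variant with a threat level, and aging out fingerprints no device has reported for longer than the duration threshold. The following is an added example, not code from the patent. It counts "frequency" as reports received per window, which is one reading of "number received per unit time"; the threat-level scale (levels 1 to 3 by multiples of the threshold) is an assumption, since the text only requires it to rise with frequency; the reports from three devices are constructed.

```python
from collections import defaultdict


class FingerprintAggregator:
    """Analysis-device side of S201-S203: merge the second-class fingerprint
    libraries reported by several protection devices into one total library."""

    def __init__(self, min_reports: int, ttl_s: float):
        self.min_reports = min_reports     # preset frequency threshold, in reports per window
        self.ttl_s = ttl_s                 # duration threshold after which a silent entry is dropped
        self.reports = defaultdict(list)   # fingerprint -> timestamps of every report received
        self.devices = defaultdict(set)    # fingerprint -> ids of devices that reported it

    def ingest(self, device_id: str, library: set, now: float) -> None:
        """S201: one protection device's second-class fingerprint library."""
        for fp in library:
            self.reports[fp].append(now)
            self.devices[fp].add(device_id)

    def union_library(self, now: float) -> set:
        """S202, first variant: every reported fingerprint that has not aged out."""
        self._expire(now)
        return set(self.reports)

    def total_library(self, now: float, window_s: float) -> dict:
        """S202, second variant: only fingerprints reported more often than the
        frequency threshold within the last window, each with its threat level."""
        self._expire(now)
        result = {}
        for fp, times in self.reports.items():
            recent = sum(1 for t in times if now - window_s < t <= now)
            if recent > self.min_reports:
                result[fp] = self._threat_level(recent)
        return result

    def reporting_devices(self, fp: str) -> set:
        """How many independent devices saw a fingerprint is the evidence an
        operator checks before trusting a shared entry."""
        return set(self.devices.get(fp, set()))

    def _threat_level(self, recent: int) -> int:
        # Assumed scale: level rises with the report count, capped at 3.
        return min(3, recent // self.min_reports)

    def _expire(self, now: float) -> None:
        # The description records the first-insertion time; aging needs the time
        # of the last report, so that is what decides deletion here.
        for fp in list(self.reports):
            if now - self.reports[fp][-1] > self.ttl_s:
                del self.reports[fp]
                del self.devices[fp]


# Constructed reports: (time in seconds, device id, reported library).
SAMPLE_REPORTS = [
    (0.0, "dev-1", {"bot-x", "bot-y"}), (0.0, "dev-2", {"bot-x"}), (0.0, "dev-3", {"bot-z"}),
    (10.0, "dev-1", {"bot-x", "bot-y"}), (10.0, "dev-3", {"bot-x"}),
    (20.0, "dev-1", {"bot-x", "bot-y"}), (20.0, "dev-2", {"bot-x"}),
]


def build_aggregator(reports=SAMPLE_REPORTS, min_reports: int = 2, ttl_s: float = 100.0) -> FingerprintAggregator:
    agg = FingerprintAggregator(min_reports=min_reports, ttl_s=ttl_s)
    for t, device, library in reports:
        agg.ingest(device, library, t)
    return agg


if __name__ == "__main__":
    agg = build_aggregator()
    print("union at t=30:", sorted(agg.union_library(now=30.0)))
    print("total library at t=30:", agg.total_library(now=30.0, window_s=60.0))
    print("total library at t=120:", agg.total_library(now=120.0, window_s=60.0), "union:", sorted(agg.union_library(now=120.0)))
```

With the threshold at 2 reports per 60 s window, "bot-z" (reported once, by one device) never enters the total library but survives in the union until the duration threshold passes; at t = 120 s it has aged out while "bot-x" and "bot-y", last reported at t = 20 s, are still tracked but fall below the frequency threshold for the current window.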
With reference to the flowchart of the network attack defence method shown in figure 13, the following describes in detail how the security protection device 300 uses one or more of the at least one first-class fingerprint, at least one second-class fingerprint, at least one blacklist entry or at least one whitelist entry obtained above to protect the server 200 indicated by the first IP address or first IP group.

S301: the security protection device 300 receives a target data stream.

The destination IP address of the target data stream is the first IP address, or belongs to the first IP group. Its source IP address may be that of any of the at least one client 100.

S302: the security protection device 300 processes the target data stream according to the fingerprint of the target data stream and/or its source IP address.
(1) The security protection device 300 has generated the at least one first-class fingerprint, at least one second-class fingerprint, at least one blacklist entry and at least one whitelist entry for the first IP address.

Processing by fingerprint: the security protection device 300 uses the destination IP address of the target data stream to select the at least one first-class fingerprint and/or at least one second-class fingerprint associated with the first IP address, and generates the fingerprint of the target data stream from its packet fields. If that fingerprint matches any first-class fingerprint of the first IP address, the device forwards the target data stream so that it reaches the server 200. If it matches any second-class fingerprint of the first IP address, the device blocks the target data stream so that it cannot reach the server 200, or rate-limits it so that only part of the target data stream reaches the server 200. Generating the fingerprint from the packet fields of the target data stream follows the fingerprint generation of S102 and is not described again.

Processing by source IP address: the security protection device 300 uses the destination IP address of the target data stream to select the at least one blacklist entry and/or at least one whitelist entry associated with the first IP address, and obtains the source IP address of the target data stream. If the source IP address matches a blacklist entry of the first IP address, the device blocks or rate-limits the target data stream; if it matches a whitelist entry of the first IP address, the device forwards the target data stream so that it reaches the server 200.
(2) The security protection device 300 has generated the at least one first-class fingerprint, at least one second-class fingerprint, at least one blacklist entry and at least one whitelist entry for the first IP group.

Processing by fingerprint: the security protection device 300 determines that the destination IP address of the target data stream matches an IP address in the first IP group, then selects the at least one first-class fingerprint and/or at least one second-class fingerprint associated with the first IP group, and generates the fingerprint of the target data stream from its packet fields. If that fingerprint matches any first-class fingerprint of the first IP group, the device forwards the target data stream so that it reaches the server 200. If it matches any second-class fingerprint of the first IP group, the device blocks or rate-limits the target data stream.

Processing by source IP address: the security protection device 300 determines that the destination IP address of the target data stream matches an IP address in the first IP group, then selects the at least one blacklist entry and/or at least one whitelist entry associated with the first IP group, and obtains the source IP address of the target data stream. If the source IP address matches a blacklist entry of the first IP group, the device blocks or rate-limits the target data stream; if it matches a whitelist entry of the first IP group, the device forwards the target data stream.

(3) The security protection device 300 has obtained at least one second-class fingerprint and/or at least one blacklist entry from the analysis device 500. In this case the device may match the fingerprint of the target data stream against those second-class fingerprints and, on a match, block or rate-limit the target data stream; or it may match the source IP address of the target data stream against those blacklist entries and, on a match, block or rate-limit the target data stream.

It should be understood that when the target data stream is encrypted (for example, a TLS or SSL data stream), the method of S301-S302 decides how to handle it solely by extracting its fingerprint and/or determining its source IP address. Compared with the prior art, which must decrypt an encrypted data stream before it can decide how to handle it, extracting the fingerprint and/or determining the source IP address takes less time and fewer resources and avoids affecting user privacy; the fingerprint is computed from handshake fields, such as the cipher suite list, that the client sends in the clear, so no key material is needed. Moreover, in practice an attack client that notices its attack on the server has stopped working generally changes the fingerprint of the data streams it sends by modifying its cipher suite list; a preset fingerprint library of the prior art may then fail to detect that client's attack traffic. Because the method of the embodiments of this application detects attack traffic with one or more of at least one first-class fingerprint, at least one second-class fingerprint, at least one blacklist entry and at least one whitelist entry, all of which are updated dynamically, it detects attack traffic more accurately. The same rotation can also be aimed at this method within a single window: a bot that re-randomizes its cipher suite list per connection spreads its streams over many fingerprints, each of which may fall below the count or proportion thresholds, so the per-source rate checks and the blacklist remain necessary alongside fingerprint learning.
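S302 lists four lookups (blacklist, whitelist, first-class fingerprint, second-class fingerprint) plus the libraries pushed by the analysis device, and two actions for a hit on attack traffic (block or rate-limit), but it does not say which lookup wins when they disagree, for instance a whitelisted source that starts sending a second-class fingerprint. The code below is an added example, not code from the patent, that makes that ordering explicit as an assumption (blacklist, then attack fingerprint, then whitelist, then normal fingerprint, and otherwise hand the stream to further inspection) and implements rate limiting as a per-source token bucket, which the text does not specify. The learned policy, shared libraries and the packets fed through it are constructed.

```python
class TokenBucket:
    """Rate limiter for the 'rate-limit' action: `rate` tokens per second,
    at most `burst` stored; one token per packet."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def take(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LearnedPolicy:
    """What S101-S113 learned for one destination IP address or IP group."""

    def __init__(self, class1, class2, blacklist, whitelist):
        self.class1 = frozenset(class1)        # fingerprints of normal traffic
        self.class2 = frozenset(class2)        # fingerprints of attack traffic
        self.blacklist = frozenset(blacklist)  # source IPs
        self.whitelist = frozenset(whitelist)  # source IPs


class Enforcer:
    ALLOW, BLOCK, INSPECT = "allow", "block", "inspect"

    def __init__(self, policies: dict, shared_class2, shared_blacklist,
                 limit_rate: float, limit_burst: float):
        self.policies = policies                          # destination IP -> LearnedPolicy
        self.shared_class2 = frozenset(shared_class2)     # total library from the analysis device
        self.shared_blacklist = frozenset(shared_blacklist)
        self.limit_rate, self.limit_burst = limit_rate, limit_burst
        self.buckets = {}                                 # (src, dst) -> TokenBucket

    def _rate_limited(self, src_ip: str, dst_ip: str, now: float) -> str:
        bucket = self.buckets.setdefault((src_ip, dst_ip), TokenBucket(self.limit_rate, self.limit_burst))
        return self.ALLOW if bucket.take(now) else self.BLOCK

    def decide(self, dst_ip: str, src_ip: str, fingerprint: str, now: float) -> str:
        """S302 for one packet of a stream. Precedence is this example's choice:
        the cheap IP denylist first, then the attack fingerprint (so a whitelisted
        source that starts sending an attack fingerprint is limited, not waved
        through), then the allow checks; unmatched streams go to further inspection."""
        policy = self.policies.get(dst_ip)
        blacklist = self.shared_blacklist | (policy.blacklist if policy else frozenset())
        class2 = self.shared_class2 | (policy.class2 if policy else frozenset())
        if src_ip in blacklist:
            return self.BLOCK
        if fingerprint in class2:
            return self._rate_limited(src_ip, dst_ip, now)   # or BLOCK outright, per operator choice
        if policy and src_ip in policy.whitelist:
            return self.ALLOW
        if policy and fingerprint in policy.class1:
            return self.ALLOW
        return self.INSPECT


# Constructed state: one protected destination plus the analysis device's libraries.
LEARNED = {"198.51.100.10": LearnedPolicy(class1={"browser-a", "browser-b"}, class2={"bot-x"},
                                          blacklist={"203.0.113.5"}, whitelist={"10.0.0.1"})}
SHARED_CLASS2 = {"bot-y"}
SHARED_BLACKLIST = {"192.0.2.9"}


def make_enforcer() -> Enforcer:
    # 1 packet/s sustained with a burst of 2 for rate-limited streams.
    return Enforcer(LEARNED, SHARED_CLASS2, SHARED_BLACKLIST, limit_rate=1.0, limit_burst=2)


if __name__ == "__main__":
    e = make_enforcer()
    for src, fp in [("203.0.113.5", "browser-a"), ("10.0.0.1", "browser-a"), ("10.0.9.9", "unknown"),
                    ("10.0.3.1", "bot-x"), ("10.0.3.1", "bot-x"), ("10.0.3.1", "bot-x")]:
        print(src, fp, "->", e.decide("198.51.100.10", src, fp, now=0.0))
```

The bucket is keyed by (source, destination), so the "only part of the target data stream reaches the server" behaviour of the text is applied per stream rather than to all traffic carrying the fingerprint; for a destination with no learned policy only the shared libraries apply, which is case (3) of the description.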
The attack traffic detection method of the embodiments of this application has been described in detail above with reference to figures 2-13. With reference to figures 14-17, the security protection device 300 and analysis device 500 that implement the method embodiments are now described from a structural point of view.

Figure 14 shows one structural diagram of the security protection device 300. As shown in figure 14, the security protection device 300 comprises an obtaining module 310 and a fingerprint generation module 320, and optionally one or more of a blacklist generation module 330, a sending module 340, a receiving module 350 and a detection module 360. The obtaining module 310 performs any one or more of S101, S103 and S109; the fingerprint generation module 320 any one or more of S102, S104-S106 and S110-S112; the blacklist generation module 330 any one or more of S107, S108, S113 and the generation and updating of the at least one whitelist entry; the sending module 340 any one or more of S114, sending the first-class fingerprint library, blacklist library or whitelist library to the analysis device 500, and forwarding normal traffic; the receiving module 350 any one or more of S301, receiving the total fingerprint library sent by the analysis device 500 in S203, and receiving the total first-class fingerprint library, total blacklist library or total whitelist library sent by the analysis device 500; and the detection module 360 any one or more of S204 and S302.

It should be understood that figure 14 is only one exemplary way of dividing the security protection device 300 by function, and the embodiments of this application do not limit how the device is divided. It should also be understood that the modules inside the security protection device 300 may be software modules, hardware modules, or partly software and partly hardware.
Figure 15 shows another structural diagram of the security protection device 300. As shown in figure 15, the security protection device 300 comprises a memory 410, a processor 420, a communication interface 430 and a bus 440, where the memory 410, processor 420 and communication interface 430 communicate over the bus 440. The embodiments of this application do not limit the number of memories 410, processors 420 or communication interfaces 430 in the security protection device 300.

The memory 410 may be a read-only memory (ROM) or another type of static storage device able to store static information and instructions, a random-access memory (RAM) or another type of dynamic storage device able to store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these. The memory 410 may be separate and connected to the processor 420 through the bus 440, or may be integrated with the processor 420.

In some embodiments the memory 410 stores program code, for example the program code of the obtaining module 310, fingerprint generation module 320, blacklist generation module 330, sending module 340, receiving module 350 and detection module 360. When the processor 420 executes the program code stored in the memory 410, the processor 420 and communication interface 430 perform some or all of the method performed by the security protection device 300 in the method embodiments above (including one or more of the steps of S101-S114, S201, S203-S204 and S301-S302 performed by the security protection device 300). The memory 410 may also store an operating system and data, the data including intermediate data and result data produced by the processor 420 during execution, for example the first fingerprints and first-class fingerprints.

The processor 420 may be a central processing unit (CPU), a graphics processing unit (GPU), a network processor (NP), a microprocessor, or one or more integrated circuits for implementing the steps performed by the security protection device 300 in the method embodiments, for example an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination of these. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of these.

The communication interface 430 uses any transceiver-type apparatus to communicate with other devices or communication networks; for example, the security protection device 300 receives the data streams sent by the clients 100 to the server 200 through the communication interface 430, sends normal traffic to the server 200 through it, or sends the second-class fingerprint library to the analysis device 500 through it. The communication interface 430 comprises a wired communication interface and may also comprise a wireless communication interface. The wired communication interface may be an Ethernet interface, which may be an optical interface, an electrical interface or a combination of the two; the wireless communication interface may be a wireless local area network (WLAN) interface, a cellular network interface or a combination of the two.

The bus 440 may comprise a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of representation figure 15 draws it as a single line, which does not mean there is only one bus or only one type of bus. The bus 440 comprises the paths that carry information between the components of the security protection device 300 (for example, the memory 410, processor 420 and communication interface 430).
Figure 16 shows one structural diagram of the analysis device 500. As shown in figure 16, the analysis device 500 comprises a receiving module 510, an analysis module 520 and a sending module 530, which work together to perform the steps performed by the analysis device 500 in the method embodiments above. Specifically, the receiving module 510 performs any one or more of receiving the multiple second-class fingerprint libraries sent by the multiple security protection devices 300 in S201 and receiving the multiple first-class fingerprint libraries, multiple blacklist libraries or multiple whitelist libraries sent by the multiple security protection devices 300; the analysis module 520 performs S202; and the sending module 530 performs any one or more of sending the total fingerprint library to the multiple security protection devices 300 in S203 and sending the total first-class fingerprint library, total blacklist library or total whitelist library to the multiple security protection devices 300.

It should be understood that figure 16 is only one exemplary way of dividing the analysis device 500 by function, and the embodiments of this application do not limit how the device is divided. It should also be understood that the modules inside the analysis device 500 may be software modules, hardware modules, or partly software and partly hardware.

Figure 17 shows another structural diagram of the analysis device 500. As shown in figure 17, the analysis device 500 comprises a memory 610, a processor 620, a communication interface 630 and a bus 640, where the memory 610, processor 620 and communication interface 630 communicate over the bus 640. The embodiments of this application do not limit the number of memories 610, processors 620 or communication interfaces 630 in the analysis device 500.

The memory 610 may be a ROM or another type of static storage device able to store static information and instructions, a RAM or another type of dynamic storage device able to store information and instructions, an EEPROM, a CD-ROM or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these. The memory 610 may be separate and connected to the processor 620 through the bus 640, or may be integrated with the processor 620.

In some embodiments the memory 610 stores program code, for example the program code of the receiving module 510, analysis module 520 and sending module 530. When the processor 620 executes the program code stored in the memory 610, the processor 620 and communication interface 630 perform some or all of the method performed by the analysis device 500 in the method embodiments above (including one or more of the steps of S201-S203 performed by the analysis device 500). The memory 610 may also store data, including intermediate data and result data produced by the processor 620 during execution, for example the total fingerprint library.

The processor 620 may be a CPU, an NP, a microprocessor, or one or more integrated circuits for implementing the steps performed by the analysis device 500 in the method embodiments, for example an ASIC, a PLD or a combination of these. The PLD may be a CPLD, an FPGA, a GAL or any combination of these.

The communication interface 630 uses any transceiver-type apparatus to communicate with other devices or communication networks; for example, the analysis device 500 receives the second-class fingerprint libraries sent by the security protection devices 300 through the communication interface 630, or sends the total fingerprint library to the security protection devices 300 through it. The communication interface 630 comprises a wired communication interface and may also comprise a wireless communication interface. The wired communication interface may be an Ethernet interface, which may be an optical interface, an electrical interface or a combination of the two; the wireless communication interface may be a WLAN interface, a cellular network interface or a combination of the two.

The bus 640 may comprise a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of representation figure 17 draws it as a single line, which does not mean there is only one bus or only one type of bus. The bus 640 comprises the paths that carry information between the components of the analysis device 500 (for example, the memory 610, processor 620 and communication interface 630).
The embodiments of this application further provide a computer-readable storage medium. The computer-readable storage medium may be any usable medium that a computing device can store, or a data storage device such as a data center containing one or more usable media, where a usable medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium (for example, a solid-state drive). The computer-readable storage medium comprises instructions that instruct a computing device to perform the steps performed by the security protection device 300 as described above.

The embodiments of this application further provide another computer-readable storage medium, which may likewise be any usable medium that a computing device can store or a data storage device such as a data center containing one or more usable media. This computer-readable storage medium comprises instructions that instruct a computing device to perform the steps performed by the analysis device 500 as described above.

The embodiments of this application further provide a computer program product comprising instructions. The computer program product may be software or a program product comprising instructions that can run on a computing device or be stored in any usable medium. When the computer program product runs on at least one computing device, it causes the at least one computing device to perform the steps performed by the security protection device 300 as described above.

The embodiments of this application further provide another computer program product comprising instructions, which may likewise be software or a program product comprising instructions that can run on a computing device or be stored in any usable medium. When this computer program product runs on at least one computing device, it causes the at least one computing device to perform the steps performed by the analysis device 500 as described above.

Finally, it should be noted that the above embodiments serve only to illustrate the technical solutions of this application and do not limit them. Although this application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without the essence of the corresponding technical solution departing from the scope of protection of the technical solutions of the embodiments of this application.
Claims (36)
1. A method for detecting attack traffic, characterized in that the method comprises: obtaining a first rate characterization value of first traffic in a first period, the first traffic comprising at least one first data stream, wherein every first data stream has the same destination Internet Protocol (IP) address, or the destination IP addresses of the at least one first data stream belong to one IP group; and generating at least one fingerprint according to the first rate characterization value, each fingerprint being generated from packet fields of one first data stream of the at least one first data stream, any fingerprint being used to detect whether a data stream matching that fingerprint is attack traffic.
2. The method of claim 1, characterized in that the at least one fingerprint comprises at least one first-class fingerprint, and generating at least one fingerprint according to the first rate characterization value comprises: when the first rate characterization value does not exceed a first rate threshold, generating the at least one first-class fingerprint, the first-class fingerprint indicating that a data stream matching it is normal traffic.
3. The method of claim 2, characterized in that generating the at least one first-class fingerprint comprises: generating one first fingerprint for each first data stream of the at least one first data stream, and when the count of any first fingerprint satisfies a first condition, determining that first fingerprint to be a first-class fingerprint.
4. The method of claim 3, characterized in that the first condition comprises any one or more of: the count of the first fingerprint exceeds a count threshold; or the proportion of the first fingerprint exceeds a proportion threshold; or the count of the first fingerprint ranks in the top M; or the proportion of the first fingerprint ranks in the top N; or the frequency of the first fingerprint exceeds a frequency threshold; where M and N are natural numbers.
5. The method of any one of claims 2 to 4, characterized in that the method further comprises: obtaining a second rate characterization value of second traffic in a second period, the second traffic comprising at least one second data stream, wherein every second data stream has the same destination IP address, or the destination IP addresses of the at least one second data stream belong to one IP group; and when the second rate characterization value does not exceed the first rate threshold, updating the at least one first-class fingerprint.
6. The method of claim 5, characterized in that updating the at least one first-class fingerprint comprises: generating one second fingerprint for each second data stream of the at least one second data stream, and when the count of any second fingerprint satisfies a second condition, determining that second fingerprint to be a new first-class fingerprint; and replacing the at least one first-class fingerprint with the new first-class fingerprint.
7. The method of claim 5 or 6, characterized in that the second period is later than the first period and adjacent to it, or the second period is later than the first period and the second period and the first period include a common period.
8. The method of claim 5, characterized in that the at least one fingerprint further comprises at least one second-class fingerprint, and the method further comprises: when the second rate characterization value exceeds the first rate threshold, generating the at least one second-class fingerprint.
9. The method of claim 8, characterized in that generating the at least one second-class fingerprint comprises: generating one second fingerprint for each second data stream of the at least one second data stream, and when the count of any second fingerprint satisfies a second condition and the at least one first-class fingerprint does not include that second fingerprint, determining that second fingerprint to be a second-class fingerprint.
10. The method of claim 1, characterized in that the at least one fingerprint comprises at least one second-class fingerprint, and generating at least one fingerprint according to the first rate characterization value comprises: when the first rate characterization value exceeds a first rate threshold, generating the at least one second-class fingerprint, the second-class fingerprint indicating that a data stream matching it is attack traffic.
11. The method of claim 10, characterized in that generating the at least one second-class fingerprint comprises: generating one first fingerprint for each first data stream of the at least one first data stream, and when the count of any first fingerprint satisfies a first condition, determining that first fingerprint to be a second-class fingerprint.
12. The method of claim 11, characterized in that the method further comprises: obtaining a second rate characterization value of second traffic in a second period, the second traffic comprising at least one second data stream, wherein every second data stream has the same destination IP address, or the destination IP addresses of the at least one second data stream belong to one IP group; and when the second rate characterization value exceeds the first rate threshold, updating the at least one second-class fingerprint.
13. The method of claim 12, characterized in that updating the at least one second-class fingerprint comprises: generating one second fingerprint for each second data stream of the at least one second data stream, and when the count of any second fingerprint satisfies a second condition, determining that second fingerprint to be a new second-class fingerprint; and replacing the at least one second-class fingerprint with the new second-class fingerprint.
14. The method of any one of claims 9 to 13, characterized in that the method further comprises: generating at least one blacklist entry according to the at least one second-class fingerprint.
15. The method of claim 14, characterized in that generating at least one blacklist entry according to the at least one second-class fingerprint comprises: when the request rate or response rate of one first data stream of the at least one first data stream exceeds a second rate threshold and the at least one second-class fingerprint includes the fingerprint of that first data stream, determining the source IP address of that first data stream to be one blacklist entry of the at least one blacklist entry; or when the request rate or response rate of one second data stream of the at least one second data stream exceeds the second rate threshold and the at least one second-class fingerprint includes the fingerprint of that second data stream, determining the source IP address of that second data stream to be one blacklist entry of the at least one blacklist entry.
16. The method of any one of claims 9 to 15, characterized in that the method further comprises: sending the at least one second-class fingerprint to an analysis device.
17. A method for detecting attack traffic, characterized in that the method comprises: receiving second-class fingerprint libraries sent by multiple security protection devices, each second-class fingerprint library comprising at least one second-class fingerprint, any second-class fingerprint indicating that a data stream matching it is attack traffic; generating a total fingerprint library according to the received second-class fingerprint libraries, the total fingerprint library comprising some or all of the second-class fingerprints of the received libraries; and sending the total fingerprint library to the multiple security protection devices so that they detect attack traffic according to the total fingerprint library.
18. A security protection device, characterized in that the security protection device comprises: an obtaining module configured to obtain a first rate characterization value of first traffic in a first period, the first traffic comprising at least one first data stream, wherein every first data stream has the same destination Internet Protocol (IP) address, or the destination IP addresses of the at least one first data stream belong to one IP group; and a fingerprint generation module configured to generate at least one fingerprint according to the first rate characterization value, each fingerprint being generated from packet fields of one first data stream of the at least one first data stream, any fingerprint being used to detect whether a data stream matching that fingerprint is attack traffic.
19. The security protection device of claim 18, characterized in that the at least one fingerprint comprises at least one first-class fingerprint, and the fingerprint generation module is configured to generate the at least one first-class fingerprint when the first rate characterization value does not exceed a first rate threshold, the first-class fingerprint indicating that a data stream matching it is normal traffic.
20. The security protection device of claim 19, characterized in that the fingerprint generation module is configured to generate one first fingerprint for each first data stream of the at least one first data stream and, when the count of any first fingerprint satisfies a first condition, determine that first fingerprint to be a first-class fingerprint.
21. The security protection device of claim 20, characterized in that the first condition comprises any one or more of: the count of the first fingerprint exceeds a count threshold; or the proportion of the first fingerprint exceeds a proportion threshold; or the count of the first fingerprint ranks in the top M; or the proportion of the first fingerprint ranks in the top N; or the frequency of the first fingerprint exceeds a frequency threshold; where M and N are natural numbers.
22. The security protection device of any one of claims 19 to 21, characterized in that the obtaining module is further configured to obtain a second rate characterization value of second traffic in a second period, the second traffic comprising at least one second data stream, wherein every second data stream has the same destination IP address, or the destination IP addresses of the at least one second data stream belong to one IP group; and the fingerprint generation module is further configured to update the at least one first-class fingerprint when the second rate characterization value does not exceed the first rate threshold.
23. The security protection device of claim 22, characterized in that the fingerprint generation module is configured to generate one second fingerprint for each second data stream of the at least one second data stream, determine any second fingerprint whose count satisfies a second condition to be a new first-class fingerprint, and replace the at least one first-class fingerprint with the new first-class fingerprint.
24. The security protection device of claim 22 or 23, characterized in that the second period is later than the first period and adjacent to it, or the second period is later than the first period and the second period and the first period include a common period.
25. The security protection device of claim 22, characterized in that the at least one fingerprint further comprises at least one second-class fingerprint, and the fingerprint generation module is further configured to generate the at least one second-class fingerprint when the second rate characterization value exceeds the first rate threshold.
26. The security protection device of claim 25, characterized in that the fingerprint generation module is configured to generate one second fingerprint for each second data stream of the at least one second data stream and, when the count of any second fingerprint satisfies a second condition and the at least one first-class fingerprint does not include that second fingerprint, determine that second fingerprint to be a second-class fingerprint.
27. The security protection device of claim 18, characterized in that the at least one fingerprint comprises at least one second-class fingerprint, and the fingerprint generation module is configured to generate the at least one second-class fingerprint when the first rate characterization value exceeds a first rate threshold, the second-class fingerprint indicating that a data stream matching it is attack traffic.
28. The security protection device of claim 27, characterized in that the fingerprint generation module is configured to generate one first fingerprint for each first data stream of the at least one first data stream and, when the count of any first fingerprint satisfies a first condition, determine that first fingerprint to be a second-class fingerprint.
29. The security protection device of claim 28, characterized in that the obtaining module is further configured to obtain a second rate characterization value of second traffic in a second period, the second traffic comprising at least one second data stream, wherein every second data stream has the same destination IP address, or the destination IP addresses of the at least one second data stream belong to one IP group; and the fingerprint generation module is further configured to update the at least one second-class fingerprint when the second rate characterization value exceeds the first rate threshold.
30. The security protection device of claim 29, characterized in that the fingerprint generation module is configured to generate one second fingerprint for each second data stream of the at least one second data stream, determine any second fingerprint whose count satisfies a second condition to be a new second-class fingerprint, and replace the at least one second-class fingerprint with the new second-class fingerprint.
31. The security protection device of any one of claims 26 to 30, characterized in that the security protection device further comprises: a blacklist generation module configured to generate at least one blacklist entry according to the at least one second-class fingerprint.
32. The security protection device of claim 31, characterized in that the blacklist generation module is configured to: when the request rate or response rate of one first data stream of the at least one first data stream exceeds a second rate threshold and the at least one second-class fingerprint includes the fingerprint of that first data stream, determine the source IP address of that first data stream to be one blacklist entry of the at least one blacklist entry; or when the request rate of one second data stream of the at least one second data stream exceeds the second rate threshold and the at least one second-class fingerprint includes the fingerprint of that second data stream, determine the source IP address of that second data stream to be one blacklist entry of the at least one blacklist entry.
33. The security protection device of any one of claims 26 to 32, characterized in that the security protection device further comprises: a sending module configured to send the at least one second-class fingerprint to an analysis device.
34. An analysis device, characterized in that the analysis device comprises: a receiving module configured to receive second-class fingerprint libraries sent by multiple security protection devices, each second-class fingerprint library comprising at least one second-class fingerprint, any second-class fingerprint indicating that a data stream matching it is attack traffic; an analysis module configured to generate a total fingerprint library according to the received second-class fingerprint libraries, the total fingerprint library comprising some or all of the second-class fingerprints of the received libraries; and a sending module configured to send the total fingerprint library to the multiple security protection devices so that they detect attack traffic according to the total fingerprint library.
35. A security protection device, characterized in that it comprises a processor and a memory, the processor executing computer program code in the memory to implement the method of any one of claims 1 to 17.
36. A computer-readable storage medium, characterized in that it stores computer program code which, when executed by a computing device, causes the computing device to perform the method of any one of claims 1 to 17.
Applications Claiming Priority (4)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211414736.4 | 2022-11-11 | | |
| CN202211414736 | 2022-11-11 | | |
| CN202310119197.XA, published as CN118041565A (zh) | 2022-11-11 | 2023-01-19 | Method for detecting attack traffic and related device (检测攻击流量的方法及相关设备) |
| CN202310119197.X | 2023-01-19 | | |
Publications (1)

| Publication Number | Publication Date |
|---|---|
| WO2024099078A1 (zh) | 2024-05-16 |

Family

ID=90993891

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2023/126565, published as WO2024099078A1 (zh) | Method for detecting attack traffic and related device (检测攻击流量的方法及相关设备) | 2022-11-11 | 2023-10-25 |

Country Status (2)

| Country | Link |
|---|---|
| CN (1) | CN118041565A (zh) |
| WO (1) | WO2024099078A1 (zh) |
Citations (4)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101599976A (zh) * | 2009-07-10 | 2009-12-09 | 成都市华为赛门铁克科技有限公司 (Chengdu Huawei Symantec Technologies) | Method and apparatus for filtering User Datagram Protocol packets |
| CN103856470A (zh) * | 2012-12-06 | 2014-06-11 | 腾讯科技(深圳)有限公司 (Tencent Technology (Shenzhen)) | Distributed denial-of-service attack detection method and detection apparatus |
| US20210185083A1 (en) * | 2019-12-17 | 2021-06-17 | Imperva, Inc. | Packet fingerprinting for enhanced distributed denial of service protection |
| CN114826630A (zh) * | 2021-01-22 | 2022-07-29 | 华为技术有限公司 (Huawei Technologies) | Traffic processing method in a protection device, and protection device |

\* Cited by examiner.
Application events

- 2023-01-19: CN application CN202310119197.XA filed, published as CN118041565A (zh); status: pending
- 2023-10-25: PCT application PCT/CN2023/126565 filed, published as WO2024099078A1 (zh); status: unknown
Also Published As

| Publication number | Publication date |
|---|---|
| CN118041565A (zh) | 2024-05-14 |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23887769; Country of ref document: EP; Kind code of ref document: A1 |