CN101039326A - Service flow identification method and apparatus, and method and system for defending against distributed denial-of-service attacks - Google Patents

Service flow identification method and apparatus, and method and system for defending against distributed denial-of-service attacks

Info

Publication number
CN101039326A
Authority
CN
China
Legal status
Pending
Application number
CNA2007100988798A
Other languages
Chinese (zh)
Inventor
刘利锋
郑志彬
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNA2007100988798A (CN101039326A)
Priority to CN2007101387844A (CN101136922B)
Publication of CN101039326A
Priority to EP08715357A (EP2136526A4)
Priority to PCT/CN2008/070621 (WO2008131667A1)
Priority to US12/607,854 (US20100095351A1)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Provided are a service flow identification method and apparatus, and a distributed denial-of-service attack defense method and system. The service flow identification method comprises: detecting user access to a target system; dynamically generating a user identification information set according to the detected user access to the target system and a preset user access statistical model; extracting user identification information from a service flow; comparing the extracted user identification information with the user identification information in the set to determine whether they match; and determining whether the service flow is legitimate according to the matching result. When the service flow identification method is applied in distributed denial-of-service attack defense, legitimate service flows are given normal subsequent processing and illegitimate service flows are refused normal subsequent processing. The accuracy of identifying legitimate service flows is thereby improved, and so is the defense capability against distributed denial-of-service attacks.

Description

Service flow identification method and apparatus, and distributed denial-of-service attack defense method and system
Technical field
The present invention relates to the field of network communication technology, and in particular to a service flow identification method, a service flow identification apparatus, a distributed denial-of-service attack defense method, a distributed denial-of-service attack defense system, and an apparatus.
Background art
DDoS (Distributed Denial of Service) attacks are mainly carried out in two ways: 1. attacking network devices and servers with a large volume of traffic; 2. sending a large number of incomplete requests that can never be completed, so as to exhaust server resources quickly.
An important feature of a DDoS attack is that it is launched from a large number of zombie hosts. The key to preventing DDoS attacks is how to distinguish attack packets from legitimate packets, that is, how to distinguish legitimate service flows from malicious service flows.
At present, there are mainly the following two methods for distinguishing legitimate service flows from malicious service flows and for DDoS defense:
Method one: black-hole technique. When a DDoS attack occurs, the operator stops the packets destined for the victim as far upstream as possible, then routes the stopped packets into a "black hole" and discards them, thereby protecting the operator's core network and other customers' services from damage.
Method two: MVP (Multi-Verification Process) technique. Between attacks, the DDoS defense system is in a "self-learning" mode: it monitors service flows from different sources, learns normal traffic behaviour, and builds a baseline profile. This baseline profile is used to tune policies, which are mainly used to identify and filter known, unknown, and never-before-seen attack traffic flows in real-time network activity.
The inventors have found that the above two prior-art methods have at least the following problems:
In method one, because the operator discards the packets destined for the victim, the victim's legitimate packets are dropped together with the malicious attack packets. Although this method protects the operator's core network and other customers' services, the victim loses all of its services; objectively speaking, the attacker has achieved the purpose of the attack.
In method two, because attack traffic is sent by controlled zombie hosts, attack traffic flows are no different from ordinary traffic flows in terms of packet characteristics and packet behaviour, and attack traffic can equally be regarded as a large volume of ordinary traffic. Method two therefore cannot accurately identify attack traffic flows, produces a large number of false positives and false negatives, and the defense capability of the DDoS defense system is poor.
Summary of the invention
Embodiments of the present invention provide a service flow identification method and apparatus and a distributed denial-of-service attack defense method and system, which improve the accuracy of identifying legitimate service flows and improve the defense capability of a distributed denial-of-service attack defense system.
A service flow identification method provided by an embodiment of the present invention comprises:
detecting user access to a target system;
dynamically generating a user identification information set according to the detected user access to the target system and a preset user access statistical model;
extracting user identification information from a service flow;
comparing the extracted user identification information with the user identification information in the set to determine whether the extracted user identification information matches the user identification information in the set;
determining, according to the comparison result, whether the service flow is a legitimate service flow.
An embodiment of the present invention also provides a distributed denial-of-service attack defense method, comprising:
detecting user access to a target system;
dynamically generating a user identification information set according to the detected user access to the target system and a preset user access statistical model;
extracting user identification information from a service flow;
comparing the extracted user identification information with the user identification information in the set to determine whether the extracted user identification information matches the user identification information in the set;
determining, according to the comparison result, whether the service flow is a legitimate service flow;
allowing subsequent normal processing operations on the service flow determined to be legitimate, and refusing subsequent normal processing operations on the service flow determined to be illegitimate.
An embodiment of the present invention also provides a service flow identification apparatus, comprising:
a first module, configured to detect user access to a target system, dynamically generate user identification information according to the detected user access to the target system and a preset user access statistical model, and output it;
a second module, configured to receive the user identification information output by the first module and store it as a user identification information set;
a third module, configured to extract user identification information from a service flow, compare the extracted user identification information with the user identification information stored in the second module to determine whether the user identification information in the service flow matches the user identification information stored in the second module, judge according to the comparison result whether the service flow is a legitimate service flow, and output judgment result information indicating whether the service flow is a legitimate service flow.
An embodiment of the present invention also provides a distributed denial-of-service attack defense system, comprising:
a first module, configured to detect user access to a target system, dynamically generate user identification information according to the detected user access to the target system and a preset user access statistical model, and output it;
a second module, configured to receive the user identification information output by the first module and store it as a user identification information set;
a third module, configured to extract user identification information from a service flow, compare the extracted user identification information with the user identification information stored in the second module to determine whether the user identification information in the service flow matches the user identification information stored in the second module, judge according to the comparison result whether the service flow is a legitimate service flow, and output judgment result information indicating whether the service flow is a legitimate service flow;
a fourth module, configured to receive the judgment result information output by the third module indicating whether the service flow is a legitimate service flow, allow subsequent normal processing operations on the service flow determined to be legitimate, and refuse subsequent normal processing operations on the service flow determined to be illegitimate.
An embodiment of the present invention also provides an apparatus, comprising:
a first module, configured to detect user access to a target system, dynamically generate user identification information according to the detected user access to the target system and a preset user access statistical model, and output it;
a second module, configured to receive the user identification information output by the first module and store it as a user identification information set.
It can be seen from the above technical solutions that embodiments of the present invention dynamically generate the user identification information set using a user access statistical model, which makes the set easy to maintain and allows the generated set to identify legitimate users as accurately as possible. Therefore, when the dynamically generated set is used to distinguish legitimate service flows from illegitimate service flows, the accuracy of identifying legitimate service flows is improved. Because embodiments of the present invention can accurately identify legitimate service flows, they can effectively prevent the distributed denial-of-service attacks brought by illegitimate service flows; while avoiding the loss of the victim's legitimate service flows, the defense capability of the distributed denial-of-service attack defense system is improved.
Brief description of the drawings
Fig. 1 is a schematic flow diagram of the service flow identification method according to an embodiment of the present invention;
Fig. 2 is a schematic flow diagram of the distributed denial-of-service attack defense method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the distributed denial-of-service attack defense system according to an embodiment of the present invention.
Detailed description of the embodiments
Through extensive research, the inventors found that, in a DDoS attack, although attack traffic flows are no different from ordinary traffic flows in terms of packet characteristics and packet behaviour, attack traffic flows and ordinary traffic flows do differ in the users that access the target system. The difference is this: because a DDoS attack is launched by a large number of zombie hosts, attack traffic flows are sent by a large number of zombie hosts, whereas ordinary traffic flows are sent by legitimate users. In general, legitimate users' access to the target system is predictable, whereas zombie hosts' access to the target system cannot be predicted.
The inventors have used precisely this predictability of legitimate users' access to the target system to realize service flow identification and DDoS attack defense. That is, because legitimate users' access to the target system conforms to a certain user access statistical model, embodiments of the present invention use the user access statistical model to predict legitimate or illegitimate users. One concrete example of predicting legitimate or illegitimate users is: according to historical information on users' access to the target system, predict the probability that a user will access the service system under a DDoS attack, and judge according to the predicted probability whether the user is a legitimate user or an illegitimate user. If the identification information of legitimate users is to be recorded, then when a user is judged legitimate, the user identification information corresponding to that user is obtained from the service flow of the user's access to the target system and recorded in the user identification information set; the recorded set can then serve as a user whitelist. If the identification information of illegitimate users is to be recorded, then when a user is judged illegitimate, the corresponding user identification information is obtained from the service flow of the user's access to the target system and recorded in the set; the recorded set can then serve as a user blacklist. For example, a user predicted with high probability can be determined to be a legitimate user; the corresponding user identification information is then obtained from the service flow of that user's access to the target system and recorded. Legitimate and illegitimate service flows can then be identified according to the recorded user identification information. Because the user identification information generated according to the user access statistical model identifies legitimate/illegitimate users as accurately as possible, the recorded user identification information identifies legitimate and illegitimate service flows as accurately as possible. The above process of identifying legitimate and illegitimate service flows can be applied in DDoS attack defense: when performing DDoS attack defense, the identified legitimate service flows can be allowed subsequent normal processing operations, and the identified illegitimate service flows can be refused subsequent normal processing operations. In other words, during DDoS attack defense, service flows can be identified according to the user identification information of the users predicted likely to access the target system, and the identified legitimate/illegitimate service flows given the corresponding subsequent processing. Thus embodiments of the present invention effectively guarantee normal access by legitimate users to the target system while effectively blocking the attack carried by illegitimate service flows.
The service flow identification method provided by an embodiment of the present invention is described first.
In the embodiment of the service flow identification method, a user identification information set is provided. The set is established as follows: according to the historical records of users' access to the target system and a preset user access statistical model, legitimate/illegitimate users are predicted, for example the users who are likely to access the target system under a DDoS attack and/or the users who cannot access the target system; then the user identification information corresponding to those users is obtained from the service flows of their access to the target system. The user identification information may be an IP address, or any other information in network packets that can identify a user, such as the Cookie field of an HTTP message. Embodiments of the present invention do not exclude statically configured user identification information. The user identification information set provided in embodiments of the present invention may be a set of legitimate users' identification information, in which case it may be called a user whitelist; it may also be a set of illegitimate users' identification information, in which case it may be called a user blacklist. The user access statistical model can be set according to the actual conditions of the network, and there are many ways to set it; embodiments of the present invention do not restrict the concrete form of the user access statistical model, nor the concrete form of the user identification information.
In the service flow identification process, the user identification information in the service flow needs to be extracted, and it should be of the same kind as the user identification information in the user whitelist/blacklist; for example, if the user identification information in the whitelist/blacklist is an IP address, the source IP address needs to be extracted from the service flow. After the user identification information has been extracted from the service flow, it is compared with the stored user identification information, for example with the user identification information in the user whitelist, to determine whether the user identification information extracted from the service flow matches the user identification information in the user whitelist. If the user identification information extracted from the service flow matches user identification information in the user whitelist, the extracted user identification information is legitimate user identification information, the service flow was sent by a legitimate user, and the service flow is a legitimate service flow; if it does not match, the extracted user identification information is illegitimate user identification information, the service flow was sent by an illegitimate user, and the service flow is an illegitimate service flow.
The above description of the service flow identification process takes the user whitelist as an example; if a user blacklist is generated using the user access statistical model, the service flow identification process is basically the same as described above and is not repeated here.
The above service flow identification process can be applied in many defense schemes, for example in a DDoS attack defense scheme. The DDoS attack defense method provided by an embodiment of the present invention is described below.
The DDoS attack defense process uses the above service flow identification process. After the service flow identification process described above determines whether a service flow is a legitimate service flow or an illegitimate service flow, the identified legitimate service flow can be allowed subsequent normal processing operations, such as normal transmission; the identified illegitimate service flow can be refused subsequent normal processing operations, for example by refusing normal transmission and discarding the identified illegitimate service flow.
The above DDoS attack defense process can be started when a DDoS attack occurs. It may be started by manual configuration or by dynamic detection. Dynamic detection starts, for example, by detecting service traffic and judging the detection result to determine whether a DDoS attack has occurred; when a DDoS attack is determined to have occurred, extraction of the user identification information from service flows and the subsequent processes such as service flow identification begin. There are many implementations of detecting service traffic and determining from the detection result whether a DDoS attack has occurred; embodiments of the present invention can adopt existing methods to detect and judge whether a DDoS attack has occurred, and do not limit the specific implementation.
After legitimate and illegitimate service flows have been identified, subsequent processing of service flows can be performed according to priority. The priority here can be dynamically generated by the user access statistical model; for example, in the process of detecting users' historical access data for the target system, the user access statistical model is used to dynamically predict the users who are likely to access the target system during a DDoS attack, or the users who cannot access it, together with corresponding priority information. According to these predicted users and their priority information, a user whitelist or user blacklist containing user identification information and corresponding priority information is dynamically generated. After a user whitelist/blacklist containing priority information has been generated, if a DDoS attack is detected and DDoS attack defense is started, there are many ways to process service flows according to the priority information, for example allowing legitimate service flows to proceed to subsequent normal processing in order of priority from high to low, or, when the DDoS attack is severe, discarding legitimate service flows in order of priority from low to high as appropriate. Embodiments of the present invention do not limit the specific implementation of processing service flows according to the priority information.
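The extraction step above has one practical caveat: the identifier pulled out of the flow must be of the same kind as the identifiers the whitelist or blacklist stores, and a flow that carries no identifier of that kind (an HTTP request with no session cookie, say) can never match. The following added example, which is not the patent's code, shows both cases for the two identifier kinds the text names, source IP address and HTTP Cookie field; the flow layout, the cookie name `sessionid`, and the function names are assumptions of the example.

```python
"""Extracting user identification information from a service flow when the
stored whitelist/blacklist is keyed either by source IP address or by an
HTTP Cookie field. Added example, not the patent's code; the flow layout,
the cookie name and the function names are assumptions."""
from typing import Dict, Optional, Set

# Constructed sample flows: source IP from the IP header plus the HTTP
# request carried in the flow.
FLOW_WITH_COOKIE = {
    "src_ip": "192.0.2.10",
    "payload": (b"GET /account HTTP/1.1\r\n"
                b"Host: target.example\r\n"
                b"Cookie: theme=dark; sessionid=abc123; lang=en\r\n"
                b"\r\n"),
}
FLOW_WITHOUT_COOKIE = {
    "src_ip": "192.0.2.11",
    "payload": b"GET / HTTP/1.1\r\nHost: target.example\r\n\r\n",
}


def http_cookie(payload: bytes, name: str) -> Optional[str]:
    """Return the value of cookie `name` from the request's Cookie header(s),
    or None when the request carries no such cookie. Only the header block
    (up to the blank line) is inspected; header names compare
    case-insensitively and several Cookie headers are tolerated."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        key, sep, value = line.partition(b":")
        if not sep or key.strip().lower() != b"cookie":
            continue
        for pair in value.decode("latin-1").split(";"):
            k, _, v = pair.strip().partition("=")
            if k == name:
                return v
    return None


def extract_identifier(flow: dict, kind: str,
                       cookie_name: str = "sessionid") -> Optional[str]:
    """Pick identification information of the same kind as the stored list:
    'ip' -> source IP address, 'cookie' -> the named cookie's value (None if
    the flow carries no such cookie, which then cannot match anything)."""
    if kind == "ip":
        return flow["src_ip"]
    if kind == "cookie":
        return http_cookie(flow["payload"], cookie_name)
    raise ValueError(f"unknown identifier kind: {kind}")


def matches_list(flow: dict, id_list: Dict[str, Set[str]], kind: str) -> bool:
    """Comparison step: True when the extracted identifier is in the stored
    set of the same kind. Works for a whitelist or a blacklist alike; only
    what the caller does with a match differs."""
    uid = extract_identifier(flow, kind)
    return uid is not None and uid in id_list[kind]


if __name__ == "__main__":
    # Constructed whitelist holding both kinds of identification information.
    whitelist = {"ip": {"192.0.2.10"}, "cookie": {"abc123"}}
    for flow in (FLOW_WITH_COOKIE, FLOW_WITHOUT_COOKIE):
        for kind in ("ip", "cookie"):
            print(flow["src_ip"], kind, matches_list(flow, whitelist, kind))
```

A cookie-keyed list is only as strong as the session identifier behind it, and a source-IP list treats everyone behind one NAT as a single user; the patent leaves the choice of identifier open, and this example keeps the two kinds strictly separate so that a cookie value is never compared against an address list or vice versa.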
Taking the user whitelist as an example, the service flow identification method provided by an embodiment of the present invention is described below with reference to the accompanying drawings.
The service flow identification method provided by an embodiment of the present invention is shown in Fig. 1.
In Fig. 1, step 1: set the user access statistical model. A simple user access statistical model may be, for example, that the user has accessed the target system according to the historical access records, or that the user has accessed the target system a predetermined number of times according to the historical access records. These are only two examples of a very simple user access statistical model; the model can take many forms.
Step 2: detect users' access to the target system and dynamically generate user identification information according to the user access statistical model; for example, determine according to the user access statistical model the probability that the user will access the target system during a DDoS attack, and when the user is judged to be a legitimate user according to that probability, obtain the corresponding user identification information from the service flow of the user's access to the target system. In step 2, priority information corresponding to the user identification information can also be generated dynamically, for example by determining the user's priority information according to the probability predicted by the user access statistical model.
Step 3: store the dynamically generated user identification information in the user whitelist.
If priority information corresponding to the user identification information was dynamically generated in step 2, then in step 3 the dynamically generated user identification information and priority information can be stored in the user whitelist.
When service flow identification is needed, go to step 4: extract the user identification information from the service flow, for example the source IP address.
Step 5: compare the user identification information extracted from the service flow with the user identification information in the user whitelist; if the extracted user identification information matches user identification information in the user whitelist, go to step 6; otherwise go to step 7.
Step 6: confirm that the service flow was sent by a legitimate user and output information that the service flow is a legitimate service flow. If the user whitelist includes priority information, step 6 can also output the priority information corresponding to this legitimate service flow together with the information that it is a legitimate service flow.
Step 7: confirm that the service flow was sent by an illegitimate user and output information that the service flow is an illegitimate service flow.
The DDoS attack defense method provided by an embodiment of the present invention is described below with reference to the accompanying drawings.
The DDoS attack defense method provided by an embodiment of the present invention is shown in Fig. 2.
In Fig. 2, step 1: set the user access statistical model. A simple user access statistical model may be, for example, that the user has accessed the target system according to the historical access records, or that the user has accessed the target system a predetermined number of times according to the historical access records. These are only two examples of a very simple user access statistical model; the model can take many forms.
Step 2: detect users' access to the target system from the service flows they send, and dynamically generate user identification information and corresponding priority information according to the user access statistical model. For example, determine according to the user access statistical model the probability that the user will access the target system during a DDoS attack; when the user is judged to be a legitimate user according to that probability, obtain the corresponding user identification information from the service flow of the user's access to the target system, and determine the user's priority information according to the probability.
Step 3: store the dynamically generated user identification information and priority information in the user whitelist.
Step 4: detect service traffic and judge according to the service traffic detection result whether a DDoS attack has occurred; if a DDoS attack has occurred, go to step 5; if not, continue the service traffic detection process.
Step 5: extract the user identification information from the service flow, for example the source IP address.
Step 6: compare the user identification information extracted from the service flow with the user identification information in the user whitelist; if the extracted user identification information matches user identification information in the user whitelist, go to step 7; otherwise go to step 8.
Step 7: confirm that the service flow was sent by a legitimate user, and allow subsequent normal processing operations on the service flow according to its corresponding priority information.
Step 8: confirm that the service flow was sent by an illegitimate user, refuse subsequent normal processing operations on the service flow, and discard it.
In the above description of Fig. 2, there need not be any ordering between steps 2 and 3 on the one hand and step 4 on the other: steps 2 and 3 are executed independently of step 4, and step 4 is executed independently of steps 2 and 3. Embodiments of the present invention can also continue detecting service traffic after a DDoS attack has been detected, and after determining from the service traffic detection result that the DDoS attack has ended, stop executing steps 5 to 8 and continue executing steps 2 and 3. This flow is only illustrative; concrete implementations can vary and are not enumerated one by one here.
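The following added example implements the two procedures of Fig. 1 and Fig. 2 end to end; it is not the patent's code. It assumes the second of the two simple models the text names (a user counts as legitimate if the historical records show at least a predetermined number of accesses), assumes the priority is the access count normalised to the busiest recorded user, and stands in a plain flow-count threshold for the attack detector that the text leaves open. All names, thresholds and sample data are constructed for the example.

```python
"""Whitelist-based service flow identification with priority-aware DDoS
handling, following the steps of Fig. 1 and Fig. 2. Added illustration, not
the patent's code: the count-based access model, the priority formula, the
threshold detector and all names are assumptions."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input: source IP addresses from the target system's
# historical access records, one entry per recorded access (pre-attack).
HISTORY: List[str] = [
    "10.0.0.5", "10.0.0.5", "10.0.0.5", "10.0.0.5",
    "10.0.0.7", "10.0.0.7",
    "10.0.0.9",
]

# Constructed sample input: flows arriving in one observation window during
# an attack; the 198.51.100.x / 203.0.113.x sources never appear in HISTORY.
FLOWS: List[dict] = [
    {"src": "10.0.0.5", "req": "GET /account"},
    {"src": "198.51.100.1", "req": "GET /"},
    {"src": "10.0.0.7", "req": "GET /"},
    {"src": "203.0.113.2", "req": "GET /"},
    {"src": "10.0.0.9", "req": "GET /"},
    {"src": "203.0.113.3", "req": "GET /"},
]


def build_whitelist(history: List[str], min_accesses: int) -> Dict[str, float]:
    """Steps 1-3: user access statistical model plus whitelist storage.
    Model (assumed): a source is predicted to be a legitimate user if it
    accessed the target at least `min_accesses` times in the history.
    Priority (assumed): access count normalised to the busiest source, so
    values lie in (0, 1]."""
    counts = Counter(history)
    busiest = max(counts.values(), default=0)
    return {ip: n / busiest for ip, n in counts.items() if n >= min_accesses}


def extract_user_id(flow: dict) -> str:
    """Step 4 (Fig. 1) / step 5 (Fig. 2): this whitelist stores source IP
    addresses, so the source IP address is what is extracted."""
    return flow["src"]


def identify(flow: dict, whitelist: Dict[str, float]) -> Tuple[bool, float]:
    """Steps 5-7 of Fig. 1: match the extracted identifier against the
    whitelist. Returns (is_legitimate, priority); non-matching flows get 0.0."""
    uid = extract_user_id(flow)
    if uid in whitelist:
        return True, whitelist[uid]
    return False, 0.0


def attack_detected(flows: List[dict], flow_threshold: int) -> bool:
    """Step 4 of Fig. 2: the patent leaves the detector open; this stand-in
    declares an attack when the flows in the window exceed a fixed threshold."""
    return len(flows) > flow_threshold


def defend(flows: List[dict], whitelist: Dict[str, float],
           flow_threshold: int, capacity: int) -> Tuple[List[dict], List[dict]]:
    """Steps 4-8 of Fig. 2. Outside an attack every flow gets normal
    processing. During an attack, non-matching flows are discarded and
    matching flows are admitted in descending priority; if the legitimate
    flows alone exceed `capacity`, the lowest-priority ones are shed too.
    Returns (admitted, dropped), each in processing order."""
    if not attack_detected(flows, flow_threshold):
        return list(flows), []
    legitimate: List[Tuple[float, dict]] = []
    dropped: List[dict] = []
    for flow in flows:
        ok, prio = identify(flow, whitelist)
        if ok:
            legitimate.append((prio, flow))
        else:
            dropped.append(flow)
    legitimate.sort(key=lambda item: item[0], reverse=True)  # stable sort
    admitted = [flow for _, flow in legitimate[:capacity]]
    dropped += [flow for _, flow in legitimate[capacity:]]
    return admitted, dropped


if __name__ == "__main__":
    wl = build_whitelist(HISTORY, min_accesses=2)
    print("whitelist:", wl)
    for cap in (10, 1):
        admitted, dropped = defend(FLOWS, wl, flow_threshold=3, capacity=cap)
        print(f"capacity={cap}: admitted={[f['src'] for f in admitted]} "
              f"dropped={[f['src'] for f in dropped]}")
```

With `min_accesses=2`, 10.0.0.9 (one historical access) is left off the whitelist and is dropped during an attack even though it is not a zombie; that is the false-negative cost of a count-based model, which the priority ordering does not fix. Lowering the threshold trades it against admitting more unknown sources, which is why the text leaves the model itself to the operator.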
The Business Stream recognition device that embodiment of the present invention is provided describes below.
The Business Stream recognition device that embodiment of the present invention provides comprises: first module, second module and three module.
First module is mainly used in and detects the visit of user to goal systems, and the visit of goal systems and preset user visit statistical model dynamically being generated user totem information according to detected user, the user totem information that first module will dynamically generate is stored to second module.And first module can also dynamically generate user totem information corresponding priorities information to the visit of goal systems and preset user visit statistical model according to detected user, and the precedence information that will dynamically generate is stored to second module.For example, first module is at the probability that dopes this user possibility access destination system in the ddos attack process according to the user capture statistical model, and go out this user when the validated user according to the probabilistic determination of determining, from the Business Stream of this user capture goal systems, obtain the relative users identification information, and determine this user's precedence information then user totem information and precedence information to be stored to second module according to the probability of determining.
Second module is mainly used in the user totem information that receives the output of first module, and is stored as the user ID set.The user totem information set of storing in second module can be called user's white list.And when first module transmits user ID corresponding priorities information, can also comprise user totem information corresponding priorities information in user's white list of storing in second module.
Three module is mainly used in the user totem information that extracts in the Business Stream, the user totem information of storing in the user totem information that extracts and second module is compared, whether mate with the user totem information in definite Business Stream and the user totem information of second module stores; When the user totem information of the user totem information in judging Business Stream and second module stores mates, determine whether this Business Stream is legitimate traffic stream, and outgoing traffic stream is the judged result information of legitimate traffic stream, when storing user ID corresponding priorities information in second module, three module can also be exported this legitimate traffic stream corresponding priorities information; When the user totem information of the user totem information in judging Business Stream and second module stores does not match, determine that this Business Stream is an illegal service stream, and outgoing traffic stream is the judged result information of illegal service stream.
The DDoS attack defense system provided by the embodiment of the present invention is described below.
The DDoS attack defense system provided by the embodiment of the present invention comprises: a first module, a second module, a third module, a fourth module and a fifth module.
The first module is mainly used to detect user access to the target system and, according to the detected user access to the target system and a preset user access statistical model, to dynamically generate user identification information, or to dynamically generate user identification information together with the priority information corresponding to it. The first module then stores the user identification information, or the user identification information and the priority information, in the second module. For example, the first module predicts, according to the user access statistical model, the probability that a given user will access the target system during a DDoS attack; when it determines from that probability that the user is a legitimate user, it obtains the corresponding user identification information from the service flow in which this user accesses the target system, determines the user's priority information according to the probability, and then stores the user identification information and the priority information in the second module.
The first module may consist of a storage submodule, a detection submodule and a first dynamic submodule, or of a storage submodule, a detection submodule, a first dynamic submodule and a second dynamic submodule.
The storage submodule is mainly used to store the user access statistical model.
The detection submodule is mainly used to detect the access situation of users to the target system and, according to the detected user access situation and the user access statistical model stored in the storage submodule, to predict the probability that a given user will access the target system during a DDoS attack, and to output this probability information.
When the first dynamic submodule judges, according to the probability information output by the detection submodule, that the user is a legitimate user, it obtains the corresponding user identification information from the service flow in which this user accesses the target system and then stores the user identification information in the second module. The first dynamic submodule may also, when it determines that the user is an illegitimate user, obtain the corresponding user identification information from the service flow in which this user accesses the target system and store that user identification information in the second module.
The second dynamic submodule is mainly used to determine the priority information corresponding to the user according to the probability information output by the detection submodule, and to transfer the priority information to the second module for storage. The second dynamic submodule may determine and output the user's priority information when the first dynamic submodule judges that the user is a legitimate user; alternatively, the second dynamic submodule may directly judge, according to a probability threshold stored internally, whether priority information needs to be determined, and when it judges from the probability threshold that it does, determine and output the priority information corresponding to the user.
The second module is mainly used to receive and store the user identification information and priority information transmitted by the first module; for example, the second module receives and stores the user identification information transmitted by the first dynamic submodule, and receives and stores the priority information transmitted by the second dynamic submodule. The user identification information and priority information stored in the second module may be called the user whitelist. When the stored user identification information is that of users judged to be illegitimate, the information stored in the second module may instead be called a user blacklist.
The third module is mainly used to extract the user identification information from a service flow and compare the extracted user identification information with the user identification information stored in the second module, so as to determine whether the user identification information in the service flow matches the user identification information stored in the second module. When it judges that the user identification information in the service flow matches the user identification information stored in the second module, it determines that the service flow is a legitimate service flow and outputs judgment result information indicating that the service flow is legitimate; when priority information corresponding to the user identification is stored in the second module, the third module can also output the priority information corresponding to this legitimate service flow. When it judges that they do not match, it determines that the service flow is an illegitimate service flow and outputs judgment result information indicating that the service flow is illegitimate.
The third module can start the operation of extracting the user identification information from the service flow, and the subsequent comparison, according to a notification from the fifth module. Of course, when the system does not include the fifth module, the third module can start the extraction and subsequent comparison in other ways, such as manual configuration.
The fourth module is mainly used to receive the judgment result information output by the third module indicating whether the service flow is legitimate. When the judgment result information output by the third module indicates a legitimate service flow, the fourth module permits subsequent normal processing of this service flow, for example allowing the service flow to continue to be transmitted; when the judgment result information output by the third module indicates an illegitimate service flow, the fourth module refuses subsequent normal processing of this service flow, for example prohibiting its continued transmission or discarding it. When the information output by the third module includes priority information, the fourth module should, when permitting subsequent normal processing of the service flow, carry out that processing according to the priority corresponding to the service flow; for example, according to the priority information of each legitimate service flow, the fourth module allows the service flows to continue to be transmitted in order from high priority to low priority.
The fifth module is mainly used to detect the service traffic and judge the service traffic detection result; when it determines, according to the service traffic detection result, that a DDoS attack has appeared, it notifies the third module to extract user identification information from the service flow. After determining from the service traffic detection result that a DDoS attack has appeared, the fifth module can continue to detect the service traffic and judge the detection result; when it determines from the service traffic detection result that the DDoS attack has disappeared, it notifies the third module to stop extracting user identification information from the service flow. On receiving the stop notification, the third module can stop the extraction, judgment and subsequent processing operations. In the system embodiment of the present invention, the fifth module may be an optional module.
The system provided by the embodiment of the present invention may serve one target system or a plurality of target systems. That is, the system provided by the embodiment of the present invention may provide DDoS attack defense for a single target system, or for a plurality of target systems simultaneously. When the system provides DDoS attack defense for a single target system, it may be a front-end system of that target system, and may be set up independently of the target system or arranged within the target system.
The DDoS attack defense system provided by the embodiment of the present invention is described below with reference to the accompanying drawings.
Fig. 3 shows the DDoS attack defense system provided by the embodiment of the present invention.
The system in Fig. 3 comprises: a DDoS detection module, a packet filtering device, a user whitelist and priority module, and a user access statistical model module. The DDoS detection module is the fifth module described above. The packet filtering device is the third module and fourth module described above. The user whitelist and priority module is the second module described above. The user access statistical model module is the first module described above.
The packet filtering device is mainly used to filter the service flows attempting to access the service system, that is, to filter packets. The packet filtering device can filter based on the information stored in the user whitelist and priority module. For example, the packet filtering device filters packets according to the source IP address in the packet and the IP addresses in the user whitelist and priority module. The service system here is the target system described above.
The information stored in the user whitelist and priority module is a user whitelist that includes priority information. The user identification information and priority information stored in the user whitelist and priority module can exist in the form of table entries. The user whitelist and priority entries record the user identification information of users that may access the service system and the priority information corresponding to each item of user identification information.
The above user whitelist and priority entries are maintained by the user access statistical model module. During DDoS attack defense, the user whitelist and priority entries are provided to the packet filtering device for lookup.
The user access statistical model module is mainly used, under normal conditions, to establish and maintain the user whitelist and priority entries according to the users' access situation to the service system. The entries established and maintained by the user access statistical model module express, in terms of the user access statistical model, the user identification information and priority information of users that are allowed to access the service system while it is under DDoS attack. If an item of user identification information corresponds to a high priority, this can indicate that a user who frequently accesses the service system under normal conditions (when not under DDoS attack) may access the service system without any restriction while it is under DDoS attack. If an item of user identification information corresponds to a low priority, this can indicate that a user who only occasionally accesses the service system under normal conditions needs restricted access to the service system while it is under DDoS attack.
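As an added example (not code from the patent or from Huawei), the following Python builds the user whitelist and priority entries from access records observed under normal conditions, in the role of the first module described earlier (storage submodule, detection submodule, first and second dynamic submodules) and of the user access statistical model module above. The patent does not specify the statistical model, the probability threshold or the priority tiers; the model used here (the fraction of days in an observation window on which a source IP accessed the system), the constants `P_WHITELIST` and `PRIORITY_TIERS`, and the sample access log are all assumptions chosen for illustration.

```python
"""Added example: user access statistical model producing a whitelist with priorities.
Not the patent's code; the model, thresholds and sample log are assumptions."""
from dataclasses import dataclass

# Constructed sample of (source IP, day index) access records observed under
# normal (not under attack) conditions over a 30-day window.
NORMAL_ACCESS_LOG = (
    [("198.51.100.10", d) for d in range(30)]          # accesses every day
    + [("198.51.100.20", d) for d in range(0, 30, 3)]  # every third day
    + [("198.51.100.30", 4), ("198.51.100.30", 19)]    # occasional visitor
    + [("203.0.113.99", 27)]                           # seen once
)

WINDOW_DAYS = 30
# Assumed thresholds: a source is whitelisted when its predicted access
# probability reaches P_WHITELIST; the priority tier is read off the probability.
P_WHITELIST = 0.05
PRIORITY_TIERS = ((0.8, 3), (0.3, 2), (0.0, 1))  # (minimum probability, priority)


@dataclass(frozen=True)
class WhitelistEntry:
    user_id: str        # user identification information (source IP here)
    priority: int       # higher values are served first while under attack
    probability: float  # predicted probability of access during an attack


def build_model(log, window_days=WINDOW_DAYS):
    """Storage submodule: per-source fraction of days with at least one access."""
    days_seen = {}
    for src, day in log:
        days_seen.setdefault(src, set()).add(day)
    return {src: len(days) / window_days for src, days in days_seen.items()}


def access_probability(model, user_id):
    """Detection submodule: predicted probability that user_id accesses the
    target system during an attack, taken here (an assumption) to equal its
    historical access frequency under normal conditions."""
    return model.get(user_id, 0.0)


def priority_for(probability):
    """Second dynamic submodule: map a probability to a priority tier."""
    for floor, prio in PRIORITY_TIERS:
        if probability >= floor:
            return prio
    return 0


def build_whitelist(log):
    """First dynamic submodule: emit a whitelist entry, with priority, for every
    source whose predicted probability clears the whitelist threshold."""
    model = build_model(log)
    entries = {}
    for user_id in model:
        p = access_probability(model, user_id)
        if p >= P_WHITELIST:
            entries[user_id] = WhitelistEntry(user_id, priority_for(p), p)
    return entries


if __name__ == "__main__":
    for entry in sorted(build_whitelist(NORMAL_ACCESS_LOG).values(),
                        key=lambda e: -e.priority):
        print(f"{entry.user_id:16} priority={entry.priority} p={entry.probability:.2f}")
```

With the sample log, the daily visitor lands in the top tier, the every-third-day visitor in the middle tier, the occasional visitor in the lowest tier, and the source seen once falls below the threshold and is not whitelisted. Note that this model, like the patent's description, identifies users by source IP alone; a source that merely sends traffic during the observation window earns an entry, so the observation window must be one in which the system is believed not to be under attack.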
The DDoS attack detection module is mainly used to detect the service traffic of the service system so as to determine whether the service system is currently under DDoS attack; after detecting that the service system is under DDoS attack, it notifies the packet filtering module, for example by sending a filtering instruction.
The workflow of the above defense system is described below separately for the normal state and the under-attack state.
In the normal state, the packet filtering module performs transparent forwarding, that is, it does not process the service flows in any way. The user access statistical model module detects the users' access situation to the service system and, according to the user access statistical model, dynamically generates a user access whitelist that includes the priority corresponding to each user. This whitelist with priorities can be used during a DDoS attack. The DDoS attack detection module continuously detects the service traffic of the service system to determine whether a DDoS attack appears.
In the under-attack state, the packet filtering module begins to extract the user identification information from the service flows and filters the service flows attempting to access the service system according to the filtering rules stated by the user whitelist and priority entries, so as to guarantee that the users in the user whitelist can access the service system in priority order. The user access statistical model module stops operating. The DDoS attack detection module continues to detect the service traffic to determine whether the DDoS attack has disappeared.
The switching between the above normal state and under-attack state is triggered by the DDoS attack detection module. That is, when the DDoS attack detection module detects that a DDoS attack against the service system has appeared, it triggers the packet filtering module so that the DDoS attack defense system enters the under-attack state; when the DDoS attack detection module detects that the DDoS attack against the service system has disappeared, it triggers the packet filtering module so that the DDoS attack defense system returns to the normal state.
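The following Python is an added example, not the patent's or Huawei's code, of the normal/under-attack workflow just described: a DDoS detection module (fifth module) that switches a packet filtering device (third and fourth modules) between transparent forwarding and whitelist-with-priority filtering. The patent does not say how the detection module decides that an attack has appeared or disappeared, so the packets-per-window thresholds in `DDoSDetector`, the `Packet` layout, the whitelist contents in `WHITELIST` and the constructed traffic windows are all assumptions for illustration.

```python
"""Added example: packet filtering device driven by a DDoS detection module.
Not the patent's code; detector thresholds, whitelist and traffic are assumptions."""
from dataclasses import dataclass
from enum import Enum

# Assumed user whitelist and priority entries (output of the statistical model module).
WHITELIST = {"198.51.100.10": 3, "198.51.100.20": 2, "198.51.100.30": 1}


@dataclass(frozen=True)
class Packet:
    src_ip: str  # user identification information extracted from the packet
    seq: int     # arrival order, kept so that service order is deterministic


class State(Enum):
    NORMAL = "normal"
    UNDER_ATTACK = "under_attack"


class DDoSDetector:
    """Fifth module (assumed rate-based detector): declares an attack when the
    packets seen in one window exceed attack_pps, clears it below clear_pps.
    The gap between the two thresholds avoids flapping around a single value."""

    def __init__(self, attack_pps=50, clear_pps=20):
        self.attack_pps, self.clear_pps = attack_pps, clear_pps
        self.state = State.NORMAL

    def observe(self, packets_in_window):
        n = len(packets_in_window)
        if self.state is State.NORMAL and n > self.attack_pps:
            self.state = State.UNDER_ATTACK
        elif self.state is State.UNDER_ATTACK and n < self.clear_pps:
            self.state = State.NORMAL
        return self.state


class PacketFilter:
    """Third and fourth modules: transparent in NORMAL, whitelist filtering under attack."""

    def __init__(self, whitelist):
        self.whitelist = whitelist

    def classify(self, pkt):
        """Third module: match the extracted identifier against the whitelist.
        Returns (is_legitimate, priority); priority is None for non-matches."""
        prio = self.whitelist.get(pkt.src_ip)
        return (prio is not None, prio)

    def process(self, packets, state):
        """Fourth module: returns (forwarded packets in service order, dropped packets)."""
        if state is State.NORMAL:
            return list(packets), []          # transparent forwarding
        forwarded, dropped = [], []
        for pkt in packets:
            legit, prio = self.classify(pkt)
            (forwarded if legit else dropped).append((prio, pkt))
        # Highest priority is served first; arrival order breaks ties.
        forwarded.sort(key=lambda t: (-t[0], t[1].seq))
        return [p for _, p in forwarded], [p for _, p in dropped]


def run_window(detector, pfilter, packets):
    """One detection window: the detector updates the state, then the filter applies it."""
    state = detector.observe(packets)
    return state, pfilter.process(packets, state)


# Constructed traffic: a quiet window, a flood from many sources, then quiet again.
QUIET = [Packet("198.51.100.10", 0), Packet("203.0.113.99", 1), Packet("198.51.100.30", 2)]
FLOOD = [Packet(f"192.0.2.{i}", i) for i in range(100)] + [
    Packet("198.51.100.30", 100), Packet("198.51.100.10", 101),
    Packet("203.0.113.99", 102), Packet("198.51.100.20", 103)]


def demo():
    """Runs QUIET, FLOOD, QUIET through one detector/filter pair and returns, per
    window, (state name, forwarded source IPs in service order, dropped count)."""
    det, flt = DDoSDetector(), PacketFilter(WHITELIST)
    out = []
    for window in (QUIET, FLOOD, QUIET):
        state, (fwd, dropped) = run_window(det, flt, window)
        out.append((state.value, [p.src_ip for p in fwd], len(dropped)))
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In the quiet window every packet passes untouched; in the flood the three whitelisted sources are forwarded in priority order and all other sources, including the unlisted but benign 203.0.113.99, are dropped, which is the trade-off the priority entries are meant to soften; once traffic falls below the clearing threshold the filter returns to transparent forwarding. Because the match is on source IP only, the example assumes that spoofed source addresses have already been rejected upstream (for example by requiring a completed TCP handshake); the patent does not address that step.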
The user access statistical model module described above can be integrated in the service system. The DDoS attack detection module can be co-located with the packet filtering device in the same device, and the DDoS attack detection module, the packet filtering device, and the user whitelist and priority module can also all be co-located in the same device.
The apparatus provided by the embodiment of the present invention is described below.
The apparatus provided by the embodiment of the present invention comprises a first module and a second module. The first module may consist of a storage submodule, a detection submodule and a first dynamic submodule, or of a storage submodule, a detection submodule, a first dynamic submodule and a second dynamic submodule. The operations performed by each of the above modules and submodules are as described in the above embodiments and are not repeated here.
The apparatus provided by the embodiment of the present invention may be a device that needs to generate a user whitelist and/or blacklist, such as a server of the service system.
The embodiment of the present invention dynamically generates user identification information by using the user access statistical model, which makes the user identification information easy to maintain and allows the generated user identification information to identify legitimate users as accurately as possible; therefore, when the dynamically generated user identification information is used to distinguish legitimate service flows from illegitimate service flows, the accuracy of identifying legitimate service flows is improved. Because the embodiment of the present invention can accurately identify legitimate service flows, it can effectively prevent the distributed denial-of-service attack brought by illegitimate service flows. That is, the embodiment of the present invention defends against distributed denial-of-service attacks through the linkage of the user access model and packet filtering, which avoids the victim losing legitimate service flows and improves the defense capability of the distributed denial-of-service attack defense system.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art will appreciate that the present invention has many modifications and variations that do not depart from its spirit, and the claims of the present application are intended to cover these modifications and variations.

Claims (11)

1. A service flow recognition method, characterized in that the method comprises:
detecting user access to a target system;
dynamically generating a user identification information set according to the detected user access to the target system and a preset user access statistical model;
extracting user identification information from a service flow;
comparing the extracted user identification information with the user identification information in the set, to determine whether the extracted user identification information matches user identification information in the set;
determining, according to the comparison result of whether they match, whether the service flow is a legitimate service flow.
2. A distributed denial-of-service attack defense method, characterized in that the method comprises:
detecting user access to a target system;
dynamically generating a user identification information set according to the detected user access to the target system and a preset user access statistical model;
extracting user identification information from a service flow;
comparing the extracted user identification information with the user identification information in the set, to determine whether the extracted user identification information matches user identification information in the set;
determining, according to the comparison result of whether they match, whether the service flow is a legitimate service flow;
permitting subsequent normal processing of the service flow determined to be legitimate, and refusing subsequent normal processing of the service flow determined to be illegitimate.
3. The method according to claim 2, characterized in that the step of extracting user identification information from the service flow comprises:
detecting service traffic, and extracting the user identification information from the service flow when it is determined, according to the service traffic detection result, that a distributed denial-of-service attack has appeared.
4. The method according to claim 2 or 3, characterized in that the method further comprises:
dynamically generating priority information corresponding to the user identification information according to the detected user access to the target system and the preset user access statistical model;
and the step of permitting subsequent normal processing of the service flow determined to be legitimate comprises: determining the priority information corresponding to the user identification information of the legitimate service flow, and permitting subsequent normal processing of the legitimate service flow according to the determined priority information.
5. A service flow recognition apparatus, characterized in that the apparatus comprises:
a first module, used to detect user access to a target system, to dynamically generate user identification information according to the detected user access to the target system and a preset user access statistical model, and to output it;
a second module, used to receive the user identification information output by the first module and store it as a user identification information set;
a third module, used to extract user identification information from a service flow, compare the extracted user identification information with the user identification information stored in the second module to determine whether the user identification information in the service flow matches the user identification information stored in the second module, judge according to the comparison result whether the service flow is a legitimate service flow, and output judgment result information indicating whether the service flow is a legitimate service flow.
6. A distributed denial-of-service attack defense system, characterized in that the system comprises:
a first module, used to detect user access to a target system, to dynamically generate user identification information according to the detected user access to the target system and a preset user access statistical model, and to output it;
a second module, used to receive the user identification information output by the first module and store it as a user identification information set;
a third module, used to extract user identification information from a service flow, compare the extracted user identification information with the user identification information stored in the second module to determine whether the user identification information in the service flow matches the user identification information stored in the second module, judge according to the comparison result whether the service flow is a legitimate service flow, and output judgment result information indicating whether the service flow is a legitimate service flow;
a fourth module, used to receive the judgment result information output by the third module indicating whether the service flow is legitimate, to permit subsequent normal processing of the service flow determined to be legitimate, and to refuse subsequent normal processing of the service flow determined to be illegitimate.
7. The system according to claim 6, characterized in that the system further comprises:
a fifth module, used to detect service traffic and, when it is determined according to the service traffic detection result that a distributed denial-of-service attack has appeared, to notify the third module to extract user identification information from the service flow.
8. The system according to claim 6 or 7, characterized in that the first module comprises:
a storage submodule, used to store the user access statistical model;
a detection submodule, used to detect user access to the target system and to determine the probability of the user accessing the target system according to the detected user access information and the user access statistical model stored in the storage submodule;
a first dynamic submodule, used to obtain user identification information from the service flow in which the user accesses the target system when it determines, according to the probability determined by the detection submodule, that this is needed, and to output it;
a second dynamic submodule, used to dynamically generate priority information corresponding to the user identification information according to the probability determined by the detection submodule, and to output it;
the priority information being stored by the second module;
and when the fourth module permits subsequent normal processing of the service flow determined to be legitimate, it determines the priority corresponding to the user identification information of the legitimate service flow according to the information stored in the second module, and permits subsequent normal processing of the legitimate service flow according to the determined priority.
9. The system according to claim 6 or 7, characterized in that the first module is arranged in the target system, or the first module is set up independently of the target system, or the first module and the second module are arranged in the target system, or the first module and the second module are set up independently of the target system.
10. The system according to claim 6 or 7, characterized in that the distributed denial-of-service attack defense system corresponds to one target system or to a plurality of target systems.
11. An apparatus, characterized in that the apparatus comprises:
a first module, used to detect user access to a target system, to dynamically generate user identification information according to the detected user access to the target system and a preset user access statistical model, and to output it;
a second module, used to receive the user identification information output by the first module and store it as a user identification information set.
CNA2007100988798A 2007-04-28 2007-04-28 Service flow recognition method, apparatus and method and system for defending distributed refuse attack Pending CN101039326A (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CNA2007100988798A CN101039326A (en) 2007-04-28 2007-04-28 Service flow recognition method, apparatus and method and system for defending distributed refuse attack
CN2007101387844A CN101136922B (en) 2007-04-28 2007-08-20 Service stream recognizing method, device and distributed refusal service attack defending method, system
EP08715357A EP2136526A4 (en) 2007-04-28 2008-03-28 Method, device for identifying service flows and method, system for protecting against a denial of service attack
PCT/CN2008/070621 WO2008131667A1 (en) 2007-04-28 2008-03-28 Method, device for identifying service flows and method, system for protecting against a denial of service attack
US12/607,854 US20100095351A1 (en) 2007-04-28 2009-10-28 Method, device for identifying service flows and method, system for protecting against deny of service attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2007100988798A CN101039326A (en) 2007-04-28 2007-04-28 Service flow recognition method, apparatus and method and system for defending distributed refuse attack

Publications (1)

Publication Number Publication Date
CN101039326A true CN101039326A (en) 2007-09-19

Family

ID=38889958

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007100988798A Pending CN101039326A (en) 2007-04-28 2007-04-28 Service flow recognition method, apparatus and method and system for defending distributed refuse attack

Country Status (1)

Country Link
CN (1) CN101039326A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008131667A1 (en) * 2007-04-28 2008-11-06 Huawei Technologies Co., Ltd. Method, device for identifying service flows and method, system for protecting against a denial of service attack
CN102263788A (en) * 2011-07-14 2011-11-30 百度在线网络技术(北京)有限公司 Method and equipment for defending against denial of service (DDoS) attack to multi-service system
CN102263788B (en) * 2011-07-14 2014-06-04 百度在线网络技术(北京)有限公司 Method and equipment for defending against denial of service (DDoS) attack to multi-service system
CN103139246B (en) * 2011-11-25 2016-06-15 百度在线网络技术(北京)有限公司 Load balancing equipment and load balancing and defence method
CN103139246A (en) * 2011-11-25 2013-06-05 百度在线网络技术(北京)有限公司 Load balancing device and load balancing and defending method
CN103248472A (en) * 2013-04-16 2013-08-14 华为技术有限公司 Operation request processing method and system and attack identification device
CN105302839A (en) * 2014-07-31 2016-02-03 腾讯科技(深圳)有限公司 File filtration method and system
CN105450619A (en) * 2014-09-28 2016-03-30 腾讯科技(深圳)有限公司 Method, device and system of protection of hostile attacks
CN105991587A (en) * 2015-02-13 2016-10-05 ***通信集团山西有限公司 Intrusion detection method and system
CN105991587B (en) * 2015-02-13 2019-10-15 ***通信集团山西有限公司 A kind of intrusion detection method and system
CN107483425A (en) * 2017-08-08 2017-12-15 北京盛华安信息技术有限公司 Composite attack detection method based on attack chain
CN110636508A (en) * 2018-06-25 2019-12-31 ***通信有限公司研究院 Method for controlling denial of service Detach and network equipment
CN109005175A (en) * 2018-08-07 2018-12-14 腾讯科技(深圳)有限公司 Network protection method, apparatus, server and storage medium
CN109040121A (en) * 2018-09-14 2018-12-18 中国铁路总公司 The means of defence of distributed denial of service attack based on RSSP-II agreement

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication