CN103746987B - Method and system for detecting DoS attack in semantic Web application - Google Patents
- Publication number: CN103746987B
- Authority: CN (China)
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention provides a method and a system for detecting DoS attacks in semantic Web applications. The method comprises the following steps: by means of RDF (Resource Description Framework) statement reification, the access behavior features of an access subject accessing an access object in an access control domain are reified, and the reified access behavior features are recorded in an access history ontology base; based on the history ontology base, the access behavior features of the access subject, of the access object and of the access control domain are learned respectively, and the three classes of learning thresholds are counted and recorded; the policy thresholds of the corresponding DoS attack detection policy rules are determined from the three classes of learning thresholds; DoS attack behavior occurring in the access control domain is then detected according to the policy thresholds. The method and system solve the problem that current DoS detection and defense mechanisms on the one hand do not support semantic Web technology and on the other hand do not support detection of and defense against novel DoS attack behavior launched by exploiting the security defects of semantic Web technology itself.
Description
Technical field
The present invention relates to the technical field of network security and, more specifically, to a method and system for detecting DoS attacks in semantic Web applications.
Background
The existing Internet is a collection of web pages. The semantic Web is a term defined for the next stage of development of computers and the Internet; its basic meaning is to establish connections between arbitrarily small pieces of data over the network.
By annotating the semantics of Web resources with formal, machine-accessible semantic Web languages, the semantic Web ultimately lets machines do more of the work in place of people, achieving automatic discovery, automatic integration, sharing and reuse of different Web resources on the Internet and supporting trusted interaction over the Internet. With the publication of semantic Web technologies and related standards and the maturing of the technology, applications based on semantic Web technologies have begun to emerge.
Current semantic Web standards concentrate mainly on data operations and the representation of metadata; on the security side they use only the traditional XML digital signature and encryption standards. Research on security defense for the semantic Web therefore clearly lags behind the development of metadata description and data interoperability.
However, at a time when denial-of-service and distributed denial-of-service network attacks keep intensifying, traditional network devices and perimeter security devices do not have complete denial-of-service defense capability. With security defense clearly lagging behind the development of metadata description and data interoperability, the semantic Web is easily exploited by malicious attackers. Consider, for example, the following SPARQL (Simple Protocol and RDF Query Language) query:
The purpose of this query is to traverse the entire ontology knowledge base; for a distributed knowledge model such as the semantic Web, such a query is clearly meaningless. Although only one session request is initiated, it is enough to exhaust the resources of the whole server and network, affecting the access requests of normal users and resulting in a DoS attack.
Although some open SPARQL query endpoints, such as the one provided by the DBpedia semantic knowledge base, currently give no response to a SPARQL query like the one above, a SPARQL query based on graph pattern matching can be rewritten in many forms. For example, the SPARQL query above can be transformed into the following form:
This is only one possible transformation of the SPARQL query; many similar transformations exist. Even if an element of the triple is restricted, the amount of data in the query result is still surprisingly large, and the query services offered by many semantic knowledge bases neither check for nor restrict this.
Although checking the graph patterns of SPARQL queries can reveal some improper or malicious queries, such checking is far from sufficient. It cannot uncover the large number of disguised malicious access behaviors, such as queries that keep dynamically changing the identity of the access subject or the access target.
Because traditional DoS attack detection and defense mechanisms do not support semantic Web technologies, nor the detection of new attack behavior launched by exploiting the security defects of semantic Web technology itself, they cannot identify the malicious queries described above. Current access control mechanisms based on semantic Web technologies do support the relevant semantic Web technical standards, but they are used only to solve the security problems caused by inference and the policy consistency problems that traditional access control mechanisms cannot defend against in a semantic Web environment. They provide no DoS attack detection function for the semantic Web environment and therefore cannot detect or defend against malicious access behavior by which an access subject mounts a DoS attack.
Summary of the invention
In view of the above problems, the object of the present invention is to provide a method and system for detecting DoS attacks in semantic Web applications, to solve the problem that current DoS attack detection and defense mechanisms do not support semantic Web technologies, and that access control mechanisms based on semantic Web technologies do not support detection of and defense against DoS attacks launched in a semantic Web environment by exploiting the security defects of semantic Web technology itself.
According to one aspect of the present invention, a method for detecting DoS attacks in a semantic Web application is provided, comprising:
in the semantic Web application, reifying, by means of RDF statement reification, the access behavior features of an access subject accessing an access object in an access control domain, and recording the reified access behavior features in an access history ontology base;
based on the access history ontology base, within a preset learning period, learning respectively the access behavior features of the access subject, the access behavior features of the access object, and the access behavior features occurring in the access control domain, counting the learning thresholds corresponding to the three classes of access behavior features, and recording the learning thresholds corresponding to the three classes of access behavior features in an attack detection ontology base;
based on the learning thresholds corresponding to the three classes of access behavior features recorded in the attack detection ontology base, determining respectively, by a policy threshold adjustment algorithm, the policy thresholds of the corresponding DoS attack detection policy rules; wherein the policy thresholds are recorded in the corresponding DoS attack detection policy rules, and the DoS attack detection policy rules are then saved in an attack detection rule base;
based on the determined policy thresholds of the corresponding DoS attack detection policy rules, detecting DoS attack behavior occurring in the access control domain.
Wherein, in the process of determining respectively, by the policy threshold adjustment algorithm, the policy thresholds of the corresponding DoS attack detection policy rules on the basis of the learning thresholds corresponding to the three classes of access behavior features recorded in the attack detection ontology base,
the configured policy threshold is replaced by the learning threshold corresponding to the three classes of access behavior features, which becomes the policy threshold of the corresponding DoS attack detection policy rule; or,
the greater of the learning threshold corresponding to the three classes of access behavior features and the configured policy threshold is taken as the policy threshold of the corresponding DoS attack detection policy rule; or,
based on the learning threshold corresponding to the three classes of access behavior features and the configured policy threshold, a weighted average is computed, and the weighted average result is used as the policy threshold of the corresponding DoS attack detection policy rule.
Wherein, in the process of detecting DoS attack behavior occurring in the access control domain, when DoS attack behavior is detected in the access control domain, the DoS attack behavior is defended against immediately. The defense process includes:
counting the number of times the same access subject accesses all access objects within a preset access cycle; wherein, when the counted number exceeds the determined policy threshold of the corresponding DoS attack detection policy rule, the access behavior of the access subject is forbidden and the access state of the access subject is recorded;
counting the number of times the same access object is accessed by all access subjects within the preset access cycle; wherein, when the counted number exceeds the determined policy threshold of the corresponding DoS attack detection policy rule, access to the access object is forbidden and the accessed state of the access object is recorded;
counting, within the preset access cycle, the number of times all access objects in the access control domain are accessed by all access subjects; wherein, when the number of times all access objects are accessed is greater than or equal to the policy threshold of the corresponding DoS attack detection policy rule, the access requests of an access subject are denied, or the access rate of the access subject is limited, according to the state of the access subject.
In another aspect, the present invention also provides a system for detecting DoS attacks in a semantic Web application, comprising:
a reification unit, configured to reify, in the semantic Web application and by means of RDF statement reification, the access behavior features of an access subject accessing an access object in an access control domain, and to record the reified access behavior features in an access history ontology base;
a policy threshold unit, configured to learn, based on the access history ontology base and within a preset learning period, the access behavior features of the access subject, the access behavior features of the access object, and the access behavior features occurring in the access control domain, to count the learning thresholds corresponding to the three classes of access behavior features, and to record the learning thresholds corresponding to the three classes of access behavior features in an attack detection ontology base;
a policy threshold adjustment unit, configured to determine respectively, by a policy threshold adjustment algorithm and based on the learning thresholds corresponding to the three classes of access behavior features recorded in the attack detection ontology base, the policy thresholds of the corresponding DoS attack detection policy rules, wherein the policy thresholds are recorded in the corresponding DoS attack detection policy rules and the DoS attack detection policy rules are then saved in an attack detection rule base;
an attack detection unit, configured to detect, based on the determined policy thresholds of the corresponding DoS attack detection policy rules, DoS attack behavior occurring in the access control domain.
With the method and system for detecting DoS attacks in semantic Web applications according to the present invention, DoS attack behavior is detected and defended against by starting from the access behavior of the access subject. This shields semantic Web applications from DoS attacks introduced by the security defects of semantic Web technology itself and guarantees normal access for legitimate users. It also allows the rate of concurrent access requests initiated by access subjects in the access control domain to be limited, which preserves the query performance of the query engine and improves the access experience of legitimate users. At the same time, the access behavior features in the access control domain are self-learned and used as the policy thresholds of the attack detection subjects, which prevents situations in which illegitimate user access requests are let through or legitimate access requests are blocked.
To achieve the above and related objects, one or more aspects of the present invention include the features described in detail below and particularly pointed out in the claims. The following description and the accompanying drawings set out certain illustrative aspects of the present invention in detail. These aspects indicate, however, only some of the various ways in which the principles of the present invention may be used. Furthermore, the present invention is intended to include all such aspects and their equivalents.
Brief description of the drawings
Other objects and results of the present invention will become clearer and easier to understand from the following description taken together with the accompanying drawings and the content of the claims, and as the present invention is more fully understood. In the drawings:
Fig. 1 is a schematic flow diagram of the method for detecting DoS attacks in a semantic Web application according to an embodiment of the present invention;
Fig. 2 is a schematic flow diagram of DoS attack detection and defense with the access subject as the DoS attack detection subject, according to an embodiment of the present invention;
Fig. 3 is the logical structure of the system for detecting DoS attacks in a semantic Web application according to an embodiment of the present invention;
Fig. 4 is a schematic flow diagram of learning the access behavior features of an access subject according to an embodiment of the present invention.
The same reference numerals indicate similar or corresponding features or functions in all of the drawings.
Detailed description
Specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
The present invention addresses the aforementioned problem that current access control mechanisms based on semantic Web technologies provide no DoS detection function for the semantic Web environment and cannot detect or defend against malicious DoS attack behavior. The present invention reifies the access behavior of access subjects in the access control domain and records the reified access behavior in the access history ontology base; it then learns the access behavior features in the access control domain on the basis of this history ontology base, records the learning thresholds, and determines the policy thresholds of the DoS attack detection subjects; based on the determined policy thresholds, it performs DoS attack detection on the access behavior of access subjects. The present invention thereby solves the problem that current DoS detection and defense mechanisms on the one hand do not support semantic Web technologies and on the other hand do not support detection of and defense against new DoS attack behavior launched by exploiting the security defects of semantic Web technology itself; and the problem that current access control mechanisms based on semantic Web technologies, although they support the relevant semantic Web technical standards, provide no DoS attack detection function for the semantic Web environment and cannot detect or defend against malicious DoS attack behavior.
To illustrate the method for detecting DoS attacks in a semantic Web application provided by the present invention, Fig. 1 shows the flow of the method according to an embodiment of the present invention.
As shown in Fig. 1, the method for detecting DoS attacks in a semantic Web application provided by the present invention includes:
S110: in the semantic Web application, by means of RDF statement reification, the access behavior features of an access subject accessing an access object in the access control domain are reified, and the reified access behavior features are recorded in the access history ontology base.
It should be noted that, before the access behavior features of an access subject accessing an access object in the access control domain are reified, a semantic knowledge base is also built. This semantic knowledge base includes a domain knowledge base and an attack detection knowledge base built for detecting malicious DoS attack behavior. The attack detection knowledge base includes the access history ontology base, the attack detection ontology base and the attack detection rule base. The domain knowledge base stores the protected data, while the attack detection knowledge base stores the protective measures taken to protect the data in the domain knowledge base. The semantic knowledge base (including the access history ontology base, the attack detection ontology base and the attack detection rule base) is described with the RDF model and semantic Web description languages, and is stored using a data structure based on a graph model.
That is, the access history ontology base, the attack detection ontology base and the attack detection rule base are described with the RDF model and semantic Web description languages and stored using a data structure based on a graph model. The advantages of storing them in a graph-model data structure are described in detail after the DoS attack detection and defense process has been introduced.
Specifically, in a semantic knowledge base based on the RDF (Resource Description Framework) model, all resources (including property resources) have contextual semantic relations, and their basic unit is the triple, also called a statement. Within the same namespace (for example http://www.example.com/ontologies/2013/5/dso.owl#), the id of a resource (for example p0001a) is unique, but in itself it carries no meaning (although a recognizable name expressed in some language is sometimes used); it is machine-readable. The semantics of a resource are expressed by the contextual semantic relations associated with the resource: the richer the contextual semantic relations, the more accurate the semantic description of the resource. In one example of the present invention, the namespace of this semantic knowledge base is assumed to be ds.
By means of RDF statement reification, the access behavior features of an access subject accessing an access object in the access control domain are reified. For example, Zhang San enters a bookstore: Zhang San is the access subject, the bookstore is the access control domain, and Zhang San reading or buying books in the bookstore is the reified description of the access behavior feature "Zhang San entered the bookstore". The reified access behavior features include: access subject, access object, access operation, access time and access location.
When the access behavior features of an access subject accessing an access object are reified, the reification mainly covers the access operation on the access object, the access time and the access place (access location).
Specifically, in a semantic Web application, any content accessed by an access subject is a triple, such as Zhang San's identity information, Zhang San suffers from a certain disease, the doctor in charge of Zhang San, member of Li Si, etc. To record these access objects, the triples need to be reified. The access behavior information of an access subject in the access control domain can then be expressed as reified descriptions of these statements, and is likewise semantically expressed as metadata of triples.
For example, in one example of the present invention, the access objects "ds:hasdisease (ds:p0001a, ds:m.0c58k)" and "ds:owns (ds:p0001a, ds:pr_ Zhang San)" accessed by an access subject are reified as the access objects ah:triple0001a and ah:triple0001b respectively, where ah is the namespace of the access history ontology base. The access operation of the access subject, "ah:hasaccessed (ds:p0001b, ah:triple0001a)", is reified as the access object ah:triple0002a, and the other context information of this operation, including the access time, access location and so on, is recorded on this access object. Each recorded access time indicates that this access object was accessed once.
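The reification step described above, sketched as an added example (not code from the patent): each accessed triple becomes an `rdf:Statement` node, and the access operation on it is reified in turn so that access times can be attached. The generated node ids and the `ah:accessTime` and `ah:accessLocation` property names are assumptions, since the page does not name them.

```python
class AccessHistoryBase:
    """Minimal in-memory triple set standing in for the access history ontology base."""

    def __init__(self):
        self.triples = set()   # (subject, predicate, object) tuples
        self._nodes = {}       # reified statement -> node id

    def reify(self, s, p, o):
        """Return the node for statement p(s, o); on first use, add the
        four standard RDF reification triples that describe it."""
        key = (s, p, o)
        if key not in self._nodes:
            node = f"ah:triple{len(self._nodes) + 1:04d}"  # constructed id scheme
            self._nodes[key] = node
            self.triples.update({
                (node, "rdf:type", "rdf:Statement"),
                (node, "rdf:subject", s),
                (node, "rdf:predicate", p),
                (node, "rdf:object", o),
            })
        return self._nodes[key]

    def record_access(self, accessor, accessed_triple, when, where):
        """Record one access: reify the accessed triple into an access object,
        reify ah:hasaccessed(accessor, access object), attach the context."""
        access_object = self.reify(*accessed_triple)
        operation = self.reify(accessor, "ah:hasaccessed", access_object)
        self.triples.add((operation, "ah:accessTime", when))       # assumed property
        self.triples.add((operation, "ah:accessLocation", where))  # assumed property
        return operation

    def access_count(self, accessor, accessed_triple):
        """Each recorded access time counts as one access of that object."""
        access_object = self._nodes.get(tuple(accessed_triple))
        operation = self._nodes.get((accessor, "ah:hasaccessed", access_object))
        return sum(1 for s, p, _ in self.triples
                   if s == operation and p == "ah:accessTime")


def demo():
    # Constructed sample: ds:p0001b reads the page's ds:hasdisease triple twice.
    base = AccessHistoryBase()
    fact = ("ds:p0001a", "ds:hasdisease", "ds:m.0c58k")
    op = base.record_access("ds:p0001b", fact, "2013-12-31T09:00:00", "loc:terminal-7")
    base.record_access("ds:p0001b", fact, "2013-12-31T09:00:20", "loc:terminal-7")
    return base, op, base.access_count("ds:p0001b", fact)


if __name__ == "__main__":
    base, op, n = demo()
    for triple in sorted(base.triples):
        print(triple)
    print(op, "accessed", n, "times")
```

Because the store is a set, two accesses with an identical timestamp would collapse into one; a real history base would need timestamps fine enough to stay distinct.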
S120: based on the access history ontology base, within a preset learning period, the access behavior features of the access subject, the access behavior features of the access object and the access behavior features occurring in the access control domain are learned respectively, the learning thresholds corresponding to the three classes of access behavior features are counted, and the learning thresholds corresponding to the three classes of access behavior features are recorded in the attack detection ontology base.
Specifically, access behavior features relate to the access behavior of three classes of entity: access subject, access object and access control domain. Correspondingly, the learning of access behavior features also takes three forms: the access behavior features of the access subject, the access behavior features of the access object and the access behavior features occurring in the access control domain are learned, and the learning thresholds of these three kinds of access behavior features within the preset learning period are counted and recorded. That is, within the preset learning period, the following are counted and recorded: the number of times the same access subject accesses all access objects, the number of times the same access object is accessed by all access subjects, and the number of times all access objects in the access control domain are accessed by all access subjects. The counted and recorded numbers are the learning thresholds. To distinguish the learning thresholds of the three classes of access behavior features, they are called the first learning threshold, the second learning threshold and the third learning threshold.
That is, in the process of learning the above three classes of access behavior features, the number of times the same access subject accesses all access objects is recorded as the first learning threshold; the number of times the same access object is accessed by all access subjects is recorded as the second learning threshold; and the number of times all access objects in the access control domain are accessed by all access subjects is recorded as the third learning threshold.
S130: based on the learning thresholds corresponding to the three classes of access behavior features recorded in the attack detection ontology base, the policy thresholds of the corresponding DoS attack detection policy rules are determined respectively by the policy threshold adjustment algorithm; the policy thresholds are recorded in the corresponding DoS attack detection policy rules, and the DoS attack detection policy rules are then saved in the attack detection rule base.
Recording the policy thresholds in the corresponding DoS attack detection policy rules means that the policy thresholds of the corresponding DoS attack detection policy rules, determined respectively by the policy threshold adjustment algorithm on the basis of the learning thresholds corresponding to the three classes of access behavior features recorded in the attack detection ontology base, are each recorded in the corresponding DoS attack detection policy rule. In other words, each policy threshold is recorded in its corresponding DoS attack detection policy rule.
It should be noted that, when the policy thresholds of the corresponding DoS attack detection policy rules are determined respectively by the policy threshold adjustment algorithm on the basis of the learning thresholds corresponding to the three classes of access behavior features recorded in the attack detection ontology base, the learning threshold of one class of access behavior features determines the policy threshold of one class of DoS attack detection policy rule.
That is, the learning threshold obtained by learning the access behavior features of the access subject is used to determine the policy threshold of the DoS attack detection policy rule based on the same access subject; the learning threshold obtained by learning the access behavior features of the access object is used to determine the policy threshold of the DoS attack detection policy rule based on the same access object; and the learning threshold obtained by learning the access behavior features occurring in the access control domain is used to determine the policy threshold of the DoS attack detection policy rule based on the access control domain.
In the process of determining respectively, by the policy threshold adjustment algorithm, the policy thresholds of the corresponding DoS attack detection policy rules on the basis of the learning thresholds corresponding to the three classes of access behavior features recorded in the attack detection ontology base, the configured policy threshold is replaced by the learning threshold corresponding to the three classes of access behavior features, which becomes the policy threshold of the DoS attack detection policy rule; or the greater of the learning threshold corresponding to the three classes of access behavior features and the configured policy threshold is taken as the policy threshold of the DoS attack detection policy rule; or, based on the learning threshold corresponding to the three classes of access behavior features and the configured policy threshold, a weighted average is computed and the weighted average result is used as the policy threshold of the DoS attack detection policy rule.
S140: based on the determined policy thresholds of the corresponding DoS attack detection policy rules, DoS attack behavior occurring in the access control domain is detected. It should be noted that the DoS attack detection subjects, corresponding to the access behavior features, comprise three classes: access subject, access object and access control domain. When the access behavior of a DoS attack detection subject is detected:
1. The number of times the same access subject accesses all access objects per minute is counted.
2. The number of times the same access object is accessed by all access subjects per minute is counted.
3. The number of times per minute that all access objects in the access control domain are accessed by all access subjects is counted.
Here, one minute is the preset access cycle; of course, hours or days can also be used as the preset access cycle.
It should be noted that the above three kinds of DoS attack detection subject correspond to the classes of access behavior features. That is, with the access subject, the access object and the access control domain each serving as a DoS attack detection subject, DoS attack detection is performed in parallel on these three classes of access behavior occurring in the access control domain.
In the process of detecting DoS attack behavior occurring in the access control domain (that is, while DoS attack detection is being performed in parallel on the three classes of access behavior occurring in the access control domain), when DoS attack behavior is detected in the access control domain, the DoS attack behavior is defended against immediately. The defense process includes:
counting the number of times the same access subject accesses all access objects within the preset access cycle; wherein, when the counted number exceeds the determined policy threshold of the corresponding DoS attack detection policy rule, the access behavior of the access subject is forbidden and the access state of the access subject is recorded;
counting the number of times the same access object is accessed by all access subjects within the preset access cycle; wherein, when the counted number exceeds the determined policy threshold of the corresponding DoS attack detection policy rule, access to this access object is forbidden and the accessed state of this access object is recorded;
counting, within the preset access cycle, the number of times all access objects in the access control domain are accessed by all access subjects; wherein, when the number of times all access objects are accessed is greater than or equal to the determined policy threshold of the corresponding DoS attack detection policy rule, the access requests of an access subject are denied, or the access rate of the access subject is limited, according to the state of the access subject.
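The learning, threshold adjustment and detection steps (S120 to S140) as one added sketch, not code from the patent. It assumes that a learning threshold is the highest per-cycle count seen during the learning period (the page says only that the counted number is the threshold) and that ids unseen during learning fall back to the configured threshold; the `weight` parameter and all sample events are constructed.

```python
from collections import Counter

CYCLE = 60  # access cycle in seconds (the page counts per minute)

def count_per_cycle(events):
    """Count accesses per cycle for the three feature classes.
    events: iterable of (subject, object, unix_seconds)."""
    subj, obj, dom = Counter(), Counter(), Counter()
    for s, o, ts in events:
        c = ts // CYCLE
        subj[(s, c)] += 1   # one subject accessing all objects
        obj[(o, c)] += 1    # one object accessed by all subjects
        dom[c] += 1         # all accesses in the access control domain
    return subj, obj, dom

def peak(counter):
    """Highest per-cycle count for each key of a (key, cycle) counter."""
    best = {}
    for (key, _cycle), n in counter.items():
        best[key] = max(n, best.get(key, 0))
    return best

def learn(history):
    """Learning thresholds. Assumption: peak per-cycle count in the learning period."""
    subj, obj, dom = count_per_cycle(history)
    return {"subject": peak(subj), "object": peak(obj),
            "domain": max(dom.values(), default=0)}

def adjust(learned, configured, mode, weight=0.5):
    """The three policy threshold adjustment options listed in the page."""
    if mode == "replace":
        return learned
    if mode == "max":
        return max(learned, configured)
    if mode == "weighted":  # weight is an assumed parameter
        return weight * learned + (1 - weight) * configured
    raise ValueError(f"unknown mode: {mode}")

def build_policy(learned, configured, mode, weight=0.5):
    """Apply adjust() per class; ids unseen in learning use the configured value."""
    policy = {"default": dict(configured)}
    for kind in ("subject", "object"):
        policy[kind] = {k: adjust(v, configured[kind], mode, weight)
                        for k, v in learned[kind].items()}
    policy["domain"] = adjust(learned["domain"], configured["domain"], mode, weight)
    return policy

def detect(events, policy):
    """Return sorted (cycle, kind, id, count, action) tuples for violations."""
    subj, obj, dom = count_per_cycle(events)
    alerts = []
    for (s, c), n in subj.items():
        if n > policy["subject"].get(s, policy["default"]["subject"]):
            alerts.append((c, "subject", s, n, "forbid subject"))
    for (o, c), n in obj.items():
        if n > policy["object"].get(o, policy["default"]["object"]):
            alerts.append((c, "object", o, n, "forbid access to object"))
    for c, n in dom.items():
        if n >= policy["domain"]:  # the page uses >= for the domain-wide rule
            alerts.append((c, "domain", "*", n, "deny or rate-limit"))
    return sorted(alerts)

# Constructed learning-period history: (subject, object, unix_seconds).
HISTORY = [
    ("ds:p0001b", "ah:triple0001a", 5), ("ds:p0001b", "ah:triple0001b", 20),
    ("ds:p0001b", "ah:triple0001a", 50), ("ds:p0002c", "ah:triple0001a", 30),
    ("ds:p0001b", "ah:triple0001a", 70), ("ds:p0002c", "ah:triple0001b", 95),
]
CONFIGURED = {"subject": 2, "object": 4, "domain": 6}  # constructed preset thresholds
# Constructed live traffic, all inside one access cycle (cycle 10).
LIVE = [("ds:p0002c", "ah:triple0001a", 600 + i) for i in range(3)] + [
    ("ds:p0001b", "ah:triple0001b", 610), ("ds:p0001b", "ah:triple0001b", 611),
    ("ds:p0009x", "ah:triple0001a", 620),
]

if __name__ == "__main__":
    policy = build_policy(learn(HISTORY), CONFIGURED, "max")
    for alert in detect(LIVE, policy):
        print(alert)
```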
It should further be noted that the attack detection rule base contains detection rule sets for the three classes of access behavior. Rule dependencies may exist among the rules in the rule set used to detect each class of access behavior. During rule matching, each rule in the rule set is evaluated in rule dependency order, and an attack detection result is obtained only when the conjunctive condition set in the rule body of the last rule in the dependency order is satisfied.
As the flow shown in Fig. 1 makes clear, the method for detecting DoS attacks in a semantic Web application provided by the present invention can shield semantic Web applications from DoS attacks introduced by the security defects of semantic Web technology itself and guarantee normal access for legitimate users. At the same time, the access behavior features in the access control domain are self-learned and used as the policy thresholds of the attack detection subjects, which prevents situations in which illegitimate user access requests are let through or legitimate access requests are blocked.
To describe the method for detecting DoS attacks in semantic Web applications provided by the present invention more clearly, the learning process for access behavior characteristics in the access control domain and the process of DoS attack detection and defense are each described in detail below.
In the method for detecting DoS attacks in semantic Web applications provided by the present invention, to effectively avoid letting malicious attack behavior through or blocking normal access requests, the access behavior characteristics in the access control domain are learned: the access behavior of access subjects is recorded periodically, and the learned thresholds are used as the basis for determining the policy thresholds of the DoS attack detection policy rules, so that malicious access operations that deviate from normal access behavior are effectively detected and defended against.
In the above description, the unit of the preset learning period is minutes; day, hour and minute values can be set, and the preset learning period can be the sum of these three values. Because different access subjects have different needs, and different access objects play different roles for access subjects, learning the access behavior characteristics per access subject and per access object allows different policy thresholds to be established for different access subjects and access objects.
The access behavior characteristics of the access control domain are learned in order to control the overall access traffic: once the total access traffic reaches the policy threshold, new access requests are limited. This design ensures that access requests already in progress complete normally. For example, if the policy threshold set in an access control domain is 300 (that is, access objects may be accessed 300 times per minute) and the number of accesses to access objects exceeds 300 within a given minute, access requests initiated by new access subjects are limited, so that the access requests of access subjects already in progress complete normally.
Before learning, a learning period must first be set and an initial value assigned to each of the three learned thresholds. The learning of access behavior characteristics is explained below, taking the learning of the access behavior characteristics of the same access subject as an example.
Fig. 4 shows the flow of learning the access behavior characteristics of an access subject according to an embodiment of the present invention. As shown in Fig. 4:
S410: Start a timer for the access subject based on the access history ontology base.
S420: Count and record the number of times the same access subject accesses access objects within the preset learning period.
The counting method is as follows: the access times in the reified attributes of the access subject's operations (these access times are stored in the access history ontology base) are compared, and all access times that are greater than or equal to the learning period start time and less than the learning period end time are counted, where each access time represents one access. This yields the number of accesses by the access subject within the learning period (i.e. the learned threshold).
S430: Based on the learned threshold (the recorded count) and the set policy threshold (the initial value that was set), determine the policy threshold of the corresponding DoS attack detection policy rule using the policy threshold adjustment algorithm.
The learned threshold is recorded in the attack detection ontology base, and the determined policy threshold of the corresponding DoS attack detection policy rule is recorded in the attack detection rule base.
The policy threshold adjustment algorithm offers three options:
1. Always replace the set policy threshold with the learned threshold (here, the first learned threshold), where the set policy threshold is either the initial value or the policy threshold determined the previous time;
2. Compare the learned threshold with the set policy threshold and take the larger of the two;
3. Obtain the policy threshold by a weighted average algorithm. The weighted average algorithm is as follows:
new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100
Here, current-threshold is the set policy threshold, learned-threshold is the learned threshold, and new-threshold is the policy threshold obtained by the adjustment. weight is the weight, with value range [0-100]. When weight is 100, the learned value is taken as the new policy threshold every time; when weight is 0, the original policy threshold is retained; when weight is 50, the average of the two is taken. The learning of the other two classes of access behavior characteristics and the determination of their policy thresholds are similar and are not repeated here.
After the policy thresholds of the DoS attack detection policy rules have been determined, DoS attack behavior occurring in the access control domain is detected and defended against, in parallel, based on the determined policy thresholds. To describe the process of DoS attack detection and defense more clearly, the detection and defense processes for the three kinds of DoS attack detection subject are each described in more detail below.
Fig. 2 shows the flow of DoS attack detection and defense with the access subject as the DoS attack detection subject, according to an embodiment of the present invention.
As shown in Fig. 2, the process of DoS attack detection and defense with the access subject as the DoS attack detection subject is:
S210: When an access subject initiates an access, the access result is queried and reified, and at the same time a timer is started for attack detection.
S220: The timer counts, at a frequency of one minute, the number of access objects accessed by this access subject (that is, it counts the access subject's number of accesses).
S230: The counted number is compared with the corresponding determined policy threshold; when the counted number is greater than the policy threshold, go to step S240, otherwise return to step S220.
S240: Terminate the access of this access subject immediately, and at the same time record the access subject's forbidden-access state and disable time.
That is, once an attack is detected (the counted number exceeds the determined policy threshold), the access of the access subject is terminated immediately, and the forbidden-access state and disable time (an initialization parameter) of the access subject are recorded. When the disable time has elapsed, the forbidden-access state is set to false, but the disabled-state record is not deleted.
When the access subject initiates an access again, its access state is obtained first; if the forbidden-access state of the access subject is true, this access request of the access subject is refused.
The process of DoS attack detection and defense with the access object as the DoS attack detection subject is similar to the above process with the access subject as the DoS attack detection subject: when the counted number exceeds the determined policy threshold of the DoS attack detection subject, access to the access object is prohibited and the accessed state of the access object is recorded.
It should be noted that when DoS attack detection and defense are performed with the access control domain as the DoS attack detection subject, the access requests of access subjects need to be handled according to preset conditions. The preset conditions are judgments on the state of the access subject. Specifically, the state of an access subject includes the access subject's forbidden-access state, the access subject's history access records, and the access subject's credit rating.
Specifically, the process of DoS attack detection and defense with the access control domain as the DoS attack detection subject is as follows:
Within the preset access period, the number of times the access objects occurring in the access control domain are accessed is counted; when the number of times the access objects have been accessed is greater than or equal to the policy threshold determined for the corresponding DoS attack detection policy rule, the access request of the access subject is refused, or the access rate of the access subject is limited, according to the preset conditions.
The preset conditions are set according to the state of the access subject, specifically:
1. When the forbidden-access state of the access subject is false, limit the access rate of the access subject, or refuse its access request.
2. When the access subject has no history access records, refuse its access request.
3. When the access subject has history access records but no forbidden-access state (a trusted access subject), accept its access request but limit its access rate.
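The per-subject ban of steps S210-S240 combined with the domain-level decision above, as an added Python example (not code from the patent). Class names, verdict strings, fixed windows of `period` minutes and not counting refused requests are assumptions; condition 1 is read here as "a ban record exists but has expired", an interpretation the text does not state explicitly.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SubjectState:
    has_history: bool = False       # at least one counted access on record
    banned: Optional[bool] = None   # None: no ban record; False: expired ban kept
    ban_until: int = 0              # minute at which the current ban ends
    window: int = -1                # index of the counting window last seen
    count: int = 0                  # accesses by this subject in that window


class DosDetector:
    def __init__(self, subject_threshold, domain_threshold,
                 period=1, ban_minutes=10, on_expired_ban="limit"):
        self.subject_threshold = subject_threshold
        self.domain_threshold = domain_threshold
        self.period = period                  # access period in minutes
        self.ban_minutes = ban_minutes        # disable time
        self.on_expired_ban = on_expired_ban  # condition 1: "limit" or "deny"
        self.subjects = {}
        self.domain_window = -1
        self.domain_count = 0

    def request(self, subject, now):
        """Handle one access at minute `now`; returns accept, limit or deny."""
        st = self.subjects.setdefault(subject, SubjectState())
        # Disable time elapsed: state becomes false, the record is kept.
        if st.banned and now >= st.ban_until:
            st.banned = False
        if st.banned:
            return "deny"
        # Start fresh counters when a new access period begins.
        window = now // self.period
        if window != self.domain_window:
            self.domain_window, self.domain_count = window, 0
        if window != st.window:
            st.window, st.count = window, 0
        verdict = "accept"
        # Domain as detection subject: total accesses >= policy threshold.
        if self.domain_count >= self.domain_threshold:
            if st.banned is False:            # condition 1: earlier ban on record
                if self.on_expired_ban == "deny":
                    return "deny"
                verdict = "limit"
            elif not st.has_history:          # condition 2: unknown subject
                return "deny"
            else:                             # condition 3: trusted subject
                verdict = "limit"
        st.count += 1
        self.domain_count += 1
        st.has_history = True
        # Access subject as detection subject (S230/S240): count > threshold.
        if st.count > self.subject_threshold:
            st.banned, st.ban_until = True, now + self.ban_minutes
            return "deny"
        return verdict


if __name__ == "__main__":
    d = DosDetector(subject_threshold=3, domain_threshold=5, ban_minutes=2)
    # Constructed request sequence: (subject, minute)
    for who, t in [("alice", 0)] * 5 + [("bob", 0), ("carol", 0), ("bob", 0)]:
        print(t, who, d.request(who, t))
```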
It should be noted that both determining policy thresholds and attack detection require querying and counting the access records of access subjects. The semantic knowledge base is a semantic network (a directed graph) made up of triples, and this semantic network follows the RDF standard. Traditional relational data storage relies on well-defined, static structure to improve performance; because the flexible RDF model does not work compatibly with traditional relational data storage, how to store and access (i.e. query) RDF efficiently has become an area of considerable research interest.
RDF storage based on a relational database uses data tables to store the triples formed by subject, predicate and object. To provide fast retrieval of common statements, the present invention uses graph-model-based RDF storage to persist the statements contained in the semantic knowledge base. The basic idea is as follows:
Graph-model-based RDF storage is a data structure that models the structure of RDF data more directly, and it can alleviate the performance problems of storage based on the relational model. Given a particular statement, graph-based storage provides an efficient way to locate statements that share the same resource (subject, predicate or object), because by design they are stored with a high degree of locality (that is, their storage locations are adjacent to one another).
Common implementations of graph-based RDF storage use interlinked statement lists, so that all statements sharing the same resource (which may appear as the subject, predicate or object of a statement) are arranged in one continuous linked list, or they use special index data structures to link statements that are adjacent (connected) in the RDF graph. This provides a mechanism for quickly traversing all statements that contain a particular resource (as the subject, predicate or object of a statement). This design is very similar to column indexes and additional tables in RDB (relational database) methods, and it is general-purpose: a graph-based implementation does not need to use higher-level knowledge stored along with the data.
Therefore, the present invention uses graph-model-based RDF storage to persist the statements contained in the semantic knowledge base, and also uses graph-based semantic-layer queries when querying and counting users' access records, so that RDF can be stored and accessed efficiently.
Corresponding to the above method, the present invention also provides a system for detecting DoS attacks in semantic Web applications. Fig. 3 shows the logical structure of the system for detecting DoS attacks in semantic Web applications according to an embodiment of the present invention.
As shown in Fig. 3, the system 300 for detecting DoS attacks in semantic Web applications provided by the present invention includes a reification unit 310, a policy threshold unit 320, a policy threshold adjustment unit 330 and an attack detection unit 340.
The reification unit 310 is used, in a semantic Web application, to describe by RDF statement reification the access behavior characteristics of access subjects accessing access objects in the access control domain, and to record the reified access behavior characteristics in the access history ontology base.
The reification unit 310 reifies, by RDF statement reification, the access behavior characteristics of access subjects accessing access objects in the access control domain. The reified access behavior characteristics include: access subject, access object, access operation, access time and access location.
The policy threshold unit 320 is used to learn, based on the access history ontology base and within the preset learning period, the access behavior characteristics of access subjects, the access behavior characteristics of access objects, and the access behavior characteristics occurring in the access control domain, respectively; to count the learned thresholds corresponding to the three classes of access behavior characteristics; and to record these learned thresholds in the attack detection ontology base.
Access behavior characteristics concern the access behavior of three classes of object: access subjects, access objects and the access control domain. Correspondingly, the learning of access behavior characteristics is also of three kinds: the access behavior characteristics of access subjects, the access behavior characteristics of access objects, and the access behavior characteristics occurring in the access control domain are learned, and the learned thresholds of these three kinds of access behavior characteristics within the preset learning period are counted and recorded.
While learning the above three classes of access behavior characteristics, the policy threshold unit 320 records the number of times the same access subject accesses all access objects as the first learned threshold; records the number of times the same access object is accessed by all access subjects as the second learned threshold; and records the number of times all access objects occurring in the access control domain are accessed by all access subjects as the third learned threshold.
The policy threshold adjustment unit 330 is used to determine, based on the learned thresholds corresponding to the three classes of access behavior characteristics recorded in the attack detection ontology base, the policy threshold of each corresponding DoS attack detection policy rule by the policy threshold adjustment algorithm; the policy threshold is recorded in the corresponding DoS attack detection policy rule, and the DoS attack detection policy rule is then saved in the attack detection rule base.
When determining the policy thresholds of the corresponding DoS attack detection policy rules in this way, the policy threshold adjustment unit 330 either replaces the set policy threshold with the learned threshold corresponding to the three classes of access behavior characteristics and uses it as the policy threshold of the corresponding DoS attack detection policy rule; or takes the larger of the learned threshold corresponding to the three classes of access behavior characteristics and the set policy threshold as the policy threshold of the corresponding DoS attack detection policy rule; or, based on the learned threshold corresponding to the three classes of access behavior characteristics and the set policy threshold, computes a weighted average and uses the weighted average result as the policy threshold of the corresponding DoS attack detection policy rule.
The attack detection unit 340 is used to detect DoS attack behavior occurring in the access control domain based on the determined policy thresholds of the corresponding DoS attack detection policy rules.
While detecting DoS attack behavior occurring in the access control domain, the attack detection unit 340 defends against the DoS attack behavior immediately when it detects that DoS attack behavior has occurred in the access control domain. The defense process includes:
Counting the number of times the same access subject accesses all access objects within the preset access period; when the counted number exceeds the policy threshold determined for the corresponding DoS attack detection policy rule, the access behavior of the access subject is prohibited and the access state of the access subject is recorded;
Counting the number of times the same access object is accessed by all access subjects within the preset access period; when the counted number exceeds the policy threshold determined for the corresponding DoS attack detection policy rule, access to that access object is prohibited and the accessed state of the access object is recorded;
Within the preset access period, counting the number of times all access objects occurring in the access control domain are accessed by all access subjects; when the number of times the access objects have been accessed is greater than or equal to the policy threshold determined for the corresponding DoS attack detection policy rule, the access request of an access subject is refused, or the access rate of the access subject is limited, according to the state of the access subject.
When the forbidden-access state of the access subject is false, the access rate of the access subject is limited, or its access request is refused; when the access subject has no history access records, its access request is refused; when the access subject has history access records but no forbidden-access state (a trusted access subject), its access request is accepted but its access rate is limited.
The method and system for detecting DoS attacks in semantic Web applications provided by the present invention can shield a semantic Web application from DoS attacks introduced by security defects of semantic Web technology itself, ensuring normal access for legitimate users; they can rate-limit the concurrent access requests initiated by access subjects in the access control domain, ensuring the query performance of the query engine and improving the access experience of legitimate users; at the same time, they self-learn the access behavior characteristics in the access control domain and use them as the policy thresholds for attack detection, which prevents illegitimate access requests from being let through and legitimate access requests from being blocked.
The method and system for detecting DoS attacks in semantic Web applications according to the present invention have been described above by way of example with reference to the accompanying drawings. However, those skilled in the art will understand that various improvements can be made to the method and system for detecting DoS attacks in semantic Web applications proposed by the present invention without departing from the content of the present invention. Therefore, the scope of protection of the present invention should be determined by the content of the appended claims.
Claims (10)
1. A method for detecting DoS attacks in a semantic Web application, comprising: in the semantic Web application, describing by RDF statement reification the access behavior characteristics of access subjects accessing access objects in an access control domain, and recording the reified access behavior characteristics in an access history ontology base;
based on the access history ontology base, within a preset learning period, learning respectively the access behavior characteristics of access subjects, the access behavior characteristics of access objects, and the access behavior characteristics occurring in the access control domain, counting the learned thresholds corresponding to the three classes of access behavior characteristics, and recording the learned thresholds corresponding to the three classes of access behavior characteristics in an attack detection ontology base; wherein the counted learned thresholds corresponding to the three classes of access behavior characteristics are: the number of times the same access subject accesses all access objects, the number of times the same access object is accessed by all access subjects, and the number of times all access objects occurring in the access control domain are accessed by all access subjects;
based on the learned thresholds corresponding to the three classes of access behavior characteristics recorded in the attack detection ontology base, determining respectively the policy thresholds of the corresponding DoS attack detection policy rules by a policy threshold adjustment algorithm; wherein the policy threshold is recorded in the corresponding DoS attack detection policy rule, and the DoS attack detection policy rule is then saved in an attack detection rule base;
based on the determined policy thresholds of the corresponding DoS attack detection policy rules, detecting DoS attack behavior occurring in the access control domain.
2. The method for detecting DoS attacks in a semantic Web application according to claim 1, wherein the reified access behavior characteristics include: access subject, access object, access operation, access time and access location.
3. The method for detecting DoS attacks in a semantic Web application according to claim 1, wherein, in the process of learning respectively the access behavior characteristics of access subjects, the access behavior characteristics of access objects, and the access behavior characteristics occurring in the access control domain,
the number of times the same access subject accesses all access objects is recorded as a first learned threshold;
the number of times the same access object is accessed by all access subjects is recorded as a second learned threshold;
the number of times all access objects occurring in the access control domain are accessed by all access subjects is recorded as a third learned threshold.
4. The method for detecting DoS attacks in a semantic Web application according to claim 1, wherein, in the process of determining respectively the policy thresholds of the corresponding DoS attack detection policy rules by the policy threshold adjustment algorithm, based on the learned thresholds corresponding to the three classes of access behavior characteristics recorded in the attack detection ontology base,
the set policy threshold is replaced with the learned threshold corresponding to the three classes of access behavior characteristics, which is used as the policy threshold of the corresponding DoS attack detection policy rule; or,
the larger of the learned threshold corresponding to the three classes of access behavior characteristics and the set policy threshold is taken as the policy threshold of the corresponding DoS attack detection policy rule; or,
based on the learned threshold corresponding to the three classes of access behavior characteristics and the set policy threshold, a weighted average is computed, and the weighted average result is used as the policy threshold of the corresponding DoS attack detection policy rule.
5. The method for detecting DoS attacks in a semantic Web application according to claim 1, wherein, in the process of detecting DoS attack behavior occurring in the access control domain, when DoS attack behavior is detected in the access control domain, the DoS attack behavior is defended against immediately, the defense process including:
counting the number of times the same access subject accesses all access objects within a preset access period; wherein, when the counted number exceeds the policy threshold determined for the corresponding DoS attack detection policy rule, the access behavior of the access subject is prohibited and the access state of the access subject is recorded;
counting the number of times the same access object is accessed by all access subjects within the preset access period; wherein, when the counted number exceeds the policy threshold determined for the corresponding DoS attack detection policy rule, access to the access object is prohibited and the accessed state of the access object is recorded;
within the preset access period, counting the number of times all access objects occurring in the access control domain are accessed by all access subjects; wherein, when the number of times all access objects have been accessed is greater than or equal to the policy threshold determined for the corresponding DoS attack detection policy rule, the access request of an access subject is refused, or the access rate of the access subject is limited, according to the state of the access subject.
6. The method for detecting DoS attacks in a semantic Web application according to claim 1, wherein the access history ontology base, the attack detection ontology base and the attack detection rule base are described using the RDF model and a semantic Web description language, and are stored using a graph-model-based data structure.
7. A system for detecting DoS attacks in a semantic Web application, comprising:
a reification unit, for describing by RDF statement reification, in the semantic Web application, the access behavior characteristics of access subjects accessing access objects in an access control domain, and recording the reified access behavior characteristic information in an access history ontology base;
a policy threshold unit, for learning, based on the access history ontology base and within a preset learning period, the access behavior characteristics of access subjects, the access behavior characteristics of access objects, and the access behavior characteristics occurring in the access control domain, counting the learned thresholds corresponding to the three classes of access behavior characteristics, and recording the learned thresholds corresponding to the three classes of access behavior characteristics in an attack detection ontology base; wherein the counted learned thresholds corresponding to the three classes of access behavior characteristics are: the number of times the same access subject accesses all access objects, the number of times the same access object is accessed by all access subjects, and the number of times all access objects occurring in the access control domain are accessed by all access subjects;
a policy threshold adjustment unit, for determining respectively, based on the learned thresholds corresponding to the three classes of access behavior characteristics recorded in the attack detection ontology base, the policy thresholds of the corresponding DoS attack detection policy rules by a policy threshold adjustment algorithm; wherein the policy threshold is recorded in the corresponding DoS attack detection policy rule, and the DoS attack detection policy rule is then saved in an attack detection rule base;
an attack detection unit, for detecting DoS attack behavior occurring in the access control domain based on the determined policy thresholds of the corresponding DoS attack detection policy rules.
8. The system for detecting DoS attacks in a semantic Web application according to claim 7, wherein the access behavior characteristics reified by the reification unit include: access subject, access object, access operation, access time and access location.
9. The system for detecting DoS attacks in a semantic Web application according to claim 7, wherein, in the process of determining respectively the policy thresholds of the corresponding DoS attack detection policy rules by the policy threshold adjustment algorithm, based on the learned thresholds corresponding to the three classes of access behavior characteristics recorded in the attack detection ontology base, the policy threshold adjustment unit
replaces the set policy threshold with the learned threshold corresponding to the three classes of access behavior characteristics, which is used as the policy threshold of the corresponding DoS attack detection policy rule; or,
takes the larger of the learned threshold corresponding to the three classes of access behavior characteristics and the set policy threshold as the policy threshold of the corresponding DoS attack detection policy rule; or,
based on the learned threshold corresponding to the three classes of access behavior characteristics and the set policy threshold, computes a weighted average and uses the weighted average result as the policy threshold of the corresponding DoS attack detection policy rule.
10. The system for detecting DoS attacks in a semantic Web application as claimed in claim 7, wherein, when the attack detection unit detects that DoS attack behavior exists in the access control domain, the DoS attack behavior is immediately defended against, and the defense process comprises:
counting the number of times the same access subject accesses all access objects within a preset access period; wherein, when the counted number exceeds the determined policy threshold of the corresponding DoS attack detection policy rule, the access behavior of the access subject is prohibited, and the access state of the access subject is recorded;
counting the number of times the same access object is accessed by all access subjects within the preset access period; wherein, when the counted number exceeds the determined policy threshold of the corresponding DoS attack detection policy rule, the access object is placed in an access-prohibited state, and the accessed state of the access object is recorded at the same time;
counting, within the preset access period, the number of times all access objects in the access control domain are accessed; wherein, when the number of times all access objects are accessed is greater than or equal to the determined policy threshold of the corresponding DoS attack detection policy rule, the access request of an access subject is denied, or the access rate of the access subject is limited, according to the state of the access subject.
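The three threshold adjustment options and the three per-period counters from the two claims above, as an added Python example (not code from the patent). The function names, the `weight` parameter, the `throttle` outcome for subjects that are not already blocked, and the sample events are assumptions constructed for illustration.

```python
from collections import Counter

def adjust_threshold(trained, configured, mode="max", weight=0.5):
    """Combine a training threshold with the configured policy threshold."""
    if mode == "replace":      # training threshold replaces the configured one
        return trained
    if mode == "max":          # take the greater of the two
        return max(trained, configured)
    if mode == "weighted":     # weighted average; `weight` is an assumed parameter
        return weight * trained + (1 - weight) * configured
    raise ValueError(f"unknown mode: {mode}")

def detect(events, period, thresholds):
    """Count accesses inside the half-open period [start, end).

    events: iterable of (timestamp, subject, obj).
    Returns (blocked_subjects, blocked_objects, domain_limited).
    """
    start, end = period
    per_subject, per_object, total = Counter(), Counter(), 0
    for ts, subject, obj in events:
        if start <= ts < end:
            per_subject[subject] += 1   # one subject across all objects
            per_object[obj] += 1        # one object across all subjects
            total += 1                  # whole access control domain
    # The claim uses "exceeds" for subject/object and ">=" for the domain.
    blocked_subjects = {s for s, n in per_subject.items() if n > thresholds["subject"]}
    blocked_objects = {o for o, n in per_object.items() if n > thresholds["object"]}
    return blocked_subjects, blocked_objects, total >= thresholds["domain"]

def decide(subject, obj, verdict):
    """Map a request to deny / throttle / allow (throttle rule is an assumption)."""
    blocked_subjects, blocked_objects, domain_limited = verdict
    if subject in blocked_subjects or obj in blocked_objects:
        return "deny"
    return "throttle" if domain_limited else "allow"

# Constructed sample data: (timestamp_seconds, subject, object)
EVENTS = ([(t, "agent-a", "doc1") for t in range(0, 4)]
          + [(t, "agent-a", "doc2") for t in range(10, 13)]
          + [(t, "agent-b", "doc1") for t in (20, 21)]
          + [(30, "agent-b", "doc3"), (40, "agent-c", "doc3"), (41, "agent-c", "doc3")]
          + [(75, "agent-c", "doc1")])  # outside the 0-60 s period, ignored

THRESHOLDS = {
    "subject": adjust_threshold(5, 3, "max"),
    "object": adjust_threshold(4, 6, "weighted"),
    "domain": adjust_threshold(12, 20, "replace"),
}

if __name__ == "__main__":
    verdict = detect(EVENTS, (0, 60), THRESHOLDS)
    print(verdict, decide("agent-c", "doc3", verdict))
```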
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310751402.0A CN103746987B (en) | 2013-12-31 | 2013-12-31 | Method and system for detecting DoS attack in semantic Web application |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310751402.0A CN103746987B (en) | 2013-12-31 | 2013-12-31 | Method and system for detecting DoS attack in semantic Web application |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103746987A CN103746987A (en) | 2014-04-23 |
CN103746987B true CN103746987B (en) | 2017-02-01 |
Family
ID=50503974
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310751402.0A Active CN103746987B (en) | 2013-12-31 | 2013-12-31 | Method and system for detecting DoS attack in semantic Web application |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103746987B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107592300A (en) * | 2017-08-16 | 2018-01-16 | 中国银行股份有限公司 | A kind of method and system of anti-robot attack |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105187224B (en) * | 2014-06-17 | 2018-05-01 | 腾讯科技(深圳)有限公司 | Intrusion detection method and device |
CN105656843B (en) * | 2014-11-11 | 2020-07-24 | 腾讯数码(天津)有限公司 | Application layer protection method and device based on verification and network equipment |
CN104462476A (en) * | 2014-12-19 | 2015-03-25 | 科大国创软件股份有限公司 | Method for implementing service protection on service access frequency based on control time window |
CN104954188B (en) * | 2015-06-30 | 2018-05-01 | 北京奇安信科技有限公司 | Web log file safety analytical method based on cloud, device and system |
CN104935609A (en) * | 2015-07-17 | 2015-09-23 | 北京京东尚科信息技术有限公司 | Network attack detection method and detection apparatus |
CN108737351B (en) * | 2017-04-25 | 2021-03-16 | ***通信有限公司研究院 | Distributed denial of service attack defense control method and scheduling equipment |
CN107948197A (en) * | 2017-12-26 | 2018-04-20 | 北京星河星云信息技术有限公司 | Defend the method and half-connection attack defending platform of half-connection attack |
CN114244564B (en) * | 2021-11-16 | 2024-04-16 | 北京网宿科技有限公司 | Attack defense method, device, equipment and readable storage medium |
CN116708013B (en) * | 2023-07-25 | 2024-06-11 | 深圳市锐速云计算有限公司 | DDoS protection method and device |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101635703A (en) * | 2008-07-24 | 2010-01-27 | 北京启明星辰信息技术股份有限公司 | Method for detecting WEB service abnormality |
CN102821002A (en) * | 2011-06-09 | 2012-12-12 | ***通信集团河南有限公司信阳分公司 | Method and system for network flow anomaly detection |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20120066465A (en) * | 2010-12-14 | 2012-06-22 | 한국전자통신연구원 | Method for blocking denial-of-service attack |
Also Published As
Publication number | Publication date |
---|---|
CN103746987A (en) | 2014-04-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103746987B (en) | Method and system for detecting DoS attack in semantic Web application | |
da Silva et al. | Heuristic-based strategy for Phishing prediction: A survey of URL-based approach | |
US20220336290A1 (en) | User Model-Based Data Loss Prevention | |
CN112073411B (en) | Network security deduction method, device, equipment and storage medium | |
US9336388B2 (en) | Method and system for thwarting insider attacks through informational network analysis | |
Moynihan | The application of international law to state cyberattacks | |
Morel | Artificial intelligence and the future of cybersecurity | |
CN109299135A (en) | Abnormal inquiry recognition methods, identification equipment and medium based on identification model | |
CN103336927A (en) | Data classification based data leakage prevention method and system | |
Yamada et al. | Exploiting privacy policy conflicts in online social networks | |
CN109684072A (en) | The system and method for being used to detect the computing resource of malicious file based on machine learning model management | |
CN109587151A (en) | Access control method, device, equipment and computer readable storage medium | |
CN116668197B (en) | Method and device for realizing network forced access control of information flow interference-free strategy | |
CN106850675A (en) | A kind of determination method and device of attack | |
Kebande et al. | Active machine learning adversarial attack detection in the user feedback process | |
Sun et al. | A matrix decomposition based webshell detection method | |
CN108134774B (en) | Privacy protection method and device based on content privacy and user security grading | |
Ro et al. | Detection Method for Distributed Web‐Crawlers: A Long‐Tail Threshold Model | |
Chertoff et al. | Policing the Dark Web: Legal Challenges in the 2015 Playpen Case | |
Suthaharan et al. | An approach for automatic selection of relevance features in intrusion detection systems | |
Möller | Cyberattacker Profiles, Cyberattack Models and Scenarios, and Cybersecurity Ontology | |
Boruah et al. | An MEBN framework as a dynamic firewall's knowledge flow architecture | |
Taylor | Defending Against Typosquatting Attacks In Programming Language-Based Package Repositories | |
Feng et al. | Moving target defense in preventing sql injection | |
Kiran et al. | A Critical study of information security risk assessment using fuzzy and entropy methodologies |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |