CN107528859B - Defense method and device for DDoS attack - Google Patents

Defense method and device for DDoS attack Download PDF

Info

Publication number
CN107528859B
CN107528859B CN201710908810.0A CN201710908810A CN107528859B CN 107528859 B CN107528859 B CN 107528859B CN 201710908810 A CN201710908810 A CN 201710908810A CN 107528859 B CN107528859 B CN 107528859B
Authority
CN
China
Prior art keywords
behavior
user
correlation degree
relevancy
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710908810.0A
Other languages
Chinese (zh)
Other versions
CN107528859A (en
Inventor
刘文辉
陈裕涛
何坤
张磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Nsfocus Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NSFOCUS Information Technology Co Ltd, Nsfocus Technologies Inc filed Critical NSFOCUS Information Technology Co Ltd
Priority to CN201710908810.0A priority Critical patent/CN107528859B/en
Publication of CN107528859A publication Critical patent/CN107528859A/en
Application granted granted Critical
Publication of CN107528859B publication Critical patent/CN107528859B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a defense method and equipment for DDoS attack, which are used for improving the accuracy of distinguishing broiler users from a user group and further making an effective protection strategy. The defense method of the DDoS attack comprises the following steps: determining at least one behavior relevancy set of each user, wherein one behavior relevancy set comprises behavior relevancy between one behavior of the user interacting with the server and other behaviors respectively, and the behavior relevancy is used for indicating the relevancy between one behavior and any one behavior of the other behaviors respectively; determining at least one interval range according to a plurality of behavior relevancy included in at least one behavior relevancy set, wherein one behavior relevancy set corresponds to one interval range; and in a preset time period, if it is determined that each behavior correlation degree in all the behavior correlation degrees of the first user is not in the interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located, the IP address of the first user is forbidden.

Description

Defense method and device for DDoS attack
Technical Field
The invention relates to the technical field of network security, in particular to a defense method and defense equipment for DDoS attack.
Background
Distributed Denial of Service (DDoS) attacks are a network attack method, and generally, broiler chicken flocks are used as an attack platform or a special attack software tool is used to send a plausible Service request to a victim host to occupy a large amount of resources of a server, so that network congestion or server resource exhaustion is caused to cause that the server rejects legitimate users. The broiler chicken can be regarded as a medium Trojan horse virus and can be remotely controlled.
Due to the fact that the DDoS attack of the broiler group has certain similarity with the behaviors of normal users, the conventional DDoS defense method is caused, for example, analysis and verification of attacker protocol stack behaviors, watermarking algorithm and the like cannot strip broiler users from the normal users, and therefore the protection effect of the protection algorithm is not ideal, even the protection algorithm is invalid, and huge economic loss is caused to a service provider.
Therefore, how to distinguish broiler users from normal users is an urgent and urgent matter to timely and accurately extract broiler users from a user group and timely protect the broiler users. .
Disclosure of Invention
The embodiment of the invention provides a defense method and equipment for DDoS attack, which are used for improving the accuracy of distinguishing broiler users from user groups and further making an effective protection strategy.
In a first aspect, an embodiment of the present invention provides a defense method for DDoS attack, where the defense method includes:
determining at least one behavior relevancy set of each user; the behavior relevancy set comprises behavior relevancy between one behavior of a user interacting with the server and other behaviors, and the behavior relevancy is used for indicating the relevancy between the one behavior and any one of the other behaviors;
determining at least one interval range according to a plurality of behavior relevancy included in the at least one behavior relevancy set; the method comprises the steps that a behavior relevancy set corresponds to an interval range, and the interval range is used for indicating a preset fluctuation range of behavior relevancy between one behavior interacted with a server by a user and other behaviors;
and in a preset time period, if it is determined that each behavior correlation degree in all the behavior correlation degrees of the first user is not in an interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located, the internet protocol IP address of the first user is forbidden.
Optionally, determining at least one behavior relevancy set of each user includes:
acquiring at least one behavior characteristic parameter of each user interacting with the server; wherein the behavior characteristic parameter is used for indicating the behavior of the user interacting with the server;
normalizing each behavior characteristic parameter in the at least one behavior characteristic parameter;
according to the normalized each behavior characteristic parameter, determining at least one behavior relevancy of each user through the following formula:
Figure BDA0001424488720000021
where cov (x, y) is the behavioral correlation between two behaviors, x is the value of one behavior characteristic parameter, y is the value of another behavior characteristic parameter,
Figure BDA0001424488720000022
is the average value of x in a preset time period,
Figure BDA0001424488720000023
is the average value of y in a preset time period, n is the number of the types of the behaviors of the user, wherein sxIs the standard deviation of x, syIs the standard deviation of y.
Optionally, determining at least one interval range according to the multiple behavior correlations included in the at least one behavior correlation set, including:
sequentially acquiring the maximum value and the minimum value of the behavior correlation degree in each behavior correlation degree set in the at least one behavior correlation degree set;
determining a range formed by the maximum value and the minimum value in each behavior correlation degree set as an interval range of each behavior correlation degree set.
Optionally, the blocking the internet protocol IP address of the first user includes:
if it is determined that each behavior correlation degree in all the behavior correlation degrees of the first user is not within the interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located, determining a plurality of durations for forbidding the IP address of the first user according to the behavior correlation degree of the first user, wherein each behavior correlation degree of the first user corresponds to one duration;
determining a first time length according to the plurality of time lengths, and forbidding the IP address of the first user in the first time length;
wherein each duration is determined by the following formula:
Figure BDA0001424488720000031
wherein, Time is a first duration, e is a constant, n is the number of at least one behavior correlation set, xiAnd the difference value is the difference value between the ith behavior correlation degree of the first user and the corresponding interval range, and the difference value is the difference value between the ith behavior correlation degree and the maximum value or the minimum value of the corresponding interval range.
Optionally, determining the first duration according to the plurality of durations includes:
determining any one of the plurality of time lengths as the first time length;
or, determining the longest duration of the plurality of durations as the first duration.
Optionally, the defense method further includes:
in the preset time period, if each behavior correlation degree in all the behavior correlation degrees of the first user is in an interval range corresponding to the behavior correlation degree set, recording the at least one behavior characteristic parameter of the first user;
re-determining at least one behavior correlation degree of the first user according to the recorded at least one behavior characteristic parameter;
updating the at least one behavior relatedness determined anew to the at least one behavior relatedness set.
Optionally, the behavior feature parameters include a duration of time for the user to access the server, a frequency of a preset behavior of the user interacting with the server, and a frequency of information input by the user.
In a second aspect, an embodiment of the present invention provides a defense apparatus for DDoS attack, where the defense apparatus includes:
the first determining module is used for determining at least one behavior relevancy set of each user; the behavior relevancy set comprises behavior relevancy between one behavior of a user interacting with the server and other behaviors, and the behavior relevancy is used for indicating the relevancy between the one behavior and any one of the other behaviors;
a second determining module, configured to determine at least one interval range according to a plurality of behavior correlations included in the at least one behavior correlation set; the method comprises the steps that a behavior relevancy set corresponds to an interval range, and the interval range is used for indicating a preset fluctuation range of behavior relevancy between one behavior interacted with a server by a user and other behaviors;
and the forbidding module is used for forbidding the internet protocol IP address of the first user if the fact that each behavior correlation degree in all the behavior correlation degrees of the first user is not in the interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located is determined in a preset time period.
Optionally, the first determining module is specifically configured to:
acquiring at least one behavior characteristic parameter of each user interacting with the server; wherein the behavior characteristic parameter is used for indicating the behavior of the user interacting with the server;
normalizing each behavior characteristic parameter in the at least one behavior characteristic parameter;
according to the normalized each behavior characteristic parameter, determining at least one behavior relevancy of each user through the following formula:
Figure BDA0001424488720000041
where cov (x, y) is the behavioral correlation between two behaviors, x is the value of one behavior characteristic parameter, y is the value of another behavior characteristic parameter,
Figure BDA0001424488720000042
is the average value of x in a preset time period,
Figure BDA0001424488720000043
is the average value of y in a preset time period, n is the number of the types of the behaviors of the user, wherein sxIs the standard deviation of x, syIs the standard deviation of y.
Optionally, the second determining module is specifically configured to:
sequentially acquiring the maximum value and the minimum value of the behavior correlation degree in each behavior correlation degree set in the at least one behavior correlation degree set;
determining a range formed by the maximum value and the minimum value in each behavior correlation degree set as an interval range of each behavior correlation degree set.
Optionally, the blocking module is specifically configured to:
if it is determined that each behavior correlation degree in all the behavior correlation degrees of the first user is not within the interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located, determining a plurality of durations for forbidding the IP address of the first user according to the behavior correlation degree of the first user, wherein each behavior correlation degree of the first user corresponds to one duration;
determining a first time length according to the plurality of time lengths, and forbidding the IP address of the first user in the first time length;
wherein each duration is determined by the following formula:
Figure BDA0001424488720000051
wherein, Time is a first duration, e is a constant, n is the number of at least one behavior correlation set, xiAnd the difference value is the difference value between the ith behavior correlation degree of the first user and the corresponding interval range, and the difference value is the difference value between the ith behavior correlation degree and the maximum value or the minimum value of the corresponding interval range.
Optionally, the blocking module is further configured to:
determining any one of the plurality of time lengths as the first time length;
or, determining the longest duration of the plurality of durations as the first duration.
Optionally, the defense apparatus further includes an update module, and the update module is configured to:
in the preset time period, if each behavior correlation degree in all the behavior correlation degrees of the first user is in an interval range corresponding to the behavior correlation degree set, recording the at least one behavior characteristic parameter of the first user;
re-determining at least one behavior correlation degree of the first user according to the recorded at least one behavior characteristic parameter;
updating the at least one behavior relatedness determined anew to the at least one behavior relatedness set.
Optionally, the behavior feature parameters include a duration of time for the user to access the server, a frequency of a preset behavior of the user interacting with the server, and a frequency of information input by the user.
In a third aspect, an embodiment of the present invention also provides a computer apparatus, which includes a processor, which is configured to implement the steps of any one of the defense methods provided in the first aspect when executing a computer program stored in a memory.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of any one of the defense methods provided by the first aspect.
The embodiment of the invention provides a novel defense method for DDoS attack, which determines the behavior correlation degree between one behavior interacted between a user and a server and other behaviors, and further determines the preset fluctuation range of the behavior correlation degree between the behavior interacted between the user and the server and other behaviors, namely the daily behavior habit of the user. Therefore, if each behavior correlation degree in all the behavior correlation degrees of the user is not in the preset wave range corresponding to each behavior correlation degree within the preset time period, the behavior of the interaction between the user and the server can be considered to be different from the usual behavior habit, that is, the behavior habit of the user is completely different from the usual behavior, and the user can be considered as an illegal user performing DDoS attack on the server by using the account of the user. Therefore, broiler users can be determined, namely the accuracy of determining DDoS attacks is improved, and effective protection strategies such as the IP addresses of the users are forbidden at the moment.
Drawings
Fig. 1 is a flowchart of a defense method for DDoS attack according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a defense device for DDoS attack according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly and completely understood, the technical solutions in the embodiments of the present invention will be described below with reference to the accompanying drawings in the embodiments of the present invention.
Because the broiler group has certain similarity with the normal users or is infected normal users, the data packets sent by the broiler group are not different from the normal flow, so that the DDoS attack cannot be identified by a general defense method, and further the DDoS attack cannot be defended in time
In view of this, the embodiment of the present invention provides a new method for defending against DDoS attacks, where the method determines a behavior correlation between a behavior of a user interacting with a server and other behaviors, and if the behavior correlation of the user is within a corresponding preset fluctuation range, it may be considered that the behavior habit of the user at ordinary times is the same. Therefore, if each behavior correlation degree in all the behavior correlation degrees of the user is not in the preset wave range corresponding to each behavior correlation degree within the preset time period, it can be considered that the behavior of the interaction between the user and the server is different from the usual behavior habit, and the user may be infected with broiler chicken. The infected users are distinguished from the user group according to the daily behavior habits of the users, and then the infected users are prohibited by adopting an IP (Internet protocol) prohibition method.
The technical solution provided by the embodiments of the present invention is described in detail below with reference to the accompanying drawings.
Referring to fig. 1, an embodiment of the present invention provides a method for defending against DDoS attacks, where the method may be executed by any electronic device. The flow of the defense method is described as follows:
s101: determining at least one behavior relevancy set of each user, wherein one behavior relevancy set comprises behavior relevancy between one behavior of the user interacting with the server and other behaviors respectively, and the behavior relevancy is used for indicating the relevancy between one behavior and any one behavior of the other behaviors respectively;
s102: determining at least one interval range according to a plurality of behavior relevancy included in at least one behavior relevancy set, wherein one behavior relevancy set corresponds to one interval range, and the interval range is used for indicating a preset fluctuation range of the behavior relevancy between one behavior interacted with the server by the user and other behaviors;
s103: and in a preset time period, if it is determined that each behavior correlation degree in all the behavior correlation degrees of the first user is not in the interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located, the IP address of the first user is forbidden.
The behavior correlation degree refers to the degree of association between two behaviors of the user and the server interaction, and can be understood as the degree of association between one behavior of the user and the server interaction and any one behavior of other behaviors. Of course, the behavior of user interaction with the server varies depending on the application supported by the server. For example, if the application supported by the server is a chess game, the user's interaction with the server may be user's input of chat information, user's play of cards, or user's room switching. If the application supported by the server is a Role-playing game (RPG), the act of the user interacting with the server may be an act of selecting hero, an act of releasing the speed of the skill, etc.
The action relevancy is introduced by taking the application supported by the server as an example for playing chess and card games. For example, if a user is playing a chess game, the user's interaction with the server may include a user's chat message input behavior, a user's room switching behavior, and a user's card-out behavior. The degree of the action correlation included by the user can be considered as the degree of the correlation between the action of inputting the chat information by the user and the action of switching rooms by the user, the degree of the correlation between the action of inputting the chat information by the user and the action of playing cards by the user, and the degree of the correlation between the action of playing cards by the user and the action of switching rooms by the user.
Because the degree of association exists between one behavior of the interaction between the user and the server and various behaviors, the embodiment of the invention can divide the behavior correlation between one behavior of the interaction between the user and the server and other behaviors into a set, namely a behavior correlation set. Generally, for the same application supported by the server, the behavior habit of a user interacting with the server does not change much, that is, the behavior correlation degree between any one behavior of the user interacting with the server and other behaviors does not change much, that is, the fluctuation range of the maximum value or the minimum value included in the corresponding behavior correlation degree set is small. In the embodiment of the present invention, a fluctuation range corresponding to the behavior relevancy set is also referred to as an interval range, and the interval range may be used to indicate a preset fluctuation range of behavior relevancy between one behavior of user interaction with the server and another behavior. If the relevance of each of the multiple behaviors interacted between the user and the server and each of the other behaviors is within the corresponding interval range within a period of time, that is, the relevance of the multiple behaviors of the user is within the preset fluctuation range, the multiple behaviors of the user can be considered to be normal, and the behavior habit of the user accessing the server is the same. On the contrary, if each of the plurality of behavior relevancy degrees of the user in a certain period of time is not in the corresponding interval range, that is, the behavior of the user interacting with the server is different from the usual behavior habit of the user, the user may be infected, and therefore, once it is detected that each of the plurality of behavior relevancy degrees of the user is not in the corresponding preset fluctuation, the server may be attacked by DDoS, and at this time, the DDoS attack may be defended.
The defense method of DDoS attack provided by the embodiment of the invention compares the multiple behavior correlation degrees of a user with the previous multiple behavior correlation degrees of the user, judges whether the user performs DDoS attack on the server according to the comparison result, and defends the DDoS attack in time.
The embodiment of the invention can determine each behavior relevancy of a legal user in a period of time, thereby determining at least one behavior relevancy set, wherein each behavior relevancy set corresponds to an interval range. The embodiment of the invention can acquire at least one behavior characteristic parameter of each user interacting with the server, and determine each behavior relevancy according to the acquired at least one behavior characteristic parameter. The behavior feature parameters may be used to indicate the behavior of the user interacting with the server, one user corresponding to at least one behavior feature parameter. For example, if the application supported by the server is a chess game, the user's interaction with the server may include a user's action of drawing a card or next chess, a user's action of switching rooms, a user's action of inputting chat information, and the like. The behavior feature parameters may include a duration of time that the user accesses the server, a frequency of preset behaviors that the user interacts with the server, and a frequency of information input by the user. The preset behavior of the interaction between the user and the server in the embodiment of the present invention may be set correspondingly according to the type of the application supported by the server, for example, if the application supported by the server is a chess game, the preset behavior may include a behavior of the user playing a card or playing the next chess, a behavior of the user switching rooms, and the like.
How the embodiment of the present invention obtains at least one behavior feature parameter of the user is described below.
Because the behavior of the user interacting with the server has a temporal characteristic, for example, if the application supported by the server is a game-like application, the user may interact with the server more times in the evening and perform more activities, and may interact with the server less times and perform less activities in the morning. If the behavior correlation degree between every two behaviors of a user is determined by acquiring the interaction behavior of the user and a server in a certain time period, the accuracy is obviously low.
In view of this, the embodiment of the present invention may obtain at least one behavior feature parameter of at least one user interacting with the server according to the correlation between the user behavior and the time, and determine the behavior correlation between every two behaviors through the obtained at least one behavior feature parameter. In a possible implementation manner, the embodiment of the present invention may obtain at least one behavior feature parameter of at least one user interacting with the server within a preset time period T. The preset time period may be a time period set in advance, and various actions including at least one user interacting with the server in each time period may occur at least once as much as possible. For example, generally, a user interacts with a server more times and acts more in the evening, and interacts with the server less times and acts less in the morning, and the user may not interact with the server in the morning. The preset time period T may be 1 day, as long as various actions including at least one user interacting with the server in each time period occur at least once as far as possible, so as to avoid errors caused by time as much as possible. Of course, the preset time period T may also be other possible values, which is not necessarily exemplified here. In specific implementation, the embodiment of the present invention may adopt a stream mirroring manner, that is, a data stream generated when a user interacts with a server is mirrored to obtain a data stream flowing to the server, where the data stream generally includes an Internet Protocol (IP) address of the user, a duration of time for the user to access the server, a number of times of a preset behavior of the user interacting with the server, and a number of times of information input by the user. The embodiment of the invention can take the acquired times of the preset behaviors of the interaction between the user and the server and the times of the information input by the user as the behavior characteristic parameters, and can also convert the acquired times of the preset behaviors of the interaction between the user and the server and the times of the information input by the user into corresponding frequencies to be taken as the behavior characteristic parameters.
Due to the difference in the number of user interactions with the server over different time periods within the preset time period. For example, generally, a user interacts with a server more times and acts more in the evening, and interacts with the server less times and acts less in the morning, and the user may not interact with the server in the morning. If at least one behavior characteristic parameter of the user interacting with the server in the preset time period is obtained, obviously, the data stream flowing to the server is obtained in a larger amount, and the calculation amount for extracting at least one behavior characteristic parameter in the data stream is also larger, so that the burden of the electronic device is increased.
In view of this, the embodiment of the present invention may divide the preset time period into a plurality of time periods, for example, into a morning time period, a noon time period, an afternoon time period, an evening time period, and a morning time period, select some time periods from the plurality of time periods, and only obtain at least one behavior feature parameter of at least one user interacting with the server in some time periods. For example, generally, the number of times that the user interacts with the server is large in the midday period and the evening period, and then the behavior of the user interacting with the server is also large. Therefore, the behavior correlation degree between the two behaviors of the user can be determined through the behavior of the interaction between the user and the server in the two time periods. Therefore, only the data streams flowing to the server in the noon time period and the evening time period need to be acquired, the calculation amount for extracting at least one behavior characteristic parameter from the acquired data streams is small, and the burden of the electronic equipment can be relieved. In the embodiment of the present invention, the division of the preset time period is only an example, as for the division into several time periods, the duration of each time period may be set according to an actual situation, and the embodiment of the present invention is not limited thereto.
The embodiment of the invention can determine at least one behavior correlation degree of the user after acquiring at least one behavior characteristic parameter, and particularly can carry out normalization processing on each behavior characteristic parameter in the at least one behavior characteristic parameter so as to unify the at least one behavior characteristic parameter to the same reference system, so that each behavior characteristic parameter and other behavior characteristic parameters are not influenced with each other. And then determining at least one behavior relevancy of each user according to the normalized each behavior characteristic parameter through formula (1).
Figure BDA0001424488720000111
In formula (1), cov (x, y) is a behavior correlation degree between two behaviors, n is the number of at least one behavior category of the user, the behavior of the user interacting with the server is the user accessing the server, the user interacting with the server is preset behavior, such as playing cards and switching rooms, and the user inputs information, then the behavior of the user interacting with the server includes 4, and n is 4. x is the value of one behavior feature and y is the value of another behavior feature, for example, one behavior of a user is card-out, another behavior is room switching, and the frequency of card-out by the user is 10 times/minute, the frequency of room switching is 3 times/hour, then x is 10 times/minute and y is 3 times/hour.
Figure BDA0001424488720000112
Is the average value of x in a preset time period,
Figure BDA0001424488720000113
is the average value of y in a preset time period, wherein sxIs the standard deviation of x, syIs the standard deviation of y.
The behavior correlation degree between any two behaviors of one user can be calculated through the formula (1). The embodiment of the invention can determine the behavior correlation degree of the first behavior of the user with each behavior of other behaviors through the formula (1), and by analogy, the embodiment of the invention can determine the behavior correlation degree of any behavior of all behaviors of the user with each behavior of other behaviors, and the like.
After the behavior relevancy of any behavior of all the behaviors of each user and each behavior of other behaviors is determined, at least one behavior relevancy set of each user can be determined according to the types of the behaviors, and then the interval range corresponding to each behavior relevancy set is determined according to the behavior relevancy included in each behavior relevancy set of the at least one behavior relevancy set of each user.
For a behavior relevancy set, the embodiment of the present invention may obtain the maximum value and the minimum value of a plurality of behavior relevancy included in the behavior relevancy set, that is, the maximum value and the minimum value of behavior relevancy between a certain behavior of a user and other behaviors, respectively, and determine a range formed by the obtained maximum value and the obtained minimum value as an interval range of the behavior relevancy set. Generally speaking, the habit transformation range of the user is small, so the embodiment of the invention can approximate the obtained maximum value and the minimum value as two end values of the interval range. But the habit of the user is not constant and there are fluctuations in the maximum and minimum values. In view of this, one end of the range of the interval in the embodiment of the present invention may be the sum of the standard deviations of the maximum value and the maximum value, and the other end may be the difference between the standard deviations of the minimum value and the minimum value. The standard deviation can be used to characterize an error in behavioral relevance. Wherein the standard deviation of the maximum value can be calculated by formula (2).
Figure BDA0001424488720000121
Wherein σ is a standard deviation, S is a value of the first behavior feature parameter, μ is an average value of S in a preset time period, and N is the number of kinds of behaviors of the user.
According to the method, the interval range corresponding to each behavior relevancy set, namely at least one interval range, can be determined by traversing each behavior relevancy set in at least one behavior relevancy set. Each interval range can represent a behavior habit of a user interacting with the server, the behavior habit of the user interacting with the server can be determined from at least one interval range, if the user is infected and then used for carrying out DDoS attack on the server, the behavior habit of the infected user interacting with the server is different from the behavior habit of the normal user, namely, each behavior correlation degree in partial or all behavior correlation degrees of the user may not be in the corresponding interval range. Therefore, the embodiment of the invention can monitor all the behavior correlation degrees of any user in a preset time period to determine whether the user is an illegal user, namely whether the server is attacked by DDoS or not, and defend against the DDoS attack in time. The following describes how embodiments of the present invention defend against DDoS attacks by taking a user as an example.
Monitoring all the behavior relevancy of the first user, and detecting whether any one of the behavior relevancy is in an interval range corresponding to the behavior relevancy set where the behavior relevancy is located, wherein if the any one of the behavior relevancy is in the corresponding interval range, the behavior of the first user can be considered to be possibly normal. If not, it may be considered that the behavior of the first user may be abnormal and the first user may be infected. Therefore, in the embodiment of the present invention, if it is monitored that each behavior correlation degree in all the behavior correlation degrees of the first user is not within the range corresponding to the behavior correlation degree set in which each behavior correlation degree is located. Or if one or more preset behavior correlation degrees in all the behavior correlation degrees of the first user are not in the interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located, it can be considered that the behavior of the interaction between the first user and the server is abnormal and is likely to be infected, and then the IP address of the infected user can be blocked at this time, so as to prohibit the first user from accessing the server, and achieve the purpose of defending against DDoS attacks.
The embodiment of the invention can block the IP address of the first user within the first time period. The first time length may be determined according to a range corresponding to a behavior relevancy set where part or all of all the behavior relevancy of the first user and each of the part or all of the behavior relevancy are located. Any one of all the behavior relevancy of the first user can obtain a duration, and for any one of the behavior relevancy, a duration can be obtained through calculation according to formula (3).
Figure BDA0001424488720000131
In formula (3), Time is duration, e is a constant, i.e. logarithm of natural base number, n is the number of at least one behavior correlation set, xiThe difference value between the ith behavior correlation degree of the first user and the corresponding interval range is the difference value between the ith behavior correlation degree and the maximum value or the minimum value of the corresponding interval range. For example, if the ith behavior correlation of the first user is smaller than the minimum value of the corresponding interval range, the difference is the absolute value of the difference between the ith behavior correlation of the first user and the minimum value of the corresponding interval range. If the ith behavior correlation degree of the first user is greater than the maximum value of the corresponding interval range, the difference is the difference between the ith behavior correlation degree of the first user and the maximum value of the corresponding interval range.
The duration, i.e., a plurality of durations, corresponding to each behavior correlation degree in all the behavior correlation degrees of the first user can be obtained through the formula (3). The first duration may be determined to be any one of the plurality of durations. Or, the first time length may also be determined as the longest time length of the plurality of time lengths, so as to prevent DDoS attacks thoroughly by blocking the IP of the illegal user as much as possible.
The electronic equipment of the embodiment of the invention calculates a plurality of time lengths corresponding to all the behavior correlation degrees of the first user, the calculation amount is obviously larger, and the burden of the electronic equipment is possibly heavier. Therefore, in a possible implementation manner, the embodiment of the present invention may calculate only a plurality of durations corresponding to some of all the behavior relevance degrees, so as to reduce the burden of the electronic device. For example, the behavior correlation of the first behavior and the second behavior of the first user can obviously represent the behavior habit of the first user, and then the preset behavior correlation can be the behavior correlation of the first behavior and the second behavior of the first user. For another example, the behavior correlation degree between the first behavior and the second behavior of the first user and the behavior correlation degree between the third behavior and the fourth behavior of the first user may be combined to clearly characterize the behavior habit of the first user, and then the preset behavior correlation degree may be the behavior correlation degree between the first behavior and the second behavior of the first user and the behavior correlation degree between the third behavior and the fourth behavior of the first user.
If the first user is determined to be in the interval range corresponding to the behavior relevancy set, the first user is a legal user and is not infected. Then the behavior habit of a user interacting with the server may change, at this time, at least one behavior feature parameter of the first user may be recorded, at least one behavior correlation degree of the first user is re-determined through the recorded at least one behavior feature parameter, the re-determined at least one behavior correlation degree is updated to at least one behavior correlation degree set, that is, the behavior habit of the first user interacting with the server is re-determined, and the updated at least one behavior correlation degree set of the first user may be used as a standard for subsequent detection of an illegal user, so as to improve the detection accuracy.
The embodiment of the invention provides a novel defense method for DDoS attack, which determines the behavior habit of interaction between a user and a server at ordinary times by determining the behavior correlation degree between one behavior of the interaction between the user and the server and other behaviors. Therefore, if each behavior correlation degree in all the behavior correlation degrees of the user is not in the preset wave range corresponding to each behavior correlation degree within the preset time period, it may be considered that the behavior of the user interacting with the server is different from the usual behavior habit, and the user may be infected. The DDoS attack can be performed after the normal user is infected, the accuracy of determining the DDoS attack is improved, the IP address of the user can be sealed at the moment, and the DDoS attack can be defended in time.
The following describes the apparatus provided by the embodiment of the present invention with reference to the drawings.
Referring to fig. 2, based on the same inventive concept, an embodiment of the present invention provides a defense apparatus for DDoS attack, where the defense apparatus includes a first determining module 201, a second determining module 202, and a blocking module 203. The first determining module 201 may be configured to determine at least one behavior relevancy set for each user, where a behavior relevancy set includes behavior relevancy between a behavior of a user interacting with the server and other behaviors, and the behavior relevancy is used to indicate a degree of association between a behavior and any one of the other behaviors. The second determining module 202 may be configured to determine at least one interval range according to a plurality of behavior correlations included in at least one behavior correlation set, where one behavior correlation set corresponds to one interval range, and the interval range is used to indicate a preset fluctuation range of the behavior correlations between one behavior of the user interacting with the server and other behaviors, respectively. The block module 203 may be configured to block the IP address of the first user if it is determined that each of the all behavior correlations of the first user is not within the interval range corresponding to the behavior correlation set in which each of the behavior correlations is located within a preset time period.
Optionally, the first determining module 201 may specifically be configured to:
acquiring at least one behavior characteristic parameter of each user interacting with the server, wherein the behavior characteristic parameter is used for indicating the behavior of the user interacting with the server;
normalizing each behavior characteristic parameter in the at least one behavior characteristic parameter;
according to each behavior characteristic parameter after normalization, determining at least one behavior relevancy of each user through the following formula:
Figure BDA0001424488720000161
where cov (x, y) is the behavioral correlation between two behaviors, x is the value of one behavior characteristic parameter, y is the value of another behavior characteristic parameter,
Figure BDA0001424488720000162
is the average value of x in a preset time period,
Figure BDA0001424488720000163
is the average value of y in a preset time period, n is the number of the types of the behaviors of the user, wherein sxIs the standard deviation of x, syIs the standard deviation of y.
Optionally, the second determining module 202 may be specifically configured to:
sequentially acquiring the maximum value and the minimum value of the behavior correlation degree in each behavior correlation degree set in at least one behavior correlation degree set;
and determining a range formed by the maximum value and the minimum value in each behavior correlation degree set as an interval range of each behavior correlation degree set.
Optionally, the blocking module 203 may specifically be configured to:
if it is determined that each behavior correlation degree in all the behavior correlation degrees of the first user is not within the interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located, determining a plurality of durations for forbidding the IP address of the first user according to the behavior correlation degrees of the first user, wherein each behavior correlation degree of the first user corresponds to one duration;
determining a first time length according to the plurality of time lengths, and forbidding an IP address of a first user in the first time length;
wherein each duration is determined by the following formula:
Figure BDA0001424488720000164
wherein, Time is a first duration, e is a constant, and n is the number of at least one behavior correlation set,xiAnd the difference value is the difference value between the ith behavior correlation degree of the first user and the corresponding interval range, and the difference value is the difference value between the ith behavior correlation degree and the maximum value or the minimum value of the corresponding interval range.
Optionally, the blocking module 203 may further be configured to:
determining any one of a plurality of time lengths as a first time length;
or, determining the longest duration of the plurality of durations as the first duration.
Optionally, the defense device further includes an updating module 204, and the updating module 204 may be configured to:
in a preset time period, if each behavior correlation degree in all the behavior correlation degrees of the first user is in an interval range corresponding to the behavior correlation degree set, recording at least one behavior characteristic parameter of the first user;
re-determining at least one behavior correlation degree of the first user according to the recorded at least one behavior characteristic parameter;
and updating the re-determined at least one behavior correlation to at least one behavior correlation set.
Optionally, the behavior feature parameters include a duration of time for the user to access the server, a frequency of a preset behavior of the user interacting with the server, and a frequency of information input by the user.
The apparatus may be used to perform the method provided by the embodiment shown in fig. 1. Therefore, for functions and the like that can be realized by each functional module of the device, reference may be made to the description of the embodiment shown in fig. 1, which is not repeated.
Referring to fig. 3, an embodiment of the present invention further provides a computer apparatus, where the computer apparatus includes a processor 301, and the processor 301 is configured to implement the steps of the method for defending against DDoS attacks shown in fig. 1 according to the embodiment of the present invention when executing a computer program stored in a memory.
Optionally, the processor 301 may be a central processing unit, an Application Specific Integrated Circuit (ASIC), one or more Integrated circuits for controlling program execution, a hardware Circuit developed by using a Field Programmable Gate Array (FPGA), or a baseband processor.
Optionally, the processor 301 may include at least one processing core.
Optionally, the computer apparatus further includes a Memory 302, and the Memory 302 may include a Read Only Memory (ROM), a Random Access Memory (RAM), and a disk Memory. The memory 302 is used for storing data required by the processor 301 in operation. The number of the memories 302 is one or more. The memory 302 is also shown in fig. 3, but it should be understood that the memory 302 is not an optional functional module, and is therefore shown in fig. 3 by a dotted line.
It will be clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working processes of the system, the apparatus and the unit described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor (processor) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a Universal Serial Bus flash disk (usb flash disk), a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, and an optical disk.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (16)

1. A defense method for distributed denial of service (DDoS) attack is characterized by comprising the following steps:
determining at least one behavior relevancy set of each user; the behavior relevancy set comprises behavior relevancy between one behavior of a user interacting with the server and other behaviors, and the behavior relevancy is used for indicating the relevancy between the one behavior and any one of the other behaviors;
determining at least one interval range according to a plurality of behavior relevancy included in the at least one behavior relevancy set; the method comprises the steps that a behavior relevancy set corresponds to an interval range, and the interval range is used for indicating a preset fluctuation range of behavior relevancy between one behavior interacted with a server by a user and other behaviors;
and in a preset time period, if it is determined that each behavior correlation degree in all the behavior correlation degrees of the first user is not in an interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located, the internet protocol IP address of the first user is forbidden.
2. The defense method of claim 1, wherein determining at least one set of behavioral correlations for each user comprises:
acquiring at least one behavior characteristic parameter of each user interacting with the server; wherein the behavior characteristic parameter is used for indicating the behavior of the user interacting with the server;
normalizing each behavior characteristic parameter in the at least one behavior characteristic parameter;
and determining at least one behavior correlation degree of each user according to the normalized each behavior characteristic parameter.
3. The defense method of claim 1, wherein determining at least one interval range from a plurality of behavioral correlations comprised by the at least one set of behavioral correlations comprises:
sequentially acquiring the maximum value and the minimum value of the behavior correlation degree in each behavior correlation degree set in the at least one behavior correlation degree set;
determining a range formed by the sum of the maximum value and the standard deviation and the sum of the minimum value and the standard deviation in each behavior correlation degree set as an interval range of each behavior correlation degree set.
4. The defense method of any of claims 1-3, wherein blocking the Internet Protocol (IP) address of the first user comprises:
if it is determined that each behavior correlation degree in all the behavior correlation degrees of the first user is not within the interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located, determining a plurality of durations for forbidding the IP address of the first user according to the behavior correlation degree of the first user, wherein each behavior correlation degree of the first user corresponds to one duration;
and determining a first time length according to the plurality of time lengths, and forbidding the IP address of the first user in the first time length.
5. The defense method of claim 4, wherein determining the first time period as a function of the plurality of time periods comprises:
determining any one of the plurality of time lengths as the first time length;
or, determining the longest duration of the plurality of durations as the first duration.
6. The defense method of claim 5, further comprising:
in the preset time period, if each behavior correlation degree in all the behavior correlation degrees of the first user is in an interval range corresponding to the behavior correlation degree set, recording the at least one behavior characteristic parameter of the first user;
re-determining at least one behavior correlation degree of the first user according to the recorded at least one behavior characteristic parameter;
updating the at least one behavior relatedness determined anew to the at least one behavior relatedness set.
7. The defense method of claim 6, wherein the behavior feature parameters include a length of time a user accesses the server, a frequency of preset behaviors a user interacts with the server, and a frequency of user input information.
8. A distributed denial of service (DDoS) attack defense apparatus, comprising:
the first determining module is used for determining at least one behavior relevancy set of each user; the behavior relevancy set comprises behavior relevancy between one behavior of a user interacting with the server and other behaviors, and the behavior relevancy is used for indicating the relevancy between the one behavior and any one of the other behaviors;
a second determining module, configured to determine at least one interval range according to a plurality of behavior correlations included in the at least one behavior correlation set; the method comprises the steps that a behavior relevancy set corresponds to an interval range, and the interval range is used for indicating a preset fluctuation range of behavior relevancy between one behavior interacted with a server by a user and other behaviors;
and the forbidding module is used for forbidding the internet protocol IP address of the first user if the fact that each behavior correlation degree in all the behavior correlation degrees of the first user is not in the interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located is determined in a preset time period.
9. The defense device of claim 8, wherein the first determination module is specifically configured to:
acquiring at least one behavior characteristic parameter of each user interacting with the server; wherein the behavior characteristic parameter is used for indicating the behavior of the user interacting with the server;
normalizing each behavior characteristic parameter in the at least one behavior characteristic parameter;
and determining at least one behavior correlation degree of each user according to the normalized each behavior characteristic parameter.
10. The defense device of claim 8, wherein the second determination module is specifically configured to:
sequentially acquiring the maximum value and the minimum value of the behavior correlation degree in each behavior correlation degree set in the at least one behavior correlation degree set;
determining a range formed by the maximum value and the minimum value in each behavior correlation degree set as an interval range of each behavior correlation degree set.
11. The defense device of any one of claims 8-10, wherein the containment module is specifically configured to:
if it is determined that each behavior correlation degree in all the behavior correlation degrees of the first user is not within the interval range corresponding to the behavior correlation degree set in which each behavior correlation degree is located, determining a plurality of durations for forbidding the IP address of the first user according to the behavior correlation degree of the first user, wherein each behavior correlation degree of the first user corresponds to one duration;
and determining a first time length according to the plurality of time lengths, and forbidding the IP address of the first user in the first time length.
12. The defense device of claim 11, wherein the containment module is further to:
determining any one of the plurality of time lengths as the first time length;
or, determining the longest duration of the plurality of durations as the first duration.
13. The defense device of claim 12, further comprising an update module to:
in the preset time period, if each behavior correlation degree in all the behavior correlation degrees of the first user is in an interval range corresponding to the behavior correlation degree set, recording the at least one behavior characteristic parameter of the first user;
re-determining at least one behavior correlation degree of the first user according to the recorded at least one behavior characteristic parameter;
updating the at least one behavior relatedness determined anew to the at least one behavior relatedness set.
14. The defense device of claim 13, wherein the behavior feature parameters include a length of time a user accesses the server, a frequency of preset behaviors a user interacts with the server, and a frequency of user input information.
15. A computer arrangement, characterized in that the arrangement comprises a processor for implementing the steps of the method according to any one of claims 1-7 when executing a computer program stored in a memory.
16. A computer-readable storage medium having stored thereon a computer program, characterized in that: the computer program realizing the steps of the method according to any one of claims 1-7 when executed by a processor.
CN201710908810.0A 2017-09-29 2017-09-29 Defense method and device for DDoS attack Active CN107528859B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710908810.0A CN107528859B (en) 2017-09-29 2017-09-29 Defense method and device for DDoS attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710908810.0A CN107528859B (en) 2017-09-29 2017-09-29 Defense method and device for DDoS attack

Publications (2)

Publication Number Publication Date
CN107528859A CN107528859A (en) 2017-12-29
CN107528859B true CN107528859B (en) 2020-07-10

Family

ID=60683953

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710908810.0A Active CN107528859B (en) 2017-09-29 2017-09-29 Defense method and device for DDoS attack

Country Status (1)

Country Link
CN (1) CN107528859B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111241543B (en) * 2020-01-07 2021-03-02 中国搜索信息科技股份有限公司 Method and system for intelligently resisting DDoS attack by application layer
CN112003873B (en) * 2020-08-31 2022-04-19 成都安恒信息技术有限公司 HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103916365A (en) * 2012-12-31 2014-07-09 西门子公司 Method and apparatus for exporting and verifying network behavioral characteristics of malicious code
CN103944919A (en) * 2014-05-06 2014-07-23 浙江大学城市学院 Wireless multi-step attack mode excavation method for WLAN
CN104519031A (en) * 2013-09-30 2015-04-15 西门子公司 Method and device for detecting malicious network behaviors
CN105208040A (en) * 2015-10-12 2015-12-30 北京神州绿盟信息安全科技股份有限公司 Network attack detection method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7848271B2 (en) * 2007-06-26 2010-12-07 Research In Motion Limited System and method for conserving power for a wireless device while maintaining a connection to a network
CN105210042B (en) * 2013-03-14 2019-07-12 班杜拉有限责任公司 Internet protocol threatens protection

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103916365A (en) * 2012-12-31 2014-07-09 西门子公司 Method and apparatus for exporting and verifying network behavioral characteristics of malicious code
CN104519031A (en) * 2013-09-30 2015-04-15 西门子公司 Method and device for detecting malicious network behaviors
CN103944919A (en) * 2014-05-06 2014-07-23 浙江大学城市学院 Wireless multi-step attack mode excavation method for WLAN
CN105208040A (en) * 2015-10-12 2015-12-30 北京神州绿盟信息安全科技股份有限公司 Network attack detection method and device

Also Published As

Publication number Publication date
CN107528859A (en) 2017-12-29

Similar Documents

Publication Publication Date Title
JP6432210B2 (en) Security system, security method, security device, and program
CN107465651B (en) Network attack detection method and device
CN105577608B (en) Network attack behavior detection method and device
US10289838B2 (en) Scoring for threat observables
US8370389B1 (en) Techniques for authenticating users of massive multiplayer online role playing games using adaptive authentication
US20140157415A1 (en) Information security analysis using game theory and simulation
CN104836781B (en) Distinguish the method and device for accessing user identity
EP2863611B1 (en) Device for detecting cyber attack based on event analysis and method thereof
JP6528448B2 (en) Network attack monitoring device, network attack monitoring method, and program
CN110071941B (en) Network attack detection method, equipment, storage medium and computer equipment
US20130318615A1 (en) Predicting attacks based on probabilistic game-theory
JP2019021294A (en) SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS
CN106603555A (en) Method and device for preventing library-hit attacks
CN102291390A (en) Method for defending against denial of service attack based on cloud computation platform
CN107517200B (en) Malicious crawler defense strategy selection method for Web server
EP3270317A1 (en) Dynamic security module server device and operating method thereof
CN113329029A (en) Situation awareness node defense method and system for APT attack
CN110959158A (en) Information processing apparatus, information processing method, and information processing program
CN107528859B (en) Defense method and device for DDoS attack
JP2018073140A (en) Network monitoring device, program and method
EP3331210B1 (en) Apparatus, method, and non-transitory computer-readable storage medium for network attack pattern determination
JP6392985B2 (en) Detection system, detection device, detection method, and detection program
CN111478860A (en) Network control method, device, equipment and machine readable storage medium
Mezzour et al. Global mapping of cyber attacks
CN113765914B (en) CC attack protection method, system, computer equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.