CN109922072A - Distributed denial-of-service attack detection method and device - Google Patents
- Publication number: CN109922072A (application CN201910203974.2A)
- Authority: CN (China)
- Prior art keywords: real, ratio, time, data, threshold
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a distributed denial-of-service (DDoS) attack detection method and device. The method comprises: obtaining, in real time, the data packets received by a server; parsing and counting each data packet within a first preset time period to obtain real-time flow values for different dimensions; according to a first real-time flow value of the SYN (synchronize) flag dimension and a second real-time flow value of the FIN (finish) flag dimension, calculating the ratio of the first real-time flow value to the second real-time flow value to obtain a first ratio; and, when the first ratio is greater than a first threshold, determining that the server is under a SYN flood attack. The invention determines effectively and in a targeted way whether a server is under the SYN flood variant of a DDoS attack. Because the real-time flow values capture the dynamic relationship between associated TCP flags, the SYN flood judgement is more flexible and accurate, and false alarms are reduced.
Description
Technical field
The present invention relates to the field of Internet communication technology, and in particular to a distributed denial-of-service attack detection method and device.
Background art
A SYN flood attack is one form of DDoS (Distributed Denial of Service) attack. It exploits a weakness of TCP (Transmission Control Protocol): by sending a large number of forged SYN (synchronize) connection requests, the attacker exhausts the victim's resources (CPU saturation or memory exhaustion) so that it can no longer serve legitimate clients. In 2000, several large commercial websites in the United States (including Yahoo, eBay, CNN and Amazon) were hit in succession by SYN flood attacks; services were down for hours and the economic loss was put at 1.2 billion US dollars. In 2005, the large Chinese commercial website 8848 was likewise attacked by a SYN flood, with service down for up to 27 hours. A SYN flood looks simple but is very hard to defend against. On the one hand, it exploits an inherent weakness of TCP, and no legitimate network service can simply refuse all SYN packets. On the other hand, the attacker does not need any reply from the target host, so it can forge the source IP address of its packets and the target has no way to trace them.
At present, SYN flood attacks are usually countered only after the fact, by which time the attack has already done some harm to the victim host or target network. There is therefore a need for an accurate and effective scheme that detects SYN flood attacks in advance.
Summary of the invention
In order to solve the problems of the prior art, in which detection carried out while a SYN flood attack is being resisted has low accuracy and is prone to false alarms, the present invention provides a distributed denial-of-service attack detection method and device:
In one aspect, the present invention provides a distributed denial-of-service attack detection method, comprising:
obtaining, in real time, the data packets received by a server;
parsing and counting each data packet within a first preset time period to obtain real-time flow values for different dimensions;
according to a first real-time flow value of the SYN flag dimension and a second real-time flow value of the FIN flag dimension, calculating the ratio of the first real-time flow value to the second real-time flow value to obtain a first ratio;
when the first ratio is greater than a first threshold, determining that the server is under a SYN flood attack.
In another aspect, a distributed denial-of-service attack detection device is provided, comprising:
a data packet acquisition module, for obtaining in real time the data packets received by the server;
a first statistics module, for parsing and counting each data packet within the first preset time period to obtain real-time flow values for different dimensions;
a first computing module, for calculating, according to the first real-time flow value of the SYN flag dimension and the second real-time flow value of the FIN flag dimension, the ratio of the first real-time flow value to the second real-time flow value to obtain the first ratio;
an attack decision module, for determining that the server is under a SYN flood attack when the first ratio is greater than the first threshold.
In another aspect, a server is provided, comprising a processor and a memory, the memory storing at least one instruction, at least one program segment, code set or instruction set, which is loaded and executed by the processor to implement the distributed denial-of-service attack detection method described above.
In another aspect, a computer-readable storage medium is provided, storing at least one instruction, at least one program segment, code set or instruction set, which is loaded and executed by a processor to implement the distributed denial-of-service attack detection method described above.
The distributed denial-of-service attack detection method and device provided by the invention have the following technical effects:
The invention determines effectively and in a targeted way whether a server is under the SYN flood variant of a DDoS attack. The real-time flow values capture the dynamic relationship between associated TCP flags, so the SYN flood judgement is more flexible and accurate, adapts to the complex traffic patterns of production networks, and reduces false alarms.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Clearly, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an application environment provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of a distributed denial-of-service attack detection method provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of comparing real-time flow values with flow-value baselines, provided by an embodiment of the present invention;
Fig. 4 is a flow diagram of comparing the ratio of the first real-time flow value to the second real-time flow value, provided by an embodiment of the present invention;
Fig. 5 is a flow diagram of determining that the server is under a SYN flood attack when the first ratio is greater than the first threshold, provided by an embodiment of the present invention;
Fig. 6 is a block diagram of a distributed denial-of-service attack detection device provided by an embodiment of the present invention;
Fig. 7 is a block diagram of another distributed denial-of-service attack detection device provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of model training and model prediction provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of a reflective SYN flood attack provided by an embodiment of the present invention;
Fig. 10 is a schematic diagram of a real-time traffic detection process provided by an embodiment of the present invention;
Fig. 11 is a schematic diagram of a SYN flood attack detection system provided by an embodiment of the present invention;
Fig. 12 is a block diagram of a server provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Clearly, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that the terms "comprise" and "have", and any variants of them, in the description, claims and drawings are intended to cover a non-exclusive inclusion: a process, method, system, product or server that comprises a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to that process, method, product or device.
Referring to Fig. 1, an application environment provided by an embodiment of the present invention comprises a service requester cluster 110, a service processing server 120 and a traffic detection server 130. The service requester cluster 110 comprises a number of user terminal devices, which may be, without limitation, mobile phones, tablet computers, desktop computers and similar terminals. The service processing server 120 receives and processes the service requests sent by users. The traffic detection server 130 inspects the incoming traffic, judges whether a SYN flood attack is present, and issues an alarm when one is detected. Fig. 1 is only one example.
In an embodiment of the present invention, before the traffic reaches the core switch, a copy of it is mirrored to a traffic analysis system, which processes it further (classification, parsing, counting, calculation, difference comparison and so on) and, from the result, decides whether the server is under a SYN flood attack.
In practice, the traffic detection server can be deployed on a backbone router of a large or medium-sized network.
A distributed denial-of-service attack detection method of the present invention is introduced below. Fig. 2 is a flow diagram of the method provided by an embodiment of the present invention. This description gives the operating steps of the method as in the embodiments or flow diagrams, but conventional or non-creative work may involve more or fewer steps. The order in which the steps are listed in the embodiments is only one of many possible execution orders and does not represent the only one. When executed by a real system or server product, the steps may be run in the order shown in the embodiments or drawings, or in parallel (for example in a multi-processor or multi-threaded environment). As shown in Fig. 2, the method may comprise:
S201: obtaining, in real time, the data packets received by the server;
In an embodiment of the present invention, as shown in Fig. 11, the data packets can be mirrored in real time by an optical splitter placed on the path by which the operator delivers the packets to the core switch 1110; in this way the packets that the operator sends to the server 1120 through the core switch 1110 are obtained in real time. After passing through the splitter switch 1130, the packets are distributed to different unpacking processes (unpacking module 1140) according to the (source IP, destination IP) pair. Rather than passive detection followed by defence, the mirrored packets are inspected before they reach the server, so packets carrying the characteristic fields of a SYN flood can be filtered (for example on SYN packet length) and cleaned in time, which better guarantees that the server keeps functioning.
S202: parsing and counting each data packet within the first preset time period to obtain real-time flow values for different dimensions;
In an embodiment of the present invention, each data packet is parsed according to the specification of the corresponding protocol stack and the fields of that protocol are extracted. For example, a UDP (User Datagram Protocol) packet can be parsed to obtain its header fields (pseudo-header, source port, destination port, length and checksum) and its data field. A TCP (Transmission Control Protocol) packet can be parsed to obtain its SYN (synchronize), FIN (finish), ACK (acknowledge), RST (reset) and other flags. Since the goal is SYN flood detection, it is also possible to parse only the TCP packets within the first preset time period and use the SYN and FIN statistics as the detection parameters. As shown in Fig. 11, this can be done by the traffic statistics module 1162 of the real-time detection module 1160.
In a specific embodiment, the real-time flow values of the different dimensions can be counted as follows: first, a statistics key is defined for each dimension; then the flow value for that key is measured within a preset time window.
For the source port dimension:
Using destination IP + source port as the statistics key, the flow value of the source port dimension is counted per destination IP and source port, so that the flow value of a given source port towards a given destination IP can be observed within a given time window. Source ports of particular interest include 53, 123, 161, 1900, 19, 135, 0 and so on.
For the destination port dimension:
Using destination IP + destination port as the statistics key, the flow value of the destination port dimension is counted per destination IP and destination port, so that the flow value of a given destination port of a given destination IP can be observed within a given time window.
For the packet length dimension:
Assume the maximum packet length is 1500; dividing it by 100 gives 15. Dividing each observed packet length by 100 then gives a bucket value M that falls in one of the intervals between 0 and 15. Using destination IP + M as the statistics key, the flow value of the packet length dimension is counted per destination IP and M, so that the flow value of a given packet-length bucket of a given destination IP can be observed within a given time window.
For the TTL (Time To Live) dimension:
Similarly to the packet length dimension, the observed TTL value is divided by a preset value, for example 16, to obtain a bucket value N. The flow value of the TTL dimension is counted using destination IP + N, so that the flow value of a given TTL bucket of a given destination IP can be observed within a given time window.
For the TCP packet dimension, a TCP flag can be set that points to the characteristics of a TCP packet (for example the TCP packet format), and the flow value of that flag is measured within the time window.
For the SYN flag dimension, a SYN identification bit can be set that points to the SYN characteristic (SYN = 1 indicates that the packet is a connection request or a connection acceptance), and the flow value of that bit is measured within the time window.
For the FIN flag dimension, a FIN identification bit can be set that points to the FIN characteristic (FIN = 1 indicates that the sender of the segment has finished sending data and asks for the connection to be released), and the flow value of that bit is measured within the time window.
For the RST flag dimension, an RST identification bit can be set that points to the RST characteristic (RST = 1 indicates a serious error in the TCP connection; the connection must be released and then re-established), and the flow value of that bit is measured within the time window.
As shown in Fig. 3, after the step of parsing and counting each data packet within the first preset time period to obtain real-time flow values for the different dimensions, the method further comprises:
S301: comparing the real-time flow value of each dimension with the corresponding flow-value baseline;
In a specific embodiment, the flow-value baseline of each dimension is computed offline in advance from data packets collected during a second preset time period. The second preset time period is a period before the current one (that is, before the first preset time period), for example the most recent 7 days, counted back from 00:00 today. The offline calculation is in effect a traffic profile of each destination IP, yielding the traffic characteristics of that IP. The flow-value baseline of each dimension is obtained as follows. First, the stored data packets of the second preset time period are denoised. Denoising can filter out traffic to non-company IPs, screen out mixed traffic, filter out SYN flood attack traffic, and so on. Filtering out SYN flood traffic is possible because these packets are historical: the detection run at the time already established whether SYN flood traffic was present, so the packets that would bias the attack judgement can be removed, leaving genuinely normal packets that were not part of a DDoS attack. Next, the denoised packets are smoothed. Smoothing removes spikes and fills in missing flow values over a recent interval, for example with the maximum value of the most recent 20 minutes. Then the flow-value baseline of each dimension is obtained from the processed data: after the denoising and smoothing described above, a traffic curve is fitted to the processed data to give the baseline of each dimension. The baseline here is the normal flow value within a preset period. Specifically, for every time point of every dimension there is a corresponding baseline value; that is, processing the most recent 7 days of packets yields, for each destination IP, a reference flow value for each dimension at each time point of the day. Statistics of these packets can also be computed at the same time, including maximum and minimum, mean, variance and multiples of the standard deviation. The baselines and statistics may be stored in a database for use by the real-time detection. As shown in Fig. 11, the process can be executed by the offline calculation module 1150 (comprising the traffic collection module 1152, the second storage module 1154, the data processing module 1156 and the first storage module 1158) to obtain the flow-value baseline of each dimension.
In practice, the traffic of a given destination IP can be described by the flow values of the source port, destination port, packet length and TTL dimensions, by the ratio of the SYN flag flow value to the FIN flag flow value, and by the ratio of the SYN flag flow value to the TCP packet flow value. Correspondingly, the flow-value baselines include a source port baseline, a destination port baseline, a packet length baseline, a TTL baseline, a SYN/FIN baseline and a SYN/TCP baseline. Because the packets of the most recent 7 days differ from day to day, the baselines derived from them also differ, so the baseline of each dimension of each destination IP changes dynamically. Of course, for a given destination IP the set of dimensions for which baselines are computed offline can be chosen according to that IP. For example, if comparing the source port, destination port, packet length and TTL baselines with the corresponding real-time flow values already gives the required detection accuracy, the SYN/FIN and SYN/TCP baselines need not be computed offline, which reduces the computational burden while maintaining detection accuracy.
S302: when the result of the difference comparison does not satisfy a preset condition, determining that the server is abnormal;
From the most recent 7 days of packets, the flow value of each dimension at each time point of the day is obtained for each destination IP; the real-time flow value of a dimension at a given time point is compared with the baseline at the corresponding time point. A separate threshold can be set for the judgement of each dimension. As shown in Fig. 11, the difference comparison module 1164 of the real-time detection module 1160 compares the real-time flow value with the baseline of the corresponding dimension, and based on the result the alarm module 1170 issues an alarm that the server is abnormal.
In a specific embodiment, taking the source port dimension as an example, assume a preset time window of 10 s sampled every 2 s, so there are 5 time points per window. The traffic of destination IP + port 53 is collected, and the flow values at the 5 time points, x = (x1, x2, x3, x4, x5), are compared with the baseline values for destination IP + port 53 at the corresponding moments, y = (y1, y2, y3, y4, y5). The deviation between the real-time flow value and the source port baseline can be computed with two methods, Euclidean distance and cosine similarity; when the deviation exceeds the set threshold, the flag bit of the destination IP + port 53 dimension is set to 1. Since both methods are used to compute a deviation, the larger of the two can be taken as the final deviation. The deviation can also be computed with the dynamic time warping (DTW) algorithm.
In another specific embodiment, taking the TCP packet dimension as an example, the cumulative sum of the most recent 5 change points can be computed with the CUSUM algorithm. The flow value at each time point is compared with the baseline at the corresponding time point; if the flow at a point rises above the baseline, the difference is accumulated, otherwise it is not. Finally the accumulated sum over the 5 points is compared with a statistic, which may be a multiple of the standard deviation or another statistic; when the sum exceeds the statistic, the flag bit of the TCP packet dimension is set to 1.
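The two baseline checks just described, as an added Python example that is not code from the patent: Euclidean distance and cosine dissimilarity over a constructed 5-point window for the source-port case, and the CUSUM accumulation of positive excursions for the TCP-packet case. The threshold values, the constructed real-time and baseline vectors, and the way the two distance measures are combined (each is divided by its own threshold before the larger is taken, so that a byte-scale distance and a unitless similarity can be compared) are assumptions of this example; the text only says that the larger deviation is used.

```python
import math


def euclidean_deviation(x, y):
    """Euclidean distance between the real-time window x and the baseline y."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, y)))


def cosine_deviation(x, y):
    """1 - cosine similarity: 0 when the window has the same shape as the baseline."""
    dot = sum(a * b for a, b in zip(x, y))
    nx = math.sqrt(sum(a * a for a in x))
    ny = math.sqrt(sum(b * b for b in y))
    if nx == 0.0 or ny == 0.0:
        # An all-zero vector has no direction: identical only if both are zero,
        # otherwise treat the two as maximally different.
        return 0.0 if nx == ny else 1.0
    return 1.0 - dot / (nx * ny)


def distance_flag(x, y, euclid_thr, cos_thr):
    """Source-port style check: compute both measures, the larger one wins.

    Each deviation is normalised by its own threshold (assumed design choice),
    so the final value is "how many times the threshold".  Returns
    (final_deviation, flag) where flag is 1 when the dimension's bit is set.
    """
    e = euclidean_deviation(x, y) / euclid_thr
    c = cosine_deviation(x, y) / cos_thr
    final = max(e, c)
    return final, int(final > 1.0)


def cusum_flag(x, y, stat_value, window=5):
    """TCP-packet style check: accumulate only the positive excursions above
    the baseline over the last `window` points and compare the sum with a
    statistic from the offline profile (e.g. a multiple of the standard
    deviation).  Returns (accumulated_sum, flag)."""
    total = 0.0
    for a, b in zip(x[-window:], y[-window:]):
        if a > b:
            total += a - b
    return total, int(total > stat_value)


# Constructed 10 s window sampled every 2 s (5 points) for one destination IP
# + source port 53, against a constructed baseline for the same moments.
REALTIME = (120, 125, 400, 450, 480)
BASELINE = (100, 110, 120, 115, 105)

if __name__ == "__main__":
    print(distance_flag(REALTIME, BASELINE, euclid_thr=150.0, cos_thr=0.05))
    print(cusum_flag(REALTIME, BASELINE, stat_value=300.0))
```

Note the different failure modes the two measures catch: a window that is a uniformly scaled copy of the baseline has a cosine deviation near 0 but a large Euclidean distance, while a window of the same magnitude with a spike in the wrong place triggers the cosine check first; CUSUM ignores drops below the baseline entirely, so a window that is quieter than usual never sets the TCP-packet bit.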
As shown in Fig. 10, after the real-time flow value of each dimension has been compared with the corresponding baseline, the comparison results can be correlated further to obtain the output of whether the server is abnormal.
Profiling the traffic of each destination IP by offline calculation makes SYN flood detection more targeted: the SYN floods against different destination IPs can be detected more flexibly and adaptively. At the same time, because the traffic information underlying the offline calculation itself changes dynamically, detection of a SYN flood is more accurate and effective even for the same destination IP.
S203: according to the first real-time flow value of the SYN flag dimension and the second real-time flow value of the FIN flag dimension, calculating the ratio of the first real-time flow value to the second real-time flow value to obtain the first ratio;
The counting of the first and second real-time flow values is described above and is not repeated here. Here the first ratio = first real-time flow value / second real-time flow value.
As shown in Fig. 4, before the step of calculating the first ratio from the first real-time flow value of the SYN flag dimension and the second real-time flow value of the FIN flag dimension, the method further comprises:
S401: counting the data packets to obtain a real-time total flow value;
The counting of the real-time total flow value of TCP packets is described above and is not repeated here.
S402: calculating the ratio of the first real-time flow value to the real-time total flow value to obtain a third ratio;
Here the third ratio = first real-time flow value / real-time total flow value.
S403: when the third ratio is greater than a fourth threshold, calculating the first ratio and comparing it with the first threshold;
In practice, the fourth threshold is set in the range 0.15 to 1. Taking, for example, a fourth threshold of 0.10: when the third ratio is 0.2, SYN flood detection continues by calculating the first ratio and comparing it with the first threshold. Of course, the first real-time flow value, the second real-time flow value and the real-time total flow value may be counted at the same time, and the comparison of the third ratio with the fourth threshold and the comparison of the first ratio with the first threshold may also be performed at the same time.
Comparing the third ratio with the fourth threshold captures the relationship between the SYN flag flow value and the TCP packet flow value. The fourth threshold can be derived from long-term statistical experience of SYN flood detection; a third ratio above the fourth threshold indicates, to some extent, that the SYN flow value is higher than normal. Together with the other detection parameters and thresholds, this helps to detect SYN floods more comprehensively and accurately.
S204: when the first ratio is greater than the first threshold, determining that the server is under a SYN flood attack.
In practice, the first threshold is greater than the fourth threshold and can be set in the range 50 to 300. Taking, for example, a first threshold of 80: when the first ratio is 100, the server is determined to be under a SYN flood attack. When the server is in a normal state, the first and second real-time flow values should not differ greatly: the number of packets with SYN = 1 and the number with FIN = 1 are close and may even be equal. A first ratio above the first threshold reflects an abnormal SYN flow value, and the larger the first ratio (for example far above 200), the more likely it is that the server is under a SYN flood.
As shown in figure 5, it is described when first ratio is greater than first threshold, determine that there are sync messages for the server
The step of field extensive aggression, comprising:
S501: according to the third real-time flow data and second real-time flow data for resetting message field (MFLD) dimension, institute is calculated
The ratio that third real-time flow data accounts for second real-time flow data is stated, the second ratio is obtained;
The statistics of second real-time flow data and third real-time flow data can be found in above-mentioned, does not repeat here.Here
Obtain the second ratio=third real-time flow data/second real-time flow data.
S502: when second ratio is less than second threshold, determining the server, there are direct-type sync message words
Section extensive aggression;
In a direct SYN flood attack, the attacker either sends a large number of SYN packets with forged source IP addresses directly to the attacked host, or controls a large number of puppet machines to send such SYN packets to the attacked host. Because the source IP addresses in the SYN packets issued by the attacker or the puppet machines are false, the attacked host keeps the resources allocated for each connection until it finally gives up and releases them. Under a direct SYN flood attack, the network of the attacked host is flooded with a large number of invalid SYN packets: relative to the FIN flow value, the SYN flow value rises sharply, while the change in the RST flow value is not obvious.
In practical applications, the second threshold is less than the first threshold. The second threshold may be set in the range 0-0.1. Here the second threshold may be taken as 0, that is, when the second ratio tends to 0, it is determined that the server is under a direct sync message field flood attack. The traffic may then be diverted to protection equipment corresponding to direct SYN flood attacks, and traffic cleaning performed there, mainly targeting the characteristics of direct SYN flood attacks.
S503: when the second ratio is greater than a third threshold, determining that the server is under a reflective sync message field flood attack;
wherein the third threshold is greater than the first threshold.
As shown in Figure 9, in a reflective SYN flood attack the attacker uses IP spoofing to impersonate the IP address of the attacked host, forges TCP connection requests and sends them to a large number of randomly chosen reflection hosts. Following the rules of the TCP three-way handshake, these reflection hosts respond to the requests by returning a large number of SYN+ACK or RST packets to the attacked host (the victim). As a result, the flood traffic originally used for the attack is dispersed across many reflection hosts and finally converges on the attacked host or the network where it resides as a flood, congesting the network or leaving the attacked host too busy handling abnormal connections to serve the normal requests of other users, thereby achieving the purpose of the attack. At the same time, the attacked host also rejects such invalid packets with RST. Therefore, under a reflective SYN flood attack, the network of the attacked host is flooded not only with a large number of SYN packets but also with a large number of RST packets.
In practical applications, the third threshold is greater than the first threshold. The third threshold may be set in the range 500 to +∞. Here the third threshold may be taken as 1000000, that is, when the second ratio tends to +∞, it is determined that the server is under a reflective sync message field flood attack. The traffic may then be diverted to protection equipment corresponding to reflective SYN flood attacks, and traffic cleaning performed there, mainly targeting the characteristics of reflective SYN flood attacks.
Further, for servers with different business characteristics, the thresholds used for SYN flood attack detection also differ. For example, a server carrying high-traffic business (popular products such as Weibo, WeChat or Taobao), a server carrying medium-traffic business (an education website whose traffic surges during enrolment, or a travel website whose traffic surges during the Spring Festival travel period) and a server carrying low-traffic business have different flow value baselines, so the specific thresholds are set differently. For a server carrying high-traffic business, traffic sometimes surges (for example during trending searches or the Double 11 shopping festival), and thresholds can be set based on similar historical points in time or situations. The traffic changes (peaks and troughs) faced by a server carrying low-traffic business are relatively inconspicuous, whereas those faced by a server carrying high-traffic business are relatively obvious, so the detection of change points for these two classes of servers can also follow different rules.
As shown in Figure 8, a SYN flood attack detection model can be obtained by training a machine learning model. The data messages collected in a certain preset time period before the current period are taken as one sample, and samples are labelled according to whether a SYN flood attack was present (positive samples and negative samples). Multiple samples are input as training data to a preset machine learning model (for example a deep neural network model, a regression machine learning model or a decision tree machine learning model), and the corresponding machine learning algorithm implements the above offline computation of the flow value baselines (noise reduction may be applied to the data messages, but SYN flood attack traffic is not filtered out) as well as the real-time detection and difference comparison of the real-time flow values. The thresholds of the model are adjusted continuously during training; the values of the first, second, third and fourth thresholds above can serve as the model's initial threshold values. The data messages collected in the current period are input to the model as test data, and the model outputs a prediction of whether the server is under a SYN flood attack. When a SYN flood attack is detected, an alarm can be raised. For false alarms, the corresponding test data is labelled as samples and fed back into model training.
Specifically, taking the training of a logistic regression model on the training data to obtain the SYN flood attack detection model as an example, the process may include: inputting the labelled samples (positive samples and negative samples) to the logistic regression model, whose output is the probability p (a number between 0 and 1) that a labelled sample is a positive sample; the labels y of positive and negative samples are 1 and 0 respectively; the loss between the sample label y and the probability p is defined as (y-p)^2, and accordingly the error during training is obtained from (y-p)^2; each threshold is updated by gradient descent and the logistic regression model is retrained. The modified thresholds make the error between the probability p output by the model next time and the sample label y smaller; when the error is less than a certain value, the current logistic regression model can be used as the SYN flood attack detection model.
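The logistic regression variant just described, as an added Python example (not the patent's code): a logistic regression over three ratio features is trained by full-batch gradient descent on the squared loss (y-p)^2, starting from the first threshold (200) as the initial decision boundary on SYN/FIN, so that training moves that boundary rather than starting from scratch. The feature set, the learning rate and epoch count, and the labelled sample windows are assumptions.

```python
"""Logistic regression SYN flood detector trained by gradient descent on the
squared loss (y - p)^2 from the description. Added example, not the patent's
code; features, learning rate, sample windows and stopping rule are assumed."""
import math


def features(syn, fin, rst, total):
    """Three ratio features; log-scaled where the page's thresholds span orders of magnitude."""
    def safe(num, den):  # num/den, with x/0 mapped to a large finite value so the logs stay finite
        return num / den if den else (1e6 if num else 0.0)
    return [math.log10(max(safe(syn, fin), 1e-3)),   # first ratio  (SYN/FIN)
            math.log10(1.0 + safe(rst, fin)),         # second ratio (RST/FIN)
            safe(syn, total)]                         # third ratio  (SYN/all packets)


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(w, b, x):
    """Probability p that the window is a positive (attack) sample."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def mean_loss(w, b, data):
    return sum((y - predict(w, b, x)) ** 2 for x, y in data) / len(data)


def train(data, w, b, lr=0.1, epochs=3000):
    """Full-batch gradient descent on (y - p)^2; returns the updated (w, b)."""
    w, n = list(w), len(data)
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, y in data:
            p = predict(w, b, x)
            g = -2.0 * (y - p) * p * (1.0 - p)   # d(y - p)^2 / dz for the logistic output
            for i, xi in enumerate(x):
                gw[i] += g * xi / n
            gb += g / n
        w = [wi - lr * gi for wi, gi in zip(w, gw)]
        b -= lr * gb
    return w, b


# Constructed labelled windows: (syn, fin, rst, total, label); label 1 = SYN flood, 0 = normal.
SAMPLES = [
    (100, 95, 2, 1000, 0), (120, 110, 5, 1500, 0), (300, 100, 10, 3000, 0),
    (80, 90, 1, 2000, 0), (150, 140, 3, 900, 0),
    (50000, 10, 0, 50200, 1), (30000, 100, 5, 31000, 1), (2500, 10, 20000, 23000, 1),
    (300, 1, 0, 400, 1), (8000, 5, 15000, 24000, 1),
]
DATA = [(features(s, f, r, t), y) for s, f, r, t, y in SAMPLES]

# Initial parameters: the page's first threshold (200) as the decision boundary on log10(SYN/FIN),
# i.e. p = 0.5 exactly when SYN/FIN = 200 before any training.
W0, B0 = [1.0, 0.0, 0.0], -math.log10(200.0)


def train_detector():
    """Train from the threshold initial value; return parameters, losses before/after and accuracy."""
    w, b = train(DATA, W0, B0)
    acc = sum((predict(w, b, x) > 0.5) == bool(y) for x, y in DATA) / len(DATA)
    return w, b, mean_loss(W0, B0, DATA), mean_loss(w, b, DATA), acc


if __name__ == "__main__":
    w, b, before, after, acc = train_detector()
    print("weights", w, "bias", b)
    print("loss before", round(before, 4), "after", round(after, 4), "accuracy", acc)
```

The page's "threshold" becomes the bias term here: with weight 1 on log10(SYN/FIN) and bias -log10(200), the untrained model already encodes the first threshold, and gradient descent on the squared error sharpens the boundary and adds weight to the RST/FIN and SYN/total features.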
Training the SYN flood attack detection model with a machine learning model in this way gives it high generalisation ability; when the model is used for SYN flood attack detection, its recognition adaptability to servers with different business characteristics is improved, and the reliability and validity of SYN flood attack detection are greatly improved.
From the technical solution provided by the embodiments of this specification, it can be seen that by calculating the ratio of the first real-time flow value of the sync message field dimension to the second real-time flow value of the termination message field dimension within the first preset time period, and comparing the resulting ratio with the first threshold, specific features are combined with flow values for detection and determination, so that whether the server is under the sync message field flood attack among distributed denial of service attacks is determined effectively and in a targeted manner. The real-time flow values reflect the dynamic changes of the associated message fields, so the determination of sync message field flood attacks is more flexible and accurate, adapts to the complex business traffic patterns of live networks, and reduces the occurrence of false alarms.
The embodiment of the invention also provides a distributed denial of service attack detection device, as shown in Figure 6. The device comprises:
a data message obtaining module 61, for obtaining in real time the data messages received by the server;
a first statistical module 62, for parsing and counting each data message in the first preset time period to obtain real-time flow values of different dimensions;
a first computing module 63, for calculating, according to the first real-time flow value of the sync message field dimension and the second real-time flow value of the termination message field dimension, the ratio of the first real-time flow value to the second real-time flow value to obtain a first ratio;
an attack determination module 64, for determining that the server is under a sync message field flood attack when the first ratio is greater than the first threshold. As shown in Figure 7, the attack determination module 64 comprises: a computing unit 641, for calculating, after it is determined that the server is under a sync message field flood attack, the ratio of the third real-time flow value of the reset message field dimension to the second real-time flow value to obtain a second ratio; a direct attack determination unit 642, for determining that the server is under a direct sync message field flood attack when the second ratio is less than the second threshold; and a reflective attack determination unit 643, for determining that the server is under a reflective sync message field flood attack when the second ratio is greater than the third threshold; wherein the second threshold is less than the first threshold and the third threshold is greater than the first threshold.
The device further comprises:
a second statistical module, for obtaining a real-time total flow value by statistics on the data messages before the first ratio is calculated;
a third computing module, for calculating the ratio of the first real-time flow value to the real-time total flow value to obtain a third ratio;
a trigger comparison module, for calculating the first ratio and comparing the first ratio with the first threshold when the third ratio is greater than a fourth threshold;
wherein the fourth threshold is less than the first threshold.
The device further comprises:
a comparison module, for performing a difference comparison between the real-time flow value of each dimension and the corresponding flow value baseline after the real-time flow values based on different dimensions are obtained;
an abnormality determination module, for determining that the server is abnormal when the result of the difference comparison does not satisfy a preset condition;
wherein the flow value baseline of each dimension is obtained in advance by offline computation on the data messages collected in the second preset time period. The flow value baselines include a source port flow value baseline, a destination port flow value baseline, a packet length flow value baseline, a time-to-live flow value baseline, a sync message field/termination message field flow value baseline (SYN/FIN flow value baseline) and a sync message field/TCP data message flow value baseline (SYN/TCP flow value baseline).
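The per-dimension baseline and difference comparison performed by the comparison module and the abnormality determination module, as an added Python example (not the patent's code): each historic window (the second preset time period) is reduced to the six listed dimensions, a mean and standard deviation baseline is computed offline, and a real-time window is flagged when any dimension deviates by more than k standard deviations. The packet record layout, the use of a z-score as the preset condition, the 5% floor on the standard deviation and k = 3 are assumptions, as are the constructed windows.

```python
"""Offline flow value baselines and real-time difference comparison over the six
dimensions listed in the description. Added example, not the patent's code; the
packet records, the z-score test, the standard-deviation floor and k = 3 are assumed."""
import math

SYN, FIN, ACK = 0x02, 0x01, 0x10
DIMENSIONS = ("src_ports", "dst_ports", "pkt_len", "ttl", "syn_fin", "syn_tcp")


def window_dimensions(packets):
    """Reduce one window of TCP packet dicts to the six baseline dimensions."""
    n = len(packets)
    syn = sum(1 for p in packets if p["flags"] & SYN)
    fin = sum(1 for p in packets if p["flags"] & FIN)
    return {
        "src_ports": len({p["sport"] for p in packets}),    # distinct source ports
        "dst_ports": len({p["dport"] for p in packets}),    # distinct destination ports
        "pkt_len": sum(p["len"] for p in packets) / n,      # mean packet length
        "ttl": sum(p["ttl"] for p in packets) / n,          # mean time-to-live
        "syn_fin": syn / fin if fin else float(syn),        # SYN/FIN; x/0 taken as x (assumption)
        "syn_tcp": syn / n,                                 # SYN / all TCP packets
    }


def offline_baseline(history):
    """Mean and standard deviation per dimension over historic windows (second preset period)."""
    baseline = {}
    for d in DIMENSIONS:
        vals = [w[d] for w in history]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        # Floor the spread so a near-constant dimension does not alarm on trivial noise (assumption).
        baseline[d] = (mean, max(std, 0.05 * abs(mean), 1e-9))
    return baseline


def compare(baseline, realtime, k=3.0):
    """Dimensions whose real-time value lies more than k standard deviations from the baseline."""
    return [d for d in DIMENSIONS
            if abs(realtime[d] - baseline[d][0]) > k * baseline[d][1]]


def make_window(i, flood=False):
    """Constructed traffic window number i; flood=True shapes it like a direct SYN flood."""
    def pkt(sport, dport, length, ttl, flags):
        return {"sport": sport, "dport": dport, "len": length, "ttl": ttl, "flags": flags}
    syn_n, fin_n, data_n = (20000, 10, 200) if flood else (100 + i % 11, 97 + i % 9, 800 + i % 50)
    port_space = 20000 if flood else 500            # a flood spreads over far more source ports
    win = [pkt(40000 + (j * 31 + i) % port_space, 443, 60, 64 - j % 3, SYN) for j in range(syn_n)]
    win += [pkt(40000 + j % 500, 443, 52, 64, FIN | ACK) for j in range(fin_n)]
    win += [pkt(40000 + j % 500, 443, 900 + (j + i) % 300, 64, ACK) for j in range(data_n)]
    return win


def run_demo():
    """Build the baseline from 60 constructed windows, then compare a normal and a flood window."""
    baseline = offline_baseline([window_dimensions(make_window(i)) for i in range(60)])
    normal = compare(baseline, window_dimensions(make_window(61)))
    flood = compare(baseline, window_dimensions(make_window(62, flood=True)))
    return normal, flood


if __name__ == "__main__":
    normal, flood = run_demo()
    print("normal window anomalies:", normal)
    print("flood window anomalies:", flood)
```

The flood window trips the source port, packet length, SYN/FIN and SYN/TCP dimensions at once while destination port and TTL stay within baseline, which is the multi-dimensional signal the abnormality determination module is meant to act on before the ratio-based SYN flood check runs.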
It should be noted that the device embodiment and the method embodiment are based on the same inventive concept.
An embodiment of the invention provides a server comprising a processor and a memory, the memory storing at least one instruction, at least one program segment, code set or instruction set, which is loaded and executed by the processor to implement the distributed denial of service attack detection method provided by the above method embodiment.
The memory may be used to store software programs and modules, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory. The memory may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, the application programs required for functions and the like, and the data storage area may store data created according to the use of the device and the like. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, for example at least one disk storage device, flash memory device or other volatile solid-state storage device. Correspondingly, the memory may also include a memory controller to provide the processor with access to the memory.
An embodiment of the invention also provides a structural schematic of a server; please refer to Figure 12. The server is used to implement the distributed denial of service attack detection method provided in the above embodiment; specifically, the server structure may include the above distributed denial of service attack detection device. The server 1200 may vary considerably with configuration or performance and may include one or more central processing units (CPU) 1210 (for example one or more processors), memory 1230, and one or more storage media 1220 (for example one or more mass storage devices) storing application programs 1223 or data 1222. The memory 1230 and the storage medium 1220 may be transient or persistent storage. The program stored in the storage medium 1220 may include one or more modules, each of which may include a series of instruction operations on the server. Further, the central processing unit 1210 may be configured to communicate with the storage medium 1220 and execute the series of instruction operations in the storage medium 1220 on the server 1200. The server 1200 may also include one or more power supplies 1260, one or more wired or wireless network interfaces 1250, one or more input/output interfaces 1240 and/or one or more operating systems 1221, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and the like.
Embodiments of the invention also provide a storage medium which may be arranged in a server to store at least one instruction, at least one program segment, code set or instruction set for implementing the distributed denial of service attack detection method of the method embodiment; the at least one instruction, program segment, code set or instruction set is loaded and executed by the processor to implement the distributed denial of service attack detection method provided by the above method embodiment.
Optionally, in this embodiment, the storage medium may be located on at least one of multiple network servers in a computer network. Optionally, in this embodiment, the storage medium may include but is not limited to: a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc or other media that can store program code.
It should be noted that the ordering of the embodiments of the invention is for description only and does not represent the merits of the embodiments. The specific embodiments of this specification have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve the desired result. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
All embodiments in this specification are described in a progressive manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, since the device and server embodiments are substantially similar to the method embodiment, they are described relatively briefly, and the relevant parts may be found in the description of the method embodiment.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be completed by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing are merely preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included in its scope of protection.
Claims (10)
1. A distributed denial of service attack detection method, characterised in that the method comprises:
obtaining in real time the data messages received by a server;
parsing and counting each data message in a first preset time period to obtain real-time flow values of different dimensions;
calculating, according to a first real-time flow value of a sync message field dimension and a second real-time flow value of a termination message field dimension, the ratio of the first real-time flow value to the second real-time flow value to obtain a first ratio;
when the first ratio is greater than a first threshold, determining that the server is under a sync message field flood attack.
2. The method according to claim 1, characterised in that the step of determining that the server is under a sync message field flood attack when the first ratio is greater than the first threshold comprises:
calculating, according to a third real-time flow value of a reset message field dimension and the second real-time flow value, the ratio of the third real-time flow value to the second real-time flow value to obtain a second ratio;
when the second ratio is less than a second threshold, determining that the server is under a direct sync message field flood attack;
when the second ratio is greater than a third threshold, determining that the server is under a reflective sync message field flood attack;
wherein the second threshold is less than the first threshold and the third threshold is greater than the first threshold.
3. The method according to claim 1 or 2, characterised in that before the step of calculating, according to the first real-time flow value of the sync message field dimension and the second real-time flow value of the termination message field dimension, the ratio of the first real-time flow value to the second real-time flow value to obtain the first ratio, the method further comprises:
obtaining a real-time total flow value by statistics on the data messages;
calculating the ratio of the first real-time flow value to the real-time total flow value to obtain a third ratio;
when the third ratio is greater than a fourth threshold, calculating the first ratio and comparing the first ratio with the first threshold;
wherein the fourth threshold is less than the first threshold.
4. The method according to claim 3, characterised in that after the step of parsing and counting each data message in the first preset time period to obtain the real-time flow values based on different dimensions, the method further comprises:
performing a difference comparison between the real-time flow value of each dimension and a corresponding flow value baseline;
when the result of the difference comparison does not satisfy a preset condition, determining that the server is abnormal;
wherein the flow value baseline of each dimension is obtained in advance by offline computation on the data messages collected in a second preset time period.
5. The method according to claim 4, characterised in that the flow value baselines include a source port flow value baseline, a destination port flow value baseline, a packet length flow value baseline, a time-to-live flow value baseline, a sync message field/termination message field flow value baseline and a sync message field/data message flow value baseline.
6. A distributed denial of service attack detection device, characterised in that the device comprises:
a data message obtaining module, for obtaining in real time the data messages received by a server;
a first statistical module, for parsing and counting each data message in a first preset time period to obtain real-time flow values of different dimensions;
a first computing module, for calculating, according to a first real-time flow value of a sync message field dimension and a second real-time flow value of a termination message field dimension, the ratio of the first real-time flow value to the second real-time flow value to obtain a first ratio;
an attack determination module, for determining that the server is under a sync message field flood attack when the first ratio is greater than a first threshold.
7. The device according to claim 6, characterised in that the attack determination module comprises:
a computing unit, for calculating, after it is determined that the server is under a sync message field flood attack, the ratio of a third real-time flow value of a reset message field dimension to the second real-time flow value to obtain a second ratio;
a direct attack determination unit, for determining that the server is under a direct sync message field flood attack when the second ratio is less than a second threshold;
a reflective attack determination unit, for determining that the server is under a reflective sync message field flood attack when the second ratio is greater than a third threshold;
wherein the second threshold is less than the first threshold and the third threshold is greater than the first threshold.
8. The device according to claim 6 or 7, characterised in that the device further comprises:
a second statistical module, for obtaining a real-time total flow value by statistics on the data messages before the first ratio is calculated;
a third computing module, for calculating the ratio of the first real-time flow value to the real-time total flow value to obtain a third ratio;
a trigger comparison module, for calculating the first ratio and comparing the first ratio with the first threshold when the third ratio is greater than a fourth threshold;
wherein the fourth threshold is less than the first threshold.
9. The device according to claim 8, characterised in that the device further comprises:
a comparison module, for performing a difference comparison between the real-time flow value of each dimension and a corresponding flow value baseline after the real-time flow values based on different dimensions are obtained;
an abnormality determination module, for determining that the server is abnormal when the result of the difference comparison does not satisfy a preset condition;
wherein the flow value baseline of each dimension is obtained in advance by offline computation on the data messages collected in a second preset time period.
10. The device according to claim 9, characterised in that the flow value baselines include a source port flow value baseline, a destination port flow value baseline, a packet length flow value baseline, a time-to-live flow value baseline, a sync message field/termination message field flow value baseline and a sync message field/data message flow value baseline.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910203974.2A CN109922072B (en) | 2019-03-18 | 2019-03-18 | Distributed denial of service attack detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109922072A true CN109922072A (en) | 2019-06-21 |
CN109922072B CN109922072B (en) | 2021-07-16 |
Family
ID=66965339
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910203974.2A Active CN109922072B (en) | 2019-03-18 | 2019-03-18 | Distributed denial of service attack detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109922072B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130031626A1 (en) * | 2011-07-29 | 2013-01-31 | Electronics And Telecommunications Research Institute | Methods of detecting dns flooding attack according to characteristics of type of attack traffic |
CN103441982A (en) * | 2013-06-24 | 2013-12-11 | 杭州师范大学 | Intrusion alarm analyzing method based on relative entropy |
US20170374098A1 (en) * | 2016-06-24 | 2017-12-28 | Fortinet, Inc. | Denial-of-service (dos) mitigation approach based on connection characteristics |
CN107623685A (en) * | 2017-09-08 | 2018-01-23 | 杭州安恒信息技术有限公司 | The method and device of quick detection SYN Flood attacks |
US20180091547A1 (en) * | 2016-09-26 | 2018-03-29 | Arbor Networks, Inc. | Ddos mitigation black/white listing based on target feedback |
CN108334774A (en) * | 2018-01-24 | 2018-07-27 | ***股份有限公司 | A kind of method, first server and the second server of detection attack |
CN108429761A (en) * | 2018-04-10 | 2018-08-21 | 北京交通大学 | Resource adaptation resolution server ddos attack detects defence method in wisdom contract network |
CN108965347A (en) * | 2018-10-10 | 2018-12-07 | 腾讯科技(深圳)有限公司 | A kind of detecting method of distributed denial of service attacking, device and server |
CN109067787A (en) * | 2018-09-21 | 2018-12-21 | 腾讯科技(深圳)有限公司 | Distributed Denial of Service (DDOS) attack detection method and device |
Events
2019-03-18 CN CN201910203974.2A patent/CN109922072B/en active Active
Non-Patent Citations (1)
Title |
---|
彭在广: "基于欧氏距离的洪泛攻击检测方法研究", 《中国优秀硕士论文全文数据库信息科技辑》 * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110365658A (en) * | 2019-06-25 | 2019-10-22 | 深圳市腾讯计算机***有限公司 | A kind of protection of reflection attack and flow cleaning method, apparatus, equipment and medium |
CN110365658B (en) * | 2019-06-25 | 2022-04-19 | 深圳市腾讯计算机***有限公司 | Reflection attack protection and flow cleaning method, device, equipment and medium |
CN110912927A (en) * | 2019-12-09 | 2020-03-24 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for detecting control message in industrial control system |
CN110912927B (en) * | 2019-12-09 | 2022-04-12 | 绿盟科技集团股份有限公司 | Method and device for detecting control message in industrial control system |
CN113518057A (en) * | 2020-04-09 | 2021-10-19 | 腾讯科技(深圳)有限公司 | Detection method and device for distributed denial of service attack and computer equipment thereof |
CN113518057B (en) * | 2020-04-09 | 2024-03-08 | 腾讯科技(深圳)有限公司 | Method and device for detecting distributed denial of service attack and computer equipment thereof |
CN112217828A (en) * | 2020-10-16 | 2021-01-12 | 深信服科技股份有限公司 | Attack detection method and device, electronic equipment and storage medium |
CN112738238A (en) * | 2020-12-29 | 2021-04-30 | 北京天融信网络安全技术有限公司 | Method, device and system for health check in load balancing |
WO2023142045A1 (en) * | 2022-01-29 | 2023-08-03 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and apparatus for determining alarm flood cause |
CN114944929A (en) * | 2022-03-24 | 2022-08-26 | 奇安信科技集团股份有限公司 | Network abnormal behavior detection method and device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||