CN113051558A - Data packet detection system for Slow HTTP POST attack - Google Patents

Data packet detection system for Slow HTTP POST attack

Info

Publication number: CN113051558A
Authority: CN (China)
Prior art keywords: data packet, attack, detection, data, http post
Legal status: Withdrawn (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202110284958.8A
Other languages: Chinese (zh)
Inventor: 贾帅
Current assignee: Individual (as listed by Google Patents; not verified)
Original assignee: Individual
Priority date: 2021-03-17
Filing date: 2021-03-17
Publication date: 2021-06-29

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G06F18/232 Non-hierarchical techniques
    • G06F18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Artificial Intelligence (AREA)
  • Probability & Statistics with Applications (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of detecting Slow HTTP POST attacks and discloses a data packet detection system for such attacks. The detection software runs on the Web server and consists of a data packet preprocessing module, a detection model training module and an attack detection module. The preprocessing module applies dimensionless standardization to the sample values of the elements of each data packet's attribute state vector. The training module trains a model on data packet samples sent by normal users accessing the Web server and obtains a behaviour model of data packets under normal access. The attack detection module first filters out data packets that obviously cannot belong to a Slow HTTP POST attack, then compares the remaining packets against the trained model and applies a threshold: when a packet deviates from the model and the number of such deviations exceeds a set threshold, the packet is reported as an attack packet. The invention addresses the problem of how to detect Slow HTTP POST attacks effectively.

Description

Data packet detection system for Slow HTTP POST attack
Technical Field
The invention relates to the technical field of detecting Slow HTTP POST attacks, and in particular to a data packet detection system for such attacks.
Background
A Slow HTTP POST attack is a subtype of the application-layer Slow HTTP denial-of-service attack. It exploits two properties: HTTP persistent connections, and the fact that in an HTTP POST request it is the client that decides when the body transfer is finished. The attacker sends a POST request whose header declares a very large Content-Length, but then transmits the body extremely slowly, in tiny pieces. Because the server has not yet received the number of body bytes it was promised, it treats the request as incomplete and keeps the connection open. Once the attacker has opened many such requests, the Web server's connection pool is exhausted and the server denies service to legitimate clients.
A Slow HTTP POST attack needs only a small amount of traffic, so existing detection methods that look for a disproportionate traffic volume have difficulty detecting it. Signature-based inspection of incoming packets only works when the attack packets differ from those of normal, legitimate requests; it does not apply to a Slow HTTP POST attack, whose request packets have the same structure as legitimate ones. Anomaly detection of network traffic by maximum-entropy estimation, in turn, has a high false-alarm rate.
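As an added illustration of the mechanism described above (example code written for this page, not part of the patent): a minimal server-side model of an in-flight POST. It parses the request head, tracks how much of the declared Content-Length has actually arrived, and replays two constructed clients, a normal login form and one that advertises a 1,000,000-byte body and then delivers one byte every ten seconds. The hostnames, paths and timings are made up.

```python
"""Server-side view of an in-flight HTTP POST: how much body was promised
(Content-Length) versus how much has actually arrived. Added example with
constructed requests; hostnames, paths and timings are made up."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_head(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP/1.1 request into request line, lower-cased header map,
    and whatever body bytes followed the blank line in the same read."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


@dataclass
class PostConnection:
    """State a server keeps for one POST whose body is still being read."""
    opened_at: float
    content_length: int
    received: int = 0
    last_seen: float = 0.0

    def feed(self, chunk: bytes, now: float) -> None:
        self.received += len(chunk)
        self.last_seen = now

    def complete(self) -> bool:
        # The request is finished only once the promised number of body bytes
        # has arrived; until then the server keeps the connection open.
        return self.received >= self.content_length

    def body_rate(self, now: float) -> float:
        """Body bytes per second delivered since the head was read."""
        return self.received / max(now - self.opened_at, 1e-9)


def replay(head: bytes, chunks: List[Tuple[float, bytes]]) -> PostConnection:
    """Read the head at t=0, then feed each (t, bytes) body chunk in order,
    stopping as a server would once the body is complete."""
    _, headers, first = parse_head(head)
    conn = PostConnection(opened_at=0.0,
                          content_length=int(headers.get("content-length", "0")))
    conn.feed(first, 0.0)
    for t, chunk in chunks:
        if conn.complete():
            break
        conn.feed(chunk, t)
    return conn


# Constructed traffic. A normal login POST: small body, delivered at once.
NORMAL_HEAD = (b"POST /login HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 27\r\n\r\n")
NORMAL_CHUNKS = [(0.05, b"user=alice&password=secret1")]

# A Slow HTTP POST: the head promises 1,000,000 body bytes, then the client
# sends one byte every ten seconds, so the request never completes.
SLOW_HEAD = (b"POST /upload HTTP/1.1\r\n"
             b"Host: www.example.com\r\n"
             b"Connection: keep-alive\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 1000000\r\n\r\n")
SLOW_CHUNKS = [(10.0 * i, b"a") for i in range(1, 7)]


def demo() -> Tuple[PostConnection, PostConnection]:
    """Final state of both connections after one minute of replay."""
    return replay(NORMAL_HEAD, NORMAL_CHUNKS), replay(SLOW_HEAD, SLOW_CHUNKS)


if __name__ == "__main__":
    normal, slow = demo()
    print("normal: complete=%s received=%d" % (normal.complete(), normal.received))
    print("slow: complete=%s received=%d of %d, %.2f B/s after 60 s"
          % (slow.complete(), slow.received, slow.content_length, slow.body_rate(60.0)))
```

After a minute the slow connection has delivered six body bytes and is still "in progress" from the server's point of view, which is exactly why a volume-based detector sees nothing; one such connection per worker in the server's pool is enough to stop service. Production servers bound this on their own with a body-read timeout or minimum data rate (Apache mod_reqtimeout's RequestReadTimeout body=...,MinRate=..., nginx client_body_timeout); those settings are a complement to the behavioural detection the patent proposes, not part of it.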
Disclosure of Invention
(I) Technical problem to be solved
To address the shortcomings of the prior art, the invention provides a data packet detection system for Slow HTTP POST attacks, with the aim of solving the technical problem of how to detect such attacks effectively.
(II) Technical scheme
In order to achieve the purpose, the invention provides the following technical scheme:
A data packet detection system for Slow HTTP POST attacks comprises detection software installed and running on the Web server, consisting of a data packet preprocessing module, a detection model training module and an attack detection module;
the data packet preprocessing module extracts attributes of the data packets a user sends when accessing the Web server and applies dimensionless standardization to the sample values of the elements of the data packet attribute state vector;
the detection model training module trains a model on data packet samples sent by normal users accessing the Web server, using K-means clustering (chosen for its fast convergence), and obtains a behaviour model of data packets under normal access;
the attack detection module comprises a coarse-grained detection submodule and a fine-grained detection submodule; the coarse-grained submodule filters out data packets that obviously cannot belong to a Slow HTTP POST attack, and the fine-grained submodule compares the data packets under test with the trained model by cluster analysis and applies a threshold: when a packet deviates from the model and the number of such deviations exceeds a set threshold, the packet under test is reported as an attack packet.
Further, the data packet preprocessing module collects the data packets sent by normal users accessing the Web server, extracts three basic attributes of those packets, forms them into a data packet attribute state set, counts the values of each attribute to obtain a data packet attribute state vector, and applies dimensionless standardization to the sample values of the vector's elements.
Further, the three basic attributes of a data packet are: the average message length Ls from the Web server to the client, the average message length Lc from the client to the Web server, and the average inter-arrival interval Δt of messages reaching the Web server.
Further, the training method of the detection model training module comprises:
Step 1: from the data set X = {X1, X2, ..., Xn} of data packet attribute state vectors, randomly select k initial cluster centres, C[0] = X1, ..., C[i] = Xi, ..., C[k-1] = Xm;
Step 2: compare each of X1, X2, ..., Xn with C[0] = X1, ..., C[k-1] = Xm; if the Euclidean distance to the centre of cluster C[i] is the smallest, label the sample i;
Step 3: for every i, recompute C[i] = (sum of the attribute state vectors of all points labelled i) / (number of points labelled i);
Step 4: repeat Step 2 and Step 3 until the criterion function converges.
(III) Advantageous technical effects
Compared with the prior art, the invention has the following beneficial technical effects:
The data packet preprocessing module of the invention extracts the attributes of the data packets a normal user sends when accessing the Web server and obtains the data packet attribute state vector by counting the values of those attributes. The sample values of the vector's elements are standardized dimensionlessly and then input to the detection model training module, which trains on them to obtain a behaviour model of data packets under normal access. The coarse-grained detection submodule performs anomaly detection at a coarse-grained level on every connection established with the Web server and filters out data packets that obviously cannot belong to a Slow HTTP POST attack; the fine-grained detection submodule compares the remaining data packets with the trained model by cluster analysis and applies a threshold, and when a packet deviates from the model and the number of such deviations exceeds the set threshold, the packet is reported as an attack packet;
the technical problem of how to detect Slow HTTP POST attacks effectively is thereby solved.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A data packet detection system for Slow HTTP POST attacks comprises detection software installed and running on the Web server, consisting of a data packet preprocessing module, a detection model training module and an attack detection module;
the data packet preprocessing module extracts attributes of the data packets a user sends when accessing the Web server, obtains the data packet attribute state vector by counting the values of those attributes, and applies dimensionless standardization to the sample values of the vector's elements;
the detection model training module trains a model on data packet samples sent by normal users accessing the Web server, using K-means clustering (chosen for its fast convergence), and obtains a behaviour model of data packets under normal access;
the attack detection module comprises a coarse-grained detection submodule and a fine-grained detection submodule; the coarse-grained submodule performs anomaly detection at a coarse-grained level on every connection established with the Web server and filters out data packets that obviously cannot belong to a Slow HTTP POST attack, and the fine-grained submodule compares the data packets under test with the trained model by cluster analysis and applies a threshold: when a packet deviates from the model and the number of such deviations exceeds a set threshold, the packet under test is reported as an attack packet;
the detection method of the system comprises the following steps:
Step one: the data packet preprocessing module collects the data packets sent by normal users accessing the Web server, extracts three basic attributes of those packets, forms them into a data packet attribute state set, obtains a data packet attribute state vector by counting the values of each attribute, and applies dimensionless standardization to the sample values of the vector's elements;
the three basic attributes of a data packet are: the average message length Ls sent by the Web server to the client, the average message length Lc sent by the client to the Web server, and the average inter-arrival interval Δt of messages reaching the Web server;
the normalization method of the sample value Gi of a certain element G in the data packet attribute state vector is as follows:
Figure BDA0002980062220000041
Figure BDA0002980062220000042
Figure BDA0002980062220000043
in the above equation, Pi is the result of Gi normalization in the sample,
Figure BDA0002980062220000044
taking the mean value of all sample data, and S is the standard deviation of all sample data;
Step two: the standardized data packet attribute state vectors are input to the detection model training module, which trains a model on the data samples using K-means clustering (chosen for its fast convergence) and obtains a behaviour model of data packets under normal access, specifically:
Step 1: from the data set X = {X1, X2, ..., Xn} of data packet attribute state vectors, randomly select k initial cluster centres, C[0] = X1, ..., C[i] = Xi, ..., C[k-1] = Xm;
Step 2: compare each of X1, X2, ..., Xn with C[0] = X1, ..., C[k-1] = Xm; if the Euclidean distance to the centre of cluster C[i] is the smallest, label the sample i;
Step 3: for every i, recompute C[i] = (sum of the attribute state vectors of all points labelled i) / (number of points labelled i);
Step 4: repeat Step 2 and Step 3 until the criterion function converges;
Step three: the coarse-grained detection submodule of the attack detection module performs anomaly detection at a coarse-grained level on every connection established with the Web server by collecting statistics on the duration of the data packets; it filters out data packets that obviously cannot belong to a Slow HTTP POST attack and passes those whose duration exceeds a certain threshold to the fine-grained anomaly detection submodule;
Step four: the fine-grained detection submodule of the attack detection module compares the data packet under test with the trained model by cluster analysis and applies a threshold; when the result deviates from the model and the number of deviations exceeds the set threshold, the data packet under test is reported as an attack packet, and the system compiles statistics on the related data and generates alarm information.
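The four steps above, as one added worked example in Python (written for this page; it is not the patent's implementation, and the patent discloses no code). It extracts the three attributes Ls, Lc and Δt per connection, standardizes them with the training mean and standard deviation, trains the K-means model of normal access, then runs the coarse duration filter and the fine cluster-distance check with a per-client deviation counter. The traffic shapes, the client addresses, the minimum duration of 30 s, the distance threshold (1.5 times the largest nearest-centre distance seen in training) and the deviation count of 2 are all assumptions; the patent names none of these values. Legitimate long uploads are deliberately included in the training set: the coarse stage passes every long-lived connection to the fine stage, so a model trained only on short requests would report them as attacks.

```python
"""Slow HTTP POST detector following the patent's pipeline: per-connection
attributes (Ls, Lc, dt) -> dimensionless standardisation -> K-means model of
normal access -> coarse duration filter -> fine cluster-distance check with a
per-client deviation counter. Added example on constructed traffic; the traffic
shapes and every threshold below are assumptions, not values from the patent."""
import math
import random
from typing import Dict, List, NamedTuple, Sequence, Tuple

Msg = Tuple[float, str, int]  # (timestamp in s, "c2s" or "s2c", message length in bytes)
Conn = NamedTuple("Conn", [("client", str), ("start", float), ("msgs", List[Msg])])

def features(conn: Conn) -> List[float]:
    """Ls: mean server->client length; Lc: mean client->server length;
    dt: mean inter-arrival interval of messages reaching the server."""
    s2c = [n for _, d, n in conn.msgs if d == "s2c"]
    c2s = sorted((t, n) for t, d, n in conn.msgs if d == "c2s")
    ls = sum(s2c) / len(s2c) if s2c else 0.0
    lc = sum(n for _, n in c2s) / len(c2s) if c2s else 0.0
    dt = (c2s[-1][0] - c2s[0][0]) / (len(c2s) - 1) if len(c2s) > 1 else 0.0
    return [ls, lc, dt]

def duration(conn: Conn) -> float:
    return max(t for t, _, _ in conn.msgs) - conn.start

class ZScaler:
    """P_i = (G_i - mean) / S per attribute, mean and S taken from the training sample."""
    def __init__(self, rows: Sequence[Sequence[float]]):
        n, dims = len(rows), len(rows[0])
        self.mean = [sum(r[j] for r in rows) / n for j in range(dims)]
        self.std = [math.sqrt(sum((r[j] - self.mean[j]) ** 2 for r in rows) / n) or 1.0
                    for j in range(dims)]
    def transform(self, row: Sequence[float]) -> List[float]:
        return [(row[j] - self.mean[j]) / self.std[j] for j in range(len(row))]

def dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points: List[List[float]], k: int, seed: int = 0, max_iter: int = 100):
    """Patent steps 1-4: random initial centres; assign each point to the nearest
    centre (Euclidean); recompute centres as member means; repeat to convergence."""
    dims = len(points[0])
    centers = [list(p) for p in random.Random(seed).sample(points, k)]
    for _ in range(max_iter):
        labels = [min(range(k), key=lambda i: dist(p, centers[i])) for p in points]
        new = []
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            new.append([sum(m[j] for m in members) / len(members) for j in range(dims)]
                       if members else centers[i])
        if max(dist(a, b) for a, b in zip(new, centers)) < 1e-9:
            break
        centers = new
    return centers

class SlowPostDetector:
    def __init__(self, training: Sequence[Conn], k: int = 2, min_duration: float = 30.0,
                 margin: float = 1.5, count_threshold: int = 2):
        rows = [features(c) for c in training]
        self.scaler = ZScaler(rows)
        pts = [self.scaler.transform(r) for r in rows]
        self.centers = kmeans(pts, k)
        # Fine-stage threshold (assumption): largest nearest-centre distance in training, widened.
        self.dist_threshold = margin * max(self.nearest(p) for p in pts)
        self.min_duration, self.count_threshold = min_duration, count_threshold
        self.deviations: Dict[str, int] = {}
    def nearest(self, p: Sequence[float]) -> float:
        return min(dist(p, c) for c in self.centers)
    def observe(self, conn: Conn) -> bool:
        """One finished connection through both stages; True means alarm."""
        if duration(conn) < self.min_duration:  # coarse: obviously not a slow POST
            return False
        if self.nearest(self.scaler.transform(features(conn))) > self.dist_threshold:
            self.deviations[conn.client] = self.deviations.get(conn.client, 0) + 1
        return self.deviations.get(conn.client, 0) > self.count_threshold

def synth(rng: random.Random, client: str, start: float, n: int, gap, size,
          reply=None, head: int = 0) -> Conn:
    """Constructed traffic: n client messages of `size` bytes spaced by `gap` s,
    optionally preceded by a request head and followed by one server reply."""
    t, msgs = start, ([(start, "c2s", head)] if head else [])
    for _ in range(n):
        t += rng.uniform(*gap)
        msgs.append((t, "c2s", rng.randint(*size)))
    if reply:
        msgs.append((t + 0.05, "s2c", rng.randint(*reply)))
    return Conn(client, start, msgs)

NORMAL = dict(gap=(0.02, 0.3), size=(200, 900), reply=(800, 4000))    # short POST
UPLOAD = dict(gap=(0.02, 0.04), size=(1400, 1400), reply=(200, 400))  # legitimate long upload
SLOW = dict(gap=(8.0, 12.0), size=(1, 4), head=400)                   # slow POST, body never ends

def run_demo(seed: int = 1) -> Tuple[List[str], Dict[str, int]]:
    """Train on 60 normal POSTs and 10 long uploads, then observe a mixed stream."""
    rng = random.Random(seed)
    training = [synth(rng, f"10.1.0.{i}", 10.0 * i, rng.randint(2, 5), **NORMAL) for i in range(60)]
    training += [synth(rng, f"10.2.0.{i}", 100.0 * i, rng.randint(2000, 3000), **UPLOAD)
                 for i in range(10)]
    det = SlowPostDetector(training)
    stream = [synth(rng, "10.1.0.200", 5000.0, 3, **NORMAL), training[60]]
    stream += [synth(rng, "198.51.100.7", 5000.0 + i, 8, **SLOW) for i in range(3)]
    alerts = [c.client for c in stream if det.observe(c)]
    return alerts, dict(det.deviations)  # (['198.51.100.7'], {'198.51.100.7': 3})
```

In the demo the short POST never reaches the fine stage, the long upload reaches it but sits inside the trained model, and the slow-POST client is counted once per connection and raises the alarm on its third one, since its Δt of roughly ten seconds is more than a hundred training standard deviations from normal access. The weak point a practitioner should keep in mind is the fine-stage threshold: the patent only says "a set threshold", and any value derived from the training set will flag legitimate behaviour the training set did not contain.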
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (4)

1. A data packet detection system for Slow HTTP POST attacks, characterized in that it comprises detection software installed and running on the Web server, consisting of a data packet preprocessing module, a detection model training module and an attack detection module;
the data packet preprocessing module extracts attributes of the data packets a user sends when accessing the Web server and applies dimensionless standardization to the sample values of the elements of the data packet attribute state vector;
the detection model training module trains a model on data packet samples sent by normal users accessing the Web server, using K-means clustering (chosen for its fast convergence), and obtains a behaviour model of data packets under normal access;
the attack detection module comprises a coarse-grained detection submodule and a fine-grained detection submodule; the coarse-grained submodule filters out data packets that obviously cannot belong to a Slow HTTP POST attack, and the fine-grained submodule compares the data packets under test with the trained model by cluster analysis and applies a threshold: when a packet deviates from the model and the number of such deviations exceeds a set threshold, the packet under test is reported as an attack packet.
2. The data packet detection system for Slow HTTP POST attacks according to claim 1, wherein the data packet preprocessing module collects the data packets sent by normal users accessing the Web server, extracts three basic attributes of those packets, forms them into a data packet attribute state set, counts the values of each attribute to obtain a data packet attribute state vector, and applies dimensionless standardization to the sample values of the vector's elements.
3. The data packet detection system for Slow HTTP POST attacks according to claim 2, wherein the three basic attributes of a data packet are: the average message length Ls from the Web server to the client, the average message length Lc from the client to the Web server, and the average inter-arrival interval Δt of messages reaching the Web server.
4. The data packet detection system for Slow HTTP POST attacks according to claim 3, wherein the training method of the detection model training module comprises the following steps:
Step 1: from the data set X = {X1, X2, ..., Xn} of data packet attribute state vectors, randomly select k initial cluster centres, C[0] = X1, ..., C[i] = Xi, ..., C[k-1] = Xm;
Step 2: compare each of X1, X2, ..., Xn with C[0] = X1, ..., C[k-1] = Xm; if the Euclidean distance to the centre of cluster C[i] is the smallest, label the sample i;
Step 3: for every i, recompute C[i] = (sum of the attribute state vectors of all points labelled i) / (number of points labelled i);
Step 4: repeat Step 2 and Step 3 until the criterion function converges.

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202110284958.8A | CN113051558A (en) | 2021-03-17 | 2021-03-17 | Data packet detection system for Slow HTTP POST attack

Publications (1)

Publication Number Publication Date
CN113051558A (en) 2021-06-29

Family

ID=76512958

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN202110284958.8A | Withdrawn | CN113051558A (en) | 2021-03-17 | 2021-03-17 | Data packet detection system for Slow HTTP POST attack

Country Status (1)

Country Link
CN (1) CN113051558A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114338171A (en) * 2021-12-29 2022-04-12 中国建设银行股份有限公司 Black product attack detection method and device

Similar Documents

Publication Publication Date Title
CN111935170B (en) Network abnormal flow detection method, device and equipment
CN108965347B (en) Distributed denial of service attack detection method, device and server
CN108282497B (en) DDoS attack detection method for SDN control plane
CN104113519B (en) Network attack detecting method and its device
CN112398779A (en) Network traffic data analysis method and system
CN111092862B (en) Method and system for detecting communication traffic abnormality of power grid terminal
CN107592312A (en) A kind of malware detection method based on network traffics
CN109150859B (en) Botnet detection method based on network traffic flow direction similarity
CN103746982B (en) A kind of http network condition code automatic generation method and its system
CN112261000B (en) LDoS attack detection method based on PSO-K algorithm
CN112235288B (en) NDN network intrusion detection method based on GAN
CN107070930B (en) Host-oriented suspicious network connection identification method
CN110166464B (en) Method and system for detecting content-centric network interest flooding attack
CN112434298B (en) Network threat detection system based on self-encoder integration
CN110493260A (en) A kind of network flood model attack detection method
CN100352208C (en) Detection and defence method for data flous of large network station
WO2024065956A1 (en) Network abnormal behavior detection method based on data multi-dimensional entropy fingerprints
CN112788007A (en) DDoS attack detection method based on convolutional neural network
CN113051558A (en) Data packet detection system for Slow HTTP POST attack
CN113645182A (en) Random forest detection method for denial of service attack based on secondary feature screening
CN116938507A (en) Electric power internet of things security defense terminal and control system thereof
CN108667804B (en) DDoS attack detection and protection method and system based on SDN architecture
CN112788039A (en) DDoS attack identification method, device and storage medium
CN109257384B (en) Application layer DDoS attack identification method based on access rhythm matrix
CN116170227A (en) Flow abnormality detection method and device, electronic equipment and storage medium

Legal Events

Code Title Description
PB01 Publication (application publication date: 2021-06-29)
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication