CN116232767B - DDoS defense method, device, computer equipment and storage medium - Google Patents

Info

Publication number
CN116232767B (granted; application CN202310500459.7A; earlier publication CN116232767A)
Authority
CN (China)
Prior art keywords
terminal, tested, access information, access, trusted
Legal status
Active (the legal status is an assumption by Google, not a legal conclusion)
Other languages
Chinese (zh)
Inventors
柳遵梁, 王月兵, 毛菲, 周杰, 闻建霞, 覃锦端, 刘聪
Current assignee
Hangzhou Meichuang Technology Co ltd (the listed assignee may be inaccurate; Google has performed no legal analysis)
Original assignee
Hangzhou Meichuang Technology Co ltd
Application filed by Hangzhou Meichuang Technology Co ltd; priority to CN202310500459.7A

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a DDoS defense method, a DDoS defense device, computer equipment and a storage medium. The method comprises: parsing the data packet information of trusted terminals to form a trusted terminal ID set; collecting the access information features of the corresponding trusted terminals and generating a trusted terminal access information feature library; determining the fingerprint information of a terminal under test; determining the access information features of the terminal under test; matching the fingerprint information of the terminal under test against the trusted terminal ID set to judge whether the terminal under test is trusted; and, when the terminal under test is not trusted and its communication time or fixed access count fails the set condition, or when the terminal under test is trusted and its access information features do not match the elements of the trusted terminal access information feature library one-to-one, determining that the access of the terminal under test constitutes DDoS attack behavior and performing exception handling. By implementing the method provided by the embodiment of the invention, DDoS attack behavior can be judged accurately.

Description

DDoS defense method, device, computer equipment and storage medium
Technical Field
The present invention relates to computers, and more particularly to a DDoS defense method, a DDoS defense device, a computer apparatus and a storage medium.
Background
DDoS (distributed denial of service) refers to a large-scale denial of service attack that relies on distributed attack sources. Such an attack multiplies the power of a denial of service attack by controlling a large number of "zombie" computers to form an attack network and launching the attack on one or more targets simultaneously at high frequency and speed. Because a DDoS attack consumes network bandwidth or system resources, the network or system becomes overloaded, and the target system or network is nearly paralysed or even goes down.
In the field of network security, DDoS has become the most popular attack method because of its concealment and effectiveness; attackers continuously raise the complexity of their means and use varied attack methods to keep obtaining a marked attack effect, while existing DDoS defense techniques have difficulty mitigating the increasingly severe DDoS attack situation.
Therefore, a new method is needed that accurately discriminates DDoS attack behavior, so that DDoS attacks can be defended against accurately.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a DDoS defense method, a DDoS defense device, a computer device and a storage medium.
To this end, the present invention adopts the following technical scheme: a DDoS defense method, comprising:
acquiring data packet information sent by a trusted terminal;
parsing the data packet information to obtain the fingerprint information of the trusted terminal, and forming a trusted terminal ID set;
collecting the access information features of the corresponding trusted terminals according to the trusted terminal ID set, and generating a trusted terminal access information feature library from those features;
acquiring the data packet information to be tested and the access information sent by a terminal under test;
parsing the data packet information to be tested to obtain the fingerprint information of the terminal under test;
parsing the access information of the terminal under test to obtain its access information features;
matching the fingerprint information of the terminal under test against the trusted terminal ID set to judge whether the terminal under test is trusted;
if the terminal under test is not trusted, judging from its access information features whether its communication time or its fixed access count fails the set condition;
if the communication time or the fixed access count of the terminal under test fails the set condition, determining that the access of the terminal under test constitutes DDoS attack behavior, and performing exception handling on that access;
if the terminal under test is trusted, judging whether its access information features match the elements of the trusted terminal access information feature library one-to-one;
and if the access information features of the terminal under test do not match the elements of the trusted terminal access information feature library one-to-one, determining that the access of the terminal under test constitutes DDoS attack behavior, and performing exception handling on that access.
The further technical scheme is as follows: after judging whether the communication time or the fixed access times of the terminal to be tested do not meet the set condition according to the access information characteristics of the terminal to be tested, the method further comprises the steps of:
if the communication time and the fixed access times of the terminal to be tested meet the set conditions, determining that the access of the terminal to be tested does not have DDoS attack, and releasing the access of the terminal to be tested.
The further technical scheme is as follows: the analyzing the data packet information to obtain the fingerprint information of the trusted terminal to form a trusted terminal ID set, including:
carrying out characteristic analysis on the data packet information according to the IP address, the MAC address, the size range of the service data packet and the serial number to obtain a trusted terminal fingerprint;
Calculating the fingerprint of the trusted terminal to generate a trusted terminal ID number;
and counting all the trusted terminal ID numbers to obtain a trusted terminal ID number set.
The further technical scheme is as follows: the acquiring the access information characteristics of the corresponding trusted terminal according to the trusted terminal ID set, and generating a trusted terminal access information characteristic library according to the access information characteristics, comprising:
acquiring access information characteristics of a corresponding trusted terminal in the trusted terminal ID set in learning time through agent software;
counting each access information feature on the trusted terminal corresponding to the trusted terminal ID number set to obtain an access information feature set;
and de-duplicating the access information features in the access information feature set to obtain a trusted terminal access information feature library.
The further technical scheme is as follows: the step of judging whether the communication time or the fixed access times of the terminal to be tested do not meet the set conditions according to the access information characteristics of the terminal to be tested comprises the following steps:
judging whether the communication time of the terminal to be tested is in a fixed communication time period according to the access information characteristics of the terminal to be tested;
if the communication time of the terminal to be tested is not in the fixed communication time period, determining that the communication time of the terminal to be tested does not accord with the set condition;
If the communication time of the terminal to be tested is within the fixed communication time period, determining that the communication time of the terminal to be tested meets the set condition;
releasing the access information of the terminal to be tested, and recording the access times of the terminal to be tested in unit time aiming at the access target to obtain the access frequency;
judging whether the access frequency is within a fixed access frequency range of a set unit time;
if the access frequency is within the set fixed access frequency range of the unit time, determining that the fixed access frequency of the terminal to be tested meets the set requirement;
if the access frequency is not in the set fixed access frequency range of the unit time, determining that the fixed access frequency of the terminal to be tested does not meet the set requirement.
The further technical scheme is as follows: the judging whether the terminal access information feature to be detected is matched with the element in the trusted terminal access information feature library in a one-to-one correspondence mode comprises the following steps:
judging whether an access target in the access information characteristics of the terminal to be tested is consistent with a first element of each characteristic in the trusted terminal access information characteristic library;
if the access target in the terminal access information feature to be tested is inconsistent with the first element of each feature in the trusted terminal access information feature library, determining that the terminal access information feature to be tested is not matched with the element in the trusted terminal access information feature library in a one-to-one correspondence manner;
If the access target in the terminal access information feature to be tested is consistent with the first element of each feature in the trusted terminal access information feature library, judging whether the communication time in the terminal access information feature to be tested is consistent with the second element of each feature in the trusted terminal access information feature library;
if the communication time in the terminal access information feature to be tested is inconsistent with the second element of each feature in the trusted terminal access information feature library, executing the determination that the terminal access information feature to be tested is not matched with the element in the trusted terminal access information feature library in a one-to-one correspondence manner;
if the communication time in the terminal access information feature to be tested is consistent with the second element of each feature in the trusted terminal access information feature library, judging whether the access times of the terminal access information feature to be tested in unit time aiming at an access target is consistent with the third element of each feature in the trusted terminal access information feature library;
if the access times of the access information features of the terminal to be tested in the unit time are inconsistent with the third element of each feature in the trusted terminal access information feature library, executing the determination that the elements in the trusted terminal access information feature library are not in one-to-one correspondence matching with the access information features of the terminal to be tested;
And if the access times of the access information features of the terminal to be tested in unit time are consistent with the third element of each feature in the trusted terminal access information feature library, determining that the access information features of the terminal to be tested are matched with the elements in the trusted terminal access information feature library in a one-to-one correspondence manner.
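The full decision flow of the technical scheme above (trusted ID set, access information feature library, the untrusted-branch time and frequency thresholds, and the trusted-branch one-to-one matching), as an added Python example that is not code from the patent or from Hangzhou Meichuang Technology. Everything the patent leaves open is an assumption here: the ID algorithm F1 is taken to be a SHA-256 digest of the four fingerprint fields, the communication time period is the hour of day, the unit time is one minute, the communication window (08:00 to 18:00) and the per-minute frequency range (1 to 30) are made-up thresholds, and the terminal packets and access records are constructed.

```python
# Added example, not code from the patent or its assignee. Implements the
# decision flow described above on constructed data; every concrete choice
# (F1 = SHA-256, period = hour of day, thresholds, sample records) is assumed.
import hashlib
from collections import defaultdict


def fingerprint(pkt):
    """Fingerprint = (IP address, MAC address, service packet size range, sequence number)."""
    return (pkt["ip"], pkt["mac"], pkt["size_range"], pkt["seq"])


def terminal_id(fp):
    """Algorithm F1 (assumed): digest of the joined fingerprint fields -> terminal ID."""
    return hashlib.sha256(":".join(str(f) for f in fp).encode()).hexdigest()[:16]


def access_features(accesses):
    """One feature per (access target, communication period, accesses per minute).

    accesses is a list of (target, minute_of_day). The period is the hour
    bucket (assumed); the count is the number of accesses in that minute.
    """
    per_minute = defaultdict(int)
    for target, minute in accesses:
        per_minute[(target, minute)] += 1
    return {(target, minute // 60, n) for (target, minute), n in per_minute.items()}


def build_library(trusted_accesses):
    """Union of every trusted terminal's features, deduplicated -> library W."""
    library = set()
    for accesses in trusted_accesses.values():
        library |= access_features(accesses)
    return library


def match_library(feature, library):
    """Staged one-to-one comparison of the first, second and third element.

    Returns None when the feature is in W, otherwise the element that failed.
    """
    target, period, count = feature
    if not any(w[0] == target for w in library):
        return "target"
    if not any(w[0] == target and w[1] == period for w in library):
        return "time"
    if (target, period, count) not in library:
        return "count"
    return None


def judge(pkt, accesses, trusted_ids, library, window=(8, 18), freq_range=(1, 30)):
    """Return ("release" | "attack", reason) for one terminal under test."""
    tid = terminal_id(fingerprint(pkt))
    features = access_features(accesses)
    if tid not in trusted_ids:                            # F2 = 0: untrusted branch
        for target, period, count in features:
            if not window[0] <= period < window[1]:       # fixed communication time period
                return "attack", f"{target}: period {period}h outside window {window}"
            if not freq_range[0] <= count <= freq_range[1]:  # fixed access count per minute
                return "attack", f"{target}: {count}/min outside range {freq_range}"
        return "release", "untrusted terminal meets the set conditions"
    for feature in features:                              # F2 = 1: library match
        missing = match_library(feature, library)
        if missing:
            return "attack", f"{feature}: {missing} not in feature library"
    return "release", "trusted terminal matches feature library"


# Constructed learning-time data: two trusted terminals and what they did.
TRUSTED_PKTS = [
    {"ip": "10.0.0.11", "mac": "aa:bb:cc:00:00:11", "size_range": "64-512", "seq": 1001},
    {"ip": "10.0.0.12", "mac": "aa:bb:cc:00:00:12", "size_range": "64-512", "seq": 1002},
]
TRUSTED_IDS = {terminal_id(fingerprint(p)) for p in TRUSTED_PKTS}
TRUSTED_ACCESS = {
    # T1 polls /api/status twice a minute around 09:00; T2 posts /api/report once at 10:00
    terminal_id(fingerprint(TRUSTED_PKTS[0])): [("/api/status", 540)] * 2 + [("/api/status", 541)] * 2,
    terminal_id(fingerprint(TRUSTED_PKTS[1])): [("/api/report", 600)],
}
LIBRARY = build_library(TRUSTED_ACCESS)  # {("/api/status", 9, 2), ("/api/report", 10, 1)}

UNKNOWN_PKT = {"ip": "203.0.113.5", "mac": "de:ad:be:ef:00:01", "size_range": "1024-1500", "seq": 7}

if __name__ == "__main__":
    print(judge(TRUSTED_PKTS[0], [("/api/status", 545)] * 2, TRUSTED_IDS, LIBRARY))
    print(judge(TRUSTED_PKTS[0], [("/api/status", 545)] * 50, TRUSTED_IDS, LIBRARY))
    print(judge(UNKNOWN_PKT, [("/api/status", 180)] * 3, TRUSTED_IDS, LIBRARY))
    print(judge(UNKNOWN_PKT, [("/api/status", 600)] * 100, TRUSTED_IDS, LIBRARY))
```

Running the file prints the verdict for a trusted terminal behaving as learned, the same terminal at 50 requests a minute, an unknown terminal at 03:00 and an unknown terminal at 100 requests a minute. One caveat the patent does not state: the trusted/untrusted branch depends only on F1 over four sender-supplied fields, so a packet that reproduces a trusted terminal's IP, MAC, size range and sequence number yields the same ID, and a MAC address is not preserved across a routed hop; a deployment has to pin down where the fingerprint is observed and how far those fields can be trusted.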
The invention also provides a DDoS defense device, comprising:
a trusted information acquisition unit for acquiring data packet information sent by a trusted terminal;
a first parsing unit for parsing the data packet information to obtain the fingerprint information of the trusted terminal and form a trusted terminal ID set;
a collection unit for collecting the access information features of the corresponding trusted terminals according to the trusted terminal ID set and generating a trusted terminal access information feature library from those features;
an information acquisition unit for acquiring the data packet information to be tested and the access information sent by a terminal under test;
a second parsing unit for parsing the data packet information to be tested to obtain the fingerprint information of the terminal under test;
a third parsing unit for parsing the access information of the terminal under test to obtain its access information features;
an ID matching unit for matching the fingerprint information of the terminal under test against the trusted terminal ID set to judge whether the terminal under test is trusted;
a first judging unit for judging, if the terminal under test is not trusted, whether its communication time or fixed access count fails the set condition according to its access information features;
a first determining unit for determining, if the communication time or fixed access count of the terminal under test fails the set condition, that the access of the terminal under test constitutes DDoS attack behavior, and performing exception handling on that access;
a second judging unit for judging, if the terminal under test is trusted, whether its access information features match the elements of the trusted terminal access information feature library one-to-one, and, if they do not, determining that the access of the terminal under test constitutes DDoS attack behavior and performing exception handling on that access.
In a further technical scheme, the device further comprises:
a second determining unit for determining, if both the communication time and the fixed access count of the terminal under test meet the set conditions, that the access of the terminal under test does not constitute DDoS attack behavior, and releasing that access.
The invention also provides a computer device comprising a memory and a processor, wherein the memory stores a computer program and the processor implements the above method when executing that program.
The present invention also provides a storage medium storing a computer program which, when executed by a processor, implements the above method.
Compared with the prior art, the invention has the following beneficial effects: the trusted terminal ID set and the trusted terminal access information feature library are constructed; the data packet information and access information sent by the terminal under test are parsed and the result is matched against the trusted terminal ID set and the feature library, so that access by a terminal exhibiting DDoS attack behavior is blocked. With the trusted terminal fingerprint information strategy and the trusted terminal access information feature library as the basis, the trusted terminal and its access information are judged automatically, and DDoS attack behavior is thereby judged accurately.
The invention is further described below with reference to the drawings and specific embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is an application scenario schematic diagram of a DDoS defense method provided by an embodiment of the present invention;
fig. 2 is a flow chart of a DDoS defending method provided by an embodiment of the present invention;
fig. 3 is a schematic block diagram of a DDoS defending device 300 provided by an embodiment of the present invention;
fig. 4 is a schematic block diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic diagram of an application scenario of a DDoS defense method according to an embodiment of the present invention, and fig. 2 is a schematic flow chart of that method. The DDoS defense method is applied to a server. The server exchanges data with terminals. Terminal fingerprint information is collected from the specific data packet information that a terminal sends to the server, and a trusted terminal ID is generated; based on the trusted terminal IDs, the access targets, communication time periods and access frequencies of the trusted terminals are learned, and a trusted terminal access information feature library is generated; when a terminal is detected sending a specific data packet and terminal access information to the server, trusted terminal ID matching and then trusted terminal access information feature library matching are performed in turn, whether a DDoS attack exists is judged from the matching result, and the DDoS attack is alarmed and blocked, so that DDoS attacks are judged accurately.
Fig. 2 is a flow chart of a DDoS defending method provided by an embodiment of the present invention. As shown in fig. 2, the method includes the following steps S110 to S210.
S110, acquiring data packet information sent by the trusted terminal.
In this embodiment, the server collects the specific data packets sent by the terminal group $T$ within the time $U$. For the terminal group $T = \{T_1, T_2, \ldots, T_n\}$, where $T_1, T_2, \ldots, T_n$ are the terminal codes, the specific data packet sent by each terminal within time $U$ is acquired, forming the terminal-specific data packet set $R_T = \{R_{T1}, R_{T2}, \ldots, R_{Tn}\}$; $U$ is a designated time period that defaults to a fixed value and can be set manually.
S120, analyzing the data packet information to obtain the fingerprint information of the trusted terminal, and forming a trusted terminal ID set.
In this embodiment, the trusted terminal ID set is the set of ID numbers computed from the fingerprint information of all trusted terminals.
In one embodiment, the step S120 may include steps S121 to S123.
And S121, carrying out characteristic analysis on the data packet information according to the IP address, the MAC address, the service data packet size range and the serial number so as to obtain the fingerprint of the trusted terminal.
Specifically, the terminal-specific data packet set $R_T = \{R_{T1}, R_{T2}, \ldots, R_{Tn}\}$ collected by the server is parsed according to four features, IP address, MAC address, service data packet size range and sequence number, to generate for the specific data packet $R_{Tn}$ the terminal fingerprint of its terminal $T_n$: $R_{Tn} = \{AR_{Tn} : BR_{Tn} : CR_{Tn} : DR_{Tn}\}$, where $AR_{Tn}$ is the IP address of the terminal $T_n$ corresponding to $R_{Tn}$, $BR_{Tn}$ its MAC address, $CR_{Tn}$ its service data packet size range and $DR_{Tn}$ its sequence number.
S122, calculating the fingerprint of the trusted terminal to generate a trusted terminal ID number.
In the present embodiment there is an algorithm $F1$ which, for the terminal fingerprint $R_{Tn} = \{AR_{Tn} : BR_{Tn} : CR_{Tn} : DR_{Tn}\}$ of the terminal $T_n$ corresponding to the specific data packet $R_{Tn}$, computes and generates the terminal ID number $E_{Tn}$ of that terminal.
S123, counting all the trusted terminal ID numbers to obtain a trusted terminal ID number set.
In the present embodiment, the terminal ID numbers $E_{Tn}$ generated by algorithm $F1$ for the terminals $T_n$ corresponding to the specific data packets $R_{Tn}$ are collected to generate the trusted terminal ID number set $E_T = \{E_{T1}, E_{T2}, \ldots, E_{Tn}\}$.
S130, acquiring access information features of the corresponding trusted terminal according to the trusted terminal ID set, and generating a trusted terminal access information feature library according to the access information features.
In this example, the trusted terminal access information feature library refers to a set of each access information feature in the set of trusted terminal ID numbers.
In one embodiment, the step S130 may include steps S131-S133.
S131, acquiring access information characteristics of the corresponding trusted terminal in the trusted terminal ID set in the learning time through agent software.
In the present embodiment, agent software is installed on the trusted terminals corresponding to the trusted terminal ID numbers $E_T = \{E_{T1}, E_{T2}, \ldots, E_{Tn}\}$, and the access information features of the trusted terminals within the learning time $Q$ are collected; the features comprise the access target of the terminal, the communication time period and the number of accesses per unit time. With the current trusted terminal ID number $E_{Tn}$, one access information feature on that terminal is $G_yE_{Tn} = \{AG_yE_{Tn},\ \{AG_yE_{Tn} : BG_yE_{Tn}\},\ \{AG_yE_{Tn} : BG_yE_{Tn} : CG_yE_{Tn}\}\}$, where $AG_yE_{Tn}$ is one access target on the trusted terminal corresponding to $E_{Tn}$, $BG_yE_{Tn}$ is the communication time period corresponding to that access target, and $CG_yE_{Tn}$ is the number of accesses to that access target per unit time (default unit: minutes).
S132, counting each piece of access information feature on the trusted terminal corresponding to the trusted terminal ID number set to obtain an access information feature set.
In this embodiment, each access information feature on the trusted terminal corresponding to the trusted terminal ID number $E_{Tn}$ is collected, generating the set of all access information features on that terminal, $GE_{Tn} = \{G_1E_{Tn}, G_2E_{Tn}, \ldots, G_yE_{Tn}\}$.
S133, performing deduplication on the access information features in the access information feature set to obtain a trusted terminal access information feature library.
In this embodiment, the access information features of the trusted terminals corresponding to $E_T = \{E_{T1}, E_{T2}, \ldots, E_{Tn}\}$ are collected, generating the access information feature sets of all trusted terminals, $GE_T = \{GE_{T1}, GE_{T2}, \ldots, GE_{Tn}\}$; the access information features are deduplicated to generate the complete and unique trusted terminal access information feature library $W$.
S140, acquiring information of the data packet to be tested sent by the terminal to be tested and access information of the terminal to be tested.
In the present embodiment, agent software is installed on the server and monitors whether access information to be tested, that is, access information from a terminal under test, exists. If it does, the code $T_x$ of the terminal under test is acquired, together with the specific data packet to be tested $S$ and the access information to be tested $K$ that the terminal sends to the server.
S150, parsing the data packet information to be tested to obtain the fingerprint information of the terminal under test.
In this embodiment, the specific data packet to be tested $S$ is parsed, collecting the terminal fingerprint of the corresponding terminal under test $T_x$: $R_{STx} = \{AR_{STx} : BR_{STx} : CR_{STx} : DR_{STx}\}$, where $AR_{STx}$ is the IP address of the terminal under test $T_x$ corresponding to $S$, $BR_{STx}$ its MAC address, $CR_{STx}$ its service data packet size range and $DR_{STx}$ its sequence number.
S160, parsing the access information of the terminal under test to obtain its access information features.
In this embodiment, the access information $K$ of the terminal under test is parsed for its access information features, collecting $G_{kTx} = \{AG_{kTx},\ (AG_{kTx} : BG_{kTx})\}$, where $AG_{kTx}$ is the access target of the access information $K$ and $BG_{kTx}$ is the communication time corresponding to that access target.
S170, carrying out ID matching on the fingerprint information of the terminal to be detected and the ID set of the trusted terminal so as to judge whether the terminal to be detected is trusted or not.
Specifically, algorithm F1 is applied to the terminal fingerprint R_STx{AR_STx:BR_STx:CR_STx:DR_STx} of the terminal T_x to be detected corresponding to the specific data packet S to be detected, and the ID number E_STx of that terminal is calculated and generated.
In the present embodiment there is an algorithm F2{(E_STx, E_T)}, which matches the terminal ID number E_STx corresponding to the specific data packet S to be detected against the trusted terminal ID number set E_T and judges whether the terminal is a trusted terminal.
When E_STx ∉ E_T, F2{(E_STx, E_T)} = 0, and the terminal T_x to be detected corresponding to the specific data packet S to be detected is considered an untrusted terminal; algorithms F3 and F4 are entered, and the fixed communication time period and the fixed access times per unit time are judged;
when E_STx ∈ E_T, F2{(E_STx, E_T)} = 1, and the terminal T_x to be detected corresponding to the specific data packet S to be detected is considered a trusted terminal; algorithms F5, F6 and F7 are entered in turn, and trusted terminal access information feature library matching is performed.
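One concrete way to realise algorithms F1 and F2 of steps S170, written as an added example and not taken from the patent: the patent does not say what F1 computes, so here F1 is assumed to be SHA-256 over a canonicalised fingerprint R_Tx{AR:BR:CR:DR}, the trusted set E_T is the set of such digests, and F2 is set membership. All fingerprints below are constructed sample values.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """R_Tx{AR:BR:CR:DR}: IP address, MAC address, service packet size range, serial number."""
    ip: str                      # AR_Tx
    mac: str                     # BR_Tx
    size_range: tuple[int, int]  # CR_Tx as (min, max) bytes
    serial: str                  # DR_Tx, e.g. from `wmic bios get serialnumber`

    def canonical(self) -> str:
        # Normalise representation so one terminal always yields one ID:
        # MAC lower-case with ':' separators, serial trimmed and upper-case.
        mac = self.mac.lower().replace("-", ":")
        lo, hi = self.size_range
        return f"{self.ip}:{mac}:{lo}-{hi}:{self.serial.strip().upper()}"


def f1_terminal_id(fp: Fingerprint) -> str:
    """Algorithm F1 (assumed here to be SHA-256): fingerprint -> ID number E_Tx."""
    return hashlib.sha256(fp.canonical().encode("utf-8")).hexdigest()


def build_trusted_id_set(trusted_fps) -> frozenset[str]:
    """Applies F1 to every trusted terminal fingerprint to form E_T."""
    return frozenset(f1_terminal_id(fp) for fp in trusted_fps)


def f2_is_trusted(e_stx: str, e_t: frozenset[str]) -> int:
    """Algorithm F2{(E_STx, E_T)}: 1 if E_STx is in E_T, else 0."""
    return 1 if e_stx in e_t else 0


# Constructed sample: three terminals of group T enrolled during the learning time.
TRUSTED_FINGERPRINTS = [
    Fingerprint("10.0.0.11", "aa:bb:cc:dd:ee:01", (64, 1500), "SN-0001"),
    Fingerprint("10.0.0.12", "aa:bb:cc:dd:ee:02", (64, 1500), "SN-0002"),
    Fingerprint("10.0.0.13", "aa:bb:cc:dd:ee:03", (64, 1500), "SN-0003"),
]
E_T = build_trusted_id_set(TRUSTED_FINGERPRINTS)

if __name__ == "__main__":
    # Same terminal, different textual form of MAC and serial: still matches.
    same = Fingerprint("10.0.0.11", "AA-BB-CC-DD-EE-01", (64, 1500), " sn-0001 ")
    # Same IP and MAC but a different serial: a different ID, so untrusted.
    other = Fingerprint("10.0.0.11", "aa:bb:cc:dd:ee:01", (64, 1500), "SN-9999")
    print("F2 for re-encoded trusted terminal:", f2_is_trusted(f1_terminal_id(same), E_T))
    print("F2 for unknown serial:", f2_is_trusted(f1_terminal_id(other), E_T))
```

All four fingerprint fields are reported by the terminal itself inside the specific data packet, so the strength of the F2 match rests on the channel that delivers that packet; canonicalisation keeps the ID stable across encodings but does not make the values harder for a sender to choose.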
And S180, if the terminal to be detected is not trusted, judging whether the communication time or the fixed access times of the terminal to be detected do not meet the set conditions according to the access information characteristics of the terminal to be detected.
In one embodiment, the step S180 may include steps S181 to S187.
S181, judging whether the communication time of the terminal to be tested is in a fixed communication time period according to the access information characteristics of the terminal to be tested;
S182, if the communication time of the terminal to be tested is not in the fixed communication time period, determining that the communication time of the terminal to be tested does not meet the set condition;
S183, if the communication time of the terminal to be tested is within the fixed communication time period, determining that the communication time of the terminal to be tested meets the set condition;
S184, releasing the access information of the terminal to be tested, and recording the number of accesses per unit time by the terminal to be tested to the access target to obtain the access frequency;
S185, determining whether the access frequency is within the set fixed access frequency range per unit time.
In this embodiment there is an algorithm F3{(BG_kTx, P)} which, on the premise that the terminal T_x to be tested is an untrusted terminal, matches the communication time BG_kTx of the terminal access information K to be tested against a fixed communication time period P, where P is a designated time period that defaults to a certain value and can be set manually, and judges whether the fixed communication time period is met;
when BG_kTx ∉ P, F3{(BG_kTx, P)} = 0, and the communication time BG_kTx of the terminal access information K to be tested is considered not to meet the fixed communication time period, that is, DDoS attack behaviour exists; exception processing is carried out, and the terminal access information is intercepted or an alarm is raised;
when BG_kTx ∈ P, F3{(BG_kTx, P)} = 1, and the communication time BG_kTx of the terminal access information K to be tested is considered to meet the fixed communication time period, that is, the terminal access information is normal; the terminal access information is released, and at the same time the number of accesses CG_kTx per unit time (default unit: minutes) by the terminal T_x corresponding to the terminal access information K to the access target AG_kTx is recorded, and algorithm F4 is entered to judge the access frequency.
S186, if the access frequency is within the set fixed access frequency range of the unit time, determining that the fixed access frequency of the terminal to be tested meets the set requirement;
And S187, if the access frequency is not in the set fixed access frequency range of the unit time, determining that the fixed access frequency of the terminal to be tested does not meet the set requirement.
In the present embodiment there is an algorithm F4{(CG_kTx, H)} which, on the premise that the terminal T_x to be tested is an untrusted terminal and the communication time BG_kTx of the terminal access information K to be tested meets the fixed communication time period, compares the number of accesses CG_kTx per unit time (default unit: minutes) by the terminal T_x corresponding to the terminal access information K to the access target AG_kTx with a fixed access count H per unit time (default unit: minutes; H is a specified threshold, a fixed value that can be set manually), and judges whether the fixed access frequency is met;
when CG_kTx > H, F4{(CG_kTx, H)} = 0, and the number of accesses CG_kTx per unit time by the terminal T_x corresponding to the terminal access information K to the access target AG_kTx is considered not to be within the fixed access frequency range per unit time, that is, DDoS attack behaviour exists; exception processing is carried out, and the terminal access information is intercepted or an alarm is raised;
when CG_kTx ≤ H, F4{(CG_kTx, H)} = 1, and the number of accesses CG_kTx per unit time by the terminal T_x corresponding to the terminal access information K to the access target AG_kTx is considered to be within the fixed access frequency range per unit time, that is, the terminal access information is normal, and the terminal access information is released.
S190, if the communication time or the fixed access times of the terminal to be tested do not meet the set conditions, determining that DDoS attack behaviors exist in the access of the terminal to be tested, and performing exception handling on the access of the terminal to be tested;
S200, if the terminal to be tested is trusted, judging whether the terminal access information feature to be tested matches an element in the trusted terminal access information feature library in a one-to-one correspondence.
In one embodiment, the step S200 may include steps S201 to S205.
S201, judging whether the access target in the access information characteristics of the terminal to be tested is consistent with the first element of each feature in the trusted terminal access information feature library;
S202, if the access target in the terminal access information feature to be tested is inconsistent with the first element of each feature in the trusted terminal access information feature library, determining that the terminal access information feature to be tested does not match the elements in the trusted terminal access information feature library in a one-to-one correspondence.
In the present embodiment there is an algorithm F5{AG_kTx, W[1]}, which matches the access target AG_kTx of the terminal access information K to be tested against the first element of each feature in the trusted terminal access information feature library W, that is, on the premise that the terminal T_x is a trusted terminal, matches the access target AG_kTx of the terminal access information K to be tested against the terminal access targets in W. When AG_kTx ∉ W[1], F5{AG_kTx, W[1]} = 0, and the access target AG_kTx of the terminal access information K to be detected is considered not to match any terminal access target in W, that is, DDoS attack behaviour exists; exception processing is carried out, and the terminal access information is intercepted or an alarm is raised. When AG_kTx ∈ W[1], F5{AG_kTx, W[1]} = 1, and the access target AG_kTx is considered to match a terminal access target in W; algorithm F6 is entered, and the communication time period in W is matched.
S203, if the access target in the terminal access information feature to be tested is consistent with the first element of each feature in the trusted terminal access information feature library, judging whether the communication time in the terminal access information feature to be tested is consistent with the second element of each feature in the trusted terminal access information feature library;
In this embodiment there is an algorithm F6{(AG_kTx:BG_kTx), W[2]}, which matches the communication time BG_kTx of the terminal access information K to be tested against the second element of each feature in the trusted terminal access information feature library W, that is, on the premise that the terminal T_x is a trusted terminal and its access target matches a terminal access target in W, matches the communication time BG_kTx of the terminal access information K to be tested against the communication time period recorded in W for that access target;
when BG_kTx ∉ W[2], F6{(AG_kTx:BG_kTx), W[2]} = 0, and the communication time BG_kTx of the terminal access information K to be detected is considered not to match the communication time period in W, that is, DDoS attack behaviour exists; exception processing is carried out, and the terminal access information is intercepted or an alarm is raised;
when BG_kTx ∈ W[2], F6{(AG_kTx:BG_kTx), W[2]} = 1, and the communication time BG_kTx of the terminal access information K to be detected is considered to match the communication time period in W, that is, the terminal access information is normal; the terminal access information is released, and at the same time the number of accesses CG_kTx per unit time (default unit: minutes) by the terminal T_x corresponding to the terminal access information K to the access target AG_kTx is recorded, and algorithm F7 is entered to match the number of accesses per unit time in W.
If the communication time in the terminal access information feature to be tested is inconsistent with the second element of each feature in the trusted terminal access information feature library, executing the step S202;
S204, if the communication time in the terminal access information feature to be tested is consistent with the second element of each feature in the trusted terminal access information feature library, judging whether the number of accesses per unit time to the access target in the terminal access information feature to be tested is consistent with the third element of each feature in the trusted terminal access information feature library.
In the present embodiment there is an algorithm F7{CG_kTx, W[3]}, which matches the number of accesses CG_kTx per unit time by the terminal T_x corresponding to the terminal access information K to be tested to the access target AG_kTx against the third element of each feature in the trusted terminal access information feature library W, that is, on the premise that the terminal T_x is a trusted terminal and its access target and communication time period match those in W, compares CG_kTx with the number of accesses per unit time recorded in W for a trusted terminal accessing the target AG_kTx;
when CG_kTx > W[3], F7{CG_kTx, W[3]} = 0, and the number of accesses CG_kTx per unit time by the terminal T_x to the access target AG_kTx is considered not to be within the access count range recorded in W for that access target per unit time, that is, DDoS attack behaviour exists; exception processing is carried out, and the terminal access information is intercepted or an alarm is raised;
when CG_kTx ≤ W[3], F7{CG_kTx, W[3]} = 1, and the number of accesses CG_kTx per unit time by the terminal T_x to the access target AG_kTx is considered to be within the access count range recorded in W for that access target per unit time, that is, the terminal access information is normal, and the terminal access information is released.
If the number of accesses to the access information feature of the terminal to be tested in the unit time is inconsistent with the third element of each feature in the trusted terminal access information feature library, executing the step S202;
s205, if the access times of the access information features of the terminal to be tested in unit time are consistent with the third element of each feature in the trusted terminal access information feature library, determining that the access information features of the terminal to be tested are matched with the elements in the trusted terminal access information feature library in a one-to-one correspondence.
And if the terminal access information feature to be tested is not in one-to-one correspondence with the element in the trusted terminal access information feature library, executing the step S190.
S210, if the communication time and the fixed access times of the terminal to be tested meet the set conditions, determining that the access of the terminal to be tested does not have DDoS attack, and releasing the access of the terminal to be tested.
If the terminal to be tested is trusted, executing the step S210;
and if the terminal access information feature to be tested is matched with the element in the trusted terminal access information feature library in a one-to-one correspondence manner, executing the step S210.
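The untrusted path (F3, F4) and the trusted path (F5, F6, F7) of steps S180 to S210, folded into one decision function. This is an added example, not code from the patent: the patent names P, H and W but does not define their shapes, so here P is assumed to be a (start, end) time-of-day window, H an integer per-minute cap, and W a deduplicated set of (access target, period, per-minute count) rows whose three projections stand in for W[1], W[2] and W[3]. All values are constructed, the access counter keys on calendar minute, and the replay in main mirrors the worked example that follows (T_1 untrusted and over H, T_2 trusted and over W[3]).

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, time

# Constructed parameters (assumed shapes; the patent only names P, H and W).
P = (time(8, 0), time(18, 0))   # fixed communication time period P, start inclusive
H = 120                         # fixed access count per minute H for untrusted terminals

# Constructed, already deduplicated trusted feature library. One row per feature
# G_iE_Tj{AG, {AG:BG}, {AG:BG:CG}}: (access target, communication period, accesses/min).
W_ROWS = {
    ("10.0.0.5:443", (time(9, 0), time(17, 0)), 60),
    ("10.0.0.7:22", (time(0, 0), time(23, 59)), 20),
}
W = {
    1: {ag for ag, _, _ in W_ROWS},          # W[1]: access targets
    2: {(ag, bg) for ag, bg, _ in W_ROWS},   # W[2]: (target, period) pairs
    3: {ag: cg for ag, _, cg in W_ROWS},     # W[3]: per-target cap per minute
}


def in_period(t: time, period: tuple[time, time]) -> bool:
    start, end = period
    return start <= t < end


def f3(bg: datetime) -> int:
    """F3{(BG_kTx, P)}: 1 if the communication time lies inside P, else 0."""
    return int(in_period(bg.time(), P))


def f4(cg: int) -> int:
    """F4{(CG_kTx, H)}: 1 if the per-minute access count does not exceed H."""
    return int(cg <= H)


def f5(ag: str) -> int:
    """F5{AG_kTx, W[1]}: 1 if the access target is known to the library."""
    return int(ag in W[1])


def f6(ag: str, bg: datetime) -> int:
    """F6{(AG:BG), W[2]}: 1 if a library period for this target contains BG."""
    return int(any(in_period(bg.time(), period) for tgt, period in W[2] if tgt == ag))


def f7(ag: str, cg: int) -> int:
    """F7{CG_kTx, W[3]}: 1 if the per-minute count is within the library cap."""
    return int(cg <= W[3][ag])


class AccessCounter:
    """Records CG_kTx: accesses per (terminal, target) within one calendar minute."""

    def __init__(self) -> None:
        self._counts = defaultdict(int)

    def record(self, tx: str, ag: str, bg: datetime) -> int:
        key = (tx, ag, bg.replace(second=0, microsecond=0))
        self._counts[key] += 1
        return self._counts[key]


def decide(tx: str, trusted: bool, ag: str, bg: datetime, counter: AccessCounter):
    """Steps S180-S210 for one access: ('release', None) or ('intercept', algorithm)."""
    if not trusted:                      # untrusted path: F3, then F4
        if not f3(bg):
            return ("intercept", "F3")
        cg = counter.record(tx, ag, bg)  # counted only once F3 has released it
        return ("release", None) if f4(cg) else ("intercept", "F4")
    if not f5(ag):                       # trusted path: F5, F6, F7 in turn
        return ("intercept", "F5")
    if not f6(ag, bg):
        return ("intercept", "F6")
    cg = counter.record(tx, ag, bg)
    return ("release", None) if f7(ag, cg) else ("intercept", "F7")


def replay(tx: str, trusted: bool, ag: str, bg: datetime, n: int):
    """Sends n identical accesses within one minute and returns the verdict on the last."""
    counter = AccessCounter()
    verdict = ("release", None)
    for _ in range(n):
        verdict = decide(tx, trusted, ag, bg, counter)
    return verdict


if __name__ == "__main__":
    t = datetime(2024, 5, 6, 10, 0)
    print("T1 untrusted, 121 req/min:", replay("T1", False, "10.0.0.9:80", t, 121))
    print("T2 trusted, 61 req/min to 10.0.0.5:443:", replay("T2", True, "10.0.0.5:443", t, 61))
```

Both paths rate-limit one terminal against one target, so a flood spread over many sources that each stay at or below H (or below the W[3] cap for a trusted terminal) passes every check here; the per-source counters are the only volume signal the method describes.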
For example:
In this embodiment, the terminal group T includes 10 terminals, namely T{T_1, T_2, ..., T_10}. The server side needs to obtain the specific data packets sent by each terminal within time U, giving the terminal-specific data packet set R_T{R_T1, R_T2, ..., R_T10}.
The terminal-specific data packet set R_T{R_T1, R_T2, ..., R_T10} collected by the server is analysed according to the four characteristics of IP address, MAC address, service data packet size range and serial number, where the serial number is the unique serial number of the terminal; on Windows it can be obtained with the command wmic bios get serialnumber, and on Linux with the command dmidecode -t system | grep 'Serial Number' (dmidecode reads the SMBIOS tables and needs root privileges). Taking the terminal-specific data packet R_T1 as an example, parsing it yields the terminal fingerprint R_T1{AR_T1:BR_T1:CR_T1:DR_T1} of the corresponding terminal T_1. Similarly, each specific data packet in R_T{R_T1, R_T2, ..., R_T10} is parsed in turn, and finally the characteristics of each terminal in the terminal group T are obtained.
Taking the terminal fingerprint R_T1{AR_T1:BR_T1:CR_T1:DR_T1} of terminal T_1 corresponding to specific data packet R_T1 as an example, calculation by algorithm F1 gives the terminal ID number E_T1 of terminal T_1. By analogy, algorithm F1 is applied in turn to the terminal fingerprint of each terminal in the terminal group T to obtain its terminal ID number, and finally the trusted terminal ID number set E_T{E_T1, E_T2, ..., E_T10} is generated.
Taking the trusted terminal corresponding to trusted terminal ID number E_T1 as an example, it has 5 access features:
Feature 1: G_1E_T1{AG_1E_T1, {AG_1E_T1:BG_1E_T1}, {AG_1E_T1:BG_1E_T1:CG_1E_T1}}
Feature 2: G_2E_T1{AG_2E_T1, {AG_2E_T1:BG_2E_T1}, {AG_2E_T1:BG_2E_T1:CG_2E_T1}}
Feature 3: G_3E_T1{AG_3E_T1, {AG_3E_T1:BG_3E_T1}, {AG_3E_T1:BG_3E_T1:CG_3E_T1}}
Feature 4: G_4E_T1{AG_4E_T1, {AG_4E_T1:BG_4E_T1}, {AG_4E_T1:BG_4E_T1:CG_4E_T1}}
Feature 5: G_5E_T1{AG_5E_T1, {AG_5E_T1:BG_5E_T1}, {AG_5E_T1:BG_5E_T1:CG_5E_T1}}.
Counting the 5 access information features of the trusted terminal corresponding to trusted terminal ID number E_T1 gives the set of all access information features on that trusted terminal, GE_T1{G_1E_T1, G_2E_T1, G_3E_T1, G_4E_T1, G_5E_T1}.
The access information features of each trusted terminal corresponding to the trusted terminal ID numbers E_T{E_T1, E_T2, ..., E_T10} are counted in turn to obtain the access information feature set of all trusted terminals, GE_T{GE_T1, GE_T2, ..., GE_T10}. The access information features are then deduplicated to obtain the complete and unique trusted terminal access information feature library W.
Terminal T_1 to be detected sends 1 specific data packet to be detected and 1 item of terminal access information to be detected, with the following content:
terminal fingerprint R_ST1{AR_ST1:BR_ST1:CR_ST1:DR_ST1} of terminal T_1;
access information G_kT1{AG_kT1, (AG_kT1:BG_kT1)} to be detected of terminal T_1.
Terminal T_2 to be detected sends 1 specific data packet to be detected and 1 item of terminal access information to be detected, with the following content:
terminal fingerprint R_ST2{AR_ST2:BR_ST2:CR_ST2:DR_ST2} of terminal T_2;
access information G_kT2{AG_kT2, (AG_kT2:BG_kT2)} to be detected of terminal T_2.
Using algorithm F1, the terminal fingerprints of terminal T_1 and terminal T_2 are calculated to generate the ID number E_ST1 of terminal T_1 and the ID number E_ST2 of terminal T_2.
E_ST1 ∉ E_T, so F2{(E_ST1, E_T)} = 0 and terminal T_1 is considered an untrusted terminal; algorithms F3 and F4 are entered, and the fixed communication time period and the fixed access times per unit time are judged.
E_ST2 ∈ E_T, so F2{(E_ST2, E_T)} = 1 and terminal T_2 is considered a trusted terminal; algorithms F5, F6 and F7 are entered in turn, and trusted terminal access information feature library matching is performed.
In the present embodiment, BG_kT1 ∈ P, so F3{(BG_kT1, P)} = 1 and the communication time BG_kT1 in the access information to be detected of terminal T_1 is considered to meet the fixed communication time period; the terminal access information is normal and is released. At the same time the number of accesses CG_kT1 per unit time (default unit: minutes) by terminal T_1 to the access target AG_kT1 is recorded, and algorithm F4 is entered.
On the premise that terminal T_1 is an untrusted terminal and the communication time BG_kT1 in its terminal access information to be tested meets the fixed communication time period, algorithm F4{(CG_kT1, H)} compares the number of accesses CG_kT1 per unit time (default unit: minutes) by terminal T_1 to the access target AG_kT1 with the fixed access count H per unit time (default unit: minutes; H is a specified threshold that defaults to a certain value and can be set manually), and judges whether the fixed access count is met.
In the present embodiment, CG_kT1 > H, so F4{(CG_kT1, H)} = 0 and the number of accesses CG_kT1 per unit time by terminal T_1 to the access target AG_kT1 is considered not to be within the fixed access count range per unit time, that is, DDoS attack behaviour exists; exception processing is carried out, and the terminal access information is intercepted or an alarm is raised.
Through algorithm F5{AG_kTx, W[1]}, the access target AG_kT2 in the access information to be detected of terminal T_2 is matched against the first element of each feature in the trusted terminal access information feature library W, that is, on the premise that terminal T_2 is a trusted terminal, the access target AG_kT2 in its access information to be detected is matched against the terminal access targets in W.
In the present embodiment, AG_kT2 ∈ W[1], so F5{AG_kT2, W[1]} = 1 and the access target AG_kT2 in the access information to be detected of terminal T_2 is considered to match a terminal access target in W; algorithm F6 is entered.
Through algorithm F6{(AG_kTx:BG_kTx), W[2]}, the communication time BG_kT2 for the access target AG_kT2 in the access information to be detected of terminal T_2 is matched against the second element of each feature in W, that is, on the premise that terminal T_2 is a trusted terminal and its access target matches a terminal access target in W, the communication time BG_kT2 is matched against the communication time period in W.
In the present embodiment, BG_kT2 ∈ W[2], so F6{(AG_kT2:BG_kT2), W[2]} = 1 and the communication time BG_kT2 for the access target AG_kT2 is considered to match the communication time period in W; the terminal access information is normal and is released. At the same time the number of accesses CG_kT2 per unit time (default unit: minutes) by terminal T_2 to the access target AG_kT2 is recorded, and algorithm F7 is entered.
Through algorithm F7{CG_kTx, W[3]}, the number of accesses CG_kT2 per unit time (default unit: minutes) by terminal T_2 to the access target AG_kT2 is matched against the third element of each feature in W, that is, on the premise that terminal T_2 is a trusted terminal and its access target and communication time period match those in W, CG_kT2 is compared with the number of accesses per unit time recorded in W for a trusted terminal accessing the target AG_kT2.
In the present embodiment, CG_kT2 > W[3], so F7{CG_kT2, W[3]} = 0 and the number of accesses CG_kT2 per unit time by terminal T_2 to the access target AG_kT2 is considered not to be within the access count range recorded in W for that access target per unit time, that is, DDoS attack behaviour exists; exception processing is carried out, and the terminal access information is intercepted or an alarm is raised.
According to the DDoS defending method, the trusted terminal ID set and the trusted terminal access information feature library are constructed, the to-be-tested data packet information and the to-be-tested terminal access information sent by the to-be-tested terminal are analyzed, the analysis result is matched with the trusted terminal ID set and the trusted terminal access information feature library, so that access of the terminal with DDoS attack behaviors is defended, the trusted terminal fingerprint information strategy is utilized, the trusted terminal access information feature library is used as a basis, the trusted terminal and the terminal access information are automatically distinguished, and therefore the DDoS attack behaviors are accurately distinguished.
Fig. 3 is a schematic block diagram of a DDoS defending device 300 provided by an embodiment of the present invention. As shown in fig. 3, the present invention also provides a DDoS defending device 300 corresponding to the above DDoS defending method. The DDoS defending apparatus 300 includes a unit for performing the above-described DDoS defending method, and may be configured in a server. Specifically, referring to fig. 3, the DDoS defending apparatus 300 includes a trusted information obtaining unit 301, a first analyzing unit 302, an acquisition unit 303, a to-be-tested information obtaining unit 304, a second analyzing unit 305, a third analyzing unit 306, an ID matching unit 307, a first judging unit 308, a first determining unit 309, a second judging unit 310, and a second determining unit 311.
A trusted information obtaining unit 301, configured to obtain packet information sent by a trusted terminal; a first parsing unit 302, configured to parse the data packet information to obtain fingerprint information of the trusted terminal, so as to form a trusted terminal ID set; an acquisition unit 303, configured to acquire access information features of the corresponding trusted terminal according to the trusted terminal ID set, and to generate a trusted terminal access information feature library from those features; a to-be-detected information obtaining unit 304, configured to obtain the to-be-detected data packet information and the to-be-detected terminal access information sent by the terminal to be detected; a second parsing unit 305, configured to parse the to-be-detected data packet information to obtain fingerprint information of the terminal to be detected; a third parsing unit 306, configured to parse the terminal access information to be tested to obtain the terminal access information feature to be tested; an ID matching unit 307, configured to match the fingerprint information of the terminal to be tested against the trusted terminal ID set, so as to determine whether the terminal to be tested is trusted; a first judging unit 308, configured to judge, if the terminal to be tested is not trusted, whether the communication time or the fixed access number of the terminal to be tested fails to meet a set condition according to the access information feature of the terminal to be tested; a first determining unit 309, configured to determine that a DDoS attack exists in the access of the terminal to be tested if the communication time or the fixed access number of the terminal to be tested does not meet the set condition, and to perform exception handling on that access; a second judging unit 310, configured to judge, if the terminal to be tested is trusted, whether the terminal access information feature to be tested matches an element in the trusted terminal access information feature library in a one-to-one correspondence, and, if it does not, to determine that a DDoS attack exists in the access of the terminal to be tested and perform exception handling on that access; and a second determining unit 311, configured to determine that no DDoS attack exists in the access of the terminal to be tested if the communication time and the fixed access times of the terminal to be tested meet the set conditions, and to release the access of the terminal to be tested.
In an embodiment, the first parsing unit includes a feature parsing subunit, a computing subunit, and a first statistics subunit.
The characteristic analysis subunit is used for carrying out characteristic analysis on the data packet information according to the IP address, the MAC address, the size range of the service data packet and the serial number so as to obtain a trusted terminal fingerprint; a calculating subunit, configured to calculate the trusted terminal fingerprint to generate a trusted terminal ID number; and the first statistics subunit is used for counting all the trusted terminal ID numbers to obtain a trusted terminal ID number set.
In an embodiment, the acquisition unit comprises a feature acquisition subunit, a second statistics subunit, and a deduplication subunit.
The characteristic acquisition subunit is used for acquiring access information characteristics of the corresponding trusted terminal in the trusted terminal ID set in the learning time through agent software; the second statistics subunit is used for counting each access information feature on the trusted terminal corresponding to the trusted terminal ID number set to obtain an access information feature set; and the deduplication subunit is used for deduplicating the access information features in the access information feature set to obtain a trusted terminal access information feature library.
In an embodiment, the first judging unit includes a communication time judging subunit, a third determining subunit, a fourth determining subunit, a recording subunit, a frequency judging subunit, a fifth determining subunit, and a sixth determining subunit.
The communication time judging subunit is used for judging whether the communication time of the terminal to be tested is in a fixed communication time period according to the access information characteristics of the terminal to be tested; a third determining subunit, configured to determine that the communication time of the terminal to be tested does not meet the set condition if the communication time of the terminal to be tested is not within the fixed communication time period; a fourth determining subunit, configured to determine that the communication time of the terminal to be tested meets a set condition if the communication time of the terminal to be tested is within a fixed communication time period; the recording subunit is used for releasing the access information of the terminal to be tested and recording the access times of the terminal to be tested in unit time aiming at the access target so as to obtain the access frequency; a frequency judging subunit, configured to judge whether the access frequency is within a fixed access frequency range of a set unit time; a fifth determining subunit, configured to determine that the fixed access frequency of the terminal to be tested meets a set requirement if the access frequency is within a set fixed access frequency range of unit time; and the sixth determining subunit is configured to determine that the fixed access frequency of the terminal to be tested does not meet the set requirement if the access frequency is not within the set fixed access frequency range of the unit time.
In an embodiment, the second judging unit includes a first element judging subunit, a seventh determining subunit, a second element judging subunit, a third element judging subunit, and an eighth determining subunit.
A first element judging subunit, configured to judge whether an access target in the access information feature of the terminal to be detected is consistent with the first element of each feature in the trusted terminal access information feature library; a seventh determining subunit, configured to determine that the access information feature of the terminal to be detected does not match the elements in the trusted terminal access information feature library in a one-to-one correspondence if the access target in the access information feature of the terminal to be detected is inconsistent with the first element of each feature in the trusted terminal access information feature library; a second element judging subunit, configured to judge whether the communication time in the terminal access information feature to be tested is consistent with the second element of each feature in the trusted terminal access information feature library if the access target in the terminal access information feature to be tested is consistent with the first element of each feature in the trusted terminal access information feature library, and, if the communication time is inconsistent with the second element of each feature, to determine that the terminal access information feature to be tested does not match the elements in the trusted terminal access information feature library in a one-to-one correspondence; a third element judging subunit, configured to judge whether the number of accesses per unit time to the access target in the access information feature of the terminal to be detected is consistent with the third element of each feature in the trusted terminal access information feature library if the communication time in the access information feature of the terminal to be detected is consistent with the second element of each feature in the trusted terminal access information feature library, and, if the number of accesses per unit time is inconsistent with the third element of each feature, to determine that the access information feature of the terminal to be tested does not match the elements in the trusted terminal access information feature library in a one-to-one correspondence; and an eighth determining subunit, configured to determine that the terminal access information feature to be tested matches the elements in the trusted terminal access information feature library in a one-to-one correspondence if the number of accesses per unit time to the access target in the terminal access information feature to be tested is consistent with the third element of each feature in the trusted terminal access information feature library.
It should be noted that, as will be clear to those skilled in the art, the specific implementation of the DDoS defending device 300 and of each of its units corresponds to the description in the foregoing method embodiment and, for brevity, is not repeated here.
The DDoS defending apparatus 300 described above may be implemented in the form of a computer program that runs on a computer device as shown in FIG. 4.
FIG. 4 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, which may be a stand-alone server or a server cluster formed by a plurality of servers.
With reference to FIG. 4, the computer device 500 includes a processor 502, memory, and a network interface 505, connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer program 5032 includes program instructions that, when executed, cause the processor 502 to perform a DDoS defense method.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an execution environment for the computer program 5032 stored in the non-volatile storage medium 503; when executed by the processor 502, the computer program 5032 causes the processor 502 to perform the DDoS defense method.
The network interface 505 is used for network communication with other devices. Those skilled in the art will appreciate that the architecture shown in FIG. 4 is merely a block diagram of the parts relevant to the present application and does not limit the computer device 500 on which the present application may be implemented; a particular computer device 500 may include more or fewer components than shown, may combine some of the components, or may arrange the components differently.
The processor 502 is configured to execute the computer program 5032 stored in the memory to implement the following steps:
acquiring data packet information sent by a trusted terminal; parsing the data packet information to obtain fingerprint information of the trusted terminal and form a trusted terminal ID set; collecting access information features of the corresponding trusted terminal according to the trusted terminal ID set, and generating a trusted terminal access information feature library from the access information features; acquiring data packet information to be tested sent by a terminal to be tested and access information of the terminal to be tested; parsing the data packet information to be tested to obtain fingerprint information of the terminal to be tested; parsing the access information of the terminal to be tested to obtain access information features of the terminal to be tested; performing ID matching between the fingerprint information of the terminal to be tested and the trusted terminal ID set to judge whether the terminal to be tested is trusted; if the terminal to be tested is not trusted, judging according to the access information features of the terminal to be tested whether the communication time or the fixed access frequency of the terminal to be tested does not meet the set condition; if the communication time or the fixed access frequency of the terminal to be tested does not meet the set condition, determining that DDoS attack behavior exists in the access of the terminal to be tested and performing exception handling on the access of the terminal to be tested; if the terminal to be tested is trusted, judging whether the access information features of the terminal to be tested are matched one-to-one with the elements in the trusted terminal access information feature library; and if the access information features of the terminal to be tested are not matched one-to-one with the elements in the trusted terminal access information feature library, executing the step of determining that DDoS attack behavior exists in the access of the terminal to be tested and performing exception handling on the access of the terminal to be tested.
In an embodiment, after implementing the step of judging according to the access information features of the terminal to be tested whether the communication time or the fixed access frequency of the terminal to be tested does not meet the set condition, the processor 502 further implements the following step:
if both the communication time and the fixed access frequency of the terminal to be tested meet the set condition, determining that no DDoS attack exists in the access of the terminal to be tested, and releasing the access of the terminal to be tested.
In an embodiment, when the processor 502 performs the step of parsing the data packet information to obtain the fingerprint information of the trusted terminal and form the trusted terminal ID set, the following steps are specifically implemented:
performing feature analysis on the data packet information according to the IP address, the MAC address, the size range of the service data packet and the serial number to obtain a trusted terminal fingerprint; computing the trusted terminal fingerprint to generate a trusted terminal ID number; and collecting all trusted terminal ID numbers to obtain a trusted terminal ID number set.
In an embodiment, when the processor 502 performs the step of collecting the access information features of the corresponding trusted terminal according to the trusted terminal ID set and generating the trusted terminal access information feature library from the access information features, the following steps are specifically implemented:
acquiring, through agent software and during the learning time, the access information features of the trusted terminals corresponding to the trusted terminal ID set; collecting each access information feature of the trusted terminals corresponding to the trusted terminal ID number set to obtain an access information feature set; and de-duplicating the access information features in the access information feature set to obtain the trusted terminal access information feature library.
In an embodiment, when the processor 502 performs the step of judging according to the access information features of the terminal to be tested whether the communication time or the fixed access frequency of the terminal to be tested does not meet the set condition, the following steps are specifically implemented:
judging according to the access information features of the terminal to be tested whether the communication time of the terminal to be tested is within the fixed communication time period; if the communication time of the terminal to be tested is not within the fixed communication time period, determining that the communication time of the terminal to be tested does not meet the set condition; if the communication time of the terminal to be tested is within the fixed communication time period, determining that the communication time of the terminal to be tested meets the set condition; releasing the access information of the terminal to be tested, and recording the number of accesses per unit time by the terminal to be tested to the access target to obtain the access frequency; judging whether the access frequency is within the set fixed access frequency range per unit time; if the access frequency is within the set fixed access frequency range per unit time, determining that the fixed access frequency of the terminal to be tested meets the set condition; and if the access frequency is not within the set fixed access frequency range per unit time, determining that the fixed access frequency of the terminal to be tested does not meet the set condition.
In an embodiment, when the processor 502 performs the step of judging whether the access information features of the terminal to be tested are matched one-to-one with the elements in the trusted terminal access information feature library, the following steps are specifically implemented:
judging whether the access target in the access information feature of the terminal to be tested is consistent with the first element of each feature in the trusted terminal access information feature library; if the access target in the access information feature of the terminal to be tested is inconsistent with the first element of each feature in the trusted terminal access information feature library, determining that the access information feature of the terminal to be tested is not matched one-to-one with the elements in the trusted terminal access information feature library; if the access target in the access information feature of the terminal to be tested is consistent with the first element of each feature in the trusted terminal access information feature library, judging whether the communication time in the access information feature of the terminal to be tested is consistent with the second element of each feature in the trusted terminal access information feature library; if the communication time in the access information feature of the terminal to be tested is inconsistent with the second element of each feature in the trusted terminal access information feature library, executing the determination that the access information feature of the terminal to be tested is not matched one-to-one with the elements in the trusted terminal access information feature library; if the communication time in the access information feature of the terminal to be tested is consistent with the second element of each feature in the trusted terminal access information feature library, judging whether the number of accesses per unit time to the access target in the access information feature of the terminal to be tested is consistent with the third element of each feature in the trusted terminal access information feature library; if the number of accesses per unit time in the access information feature of the terminal to be tested is inconsistent with the third element of each feature in the trusted terminal access information feature library, executing the determination that the access information feature of the terminal to be tested is not matched one-to-one with the elements in the trusted terminal access information feature library; and if the number of accesses per unit time in the access information feature of the terminal to be tested is consistent with the third element of each feature in the trusted terminal access information feature library, determining that the access information feature of the terminal to be tested is matched one-to-one with the elements in the trusted terminal access information feature library.
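The following Python is an added illustration of the complete flow the processor implements in the embodiments above (and of the element-by-element matching performed by the second judging unit's subunits): fingerprinting a terminal from the four named fields to obtain an ID number, learning and de-duplicating the access information feature library over the trusted ID set, the fixed communication period and fixed access frequency range checks for a terminal that is not trusted, and the one-to-one match of access target, communication time and access count per unit time for a trusted terminal. It is not code from the patent or from the assignee. The record layout, the use of SHA-256 for the ID number, encoding the communication time period as an hour range, treating a learned access count as an upper bound for "consistent", and every sample packet, observation and threshold are assumptions of the example.

```python
import hashlib

# Constructed sample data for this example (not taken from the patent).
TRUSTED_PACKETS = [
    {"ip": "10.0.0.5", "mac": "AA:BB:CC:00:00:01", "size_range": (64, 512), "serial": 1001},
    {"ip": "10.0.0.6", "mac": "AA:BB:CC:00:00:02", "size_range": (64, 512), "serial": 1002},
]
UNKNOWN_PACKET = {"ip": "203.0.113.9", "mac": "DE:AD:BE:EF:00:01", "size_range": (1400, 1500), "serial": 7}
# Same four fields as TRUSTED_PACKETS[0], as a terminal that copied them would send.
CLONED_PACKET = {"ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01", "size_range": (64, 512), "serial": 1001}
# Learning-time observations: access target, communication time period as an [start_hour, end_hour)
# pair, and access count per unit time. Entry 2 duplicates entry 1; the last is from a terminal outside the ID set.
LEARNING_OBSERVATIONS = [
    {"packet": TRUSTED_PACKETS[0], "target": "db.internal:3306", "period": (8, 18), "count_per_unit": 30},
    {"packet": TRUSTED_PACKETS[0], "target": "db.internal:3306", "period": (8, 18), "count_per_unit": 30},
    {"packet": TRUSTED_PACKETS[1], "target": "api.internal:443", "period": (0, 24), "count_per_unit": 120},
    {"packet": UNKNOWN_PACKET, "target": "db.internal:3306", "period": (0, 24), "count_per_unit": 9000},
]
POLICY = {"period": (8, 18), "freq_range": (0, 50)}  # "set conditions" for untrusted terminals (assumed)


def terminal_fingerprint(pkt):
    """Fingerprint by IP, MAC, service packet size range and serial number; SHA-256 is this example's choice."""
    lo, hi = pkt["size_range"]
    canon = "|".join([pkt["ip"], pkt["mac"].lower(), f"{lo}-{hi}", str(pkt["serial"])])
    return hashlib.sha256(canon.encode()).hexdigest()


def trusted_id_set(trusted_packets):
    """Collect all trusted terminal ID numbers into the trusted terminal ID set."""
    return {terminal_fingerprint(p) for p in trusted_packets}


def build_feature_library(observations, trusted_ids):
    """Learn (target, period, count) features per trusted ID; the set de-duplicates repeats."""
    library = {}
    for obs in observations:
        tid = terminal_fingerprint(obs["packet"])
        if tid in trusted_ids:  # observations from IDs outside the set are not learned
            library.setdefault(tid, set()).add((obs["target"], obs["period"], obs["count_per_unit"]))
    return library


def in_period(hour, period):
    start, end = period
    return start <= hour < end


def untrusted_check(feature, policy):
    """Untrusted path: fixed communication period first, then the fixed access-frequency range."""
    _target, hour, count = feature
    if not in_period(hour, policy["period"]):
        return False, "communication time outside fixed period"
    lo, hi = policy["freq_range"]
    if not lo <= count <= hi:
        return False, "access frequency outside fixed range"
    return True, "ok"


def trusted_match(feature, learned):
    """Trusted path: match access target, then communication time, then access count against the
    learned features, in that order; a learned count is treated as an upper bound (assumption)."""
    target, hour, count = feature
    reason = "no learned feature with this access target"
    for l_target, l_period, l_count in learned:
        if l_target != target:
            continue
        if not in_period(hour, l_period):
            reason = "communication time outside learned period"
            continue
        if count > l_count:
            reason = "access count exceeds learned count per unit time"
            continue
        return True, "ok"
    return False, reason


def classify(pkt, feature, trusted_ids, library, policy):
    """ID-match the fingerprint, then take the trusted or untrusted path; returns (verdict, reason)."""
    tid = terminal_fingerprint(pkt)
    if tid in trusted_ids:
        ok, reason = trusted_match(feature, library.get(tid, set()))
    else:
        ok, reason = untrusted_check(feature, policy)
    return ("release" if ok else "exception"), reason


def demo():
    """Learning phase followed by a few constructed accesses; feature = (target, hour, count per unit time)."""
    ids = trusted_id_set(TRUSTED_PACKETS)
    lib = build_feature_library(LEARNING_OBSERVATIONS, ids)
    t0 = TRUSTED_PACKETS[0]
    return {
        "library_sizes": {tid: len(feats) for tid, feats in lib.items()},
        "trusted_ok": classify(t0, ("db.internal:3306", 10, 25), ids, lib, POLICY),
        "trusted_burst": classify(t0, ("db.internal:3306", 10, 5000), ids, lib, POLICY),
        "trusted_wrong_target": classify(t0, ("api.internal:443", 10, 5), ids, lib, POLICY),
        "cloned_ok": classify(CLONED_PACKET, ("db.internal:3306", 10, 25), ids, lib, POLICY),
        "cloned_burst": classify(CLONED_PACKET, ("db.internal:3306", 10, 5000), ids, lib, POLICY),
        "unknown_ok": classify(UNKNOWN_PACKET, ("db.internal:3306", 9, 10), ids, lib, POLICY),
        "unknown_night": classify(UNKNOWN_PACKET, ("db.internal:3306", 3, 10), ids, lib, POLICY),
        "unknown_flood": classify(UNKNOWN_PACKET, ("db.internal:3306", 9, 9000), ids, lib, POLICY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the two paths side by side: the trusted terminal is released while it stays inside its learned (target, period, count) feature and goes to exception handling when it bursts or hits a target it never accessed during learning, whereas the unknown terminal is held to the fixed period and frequency range instead. The cloned packet shows the limit a practitioner should keep in mind with this design: all four fingerprint fields are values the terminal itself sends, so a terminal that copies them receives the same ID number and is released as long as it also stays within the learned features; it is the feature library, not the ID set, that still catches the 5000-per-unit burst from the cloned identity.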
It should be appreciated that in an embodiment of the application, the processor 502 may be a central processing unit (CPU) or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor.
Those skilled in the art will appreciate that all or part of the flow in a method embodying the above described embodiments may be accomplished by computer programs instructing the relevant hardware. The computer program comprises program instructions, and the computer program can be stored in a storage medium, which is a computer readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present application also provides a storage medium. The storage medium may be a computer readable storage medium. The storage medium stores a computer program which, when executed by a processor, causes the processor to perform the steps of:
acquiring data packet information sent by a trusted terminal; parsing the data packet information to obtain fingerprint information of the trusted terminal and form a trusted terminal ID set; collecting access information features of the corresponding trusted terminal according to the trusted terminal ID set, and generating a trusted terminal access information feature library from the access information features; acquiring data packet information to be tested sent by a terminal to be tested and access information of the terminal to be tested; parsing the data packet information to be tested to obtain fingerprint information of the terminal to be tested; parsing the access information of the terminal to be tested to obtain access information features of the terminal to be tested; performing ID matching between the fingerprint information of the terminal to be tested and the trusted terminal ID set to judge whether the terminal to be tested is trusted; if the terminal to be tested is not trusted, judging according to the access information features of the terminal to be tested whether the communication time or the fixed access frequency of the terminal to be tested does not meet the set condition; if the communication time or the fixed access frequency of the terminal to be tested does not meet the set condition, determining that DDoS attack behavior exists in the access of the terminal to be tested and performing exception handling on the access of the terminal to be tested; if the terminal to be tested is trusted, judging whether the access information features of the terminal to be tested are matched one-to-one with the elements in the trusted terminal access information feature library; and if the access information features of the terminal to be tested are not matched one-to-one with the elements in the trusted terminal access information feature library, executing the step of determining that DDoS attack behavior exists in the access of the terminal to be tested and performing exception handling on the access of the terminal to be tested.
In an embodiment, after executing the computer program to implement the step of judging according to the access information features of the terminal to be tested whether the communication time or the fixed access frequency of the terminal to be tested does not meet the set condition, the processor further implements the following step:
if both the communication time and the fixed access frequency of the terminal to be tested meet the set condition, determining that no DDoS attack exists in the access of the terminal to be tested, and releasing the access of the terminal to be tested.
In an embodiment, when the processor executes the computer program to implement the step of parsing the data packet information to obtain the fingerprint information of the trusted terminal and form the trusted terminal ID set, the following steps are specifically implemented:
performing feature analysis on the data packet information according to the IP address, the MAC address, the size range of the service data packet and the serial number to obtain a trusted terminal fingerprint; computing the trusted terminal fingerprint to generate a trusted terminal ID number; and collecting all trusted terminal ID numbers to obtain a trusted terminal ID number set.
In an embodiment, when the processor executes the computer program to implement the step of collecting the access information features of the corresponding trusted terminal according to the trusted terminal ID set and generating the trusted terminal access information feature library from the access information features, the following steps are specifically implemented:
acquiring, through agent software and during the learning time, the access information features of the trusted terminals corresponding to the trusted terminal ID set; collecting each access information feature of the trusted terminals corresponding to the trusted terminal ID number set to obtain an access information feature set; and de-duplicating the access information features in the access information feature set to obtain the trusted terminal access information feature library.
In an embodiment, when the processor executes the computer program to implement the step of judging according to the access information features of the terminal to be tested whether the communication time or the fixed access frequency of the terminal to be tested does not meet the set condition, the following steps are specifically implemented:
judging according to the access information features of the terminal to be tested whether the communication time of the terminal to be tested is within the fixed communication time period; if the communication time of the terminal to be tested is not within the fixed communication time period, determining that the communication time of the terminal to be tested does not meet the set condition; if the communication time of the terminal to be tested is within the fixed communication time period, determining that the communication time of the terminal to be tested meets the set condition; releasing the access information of the terminal to be tested, and recording the number of accesses per unit time by the terminal to be tested to the access target to obtain the access frequency; judging whether the access frequency is within the set fixed access frequency range per unit time; if the access frequency is within the set fixed access frequency range per unit time, determining that the fixed access frequency of the terminal to be tested meets the set condition; and if the access frequency is not within the set fixed access frequency range per unit time, determining that the fixed access frequency of the terminal to be tested does not meet the set condition.
In an embodiment, when the processor executes the computer program to implement the step of judging whether the access information features of the terminal to be tested are matched one-to-one with the elements in the trusted terminal access information feature library, the following steps are specifically implemented:
judging whether the access target in the access information feature of the terminal to be tested is consistent with the first element of each feature in the trusted terminal access information feature library; if the access target in the access information feature of the terminal to be tested is inconsistent with the first element of each feature in the trusted terminal access information feature library, determining that the access information feature of the terminal to be tested is not matched one-to-one with the elements in the trusted terminal access information feature library; if the access target in the access information feature of the terminal to be tested is consistent with the first element of each feature in the trusted terminal access information feature library, judging whether the communication time in the access information feature of the terminal to be tested is consistent with the second element of each feature in the trusted terminal access information feature library; if the communication time in the access information feature of the terminal to be tested is inconsistent with the second element of each feature in the trusted terminal access information feature library, executing the determination that the access information feature of the terminal to be tested is not matched one-to-one with the elements in the trusted terminal access information feature library; if the communication time in the access information feature of the terminal to be tested is consistent with the second element of each feature in the trusted terminal access information feature library, judging whether the number of accesses per unit time to the access target in the access information feature of the terminal to be tested is consistent with the third element of each feature in the trusted terminal access information feature library; if the number of accesses per unit time in the access information feature of the terminal to be tested is inconsistent with the third element of each feature in the trusted terminal access information feature library, executing the determination that the access information feature of the terminal to be tested is not matched one-to-one with the elements in the trusted terminal access information feature library; and if the number of accesses per unit time in the access information feature of the terminal to be tested is consistent with the third element of each feature in the trusted terminal access information feature library, determining that the access information feature of the terminal to be tested is matched one-to-one with the elements in the trusted terminal access information feature library.
The storage medium may be a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk, an optical disk, or any other computer-readable storage medium capable of storing program code.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the device embodiments described above are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be combined, divided and deleted according to actual needs. In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising instructions for causing a computer device (which may be a personal computer, a terminal, a network device, or the like) to perform all or part of the steps of the method according to the embodiments of the present invention.
While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made and equivalents will be apparent to those skilled in the art without departing from the scope of the invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (7)

  1. A DDoS defense method, comprising:
    acquiring data packet information sent by a trusted terminal;
    analyzing the data packet information to obtain the fingerprint information of the trusted terminal, and forming a trusted terminal ID set;
    collecting access information characteristics of the corresponding trusted terminal according to the trusted terminal ID set, and generating a trusted terminal access information characteristic library according to the access information characteristics;
    acquiring information of a data packet to be tested sent by a terminal to be tested and access information of the terminal to be tested;
    analyzing the information of the data packet to be detected to obtain fingerprint information of the terminal to be detected;
    analyzing the terminal access information to be tested to obtain the terminal access information characteristics to be tested;
    ID matching is carried out on the fingerprint information of the terminal to be detected and the ID set of the trusted terminal so as to judge whether the terminal to be detected is trusted or not;
    if the terminal to be detected is not trusted, judging whether the communication time or the fixed access times of the terminal to be detected do not accord with the set condition according to the access information characteristics of the terminal to be detected;
    if the communication time or the fixed access times of the terminal to be tested do not meet the set conditions, determining that DDoS attack behaviors exist in the access of the terminal to be tested, and performing exception handling on the access of the terminal to be tested;
    if the terminal to be tested is trusted, judging whether the access information features of the terminal to be tested are matched one-to-one with the elements in the trusted terminal access information feature library;
    if the access information features of the terminal to be tested are not matched one-to-one with the elements in the trusted terminal access information feature library, executing the step of determining that DDoS attack behavior exists in the access of the terminal to be tested, and performing exception handling on the access of the terminal to be tested;
    the access information features comprise access targets of the terminal, communication time periods and access times in unit time;
    the analyzing the data packet information to obtain the fingerprint information of the trusted terminal to form a trusted terminal ID set, including:
    carrying out characteristic analysis on the data packet information according to the IP address, the MAC address, the size range of the service data packet and the serial number to obtain a trusted terminal fingerprint;
    calculating the fingerprint of the trusted terminal to generate a trusted terminal ID number;
    counting all the ID numbers of the trusted terminals to obtain a set of ID numbers of the trusted terminals;
    the step of judging whether the communication time or the fixed access times of the terminal to be tested do not meet the set conditions according to the access information characteristics of the terminal to be tested comprises the following steps:
    Judging whether the communication time of the terminal to be tested is in a fixed communication time period according to the access information characteristics of the terminal to be tested;
    if the communication time of the terminal to be tested is not in the fixed communication time period, determining that the communication time of the terminal to be tested does not accord with the set condition;
    if the communication time of the terminal to be tested is within the fixed communication time period, determining that the communication time of the terminal to be tested meets the set condition;
    releasing the access information of the terminal to be tested, and recording the access times of the terminal to be tested in unit time aiming at the access target to obtain the access frequency;
    judging whether the access frequency is within a fixed access frequency range of a set unit time;
    if the access frequency is within the set fixed access frequency range of the unit time, determining that the fixed access frequency of the terminal to be tested meets the set requirement;
    if the access frequency is not in the set fixed access frequency range of the unit time, determining that the fixed access frequency of the terminal to be tested does not meet the set requirement;
    the judging whether the terminal access information feature to be detected is matched with the element in the trusted terminal access information feature library in a one-to-one correspondence mode comprises the following steps:
    Judging whether an access target in the access information characteristics of the terminal to be tested is consistent with a first element of each characteristic in the trusted terminal access information characteristic library;
    if the access target in the terminal access information feature to be tested is inconsistent with the first element of each feature in the trusted terminal access information feature library, determining that the terminal access information feature to be tested is not matched with the element in the trusted terminal access information feature library in a one-to-one correspondence manner;
    if the access target in the terminal access information feature to be tested is consistent with the first element of each feature in the trusted terminal access information feature library, judging whether the communication time in the terminal access information feature to be tested is consistent with the second element of each feature in the trusted terminal access information feature library;
    if the communication time in the terminal access information feature to be tested is inconsistent with the second element of each feature in the trusted terminal access information feature library, executing the determination that the terminal access information feature to be tested is not matched with the element in the trusted terminal access information feature library in a one-to-one correspondence manner;
    If the communication time in the terminal access information feature to be tested is consistent with the second element of each feature in the trusted terminal access information feature library, judging whether the access times of the terminal access information feature to be tested in unit time aiming at an access target is consistent with the third element of each feature in the trusted terminal access information feature library;
    if the access times in unit time in the access information feature of the terminal to be tested are inconsistent with the third element of each feature in the trusted terminal access information feature library, executing the determination that the access information feature of the terminal to be tested is not matched with the elements in the trusted terminal access information feature library in a one-to-one correspondence manner;
    and if the access times of the access information features of the terminal to be tested in unit time are consistent with the third element of each feature in the trusted terminal access information feature library, determining that the access information features of the terminal to be tested are matched with the elements in the trusted terminal access information feature library in a one-to-one correspondence manner.
  2. The DDoS defense method of claim 1, wherein after the judging whether the communication time or the fixed access times of the terminal to be tested do not meet the set condition according to the access information feature of the terminal to be tested, the method further comprises:
    If the communication time and the fixed access times of the terminal to be tested meet the set conditions, determining that the access of the terminal to be tested does not have DDoS attack, and releasing the access of the terminal to be tested.
  3. The DDoS defense method of claim 1, wherein the collecting access information features of the corresponding trusted terminal according to the set of trusted terminal IDs and generating the trusted terminal access information feature library according to the access information features comprises:
    acquiring access information characteristics of a corresponding trusted terminal in the trusted terminal ID set in learning time through agent software;
    counting each access information feature on the trusted terminal corresponding to the trusted terminal ID number set to obtain an access information feature set;
    and de-duplicating the access information features in the access information feature set to obtain a trusted terminal access information feature library.
  4. A DDoS defense device, comprising:
    the trusted information acquisition unit is used for acquiring data packet information sent by the trusted terminal;
    the first analyzing unit is used for analyzing the data packet information to obtain the fingerprint information of the trusted terminal and form a trusted terminal ID set;
    The acquisition unit is used for acquiring access information characteristics of the corresponding trusted terminal according to the trusted terminal ID set and generating a trusted terminal access information characteristic library according to the access information characteristics;
    the to-be-tested information acquisition unit is used for acquiring data packet information to be tested sent by the terminal to be tested and access information of the terminal to be tested;
    the second analysis unit is used for analyzing the data packet information to be tested so as to obtain fingerprint information of the terminal to be tested;
    the third analysis unit is used for analyzing the access information of the terminal to be tested so as to obtain the access information feature of the terminal to be tested;
    the ID matching unit is used for carrying out ID matching on the fingerprint information of the terminal to be tested and the trusted terminal ID set so as to judge whether the terminal to be tested is trusted or not;
    the first judging unit is used for judging whether the communication time or the fixed access times of the terminal to be tested do not meet the set condition according to the access information characteristics of the terminal to be tested if the terminal to be tested is not trusted;
    the first determining unit is used for determining that the access of the terminal to be tested has DDoS attack behavior if the communication time or the fixed access times of the terminal to be tested do not accord with the set condition, and performing exception handling on the access of the terminal to be tested;
    the second judging unit is used for judging whether the access information feature of the terminal to be tested is matched with the elements in the trusted terminal access information feature library in a one-to-one correspondence manner if the terminal to be tested is trusted; and if the access information feature of the terminal to be tested is not matched with the elements in the trusted terminal access information feature library in a one-to-one correspondence manner, executing the determination that the access of the terminal to be tested has DDoS attack behavior, and performing exception handling on the access of the terminal to be tested;
    the access information features comprise access targets of the terminal, communication time periods and access times in unit time;
    the analyzing the data packet information to obtain the fingerprint information of the trusted terminal to form a trusted terminal ID set, including:
    carrying out characteristic analysis on the data packet information according to the IP address, the MAC address, the size range of the service data packet and the serial number to obtain a trusted terminal fingerprint;
    calculating the fingerprint of the trusted terminal to generate a trusted terminal ID number;
    counting all the ID numbers of the trusted terminals to obtain a set of ID numbers of the trusted terminals;
    the step of judging whether the communication time or the fixed access times of the terminal to be tested do not meet the set conditions according to the access information characteristics of the terminal to be tested comprises the following steps:
    Judging whether the communication time of the terminal to be tested is in a fixed communication time period according to the access information characteristics of the terminal to be tested;
    if the communication time of the terminal to be tested is not in the fixed communication time period, determining that the communication time of the terminal to be tested does not accord with the set condition;
    if the communication time of the terminal to be tested is within the fixed communication time period, determining that the communication time of the terminal to be tested meets the set condition;
    releasing the access information of the terminal to be tested, and recording the access times of the terminal to be tested in unit time aiming at the access target to obtain the access frequency;
    judging whether the access frequency is within a fixed access frequency range of a set unit time;
    if the access frequency is within the set fixed access frequency range of the unit time, determining that the fixed access frequency of the terminal to be tested meets the set requirement;
    if the access frequency is not in the set fixed access frequency range of the unit time, determining that the fixed access frequency of the terminal to be tested does not meet the set requirement;
    the judging whether the access information feature of the terminal to be tested is matched with the elements in the trusted terminal access information feature library in a one-to-one correspondence manner comprises the following steps:
    judging whether the access target in the access information feature of the terminal to be tested is consistent with the first element of each feature in the trusted terminal access information feature library;
    if the access target in the terminal access information feature to be tested is inconsistent with the first element of each feature in the trusted terminal access information feature library, determining that the terminal access information feature to be tested is not matched with the element in the trusted terminal access information feature library in a one-to-one correspondence manner;
    if the access target in the terminal access information feature to be tested is consistent with the first element of each feature in the trusted terminal access information feature library, judging whether the communication time in the terminal access information feature to be tested is consistent with the second element of each feature in the trusted terminal access information feature library;
    if the communication time in the terminal access information feature to be tested is inconsistent with the second element of each feature in the trusted terminal access information feature library, executing the determination that the terminal access information feature to be tested is not matched with the element in the trusted terminal access information feature library in a one-to-one correspondence manner;
    If the communication time in the terminal access information feature to be tested is consistent with the second element of each feature in the trusted terminal access information feature library, judging whether the access times of the terminal access information feature to be tested in unit time aiming at an access target is consistent with the third element of each feature in the trusted terminal access information feature library;
    if the access times in unit time in the access information feature of the terminal to be tested are inconsistent with the third element of each feature in the trusted terminal access information feature library, executing the determination that the access information feature of the terminal to be tested is not matched with the elements in the trusted terminal access information feature library in a one-to-one correspondence manner;
    and if the access times of the access information features of the terminal to be tested in unit time are consistent with the third element of each feature in the trusted terminal access information feature library, determining that the access information features of the terminal to be tested are matched with the elements in the trusted terminal access information feature library in a one-to-one correspondence manner.
  5. The DDoS defense device of claim 4, further comprising:
    And the second determining unit is used for determining that the access of the terminal to be tested does not have DDoS attack behavior and releasing the access of the terminal to be tested if the communication time and the fixed access times of the terminal to be tested meet the set conditions.
  6. A computer device, comprising a memory on which a computer program is stored and a processor which, when executing the computer program, implements the method according to any one of claims 1 to 3.
  7. A storage medium storing a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 3.
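A compact Python model of the two-path check described in claims 1 and 4 (and the feature-library construction of claim 3), added here as an illustration and not code from the patent or its assignee. The fingerprint hash, the hour-of-day representation of communication time, the (8, 18) fixed communication period, the (0, 60) fixed frequency range and all sample terminals are this example's own assumptions.

```python
from __future__ import annotations
import hashlib
from typing import NamedTuple


class Feature(NamedTuple):
    """Access information feature: access target, communication time (hour), accesses per unit time."""
    target: str
    hour: int
    count: int


def terminal_id(ip: str, mac: str, size_range: str, seq: int) -> str:
    """Fingerprint from IP, MAC, service packet size range and serial number, reduced to an ID number.
    The claims only say the fingerprint is 'calculated'; a truncated SHA-256 is this example's assumption."""
    return hashlib.sha256(f"{ip}|{mac}|{size_range}|{seq}".encode()).hexdigest()[:16]


def build_library(samples: list[Feature]) -> set[Feature]:
    """Claim 3: collect the features seen during learning time, then de-duplicate them."""
    return set(samples)


def matches_library(f: Feature, library: set[Feature]) -> bool:
    """Claims 1/4, trusted path: the feature must agree with some library element in
    access target (first element), communication time (second) and count (third), checked in that order."""
    for t in library:
        if f.target != t.target:       # first element differs: try next library feature
            continue
        if f.hour != t.hour:           # second element differs
            continue
        if f.count != t.count:         # third element differs
            continue
        return True                    # one-to-one match found
    return False


def check_untrusted(f: Feature, period: tuple[int, int], freq_range: tuple[int, int]) -> bool:
    """Claim 1, untrusted path: communication time must fall in the fixed period, then the
    recorded access frequency must lie within the fixed range. True means both set conditions hold."""
    if not (period[0] <= f.hour < period[1]):
        return False
    return freq_range[0] <= f.count <= freq_range[1]


def decide(packet: tuple, f: Feature, id_set: set[str], library: set[Feature],
           period: tuple[int, int] = (8, 18), freq_range: tuple[int, int] = (0, 60)) -> str:
    """Return 'release' (claims 2/5) or 'exception' (exception handling for DDoS behaviour)."""
    if terminal_id(*packet) in id_set:
        return "release" if matches_library(f, library) else "exception"
    return "release" if check_untrusted(f, period, freq_range) else "exception"


# Constructed sample data (not from the patent): one trusted terminal and its learned features.
TRUSTED_PKT = ("10.0.0.5", "aa:bb:cc:dd:ee:01", "64-512", 1001)
ID_SET = {terminal_id(*TRUSTED_PKT)}
LIBRARY = build_library([Feature("db-01", 9, 30), Feature("db-01", 9, 30), Feature("web-01", 14, 12)])
```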
CN202310500459.7A 2023-05-06 2023-05-06 DDoS defense method, device, computer equipment and storage medium Active CN116232767B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310500459.7A CN116232767B (en) 2023-05-06 2023-05-06 DDoS defense method, device, computer equipment and storage medium


Publications (2)

Publication Number Publication Date
CN116232767A CN116232767A (en) 2023-06-06
CN116232767B true CN116232767B (en) 2023-08-15

Family

ID=86585833

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310500459.7A Active CN116232767B (en) 2023-05-06 2023-05-06 DDoS defense method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116232767B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117113340B (en) * 2023-10-20 2024-01-23 杭州美创科技股份有限公司 Host computer sag detection method, device, computer equipment and storage medium
CN117688540B (en) * 2024-02-01 2024-04-19 杭州美创科技股份有限公司 Interface sensitive data leakage detection defense method and device and computer equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110944016A (en) * 2019-12-25 2020-03-31 中移(杭州)信息技术有限公司 DDoS attack detection method, device, network equipment and storage medium
CN112019508A (en) * 2020-07-28 2020-12-01 杭州安恒信息技术股份有限公司 Method, system and electronic device for detecting DDos attack based on Web log analysis
CN112751815A (en) * 2019-10-31 2021-05-04 华为技术有限公司 Message processing method, device, equipment and computer readable storage medium
CN114726579A (en) * 2022-03-08 2022-07-08 北京百度网讯科技有限公司 Method, apparatus, device, storage medium and program product for defending against network attacks

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160173526A1 (en) * 2014-12-10 2016-06-16 NxLabs Limited Method and System for Protecting Against Distributed Denial of Service Attacks


Also Published As

Publication number Publication date
CN116232767A (en) 2023-06-06


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant