
CN105554016A - Network attack processing method and device - Google Patents


Info

Publication number
CN105554016A
Authority
CN
China
Prior art keywords
data
packet
dimension data
characteristic dimension
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201511029329.1A
Other languages
Chinese (zh)
Inventor
刘小东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hillstone Networks Co Ltd
Original Assignee
Hillstone Networks Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hillstone Networks Co Ltd
Priority to CN201511029329.1A
Publication of CN105554016A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack processing method and device. The method comprises the following steps: collecting packet information in a data stream; parsing the packet information to obtain attack detection dimension data and packet feature dimension data; comparing the attack detection dimension data and the packet feature dimension data with preset/learned data to judge whether the attack detection dimension data and the packet feature dimension data are abnormal; when the judgment result is positive, reporting an abnormal event and detecting, according to the preset/learned data, whether the packet feature dimension data have abnormal features; when the judgment result is negative, matching a corresponding mitigation scheme according to the packet feature dimension data; and executing the mitigation scheme. The network attack processing method and device disclosed by the invention are used to solve the technical problems of the prior art that, while mitigating a flooding attack, collateral damage to packets of normal traffic is large, the precision of confirming an attack is low, and preventing flooding attacks consumes large system resources.

Description

Network attack processing method and device
Technical field
The present invention relates to the field of computer application technology, and in particular to a network attack processing method and device.
Background technology
With the development of the Internet, while the Internet makes people's lives more convenient, network attacks and network security have become typical features of the Internet era. Among these, flood attacks (DoS Flood) are one kind of denial-of-service attack: the attack principle is simple, the cost is low, the harm is large, they are difficult to guard against, and within a short time they can seriously damage network security. Common DoS Flood attacks include the handshake flood (Synchronous Flood, SYN Flood for short), the reset-connection flood (Reset The Connection Flood, RST Flood for short), the close-connection flood (Finish Flood, FIN Flood for short), the acknowledgement flood (ACK Flood), the User Datagram Protocol flood (UDP Flood for short) and the Internet Control Message Protocol flood (ICMP Flood for short).
The attacker first compromises a large number of computers, mobile terminals and other devices to serve as the attacker's "zombies" ("broilers"), and launches the Flood attack through these many zombies, so that attack traffic is mixed together with normal traffic; a Flood attack can also be launched by forging source IP addresses. The resources of the target system are exhausted, the target system is paralysed and cannot respond to service normally. Because, apart from its volume, Flood attack traffic has no obvious features and is mixed together with normal traffic, the attack is hard to detect, and even when it is detected it is hard to block the abnormal stream without affecting normal traffic. Current Flood attack detection and mitigation therefore has the following problems: 1. under different network environments, attacks cannot be detected quickly and accurately without human intervention; 2. once an attack is detected, the abnormal traffic cannot be located precisely, so the attack cannot be mitigated precisely; 3. even when a Flood attack with spoofed IP addresses is detected, it is hard to mitigate the attack while keeping "collateral damage" to the genuine normal traffic of the forged IPs small.
In the related art, the following schemes are mainly used to handle the above flood attacks:
Scheme one: most current network security devices and attack protection software set a threshold on access to the protected resource and treat exceeding the threshold as an anomaly. For example, a SYN Flood detection method may specify that the number of SYN packets accessing the protected system within 1 minute may not exceed 5000. That is, an upper limit on SYN packets per unit time is set for the protected system; once the number of SYN packets accessing the protected system in the unit time exceeds the threshold, a SYN Flood attack is deemed to be occurring and SYN packets are discarded probabilistically to mitigate the attack. Discarding SYN packets at random, however, causes severe "collateral damage": normal traffic is blocked along with the abnormal traffic, every visitor experiences random TCP connection request failures, and the mitigation method of scheme one is therefore unacceptable. To improve the precision of mitigation, some security vendors build on this method by spending huge memory resources on per-source-IP statistics, i.e. counting, per unit time, the number of SYN packets with which each source IP accesses the protected resource. Although SYN packets can then be discarded per source IP after an attack is detected, which makes the scope of mitigation more precise than the method above, the attack traffic and the normal traffic of a source IP still cannot be distinguished, so normal traffic still suffers "collateral damage", and the detection itself consumes huge memory resources and system performance.
The defects of scheme one are that the detection method is single and cannot adapt to different network environments, that it cannot handle thresholds that differ between periods, and that it cannot "clean" a detected attack intelligently: it simply discards packets by source IP address, with the result that abnormal traffic and normal traffic are both blocked, so this mitigation method is itself a denial of service.
Scheme two: the most common current means of preventing SYN Flood attacks is to enable the SYN Cookie function. Its principle is that when the TCP server receives a SYN packet it does not allocate resources for it immediately, but computes a Cookie value from the SYN packet and judges the legitimacy of the ACK by verifying the acknowledgement number of the ACK packet. If it is legitimate, the TCP connection is allowed to be established; otherwise the SYN packet's request is discarded. That is, SYN Cookies generate the initial sequence number by encoding, according to a certain rule, information such as the timestamp, the MSS (Maximum Segment Size), the IP addresses and the port numbers, and use it as the sequence number of the SYN+ACK packet sent by the server. According to the TCP specification, when the client sends the TCP ACK packet back to the server in response to the server's SYN+ACK packet, the client must use the initial sequence number sent by the server plus 1 as the acknowledgement number in the packet. The server then subtracts 1 from the acknowledgement number to recover the original SYN Cookie it sent to the client.
The defects of scheme two are: only 3 bits are available to encode the MSS (Maximum Segment Size), so the server can encode only eight MSS values; TCP options, which serve to protect the connection, are sacrificed to save space; the function itself consumes memory, computation and bandwidth on the security device and degrades its performance considerably. Some vendors have made small innovations on this basis, such as applying the SYN Cookie function in a transparent-mode network device or adding a whitelist to SYN Cookie, but fundamentally it is still SYN Cookie: SYN Flood attack traffic is large, the time complexity of computing and verifying SYN Cookies is high, the function itself consumes much memory and is limited by capacity, and when a serious SYN Flood attack actually occurs, the security device itself is seriously affected and harmed.
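As an added illustration of the SYN Cookie mechanism described in scheme two (example code written for this page, not the patent's or any vendor's implementation), the following packs a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the 4-tuple into the initial sequence number and recovers it from the client's acknowledgement number; the key, bit layout and MSS table are assumptions, and the 3-bit index is exactly the eight-value MSS limitation the text points out.

```python
"""Added example, not the patent's or any vendor's code: a minimal SYN Cookie generator
and verifier.  Key, bit layout and MSS table are assumptions for illustration."""
import hashlib
import hmac
import ipaddress

MSS_TABLE = (536, 1024, 1220, 1440, 1452, 1460, 4312, 8960)  # constructed eight-entry table (3 bits)
SECRET = b"constructed-demo-secret"                           # placeholder key for the demo


def mss_index(mss):
    """Index of the largest table entry not exceeding the client's MSS (0 as the floor)."""
    best = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            best = i
    return best


def _mac24(saddr, daddr, sport, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time counter."""
    msg = (ipaddress.ip_address(saddr).packed + ipaddress.ip_address(daddr).packed
           + sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + counter.to_bytes(4, "big"))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now_sec):
    """Server side on SYN: derive the SYN+ACK sequence number instead of allocating state.
    Layout (assumed): bits 31-27 time counter, bits 26-24 MSS index, bits 23-0 keyed hash."""
    counter = (now_sec // 64) & 0x1F                 # 5-bit coarse time, 64 s granularity
    return (counter << 27) | (mss_index(mss) << 24) | _mac24(saddr, daddr, sport, dport, counter)


def check_ack(saddr, daddr, sport, dport, ack_num, now_sec, max_age=2):
    """Server side on ACK: subtract 1 from the acknowledgement number to recover the cookie,
    check freshness and the hash, and return the MSS to use, or None for a bogus or stale ACK."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    counter, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((now_sec // 64) & 0x1F) - counter) & 0x1F   # counter units elapsed, modulo 32
    if age > max_age:
        return None
    expected = _mac24(saddr, daddr, sport, dport, counter)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]                             # the MSS survives only as one of eight values
```

A client that advertised MSS 1500 is therefore answered as if it had advertised 1460, the nearest table entry below it.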
Scheme three: TCP header information is collected, a hash table is built over the hash values of each item of information, and a certain algorithm identifies which items are abnormal; when the bucket holding the hash value of a packet's corresponding information is marked abnormal, the packet is discarded. That is, all TCP header information must be collected and a hash table of the corresponding information generated; the collected information is hashed into the table, whether an anomaly exists is determined from how certain bucket values in the hash table change, and the anomaly is marked if found. When the bucket corresponding to the hash value of a received TCP header is marked abnormal, the packet is discarded. For example, with the destination IP and destination port of the TCP header, when the access volume of a certain port is too large a Flood attack is assumed and packets accessing that port are discarded.
The defects of scheme three are that attack detection and attack mitigation are not separated: a simple packet-feature anomaly is treated as an attack, so the probability of false positives is very high and there is no accurate attack detection method; only TCP header information is counted, so more precise attack features cannot be found; and it targets only TCP Flood attacks and is helpless against the more common UDP Flood and ICMP Flood attacks.
Scheme four targets UDP Flood attacks by building two binary trees A and B: tree A stores the UDP packets to be analysed and tree B stores the host IPs detected as launching a UDP Flood attack; if a source IP is in tree B, its UDP packets are discarded. That is, when a UDP packet is received, tree B is first searched by source IP for a matching node; if one exists the packet is discarded, otherwise the operation on tree A follows. Tree A is searched by source IP for a node of this IP; if there is none, a node for this source IP is added to tree A and the content of the UDP packet is recorded; if the node is found, the UDP packet content is compared with the content saved at the node, and if the content is identical the node's "match count" is incremented by 1, otherwise its "mismatch count" is incremented by 1. When the "match count" exceeds a certain value within a certain time, this source IP is deemed to be launching a UDP Flood attack and the IP is added to tree B.
The defects of scheme four are: first, recording the UDP packet content of each source IP likewise consumes a great deal of memory; when a real network has many source IPs, tree A becomes very large, and searching tree A for every UDP packet is unacceptable in both time complexity and space complexity; the detection method is single, judging only by UDP packet content, so it fails when the content consists of random characters, and for attacks with forged source IPs the attack traffic and non-attack traffic are likely mixed together, so the first packet received from a source IP is not necessarily an attack packet; the mitigation method simply discards packets by source IP, causing large "collateral damage" to normal traffic; and it can detect only UDP Flood attacks, not other attack types.
For the problems of the related art that, while mitigating a flood attack, collateral damage to packets of normal traffic is large, the precision of confirming an attack is low, and preventing flood attacks consumes large system resources, no effective solution has yet been proposed.
Summary of the invention
The embodiments of the present invention provide a network attack processing method and device, so as at least to solve the technical problems of the related art that, while mitigating a flood attack, collateral damage to packets of normal traffic is large, the precision of confirming an attack is low, and preventing flood attacks consumes large system resources.
According to one aspect of the embodiments of the present invention, a network attack processing method is provided, comprising: collecting packet information in a data stream; parsing the packet information to obtain attack detection dimension data and packet feature dimension data; comparing the attack detection dimension data and the packet feature dimension data with preset/learned data to judge whether the attack detection dimension data and the packet feature dimension data are abnormal; when the judgment result is no, inputting the attack detection dimension data and the packet feature dimension data respectively into a pre-established analysis model to generate corresponding analysis data; when the judgment result is yes, reporting an abnormal event and detecting, according to the preset/learned data, whether the packet feature dimension data have abnormal features, the abnormal event being used to indicate that the packets in the data stream pose a threat of a flood attack; when the detection result is yes, matching a corresponding mitigation scheme according to the packet feature dimension data; and executing the mitigation scheme.
According to another aspect of the embodiments of the present invention, a network attack processing device is further provided, comprising: a collection module for collecting packet information in a data stream; a parsing module for parsing the packet information to obtain attack detection dimension data and packet feature dimension data; a judgment module for comparing the attack detection dimension data and the packet feature dimension data with preset/learned data to judge whether the attack detection dimension data and the packet feature dimension data are abnormal; a data update module for, when the judgment result is no, inputting the attack detection dimension data and the packet feature dimension data respectively into a pre-established analysis model to generate corresponding analysis data; an anomaly detection module for, when the judgment result is yes, reporting an abnormal event and detecting, according to the preset/learned data, whether the packet feature dimension data have abnormal features, the abnormal event being used to indicate that the packets in the data stream pose a threat of a flood attack; a matching module for, when the detection result is yes, matching a corresponding mitigation scheme according to the packet feature dimension data; and an execution module for executing the mitigation scheme.
In the embodiments of the present invention, by collecting packet information in a data stream; parsing the packet information to obtain attack detection dimension data and packet feature dimension data; comparing the attack detection dimension data and the packet feature dimension data with preset/learned data to judge whether they are abnormal; when the judgment result is no, inputting the attack detection dimension data and the packet feature dimension data respectively into a pre-established analysis model to generate corresponding analysis data; when the judgment result is yes, reporting an abnormal event and detecting, according to the preset/learned data, whether the packet feature dimension data have abnormal features, the abnormal event being used to indicate that the packets in the data stream pose a threat of a flood attack; when the detection result is yes, matching a corresponding mitigation scheme according to the packet feature dimension data; and executing the mitigation scheme, the aim of preventing flood attacks precisely is achieved. This yields the technical effects of improving the precision of confirming a flood attack and saving system resources, and thereby solves the technical problems of the related art that, while mitigating a flood attack, collateral damage to packets of normal traffic is large, the precision of confirming an attack is low, and preventing flood attacks consumes large system resources.
Accompanying drawing explanation
The accompanying drawings described here are provided for a further understanding of the present invention and form part of this application; the schematic embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic flow chart of the network attack processing method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the network attack processing method according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of executing the mitigation scheme in the network attack processing method according to an embodiment of the present invention;
Fig. 4 is a schematic flow chart of a network attack processing method according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of an application scenario of the network attack processing method according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the network attack processing device according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a network attack processing device according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of another network attack processing device according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of yet another network attack processing device according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of still another network attack processing device according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of the network attack processing device according to another embodiment of the present invention;
Fig. 12 is a schematic structural diagram of a network attack processing device according to another embodiment of the present invention.
Embodiment
In order that those skilled in the art may better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and the like in the specification, claims and drawings of the present invention are used to distinguish similar objects and need not describe a particular order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the invention described here can be implemented in orders other than those illustrated or described. Furthermore, the terms "comprise" and "have" and any variants of them are intended to cover non-exclusive inclusion: for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units not expressly listed or inherent to such a process, method, product or device.
Embodiment one
According to an embodiment of the present invention, a method embodiment of a network attack processing method is provided. It should be noted that the steps shown in the flow chart of the drawings may be performed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flow chart, in some cases the steps shown or described may be performed in an order different from the one given here.
Fig. 1 is a schematic flow chart of the network attack processing method according to an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps:
Step S102: collect packet information in the data stream;
Here, the collected packet information in the data stream may comprise traffic information and packet feature information of the packets, where the traffic information may be the percentage of the current traffic taken by packets of each network protocol type, and the packet feature information may be the header field information of each packet. For example, each field of the IP header is collected: IP version, type of service, total length, TTL, flags, header checksum, fragment offset and so on; each field of the TCP header is collected: source port, destination port, sequence number, acknowledgement number, length, window, checksum and so on; and each field of the UDP header is collected: source port, destination port, length and checksum, together with the first 16 bytes of the packet's data content.
The packet information provided by the embodiments of the present application is described only by way of the above; it is not specifically limited, provided the network attack processing method provided by the embodiments of the present application can be realised.
Step S104: parse the packet information to obtain attack detection dimension data and packet feature dimension data;
Specifically, in parsing this packet information, the packet information for the protected resource is counted to obtain, in the current data stream, the network protocol type of each packet destined for the protected resource, the proportion of the whole data stream it occupies, and the header field information of each packet; the proportion that packets of each network protocol type occupy in the whole data stream is used as the attack detection dimension data, and the network protocol type and header field information of the packets are used as the feature information. That is, supposing the protected resource is a server Server, the packets of each network type whose destination address is Server can be obtained, the number of such packets in the traffic is counted, and their header field information is obtained; the above attack detection dimension data and packet feature dimension data are thus obtained.
Step S106: compare the attack detection dimension data and the packet feature dimension data with the preset/learned data, and judge whether the attack detection dimension data and the packet feature dimension data are abnormal;
Specifically, each attack detection dimension and each packet feature dimension is an independent dimension. According to the characteristics of the different dimensions they are divided into fixed-threshold dimensions and trained-threshold dimensions: a fixed-threshold dimension does not change once preset, whereas a learned threshold is obtained by learning while the input dimension data are not abnormal; the input dimension data are compared with the preset/learned dimension data.
Step S108: when the judgment result is no, input the attack detection dimension data and the packet feature dimension data respectively into the pre-established analysis model to generate corresponding analysis data;
Specifically, when the judgment result is that the input dimension data do not exceed a certain multiple of the preset/learned data, the data are input into the pre-established analysis model to generate analysis data; the attack detection dimension data and packet feature dimension data of subsequently received packets can then be compared against the analysis data generated in this way, which gives the effect of dynamic learning by the model and improves the module's ability to recognise whether a packet is abnormal.
Step S110: when the judgment result is yes, report an abnormal event and detect, according to the preset/learned data, whether the packet feature dimension data have abnormal features, the abnormal event being used to indicate that the packets in the data stream pose a threat of a flood attack;
Here, a judgment result of yes means that, when the data of several dimensions among the attack detection dimension data and packet feature dimension data are abnormal, an abnormal event is determined to exist.
Step S112: when the detection result is yes, match a corresponding mitigation scheme according to the packet feature dimension data;
Specifically, the mitigation rule proposed in the embodiments of the present application is a rule for mitigation generated, when an abnormal event occurs, from the anomalies detected in those packet feature dimensions that exhibit anomalies;
Step S114: execute the mitigation scheme.
Specifically, based on steps S110 and S112, when all detection dimensions of a certain attack produce anomalies within a certain period, an abnormal event is reported and it is checked which packet feature dimensions are abnormal; mitigation rules are generated from the anomalies of those packet feature dimensions. Within one data stream, one attack flow can match several mitigation rules; each mitigation rule discards abnormal packets at a certain percentage, the mitigation actions are executed serially and their strengths superpose, so that a dynamic mitigation effect is reached through gradient mitigation. Only when, within a certain period, no packet in the data stream matches a mitigation rule is that rule deleted. In this way flood attacks are resolved precisely and the possibility of "collateral damage" to packets is reduced.
The network attack processing method provided by the embodiments of the present application is applicable to the field of network attack prevention, and in particular to terminal protection. The method collects packet information in a data stream, parses the packet information to obtain attack detection dimension data and packet feature dimension data, compares the obtained attack detection dimension data and packet feature dimension data with the stored preset/learned data to judge whether they possess packet features, and takes preventive action. In the course of prevention, when the attack detection dimension data and packet feature dimension data are judged to possess packet features, the attack (namely a flood attack) is reported, the packet features are stored, the corresponding mitigation scheme is matched according to those packet features, and once the mitigation scheme is obtained the flood attack is resolved by executing it.
Because most related-art techniques use different detection and prevention methods for different types of Flood attack, they are hard to maintain and inconvenient to implement. The network attack processing method provided by the embodiments of the present application, by contrast, can accurately detect and mitigate different Flood attacks under different network environments with one more general method, without affecting the processing of normal traffic during mitigation, so that the target system is spared serious damage.
Based on the above, Fig. 2 is a schematic diagram of the network attack processing method according to an embodiment of the present invention. As shown in Fig. 2, the collection module Sensor collects the required dimension information in the data stream and the packet information of the protected system (that is, step S102 of the embodiments of the present application); the input module Input delivers the collected information to the model Model through a dedicated channel; the model Model performs periodic modelling and learning on the large volume of input data and performs anomaly detection on the current input data, and if there are abnormal results it delivers them to the analysis module Analyzer; the analysis module Analyzer analyses, from the dimension anomaly results, whether a certain attack exists and, when an attack is found, extracts the abnormal packet features (that is, steps S104 to S110 of the embodiments of the present application); the execution module Action performs different mitigation actions for different attacks (that is, step S112 of the embodiments of the present application); the output module Output issues the mitigation actions to the traffic filter (Filter); and the filter Filter filters packets according to the mitigation rules (that is, step S114 of the embodiments of the present application).
Through the above steps S102 to S112, the network attack processing method provided by the embodiments of the present application detects flood attacks quickly and accurately from the packet information in the data stream, mitigates attacks quickly and precisely, and keeps "injury" to normal traffic to a minimum.
In the network attack processing method provided by the embodiments of the present application, by collecting packet information in a data stream; parsing the packet information to obtain attack detection dimension data and packet feature dimension data; comparing the attack detection dimension data and the packet feature dimension data with preset/learned data to judge whether they are abnormal; when the judgment result is no, inputting the attack detection dimension data and the packet feature dimension data respectively into a pre-established analysis model to generate corresponding analysis data; when the judgment result is yes, reporting an abnormal event and detecting, according to the preset/learned data, whether the packet feature dimension data have abnormal features, the abnormal event being used to indicate that the packets in the data stream pose a threat of a flood attack; when the detection result is yes, matching a corresponding mitigation scheme according to the packet feature dimension data; and executing the mitigation scheme, the aim of preventing flood attacks precisely is achieved. This yields the technical effects of improving the precision of confirming a flood attack and saving system resources, and thereby solves the technical problems of the related art that, while mitigating a flood attack, collateral damage to packets of normal traffic is large, the precision of confirming an attack is low, and preventing flood attacks consumes large system resources.
It should be noted that the network attack processing method provided by the embodiments of the present application is applicable to the handshake flood (Synchronous Flood, SYN Flood for short), the reset-connection flood (Reset The Connection Flood, RST Flood for short), the close-connection flood (Finish Flood, FIN Flood for short), the acknowledgement flood (ACK Flood), the User Datagram Protocol flood (UDP Flood for short) and the Internet Control Message Protocol flood (ICMP Flood for short). The embodiments of the present application are described taking the handshake flood (Synchronous Flood, SYN Flood for short) as an example, as follows:
Optionally, when the packet information comprises the packet types, the packet count of each type and the total packet count in the data stream, parsing the packet information in step S104 to obtain attack detection dimension data and packet feature dimension data comprises:
Step1, classifying the packets in the collected data stream by type to obtain the packet types, the packet count of each type and the total packet count in the data stream;
Step2, obtaining, from the packet count of each type, the ratio of packets of that type within the data stream;
Step3, taking the packet ratio of each packet type as the attack detection dimension data;
Step4, collecting the packet type and the packet header information of the packets of each type to obtain the packet feature dimension data.
Specifically, flood attacks come in many variants, but a flood attack is always a data stream, of some network type or protocol version, that exceeds the normal traffic situation. Therefore, whether or not a flood attack is occurring, the packets in the data stream can always be classified, yielding the packet types, the packet count of each type and the total packet count of the stream. The point of obtaining these features is to know the proportion of each type in the current data stream and the detailed characteristic information of each packet type, such as the encapsulation values, path and state values of the packet header.
Take SYN Flood as an example. According to statistics of TCP packet ratios in real networks, whether the network traffic is large or small, and whether TCP packets or other protocol packets predominate, the proportion of SYN packets among TCP packets in a real network environment hardly ever exceeds 1/7. Moreover, under normal circumstances, after the server responds with a SYN+ACK packet, the client answers with an ACK packet to establish the "three-way handshake" connection, whereas most SYN Flood attack tools do not respond with the ACK packet, in order to improve attack performance.
From the above description, the following two attack detection dimensions can be summarized:
A. the ratio of SYN packets in the data stream of the protected system;
B. the ratio of SYN packets without an ACK in the data stream of the protected system.
The two dimensions above require the following data to be collected:
A'. in the data stream, the number of SYN packets whose destination is the protected system, and the total number of TCP packets received and sent by the protected system;
B'. in the data stream, the number of SYN packets whose destination is the protected system and for which no "three-way handshake" ACK response arrived.
For example: on a firewall or in security software, suppose that within one minute the number of SYN packets collected with the protected system as destination IP is 100, and the total number of TCP packets received and sent by the protected system is 1500; then the value of the dimension "SYN packet ratio" is 1/15, so this dimension is considered normal; when the value exceeds 1/7, it is considered abnormal. The statistics and calculation of the dimension "ratio of SYN packets without ACK" are similar.
In this way, SYN Flood attacks are detected with the two dimensions "SYN packet ratio" of the protected target system and the ratio of SYN packets without ACK to the total number of SYN packets, so that detection is more accurate across different network topologies and network environments.
Similarly, for UDP Flood attacks, three dimensions are used to detect the attack: the ratio of UDP packets to IP packets, the ratio of newly received UDP packets without a session to the total number of UDP packets, and the number of UDP packets. Detection of the other attacks is similar.
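The two SYN Flood detection dimensions above (A: SYN share of the protected system's TCP packets, B: share of SYNs never answered with a handshake ACK), computed over a constructed cycle of traffic, as an added example that is not code from the patent or from Hillstone. The protected address, the packet layout and the 1/2 limit on dimension B are assumptions; only the 1/7 limit on dimension A comes from the description above.

```python
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction

# Constructed values: the protected system's address, and the fixed SYN-ratio limit (1/7) from the description.
PROTECTED = "10.0.0.5"
SYN_RATIO_LIMIT = Fraction(1, 7)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                      # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def is_syn(p):
    """A bare SYN: the first packet of a three-way handshake."""
    return p.proto == "tcp" and p.flags == frozenset({"SYN"})


def is_ack(p):
    """Any TCP packet carrying ACK but not SYN, i.e. handshake completion or later data."""
    return p.proto == "tcp" and "ACK" in p.flags and "SYN" not in p.flags


def classify(pkts):
    """Step1 of S104: packet count per type and the total packet count of the stream."""
    return Counter(p.proto for p in pkts), len(pkts)


def syn_ratio(pkts, protected=PROTECTED):
    """Dimension A: SYN packets addressed to the protected system over all TCP packets it sends or receives."""
    tcp = [p for p in pkts if p.proto == "tcp" and protected in (p.src, p.dst)]
    syn = [p for p in tcp if is_syn(p) and p.dst == protected]
    return Fraction(len(syn), len(tcp)) if tcp else Fraction(0)


def half_open_ratio(pkts, protected=PROTECTED):
    """Dimension B: share of SYNs to the protected system never followed by the client's handshake ACK.
    A session is keyed by (src, sport, dst, dport), as the description does."""
    syns = {(p.src, p.sport, p.dst, p.dport) for p in pkts if is_syn(p) and p.dst == protected}
    acked = {(p.src, p.sport, p.dst, p.dport) for p in pkts if is_ack(p) and p.dst == protected}
    return Fraction(len(syns - acked), len(syns)) if syns else Fraction(0)


def syn_flood_detected(pkts, half_open_limit=Fraction(1, 2), protected=PROTECTED):
    """S106 rule: an attack is declared only when every one of its detection dimensions is abnormal
    in the same cycle. The 1/2 limit for dimension B is an assumed learned threshold, not the patent's."""
    return (syn_ratio(pkts, protected) > SYN_RATIO_LIMIT
            and half_open_ratio(pkts, protected) > half_open_limit)


def handshake_session(client, port, n_data=12):
    """Constructed normal client: full handshake plus n_data data segments (half each direction)."""
    s = [Pkt(client, port, PROTECTED, 80, "tcp", frozenset({"SYN"})),
         Pkt(PROTECTED, 80, client, port, "tcp", frozenset({"SYN", "ACK"})),
         Pkt(client, port, PROTECTED, 80, "tcp", frozenset({"ACK"}))]
    for i in range(n_data):
        if i % 2 == 0:
            s.append(Pkt(client, port, PROTECTED, 80, "tcp", frozenset({"ACK", "PSH"})))
        else:
            s.append(Pkt(PROTECTED, 80, client, port, "tcp", frozenset({"ACK", "PSH"})))
    return s


def spoofed_syns(n):
    """Constructed flood traffic: each SYN comes from a different forged source, the server answers
    SYN+ACK, and nobody completes the handshake, the tool behaviour described above."""
    out = []
    for i in range(n):
        src = f"198.51.100.{i + 1}"
        out.append(Pkt(src, 40000 + i, PROTECTED, 80, "tcp", frozenset({"SYN"})))
        out.append(Pkt(PROTECTED, 80, src, 40000 + i, "tcp", frozenset({"SYN", "ACK"})))
    return out


NORMAL_CYCLE = [p for c in range(5) for p in handshake_session(f"192.0.2.{c + 1}", 50000 + c)]
ATTACK_CYCLE = NORMAL_CYCLE + spoofed_syns(20)

if __name__ == "__main__":
    for name, cycle in (("normal", NORMAL_CYCLE), ("attack", ATTACK_CYCLE)):
        print(name, classify(cycle)[0], "A =", syn_ratio(cycle), "B =", half_open_ratio(cycle),
              "SYN flood:", syn_flood_detected(cycle))
```

With five ordinary sessions of 15 TCP packets each, dimension A is exactly the 1/15 quoted in the description and dimension B is 0; adding 20 half-open handshakes pushes A above 1/7 and B to 4/5, and only then are both dimensions abnormal in the same cycle.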
Optionally, when the preset/learned data comprise preset/learned attack detection dimension data and preset/learned packet feature dimension data, comparing the dimension data and the packet feature dimension data with the preset/learned data in step S106 and judging whether the attack detection dimension data and the packet feature dimension data are abnormal comprises:
Step1, comparing the dimension data with the corresponding preset/learned attack detection dimension data to judge whether the attack detection dimension data exceed a first predetermined threshold of the preset/learned dimension data;
Specifically, for a preset fixed dimension (for example, the SYN packet ratio), the dimension is considered abnormal when the input dimension data exceed the preset data; for a learned dimension (for example, the UDP packet ratio or the TTL hash buckets), the dimension is considered abnormal when the input dimension data exceed the preset/learned data by a certain multiple (namely, the first predetermined threshold mentioned in Step1). When the dimension is not abnormal, the current input data are combined with the data already learned to obtain new learned data.
Step2, comparing the packet feature dimension data with the corresponding preset/learned packet feature dimension data to judge whether the packet header information in the packet feature dimension data exceeds a second predetermined threshold of the preset/learned feature data.
Specifically, each packet feature is a dimension (for example, the TTL in the IP header or the seq in the TCP header), and each feature dimension is a hash bucket into which the corresponding field of the packets destined for the protected resource is counted. For example, if the TTL value of the current packet is 50, the value of bucket[50] of dimension TTL (TTL value % 256 = 50) is incremented by 1, and within one cycle the TTLs of all packets are accumulated in this way. When the newly input dimension data exceed the preset/learned data by a certain multiple (namely, the second predetermined threshold mentioned in Step2), that bucket of the dimension is considered abnormal (for example, if the learned value of bucket[50] of dimension TTL is 1000 and the current input is 5000, then TTL % 256 == 50 is considered a feature of the abnormal packets; that is, a packet whose destination address is the protected resource and whose IP header TTL modulo 256 equals 50 is an abnormal packet).
Here, in Step1, the attack detection dimension data are compared with the preset/learned dimension data; if they exceed them by a certain multiple, the currently input dimension data are judged abnormal and the abnormal data are saved; otherwise the current input value is combined with the saved learned value by weighted average to learn the current dimension value;
Step2, the operation on the packet feature dimension data is similar to Step1;
Specifically, combining Step1 and Step2: within a single cycle, it is first judged whether the attack-related detection dimensions are abnormal; when all detection dimensions related to an attack are abnormal in the same cycle, the occurrence of the attack is determined. Afterwards, all packet feature dimensions are checked for anomalies, and the feature rules of the abnormal packets are extracted to generate mitigation rules. When abnormal feature extraction fails, for flood attacks other than SYN Flood the rule "drop ACK/FIN/RST/UDP/ICMP packets that match no session" is issued (this mitigation method is a supplementary one, suitable only for stateful firewalls or related devices; a session identifies a flow and is determined by source IP, source port, destination IP, destination port and IP protocol); for SYN Flood attacks, the SYN Cookie function is enabled (this supplementary mitigation is likewise only suitable for devices that have a SYN Cookie function). When mitigation rule extraction succeeds, in addition to issuing the supplementary mitigation rule above, a packet feature filtering mitigation rule is issued, which mitigates attack packets more accurately (in practice it is verified that the attack packets of most attack tools carry distinguishing features).
Combining Step1 and Step2, step S106 provides a method for determining whether traffic is abnormal: the attack detection dimension data and the packet feature dimension data are compared with the acquired/preset/learned data; if they fall within a reasonable range they are considered normal, otherwise abnormal, and a mitigation rule is generated from the abnormal packet features (the destination is the protected resource address and the packet satisfies the rule features, for example the IP header features (TTL%256==50) && (Total_Len%1024==100)).
Optionally, in step S108, inputting the attack detection dimension data and the packet feature dimension data respectively into the pre-established analysis model to generate the corresponding analysis data comprises:
combining the attack detection dimension data and the packet feature dimension data with the preset/learned data, and computing the analysis data.
Specifically, the network attack processing method provided by the embodiment of the present application provides a dynamic model learning method: the model database stores only the attack detection dimension data and packet feature dimension data of normal traffic, so that when a flood attack occurs and abnormal dimension data appear, a prediction of the attack is obtained by comparison with the stored normal-traffic dimension data, packet filtering is performed by the mitigation packet filtering rules produced from the abnormal packet feature dimensions, and the flood attack packets are located precisely;
It follows that with every addition of attack detection dimension data and packet feature dimension data the model learns from the data, and each learning result obtained from the attack detection dimension data and the packet feature dimension data is stored, so as to adjust the model dynamically and avoid the long model learning cycles of the related art. This dynamic learning improves the module's ability to recognize whether packets are abnormal and raises the precision with which attack traffic is marked.
Optionally, detecting in step S110 whether the packet feature dimension data have abnormal features according to the preset/learned data comprises:
Step1, extracting the field information of the packet headers in the packet feature dimension data;
Step2, matching the field information against the preset/learned data, and detecting whether the field information matches an abnormal feature in the preset/learned data.
Specifically, different packet feature dimension data are collected according to the protocol type of the packet; the types of packet feature dimension data are as follows:
Feature A: collecting each field of the IP header, such as IP version number, type of service, total length, TTL, identification, header checksum, fragment offset, etc.;
Feature B: collecting each field of the TCP header, such as source port, destination port, sequence number, acknowledgement number, length, window, checksum, etc.;
Feature C: collecting each field of the UDP header, comprising source port, destination port, length and checksum;
Feature D: collecting the first 16 bytes of the payload of the packet;
Feature E: defining a corresponding white list for the above fields to avoid "collateral damage"; for example, an IP version number of 4 or 6 is not considered an abnormal feature.
By collecting the above data and performing modeling and learning, the features of the abnormal packets are extracted from the results of model learning and prediction as soon as an attack is found (the extracted abnormal packet features must pass through the corresponding white list), and packets are discarded according to the abnormal packet features. This both mitigates attacks precisely and greatly lowers the probability of "collateral damage".
The above Step1 and Step2 support the common TCP Flood, UDP Flood and ICMP Flood attacks.
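The hash-bucket feature dimensions of step S106, the weighted-average learning of step S108 and the white-listed feature extraction of step S110, worked through on constructed traffic, as an added example that is not code from the patent or from Hillstone. The multiple (4x), the learning weight (0.5), the floor of 1 for a never-seen bucket, the choice of three dimensions and the sample header values are all assumptions; the TTL % 256 bucket, the Total_Len % 1024 rule and the IP-version white list come from the description.

```python
from dataclasses import dataclass, field

# Constructed parameters: the protected address, the "certain multiple" (second predetermined threshold)
# and the weight of a new cycle in the weighted-average update are assumed values, not the patent's.
PROTECTED = "10.0.0.5"
MULTIPLE = 4.0
NEW_WEIGHT = 0.5

# Feature dimensions: name -> (header field, bucket modulus). Each dimension is a hash-bucket array
# indexed by field value % modulus, as in the TTL % 256 example of the description.
DIMENSIONS = {
    "ip.ttl": ("ttl", 256),
    "ip.total_len": ("total_len", 1024),
    "ip.version": ("version", 16),
}
# Feature E: white list of values that are never treated as abnormal features.
WHITELIST = {"ip.version": {4, 6}}


def bucket_counts(headers, protected=PROTECTED):
    """One collection cycle: count the header fields of packets destined for the protected resource."""
    counts = {d: [0] * mod for d, (_, mod) in DIMENSIONS.items()}
    for h in headers:
        if h["dst"] != protected:
            continue
        for d, (fld, mod) in DIMENSIONS.items():
            counts[d][h[fld] % mod] += 1
    return counts


@dataclass
class FeatureModel:
    learned: dict = field(default_factory=dict)

    def learn(self, counts):
        """S108: fold a normal cycle into the learned buckets by weighted average."""
        for d, cur in counts.items():
            if d not in self.learned:
                self.learned[d] = [float(c) for c in cur]
            else:
                self.learned[d] = [(1 - NEW_WEIGHT) * old + NEW_WEIGHT * new
                                   for old, new in zip(self.learned[d], cur)]

    def abnormal_buckets(self, counts):
        """S106 Step2: buckets whose current count exceeds MULTIPLE times the learned count.
        A never-seen bucket is compared against a floor of 1 (assumption) so it can become abnormal."""
        out = {}
        for d, cur in counts.items():
            base = self.learned.get(d, [0.0] * len(cur))
            idx = [i for i, (c, b) in enumerate(zip(cur, base)) if c > MULTIPLE * max(b, 1.0)]
            if idx:
                out[d] = idx
        return out

    def extract_rule(self, counts):
        """S110: abnormal buckets become header features (field, modulus, remainder); white-listed
        values are filtered out so they never produce a drop rule."""
        rule = []
        for d, idx in self.abnormal_buckets(counts).items():
            fld, mod = DIMENSIONS[d]
            rule.extend((fld, mod, i) for i in idx if i not in WHITELIST.get(d, set()))
        return rule


def matches(rule, h):
    """True when every feature holds, e.g. (TTL%256==50) && (Total_Len%1024==100)."""
    return bool(rule) and all(h[fld] % mod == rem for fld, mod, rem in rule)


# Constructed traffic: normal cycles spread TTL and total length over a few common values.
TTLS = [64, 128, 55, 118, 240]
LENS = [60, 576, 1500, 1400, 52]


def normal_cycle(n=1000):
    return [{"dst": PROTECTED, "version": 4, "ttl": TTLS[i % 5], "total_len": LENS[i % 5]}
            for i in range(n)]


def attack_cycle(n_attack=5000):
    """Normal traffic plus n_attack flood packets that all share TTL 50 and total length 100."""
    return normal_cycle() + [{"dst": PROTECTED, "version": 4, "ttl": 50, "total_len": 100}] * n_attack


if __name__ == "__main__":
    model = FeatureModel()
    model.learn(bucket_counts(normal_cycle()))
    print("quiet cycle abnormal buckets:", model.abnormal_buckets(bucket_counts(normal_cycle())))
    print("rule from attack cycle:", model.extract_rule(bucket_counts(attack_cycle())))
```

In the attack cycle the IP-version bucket for 4 also exceeds the multiple (6000 against a learned 1000), which is exactly the collateral-damage case Feature E guards against: the white list removes it, and the issued rule keeps only the TTL and total-length features.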
Optionally, matching the corresponding mitigation scheme according to the packet feature dimension data in step S112 comprises:
Step1, generating the mitigation rule for the corresponding abnormal attack packets according to the packet feature dimension data;
Step2, matching the mitigation scheme corresponding to the packet feature dimension data according to the mitigation rule.
Here, matching the corresponding mitigation scheme according to the packet feature dimension data in steps S110 and S112 is specifically as follows:
Step1, within a single cycle, judging whether all detection dimensions related to an attack are abnormal;
Step2, when all detection dimensions of a certain attack are abnormal, considering the attack detected;
Step3, on the premise that Step2 holds, checking whether the packet feature dimensions are abnormal;
Step4, if Step3 detects no abnormal packet feature, issuing only the rule that drops packets destined for the protected resource address that match no session (for example, when an ACK Flood attack is detected, this mitigation strategy is "ACK packets whose destination is the protected resource address and which match no session are dropped in a certain proportion");
Step5, if Step3 does detect abnormal packet feature dimensions, issuing, in addition to the mitigation strategy of Step4, a packet feature filtering mitigation strategy (for example, for an ACK Flood attack: "packets whose destination is the protected resource address and whose IP header satisfies (TTL%256==50) && (Total_Len%1024==100) are dropped in a certain proportion").
Specifically, combining Step1 to Step5, step S112 proposes a mitigation scheme that can be provided for the network protocol type of each packet, and thus a corresponding traffic filtering scheme, which is executed as the mitigation scheme. The specific execution is described in step S114.
Specifically, by checking whether a packet matches a mitigation rule and dropping the abnormal packets that match in a certain proportion, the mitigation scheme can precisely remove the packets of the flood attack. How the flood attack is mitigated is specifically as follows:
Optionally, executing the mitigation scheme in step S114 comprises:
Step A, dropping the packets corresponding to the packet feature dimension data in a preset proportion;
Step B, detecting whether the attack detection dimension data and the packet feature dimension data of the packets in the data stream are abnormal;
Step C, when the detection result is yes, dropping the packets corresponding to the packet feature dimension data in the preset proportion, and stopping execution of the mitigation scheme once no anomaly is detected in the attack detection dimension data and the packet feature dimension data of the packets in the data stream.
Combining Step A to Step C, a dynamic adjustment method is provided for the embodiment of the present application, specifically as follows:
Step A, judging whether a mitigation rule exists; if so, checking the packet, otherwise letting it pass directly;
Step B, checking whether the packets in the data stream match a mitigation rule;
Step C, when the check result is yes, dropping the abnormal packets matching the abnormal packet filtering rule in the preset proportion;
Step D, if the mitigation strength is insufficient, the whole attack detection system still detects the attack, still extracts the packet features, and issues the same mitigation rule again;
Step E, mitigation rules can be stacked: the packets of one session (packets with identical source IP/port, destination IP/port and protocol number are considered the same session) may be filtered by several mitigation rules, so the mitigation strength adjusts automatically according to the actual effect of the treatment, which is also a point of this patent application;
Step F, for a given mitigation rule, when no packet in the data stream matches it within a certain time, that mitigation rule is deleted.
Specifically, combining Step A to Step F, Fig. 3 is a schematic flowchart of executing the mitigation scheme provided in the network attack processing method according to an embodiment of the present invention. As shown in Fig. 3, abnormal packets that satisfy the mitigation rule are dropped in a certain proportion; if the mitigation strength is not large enough, the flood attack detection method of the embodiment of the present application still detects the attack and issues the mitigation rule again, so that several mitigation rules form a stepped set of mitigation rules that strengthens the mitigation of the attack, until the attack traffic is blocked completely or the attack traffic that is let through is no longer sufficient to have an attack effect.
Suppose the preset/learned proportion in which the current mitigation rule drops abnormal packets is 50%, that is, half of the abnormal packets are dropped; if a second mitigation rule exists and matches, 50% of what slipped through is dropped again, so that 75% of the whole abnormal traffic is dropped overall, and so on, until almost all of it is dropped (as reflected in the match counts of the mitigation rules).
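The stepped mitigation of Step A to Step F, including the supplementary "no matching session" rule of Step4, the 50% drop share and the 50%/75%/87.5% stacking described above, and rule expiry, simulated on constructed packets as an added example that is not code from the patent or from Hillstone. The protected address, the 60-second idle timeout, the deterministic way of realising a drop proportion and the sample packets are assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

# Constructed values: protected address, per-rule drop share (50%, as in the description) and
# the idle time after which an unmatched rule is deleted (assumed).
PROTECTED = "10.0.0.5"
DEFAULT_RATIO = Fraction(1, 2)
IDLE_TIMEOUT = 60.0


def matches_features(features, h):
    """Packet-feature rule, e.g. (TTL%256==50) && (Total_Len%1024==100)."""
    return all(h[fld] % mod == rem for fld, mod, rem in features)


@dataclass
class Rule:
    features: Optional[tuple]   # None = supplementary "drop packets matching no session" rule (Step4)
    ratio: Fraction             # share of matching packets this rule drops
    last_match: float           # time of the last matching packet, for expiry (Step F)
    seen: int = 0               # matching packets seen, used to drop a deterministic share


class Mitigator:
    def __init__(self, protected=PROTECTED, idle_timeout=IDLE_TIMEOUT):
        self.protected = protected
        self.idle_timeout = idle_timeout
        self.rules = []
        self.sessions = set()   # established flows keyed by (src, sport, dst, dport, proto)

    def issue(self, features, now, ratio=DEFAULT_RATIO):
        """Issue a mitigation rule. Detection keeps running, so the same rule may be issued again
        and the rules stack (Step D and Step E)."""
        self.rules.append(Rule(features, ratio, now))

    def _rule_matches(self, rule, h):
        if h["dst"] != self.protected:
            return False
        if rule.features is None:
            key = (h["src"], h["sport"], h["dst"], h["dport"], h["proto"])
            return key not in self.sessions and "SYN" not in h.get("flags", ())
        return matches_features(rule.features, h)

    def handle(self, h, now):
        """Steps A to C: pass when no rule matches; each matching rule drops its share of the packets
        it sees, so a packet surviving one rule may still be dropped by the next."""
        for rule in self.rules:
            if self._rule_matches(rule, h):
                rule.last_match = now
                rule.seen += 1
                # position within a block of `denominator` packets decides the drop, giving exactly `ratio`
                if rule.seen % rule.ratio.denominator < rule.ratio.numerator:
                    return "drop"
        return "pass"

    def expire(self, now):
        """Step F: delete rules that matched nothing within idle_timeout; returns the rules left."""
        self.rules = [r for r in self.rules if now - r.last_match <= self.idle_timeout]
        return len(self.rules)


# Constructed packets: one flood packet carrying the extracted features, one packet of a known session.
ATTACK_PKT = {"src": "198.51.100.7", "sport": 4444, "dst": PROTECTED, "dport": 80, "proto": "tcp",
              "flags": ("ACK",), "ttl": 50, "total_len": 100}
NORMAL_PKT = {"src": "192.0.2.10", "sport": 50000, "dst": PROTECTED, "dport": 80, "proto": "tcp",
              "flags": ("ACK",), "ttl": 64, "total_len": 1500}
FEATURES = (("ttl", 256, 50), ("total_len", 1024, 100))


def simulate(stacked_rules, n_attack=1000, n_normal=100):
    """Issue the same feature rule `stacked_rules` times and count what is dropped from each class."""
    m = Mitigator()
    m.sessions.add((NORMAL_PKT["src"], NORMAL_PKT["sport"], PROTECTED, 80, "tcp"))
    for k in range(stacked_rules):
        m.issue(FEATURES, now=float(k))
    dropped_attack = sum(m.handle(ATTACK_PKT, now=1.0) == "drop" for _ in range(n_attack))
    dropped_normal = sum(m.handle(NORMAL_PKT, now=1.0) == "drop" for _ in range(n_normal))
    return dropped_attack, dropped_normal


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"{k} stacked rule(s): dropped attack/normal =", simulate(k))
```

Each stacked copy of the rule halves what the previous copy let through (500, then 750, then 875 of 1000 flood packets), while packets of the established session, which carry none of the features, are never touched; a rule that stops matching is removed by `expire` once the idle time has elapsed.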
Combining steps S102 to S114, Fig. 4 is a schematic flowchart of a network attack processing method according to an embodiment of the present invention. As shown in Fig. 4, the network attack processing method provided by the embodiment of the present application is specifically as follows:
1. periodically collecting the dimensional information of the protected system;
2. periodically collecting the packet feature information in the data stream of the protected system;
3. delivering the collected packet features to the packet feature analyzer;
4 & 4'. saving the learning results for the attack detection dimension data and the packet feature dimension data in Result;
5 & 5'. when there are new input data, predicting (Predict) with the current learning result;
6. when the model finds the Predict result of a dimension abnormal, reporting the dimension anomaly to the attack analyzer;
7. the attack analyzer finds the attack from several dimensions being abnormal at the same time, and after finding the attack extracts the abnormal packet features from the packet feature analyzer;
8. issuing the obtained abnormal packet features to the attack mitigation module (Mitigation);
9. the attack mitigation module drops, in proportion, packets whose destination IP is the protected system and which satisfy the abnormal packet features; if no packet matches this Mitigation within a certain number of cycles, this Mitigation is deleted.
In summary, Fig. 5 is a schematic diagram of an application scenario provided in the network attack processing method according to an embodiment of the present invention. As shown in Fig. 5, Flood attacks are very common in network environments: anyone can launch an attack against a target system with readily available tools and achieve a large effect with little effort. This invention can be implemented in software on a personal terminal and can also be applied on a firewall to detect and mitigate Flood attacks. Fig. 5 shows a firewall deployment scenario. An attacker can forge the IP address of a User to carry out a Flood attack, so the firewall must not only detect the Flood attack but also, while blocking the attack stream, avoid affecting the User's normal traffic as far as possible. The attacker may also capture some Users and turn them into "zombie hosts" for the attacker's use; the firewall is still required to detect the attack accurately, block the attack traffic from the "zombie hosts" and let normal traffic pass.
The network attack processing method provided by the embodiment of the present application solves the current predicament that Flood attacks cannot be detected quickly and accurately at low cost; it can mitigate the attack precisely with minimal impact on normal traffic, protects the protected resources and avoids the serious harm that Flood attacks bring.
Embodiment two
Fig. 6 is a schematic structural diagram of a network attack processing device according to an embodiment of the present invention. As shown in Fig. 6, the device comprises: an acquisition module 61, a parsing module 62, a judging module 63, a data update module 64, an anomaly detection module 65, a matching module 66 and an execution module 67, wherein
the acquisition module 61 is configured to collect the packet information in the data stream;
the parsing module 62 is configured to parse the packet information to obtain attack detection dimension data and packet feature dimension data;
the judging module 63 is configured to compare the attack detection dimension data and the packet feature dimension data with the preset/learned data and judge whether the attack detection dimension data and the packet feature dimension data are abnormal;
the data update module 64 is configured, when the judgement result is no, to input the attack detection dimension data and the packet feature dimension data respectively into the pre-established analysis model to generate the corresponding analysis data;
the anomaly detection module 65 is configured, when the judgement result is yes, to report an anomalous event and to detect according to the preset/learned data whether the packet feature dimension data have an abnormal feature, the anomalous event being used to indicate that the packets in the data stream pose a flood attack threat;
the matching module 66 is configured, when the detection result is yes, to match the corresponding mitigation scheme according to the packet feature dimension data;
the execution module 67 is configured to execute the mitigation scheme.
In the network attack processing device provided by the embodiment of the present application, the packet information in the data stream is collected; the packet information is parsed to obtain attack detection dimension data and packet feature dimension data; the attack detection dimension data and the packet feature dimension data are compared with preset/learned data to judge whether either is abnormal; when the judgement is no, the attack detection dimension data and the packet feature dimension data are each fed into the pre-established analysis model to generate the corresponding analysis data; when the judgement is yes, an anomalous event is reported, indicating that the packets in the data stream pose a flood attack threat, and the packet feature dimension data are checked against the preset/learned data for abnormal features; when that check is positive, the corresponding mitigation scheme is matched according to the packet feature dimension data; and the mitigation scheme is executed. This achieves the purpose of precisely preventing flood attacks, with the technical effect of raising the precision with which a flood attack is confirmed and saving system resources, and thereby solves the technical problems of the related art: heavy collateral damage to normal traffic while mitigating a flood attack, low precision in confirming an attack, and high system resource consumption in preventing flood attacks.
Optionally, Fig. 7 is a schematic structural diagram of a network attack processing device according to an embodiment of the present invention. As shown in Fig. 7, the parsing module 62 comprises: a data classification unit 621, a data preparation unit 622, a first configuration unit 623 and a second configuration unit 624, wherein
the data classification unit 621 is configured, when the packet information comprises the packet types, the packet count of each type and the total packet count in the data stream, to classify the packets in the collected data stream by type to obtain the packet types, the packet count of each type and the total packet count in the data stream;
the data preparation unit 622 is configured to obtain, from the packet count of each type, the ratio of packets of that type within the data stream;
the first configuration unit 623 is configured to take the packet ratio of each packet type as the attack detection dimension data;
the second configuration unit 624 is configured to collect the packet type and the packet header information of the packets of each type to obtain the packet feature dimension data.
Optionally, Fig. 8 is a schematic structural diagram of another network attack processing device according to an embodiment of the present invention. As shown in Fig. 8, the judging module 63 comprises: a first judging unit 631 and a second judging unit 632, wherein
the first judging unit 631 is configured, when the preset/learned data comprise preset/learned attack detection dimension data and preset/learned packet feature dimension data, to compare the dimension data with the corresponding preset/learned attack detection dimension data to judge whether the attack detection dimension data exceed the first predetermined threshold of the preset/learned dimension data;
the second judging unit 632 is configured to compare the packet feature dimension data with the corresponding preset/learned packet feature dimension data to judge whether the packet header information in the packet feature dimension data exceeds the second predetermined threshold of the preset/learned feature data.
Optionally, Fig. 9 is a schematic structural diagram of yet another network attack processing device according to an embodiment of the present invention. As shown in Fig. 9, the data update module 64 comprises: a data updating unit 641, wherein
the data updating unit 641 is configured to combine the attack detection dimension data and the packet feature dimension data with the preset/learned data and compute the analysis data.
Optionally, Fig. 10 is a schematic structural diagram of yet another network attack processing device according to an embodiment of the present invention. As shown in Fig. 10, the anomaly detection module 65 comprises: an extraction unit 651 and a detecting unit 652, wherein
the extraction unit 651 is configured to extract the field information of the packet headers in the packet feature dimension data;
the detecting unit 652 is configured to match the field information against the preset/learned data and detect whether the field information matches an abnormal feature in said preset/learned data.
Optionally, Fig. 11 is a schematic structural diagram of a network attack processing device according to another embodiment of the present invention. As shown in Fig. 11, the matching module 66 comprises: a mitigation rule generating unit 661 and a matching unit 662, wherein
the mitigation rule generating unit 661 is configured to generate the mitigation rule for the corresponding abnormal attack packets according to the packet feature dimension data;
the matching unit 662 is configured to match the mitigation scheme corresponding to the packet feature dimension data according to the mitigation rule.
Optionally, Fig. 12 is a schematic structural diagram of a network attack processing device according to another embodiment of the present invention. As shown in Fig. 12, the execution module 67 comprises: a first execution unit 671, a detecting unit 672 and a second execution unit 673, wherein
the first execution unit 671 is configured to drop the packets corresponding to the packet feature dimension data in a preset proportion;
the detecting unit 672 is configured to detect whether the attack detection dimension data and the packet feature dimension data of the packets in the data stream are abnormal;
the second execution unit 673 is configured, when the detection result is yes, to drop the packets corresponding to the packet feature dimension data in the preset proportion, and to stop executing the mitigation scheme once no anomaly is detected in the attack detection dimension data and the packet feature dimension data of the packets in the data stream.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for parts not described in detail in a certain embodiment, reference may be made to the related description of the other embodiments.
In the several embodiments provided by the present application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely schematic; for example, the division into units may be a division by logical function, and other divisions are possible in actual implementation: several units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of units or modules may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the essence of the technical solution of the present invention, the part that contributes to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, comprising instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the method described in the embodiments of the present invention. The aforementioned storage medium includes: a USB flash disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a portable hard drive, a magnetic disk, an optical disc or any other medium capable of storing program code.
The above are only preferred embodiments of the present invention. It should be pointed out that those skilled in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as within the scope of protection of the present invention.

Claims (14)

1. A network attack processing method, characterized by comprising:
collecting packet information in a data stream;
parsing the packet information to obtain attack detection dimension data and packet characteristic dimension data;
comparing the attack detection dimension data and the packet characteristic dimension data with preset/learned data, and judging whether the attack detection dimension data and the packet characteristic dimension data are anomalous;
when the judgment result is no, inputting the attack detection dimension data and the packet characteristic dimension data respectively into a pre-established analytical model to generate corresponding analysis data;
when the judgment result is yes, reporting an anomalous event and detecting, according to the preset/learned data, whether the packet characteristic dimension data contains an abnormal feature, the anomalous event being used to indicate that the packets in the data stream pose a flood attack threat;
when the detection result is yes, matching a corresponding mitigation scheme according to the packet characteristic dimension data;
executing the mitigation scheme.
2. The method according to claim 1, characterized in that, when the packet information comprises the packet types, the number of packets of each type and the total number of packets in the data stream, parsing the packet information to obtain the attack detection dimension data and the packet characteristic dimension data comprises:
classifying the packets in the collected data stream by type to obtain the packet types, the number of packets of each type and the total number of packets in the data stream;
obtaining, from the number of packets of each type, the proportion of the data stream made up of packets of that type;
using the packet proportion of each packet type as the attack detection dimension data;
collecting the packet types and the packet header information of the packets of each type to obtain the packet characteristic dimension data.
3. The method according to claim 1, characterized in that, when the preset/learned data comprises preset/learned attack detection dimension data and preset/learned packet characteristic dimension data, comparing the attack detection dimension data and the packet characteristic dimension data with the preset/learned data and judging whether the attack detection dimension data and the packet characteristic dimension data are anomalous comprises:
comparing the attack detection dimension data with the corresponding preset/learned attack detection dimension data, and judging whether the attack detection dimension data exceeds a first preset threshold of the preset/learned attack detection dimension data;
comparing the packet characteristic dimension data with the corresponding preset/learned packet characteristic dimension data, and judging whether the packet header information in the packet characteristic dimension data exceeds a second preset threshold of the preset/learned packet characteristic dimension data.
4. The method according to claim 1, characterized in that inputting the attack detection dimension data and the packet characteristic dimension data respectively into the pre-established analytical model to generate the corresponding analysis data comprises:
combining the attack detection dimension data and the packet characteristic dimension data with the preset/learned data, and computing the analysis data from the combination.
5. The method according to claim 1, characterized in that detecting, according to the preset/learned data, whether the packet characteristic dimension data contains an abnormal feature comprises:
extracting the field information of the packet header from the packet characteristic dimension data;
matching the field information against the preset/learned data to detect whether the field information matches an abnormal feature in the preset/learned data.
6. The method according to claim 1, characterized in that matching a corresponding mitigation scheme according to the packet characteristic dimension data comprises:
generating, according to the packet characteristic dimension data, a mitigation rule for the corresponding abnormal attack packets;
matching, according to the mitigation rule, the mitigation scheme corresponding to the packet characteristic dimension data.
7. The method according to claim 6, characterized in that executing the mitigation scheme comprises:
dropping the packets corresponding to the packet characteristic dimension data at a preset ratio; detecting whether the attack detection dimension data and the packet characteristic dimension data of the packets in the data stream are anomalous;
when the detection result is yes, continuing to drop the packets corresponding to the packet characteristic dimension data at the preset ratio until no anomaly is detected in the attack detection dimension data and the packet characteristic dimension data of the packets in the data stream, and then stopping execution of the mitigation scheme.
8. A network attack processing device, characterized by comprising:
an acquisition module, configured to collect packet information in a data stream;
a parsing module, configured to parse the packet information to obtain attack detection dimension data and packet characteristic dimension data;
a judgment module, configured to compare the attack detection dimension data and the packet characteristic dimension data with preset/learned data, and to judge whether the attack detection dimension data and the packet characteristic dimension data are anomalous;
a data update module, configured to, when the judgment result is no, input the attack detection dimension data and the packet characteristic dimension data respectively into a pre-established analytical model to generate corresponding analysis data;
an anomaly detection module, configured to, when the judgment result is yes, report an anomalous event and detect, according to the preset/learned data, whether the packet characteristic dimension data contains an abnormal feature, the anomalous event being used to indicate that the packets in the data stream pose a flood attack threat;
a matching module, configured to, when the detection result is yes, match a corresponding mitigation scheme according to the packet characteristic dimension data;
an execution module, configured to execute the mitigation scheme.
9. The device according to claim 8, characterized in that the parsing module comprises:
a data classification unit, configured to, when the packet information comprises the packet types, the number of packets of each type and the total number of packets in the data stream, classify the packets in the collected data stream by type to obtain the packet types, the number of packets of each type and the total number of packets in the data stream;
a data preparation unit, configured to obtain, from the number of packets of each type, the proportion of the data stream made up of packets of that type;
a first configuration unit, configured to use the packet proportion of each packet type as the attack detection dimension data;
a second configuration unit, configured to collect the packet types and the packet header information of the packets of each type to obtain the packet characteristic dimension data.
10. The device according to claim 8, characterized in that the judgment module comprises:
a first judging unit, configured to, when the preset/learned data comprises preset/learned attack detection dimension data and preset/learned packet characteristic dimension data, compare the attack detection dimension data with the corresponding preset/learned attack detection dimension data, and judge whether the attack detection dimension data exceeds a first preset threshold of the preset/learned attack detection dimension data;
a second judging unit, configured to compare the packet characteristic dimension data with the corresponding preset/learned packet characteristic dimension data, and judge whether the packet header information in the packet characteristic dimension data exceeds a second preset threshold of the preset/learned packet characteristic dimension data.
11. The device according to claim 8, characterized in that the data update module comprises:
a data updating unit, configured to combine the attack detection dimension data and the packet characteristic dimension data with the preset/learned data, and to compute the analysis data from the combination.
12. The device according to claim 8, characterized in that the anomaly detection module comprises:
an extraction unit, configured to extract the field information of the packet header from the packet characteristic dimension data;
a detection unit, configured to match the field information against the preset/learned data to detect whether the field information matches an abnormal feature in the preset/learned data.
13. The device according to claim 8, characterized in that the matching module comprises:
a mitigation rule generating unit, configured to generate, according to the packet characteristic dimension data, a mitigation rule for the corresponding abnormal attack packets;
a matching unit, configured to match, according to the mitigation rule, the mitigation scheme corresponding to the packet characteristic dimension data.
14. The device according to claim 8, characterized in that the execution module comprises:
a first execution unit, configured to drop the packets corresponding to the packet characteristic dimension data at a preset ratio;
a detection unit, configured to detect whether the attack detection dimension data and the packet characteristic dimension data of the packets in the data stream are anomalous;
a second execution unit, configured to, when the detection result is yes, continue to drop the packets corresponding to the packet characteristic dimension data at the preset ratio until no anomaly is detected in the attack detection dimension data and the packet characteristic dimension data of the packets in the data stream, and then stop execution of the mitigation scheme.
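The method of claims 1 to 7 and the module structure of claims 8 to 14 describe a single pipeline: classify a window of packets, derive per-type proportions (attack detection dimension) and header information (packet characteristic dimension), compare both against preset/learned data with two thresholds, either fold a normal window into the model or report a flood threat, match a mitigation rule to the abnormal packets, and rate-drop them until the anomaly clears. The Python below is an illustration added to this page; it is not code from the patent or from Hillstone Networks. Everything not stated in the claims is an assumption: the shares and thresholds in BASELINE, treating "one (TTL, length) header signature dominating a packet type" as the abnormal feature of claim 5, an exponential moving average standing in for the analytical model of claim 4, a deterministic drop at DROP_RATIO for the preset ratio of claim 7, and a minimum sample size before header dominance is judged.

```python
from collections import Counter

# Constructed stand-in for the claims' "preset/learned data" (values are assumptions,
# not taken from the patent): expected share of each packet type in a normal window,
# the two thresholds of claim 3, and a minimum sample size for the header check.
BASELINE = {
    "type_ratio": {"ACK": 0.55, "SYN": 0.20, "UDP": 0.20, "ICMP": 0.05},
    "ratio_threshold": 0.25,      # first threshold: allowed excess over the baseline share
    "signature_threshold": 0.80,  # second threshold: share held by one header signature
    "min_packets": 10,            # too few packets of a type to judge header dominance
}
DROP_RATIO = 0.5  # claim 7's "preset ratio" (assumed value)

def make_window(counts, flood=None):
    """Constructed sample traffic: `counts` maps type -> packets with varied headers;
    `flood` = (type, n, (ttl, length)) appends n identical packets."""
    pkts = [{"type": t, "ttl": (64, 128, 255)[i % 3], "length": 60 + 40 * (i % 5)}
            for t, n in counts.items() for i in range(n)]
    if flood:
        t, n, (ttl, length) = flood
        pkts += [{"type": t, "ttl": ttl, "length": length} for _ in range(n)]
    return pkts

def parse_packets(packets):
    """Claims 1-2: attack dimension = per-type share of the window; packet-feature
    dimension = per-type count plus a histogram of (ttl, length) header signatures."""
    by_type = Counter(p["type"] for p in packets)
    attack_dim = {t: n / len(packets) for t, n in by_type.items()}
    feature_dim = {t: {"count": n, "signatures": Counter(
        (p["ttl"], p["length"]) for p in packets if p["type"] == t)} for t, n in by_type.items()}
    return attack_dim, feature_dim

def judge_anomaly(attack_dim, feature_dim, baseline):
    """Claim 3: flag a type whose share exceeds its baseline by more than the first
    threshold, or whose most common header signature covers more than the second."""
    flagged = []
    for t, ratio in attack_dim.items():
        over_ratio = ratio - baseline["type_ratio"].get(t, 0.0) > baseline["ratio_threshold"]
        fd = feature_dim[t]
        over_sig = (fd["count"] >= baseline["min_packets"] and
                    fd["signatures"].most_common(1)[0][1] / fd["count"] > baseline["signature_threshold"])
        if over_ratio or over_sig:
            flagged.append(t)
    return flagged

def detect_abnormal_feature(feature_dim, flagged, baseline):
    """Claim 5: (type, dominant header signature) for flagged types where that signature
    covers more than the second threshold: flood tools tend to emit near-identical packets."""
    tops = {t: feature_dim[t]["signatures"].most_common(1)[0] for t in flagged}
    return [(t, sig) for t, (sig, n) in tops.items()
            if n / feature_dim[t]["count"] > baseline["signature_threshold"]]

def update_model(baseline, attack_dim, alpha=0.1):
    """Claim 4: no anomaly -> fold the window into the learned data (EMA of type shares)
    and return the updated analysis data; the input baseline is left unmodified."""
    model = {**baseline, "type_ratio": dict(baseline["type_ratio"])}
    for t, ratio in attack_dim.items():
        old = model["type_ratio"].get(t, ratio)
        model["type_ratio"][t] = round((1 - alpha) * old + alpha * ratio, 4)
    return model

def match_mitigation(abnormal_features, drop_ratio=DROP_RATIO):
    """Claim 6: one rule per abnormal feature -> scheme: drop a preset share of matches."""
    return [{"type": t, "signature": sig, "drop_ratio": drop_ratio} for t, sig in abnormal_features]

def apply_drop(packets, scheme):
    """Drop the i-th matching packet whenever floor(i*r) > floor((i-1)*r): exactly a
    share r of matches, deterministically. Returns (forwarded, dropped_count)."""
    forwarded, dropped, i, r = [], 0, 0, scheme["drop_ratio"]
    for p in packets:
        if p["type"] == scheme["type"] and (p["ttl"], p["length"]) == scheme["signature"]:
            i += 1
            if int(i * r) > int((i - 1) * r):
                dropped += 1
                continue
        forwarded.append(p)
    return forwarded, dropped

def execute_mitigation(windows, scheme, baseline):
    """Claim 7: drop at the preset ratio in each successive window and re-judge the
    forwarded traffic; stop once no anomaly remains. Returns drops per window."""
    drops = []
    for pkts in windows:
        forwarded, dropped = apply_drop(pkts, scheme)
        drops.append(dropped)
        if not judge_anomaly(*parse_packets(forwarded), baseline):
            break
    return drops

def process_window(packets, baseline):
    """Claim 1 end to end: returns ('learn', updated model) or ('mitigate', schemes)."""
    attack_dim, feature_dim = parse_packets(packets)
    flagged = judge_anomaly(attack_dim, feature_dim, baseline)
    if not flagged:
        return "learn", update_model(baseline, attack_dim)
    print(f"anomalous event: flood threat suspected in packet types {flagged}")  # report
    return "mitigate", match_mitigation(detect_abnormal_feature(feature_dim, flagged, baseline))

if __name__ == "__main__":
    normal = {"ACK": 55, "SYN": 20, "UDP": 20, "ICMP": 5}
    windows = [make_window(normal, flood=("SYN", 300, (255, 40))),
               make_window(normal, flood=("SYN", 100, (255, 40))), make_window(normal)]
    kind, schemes = process_window(windows[0], BASELINE)
    print(kind, schemes, execute_mitigation(windows, schemes[0], BASELINE))
```

Two choices in this sketch are worth noting for anyone adapting it. The `min_packets` guard avoids a type with one or two packets trivially "dominating" its own header histogram, which would otherwise make the second threshold fire on quiet protocols such as ICMP. The re-check of claim 7 is run on the forwarded (post-drop) traffic, so the scheme ends as soon as what reaches the protected side looks normal again; judging the raw inbound stream instead would keep dropping for as long as the flood source is active, which is the more conservative reading of the claim.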
CN201511029329.1A 2015-12-31 2015-12-31 Network attack processing method and device Pending CN105554016A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511029329.1A CN105554016A (en) 2015-12-31 2015-12-31 Network attack processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201511029329.1A CN105554016A (en) 2015-12-31 2015-12-31 Network attack processing method and device

Publications (1)

Publication Number Publication Date
CN105554016A true CN105554016A (en) 2016-05-04

Family

ID=55832950

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201511029329.1A Pending CN105554016A (en) 2015-12-31 2015-12-31 Network attack processing method and device

Country Status (1)

Country Link
CN (1) CN105554016A (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790193A (en) * 2016-12-30 2017-05-31 山石网科通信技术有限公司 The method for detecting abnormality and device of Intrusion Detection based on host network behavior
CN106973051A (en) * 2017-03-27 2017-07-21 山石网科通信技术有限公司 Set up method, device, storage medium and the processor of detection Cyberthreat model
CN107528812A (en) * 2016-06-21 2017-12-29 北京金山云网络技术有限公司 A kind of attack detection method and device
CN107707509A (en) * 2016-08-08 2018-02-16 阿里巴巴集团控股有限公司 Identify and assist in identifying the method, apparatus and system of false flow
CN107944293A (en) * 2017-11-20 2018-04-20 上海携程商务有限公司 Fictitious assets guard method, system, equipment and storage medium
CN108282460A (en) * 2017-12-19 2018-07-13 中国科学院信息工程研究所 A kind of the chain of evidence generation method and device of network-oriented security incident
CN108768935A (en) * 2018-04-12 2018-11-06 国家计算机网络与信息安全管理中心 Support the separate system and method for shellring road flow detection and anti-DDOS attack
CN109413095A (en) * 2018-11-29 2019-03-01 新华三大数据技术有限公司 The method and device of defensive attack
CN109474573A (en) * 2017-12-30 2019-03-15 北京安天网络安全技术有限公司 A kind of method, apparatus and storage medium of identification inactivation trojan horse program
CN109561052A (en) * 2017-09-26 2019-04-02 北京国双科技有限公司 The detection method and device of website abnormal flow
CN109660517A (en) * 2018-11-19 2019-04-19 北京天融信网络安全技术有限公司 Anomaly detection method, device and equipment
CN110311925A (en) * 2019-07-30 2019-10-08 百度在线网络技术(北京)有限公司 Detection method and device, computer equipment and the readable medium of DDoS reflection-type attack
CN111092889A (en) * 2019-12-18 2020-05-01 贾海芳 Distributed data node abnormal behavior detection method and device and server
CN111447086A (en) * 2020-03-20 2020-07-24 支付宝(杭州)信息技术有限公司 Service processing method and device and electronic equipment
CN112769790A (en) * 2020-12-30 2021-05-07 杭州迪普科技股份有限公司 Traffic processing method, device, equipment and storage medium
CN113746781A (en) * 2020-05-28 2021-12-03 深信服科技股份有限公司 Network security detection method, device, equipment and readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006040880A1 (en) * 2004-10-12 2006-04-20 Nippon Telegraph And Telephone Corporation Service disabling attack protecting system, service disabling attack protecting method, and service disabling attack protecting program
CN101465760A (en) * 2007-12-17 2009-06-24 北京启明星辰信息技术股份有限公司 Method and system for detecting abnegation service aggression
CN101631026A (en) * 2008-07-18 2010-01-20 北京启明星辰信息技术股份有限公司 Method and device for defending against denial-of-service attacks
CN101640666A (en) * 2008-08-01 2010-02-03 北京启明星辰信息技术股份有限公司 Device and method for controlling flow quantity facing to target network
CN101741847A (en) * 2009-12-22 2010-06-16 北京锐安科技有限公司 A DDOS attack detection method
CN103546465A (en) * 2013-10-15 2014-01-29 北京交通大学长三角研究院 Data flow circle monitoring based LDoS (low-rate denial of service) attack detection and defense method

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107528812A (en) * 2016-06-21 2017-12-29 北京金山云网络技术有限公司 A kind of attack detection method and device
CN107528812B (en) * 2016-06-21 2020-05-01 北京金山云网络技术有限公司 An attack detection method and device
US10848511B2 (en) 2016-08-08 2020-11-24 Alibaba Group Holding Limited Method and apparatus for identifying fake traffic
CN107707509A (en) * 2016-08-08 2018-02-16 阿里巴巴集团控股有限公司 Identify and assist in identifying the method, apparatus and system of false flow
CN107707509B (en) * 2016-08-08 2020-09-29 阿里巴巴集团控股有限公司 Method, device and system for identifying and assisting in identifying false traffic
CN106790193B (en) * 2016-12-30 2019-11-08 山石网科通信技术股份有限公司 The method for detecting abnormality and device of Intrusion Detection based on host network behavior
CN106790193A (en) * 2016-12-30 2017-05-31 山石网科通信技术有限公司 The method for detecting abnormality and device of Intrusion Detection based on host network behavior
CN106973051B (en) * 2017-03-27 2019-11-19 山石网科通信技术股份有限公司 Establish the method, apparatus and storage medium of detection Cyberthreat model
CN106973051A (en) * 2017-03-27 2017-07-21 山石网科通信技术有限公司 Set up method, device, storage medium and the processor of detection Cyberthreat model
CN109561052A (en) * 2017-09-26 2019-04-02 北京国双科技有限公司 The detection method and device of website abnormal flow
CN109561052B (en) * 2017-09-26 2022-01-28 北京国双科技有限公司 Method and device for detecting abnormal flow of website
CN107944293B (en) * 2017-11-20 2019-09-24 上海携程商务有限公司 Fictitious assets guard method, system, equipment and storage medium
CN107944293A (en) * 2017-11-20 2018-04-20 上海携程商务有限公司 Fictitious assets guard method, system, equipment and storage medium
CN108282460A (en) * 2017-12-19 2018-07-13 中国科学院信息工程研究所 A kind of the chain of evidence generation method and device of network-oriented security incident
CN108282460B (en) * 2017-12-19 2020-06-09 中国科学院信息工程研究所 Evidence chain generation method and device for network security event
CN109474573A (en) * 2017-12-30 2019-03-15 北京安天网络安全技术有限公司 A kind of method, apparatus and storage medium of identification inactivation trojan horse program
CN109474573B (en) * 2017-12-30 2021-05-25 北京安天网络安全技术有限公司 Method, device and storage medium for identifying inactivated Trojan horse program
CN108768935A (en) * 2018-04-12 2018-11-06 国家计算机网络与信息安全管理中心 Support the separate system and method for shellring road flow detection and anti-DDOS attack
CN109660517A (en) * 2018-11-19 2019-04-19 北京天融信网络安全技术有限公司 Anomaly detection method, device and equipment
CN109660517B (en) * 2018-11-19 2021-05-07 北京天融信网络安全技术有限公司 Abnormal behavior detection method, device and equipment
CN109413095A (en) * 2018-11-29 2019-03-01 新华三大数据技术有限公司 The method and device of defensive attack
CN110311925A (en) * 2019-07-30 2019-10-08 百度在线网络技术(北京)有限公司 Detection method and device, computer equipment and the readable medium of DDoS reflection-type attack
CN111092889B (en) * 2019-12-18 2020-11-20 江苏美杜莎信息科技有限公司 Distributed data node abnormal behavior detection method and device and server
CN111092889A (en) * 2019-12-18 2020-05-01 贾海芳 Distributed data node abnormal behavior detection method and device and server
CN111447086A (en) * 2020-03-20 2020-07-24 支付宝(杭州)信息技术有限公司 Service processing method and device and electronic equipment
CN111447086B (en) * 2020-03-20 2023-03-24 支付宝(杭州)信息技术有限公司 Service processing method and device and electronic equipment
CN113746781A (en) * 2020-05-28 2021-12-03 深信服科技股份有限公司 Network security detection method, device, equipment and readable storage medium
CN112769790A (en) * 2020-12-30 2021-05-07 杭州迪普科技股份有限公司 Traffic processing method, device, equipment and storage medium
CN112769790B (en) * 2020-12-30 2022-06-28 杭州迪普科技股份有限公司 Traffic processing method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN105554016A (en) Network attack processing method and device
CN109951500B (en) Network attack detection method and device
Gogoi et al. Packet and flow based network intrusion dataset
CN107135093B (en) Internet of things intrusion detection method and detection system based on finite automaton
KR101860395B1 (en) Apparatus and method for detecting abnormal behavior of industrial control system based on whitelist for nonstandard protocol
US20160352759A1 (en) Utilizing Big Data Analytics to Optimize Information Security Monitoring And Controls
US8677488B2 (en) Distributed denial of service attack detection apparatus and method, and distributed denial of service attack detection and prevention apparatus for reducing false-positive
CN101789931B (en) Network intrusion detection system and method based on data mining
US8634717B2 (en) DDoS attack detection and defense apparatus and method using packet data
CN111277570A (en) Data security monitoring method and device, electronic equipment and readable medium
KR101375813B1 (en) Active security sensing device and method for intrusion detection and audit of digital substation
KR100684602B1 (en) Scenario-based Intrusion Response System using Session State Transition and Its Method
Sathya et al. Discriminant analysis based feature selection in kdd intrusion dataset
CN114143037B (en) Malicious encrypted channel detection method based on process behavior analysis
CN107370752B (en) Efficient remote control Trojan detection method
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
US20230115046A1 (en) Network security system for preventing unknown network attacks
CN104660552A (en) Wireless local area network (WLAN) intrusion detection system
KR101488271B1 (en) Apparatus and method for ids false positive detection
CN117640214A (en) Linkage response method and system based on multi-source security system
Fenil et al. Towards a secure software defined network with adaptive mitigation of DDoS attacks by machine learning approaches
CN103501302B (en) Method and system for automatically extracting worm features
Zhang et al. The application of machine learning methods to intrusion detection
CN116032534B (en) Network security processing system based on cooperative intrusion detection
Sapozhnikova et al. Intrusion detection system based on data mining technics for industrial networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 215163 No. 181 Jingrun Road, Suzhou High-tech Zone, Jiangsu Province

Applicant after: SHANSHI NETWORK COMMUNICATION TECHNOLOGY CO., LTD.

Address before: 215163 3rd Floor, 7th Floor, Keling Road, Suzhou Science and Technology City, Jiangsu Province

Applicant before: HILLSTONE NETWORKS

RJ01 Rejection of invention patent application after publication

Application publication date: 20160504