CN110505232A - The detection method and device of network attack, electronic equipment, storage medium - Google Patents
- Publication number: CN110505232A (application CN201910800363.6A)
- Authority: CN (China)
- Prior art keywords: terminal, access, target, data, abnormal
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1425: Traffic logging, e.g. anomaly detection
Abstract
This application discloses a network attack detection method and device, an electronic device and a storage medium, and relates to the field of network attacks. A specific implementation is as follows: it is detected that the access traffic data of a client accessing a target server is abnormal, where the access traffic data represents the traffic data formed by the client sending access request information to the target server, and the access request information at least represents characteristic information of the terminal on which the client is installed; the target access traffic data formed by at least one client sending access request information to the target server within a preset time period is counted, and a terminal proportion characteristic corresponding to the target access traffic data is obtained based on the characteristic information of the terminal represented by the access request information in the target access traffic data; the terminal proportion characteristic is compared with a preset terminal proportion characteristic to determine whether the terminal proportion corresponding to the target access traffic data is abnormal, and whether a network attack event exists is determined based on the result of that judgment.
Description
Technical Field
The present application relates to the field of computers, and more particularly, to the field of network attacks.
Background
A Challenge Black Hole (CC, also known as Challenge Collapsar) attack is a page-based, disguised Distributed Denial of Service (DDoS) attack in which the attacker uses proxy servers to generate legitimate requests directed at a target server (such as a victim host). Because each request initiated by the attacker is legitimate, the attack requests cannot be identified from the legitimacy or traffic characteristics of the requests, as is done when protecting against other DDoS attacks. CC attack detection technology arose for this reason, but how to detect a CC attack quickly and how to reduce false alarms remain urgent problems for it.
Disclosure of Invention
The embodiments of the present application provide a network attack detection method and device, an electronic device and a storage medium, for rapidly detecting whether a network attack event has occurred under high traffic while reducing false alarms.
In a first aspect, an embodiment of the present application provides a method for detecting a network attack, including:
detecting that the access traffic data of a client accessing a target server is abnormal, where the access traffic data represents the traffic data formed by the client sending access request information to the target server, and the access request information at least represents characteristic information of the terminal on which the client is installed;
counting the target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and obtaining a terminal proportion characteristic corresponding to the target access traffic data based on the characteristic information of the terminal represented by the access request information in the target access traffic data;
and comparing the terminal proportion characteristic with a preset terminal proportion characteristic to determine whether the terminal proportion corresponding to the target access traffic data is abnormal, and determining whether a network attack event exists based on the result of that judgment.
In this regard, on one hand, since the detection flow for the network attack event is triggered automatically once the access traffic data is determined to be abnormal, the detection flow is automated, which lays a foundation for engineering application.
On the other hand, in practice, in a normal network access state the actual terminal proportion characteristic is related to parameters such as terminal market share and is not related to the access volume, whereas when a network attack event is present the terminal proportion characteristic may be inconsistent with parameters such as the actual terminal market share. In particular, once the data volume is large, the actual terminal proportion characteristic fluctuates within a certain range in the normal network access state but does not leave that range as the access volume grows,
whereas when a network attack event occurs the actual terminal proportion characteristic exceeds the fluctuation range. Based on this principle, the embodiment of the present application determines whether a network attack event exists by comparing the terminal proportion characteristic with the preset terminal proportion characteristic, which allows network attack events to be detected under high traffic with high accuracy; moreover, because the detection flow only requires the actual terminal proportion characteristic and does not require the page access frequency to be obtained, it has lower resource consumption and higher detection speed than the existing detection method, which obtains the page access frequency to detect network attack events.
On the other hand, in a normal network access state the actual terminal proportion characteristic does not change as the access volume increases, so when a business holds an activity or a sales promotion, even if a large number of users increase page accesses in a short time, the actual terminal proportion characteristic will not become abnormal as long as the accesses are normal accesses; therefore the method of the embodiment of the present application does not give a false alarm. It also avoids the missed detection that occurs when a hacker uses a large number of attack IPs and controls the access frequency of each attack IP so that it stays below the threshold: in that case, even though the access frequency is below the threshold, detection is still possible as long as the terminal proportion is abnormal in that state, so the detection accuracy is further improved.
In one embodiment, detecting that the access traffic data of the client accessing the target server is abnormal includes:
acquiring the access traffic data of the client accessing the target server;
and comparing the access traffic data with historical traffic data, and determining that the access traffic data is abnormal after determining that the amount by which the access traffic data exceeds the historical traffic data is greater than a preset threshold.
The detection flow for this abnormal condition is automatic, that is, whether the current access traffic data is abnormal can be judged automatically; this lays a foundation for the automatic detection flow of the network attack event and, at the same time, for engineering application.
In one embodiment, obtaining the terminal proportion characteristic corresponding to the target access traffic data based on the characteristic information of the terminal represented by the access request information in the target access traffic data includes:
parsing the client identification field set in the access request information corresponding to the target access traffic data to obtain the characteristic information of the terminal represented by the client identification field;
and obtaining the terminal proportion characteristic corresponding to the target access traffic data based on the characteristic information of the terminals corresponding to the target access traffic data.
Here, in the embodiment of the present application only one field, the client identification field, needs to be parsed to obtain the required terminal characteristic information and from it the terminal proportion characteristic. Compared with the existing detection method, which obtains the page access frequency to detect network attack events, this embodiment therefore provides a feasible scheme with low resource consumption and lays a foundation for detection performance under high traffic; at the same time, being compatible with the prior art lays a foundation for engineering application.
In one embodiment, comparing the terminal proportion characteristic with the preset terminal proportion characteristic to determine whether the terminal proportion corresponding to the target access traffic data is abnormal includes:
comparing the actual proportion interval of a target terminal in the terminal proportion characteristic with the preset interval of the target terminal in the preset terminal proportion characteristic, and checking whether the actual proportion interval of the target terminal exceeds the preset interval, so as to determine whether the terminal proportion corresponding to the target access traffic data is abnormal.
Here, because the actual terminal proportion characteristic fluctuates within a certain range in the normal network access state, it does not leave that range as the access volume increases and stays consistent with the terminal market share and similar parameters. When a network attack event occurs, however, the actual terminal proportion characteristic no longer matches the terminal market share. For example, when a network attack event occurs the access volume of a certain type of terminal increases greatly, so that the proportion of that type of terminal rises and exceeds the fluctuation range; or the network attack event drives the terminal proportions towards uniformity, which is inconsistent with the terminal market share. On this basis, the embodiment provides a specific, simple and feasible rapid detection scheme: the actual proportion of a specific terminal is compared with the preset interval to judge whether the actual proportion interval is abnormal, and from that whether a network attack event exists; this lays a foundation for engineering application.
In one embodiment, the method further includes:
after the actual proportion interval of the target terminal exceeds the preset interval, determining that the terminal proportion corresponding to the target access traffic data is abnormal; or,
after the actual proportion interval of the target terminal does not exceed the preset interval, determining that the terminal proportion corresponding to the target access traffic data is normal.
When the actual proportion interval of the target terminal exceeds the preset interval, the actual proportion of the target terminal is inconsistent with parameters such as the terminal market share, so an abnormality is determined to exist and, further, a network attack event is determined to exist; conversely, when the actual proportion interval of the target terminal does not exceed the preset interval, the actual proportion of the target terminal is shown to be consistent with parameters such as the terminal market share, so no abnormality is determined to exist and, further, no network attack event is determined to exist. The embodiment therefore provides a specific, simple and feasible rapid detection scheme and lays a foundation for engineering application.
In one embodiment, counting the target access traffic data formed by at least one client sending access request information to the target server within a preset time period includes:
acquiring first network traffic mirror data;
and acquiring, from the first network traffic mirror data, the target access traffic data formed by at least one client sending access request information to the target server within the preset time period during which the access traffic data is abnormal.
Here, to avoid data loss and improve the usability of the method, the data may be backed up, for example by mirroring the access traffic data, so that the target access traffic data is obtained from the backed-up data and the safety of the method is improved.
In one embodiment, the method further includes:
acquiring second network traffic mirror data;
preprocessing the second network traffic mirror data to filter out abnormal access traffic data;
and obtaining the preset terminal proportion characteristic at least based on the preprocessed network traffic mirror data.
Here, to avoid data loss and improve the usability of the method, the data may be backed up, for example by mirroring the access traffic data, so that the target access traffic data is obtained from the backed-up data and the safety of the method is improved. At the same time, this embodiment avoids an inaccurate preset terminal proportion characteristic being used as the baseline: for example, if an unrecognised network attack event is present in the source data used to calculate the preset terminal proportion characteristic, the preset terminal proportion characteristic determined from that source data may be inaccurate. The source data, for example the second network traffic mirror data, is therefore preprocessed in the manner described to filter out abnormal access traffic data, so that the preset terminal proportion characteristic determined from it is accurate, which lays a foundation for improving the accuracy of the final detection.
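The first-aspect method above (the volume trigger of step S101, parsing the client identification field, the terminal proportion characteristic, the preset interval built from preprocessed mirror data, and the comparison of step S102 onwards), as an added Python illustration; this is not the applicant's code. It assumes the client identification field is the HTTP User-Agent header and that requests have already been extracted from mirrored traffic as (source IP, User-Agent) pairs; the brand patterns, sample User-Agent strings and traffic windows are all constructed.

```python
import re
from collections import Counter

# Constructed patterns mapping the client identification field (assumed to be the
# HTTP User-Agent header) to a terminal brand; a real deployment would use a UA database.
BRAND_PATTERNS = [
    ("iPhone", re.compile(r"iPhone")),
    ("Huawei", re.compile(r"HUAWEI|HONOR")),
    ("Xiaomi", re.compile(r"Xiaomi|Redmi")),
    ("Windows", re.compile(r"Windows NT")),
]
UA_SAMPLES = {  # constructed, abbreviated User-Agent strings, one per brand
    "iPhone": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) Safari/604.1",
    "Huawei": "Mozilla/5.0 (Linux; Android 10; HUAWEI P30) Chrome/78.0 Mobile Safari",
    "Xiaomi": "Mozilla/5.0 (Linux; Android 9; Redmi Note 7) Chrome/76.0 Mobile Safari",
    "Windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/77.0 Safari/537.36",
}

def terminal_feature(user_agent):
    """Parse the client identification field into terminal characteristic information."""
    for brand, pattern in BRAND_PATTERNS:
        if pattern.search(user_agent):
            return brand
    return "other"

def terminal_shares(window):
    """Terminal proportion characteristic of a window of (source_ip, user_agent) requests."""
    counts = Counter(terminal_feature(ua) for _, ua in window)
    total = sum(counts.values())
    return {brand: n / total for brand, n in counts.items()} if total else {}

def traffic_is_abnormal(current, historical, threshold):
    """Step S101 trigger: the excess over same-period historical volume exceeds a preset threshold."""
    return len(current) - len(historical) > threshold

def preset_intervals(mirror_windows, volume_factor=2.0, margin=0.05):
    """Preset terminal proportion characteristic built from historical mirrored windows.
    Preprocessing drops windows whose volume exceeds volume_factor times the median, so an
    unrecognised attack in the source data cannot pollute the baseline; each brand's preset
    interval is [min - margin, max + margin] of its share over the remaining windows."""
    sizes = sorted(len(w) for w in mirror_windows)
    median = sizes[len(sizes) // 2]
    shares = [terminal_shares(w) for w in mirror_windows if len(w) <= volume_factor * median]
    brands = {b for s in shares for b in s}
    return {b: (max(0.0, min(s.get(b, 0.0) for s in shares) - margin),
                min(1.0, max(s.get(b, 0.0) for s in shares) + margin)) for b in brands}

def abnormal_terminals(window, intervals):
    """Target terminals whose actual proportion lies outside their preset interval."""
    actual = terminal_shares(window)
    return {b for b, (lo, hi) in intervals.items() if not lo <= actual.get(b, 0.0) <= hi}

def detect(current, historical, intervals, volume_threshold):
    """Whole flow: trigger on a volume excess, then judge the event by terminal proportion."""
    if not traffic_is_abnormal(current, historical, volume_threshold):
        return "not triggered"
    return "attack" if abnormal_terminals(current, intervals) else "flash crowd"

def ips_over_frequency(window, max_requests):
    """The per-source-IP frequency check from the background section, for comparison."""
    return {ip for ip, n in Counter(ip for ip, _ in window).items() if n > max_requests}

def normal_window(n, variant):
    """Constructed normal traffic: market-share-like brand mix, four requests per IP;
    variant shifts a few percent between two brands to mimic normal fluctuation."""
    weights = {"iPhone": 45 + variant, "Huawei": 30 - variant, "Xiaomi": 15, "Windows": 10}
    window = []
    for k, (brand, w) in enumerate(weights.items()):
        window += [(f"10.{k}.0.{i // 4}", UA_SAMPLES[brand]) for i in range(n * w // 100)]
    return window

def distributed_attack(n, user_agent):
    """Constructed low-rate CC traffic: n distinct IPs, one request each, same terminal."""
    return [(f"203.0.{i // 256}.{i % 256}", user_agent) for i in range(n)]

if __name__ == "__main__":
    history = [normal_window(200, v) for v in range(-3, 4)]
    history.append(normal_window(200, 0) + distributed_attack(400, UA_SAMPLES["Xiaomi"]))
    intervals = preset_intervals(history)        # the polluted window is filtered out
    promotion = normal_window(600, 2)            # flash crowd: volume up, proportions normal
    attack = normal_window(200, 1) + distributed_attack(300, UA_SAMPLES["Xiaomi"])
    print(detect(promotion, history[3], intervals, 100))   # flash crowd
    print(detect(attack, history[3], intervals, 100))      # attack
    print(ips_over_frequency(attack, 10))                   # set(): per-IP check misses it
```

The promotion window trips the volume trigger but keeps a market-share-like mix, while the distributed attack stays under any per-IP threshold yet pushes one brand far outside its preset interval.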
In a second aspect, an embodiment of the present application provides a device for detecting a network attack, including:
a detection unit, configured to detect that the access traffic data of a client accessing a target server is abnormal, where the access traffic data represents the traffic data formed by the client sending access request information to the target server, and the access request information at least represents characteristic information of the terminal on which the client is installed;
a processing unit, configured to count the target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and to obtain a terminal proportion characteristic corresponding to the target access traffic data based on the characteristic information of the terminal represented by the access request information in the target access traffic data;
and an attack event determination unit, configured to compare the terminal proportion characteristic with a preset terminal proportion characteristic to determine whether the terminal proportion corresponding to the target access traffic data is abnormal, and to determine whether a network attack event exists based on the result of that judgment.
In one embodiment, the detection unit is further configured to:
acquire the access traffic data of the client accessing the target server;
and compare the access traffic data with historical traffic data, and determine that the access traffic data is abnormal after determining that the amount by which the access traffic data exceeds the historical traffic data is greater than a preset threshold.
In one embodiment, the processing unit is further configured to:
parse the client identification field set in the access request information corresponding to the target access traffic data to obtain the characteristic information of the terminal represented by the client identification field;
and obtain the terminal proportion characteristic corresponding to the target access traffic data based on the characteristic information of the terminals corresponding to the target access traffic data.
In one embodiment, the attack event determination unit is further configured to:
compare the actual proportion interval of a target terminal in the terminal proportion characteristic with the preset interval of the target terminal in the preset terminal proportion characteristic, and check whether the actual proportion interval of the target terminal exceeds the preset interval, so as to determine whether the terminal proportion corresponding to the target access traffic data is abnormal.
In one embodiment, the attack event determination unit is further configured to:
after the actual proportion interval of the target terminal exceeds the preset interval, determine that the terminal proportion corresponding to the target access traffic data is abnormal; or,
after the actual proportion interval of the target terminal does not exceed the preset interval, determine that the terminal proportion corresponding to the target access traffic data is normal.
In one embodiment, the processing unit is further configured to:
acquire first network traffic mirror data;
and acquire, from the first network traffic mirror data, the target access traffic data formed by at least one client sending access request information to the target server within the preset time period during which the access traffic data is abnormal.
In one embodiment, the processing unit is further configured to:
acquire second network traffic mirror data;
preprocess the second network traffic mirror data to filter out abnormal access traffic data;
and obtain the preset terminal proportion characteristic at least based on the preprocessed network traffic mirror data.
In a third aspect, an embodiment of the present application provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method described above.
In a fourth aspect, embodiments of the present application provide a non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the above-described method.
One embodiment of the above application has the following advantages or benefits:
because the detection flow for the network attack event is triggered automatically once the access traffic data is determined to be abnormal, the embodiment of the present application automates the detection flow and lays a foundation for engineering application; at the same time, whether a network attack event exists is determined by comparing the terminal proportion characteristic with the preset terminal proportion characteristic, so resource consumption is low, detection speed is high, and network attack events can be detected under high traffic, which solves the technical problems of the existing methods, namely high resource consumption, slow detection speed, and inability to detect network attack events under high traffic. Moreover, missed detections are avoided, so the detection accuracy is further improved.
Other effects of the above-described alternatives will be described below with reference to specific embodiments.
Drawings
The drawings are included to provide a better understanding of the present solution and are not intended to limit the present application. Wherein:
FIG. 1 is a schematic diagram according to a first embodiment of the present application;
FIG. 2 is a schematic diagram according to a second embodiment of the present application;
FIG. 3 is a schematic illustration according to a third embodiment of the present application;
FIG. 4 is a block diagram of an apparatus for implementing the network attack detection method according to the embodiment of the present application;
FIG. 5 is a block diagram of an electronic device for implementing the network attack detection method according to the embodiment of the present application.
Detailed Description
The following description of the exemplary embodiments of the present application, taken in conjunction with the accompanying drawings, includes various details of the embodiments of the application for the understanding of the same, which are to be considered exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Here, CC attack detection technology refers to finding HyperText Transfer Protocol (HTTP) layer DDoS attacks initiated by hackers within large-scale network traffic. In existing detection of HTTP application layer DDoS attacks on the Internet, in order to accurately identify CC attacks initiated by hackers, HTTP parsing is usually performed on layer-7 traffic to obtain the page access frequency, and whether a CC attack exists is judged from the page access frequency; for example, the HTTP-parsed data is judged as follows:
The first method: count the number of requests sent by the same source IP address per unit time, and if the number reaches a certain threshold, determine that the source IP address exhibits attack behaviour, that is, that the source IP address is performing a CC attack.
The second method: count the total number of packets or requests reaching the same port or different ports of the same target server per unit time, and if a certain threshold is reached, determine that the target server is abnormal or under attack, that is, that the target server is under a CC attack.
The third method: count the number of requests from the same source IP to the same page per unit time, and if a certain threshold is reached, determine that the source IP address exhibits attack behaviour, that is, that the source IP address is performing a CC attack.
However, since these detection methods need to parse HTTP content to obtain the page access frequency, their resource consumption is high, their detection speed is slow, and their performance cannot keep up under high traffic. Moreover, when a business holds an activity or a promotion, a large number of users increase page accesses in a short time, and these detection methods generate a large number of false alarms because of the rapid increase in accesses, which reduces the detection accuracy.
At the same time there is also a missed-detection case: for example, if a hacker uses a large number of attack IPs and controls the access frequency of each attack IP so that it stays below the threshold of the first method, the detection scheme cannot detect this case.
Therefore, a new and efficient detection method is needed that rapidly detects CC attack events under high traffic while reducing false alarms.
Based on this, an embodiment of the present application provides a method for detecting a network attack; as shown in FIG. 1, the method includes:
Step S101: detecting that the access traffic data of a client accessing a target server is abnormal, where the access traffic data represents the traffic data formed by the client sending access request information to the target server, and the access request information at least represents characteristic information of the terminal on which the client is installed.
In practice, the target server may be a server providing an online information browsing service, for example a Web server; that is, when a client accesses a Web page it needs to send access request information to the target server so that the client and the server establish a network connection, through which the client accesses the Web page.
Here, the access traffic data may be the traffic data formed by different or the same clients sending access request information to the target server, for example the traffic data formed by access request information sent by different or the same clients to the same port of the target server, and/or the traffic data formed by access request information sent by different or the same clients to different ports of the target server.
In a specific example, the access traffic data represents the access volume corresponding to different or the same clients sending access request information to the target server. On this basis, the access traffic data of the embodiment of the present application includes at least one access request message from at least one client. Here, in practice, the access request information may specifically be an HTTP request message.
In a specific example, multiple fields may be set in the access request information, each carrying different information; for example, a client identification field is set, and the characteristic information of the terminal on which the client is installed is carried by the client identification field. In practice, the characteristic information of the terminal includes, but is not limited to, the terminal brand, the terminal model, and so on.
Here, in practice, the target server may be a server providing a browsing service for a plurality of web pages or a server providing a browsing service for only one web page; accordingly, the access traffic data may be the traffic data of the client accessing at least one of the plurality of web pages supported by the target server, or the traffic data of the client accessing the only web page supported by the target server, which the present application does not limit. "A plurality" means two or more.
In one embodiment, to automate the network attack event detection flow, the flow may be triggered automatically by monitoring the access traffic data, specifically as follows:
acquiring the access traffic data of the client accessing the target server;
and comparing the access traffic data with historical traffic data, and determining that the access traffic data is abnormal after determining that the amount by which the access traffic data exceeds the historical traffic data is greater than a preset threshold.
For example, the current access traffic data is acquired periodically and compared with the historical traffic data of the same period; when the traffic surges, for example when the amount by which the current access traffic data exceeds the historical traffic data of the same period is greater than the preset threshold, the current access traffic data is determined to be abnormal and the subsequent network attack event detection flow is started, that is, step S102 and the following steps are executed. Otherwise, the subsequent detection flow is not started and the access traffic data continues to be acquired periodically, so that automatic detection of network attack events is realised in a loop. Here, the preset threshold is an empirical value and can be set according to actual requirements.
Step S102: and counting target access traffic data formed by at least one client sending access request information to a target server within a preset time period, and obtaining terminal proportion characteristics corresponding to the target access traffic data based on the characteristic information of the terminal represented by the access request information in the target access traffic data.
Here, the target access traffic data is similar to the above access traffic data, and is not described here again.
In practical application, as described above, the access request information may carry the characteristic information of the terminal in a field setting manner, for example, a client identifier field is set, at this time, the step of obtaining the terminal proportion characteristic corresponding to the target access traffic data in step S102 may specifically include:
analyzing a client identification field set by access request information corresponding to target access flow data to obtain characteristic information of a terminal represented by the client identification field;
and obtaining the terminal proportion characteristics corresponding to the target access flow data based on the characteristic information of the terminal corresponding to the target access flow data.
That is, the characteristic information of the terminal is obtained by analyzing the client identification field set in the access request information; in the same way, the characteristic information of the terminal is obtained for all access request information included in the target access traffic data, and the terminal proportion characteristic corresponding to the target access traffic data is then obtained from the characteristic information of the terminals corresponding to all of that access request information.
Here, since the clients sending the access request information may be the same or different clients, and different clients correspond to the same or different terminals, the terminal occupation characteristics of different or same terminals corresponding to the target access traffic data can be obtained based on the characteristic information of all the terminals of the access request information, thus laying a foundation for the detection of the subsequent network attack event.
Furthermore, in the embodiment of the application, only one field, namely the client identification field, needs to be analyzed to obtain the required terminal characteristic information and, from it, the terminal proportion characteristic. Compared with the existing detection mode that detects network attack events by acquiring the page access frequency, the embodiment therefore provides a feasible scheme with low resource consumption, lays a foundation for detection under high traffic, and, by being compatible with the prior art, lays a foundation for engineering application.
In an embodiment, to avoid data loss and improve the usability of the method, data is backed up, for example, access traffic data is backed up, so that target access traffic data is obtained through the backup data, and the security of the method is improved. The method comprises the following specific steps:
acquiring first network flow mirror image data;
and acquiring target access flow data formed by sending access request information to a target server by at least one client within a preset time period when the access flow data is abnormal from the first network flow mirror data.
That is to say, the obtained target access traffic data includes traffic data when the access traffic data is abnormal, so that a foundation is laid for subsequently confirming whether the condition that the access traffic data is abnormal is caused by a network attack event.
In a further embodiment, backing up the data in this way also avoids an inaccurate preset terminal proportion characteristic serving as the baseline. For example, unidentified network attack events may exist in the source data used to calculate the preset terminal proportion characteristic, in which case the preset terminal proportion characteristic determined from that source data may be inaccurate; therefore the source data, for example the second network traffic mirror data, is preprocessed in the specific manner below to filter out abnormal access traffic data, so that the determined preset terminal proportion characteristic is accurate, laying a foundation for improving the accuracy of the final detection. The method comprises the following specific steps:
acquiring second network flow mirror image data;
preprocessing the second network traffic mirror image data to filter out abnormal access traffic data;
and obtaining a preset terminal proportion characteristic at least based on the preprocessed network flow mirror image data.
In a specific example, the preset terminal proportion characteristic can also be obtained with reference to parameters such as the terminal market share and/or the browser market share; since, in the normal network access state, the preset terminal proportion characteristic fits parameters such as the terminal market share and the browser market share, and the fit becomes closer as the amount of data grows, factors such as the terminal market share and/or the browser market share can be referred to when presetting the terminal proportion characteristic. Here, the browser market share refers to the market share of the browser corresponding to the client of the embodiment of the present application.
Here, the manner of filtering the abnormal access traffic data may refer to a method of determining whether the access traffic data is abnormal, for example, the access traffic data is compared with the historical traffic data in the same period, and after determining that the exceeding portion of the access traffic data exceeding the historical traffic data in the same period is greater than the preset threshold, it is determined that the access traffic data is abnormal, which is not described herein again. Of course, in practical application, other determination methods may also be adopted, and the present application does not limit this.
Here, it should be noted that, in an actual application, the period and the manner of the data mirroring may be determined according to an actual requirement, and the embodiment of the present application does not limit this.
In a specific example, the second network traffic mirror data is different from the first network traffic mirror data: the second network traffic mirror data is data from before the access traffic data entered the abnormal state, for example data earlier than the abnormal state by a certain length of time, while the first network traffic mirror data is data from a specific time period around the occurrence of the abnormal state, and the two do not intersect. Of course, in practical application the two may also intersect, and even if the second network traffic mirror data includes abnormal data, the embodiment of the present application can still reject the abnormal data by preprocessing, thereby ensuring the accuracy of the detection result.
Step S103: and comparing the terminal proportion characteristic with a preset terminal proportion characteristic to determine whether the terminal proportion corresponding to the target access traffic data is abnormal or not, and determining whether a network attack event exists or not based on the judgment result of whether the abnormality exists or not.
In one embodiment, comparing the terminal proportion characteristic with a preset terminal proportion characteristic to determine whether the terminal proportion corresponding to the target access traffic data is abnormal includes:
and comparing the actual occupation interval of the target terminal in the terminal occupation characteristic with the preset interval of the target terminal in the preset terminal occupation characteristic, and comparing whether the actual occupation interval of the target terminal exceeds the preset interval or not so as to determine whether the terminal occupation ratio corresponding to the target access flow data is abnormal or not.
Here, in the normal access state of the network, the actual terminal proportion characteristic fluctuates within a certain range; it does not leave that range as the access volume increases, and it stays consistent with the terminal market share and similar parameters. When a network attack event occurs, however, the actual terminal proportion characteristic no longer matches the terminal market share. For example, the access volume of a certain type of terminal increases greatly, so that the proportion of that type of terminal rises and exceeds the fluctuation range; or the network attack event makes the terminal proportions tend toward uniform, which is likewise inconsistent with the terminal market share. On this basis, the embodiment can judge whether the actual proportion interval is abnormal by comparing the actual proportion of a specific terminal with the preset interval, and thereby judge whether a network attack event exists. This provides a simple and feasible rapid detection scheme and lays a foundation for engineering application.
In one embodiment, the method further comprises:
after the actual occupation ratio interval of the target terminal exceeds the preset interval, determining that the terminal occupation ratio corresponding to the target access flow data is abnormal; or,
and after the actual occupation interval of the target terminal does not exceed the preset interval, determining that the terminal occupation ratio corresponding to the target access flow data is normal.
Here, as shown in fig. 2, step S201: detecting that the access traffic data of the client accessing the target server is abnormal. Step S202: counting target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and obtaining the terminal proportion characteristic corresponding to the target access traffic data based on the characteristic information of the terminal represented by the access request information in the target access traffic data. Step S203: comparing the actual proportion interval of the target terminal in the terminal proportion characteristic determined in step S202 with the preset interval of the target terminal in the preset terminal proportion characteristic, and judging whether the actual proportion interval of the target terminal exceeds the preset interval; if yes, go to step S204, otherwise go to step S205. Step S204: determining that the actual proportion of the target terminal does not match parameters such as the terminal market share, determining that the terminal proportion corresponding to the target access traffic data is abnormal, and thus determining that a network attack event exists at this moment. In other words, the abnormality of the access traffic data is considered to be caused by a network attack event. Step S205: determining that the actual proportion of the target terminal matches parameters such as the terminal market share, determining that the terminal proportion corresponding to the target access traffic data is normal, and thus determining that no network attack event exists at this moment. In other words, the abnormality of the access traffic data is not considered to be caused by a network attack event.
Therefore, a specific, simple and feasible rapid detection scheme is provided, and a foundation is laid for engineering application.
Therefore, on one hand, the detection process of the subsequent network attack event is automatically triggered after the access flow data is determined to be abnormal, so that the automatic detection process is realized, and a foundation is laid for engineering.
On the other hand, in practical application, in the normal network access state the actual terminal proportion characteristic is related to parameters such as the terminal market share but not to the access traffic volume; when a network attack event exists, the terminal proportion characteristic in that state may be inconsistent with the actual terminal market share and related parameters, especially when the data volume is large. In the normal access state the actual terminal proportion characteristic fluctuates within a certain range and does not leave that range as the access volume increases; based on the principle that it exceeds the fluctuation range when a network attack event occurs, the embodiment of the application determines whether a network attack event exists by comparing the terminal proportion characteristic with the preset terminal proportion characteristic, can detect network attack events under high traffic, and has a high accuracy rate. Moreover, because the detection process needs only the actual terminal proportion characteristic and does not need to acquire the page access frequency, the method has lower resource consumption and higher detection speed than the existing detection mode that detects network attack events by acquiring the page access frequency.
On the other hand, in the normal network access state the actual terminal proportion characteristic does not change as the access volume increases, so when a business holds an event or a sales promotion and a large number of users increase page accesses within a short time, the actual terminal proportion characteristic does not become abnormal as long as the accesses are normal; the method of the embodiment of the application therefore does not raise a false alarm. It also avoids the missed detection that occurs when an attacker uses a large number of attack IPs and keeps the access frequency of each attack IP below the threshold: even though the access frequency is below the threshold, the attack can still be detected as long as the terminal proportion is abnormal in that state, so the detection accuracy is further improved.
It should be noted that the network attack event in the embodiment of the present application may specifically be a CC attack event, and further, the method in the embodiment of the present application may be applied to the following scenarios:
a CC attack detection system in a cloud computing platform environment, a CC attack detection system in an Internet Data Center (IDC) environment, and a CC attack detection system in a high-traffic enterprise.
Here, the terminal according to the embodiment of the present application may be specifically a mobile terminal (e.g., a mobile phone, a smart watch, etc.), or a Personal Computer (PC) terminal.
The following describes the embodiments of the present application in further detail with reference to a specific example that selects the User Agent (UA) distribution as the examined variable in order to detect a CC attack event. Here, the UA distribution characterizes the terminal distribution, that is, the terminal proportion characteristic described above. Under normal access to a website, once the access volume reaches a certain scale, the UA distribution fits factors such as the mainstream terminal market share and browser market share very closely, and the larger the amount of data, the closer the fit. Moreover, in practice an attacker often accesses a website using a random UA (such as a random type of mobile phone) or a fixed UA (such as a fixed type of smart watch), so after an attack event occurs the UA distribution in that period becomes either very even or severely skewed, and the effect is more obvious the larger the attack. Based on this principle, whether a CC event is real can be determined from the UA distribution.
As shown in fig. 3, the specific process includes:
firstly, the network traffic mirror data is used to count the UA distribution in a period (such as within 6 hours) before a suspicious attack event occurs, and the proportion intervals of the different UAs are recorded. At this stage, when the website has no traffic or very little traffic, the UA distribution can instead be obtained by learning from a large volume of website logs. The method comprises the following specific steps:
step S301: counting the UA distribution of the period (such as within 6 hours) before the suspicious attack event occurs using the network traffic mirror data, and recording the proportion intervals of the different UAs. Specifically, the network traffic mirror data of the period (for example, within 6 hours) before the suspicious attack event occurs is obtained and the HTTP traffic is extracted from it; the UA field of each HTTP request is analyzed and the UA extracted; and the UA distribution of the period preceding the suspicious attack event is obtained by counting.
Step S302: counting the UA distribution of each small period (for example, within 30 s) while the suspicious attack event is occurring, calculating the proportion intervals of the different UAs, and comparing them with the UA proportion intervals of step S301; if they deviate severely from the intervals of step S301, for example if the proportion of a certain UA is more than 5 times its proportion in step S301, it is determined that a CC attack event exists. Alternatively, if the calculated UA distribution is very even, it is also determined that a real CC attack is present.
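The traffic trigger of step S101 and the UA-distribution baseline and comparison of steps S301 and S302, as an added example that is not code from the patent: the baseline is pooled from earlier windows after dropping windows whose request count is abnormal, and a window is flagged either when one UA's share exceeds 5 times its baseline share or when the UA shares are nearly uniform. The log format, UA strings, IP addresses, the 2.0 traffic ratio, the 0.05 minimum share and the 0.95 evenness cutoff are constructed assumptions for this example.

```python
"""
Added example (not the patent's own code): CC-attack detection from the User-Agent (UA)
distribution, following steps S101 (traffic trigger), S301 (baseline from earlier mirror
data with abnormal windows filtered out) and S302 (per-window comparison).
All log lines, UA strings, IP addresses and thresholds below are constructed assumptions.
"""
import math
import re
import statistics
from collections import Counter

# Constructed log format: <epoch> <client_ip> <method> <path> "<User-Agent>"
LOG_LINE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed UA strings standing in for terminal/browser types.
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/80"
SAFARI = "Mozilla/5.0 (iPhone; CPU iPhone OS 13_0) Safari/605"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/70"
WATCH = "Mozilla/5.0 (Linux; Android 10; SmartWatch) Mobile"
NORMAL_MIX = {CHROME: 50, SAFARI: 30, FIREFOX: 15, WATCH: 5}


def make_lines(start_ts, ua_counts):
    """Build constructed access-log lines; ua_counts maps UA -> request count."""
    lines, ts = [], start_ts
    for ua, n in ua_counts.items():
        for i in range(n):
            lines.append(f'{ts} 198.51.100.{i % 200 + 1} GET /index.html "{ua}"')
            ts += 1
    return lines


def parse_ua(line):
    """Step S301: analyse only the UA ('client identification') field of one request."""
    m = LOG_LINE.match(line)
    return m.group(5) if m else None


def ua_distribution(lines):
    """Share of each UA in `lines`: the terminal proportion characteristic."""
    counts = Counter(ua for ua in map(parse_ua, lines) if ua is not None)
    total = sum(counts.values())
    return {ua: n / total for ua, n in counts.items()} if total else {}


def traffic_is_abnormal(current, historical, threshold_ratio=2.0):
    """Step S101: the excess over same-period historical traffic is above the preset threshold."""
    return current - historical > threshold_ratio * historical


def preset_distribution(windows, threshold_ratio=2.0):
    """Step S301 with preprocessing: drop baseline windows whose request count is abnormal
    relative to the median window (so an unnoticed earlier flood does not skew the baseline),
    then pool the remaining windows into the preset UA distribution."""
    counts = [len(w) for w in windows]
    historical = statistics.median(counts)
    clean = [w for w, c in zip(windows, counts)
             if not traffic_is_abnormal(c, historical, threshold_ratio)]
    return ua_distribution([line for w in clean for line in w])


def normalized_entropy(dist):
    """1.0 = all UA shares equal (the 'very even' random-UA case); lower = concentrated."""
    if len(dist) < 2:
        return 0.0
    h = -sum(p * math.log(p) for p in dist.values() if p > 0)
    return h / math.log(len(dist))


def detect_cc(window_lines, baseline, deviation_factor=5.0, min_share=0.05, evenness_cutoff=0.95):
    """Step S302: attack if some UA's share is more than deviation_factor times its baseline
    share (fixed-UA flood), or if the window's UA distribution is nearly uniform (random UAs)."""
    dist = ua_distribution(window_lines)
    reasons = []
    for ua, share in sorted(dist.items(), key=lambda kv: -kv[1]):
        base = baseline.get(ua, 0.0)
        # min_share keeps a single UA unseen in the baseline from firing the check on its own
        if share >= min_share and share > deviation_factor * base:
            reasons.append(f"skewed: {ua!r} share {share:.3f} vs baseline {base:.3f}")
    evenness = normalized_entropy(dist)
    if len(dist) >= 3 and evenness >= evenness_cutoff:
        reasons.append(f"even: normalized UA entropy {evenness:.3f} over {len(dist)} UAs")
    return bool(reasons), reasons


# Constructed scenario: six 30 s baseline windows, one polluted by an earlier flood.
BASELINE_WINDOWS = [make_lines(1_000 * i, NORMAL_MIX) for i in range(6)]
BASELINE_WINDOWS[3] = make_lines(3_000, {**NORMAL_MIX, WATCH: 605})
BASELINE = preset_distribution(BASELINE_WINDOWS)

NORMAL_WINDOW = make_lines(10_000, NORMAL_MIX)
FIXED_UA_WINDOW = make_lines(20_000, {**NORMAL_MIX, WATCH: 400})
RANDOM_UA_WINDOW = make_lines(30_000, {**NORMAL_MIX, **{
    f"Mozilla/5.0 (Linux; Android 10; Device{i}) Mobile": 5 for i in range(100)}})

if __name__ == "__main__":
    for name, window in [("normal", NORMAL_WINDOW), ("fixed UA", FIXED_UA_WINDOW),
                         ("random UA", RANDOM_UA_WINDOW)]:
        triggered = traffic_is_abnormal(len(window), len(NORMAL_WINDOW))
        attack, why = detect_cc(window, BASELINE) if triggered else (False, ["traffic not abnormal"])
        print(f"{name:9s} trigger={triggered!s:5s} attack={attack!s:5s} {'; '.join(why)}")
```

The polluted baseline window (700 requests against a 100-request median) is discarded before the baseline is pooled, so the smart-watch share stays at its normal 5% rather than being inflated by the earlier flood.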
Therefore, CC attack events that are difficult to find with existing schemes can be detected while saving resources efficiently: only the UA field of HTTP is analyzed, and the performance is 20 times faster than that of the traditional scheme. Meanwhile, CC attacks can be accurately identified even under sudden load such as a promotional period.
An embodiment of the present application further provides a device for detecting a network attack, which implements the method described above, and as shown in fig. 4, the device 400 includes:
the detection unit 401 is configured to detect that there is an abnormality in access traffic data for the client to access the target server, where the access traffic data represents traffic data formed by the client sending access request information to the target server, and the access request information represents at least characteristic information of a terminal on which the client is installed;
a processing unit 402, configured to count target access traffic data formed by at least one client sending access request information to a target server within a preset time period, and obtain a terminal proportion feature corresponding to the target access traffic data based on feature information of a terminal represented by the access request information in the target access traffic data;
an attack event determining unit 403, configured to compare the terminal proportion characteristic with a preset terminal proportion characteristic, to determine whether the terminal proportion corresponding to the target access traffic data is abnormal, and determine whether a network attack event exists based on a determination result of whether the terminal proportion is abnormal.
In one embodiment, the detection unit 401 is further configured to:
acquiring access flow data of a client accessing a target server;
and comparing the access flow data with the historical flow data, and determining that the access flow data is abnormal after determining that the exceeding part of the access flow data exceeding the historical flow data is greater than a preset threshold value.
In one embodiment, the processing unit 402 is further configured to:
analyzing a client identification field set by access request information corresponding to target access flow data to obtain characteristic information of a terminal represented by the client identification field;
and obtaining the terminal proportion characteristics corresponding to the target access flow data based on the characteristic information of the terminal corresponding to the target access flow data.
In one embodiment, the attack event determination unit 403 is further configured to:
and comparing the actual occupation interval of the target terminal in the terminal occupation characteristic with the preset interval of the target terminal in the preset terminal occupation characteristic, and comparing whether the actual occupation interval of the target terminal exceeds the preset interval or not so as to determine whether the terminal occupation ratio corresponding to the target access flow data is abnormal or not.
In one embodiment, the attack event determination unit 403 is further configured to:
after the actual occupation ratio interval of the target terminal exceeds the preset interval, determining that the terminal occupation ratio corresponding to the target access flow data is abnormal; or,
and after the actual occupation interval of the target terminal does not exceed the preset interval, determining that the terminal occupation ratio corresponding to the target access flow data is normal.
In one embodiment, the processing unit 402 is further configured to:
acquiring first network flow mirror image data;
and acquiring target access flow data formed by sending access request information to a target server by at least one client within a preset time period when the access flow data is abnormal from the first network flow mirror data.
In one embodiment, the processing unit 402 is further configured to:
acquiring second network flow mirror image data;
preprocessing the second network traffic mirror image data to filter out abnormal access traffic data;
and obtaining a preset terminal proportion characteristic at least based on the preprocessed network flow mirror image data.
Here, it should be noted that: the descriptions of the embodiments of the apparatus are similar to the descriptions of the methods, and have the same advantages as the embodiments of the methods, and therefore are not repeated herein. For technical details not disclosed in the embodiments of the apparatus of the present application, those skilled in the art should refer to the description of the embodiments of the method of the present application for understanding, and for the sake of brevity, will not be described again here.
According to an embodiment of the present application, an electronic device and a readable storage medium are also provided.
Fig. 5 is a block diagram of an electronic device according to the network attack detection method in the embodiment of the present application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the present application that are described and/or claimed herein.
As shown in fig. 5, the electronic apparatus includes: one or more processors 501, memory 502, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are interconnected using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions for execution within the electronic device, including instructions stored in or on the memory to display graphical information for a Graphical User Interface (GUI) on an external input/output device, such as a display device coupled to the interface. In other embodiments, multiple processors and/or multiple buses may be used, along with multiple memories, as desired. Also, multiple electronic devices may be connected, with each device providing portions of the necessary operations (e.g., as a server array, a group of blade servers, or a multi-processor system). In fig. 5, one processor 501 is taken as an example.
Memory 502 is a non-transitory computer readable storage medium as provided herein. The memory stores instructions executable by the at least one processor, so that the at least one processor executes the network attack detection method provided by the application. The non-transitory computer-readable storage medium of the present application stores computer instructions for causing a computer to execute the method for detecting a network attack provided by the present application.
The memory 502, which is a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as program instructions/modules corresponding to the network attack detection method in the embodiment of the present application (for example, the detection unit 401, the processing unit 402, and the attack event determination unit 403 shown in fig. 4). The processor 501 executes various functional applications of the server and data processing by running non-transitory software programs, instructions, and modules stored in the memory 502, that is, implements the network attack detection method in the above method embodiment.
The memory 502 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of the electronic device of the detection method of the network attack, and the like. Further, the memory 502 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 502 may optionally include a memory remotely located from the processor 501, and these remote memories may be connected to the electronic device of the network attack detection method through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The electronic device of the network attack detection method may further include: an input device 503 and an output device 504. The processor 501, the memory 502, the input device 503 and the output device 504 may be connected by a bus or other means, and fig. 5 illustrates the connection by a bus as an example.
The input device 503 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic apparatus of the network attack detection method, such as an input device of a touch screen, a keypad, a mouse, a track pad, a touch pad, a pointing stick, one or more mouse buttons, a track ball, a joystick, or the like. The output devices 504 may include a display device, auxiliary lighting devices (e.g., LEDs), and haptic feedback devices (e.g., vibrating motors), among others. The Display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) Display, and a plasma Display. In some implementations, the display device can be a touch screen.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, Application Specific Integrated Circuits (ASICs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
These computer programs (also known as programs, software applications, or code) include machine instructions for a programmable processor, and may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (Cathode Ray Tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), and the internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
According to the technical scheme of the embodiment of the application, on one hand, the detection process of the subsequent network attack event is automatically triggered after the access flow data is determined to be abnormal, so that the automatic detection process is realized, and a foundation is laid for engineering.
On the other hand, in practical application, under a normal network access state the actual terminal proportion characteristic is tied to parameters such as terminal market share and is unrelated to the access traffic volume, whereas when a network attack event exists the terminal proportion in that state may deviate from the actual terminal market share and related parameters. This holds especially when the data volume is large: under normal network access the actual terminal proportion characteristic fluctuates within a certain range and does not leave that range as the access volume grows, while when a network attack event occurs the actual terminal proportion characteristic does exceed the range. Based on this principle, the embodiment of the application determines whether a network attack event exists by comparing the terminal proportion characteristic with a preset terminal proportion characteristic, which makes it possible to detect network attack events under large traffic volumes with a high accuracy rate. Moreover, because the detection only requires obtaining the actual terminal proportion characteristic and does not require collecting page access frequencies, it consumes fewer resources and detects faster than the existing detection approach that collects page access frequencies to detect network attack events.
On the other hand, because under a normal network access state the actual terminal proportion characteristic does not change as the access volume grows, even when a business holds an event or a sales promotion and a large number of users increase page accesses within a short time, the actual terminal proportion characteristic does not become abnormal as long as those accesses are normal accesses; therefore the method of the embodiment of the application does not raise a false alarm. It also avoids the missed report that occurs when a hacker uses a large number of attack IPs and controls the access frequency of each attack IP so that it stays below the threshold value: even though the access frequency is below the threshold in that state, detection is still possible as long as the terminal proportion is abnormal, so the detection accuracy is further improved.
Here, it should be noted that: the description of the embodiment of the electronic device is similar to the description of the method, and has the same beneficial effects as the embodiment of the method, and therefore, the description is omitted. For technical details not disclosed in the embodiments of the apparatus of the present application, those skilled in the art should refer to the description of the embodiments of the method of the present application for understanding, and for the sake of brevity, will not be described again here.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present application may be executed in parallel, sequentially, or in different orders, and the present invention is not limited thereto as long as the desired results of the technical solutions disclosed in the present application can be achieved.
The above-described embodiments should not be construed as limiting the scope of the present application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.
Claims (10)
1. A method for detecting network attacks is characterized by comprising the following steps:
detecting that access traffic data of a client accessing a target server is abnormal, wherein the access traffic data represents traffic data formed by the client sending access request information to the target server, and the access request information at least represents characteristic information of a terminal on which the client is installed;
counting target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and obtaining terminal proportion characteristics corresponding to the target access traffic data based on characteristic information of a terminal represented by the access request information in the target access traffic data;
and comparing the terminal proportion characteristic with a preset terminal proportion characteristic to determine whether the terminal proportion corresponding to the target access traffic data is abnormal or not, and determining whether a network attack event exists or not based on the determination result of whether the abnormality exists or not.
2. The method of claim 1, wherein the detecting that the access traffic data of the client accessing the target server is abnormal comprises:
acquiring access traffic data of a client accessing a target server;
and comparing the access traffic data with historical traffic data, and determining that the access traffic data is abnormal after determining that the portion by which the access traffic data exceeds the historical traffic data is greater than a preset threshold value.
3. The method according to claim 1, wherein obtaining the terminal proportion characteristic corresponding to the target access traffic data based on the characteristic information of the terminal characterized by the access request information in the target access traffic data comprises:
parsing a client identification field set in the access request information corresponding to the target access traffic data to obtain characteristic information of the terminal represented by the client identification field;
and obtaining the terminal proportion characteristic corresponding to the target access traffic data based on the characteristic information of the terminal corresponding to the target access traffic data.
4. The method according to claim 1, wherein the comparing the terminal proportion characteristic with a preset terminal proportion characteristic to determine whether the terminal proportion corresponding to the target access traffic data is abnormal includes:
and comparing the actual proportion interval of the target terminal in the terminal proportion characteristic with a preset interval of the target terminal in the preset terminal proportion characteristic, and determining, according to whether the actual proportion interval of the target terminal exceeds the preset interval, whether the terminal proportion corresponding to the target access traffic data is abnormal.
5. The method of claim 4, further comprising:
determining that the terminal proportion corresponding to the target access traffic data is abnormal when the actual proportion interval of the target terminal exceeds the preset interval; or,
determining that the terminal proportion corresponding to the target access traffic data is normal when the actual proportion interval of the target terminal does not exceed the preset interval.
6. The method of claim 1, wherein counting target access traffic data formed by at least one client sending access request information to the target server within a preset time period comprises:
acquiring first network traffic mirror data;
and acquiring, from the first network traffic mirror data, target access traffic data formed by at least one client sending access request information to the target server within a preset time period during which the access traffic data is abnormal.
7. The method of claim 1, further comprising:
acquiring second network traffic mirror data;
preprocessing the second network traffic mirror data to filter out abnormal access traffic data;
and obtaining a preset terminal proportion characteristic based at least on the preprocessed network traffic mirror data.
8. An apparatus for detecting a cyber attack, comprising:
a detection unit configured to detect that access traffic data of a client accessing a target server is abnormal, wherein the access traffic data represents traffic data formed by the client sending access request information to the target server, and the access request information at least represents characteristic information of a terminal on which the client is installed;
the processing unit is used for counting target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and obtaining terminal proportion characteristics corresponding to the target access traffic data based on characteristic information of a terminal represented by the access request information in the target access traffic data;
and the attack event judging unit is used for comparing the terminal proportion characteristic with a preset terminal proportion characteristic to determine whether the terminal proportion corresponding to the target access traffic data is abnormal or not, and determining whether a network attack event exists or not based on the judgment result of whether the abnormality exists or not.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
10. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-7.
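The detection pipeline of claims 1-7, and the two cases discussed in the description (a legitimate traffic surge that leaves the terminal mix unchanged, and a many-IP attack whose requests share one terminal signature), as one runnable Python example. This is an added illustration, not code from the patent or its applicant, and it assumes several things the page does not specify: that the client identification field is the HTTP User-Agent header, that the terminal family is recovered by keyword matching on it, that the threshold of claim 2 is applied to the excess over the historical count as a fraction of that count, and that the preset interval of claim 7 is the minimum and maximum share observed in clean baseline windows widened by a fixed margin. All User-Agent strings, window sizes and the historical count are constructed sample data.

```python
"""Terminal-proportion attack detection: an added illustration of claims 1-7
(assumed design; not the patent's or the applicant's code)."""
import re
from collections import Counter

# Assumption: the client identification field is the HTTP User-Agent header,
# and the terminal family is recovered by keyword matching (first match wins).
TERMINAL_PATTERNS = [
    ("iOS", re.compile(r"iPhone|iPad")),
    ("Android", re.compile(r"Android")),
    ("Windows", re.compile(r"Windows NT")),
    ("macOS", re.compile(r"Macintosh")),
]


def terminal_type(user_agent):
    """Claim 3: map one client identification field to a terminal family."""
    for name, pattern in TERMINAL_PATTERNS:
        if pattern.search(user_agent):
            return name
    return "other"


def terminal_shares(user_agents):
    """Claim 3: proportion of each terminal family among one window's requests."""
    counts = Counter(terminal_type(ua) for ua in user_agents)
    total = sum(counts.values())
    return {fam: n / total for fam, n in counts.items()} if total else {}


def traffic_is_abnormal(current_count, historical_count, excess_threshold=0.5):
    """Claim 2: the window exceeds the historical baseline by more than the
    preset threshold (assumed here to be a fraction of the baseline)."""
    if historical_count <= 0:
        return current_count > 0
    return (current_count - historical_count) / historical_count > excess_threshold


def build_preset_intervals(baseline_windows, margin=0.05):
    """Claim 7: preset per-family interval learned from windows already filtered
    of abnormal traffic: the observed min/max share widened by a margin."""
    per_window = [terminal_shares(w) for w in baseline_windows]
    families = {fam for shares in per_window for fam in shares}
    intervals = {}
    for fam in families:
        seen = [shares.get(fam, 0.0) for shares in per_window]
        intervals[fam] = (max(0.0, min(seen) - margin), min(1.0, max(seen) + margin))
    return intervals


def abnormal_terminals(shares, intervals):
    """Claims 4-5: families whose actual share falls outside the preset interval.
    A family absent from the baseline but present now is also out of interval."""
    out = [fam for fam, (lo, hi) in intervals.items()
           if not lo <= shares.get(fam, 0.0) <= hi]
    out += [fam for fam in shares if fam not in intervals]
    return sorted(out)


def detect_attack(window_uas, historical_count, intervals):
    """Claim 1: the proportion check runs only after the traffic volume is found
    abnormal; an attack is reported when the proportion is abnormal as well."""
    if not traffic_is_abnormal(len(window_uas), historical_count):
        return False, []
    bad = abnormal_terminals(terminal_shares(window_uas), intervals)
    return bool(bad), bad


# Constructed sample User-Agent strings (not captured from any real system).
UA = {
    "iOS": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) Mobile/15E148",
    "Android": "Mozilla/5.0 (Linux; Android 9; SM-G960F) Mobile Safari/537.36",
    "Windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/76.0 Safari/537.36",
    "macOS": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) Safari/605.1.15",
}


def make_window(ios, android, windows, macos):
    """Constructed request window with the given number of requests per family."""
    return ([UA["iOS"]] * ios + [UA["Android"]] * android
            + [UA["Windows"]] * windows + [UA["macOS"]] * macos)


# Three clean baseline windows (claim 7): roughly 40/35/20/5 percent.
BASELINE = [make_window(40, 35, 20, 5), make_window(80, 70, 40, 10),
            make_window(42, 33, 20, 5)]
INTERVALS = build_preset_intervals(BASELINE)
HISTORICAL = 100  # constructed: requests per window in the historical traffic data

# Legitimate promotion: six times the traffic, same terminal mix -> no alarm.
SURGE = make_window(240, 210, 120, 30)
# Attack: 100 normal requests plus 500 bot requests that all carry one Windows
# signature, spread across many IPs so that no single IP is frequent.
ATTACK = make_window(40, 35, 20, 5) + [UA["Windows"]] * 500

if __name__ == "__main__":
    print("surge :", detect_attack(SURGE, HISTORICAL, INTERVALS))
    print("attack:", detect_attack(ATTACK, HISTORICAL, INTERVALS))
```

The surge window trips the volume check of claim 2 but every family stays inside its preset interval, so no attack is reported; the attack window trips the same check and then shows iOS and Android far below, and Windows far above, their intervals, which is the case the description says per-IP frequency thresholds miss. In a deployment the windows would be drawn from the traffic mirror of claims 6-7 rather than built in memory, and the margin and excess threshold would be tuned against real baselines.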
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910800363.6A CN110505232A (en) | 2019-08-27 | 2019-08-27 | The detection method and device of network attack, electronic equipment, storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910800363.6A CN110505232A (en) | 2019-08-27 | 2019-08-27 | The detection method and device of network attack, electronic equipment, storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110505232A true CN110505232A (en) | 2019-11-26 |
Family
ID=68590008
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910800363.6A Pending CN110505232A (en) | 2019-08-27 | 2019-08-27 | The detection method and device of network attack, electronic equipment, storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110505232A (en) |
Cited By (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110445770A (en) * | 2019-07-18 | 2019-11-12 | 平安科技(深圳)有限公司 | Attack Source positioning and means of defence, electronic equipment and computer storage medium |
| CN111177513A (en) * | 2019-12-31 | 2020-05-19 | 北京百度网讯科技有限公司 | Method and device for determining abnormal access address, electronic equipment and storage medium |
| CN111698174A (en) * | 2020-04-28 | 2020-09-22 | 平安普惠企业管理有限公司 | Dynamic flow distribution method, device, equipment and storage medium |
| CN112099983A (en) * | 2020-09-22 | 2020-12-18 | 北京知道创宇信息技术股份有限公司 | Service exception handling method and device, electronic equipment and computer readable storage medium |
| CN112134723A (en) * | 2020-08-21 | 2020-12-25 | 杭州数梦工场科技有限公司 | Network anomaly monitoring method and device, computer equipment and storage medium |
| CN112241535A (en) * | 2020-10-20 | 2021-01-19 | 福建奇点时空数字科技有限公司 | Server security policy configuration method based on flow data analysis |
| CN112351042A (en) * | 2020-11-16 | 2021-02-09 | 百度在线网络技术(北京)有限公司 | Attack flow calculation method and device, electronic equipment and storage medium |
| CN112953938A (en) * | 2021-02-20 | 2021-06-11 | 百度在线网络技术(北京)有限公司 | Network attack defense method and device, electronic equipment and readable storage medium |
| CN113297241A (en) * | 2021-06-11 | 2021-08-24 | 工银科技有限公司 | Method, device, equipment, medium and program product for judging network flow |
| CN113347186A (en) * | 2021-06-01 | 2021-09-03 | 百度在线网络技术(北京)有限公司 | Reflection attack detection method and device and electronic equipment |
| CN113452647A (en) * | 2020-03-24 | 2021-09-28 | 百度在线网络技术(北京)有限公司 | Feature identification method, feature identification device, electronic equipment and computer-readable storage medium |
| CN113837318A (en) * | 2021-10-20 | 2021-12-24 | 北京明略软件系统有限公司 | Determination method and device, electronic device and storage medium for flow determination scheme |
| CN113920398A (en) * | 2021-10-13 | 2022-01-11 | 广东电网有限责任公司广州供电局 | Abnormal equipment identification method and device, computer equipment and storage medium |
| CN113949525A (en) * | 2021-09-07 | 2022-01-18 | 中云网安科技有限公司 | Detection method, device, storage medium and electronic device for abnormal access behavior |
| CN114124492A (en) * | 2021-11-12 | 2022-03-01 | 中盈优创资讯科技有限公司 | Network traffic anomaly detection and analysis method and device |
| CN114584623A (en) * | 2022-03-10 | 2022-06-03 | 广州方硅信息技术有限公司 | Traffic request cleaning method and device, storage medium and computer equipment |
| CN115459977A (en) * | 2022-08-31 | 2022-12-09 | 北京百度网讯科技有限公司 | Network attack confrontation behavior detection method, device and electronic equipment |
| CN115499184A (en) * | 2022-09-06 | 2022-12-20 | 北京天融信网络安全技术有限公司 | Network proxy service identification method and device, electronic equipment and storage medium |
| CN115733632A (en) * | 2021-08-26 | 2023-03-03 | 腾讯科技(深圳)有限公司 | Target object detection method and device, computer equipment and storage medium |
| CN118611981A (en) * | 2024-07-04 | 2024-09-06 | 湖北省电子信息产品质量监督检验院 | A data management method and management system |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104202336A (en) * | 2014-09-22 | 2014-12-10 | 浪潮电子信息产业股份有限公司 | A DDoS attack detection method based on information entropy |
| CN104348811A (en) * | 2013-08-05 | 2015-02-11 | 深圳市腾讯计算机系统有限公司 | Method and device for detecting attack of DDoS (distributed denial of service) |
| CN105337966A (en) * | 2015-10-16 | 2016-02-17 | 中国联合网络通信集团有限公司 | Processing method for network attacks and device |
| CN105577608A (en) * | 2014-10-08 | 2016-05-11 | 腾讯科技(深圳)有限公司 | Network attack behavior detection method and network attack behavior detection device |
| CN106161451A (en) * | 2016-07-19 | 2016-11-23 | 青松智慧(北京)科技有限公司 | The method of defence CC attack, Apparatus and system |
| CN107426136A (en) * | 2016-05-23 | 2017-12-01 | 腾讯科技(深圳)有限公司 | A kind of recognition methods of network attack and device |
| CN108600145A (en) * | 2017-12-25 | 2018-09-28 | 北京神州绿盟信息安全科技股份有限公司 | A kind of method and device of determining ddos attack equipment |
| US10122740B1 (en) * | 2015-05-05 | 2018-11-06 | F5 Networks, Inc. | Methods for establishing anomaly detection configurations and identifying anomalous network traffic and devices thereof |
| CN108780479A (en) * | 2015-09-05 | 2018-11-09 | 万事达卡技术加拿大无限责任公司 | Systems and methods for detecting and scoring anomalies |
- 2019-08-27 CN CN201910800363.6A patent/CN110505232A/en active Pending
Cited By (28)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110445770A (en) * | 2019-07-18 | 2019-11-12 | 平安科技(深圳)有限公司 | Attack Source positioning and means of defence, electronic equipment and computer storage medium |
| CN111177513A (en) * | 2019-12-31 | 2020-05-19 | 北京百度网讯科技有限公司 | Method and device for determining abnormal access address, electronic equipment and storage medium |
| CN111177513B (en) * | 2019-12-31 | 2023-10-31 | 北京百度网讯科技有限公司 | Method, device, electronic equipment and storage medium for determining abnormal access address |
| CN113452647B (en) * | 2020-03-24 | 2022-11-29 | 百度在线网络技术(北京)有限公司 | Feature identification method, feature identification device, electronic equipment and computer-readable storage medium |
| CN113452647A (en) * | 2020-03-24 | 2021-09-28 | 百度在线网络技术(北京)有限公司 | Feature identification method, feature identification device, electronic equipment and computer-readable storage medium |
| CN111698174A (en) * | 2020-04-28 | 2020-09-22 | 平安普惠企业管理有限公司 | Dynamic flow distribution method, device, equipment and storage medium |
| CN111698174B (en) * | 2020-04-28 | 2024-02-20 | 山东八浚通信科技有限公司 | Traffic dynamic allocation method, device, equipment and storage medium |
| CN112134723A (en) * | 2020-08-21 | 2020-12-25 | 杭州数梦工场科技有限公司 | Network anomaly monitoring method and device, computer equipment and storage medium |
| CN112099983A (en) * | 2020-09-22 | 2020-12-18 | 北京知道创宇信息技术股份有限公司 | Service exception handling method and device, electronic equipment and computer readable storage medium |
| CN112241535A (en) * | 2020-10-20 | 2021-01-19 | 福建奇点时空数字科技有限公司 | Server security policy configuration method based on flow data analysis |
| CN112351042A (en) * | 2020-11-16 | 2021-02-09 | 百度在线网络技术(北京)有限公司 | Attack flow calculation method and device, electronic equipment and storage medium |
| CN112351042B (en) * | 2020-11-16 | 2023-04-07 | 百度在线网络技术(北京)有限公司 | Attack flow calculation method and device, electronic equipment and storage medium |
| CN112953938A (en) * | 2021-02-20 | 2021-06-11 | 百度在线网络技术(北京)有限公司 | Network attack defense method and device, electronic equipment and readable storage medium |
| CN112953938B (en) * | 2021-02-20 | 2023-04-28 | 百度在线网络技术(北京)有限公司 | Network attack defense method, device, electronic equipment and readable storage medium |
| CN113347186B (en) * | 2021-06-01 | 2022-05-06 | 百度在线网络技术(北京)有限公司 | Reflection attack detection method and device and electronic equipment |
| CN113347186A (en) * | 2021-06-01 | 2021-09-03 | 百度在线网络技术(北京)有限公司 | Reflection attack detection method and device and electronic equipment |
| CN113297241A (en) * | 2021-06-11 | 2021-08-24 | 工银科技有限公司 | Method, device, equipment, medium and program product for judging network flow |
| CN115733632A (en) * | 2021-08-26 | 2023-03-03 | 腾讯科技(深圳)有限公司 | Target object detection method and device, computer equipment and storage medium |
| CN113949525A (en) * | 2021-09-07 | 2022-01-18 | 中云网安科技有限公司 | Detection method, device, storage medium and electronic device for abnormal access behavior |
| CN113920398A (en) * | 2021-10-13 | 2022-01-11 | 广东电网有限责任公司广州供电局 | Abnormal equipment identification method and device, computer equipment and storage medium |
| CN113837318A (en) * | 2021-10-20 | 2021-12-24 | 北京明略软件系统有限公司 | Determination method and device, electronic device and storage medium for flow determination scheme |
| CN114124492B (en) * | 2021-11-12 | 2023-07-25 | 中盈优创资讯科技有限公司 | Network traffic anomaly detection and analysis method and device |
| CN114124492A (en) * | 2021-11-12 | 2022-03-01 | 中盈优创资讯科技有限公司 | Network traffic anomaly detection and analysis method and device |
| CN114584623A (en) * | 2022-03-10 | 2022-06-03 | 广州方硅信息技术有限公司 | Traffic request cleaning method and device, storage medium and computer equipment |
| CN114584623B (en) * | 2022-03-10 | 2024-03-29 | 广州方硅信息技术有限公司 | Flow request cleaning method and device, storage medium and computer equipment |
| CN115459977A (en) * | 2022-08-31 | 2022-12-09 | 北京百度网讯科技有限公司 | Network attack confrontation behavior detection method, device and electronic equipment |
| CN115499184A (en) * | 2022-09-06 | 2022-12-20 | 北京天融信网络安全技术有限公司 | Network proxy service identification method and device, electronic equipment and storage medium |
| CN118611981A (en) * | 2024-07-04 | 2024-09-06 | 湖北省电子信息产品质量监督检验院 | A data management method and management system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110505232A (en) | The detection method and device of network attack, electronic equipment, storage medium | |
| US12267347B2 (en) | System and method for comprehensive data loss prevention and compliance management | |
| US11757920B2 (en) | User and entity behavioral analysis with network topology enhancements | |
| US11647039B2 (en) | User and entity behavioral analysis with network topology enhancement | |
| EP3369232B1 (en) | Detection of cyber threats against cloud-based applications | |
| US10594714B2 (en) | User and entity behavioral analysis using an advanced cyber decision platform | |
| US10560483B2 (en) | Rating organization cybersecurity using active and passive external reconnaissance | |
| CN110417778B (en) | Access request processing method and device | |
| US10666680B2 (en) | Service overload attack protection based on selective packet transmission | |
| US11374954B1 (en) | Detecting anomalous network behavior | |
| US9462009B1 (en) | Detecting risky domains | |
| US20170126712A1 (en) | Detection mitigation and remediation of cyberattacks employing an advanced cyber-decision platform | |
| US20230283641A1 (en) | Dynamic cybersecurity scoring using traffic fingerprinting and risk score improvement | |
| EP3494506A1 (en) | Detection mitigation and remediation of cyberattacks employing an advanced cyber-decision platform | |
| CN111711617A (en) | Method and device for detecting web crawler, electronic equipment and storage medium | |
| CN105009132A (en) | Event correlation based on confidence factor | |
| US20230007041A1 (en) | Detection and mitigation of denial of service attacks in distributed networking environments | |
| KR20200007912A (en) | Methods, devices, and systems for monitoring data traffic | |
| CN110650215A (en) | Function execution method and device of edge network | |
| EP4014112B1 (en) | Summarized event data responsive to a query | |
| CN105493096A (en) | Distributed pattern discovery | |
| CN112825519A (en) | Method and device for identifying abnormal login | |
| CN115499202A (en) | Network data processing method, device, system, processing equipment and storage medium | |
| CN113452647B (en) | Feature identification method, feature identification device, electronic equipment and computer-readable storage medium | |
| US10701178B2 (en) | Method and apparatus of web application server for blocking a client session based on a threshold number of service calls |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 20191126 | PB01 | Publication | Application publication date: 20191126 |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |