TWI717454B - Method, device and system for quantifying defense results - Google Patents
- Publication number: TWI717454B
- Authority: TW (Taiwan)
- Prior art keywords: data flow, defense, suspicious, target, flow volume
Abstract
Embodiments of the present invention provide a method and system for quantifying defense results. The method includes: obtaining a suspicious data traffic set, which is composed of the data traffic corresponding to each suspicious IP address in the suspicious IP address set contained in the original data traffic, as determined by a defense end located on a cloud platform; obtaining normal data traffic, which is the data traffic remaining after the defense end scrubs the suspicious data traffic set according to a preset defense strategy; obtaining host performance parameters, which are the set of parameters extracted on the target end after the defense end sends the normal data traffic to the target end; and quantifying the defense result based on a target parameter set, where the target parameter set includes at least the suspicious data traffic set, the normal data traffic and the host performance parameters. Because the evaluation angles and indicators used by the present invention to calculate the defense result are relatively comprehensive, the defense result is relatively accurate.
Description
The present invention relates to the field of network technology, and in particular to a method, device and system for quantifying defense results.
With the continuous advancement of network technology, network attacks in the network field are also increasing. At present, among the many kinds of network attacks, the distributed denial of service (DDoS) attack has become a relatively serious attack method. For this reason, a defense end is added to the original system architecture to block DDoS attacks.
Figure 1 is a schematic diagram of an existing network system architecture. As the figure shows, the system architecture includes a service end, routing equipment, a defense end and a target end. The service end includes normal service ends and attack ends. The attack end sends attack data traffic in various forms, and the defense end blocks the attack data traffic according to its own internal defense strategy.
If the defense strategy in the defense end is too loose, a large amount of attack traffic will reach the target end; if the defense strategy is too tight, it will interfere with the normal service end sending normal data traffic to the target end. Therefore, the defense result of the defense end's defense strategy needs to be evaluated, and an appropriate defense strategy determined according to that defense result.
At present, because the methods used in evaluating defense results are imperfect, the parameter indicators are incomplete and the data traffic is incomplete, the results of evaluating defense results are inaccurate.
The present invention provides a method, device and system for quantifying defense results, improving the accuracy of evaluating defense results by improving the evaluation method. In addition, integration with a cloud platform further improves the completeness of the data traffic.
To achieve the above objective, the present invention adopts the following technical means: a method for quantifying defense results, including: obtaining a suspicious data traffic set, where the suspicious data traffic set is composed of the data traffic corresponding to each suspicious IP address in the suspicious IP address set contained in the original data traffic, after the defense end located on the cloud platform diverts, via the core router, the original data traffic of the service end accessing the target end, and where the suspicious IP address set is determined in the original data traffic according to a preset detection rule; obtaining normal data traffic, where the normal data traffic is the data traffic remaining after the defense end scrubs the suspicious data traffic set according to a preset defense strategy; obtaining host performance parameters, where the host performance parameters are the set of parameters extracted on the target end after the defense end sends the normal data traffic to the target end; and quantifying the defense result based on a target parameter set, where the target parameter set includes at least the suspicious data traffic set, the normal data traffic and the host performance parameters.
Preferably, the target parameter set further includes an access success rate sent by a service monitoring device connected to the defense end, where the access success rate is calculated by the service monitoring device, after it controls multiple service ends located in different geographic locations to access the target end, from the request success rate and request time delay fed back by the target end.
Preferably, the target parameter set further includes network service quality, where the network service quality is calculated by the defense end from the suspicious data traffic set and the normal data traffic.
Preferably, the preset defense strategy in the suspicious traffic scrubbing device corresponds to an expected SLA level; quantifying the defense result based on the target parameter set then includes: using the target parameter set and a preset parameter set to determine a change value set for each parameter, where the preset parameter set is a pre-stored set of each parameter in the absence of attack data traffic; matching the change value set of each parameter against each parameter range in the expected SLA level; if the match succeeds, determining that the defense effect of the defense end reaches the expected SLA level; and if the match fails, determining that the defense effect of the defense end does not reach the expected SLA level.
Preferably, the method further includes: if the match fails, determining the defense strategy preceding the current defense strategy as the preset defense strategy. The defense end stores multiple SLA levels arranged in order, and one defense strategy corresponding to each SLA level; a smaller SLA level means a higher service level enjoyed by the target end, and the defense strategy corresponding to the preceding SLA level is superior to the defense strategy corresponding to the following SLA level.
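The SLA matching and fallback described in the two preceding paragraphs, as an added example that is not code from the patent. It assumes SLA levels are stored as an ordered table mapping each level to one strategy and to a (min, max) range per parameter; the parameter names, ranges, strategy names and observed change values are constructed, and the choice to keep the current strategy when the smallest SLA level fails (the patent defines no level before it) is this example's own.

```python
# Added example (not code from the patent): matching a change value set
# against an ordered list of SLA levels and falling back to the preceding,
# stronger defense strategy when the match fails.  Parameter names, ranges
# and strategy names below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SlaLevel:
    level: int                              # smaller level = higher service level for the target end
    strategy: str                           # the one defense strategy bound to this SLA level
    ranges: Dict[str, Tuple[float, float]]  # parameter -> (min, max) acceptable change value


def matches_sla(changes: Dict[str, float], sla: SlaLevel) -> bool:
    """A match succeeds only if every parameter range of the SLA level is satisfied;
    a parameter missing from the change value set counts as a failed match."""
    for name, (low, high) in sla.ranges.items():
        value = changes.get(name)
        if value is None or not (low <= value <= high):
            return False
    return True


def evaluate_defense(changes: Dict[str, float], levels: List[SlaLevel],
                     expected_level: int) -> Tuple[bool, str]:
    """Return (reached, strategy): whether the defense effect reaches the expected
    SLA level, and the strategy to use as the preset strategy afterwards.  On failure
    the strategy of the preceding (smaller) SLA level is chosen, as the patent describes;
    at the smallest level there is nothing stronger, so the current strategy is kept
    (an assumption of this example)."""
    ordered = sorted(levels, key=lambda s: s.level)
    position = {s.level: i for i, s in enumerate(ordered)}
    if expected_level not in position:
        raise ValueError(f"unknown SLA level {expected_level}")
    idx = position[expected_level]
    current = ordered[idx]
    if matches_sla(changes, current):
        return True, current.strategy
    if idx == 0:
        return False, current.strategy
    return False, ordered[idx - 1].strategy


# Constructed SLA table: three levels, each with its own strategy and ranges
# (values are fractions: 0.05 = 5% change relative to the attack-free baseline).
SLA_LEVELS = [
    SlaLevel(1, "strict",   {"syn_change": (0.0, 0.05), "cpu_change": (0.0, 0.10), "delay_change": (0.0, 0.05)}),
    SlaLevel(2, "moderate", {"syn_change": (0.0, 0.20), "cpu_change": (0.0, 0.30), "delay_change": (0.0, 0.20)}),
    SlaLevel(3, "loose",    {"syn_change": (0.0, 0.50), "cpu_change": (0.0, 0.60), "delay_change": (0.0, 0.50)}),
]

# Constructed change value set derived from a target parameter set and the preset (attack-free) set
OBSERVED_CHANGES = {"syn_change": 0.25, "cpu_change": 0.28, "delay_change": 0.15}

if __name__ == "__main__":
    print(evaluate_defense(OBSERVED_CHANGES, SLA_LEVELS, 2))  # (False, 'strict')
    print(evaluate_defense(OBSERVED_CHANGES, SLA_LEVELS, 3))  # (True, 'loose')
```

With the constructed values, a strategy bound to SLA level 2 fails because the syn change of 0.25 exceeds its 0.20 range, so the cloud host would switch the preset strategy to the level 1 ("strict") one; the same observation satisfies level 3. A parameter absent from the change value set is treated as a failed match rather than ignored, so an incomplete target parameter set cannot pass as a success.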
Preferably, using the target parameter set and the preset parameter set to determine the change value set of each parameter includes: calculating, from the suspicious data traffic set and the normal data traffic, a change amount set for the rate of change of input protocol information and output protocol information, where the input protocol information is extracted from the suspicious data traffic set and the output protocol information is extracted from the normal data traffic; and calculating a standard deviation set between the core data set of the normal data traffic and a preset core data set in the preset parameter set, where the core data set includes the request response rate, the service success rate, the proportion of 30x status codes, the proportion of 40x status codes, the proportion of 50x status codes and the time delay of normal user requests; and calculating a second change value set between the host performance parameters and preset host performance parameters in the preset parameter set; and/or calculating a third change value set between the access success rate and a preset access success rate in the preset parameter set; and/or calculating a fourth change value set between the network service quality and a preset network service quality in the preset parameter set.
Preferably, calculating, from the suspicious data traffic set and the normal data traffic, the change amount set for the rate of change of input protocol information and output protocol information includes: calculating the difference between the syn information in the input direction and the syn information in the output direction, and taking the ratio of that difference to the syn information in the input direction as the increase rate of the syn information; calculating the difference between the syn-ack information in the input direction and the syn-ack information in the output direction, and taking the ratio of that difference to the syn-ack information in the input direction as the increase rate of the syn-ack information; and determining the difference between the increase rate of the syn information and the increase rate of the syn-ack information as the change amount set.
Preferably, calculating the standard deviation set between the core data set of the normal data traffic and the preset core data set in the preset parameter set includes: calculating, between the core data set and the preset core data set, a first standard deviation for the request response rate, a second standard deviation for the service success rate, a third standard deviation for the proportion of 30x status codes, a fourth standard deviation for the proportion of 40x status codes, a fifth standard deviation for the proportion of 50x status codes and a sixth standard deviation for the time delay of normal user requests; and determining the set of the first, second, third, fourth, fifth and sixth standard deviations as the standard deviation set.
Preferably, the access success rate includes a request success rate and a request time delay; calculating the third change value set between the access success rate and the preset access success rate in the preset parameter set then includes: calculating the rate of change between the request success rate in the access success rate and the request success rate in the preset access success rate; calculating the change amount between the request time delay in the access success rate and the request time delay in the preset access success rate; and determining the rate of change and the change amount as the third change value set.
Preferably, the host performance parameters include: the number of half-open connections on the target end's host after it receives the first syn packet; the target end's host CPU; the target end's host memory; the target end's connection table; the number of host input/output operations on the target end; and the proportion of inbound and outbound traffic of the target end's host.
Preferably, the network service quality includes: the network delay introduced during scrubbing of the original data traffic; the network packet loss rate introduced during scrubbing of the original data traffic; the TCP availability during scrubbing of the original data traffic; the UDP availability during scrubbing of the original data traffic; and the jitter introduced during scrubbing of the original data traffic.
A system for quantifying defense results, including: a service end, a defense end located on a cloud platform, a target end, and a core router connected to the service end, the defense end and the target end. The core router is used to copy the original data traffic of the service end accessing the target end, obtaining copy data traffic. The defense end is used to obtain a suspicious data traffic set, where the suspicious data traffic set is composed of the data traffic corresponding to each suspicious IP address in the suspicious IP address set contained in the original data traffic, after the defense end located on the cloud platform diverts, via the core router, the original data traffic of the service end accessing the target end, and where the suspicious IP address set is determined in the original data traffic according to a preset detection rule; to obtain normal data traffic, where the normal data traffic is the data traffic remaining after the defense end scrubs the suspicious data traffic set according to a preset defense strategy; to obtain host performance parameters, where the host performance parameters are the set of parameters extracted on the target end after the defense end sends the normal data traffic to the target end; and to quantify the defense result based on a target parameter set, where the target parameter set includes at least the suspicious data traffic set, the normal data traffic and the host performance parameters.
Preferably, the defense end includes: a suspicious traffic detection device connected to the core router, used to analyze the copy data traffic according to a preset detection rule, obtain the suspicious IP address set contained in the copy data traffic, and send the suspicious IP address set; a suspicious traffic scrubbing device connected to the core router and the suspicious traffic detection device, used to obtain the suspicious IP address set, divert the suspicious data traffic set out of the original data traffic at the core router, scrub the suspicious data traffic set according to the preset defense strategy, and forward the normal data traffic remaining after scrubbing of the suspicious data traffic set to the target end; and a cloud host connected to the suspicious traffic detection device, the suspicious traffic scrubbing device and the target end, used to obtain the suspicious data traffic set from the suspicious traffic detection device, where the suspicious data traffic set contains the suspicious data traffic corresponding to each suspicious IP address, to obtain the normal data traffic from the suspicious traffic scrubbing device, and, after the normal data traffic is sent to the target end, to obtain from the target end host performance parameters representing the performance of the target end.
Preferably, the system further includes a service monitoring device connected to the cloud host, used to control multiple service hosts located in different geographic locations to access the target end, to calculate an access success rate from the access success rate and request time delay fed back by the target end, and to send the access success rate to the cloud host; correspondingly, the target parameter set further includes the access success rate.
Preferably, the cloud host is further used to calculate network service quality from the suspicious data traffic set and the normal data traffic; correspondingly, the target parameter set further includes the network service quality.
Preferably, the core router is further used to forward the data traffic remaining after the suspicious traffic scrubbing device diverts the suspicious data traffic set out of the original data traffic to the target end.
Preferably, the cloud host is specifically used to: determine the change value set of each parameter using the target parameter set and the preset parameter set; match the change value set of each parameter against each parameter range in the expected SLA level; if the match succeeds, determine that the defense effect of the defense end reaches the expected SLA level; and if the match fails, determine that the defense effect of the defense end does not reach the expected SLA level.
Preferably, the cloud host is further used, when the match fails, to determine the defense strategy preceding the current defense strategy as the preset defense strategy. The preset parameter set is a pre-stored set of each parameter in the absence of attack data traffic; the defense end stores multiple SLA levels arranged in order, and one defense strategy corresponding to each SLA level; a smaller SLA level means a higher service level enjoyed by the target end, and the defense strategy corresponding to the preceding SLA level is superior to the defense strategy corresponding to the following SLA level.
Preferably, the host performance parameters include: the number of half-open connections on the target end's host after it receives the first syn packet; the target end's host CPU; the target end's host memory; the target end's connection table; the number of host input/output operations on the target end; and the proportion of inbound and outbound traffic of the target end's host.
Preferably, the network service quality includes: the network delay introduced during scrubbing of the original data traffic; the network packet loss rate introduced during scrubbing of the original data traffic; the TCP availability during scrubbing of the original data traffic; the UDP availability during scrubbing of the original data traffic; and the jitter introduced during scrubbing of the original data traffic.
From the above technical content it can be seen that the present invention has the following beneficial effects: embodiments of the present invention place the defense end on a cloud platform, where the defense end can divert the original data traffic of the service end to itself; the target end's services generally run on the cloud platform, so the defense end can obtain the target end's data traffic on the cloud platform, and at the same time the defense end can also obtain its own data traffic. Therefore, on the cloud platform the data traffic of the service end, the target end and the defense end can be unified and centralized, so that the data traffic of all three ends is obtained. Because the present invention can analyze the data traffic of the service end, the defense end and the target end in a unified way, the evaluation angles and indicators for evaluating the defense result are more comprehensive, and the defense result is more accurate.
100: Service end
200: Defense end
300: Target end
400: Core router
201: Suspicious traffic detection device
202: Suspicious traffic scrubbing device
203: Cloud host
500: Service monitoring device
600: Optical splitter
To explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative work.
Figure 1 is a schematic diagram of an existing network system architecture; Figure 2 is a schematic structural diagram of a system for quantifying defense results disclosed in an embodiment of the present invention; Figure 3 is a schematic structural diagram of another system for quantifying defense results disclosed in an embodiment of the present invention; Figure 4 is a schematic structural diagram of another system for quantifying defense results disclosed in an embodiment of the present invention; Figure 5 is a schematic structural diagram of another system for quantifying defense results disclosed in an embodiment of the present invention; Figure 6 is a flowchart of a method for quantifying defense results disclosed in an embodiment of the present invention; Figure 7 is a flowchart of calculating the defense result in the method for quantifying defense results disclosed in an embodiment of the present invention.
The technical solutions in the embodiments of the present invention are described clearly and completely below in conjunction with the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative work fall within the protection scope of the present invention.
The fundamental reason that the evaluation angles and evaluation indicators in the prior art's process of quantifying defense results are incomplete is that the data traffic of the service end, the defense end and the target end cannot be unified and centralized. The data traffic of the three cannot be unified and centralized because: the attack end's data traffic comes from outside the network, the defense end's data traffic is generally at the border or egress of the network, and the target end's data traffic is generally managed by the user itself, so the data traffic of the three is not in the same system; furthermore, there is no interface between the service end, the target end and the defense end, so the data traffic of the three cannot be shared through an interface. The data traffic of the three is therefore hard to unify and centralize.
To this end, the present invention provides a system for quantifying defense results. As shown in Figure 2, the system for quantifying defense results includes: a service end 100, a defense end 200 located on a cloud platform, a target end 300, and a core router 400 connected to the service end 100, the defense end 200 and the target end 300. In this embodiment, the defense end 200 is deployed in bypass mode on one side of the core router 400.
The role of each part of the system for quantifying defense results is described in detail below:
In the present invention, the service end 100 may include multiple service hosts, each of which has a unique source address (IP address) and each of which can send data traffic to the target end 300. Therefore, the original data traffic sent by the service end 100 to the target end 300 contains the data traffic sent by multiple service hosts, and each data traffic contains the source address of its service host; that is, the original data traffic contains the source addresses (IP addresses) of multiple service hosts.
Since some service hosts are normal service hosts and some are attacking service hosts, part of the original data traffic is normal data traffic sent by normal service hosts, and part is attack data traffic sent by attacking service hosts.
The service end 100 may send the original data traffic intended for the target end 300 to the core router 400.
The core router 400 is used to copy the original data traffic of the service end accessing the target end, obtaining copy data traffic.
The core router 400 may copy the original data traffic of the service end 100 accessing the target end 300 by means of an optical splitter or by software copying, obtaining copy data traffic identical to the original data traffic. This makes it convenient for the defense end 200 to subsequently inspect the copy data traffic, to see whether the copy data traffic contains attack data traffic.
As shown in Figure 3, the defense end 200 specifically includes:
(a) A suspicious traffic detection device 201.
The suspicious traffic detection device 201 is connected to the core router 400 and is used to analyze the copy data traffic according to a preset detection rule, obtain the suspicious IP address set contained in the copy data traffic, and send the suspicious IP address set.
The preset detection rule in the suspicious traffic detection device 201 may be a set of multiple abnormal IP addresses known to be aggressive. Data traffic sent from a suspicious IP address is suspicious data traffic that may be aggressive.
After obtaining the copy data traffic, the suspicious traffic detection device 201 can extract all IP addresses in it and then compare all of them against the abnormal IP addresses in the preset detection rule. When the IP addresses in the copy data traffic include abnormal IP addresses, the copy data traffic contains suspicious data traffic.
All abnormal IP addresses contained in the copy data traffic are treated as suspicious IP addresses, the set of all suspicious IP addresses is called the suspicious IP address set, and the suspicious IP address set is sent to the suspicious traffic scrubbing device 202.
After the suspicious IP address set is determined, the suspicious data traffic corresponding to each suspicious IP address is extracted from the copy data traffic, and the set of all suspicious data traffic is called the suspicious data traffic set; the suspicious data traffic set is sent to the cloud host 203 for use by the cloud host 203 in calculating the defense result.
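The detection pass described above for the suspicious traffic detection device 201, as an added example that is not code from the patent: flow records from the copy traffic are compared against a preset rule holding abnormal IP addresses, the matching sources form the suspicious IP address set, their flows form the suspicious data traffic set, and the rest is counted as the traffic that stays on the direct path to the target end. The key=value record format, the flow records and the addresses (all from documentation ranges) are constructed for this example.

```python
# Added example (not code from the patent): a detection pass over a copy of the
# traffic.  Flow records are compared against a preset rule (a set of abnormal
# IP addresses); every source that matches becomes a suspicious IP address, its
# flows form the suspicious traffic set that would be diverted to the scrubbing
# device, and everything else stays on the direct path to the target end.
# The record format and all addresses (documentation ranges) are constructed.
from typing import Dict, List, Set, Tuple

# Constructed copy traffic: one flow record per line, "key=value" fields.
COPY_TRAFFIC = """\
ts=1 src=203.0.113.5 dst=198.51.100.10 proto=tcp flags=S bytes=60
ts=2 src=192.0.2.10 dst=198.51.100.10 proto=tcp flags=S bytes=60
ts=3 src=203.0.113.5 dst=198.51.100.10 proto=tcp flags=S bytes=60
ts=4 src=198.51.100.7 dst=198.51.100.10 proto=tcp flags=PA bytes=1500
ts=5 src=203.0.113.77 dst=198.51.100.10 proto=tcp flags=S bytes=60
ts=6 src=192.0.2.10 dst=198.51.100.10 proto=tcp flags=PA bytes=900
"""

# Constructed preset detection rule: abnormal IP addresses (one never appears in the copy)
ABNORMAL_IPS = {"203.0.113.5", "203.0.113.77", "192.0.2.200"}


def parse_flows(text: str) -> List[Dict[str, str]]:
    """Parse key=value records; malformed lines are skipped rather than aborting the pass."""
    flows = []
    for line in text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        if "src" in fields and "bytes" in fields:
            flows.append(fields)
    return flows


def detect(flows: List[Dict[str, str]],
           rule: Set[str]) -> Tuple[Set[str], Dict[str, Dict[str, int]], int]:
    """Return (suspicious IP set, suspicious traffic set keyed by IP, bytes left on the
    direct path).  Only addresses that actually appear in the copy enter the suspicious set."""
    suspicious: Dict[str, Dict[str, int]] = {}
    passthrough_bytes = 0
    for flow in flows:
        src = flow["src"]
        size = int(flow["bytes"])
        if src in rule:
            entry = suspicious.setdefault(src, {"flows": 0, "bytes": 0, "syn": 0})
            entry["flows"] += 1
            entry["bytes"] += size
            if flow.get("flags") == "S":  # bare SYN, i.e. a connection attempt
                entry["syn"] += 1
        else:
            passthrough_bytes += size
    return set(suspicious), suspicious, passthrough_bytes


def run_detection() -> Tuple[Set[str], Dict[str, Dict[str, int]], int]:
    """Apply the constructed rule to the constructed copy traffic."""
    return detect(parse_flows(COPY_TRAFFIC), ABNORMAL_IPS)


if __name__ == "__main__":
    ips, traffic, rest = run_detection()
    print("suspicious IP set:", sorted(ips))
    print("suspicious traffic set:", traffic)
    print("bytes forwarded directly:", rest)
```

The per-address counters (flows, bytes, bare SYNs) are the "input direction" figures the cloud host later compares against what the scrubber lets through, so the suspicious traffic set is kept as an aggregate per suspicious IP rather than as a bare address list. An address in the rule that never appears in the copy is not reported, matching the patent's definition of the suspicious IP address set as the abnormal addresses contained in the copy traffic.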
(b) Suspicious traffic scrubbing device 202.
The suspicious traffic scrubbing device 202, connected to the core router 400 and to the suspicious traffic detection device 201, is configured to obtain the suspicious IP address set, divert the suspicious traffic set out of the original traffic at the core router 400, scrub the suspicious traffic set according to a preset defense policy, and forward the normal traffic that remains after scrubbing to the target 300.
After obtaining the suspicious IP address set, the suspicious traffic scrubbing device 202 diverts, from the original traffic at the core router 400, the suspicious traffic corresponding to each suspicious IP address; the set of all such suspicious traffic forms the suspicious traffic set.
What remains of the original traffic after the suspicious traffic set is removed is traffic corresponding to non-hostile IP addresses, so this part need not be diverted to the suspicious traffic scrubbing device 202 for scrubbing and can be forwarded by the core router 400 directly to the target 300.
The suspicious traffic set is traffic transmitted from suspicious IP addresses, so the suspicious traffic in it may be normal traffic or attack traffic. Therefore, after obtaining the suspicious traffic set, the suspicious traffic scrubbing device 202 needs to scrub the attack traffic out of it according to the preset defense policy.
It can be seen that in the present invention the suspicious traffic scrubbing device 202 only needs to scrub the suspicious traffic set within the original traffic, rather than all of the original traffic. Because the amount of traffic passing through the suspicious traffic scrubbing device 202 is reduced, its scrubbing efficiency is improved.
In theory, the traffic output by the suspicious traffic scrubbing device 202 after scrubbing is normal, non-hostile traffic. It can therefore be forwarded to the target 300, so that the normal traffic with which the service side 100 accesses the target 300 reaches the target 300.
In practice, the preset defense policy in the suspicious traffic scrubbing device 202 is not necessarily the policy best suited to the target. That is, the traffic obtained after scrubbing the suspicious traffic set under the preset defense policy may still contain attack traffic (the defense policy is too loose); or traffic that was originally normal may have been scrubbed away (the defense policy is too tight).
Therefore, the suspicious traffic scrubbing device 202 can send the normal traffic remaining after scrubbing the suspicious traffic set to the cloud host 203, so that the cloud host 203 can compute the defense result and the preset defense policy can be improved according to that result.
(c) Cloud host 203.
The cloud host 203, connected to the suspicious traffic detection device 201, the suspicious traffic scrubbing device 202 and the target 300, is configured to: obtain the suspicious traffic set from the suspicious traffic detection device 201, the suspicious traffic set containing the suspicious traffic corresponding to each suspicious IP address; obtain the normal traffic from the suspicious traffic scrubbing device 202; after the normal traffic has been sent to the target 300, obtain from the target 300 host performance parameters that represent the target's performance; and take a target parameter set as the basis for quantifying the defense result, where the target parameter set includes at least the suspicious traffic set, the normal traffic and the host performance parameters.
The cloud host 203 obtains the suspicious traffic set from the suspicious traffic detection device 201 and the normal traffic scrubbed under the preset defense policy from the suspicious traffic scrubbing device 202, uses these two to compute the rate of change of the traffic before and after scrubbing, and takes that rate of change as one basis for quantifying the defense result.
Because the scrubbed normal traffic is sent to the target 300, it affects the target directly: the performance state of the target 300 is the first thing to change, for example excessive CPU usage or failure to respond. Therefore, after the normal traffic obtained by scrubbing has been sent to the target 300, the target's host performance parameters can be extracted and used as another basis for quantifying the defense result.
The host performance parameters include: the number of half-open connections on the target host after it receives the first syn packet; the target host's CPU usage; the target host's memory usage; the target's connection table; the target host's number of I/O operations; and the ratio of inbound to outbound traffic on the target host.
Under the system for quantifying defense results provided by the present invention, the defense side 200, located on the cloud platform, can divert the original traffic of the service side 100 to itself at the core router by means of a routing scheduling policy; the services of the target 300 generally run on the cloud platform, so the defense side 200 can obtain the traffic of the target 300 on the cloud platform; and the defense side 200, being on the cloud platform, can also obtain its own traffic there. The traffic of the service side 100, the target 300 and the defense side 200 can thus be centralized on the cloud platform.
Moreover, because the traffic of the service side 100, the target 300 and the defense side 200 all passes through the cloud platform, which unifies data formats, the data formats of the three can be unified on the cloud platform, which makes unified analysis of their traffic convenient. The defense side 200 can therefore use the big-data analysis capability of the cloud platform to analyze the traffic of the service side 100, the target 300 and the defense side 200 together; since the evaluation angles and indicators for quantifying the defense result are comparatively comprehensive, an accurate defense effect can be obtained.
To make the defense result computed by the cloud host 203 more accurate, as shown in FIG. 4, the system for quantifying defense results provided by the present invention further includes a service monitoring device 500 connected to the cloud host.
The service monitoring device 500 is configured to control a plurality of service hosts in different geographic locations to access the target 300, to compute an access success rate from the request success rate and request latency fed back by the target 300, and to send the access success rate to the cloud host 203. The access success rate is taken as a member of the target parameter set for the cloud host 203 to use in computing the defense result.
After the suspicious traffic scrubbing device 202 sends the scrubbed normal traffic to the target 300, that normal traffic (which may still carry attack traffic if scrubbing was poor) may affect the target's normal operation. For example, if the target is Taobao.com, users may be unable to open the Taobao.com pages normally after the normal traffic is sent to the target.
Therefore, the service monitoring device 500 can control a plurality of service hosts in different locations to access the target 300, compute the access success rate of the target 300, and from that rate determine whether the scrubbed normal traffic has affected the target's normal service.
For example, service hosts located in Shenzhen, Beijing, Shanghai and Guangzhou are controlled to access Taobao.com, and the access success rate of each service host is computed from whether the Taobao.com page can be opened and how quickly it opens. The average access success rate over these service hosts is then taken as the access success rate of Taobao.com.
After the access success rate of the target 300 is obtained, it is taken as a member of the target parameter set for the cloud host 203 to use in computing the defense result.
In addition, the target parameter set for quantifying the defense result may further include network service quality.
While the defense side 200 scrubs the suspicious traffic set, it may introduce jitter into the network as a whole, degrading network service quality and lowering the access success rate of the target 300 and the host performance parameters, which in turn affects the computation of the defense result. The cloud host 203 is therefore further configured to compute network service quality from the suspicious traffic set and the normal traffic, and to take network service quality as a member of the target parameter set. This lets the cloud host 203 take network service quality into account when computing the defense result, so that a reasonable defense effect is obtained.
The network service quality includes: the network latency introduced while scrubbing the original traffic; the network packet loss rate introduced while scrubbing the original traffic; the TCP availability during scrubbing of the original traffic; the UDP availability during scrubbing of the original traffic; and the jitter introduced while scrubbing the original traffic.
The system for quantifying defense results shown in FIG. 2 to FIG. 4 is applicable both to optical fiber networks and to non-optical networks. In an optical fiber network the traffic volume is large, so copying the original traffic with the core router is slow. To speed up the copying of the original traffic, the present invention provides a system for quantifying defense results suited to optical fiber networks.
As shown in FIG. 5, the system for quantifying defense results of the present invention includes: a service side 100; an optical splitter 600 connected to the service side 100; a defense side 200 located on the cloud platform; a target 300; and a core router 400 connected to the optical splitter 600, the defense side 200 and the target 300. In this embodiment the defense side 200 is deployed in bypass on one side of the core router 400.
In this embodiment the optical splitter 600 copies the original traffic sent from the service side 100 to the target 300 to obtain the copy traffic, and sends both the copy traffic and the original traffic to the core router 400. The other content of this embodiment is the same as that shown in FIG. 2 to FIG. 4 and is not repeated here.
On the basis of the systems for quantifying defense results shown in FIG. 2 to FIG. 5, an embodiment of the method for quantifying defense results of the present invention is described below. This embodiment is applied to the cloud host on the defense side of such a system. As shown in FIG. 6, the method includes the following steps S601 to S604:
Step S601: obtain the suspicious traffic set. The suspicious traffic set is composed of the traffic corresponding to each suspicious IP address in the suspicious IP address set contained in the original traffic, after the defense side on the cloud platform has diverted, via the core router, the original traffic with which the service side accesses the target; the suspicious IP address set is determined in the original traffic according to preset detection rules.
Step S602: obtain the normal traffic. The normal traffic is the traffic remaining after the defense side scrubs the suspicious traffic set according to the preset defense policy.
Step S603: obtain the host performance parameters. The host performance parameters are the set of parameters the defense side extracts from the target after sending the normal traffic to the target.
Step S604: quantify the defense result based on the target parameter set. The target parameter set includes at least the suspicious traffic set, the normal traffic and the host performance parameters.
In addition, the target parameter set further includes: the access success rate sent by the service monitoring device connected to the defense side, where the access success rate is computed by the service monitoring device, after it controls a plurality of service hosts in different geographic locations to access the target, from the request success rate and request latency fed back by the target;
and the network service quality, which the defense side computes from the suspicious traffic set and the normal traffic.
The process by which the cloud host on the defense side obtains the target parameter set has been explained in the system embodiments of FIG. 2 to FIG. 5 and is not repeated here.
It can be seen that the present invention has the following beneficial effects. In the embodiments the defense side is deployed on the cloud platform, where it can divert the original traffic of the service side to itself; the services of the target generally run on the cloud platform, so the defense side can obtain the target's traffic there, and it can also obtain its own traffic. The traffic of the service side, the target and the defense side can thus be centralized on the cloud platform, so that the traffic of all three is available. Because the traffic of the service side, the defense side and the target can be analyzed together, the evaluation angles and indicators for assessing the defense result are comparatively comprehensive, and the defense result is therefore more accurate.
After the target parameter set is obtained, the defense result can be computed. Before describing that computation, the defense policies and SLA levels used by the suspicious traffic scrubbing device on the defense side are explained. SLA is short for Service-Level Agreement: a contract between a network service provider and a customer that defines terms such as the type of service, the service quality and the customer's payment.
A plurality of defense policies are pre-stored on the defense side, each corresponding to an SLA level that it should theoretically achieve. For example, the first SLA level corresponds to the first defense policy, the second SLA level to the second defense policy, the third SLA level to the third defense policy, and so on. From the user's point of view, service quality decreases from the first SLA level to the second to the third; correspondingly, the first, second and third defense policies become progressively looser toward attack traffic. That is, the tighter the defense policy, the better the defense result and the higher the SLA level attained by the target.
Before the defense side is used to scrub the original traffic, the user of the target 300 negotiates with the network service provider and sets the expected SLA level the target 300 should reach. The network service provider takes the defense policy corresponding to the expected SLA level as the preset defense policy, uses it to block the attack traffic directed at the target, and aims for a final defense result that meets the user's expected SLA level.
So that the target reaches the expected SLA level, the suspicious traffic scrubbing device shown in FIG. 2 is preset with the defense policy corresponding to that expected SLA level. In theory this defense policy makes the defense result reach the corresponding expected SLA level. However, as the attack traffic keeps changing, it may break through the defense policy and attack the target, so that the SLA level at the target falls below the expected SLA level.
Therefore, whether the defense effect obtained at the target reaches the expected SLA level can be computed. As shown in FIG. 7, this includes the following steps:
Step S701: determine the change value set of each parameter using the target parameter set and a preset parameter set; the preset parameter set is the pre-stored set of the same parameters in the absence of attack traffic.
The detailed computation is described after this embodiment.
Step S702: judge whether the match succeeds, that is, match the change value set of each parameter against the parameter ranges of the expected SLA level and judge whether the match succeeds.
The cloud host stores the range of each parameter for every SLA level. Each parameter change value computed from the target parameter set is compared with the parameter range of the expected SLA level.
Step S703: if the match succeeds, determine that the defense effect of the defense side reaches the expected SLA level.
If the change value set of each parameter lies within the ranges specified by the expected SLA level, the current defense effect meets the expected defense effect, and the traffic accessing the target can continue to be scrubbed under the preset defense policy in the suspicious traffic scrubbing device.
Step S704: if the match fails, determine the defense policy preceding the current one as the preset defense policy and return to step S701. The defense side stores a plurality of SLA levels arranged in order and one defense policy for each SLA level; a smaller SLA level number means a higher service level for the target, and the defense policy corresponding to the preceding SLA level is stronger than the defense policy corresponding to the following one.
If the match fails, the defense effect of the defense side is determined not to reach the expected SLA level. That is, if the change value set of each parameter is not within the ranges specified by the expected SLA level, the current defense effect has not reached the expected defense effect, meaning the preset defense policy in the suspicious traffic scrubbing device is too loose to reach the expected SLA level. The defense policy therefore needs to be tightened so that the defense effect after scrubbing reaches the expected SLA level.
Accordingly, the defense policy preceding the current one is selected and determined as the preset defense policy. Scrubbing of the traffic accessing the target then continues under the latest preset defense policy, the defense result (the change value set of each parameter) is computed by the method of the present invention, and whether it reaches the expected SLA level (the parameter ranges of that level) is judged. If the defense result still does not reach the expected SLA level, the defense policy is tightened further and the computation of the defense result is repeated, until the defense result is judged to reach the expected SLA level.
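The S701 to S704 loop above, as an added worked example in Python; it is not code from the patent or from any product it describes. The SLA levels and their parameter ranges (SLA_RANGES), the policy names (POLICIES), the three change-value parameter names and the observed change values (OBSERVED) are constructed assumptions; a deployment would take the ranges from the SLA table stored on the cloud host and the measurements from the S701 computation.

```python
# Added example, not from the patent. SLA ranges, policy names, parameter
# names and observed values below are constructed assumptions.

# Assumed SLA levels, ordered as the text describes: level 1 is the highest
# service level and gets the tightest policy. Each level holds an inclusive
# allowed range per change-value parameter.
SLA_RANGES = {
    1: {"P1": (0.0, 0.05), "sigma_request": (0.0, 0.02), "access_success": (0.99, 1.0)},
    2: {"P1": (0.0, 0.15), "sigma_request": (0.0, 0.05), "access_success": (0.95, 1.0)},
    3: {"P1": (0.0, 0.30), "sigma_request": (0.0, 0.10), "access_success": (0.90, 1.0)},
}

# Assumed: one defense policy per SLA level (policy k aims at SLA level k).
POLICIES = {1: "policy-tight", 2: "policy-medium", 3: "policy-loose"}


def matches_sla(changes, sla_level):
    """S702: succeed only if every parameter the SLA level specifies is
    present in the change-value set and lies inside its range."""
    for name, (lo, hi) in SLA_RANGES[sla_level].items():
        value = changes.get(name)
        if value is None or not lo <= value <= hi:
            return False
    return True


def tune_policy(expected_sla, current_policy, measure, max_rounds=10):
    """S701-S704: measure the change-value set under the current policy; on
    a failed match step to the preceding (tighter) policy and measure again,
    until the match succeeds or no tighter policy is left. `measure(policy)`
    is supplied by the caller and returns the change-value set observed
    under that policy. Returns (policy, matched)."""
    policy = current_policy
    for _ in range(max_rounds):
        if matches_sla(measure(policy), expected_sla):
            return policy, True          # S703: expected SLA level reached
        if policy == min(POLICIES):
            return policy, False         # nothing tighter to fall back to
        policy -= 1                      # S704: preceding policy becomes the preset
    return policy, False


# Constructed observations: the change-value set seen under each policy.
OBSERVED = {
    3: {"P1": 0.40, "sigma_request": 0.12, "access_success": 0.88},
    2: {"P1": 0.12, "sigma_request": 0.04, "access_success": 0.96},
    1: {"P1": 0.03, "sigma_request": 0.01, "access_success": 0.995},
}


def constructed_measure(policy):
    return OBSERVED[policy]


if __name__ == "__main__":
    print(tune_policy(expected_sla=2, current_policy=3, measure=constructed_measure))
```

tune_policy only ever moves toward the preceding, tighter policy, exactly as S704 prescribes. When the match still fails at the tightest policy it returns (1, False) instead of looping; that is the case a practitioner has to handle separately, because the over-tight outcome described earlier (normal traffic scrubbed away) cannot be corrected by tightening further.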
Step S701, determining the change value set of each parameter using the target parameter set and the preset parameter set, is described in detail below with specific application scenarios.
That is, from the suspicious traffic set and the normal traffic, compute the change value set of the rates of change of the input protocol information and the output protocol information, where the input protocol information is extracted from the suspicious traffic set and the output protocol information is extracted from the normal traffic.
Transmission between the service side and the target is one-to-one: for example, when the service side sends a connection establishment request to the target, the target sends a connection confirmation back to the service side. The number of messages the service side sends to the target should therefore match the number of messages the target sends to the service side. When the number of output messages or input messages suddenly increases, the scrubbing effect of the defense side is poor.
This step is described in detail below using three specific volumetric attacks as examples:
Under normal conditions the service side sends a syn (may I establish a connection?) request to the target, the target replies with syn-ack (yes, please confirm), and the service side sends ack (confirmed) to the target, which establishes the connection between the two.
When the target is under a syn flood attack (the attacker sends a large number of syn requests to the target), if the defense policy scrubs poorly, the syn-ack messages in the output direction increase, but the third-step ack messages sent by the service side decrease.
Therefore, compute the change ratio of syn messages between before and after scrubbing, P_syn, and the change ratio of syn-ack messages between before and after scrubbing, P_syn-ack:
P_syn = (pps_syn - pps'_syn) / pps_syn
P_syn-ack = (pps_syn-ack - pps'_syn-ack) / pps_syn-ack
P1 = P_syn - P_syn-ack
where pps_syn is the number of syn messages before scrubbing under the preset defense policy and pps'_syn the number of syn messages after scrubbing; pps_syn-ack is the number of syn-ack messages before scrubbing under the preset defense policy and pps'_syn-ack the number of syn-ack messages after scrubbing; P1 represents the defense result of the defense side.
Ideally the syn packets in the input direction and the syn-ack messages in the output direction are 1:1, so P1 = 0. The larger the value of P1, the more of the syn messages in the input direction went unanswered, and the worse the defense result.
Under normal conditions, when the service side sends an ack (acknowledgment) to the target and the target determines that no connection has been established with the service side, the target sends an rst (reset) to the service side. That is, if the target receives a segment for a connection that clearly is not its own, it sends a reset packet to the service side.
When the target is under an ack flood attack, if the defense side scrubs poorly, rst messages increase. Therefore, compute the change ratio of ack messages between before and after scrubbing, P_ack, and the change ratio of rst messages between before and after scrubbing, P_rst:
P_ack = (pps_ack - pps'_ack) / pps_ack
P_rst = (pps_rst - pps'_rst) / pps_rst
P2 = P_ack - P_rst
where pps_ack is the number of ack messages before scrubbing under the preset defense policy and pps'_ack the number of ack messages after scrubbing; pps_rst is the number of rst messages before scrubbing under the preset defense policy and pps'_rst the number of rst messages after scrubbing; P2 represents the defense result of the defense side.
Ideally the ack messages in the input direction and the rst messages in the output direction are 1:1, so P2 = 0. The larger the value of P2, the more of the ack messages in the input direction went unanswered, and the worse the defense result.
When the target is under an icmp flood attack, if the defense side scrubs poorly, icmp response messages increase. Therefore, compute the change ratio of icmp messages between before and after scrubbing, P_icmp, and the change ratio of icmp response messages between before and after scrubbing, P_icmp-response:
P_icmp = (pps_icmp - pps'_icmp) / pps_icmp
P_icmp-response = (pps_icmp-response - pps'_icmp-response) / pps_icmp-response
P3 = P_icmp - P_icmp-response
where pps_icmp is the number of icmp messages before scrubbing and pps'_icmp the number after scrubbing; pps_icmp-response is the number of icmp response messages before scrubbing and pps'_icmp-response the number after scrubbing; P3 represents the defense result of the defense side.
Ideally the icmp messages in the input direction and the icmp response messages in the output direction are 1:1, so P3 = 0. The larger the value of P3, the more of the icmp messages in the input direction went unanswered, and the worse the defense result.
Three examples of computing the proportions of input protocol information and output protocol information have been given above. It is understood that the proportions of other traffic types that characterize the defense result can also be computed to evaluate it; they are not listed one by one here.
This step is mainly used to evaluate the defense result against volumetric attacks; syn flood, ack flood and icmp flood attacks are all volumetric attacks. Therefore, after all ratios used to evaluate the defense result (P1, P2 and P3) have been obtained, the average of these ratios is computed as the defense result against volumetric attacks.
Because this step mainly evaluates the defense result against volumetric attacks, and the syn flood is the typical representative of volumetric attacks, P1 may also be used directly as the defense result against volumetric attacks.
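The three ratio pairs above, as an added worked example in Python that is not from the patent. It classifies constructed packet records captured in one window before scrubbing (the copy traffic seen by device 201) and after scrubbing (the output of device 202) into syn, syn-ack, ack, rst, icmp and icmp-response counts, computes P_syn, P_syn-ack, P_ack, P_rst, P_icmp and P_icmp-response and the results P1, P2, P3 exactly as defined above, and averages them as the volumetric defense result. The packet record format ({"proto", "flags"} for TCP and {"proto", "type"} for ICMP) and the packet counts are constructed assumptions.

```python
# Added example, not from the patent. Packet record format and counts are
# constructed assumptions.
from collections import Counter
from statistics import mean

# (input type, output type) pairs from the text: syn/syn-ack, ack/rst,
# icmp/icmp-response; results are named P1, P2, P3 in that order.
PAIRS = (("syn", "syn-ack"), ("ack", "rst"), ("icmp", "icmp-response"))


def classify(pkt):
    """Map a packet record to a counter name, or None.
    TCP: any R flag -> rst; S and A -> syn-ack; S only -> syn; A -> ack.
    ICMP: type 8 (echo request) -> icmp; type 0 (echo reply) -> icmp-response."""
    if pkt["proto"] == "tcp":
        flags = set(pkt["flags"])
        if "R" in flags:
            return "rst"
        if {"S", "A"} <= flags:
            return "syn-ack"
        if "S" in flags:
            return "syn"
        if "A" in flags:
            return "ack"
        return None
    if pkt["proto"] == "icmp":
        return {8: "icmp", 0: "icmp-response"}.get(pkt["type"])
    return None


def pps_by_type(packets, window_seconds):
    """Packets per second of each type over one statistical window."""
    counts = Counter(t for t in map(classify, packets) if t is not None)
    return {name: n / window_seconds for name, n in counts.items()}


def change_ratio(before, after):
    """(pps - pps') / pps, the page's P_x. Returns 0.0 when the type was
    absent before scrubbing, so an idle counter does not divide by zero."""
    return 0.0 if before <= 0 else (before - after) / before


def defence_results(before, after):
    """P1 = P_syn - P_syn-ack, P2 = P_ack - P_rst, P3 = P_icmp - P_icmp-response."""
    results = {}
    for k, (inp, out) in enumerate(PAIRS, start=1):
        results["P%d" % k] = (change_ratio(before.get(inp, 0.0), after.get(inp, 0.0))
                              - change_ratio(before.get(out, 0.0), after.get(out, 0.0)))
    return results


def volumetric_score(before, after):
    """Mean of P1, P2, P3: the page's defense result for volumetric attacks."""
    return mean(defence_results(before, after).values())


# Constructed one-second windows captured before (copy traffic) and after
# scrubbing; a syn flood dominates the input direction.
BEFORE_SCRUB = ([{"proto": "tcp", "flags": "S"}] * 1000
                + [{"proto": "tcp", "flags": "SA"}] * 200
                + [{"proto": "tcp", "flags": "A"}] * 500
                + [{"proto": "tcp", "flags": "R"}] * 100
                + [{"proto": "icmp", "type": 8}] * 80
                + [{"proto": "icmp", "type": 0}] * 20)
AFTER_SCRUB = ([{"proto": "tcp", "flags": "S"}] * 50
               + [{"proto": "tcp", "flags": "SA"}] * 50
               + [{"proto": "tcp", "flags": "A"}] * 100
               + [{"proto": "tcp", "flags": "R"}] * 90
               + [{"proto": "icmp", "type": 8}] * 20
               + [{"proto": "icmp", "type": 0}] * 20)

if __name__ == "__main__":
    before, after = pps_by_type(BEFORE_SCRUB, 1.0), pps_by_type(AFTER_SCRUB, 1.0)
    print(defence_results(before, after), volumetric_score(before, after))
```

Two practical points the formulas leave implicit: the denominator is the count before scrubbing, so a type that never appeared in the copy traffic has to be guarded against division by zero (change_ratio returns 0.0 there), and both windows must cover the same interval, otherwise the ratios compare different traffic rather than the effect of scrubbing.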
Another form of the traffic performance parameter is the set of standard deviations between the core data set of the normal traffic and the preset core data set in the preset parameter set.
The main purpose of this step is to evaluate whether the proportions of normal and abnormal request messages meet expectations, by obtaining in real time the proportion of request messages that receive corresponding response messages and by analyzing changes in HTTP status codes.
In practice, a core data set characterizing the normal traffic can be computed; the core data set includes the request response rate, the service success rate, the proportions of 30x, 40x and 50x status codes, and the latency of normal user requests.
Each parameter in the core data set is described in detail below:
(a) The ratio of request messages to response messages at the target changes continually. Take a statistical period t as an example: if an attack suddenly starts in the interval t1 to t2, both HTTP request messages and response messages increase. When the defense result of the defense side is poor, very few normal request messages receive a response. Therefore, the proportion of request messages that receive responses is counted; if the scrubbing effect of the defense side is poor, the ratio of responses to requests falls below some limit value.
P_request = C_have_response / C_request_total * 100%
where P_request is the request response rate of the site, C_have_response is the number of response messages and C_request_total is the total number of request messages.
(b) A 200 OK message indicates that a service request succeeded, so P_200ok denotes the service success rate. The request response ratio P_request only measures the current state of HTTP traffic on the network, whereas P_200ok reflects the probability that the service side obtains a successful response.
P_200ok = C_have_200ok / C_have_response * 100%
where C_have_200ok is the number of messages indicating a successful service request and C_have_response is the number of response messages.
(c) Status codes such as 30x, 40x and 50x appear when packets in the normal traffic are dropped by mistake. When a large number of GET packets receive no response, 40x and 50x error status codes are generally returned. The proportion of status codes can therefore measure how much normal traffic the defense has mistakenly killed.
Note that some protection systems use a human/bot recognition mechanism to judge whether an accessor is a real browser. The url redirect algorithm commonly used in the industry, for example, returns a 302 (30x) status code to determine whether the accessor is a program or a real browser, so a sharp rise in 302 (30x) status codes on the network can also serve as an indicator for evaluating the defense result.
The above three indicators together measure the scrubbing rate of CC attacks (HTTP-layer floods):
P_30x = C_have_30x / C_have_response * 100%
P_40x = C_have_40x / C_have_response * 100%
P_50x = C_have_50x / C_have_response * 100%
where P_30x is the proportion of 30x status codes among the response messages and C_have_30x the number of 30x messages; P_40x is the proportion of 40x status codes among the response messages and C_have_40x the number of 40x messages; P_50x is the proportion of 50x status codes among the response messages and C_have_50x the number of 50x messages.
(d) The RTT (request latency) of normal users' requests, T_0. Assuming a user initiated n requests during the attack period, the user's average latency is used as the reference when evaluating this attack event.
將經過(a)、(b)、(c)和(d)得到的Prequest,P200ok,P30x,P40x,P50x,T0構建核心資料集M,M定義了攻擊時刻核心流量指標的資料。 P request , P 200ok , P 30x , P 40x , P 50x , T 0 obtained through (a), (b), (c) and (d) are used to construct a core data set M, which defines the core traffic indicators at the time of the attack data of.
為了更加準確的確定防禦結果,因此可以計算多個核心資料集的陣列M。例如,統計n個核心資料集形成陣列M,則M={M1,M2,...Mi...Mn};其中,Mi={Prequest,P200ok,P30x,P40x,P50x,T0},i=1、2......n。 In order to determine the defense result more accurately, an array M of multiple core data sets can be calculated. For example, count n core data sets to form an array M, then M={M 1 ,M 2 ,...M i ...M n }; where M i ={P request ,P 200ok ,P 30x ,P 40x ,P 50x ,T 0 }, i=1, 2...n.
針對雲環境下的服務基於歷史的大數據分析,得出另外一組核心資料集N。即N={P`request,P`200ok,P`30x,P`40x,P`50x,T`0}。N表示在沒有攻擊時的各個指標的所佔比例,即標準的核心資料集。 Based on historical big data analysis of services in the cloud environment, another core data set N is obtained. I.e., N = {P` request, P` 200ok , P` 30x, P` 40x, P` 50x, T` 0}. N represents the proportion of each indicator when there is no attack, that is, the standard core data set.
理想情況下,這些指標的變化不會出現明顯的波動。但是,當防禦策略不夠理想時,可能會導致個別指標出現急劇變化。如,在某一次的攻擊事件中出現了200ok狀態碼和歷史同期相比巨大的變化曲線時,則表示防禦結果較差從而導致正常請求信息的回應減少。 Ideally, there will be no significant fluctuations in the changes in these indicators. However, when the defense strategy is not ideal, it may cause rapid changes in individual indicators. For example, when there is a huge change curve of the 200ok status code compared with the same period in history in a certain attack event, it means that the defense result is poor and the response to the normal request information decreases.
Therefore the present invention uses the standard deviation to assess the impact that the defense strategy has on the service indicators during an attack: the core data set N is taken as the mean, and the standard deviation is then computed for each parameter. Taking the indicator P_request as an example, the formula for computing the standard deviation is explained in detail:
Here σ_request denotes the standard deviation of P_request, the per-sample term is the value of the i-th P_request, and n is the number of core data sets in the array M. P'_request here represents the mean, namely the P'_request of the core data set N.
The standard deviation of each parameter in the array M = {M_1, M_2, ..., M_i, ..., M_n} against N is computed in the manner above, giving a set of standard deviations σ = {σ_request, σ_200ok, σ_30x, σ_40x, σ_50x, σ_0}. The smaller the standard deviation, the better the defense result; the larger the standard deviation, the worse the defense result.
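The procedure above (build one core data set per observation window, collect n of them into M, then compute each parameter's standard deviation around the no-attack baseline N rather than around the sample mean) can be run directly on response records. The block below is an added example written for this page, not code from the patent. The status-code and RTT samples and the baseline N are constructed; P_200ok is assumed to be the share of responses with status exactly 200, and P_request, whose definition (a) is outside this excerpt, is taken as a given per-window value.

```python
import math
from typing import Dict, List

# Constructed observation windows during an attack: the HTTP status codes seen in
# responses, the RTTs (ms) of the normal user's n requests (definition (d)), and the
# P_request value, which is assumed here to be supplied by an earlier step.
WINDOWS: List[dict] = [
    {"p_request": 92.0, "status": [200] * 90 + [301] * 3 + [404] * 2 + [503] * 5,
     "rtt_ms": [120, 130, 125, 140]},
    {"p_request": 85.0, "status": [200] * 80 + [302] * 2 + [403] * 3 + [502] * 15,
     "rtt_ms": [200, 220, 190, 260]},
    {"p_request": 88.0, "status": [200] * 86 + [301] * 4 + [404] * 4 + [500] * 6,
     "rtt_ms": [150, 160, 155, 170]},
]

# Constructed baseline core data set N (values under no attack, from historical data).
N: Dict[str, float] = {"P_request": 95.0, "P_200ok": 94.0, "P_30x": 3.0,
                       "P_40x": 2.0, "P_50x": 1.0, "T_0": 110.0}


def core_dataset(window: dict) -> Dict[str, float]:
    """Build one core data set M_i from a window of responses.

    P_30x, P_40x, P_50x follow the page's definition: count of responses in the
    class divided by the total number of responses, times 100%. T_0 is the mean
    RTT of the user's requests in the window.
    """
    codes = window["status"]
    total = len(codes)
    if total == 0:
        raise ValueError("a window without responses cannot form a core data set")

    def share(lo: int, hi: int) -> float:
        return sum(1 for c in codes if lo <= c < hi) / total * 100.0

    return {
        "P_request": window["p_request"],
        "P_200ok": sum(1 for c in codes if c == 200) / total * 100.0,  # assumption
        "P_30x": share(300, 400),
        "P_40x": share(400, 500),
        "P_50x": share(500, 600),
        "T_0": sum(window["rtt_ms"]) / len(window["rtt_ms"]),
    }


def build_core_array(windows: List[dict]) -> List[Dict[str, float]]:
    """M = {M_1, ..., M_n}: one core data set per observation window."""
    return [core_dataset(w) for w in windows]


def stddev_against_baseline(M: List[Dict[str, float]],
                            baseline: Dict[str, float]) -> Dict[str, float]:
    """sigma for every parameter, using the baseline N as the mean.

    sigma_k = sqrt( (1/n) * sum_i (M_i[k] - N[k])^2 ), n = len(M).
    Using N instead of the sample mean is what makes sigma grow when the
    defense strategy lets an indicator drift away from its no-attack level.
    """
    n = len(M)
    return {k: math.sqrt(sum((m[k] - baseline[k]) ** 2 for m in M) / n)
            for k in baseline}


if __name__ == "__main__":
    M = build_core_array(WINDOWS)
    for name, value in stddev_against_baseline(M, N).items():
        print(f"sigma_{name:10s} = {value:8.3f}")
```

Because each σ is measured around the baseline rather than the attack-time mean, a window set that is internally stable but uniformly degraded (for example 80% 200ok in every window against a 94% baseline) still yields a large σ_200ok, which is the page's criterion for a poor defense result. σ_0 is in milliseconds and is not directly comparable with the percentage indicators; the page's SLA matching, rather than a comparison between σ values, is what turns them into a verdict.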
That is, the second set of change values, between the host performance parameters and the preset host performance parameters in the preset parameter set, is computed.
After the suspicious traffic cleaning device has cleaned the traffic according to the preset defense strategy and forwarded the normal data flow to the target end, the host performance parameters of the target end are obtained. The victim host is the first to change state during a DDoS attack, so obtaining the victim host's performance parameters directly quantifies the impact of the attack traffic on the host. In some cases host performance parameters are more convenient than monitoring changes in network traffic.
A typical example is when slow TCP connections occur: the network traffic may show no abnormality, yet inspecting the connection table of the target host reveals a large number of residual connections. Evaluating host performance parameters is therefore an important factor in measuring the defense end.
Referring to Table 1, the host performance parameters include: the number of half-open connections of the target host after it receives the first SYN packet, the CPU of the target host, the memory of the target host, the connection table of the target end, the number of I/O operations of the target host, and the proportion of the target host's inbound and outbound traffic.
That is, the third set of change values, between the access success rate and the preset access success rate in the preset parameter set, is computed.
The access success rate may comprise the request success rate and the request time delay. The rate of change between the request success rate and the preset access success rate, and the amount of change between the request time delay and the preset request time delay, are then computed, and this rate of change and amount of change are taken as the third set of change values.
Attack traffic affects the target end and thereby its service performance. To determine the target end's current service performance (whether it can respond normally to normal service requests), the embodiment of the present invention has the normal service end access the target end. The impact of the attack data flow on the target end is then determined by computing the rate of change of the request success rate and the amount of change of the request time delay, which indirectly reflects how good the defense result is.
That is, the fourth set of change values, between the network service quality and the preset network service quality in the preset parameter set, is computed.
In a distributed environment, the defense strategy applied to the attacked host may affect the overall network state, with the consequence that other hosts that are not under attack are also affected. The overall network performance parameters are therefore also needed as an evaluation criterion when evaluating the defense success rate.
Referring to Table 2, the network environment parameters include: the network delay introduced while cleaning the original data flow, the network packet loss rate introduced while cleaning the original data flow, the TCP availability during cleaning of the original data flow, the UDP availability during cleaning of the original data flow, and the jitter introduced while cleaning the original data flow.
The following describes the specific process of matching the change value set of each parameter, computed from the target parameter set, against the parameter ranges of the expected SLA level, in order to evaluate whether the defense result meets the user's final expected SLA level.
Network traffic changes differently under different DDoS attacks. To quantify the impact of DDoS defense at the traffic level, the present invention defines SLA indicators for the key protocol information in the network, see Table 3. An example is the upper limit of the TCP retransmission rate: when the rate exceeds a given upper limit, the defense result has not reached the expected SLA level.
Table 4 lists a set of service performance indicators that the application server needs to meet. When evaluating whether the DDoS defense result reaches the user's SLA target, the assessment can therefore be made according to whether the service performance indicators in that table are met.
Based on feedback on the host state, and according to the attack type, it is determined whether the current host SLA indicators are met. Table 5 shows the parameters that characterize the host state.
In a distributed environment the defense strategy applied to the attacked host may affect the overall network state, with the consequence that other hosts that are not under attack are also affected. The overall network service quality is therefore also needed as a basis for evaluating the defense success rate; Table 6 defines the following key core indicators to characterize the SLA parameters of this dimension.
Using the ranges set for each parameter indicator of the expected SLA level above, it is determined whether the change value set of each parameter lies within the range of each parameter of the expected SLA level. If the change value set of each parameter lies within those ranges, the defense effect of the defense strategy is judged to have reached the expected SLA level; otherwise the defense effect of the defense strategy has not reached the expected SLA level.
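The matching step described above (every parameter's change value must fall inside the range the expected SLA level assigns to it, otherwise the level is not reached) is shown below as an added example written for this page; it is not the patent's code. Tables 1 to 6 are not reproduced in this excerpt, so the indicator names, the two SLA levels and their (lower, upper) bounds are constructed assumptions, as is the observed change value set.

```python
from typing import Dict, Optional, Tuple

Range = Tuple[float, float]

# Constructed expected-SLA ranges, strictest level first. The indicators stand in
# for the four dimensions the page names: traffic (Table 3), service performance
# (Table 4), host state (Table 5) and network service quality (Table 6).
SLA_RANGES: Dict[str, Dict[str, Range]] = {
    "premium": {
        "tcp_retransmit_rate_pct": (0.0, 1.0),          # traffic: upper limit
        "request_success_rate_change_pct": (0.0, 2.0),  # service performance
        "rtt_change_ms": (0.0, 50.0),                   # service performance
        "half_open_connections": (0.0, 200.0),          # host state
        "packet_loss_rate_pct": (0.0, 0.5),             # network service quality
        "jitter_ms": (0.0, 10.0),                       # network service quality
    },
    "standard": {
        "tcp_retransmit_rate_pct": (0.0, 3.0),
        "request_success_rate_change_pct": (0.0, 5.0),
        "rtt_change_ms": (0.0, 150.0),
        "half_open_connections": (0.0, 1000.0),
        "packet_loss_rate_pct": (0.0, 2.0),
        "jitter_ms": (0.0, 30.0),
    },
}

# Constructed change value set measured after one attack event.
OBSERVED: Dict[str, float] = {
    "tcp_retransmit_rate_pct": 1.8,
    "request_success_rate_change_pct": 1.2,
    "rtt_change_ms": 40.0,
    "half_open_connections": 350.0,
    "packet_loss_rate_pct": 0.3,
    "jitter_ms": 8.0,
}


def meets_sla(change_values: Dict[str, float],
              level: str) -> Tuple[bool, Dict[str, Tuple[Optional[float], Range]]]:
    """Apply the page's rule: the level is reached only if every parameter is in range.

    Returns (reached, violations); violations maps each out-of-range parameter
    to (observed value, allowed range). A parameter the evaluator did not measure
    cannot be shown to be in range, so it is reported as a violation with value None.
    """
    violations: Dict[str, Tuple[Optional[float], Range]] = {}
    for name, (lo, hi) in SLA_RANGES[level].items():
        if name not in change_values:
            violations[name] = (None, (lo, hi))
        elif not lo <= change_values[name] <= hi:
            violations[name] = (change_values[name], (lo, hi))
    return (not violations), violations


def best_level_reached(change_values: Dict[str, float]) -> Optional[str]:
    """Strictest SLA level whose ranges the change value set satisfies, or None."""
    for level in SLA_RANGES:  # insertion order: strictest first
        reached, _ = meets_sla(change_values, level)
        if reached:
            return level
    return None


if __name__ == "__main__":
    for level in SLA_RANGES:
        reached, bad = meets_sla(OBSERVED, level)
        print(level, "reached" if reached else f"not reached, out of range: {bad}")
    print("best level:", best_level_reached(OBSERVED))
```

Reporting the violating parameters alongside the verdict matters in practice: the page's rule is all-or-nothing per level, so knowing which dimension failed (here the TCP retransmission rate and the half-open connection count) is what tells the operator whether the cleaning strategy or the host-side protection needs tuning.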
The foregoing is the complete content provided by the present invention. From the above technical content it can be concluded that in the embodiment of the present invention the defense end is placed on the cloud platform. On the cloud platform the defense end can pull the original data flow of the business end to itself, and because the target end's services generally run on the cloud platform, the defense end can obtain the target end's data flow on the cloud platform while also obtaining its own data flow. Under the cloud platform the data flows of the business end, the target end and the defense end can thus be centralized, so that the data flows of all three ends are available. Since the data flows of the business end, the defense end and the target end can be analyzed together in the present invention, the evaluation angles and indicators for assessing the defense result are more comprehensive, and the defense result is consequently more accurate.
If the functions described in the method of this embodiment are implemented as software functional units and sold or used as an independent product, they can be stored in a storage medium readable by a computing device. On this understanding, the part of the embodiments of the present invention that contributes to the prior art, or part of the technical solution, can be embodied in the form of a software product that is stored in a storage medium and includes a number of instructions for causing a computing device (which may be a personal computer, a server, a mobile computing device, a network device, or the like) to execute all or some of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to one another.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be obvious to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the present invention. The present invention is therefore not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
100: business end
200: defense end
201: suspicious traffic detection device
202: suspicious traffic cleaning device
203: cloud host
300: target end
400: core routing
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW106101916A TWI717454B (en) | 2017-01-19 | 2017-01-19 | Method, device and system for quantifying defense results |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201828660A TW201828660A (en) | 2018-08-01 |
TWI717454B true TWI717454B (en) | 2021-02-01 |
Family
ID=63960375
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI717454B (en) |
Legal Events
2017-01-19 | TW | TW106101916A | patent/TWI717454B/en | active
Also Published As
Publication number | Publication date |
---|---|
TW201828660A (en) | 2018-08-01 |