CN109067787B - Distributed Denial of Service (DDOS) attack detection method and device - Google Patents
- Publication number: CN109067787B (application CN201811106052.1A)
- Authority: CN (China)
- Prior art keywords: baseline, packet, feature, distribution, flow
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/00: Network architectures or network communication protocols for network security (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
- H04L63/14: Detecting or protecting against malicious traffic
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1425: Traffic logging, e.g. anomaly detection
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/1458: Denial of Service
Abstract
The application proposes a distributed denial of service (DDOS) attack detection method and device. The method includes: obtaining a feature profile of a user, the feature profile including at least one baseline; obtaining a traffic packet to be detected and extracting a comparison feature from it; generating at least one characterization factor from the comparison feature and the at least one baseline; and inputting the characterization factor into a trained prediction model to perform DDOS attack detection. The method improves the efficiency and accuracy of DDOS attack detection and thereby reduces the false-alarm rate.
Description
Technical field
This application relates to the field of internet security, and in particular to a distributed denial of service (DDOS) attack detection method and device.
Background technique
A distributed denial of service (DDOS) attack uses multiple distributed attack sources to send a large volume of packets to a target, consuming the target's available system and bandwidth resources. When the volume of packets sent by the attack sources exceeds the target's processing capacity, the target's network service becomes unavailable.
In the related art, the current access traffic of the target is compared with a set threshold (the normal access traffic); if the current access traffic exceeds the threshold, the target is considered to be under DDOS attack.
In practice, however, a surge in access traffic does not necessarily mean that a DDOS attack has occurred; a merchant running a promotion, for example, also causes access traffic to rise. The above detection approach therefore suffers from low accuracy and a high false-alarm rate.
Summary of the invention
The application proposes a distributed denial of service (DDOS) attack detection method and device which perform DDOS attack detection with a prediction model trained in advance. This improves the efficiency and accuracy of DDOS attack detection and thereby reduces the false-alarm rate, solving the low accuracy and high false-alarm rate of DDOS attack detection in the related art.
An embodiment of one aspect of the application proposes a distributed denial of service (DDOS) attack detection method, comprising:
obtaining a feature profile of a user, wherein the feature profile includes at least one baseline;
obtaining a traffic packet to be detected, and extracting a comparison feature from the traffic packet to be detected;
generating at least one characterization factor from the comparison feature and the at least one baseline; and
inputting the characterization factor into a trained prediction model to perform DDOS attack detection.
In the DDOS attack detection method of this embodiment, a feature profile of the user including at least one baseline is obtained; a traffic packet to be detected is obtained and a comparison feature is extracted from it; at least one characterization factor is generated from the comparison feature and the at least one baseline; and finally the characterization factor is input into a trained prediction model for DDOS attack detection. Because the trained prediction model has learned the correspondence between each characterization factor and the anomaly detection result, whether a DDOS attack has occurred can be determined by detecting the characterization factor with the trained prediction model, which improves the efficiency and accuracy of DDOS attack detection and thereby reduces the false-alarm rate.
An embodiment of another aspect of the application proposes a distributed denial of service (DDOS) attack detection device, comprising:
an obtaining module for obtaining a feature profile of a user, wherein the feature profile includes at least one baseline;
an extraction module for obtaining a traffic packet to be detected and extracting a comparison feature from the traffic packet to be detected;
a generation module for generating at least one characterization factor from the comparison feature and the at least one baseline; and
a detection module for inputting the characterization factor into a trained prediction model to perform DDOS attack detection.
The DDOS attack detection device of this embodiment operates in the same way as the method above and offers the same improvement in detection efficiency and accuracy and the same reduction in false-alarm rate.
An embodiment of another aspect of the application proposes a computer device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, it implements the distributed denial of service (DDOS) attack detection method proposed by the foregoing embodiment of the application.
An embodiment of another aspect of the application proposes a computer-readable storage medium storing a computer program which, when executed by a processor, implements the distributed denial of service (DDOS) attack detection method proposed by the foregoing embodiment of the application.
Additional aspects and advantages of the application will be set forth in part in the following description, will in part become apparent from it, or will be learned by practice of the application.
Detailed description of the invention
The above and/or additional aspects and advantages of the application will become apparent and readily understood from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flow diagram of the distributed denial of service (DDOS) attack detection method provided by embodiment one of the application;
Fig. 2 is a schematic diagram of a protocol-component traffic baseline in an embodiment of the application;
Fig. 3 is a schematic diagram of a packet-length distribution baseline in an embodiment of the application;
Fig. 4 is a schematic diagram of a TTL distribution baseline in an embodiment of the application;
Fig. 5 is a schematic diagram of a source-port distribution baseline in an embodiment of the application;
Fig. 6 is a schematic diagram of a destination-port distribution baseline in an embodiment of the application;
Fig. 7 is a flow diagram of the distributed denial of service (DDOS) attack detection method provided by embodiment two of the application;
Fig. 8 is a flow diagram of the distributed denial of service (DDOS) attack detection method provided by embodiment three of the application;
Fig. 9 is a schematic diagram of the separating hyperplane in an embodiment of the application;
Fig. 10 is a structural diagram of the distributed denial of service (DDOS) attack detection system provided by embodiment four of the application;
Fig. 11 is a structural diagram of the distributed denial of service (DDOS) attack detection device provided by embodiment five of the application;
Fig. 12 is a structural diagram of the distributed denial of service (DDOS) attack detection device provided by embodiment six of the application.
Specific embodiment
Embodiments of the application are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numbers denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary, are intended to explain the application, and are not to be understood as limiting it.
In the related art, DDOS attack detection based on a set threshold is fast and meets the requirement of real-time detection. In practice, however, a surge in access traffic does not necessarily mean that a DDOS attack has occurred; a merchant running a promotion, for example, also causes access traffic to rise. The method therefore cannot distinguish a burst of normal access traffic from a DDOS attack, so its accuracy is low and its false-alarm rate high.
At the same time, a low-rate distributed denial of service (LDDOS) attack generates only a small amount of traffic when attacking the target, so a set threshold cannot detect an LDDOS attack at all.
The application addresses the low accuracy and high false-alarm rate of DDOS attack detection in the related art by proposing a distributed denial of service (DDOS) attack detection method.
The method obtains a feature profile of the user including at least one baseline, obtains a traffic packet to be detected and extracts a comparison feature from it, generates at least one characterization factor from the comparison feature and the at least one baseline, and inputs the characterization factor into a trained prediction model. Because the trained prediction model has learned the correspondence between each characterization factor and the anomaly detection result, whether a DDOS attack has occurred can be determined by detecting the characterization factor with the model, improving the efficiency and accuracy of DDOS attack detection and thereby reducing the false-alarm rate.
The distributed denial of service (DDOS) attack detection method and device of the embodiments of the application are described below with reference to the drawings. Before describing the embodiments in detail, common technical terms are introduced first for ease of understanding:
K-L divergence (Kullback-Leibler divergence), also known as relative entropy, is a way of quantifying the difference between two probability distributions.
A support vector machine (SVM) maps the sample space through a non-linear mapping p into a high-dimensional, possibly infinite-dimensional feature space (a Hilbert space), so that a problem that is not linearly separable in the original sample space becomes a linearly separable problem in the feature space (Hilbert space).
Fig. 1 is a flow diagram of the distributed denial of service (DDOS) attack detection method provided by embodiment one of the application.
The embodiment is described with the DDOS attack detection method configured in a distributed denial of service (DDOS) attack detection device, which can be deployed on the network side.
As shown in Fig. 1, the distributed denial of service (DDOS) attack detection method may comprise the following steps.
Step 101: obtain the feature profile of the user, wherein the feature profile includes at least one baseline.
In the embodiment of the application the feature profile includes at least one baseline, and the baseline may include a destination-port distribution baseline, a source-port distribution baseline, a Time To Live (TTL) distribution baseline, a packet-length distribution baseline and/or a protocol-component traffic baseline.
Each internet service has its own characteristics, such as the IP address and port number of the server providing the service and the content and format of the packets exchanged. The DDOS attack detection device of the embodiment can capture the service's traffic packets and, from the captured packets, determine device information and the traffic volume (bps), packet rate (pps), source IP, destination IP, source port and destination port of the transmitted packets, and from these determine the user's feature profile, for example the destination-port distribution baseline, source-port distribution baseline, TTL distribution baseline, packet-length distribution baseline and/or protocol-component traffic baseline.
The protocol-component traffic baseline counts the inbound traffic of the destination IP in each traffic packet, i.e. the packet rate and traffic volume received by the destination IP. Specifically, the number of packets received by the destination IP per second is taken as the packet rate, and the total number of data bytes received as the traffic volume.
As an example, Fig. 2 is a schematic diagram of a protocol-component traffic baseline in an embodiment of the application. The time window has a granularity of one minute, and 1440 minutes (one day) form one protocol-component traffic baseline.
The packet-length distribution baseline counts the accumulated number of packets whose length falls in each bucket. Specifically, the collected packet lengths are divided into buckets of a preset width (the first value), and the accumulated count in each bucket is taken as the packet-length distribution baseline.
As an example, Fig. 3 is a schematic diagram of a packet-length distribution baseline in an embodiment of the application, with a preset first value, i.e. bucket width, of 150.
The TTL distribution baseline counts the accumulated number of packets whose TTL falls in each bucket. Specifically, the TTL values are collected and, with a preset second value as bucket width, the accumulated count in each bucket is taken as the TTL distribution baseline.
As an example, Fig. 4 is a schematic diagram of a TTL distribution baseline in an embodiment of the application, with a preset second value, i.e. bucket width, of 16.
The source-port distribution baseline counts the traffic distribution over source ports. As an example, Fig. 5 is a schematic diagram of a source-port distribution baseline in an embodiment of the application.
The destination-port distribution baseline counts the traffic distribution over destination ports. As an example, Fig. 6 is a schematic diagram of a destination-port distribution baseline in an embodiment of the application, taking the host port of a cloud-hosted merchant as the destination port and a time window of 14 days.
Step 102: obtain the traffic packet to be detected, and extract the comparison feature from it.
In the embodiment of the application, the traffic packet to be detected is the traffic packet on which DDOS attack detection is to be performed. The comparison feature may be the traffic volume or packet rate of the traffic packet to be detected; alternatively, it may include the destination-port distribution, source-port distribution, TTL distribution, packet-length distribution and/or traffic-volume or packet-rate distribution of the traffic packet to be detected.
The DDOS attack detection device can obtain the traffic packet to be detected on the network side. After obtaining it, the device parses it to determine the comparison feature. For example, a parser from the related art can parse the traffic packet to be detected and determine its traffic volume or packet rate, or a preset algorithm from the related art can extract its destination-port distribution, source-port distribution, TTL distribution, packet-length distribution, and traffic-volume or packet-rate distribution; this is not restricted here.
Step 103: generate at least one characterization factor from the comparison feature and the at least one baseline.
Specifically, the at least one characterization factor can be generated from the offset of the comparison feature relative to the at least one baseline.
In one possible implementation, when the baseline includes a destination-port distribution baseline, a source-port distribution baseline, a TTL distribution baseline, a packet-length distribution baseline and/or a protocol-component traffic baseline, the comparison feature may include the destination-port distribution, source-port distribution, TTL distribution, packet-length distribution and/or traffic-volume or packet-rate distribution of the traffic packet to be detected, and at least one distance characterization factor is generated from the comparison feature and the at least one baseline by the K-L divergence algorithm.
For example, the distance characterization factor can be generated as the Kullback-Leibler divergence
D_KL(P || Q) = Σ_i P(i) · log( P(i) / Q(i) ),
where D_KL(P || Q) is the distance characterization factor, Q is the probability distribution of the at least one baseline, and P is the probability distribution of the comparison feature. For example, when the baseline is the packet-length distribution baseline and the comparison feature is the packet-length distribution, D_KL(P || Q) is the offset distance between the packet-length distribution and the packet-length distribution baseline, Q is the probability distribution of the packet-length distribution baseline, and P is the probability distribution of the observed packet-length distribution.
In another possible implementation, when the baseline includes a destination-port distribution baseline, a source-port distribution baseline, a TTL distribution baseline, a packet-length distribution baseline and/or a protocol-component traffic baseline, the comparison feature may include the destination-port distribution, source-port distribution, TTL distribution, packet-length distribution and/or traffic-volume or packet-rate distribution of the traffic packet to be detected, and at least one angle characterization factor is generated from the comparison feature and the at least one baseline by the cosine similarity algorithm.
For example, taking the destination-port distribution as the comparison feature and the destination-port distribution baseline as the baseline, let the destination-port distribution collected at the current moment (the traffic distribution over destination ports) be A = (A1, A2, ..., An) and the destination-port distribution on the baseline at the same moment be B = (B1, B2, ..., Bn). The angle characterization factor cos θ between the destination-port distribution and the destination-port distribution baseline is then
cos θ = ( Σ_i A_i · B_i ) / ( sqrt(Σ_i A_i²) · sqrt(Σ_i B_i²) ).    (2)
Since all traffic counts are non-negative, cos θ lies in [0, 1]: the closer cos θ is to 1, the closer the directions of the vectors A and B; the closer cos θ is to 0, the nearer the two vectors are to orthogonal. Therefore, when cos θ falls below a preset threshold, for example 0.7 (i.e. cos θ < 0.7), a DDOS attack is determined to have occurred.
Similarly, when the comparison feature is the source-port distribution, TTL distribution, packet-length distribution and/or traffic-volume or packet-rate distribution of the traffic packet to be detected, the angle characterization factor between the comparison feature and the corresponding baseline is calculated with formula (2) in the same way; this is not repeated here.
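The following is an added example, not code from the patent, covering the bucketed baselines of step 101 (Figs. 3 and 4) and the two characterization factors of step 103 in one piece. It builds packet-length, TTL and destination-port distribution baselines from constructed "normal" packet records, then scores a window of packets to be detected with the K-L divergence distance factor and the cosine-similarity angle factor. The bucket widths (150 for packet length, 16 for TTL) and the cos θ < 0.7 rule are the values the description gives; the number of buckets, the smoothing constant, the packet records and the function names are assumptions of this example.

```python
"""Added example (not the patent's code): distribution baselines and the
distance / angle characterization factors of steps 101 and 103."""
from collections import Counter
import math

PKT_LEN_BUCKET = 150   # "first value": packet-length bucket width (Fig. 3)
PKT_LEN_BUCKETS = 10   # 0..1499 in 150-byte steps; MTU-sized packets land in the last bucket (assumed)
TTL_BUCKET = 16        # "second value": TTL bucket width (Fig. 4)
TTL_BUCKETS = 16       # 0..255 in 16 steps
COS_THRESHOLD = 0.7    # angle factor below this is treated as an attack indication
EPS = 1e-9             # smoothing so D_KL stays finite when a bucket is empty in the baseline (assumed)


def bucketed_distribution(values, width, n_buckets):
    """Normalised histogram: share of samples in each [k*width, (k+1)*width)."""
    counts = Counter(min(v // width, n_buckets - 1) for v in values)
    total = sum(counts.values())
    return [counts.get(k, 0) / total for k in range(n_buckets)]


def port_distribution(ports):
    """Share of packets per port, keyed by port number."""
    counts = Counter(ports)
    total = sum(counts.values())
    return {port: c / total for port, c in counts.items()}


def aligned(dist_a, dist_b):
    """Turn two port-keyed distributions into vectors over the union of ports."""
    keys = sorted(set(dist_a) | set(dist_b))
    return [dist_a.get(k, 0.0) for k in keys], [dist_b.get(k, 0.0) for k in keys]


def kl_divergence(p, q):
    """Distance characterization factor D_KL(P || Q): P observed, Q baseline."""
    return sum(pi * math.log((pi + EPS) / (qi + EPS)) for pi, qi in zip(p, q) if pi > 0)


def cosine_similarity(a, b):
    """Angle characterization factor cos θ; in [0, 1] because all shares are >= 0."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def packet_profile(packets):
    """Feature profile (baseline) or comparison feature of a set of packet records."""
    return {
        "pkt_len": bucketed_distribution([p["len"] for p in packets], PKT_LEN_BUCKET, PKT_LEN_BUCKETS),
        "ttl": bucketed_distribution([p["ttl"] for p in packets], TTL_BUCKET, TTL_BUCKETS),
        "dport": port_distribution([p["dport"] for p in packets]),
    }


def characterization_factors(baseline, window):
    """Step 103: one distance factor and one angle factor per feature."""
    factors = {}
    for name in ("pkt_len", "ttl"):
        p, q = window[name], baseline[name]
        factors[name + "_kl"] = kl_divergence(p, q)
        factors[name + "_cos"] = cosine_similarity(p, q)
    p, q = aligned(window["dport"], baseline["dport"])
    factors["dport_kl"] = kl_divergence(p, q)
    factors["dport_cos"] = cosine_similarity(p, q)
    return factors


def angle_factor_flags(factors):
    """Features whose angle factor fell below the 0.7 rule of step 103."""
    return sorted(k for k, v in factors.items() if k.endswith("_cos") and v < COS_THRESHOLD)


def make_normal_packets(n):
    """Constructed web traffic: small requests, full-size replies, a few OS TTLs."""
    lens = [66, 74, 1420, 1500, 590]
    ttls = [64, 128, 64, 52, 64, 128, 118, 64]
    ports = [443, 443, 443, 443, 80, 443, 443, 80]
    return [{"len": lens[i % 5], "ttl": ttls[i % 8], "dport": ports[i % 8]} for i in range(n)]


def make_flood_packets(n):
    """Constructed SYN-flood window: minimal packets with spoofed, scattered TTLs."""
    return [{"len": 60, "ttl": (i * 37) % 256, "dport": 443} for i in range(n)]


if __name__ == "__main__":
    baseline = packet_profile(make_normal_packets(2000))
    for label, window in (("normal", make_normal_packets(400)), ("flood", make_flood_packets(1024))):
        f = characterization_factors(baseline, packet_profile(window))
        print(label, {k: round(v, 3) for k, v in f.items()}, "flags:", angle_factor_flags(f))
```

On the constructed data the flood window trips the angle rule on packet length and TTL but not on destination port, since the flood targets the same port the baseline is dominated by; the K-L factor for the same features is large where the angle factor is small. This is the point of feeding several factors to a model rather than applying one threshold: a single feature can look normal while the others do not.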
Step 104: input the characterization factor into the trained prediction model to perform DDOS attack detection.
In the embodiment of the application, the characterization factor is input into the trained prediction model to perform DDOS attack detection and obtain the anomaly detection result, i.e. whether a DDOS attack has occurred. The prediction model is trained in advance and has learned the correspondence between each characterization factor and the anomaly detection result.
For example, as seen in step 103, when the angle characterization factor cos θ is below the preset threshold, for example 0.7 (i.e. cos θ < 0.7), inputting the angle factor cos θ into the trained prediction model for DDOS attack detection determines that a DDOS attack has occurred.
Alternatively, as seen in step 103, when the distance characterization factor D_KL(P || Q) exceeds a preset second threshold, the comparison feature deviates strongly from the at least one baseline, and inputting the distance characterization factor D_KL(P || Q) into the trained prediction model for DDOS attack detection determines that a DDOS attack has occurred.
Because the trained prediction model has learned the correspondence between each characterization factor and the anomaly detection result, whether a DDOS attack has occurred can be determined by detecting the characterization factor with the trained prediction model, which improves the efficiency and accuracy of DDOS attack detection and thereby reduces the false-alarm rate.
As a kind of possible implementation, when contrast characteristic be when the flow of measurement of discharge packet or packet amount, it is available
The flow or packet amount of various time points, and agreement component flow baseline is obtained in reference flow/reference packet of various time points
Amount, so as to according to the flow of various time points or packet amount and reference flow/refer to packet amount, generate the traffic characteristic factor/
The packet measure feature factor.Below with reference to Fig. 7, the above process is described in detail.
Fig. 7 is the process signal of distributed Denial of Service (DDOS) attack detection method provided by the embodiment of the present application two
Figure.
As shown in fig. 7, the distributed Denial of Service (DDOS) attack detection method may comprise steps of:
Step 201, the feature portrait of user is obtained, wherein feature portrait includes at least one baseline.
Wherein, baseline is agreement component flow baseline.
Step 202, it obtains to measurement of discharge packet, and extracts to the comparison feature among measurement of discharge packet.
Wherein, comparing feature is the flow or packet amount to measurement of discharge packet.
The implementation procedure of step 201~202 may refer to the implementation procedure of step 101~102 in above-described embodiment, herein
It does not repeat them here.
Step 203, flow/packet amount of various time points is obtained.
In the embodiment of the present application, measurement of discharge packet can be treated and parsed, determine the stream or packet amount of various time points.Example
Such as, it can treat measurement of discharge packet based on resolver in the related technology and be parsed, determine the flow or packet of various time points
Amount, with no restriction to this.
Optionally, label current time collected flow (or packet amount) size is xn, mark before current time
The flows (or packet amount) of various time points be respectively x1, x2..., xn。
Step 204: obtain the reference traffic volume / reference packet count of the protocol-component traffic baseline at each time point.
In this embodiment, once the protocol-component traffic baseline has been obtained, it is sampled to yield its reference traffic volume or reference packet count at each time point. For example, the baseline may be sampled at an interval T of 1 second. The sampling interval of the baseline should equal the collection interval of the traffic to be detected, so that each xi and yi below refer to the same time point.
Optionally, denote the reference traffic volume (or reference packet count) of the baseline corresponding to the time points of the collected x1, x2, ..., xn by y1, y2, ..., yn respectively.
Step 205: from the reference traffic volume / reference packet count of the protocol-component traffic baseline at each time point, generate the reference traffic mean / reference packet-count mean.
Specifically, the mean of the baseline's reference traffic volumes (or reference packet counts) y1, ..., yn at those time points is computed, giving the reference traffic mean (or reference packet-count mean).
Continuing the example above, the reference traffic mean (or reference packet-count mean) is denoted by u.
Step 206: from the traffic volume / packet count at each time point and the reference traffic mean / reference packet-count mean, generate the traffic characterization factor / packet-count characterization factor by means of the cumulative-sum (CUSUM) change-point algorithm.
Optionally, the traffic characterization factor (or packet-count characterization factor) S is computed from x1, ..., xn and u by the CUSUM accumulation described next.
Because the reference traffic mean is the mean of the baseline's reference traffic over the time points in the window, it lies closer to the mean of normal traffic than any single sample. Accumulating the differences between the traffic at each time point and the reference traffic mean gives the traffic characterization factor S. When S exceeds a preset first multiple of the reference traffic mean u, for example a first multiple of 0.3, i.e. S > 0.3 * u, the traffic volume or traffic rate is abnormal and a DDoS attack can be determined.
Alternatively, the reference packet-count mean is the mean of the baseline's reference packet counts at those time points and is therefore closer to the mean of the normal packet count; accumulating the differences between the packet count at each time point and the reference packet-count mean gives the packet-count characterization factor S. When S exceeds the preset first multiple of the reference packet-count mean u, for example 0.3, i.e. S > 0.3 * u, the packet count is abnormal and a DDoS attack can be determined.
Step 207: input the traffic characterization factor / packet-count characterization factor into the trained prediction model to perform DDoS attack detection.
In this embodiment, the traffic characterization factor or packet-count characterization factor is input into the trained prediction model, which performs DDoS attack detection and outputs an anomaly-detection result indicating whether a DDoS attack is occurring. The trained prediction model has been trained in advance and has learned the correspondence between the traffic (or packet-count) characterization factor and the anomaly-detection result.
For example, as established in step 206, when the traffic characterization factor S exceeds the preset first multiple of the reference traffic mean u, for instance 0.3 so that S > 0.3 * u, the traffic volume or traffic rate is abnormal and the model determines that a DDoS attack is occurring.
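The following is an added worked example of steps 203 to 207 in Python; it is not code from the patent. The baseline samples y1..yn, the observation windows x1..xn and the 1-second sampling interval are constructed here. The text describes S as the accumulated differences (xi - u); the example keeps that plain sum and also implements the standard one-sided CUSUM form with a reset at zero and an optional slack parameter, which is an editorial generalization not stated on the page (with slack 0 and non-negative partial sums it equals the plain sum). The 0.3 multiple is taken from the text; all function names are the editor's own.

```python
"""Traffic / packet-count characterization factor by cumulative sum (steps 203-207).

Added example; all sample values are constructed, not measured traffic.
"""


def reference_mean(reference_samples):
    """Step 205: u, the mean of the baseline's reference values y1..yn."""
    if not reference_samples:
        raise ValueError("baseline window is empty")
    return sum(reference_samples) / len(reference_samples)


def plain_sum_factor(observed, u):
    """Sum of the differences (x_i - u) over the window, as the text describes S."""
    return float(sum(x - u for x in observed))


def cusum_factor(observed, u, slack=0.0):
    """One-sided CUSUM of x1..xn against the reference mean u.

    S_0 = 0, S_i = max(0, S_{i-1} + (x_i - u - slack)).  The reset at zero keeps a
    long quiet stretch from masking a later surge; `slack` (editorial addition)
    ignores small positive drift.  With slack=0 and non-negative partial sums this
    equals plain_sum_factor().
    """
    s = 0.0
    for x in observed:
        s = max(0.0, s + (x - u - slack))
    return s


def is_attack(s, u, first_multiple=0.3):
    """Decision rule of steps 206/207: S > first_multiple * u."""
    return s > first_multiple * u


def detect_window(observed, reference_samples, first_multiple=0.3, slack=0.0):
    """Run steps 203-207 on one window and return the intermediate values."""
    if len(observed) != len(reference_samples):
        # x_i and y_i must refer to the same time points (same sampling interval T).
        raise ValueError("observed window and baseline window differ in length")
    u = reference_mean(reference_samples)
    s = cusum_factor(observed, u, slack)
    return {"u": u, "S": s, "attack": is_attack(s, u, first_multiple)}


# Constructed protocol-component baseline (e.g. UDP bytes/s sampled at T = 1 s)
# and two constructed 10-second observation windows.
BASELINE_REF = [100, 102, 98, 101, 99, 100, 103, 97, 100, 100]
NORMAL_WINDOW = [101, 99, 100, 102, 98, 100, 101, 99, 100, 100]
ATTACK_WINDOW = [100, 101, 99, 150, 180, 210, 250, 240, 260, 270]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        print(name, detect_window(window, BASELINE_REF))
```

On the constructed data the reference mean is 100; the normal window accumulates to 0 and is below 0.3 * u = 30, while the attack window accumulates to 860 and is flagged. A longer window dilutes a short burst in the plain sum, which is the reason a practitioner would prefer the reset form over a single end-of-window sum.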
In the DDoS attack detection method of this embodiment, the traffic volume / packet count at each time point and the reference traffic volume / reference packet count of the protocol-component traffic baseline at those time points are obtained; the reference traffic mean / reference packet-count mean is generated from the baseline's reference values; the traffic characterization factor / packet-count characterization factor is generated from the per-time-point traffic (or packet count) and the reference mean by the cumulative-sum (CUSUM) algorithm; and finally the characterization factor is input into the trained prediction model for DDoS attack detection. Because the reference mean is the mean of the baseline's reference traffic (or reference packet count) over the time points in the window, it lies closer to the mean of normal traffic (or normal packet count) than the raw samples do; accumulating the differences between the observed values and that mean yields a characterization factor which, when input into the trained prediction model, improves the accuracy of the detection result.
It should be noted that, by the definition of information entropy, entropy measures the amount of information needed to remove uncertainty, i.e. the information content an unknown event may carry. Where the data are concentrated the entropy is small; where they are dispersed the entropy is large. In the present application, when a DDoS attack occurs the traffic involves a few fixed source IPs spread across many destination IPs: the destination-IP distribution becomes more dispersed, so the destination-IP entropy rises markedly, while the source-IP distribution becomes more concentrated, so the source-IP entropy falls markedly. Whether a DDoS attack is occurring can therefore also be determined from the source-IP entropy and destination-IP entropy of the traffic packets to be detected. The process is described in detail below with reference to Fig. 8.
Fig. 8 is a schematic flowchart of the DDoS attack detection method provided by embodiment three of the present application.
As shown in Fig. 8, on the basis of the embodiments of Fig. 1 to Fig. 7, the DDoS attack detection method may further include the following steps:
Step 301: obtain the source IP and destination IP of the traffic packets to be detected.
In this embodiment the traffic packets to be detected are parsed, for example with a parser from the related art, to obtain their source IP and destination IP.
Step 302: compute the source-IP entropy and destination-IP entropy over the source IPs and destination IPs of the traffic packets to be detected, and take the source-IP entropy and destination-IP entropy as the entropy characterization factor.
In this embodiment, the source-IP entropy of the source IPs and the destination-IP entropy of the destination IPs of the traffic packets to be detected are computed and together form the entropy characterization factor, from which it is determined whether a DDoS attack is occurring.
Optionally, the source-IP entropy H1(U) is determined by the information-entropy definition
H1(U) = - Σi pi log pi,
where pi is the probability (relative frequency) of the i-th distinct source IP among the traffic packets to be detected.
The destination-IP entropy H2(U) is determined likewise:
H2(U) = - Σi qi log qi,
where qi is the probability of the i-th distinct destination IP.
It will be understood that when the traffic involves a few fixed source IPs and many destination IPs, the destination-IP distribution is more dispersed and the destination-IP entropy rises markedly, while the source-IP distribution is more concentrated and the source-IP entropy falls markedly. When the destination-IP entropy is higher than a first threshold and the source-IP entropy is lower than a second threshold, a DDoS attack can be determined.
In this embodiment, the source IP and destination IP of the traffic packets to be detected are obtained, their source-IP entropy and destination-IP entropy are computed and taken as the entropy characterization factor, and the entropy characterization factor is input into the trained prediction model for DDoS attack detection, which improves the accuracy of DDoS attack detection.
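The following is an added example of steps 301 to 302 and the two-threshold rule stated above, written in Python; it is not code from the patent. The packet list uses constructed RFC 5737 documentation addresses, and the thresholds (2.0 bits each) are illustrative. One caveat a practitioner should keep in mind: which way the two entropies move depends on where the traffic is observed. The text describes a few sources spread over many destinations; a volumetric flood seen at a single victim shows the opposite pattern (source-IP entropy up, destination-IP entropy down), so the first and second thresholds should be learned from the operator's own baseline rather than fixed by hand.

```python
"""Source-IP / destination-IP entropy characterization factor (steps 301-302).

Added example; the packet lists are constructed, not captured traffic.
"""
import math
from collections import Counter


def shannon_entropy(values):
    """H = - sum_i p_i log2 p_i over the empirical distribution of `values`.

    p_i is the relative frequency of the i-th distinct value; an empty input
    carries no uncertainty and yields 0.0.
    """
    n = len(values)
    if n == 0:
        return 0.0
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_factors(packets):
    """Step 302: (H1, H2) = (source-IP entropy, destination-IP entropy) in bits.

    `packets` is a sequence of (src_ip, dst_ip) pairs, as obtained by parsing
    the packets to be detected in step 301.
    """
    h_src = shannon_entropy([src for src, _ in packets])
    h_dst = shannon_entropy([dst for _, dst in packets])
    return h_src, h_dst


def entropy_rule(h_src, h_dst, dst_threshold, src_threshold):
    """Decision stated in the text: destination-IP entropy above the first
    threshold and source-IP entropy below the second threshold."""
    return h_dst > dst_threshold and h_src < src_threshold


# Constructed windows of 8 packets each (RFC 5737 documentation addresses).
# Normal: eight distinct clients talking to two servers.
NORMAL_PACKETS = [(f"203.0.113.{i}", "198.51.100.1" if i % 2 else "198.51.100.2")
                  for i in range(1, 9)]
# Pattern the text associates with an attack: two fixed sources spread over
# eight destinations, so H_dst rises and H_src falls.
ATTACK_PACKETS = [("192.0.2.10" if i % 2 else "192.0.2.11", f"198.51.100.{i}")
                  for i in range(1, 9)]

if __name__ == "__main__":
    for name, pkts in (("normal", NORMAL_PACKETS), ("attack", ATTACK_PACKETS)):
        h_src, h_dst = entropy_factors(pkts)
        print(name, "H_src =", h_src, "H_dst =", h_dst,
              "attack:", entropy_rule(h_src, h_dst, dst_threshold=2.0, src_threshold=2.0))
```

On the constructed windows the normal case gives H_src = 3.0 and H_dst = 1.0, the attack case the mirror image, 1.0 and 3.0. Entropy grows with the number of distinct addresses in the window, so windows compared against a threshold should contain a comparable number of packets.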
As one possible implementation, the trained prediction model in the embodiments of Fig. 1 to Fig. 8 may be a support vector machine (SVM) prediction model, which maps samples that are not linearly separable in the low-dimensional input space into a high-dimensional feature space by a non-linear mapping, so that the samples become linearly separable.
Optionally, the SVM prediction model is trained on black samples and white samples. The black samples are known DDoS attack samples supplied by the service side; the white samples are one or more of the destination-port distribution, source-port distribution, TTL distribution, packet-length distribution and traffic / packet-count distribution of traffic packets in which no DDoS attack occurred.
The core idea of the SVM prediction model is broadly similar to that of the linear-regression (LR) classification method: the weight coefficients of the model are trained on a training sample set, and the model is then used to classify samples.
Specifically, the SVM prediction model learns a separating hyperplane that serves as the decision boundary between classes: samples on the two sides of the hyperplane belong to different classes. The sample points closest to the separating hyperplane are identified first, and the hyperplane is then chosen so that these closest points lie as far from it as possible. Denoting the distance between the closest sample points and the separating hyperplane as the margin, the margin must be made as large as possible to guarantee the classification performance of the SVM prediction model.
For example, for a two-class problem denote the training sample set by T = {(x1, y1), (x2, y2), ..., (xN, yN)} with class labels yi ∈ {-1, +1} (the labels must be ±1 for the decision function (8) and the support-vector condition (11) below to hold). By linear learning the SVM prediction model obtains the separating hyperplane
ω · x + b = 0;  (7)
and the corresponding classification decision function
f(x) = sign(ω · x + b);  (8)
where sign is the sign function, which maps positive numbers to 1 and negative numbers to -1.
As an example, Fig. 9 is a schematic diagram of the separating hyperplane in the embodiments of the present application. The sample points of different classes closest to the separating hyperplane are called support vectors; they define two bands parallel to the separating hyperplane, and the distance between these two bands is called the margin. Clearly, the larger the margin, the higher the confidence that the classification is correct: the distance of a sample point from the separating hyperplane expresses the confidence of its classification, and the farther the point lies from the hyperplane, the higher that confidence. As Fig. 9 shows, the margin of separating hyperplane B1 is larger than that of separating hyperplane B2, so B1 classifies better than B2.
The margin can be computed from ω and b.
As Fig. 9 shows, adding or removing sample points other than those lying on b11 and b12 (or, for B2, other than those on b21 and b22) does not change the separating hyperplane; in other words, the SVM prediction model is determined by a small number of critical training samples, the support vectors. Provided the training samples are classified correctly, the margin must be maximized, and the constrained optimization problem of linear classification can then be converted into an equivalent convex optimization problem.
In the linearly separable case, the sample points of the training set closest to the separating hyperplane are called support vectors, and they satisfy
yi (ω · xi + b) - 1 = 0;  (11)
that is, positive sample points satisfy
ω · xi + b = 1;  (12)
and negative sample points satisfy
ω · xi + b = -1.  (13)
It should be noted that the above illustrates only the two-class case; in practical use the SVM prediction model of the present application can also be applied to multi-class classification problems, and no restriction is placed on this.
In this embodiment, the SVM prediction model trained on white samples and black samples learns the correspondence between each characterization factor and the anomaly-detection result. Thus, after at least one characterization factor has been generated from the comparison feature of the traffic packets to be detected and the at least one baseline, that characterization factor can be input into the trained prediction model for DDoS attack detection, and the accuracy of the detection result is improved.
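The following is an added example, not the patent's code, of the linear SVM described above as the trained prediction model: it learns the hyperplane (7), classifies with the decision function (8) and identifies the support vectors through condition (11). The classifier is trained by full-batch subgradient descent on the primal soft-margin objective 0.5 * ||ω||² + C * Σ max(0, 1 - yi(ω · xi + b)), an editorial choice of solver; the training vectors are constructed two-dimensional characterization factors (e.g. a scaled traffic factor S/u and an entropy factor) labelled +1 for black (attack) and -1 for white (benign) samples. Names and hyper-parameters are the editor's own.

```python
"""Linear SVM as the trained prediction model: hyperplane (7), decision (8), support vectors (11).

Added example, not the patent's code.  Training data are constructed characterization
factors with labels +1 (black, attack) and -1 (white, benign).
"""
import math


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def train_linear_svm(X, y, C=1.0, lr=0.005, epochs=4000):
    """Return (w, b) of the separating hyperplane w.x + b = 0 (eq. 7).

    Full-batch subgradient descent on 0.5*||w||^2 + C*sum(max(0, 1 - y_i(w.x_i + b))).
    Labels must be +1/-1, as eq. (8) and eq. (11) require.
    """
    d = len(X[0])
    w = [0.0] * d
    b = 0.0
    for _ in range(epochs):
        grad_w = list(w)        # gradient of the regularizer 0.5*||w||^2
        grad_b = 0.0
        for xi, yi in zip(X, y):
            if yi * (dot(w, xi) + b) < 1.0:   # hinge active: point inside the margin
                for j in range(d):
                    grad_w[j] -= C * yi * xi[j]
                grad_b -= C * yi
        w = [wj - lr * gj for wj, gj in zip(w, grad_w)]
        b -= lr * grad_b
    return w, b


def decision(w, b, x):
    """Eq. (8): f(x) = sign(w.x + b), returned as +1 or -1."""
    return 1 if dot(w, x) + b >= 0.0 else -1


def margin(w):
    """Distance between the bands w.x + b = +1 and w.x + b = -1, i.e. 2 / ||w||."""
    return 2.0 / math.sqrt(dot(w, w))


def support_vectors(X, y, w, b, tol=0.15):
    """Training points satisfying eq. (11), y_i(w.x_i + b) = 1, up to tol."""
    return [xi for xi, yi in zip(X, y) if abs(yi * (dot(w, xi) + b) - 1.0) <= tol]


# Constructed training set: each vector is (scaled traffic factor S/u, entropy factor).
TRAIN_X = [[3.0, 2.5], [2.5, 3.0], [3.5, 3.5], [2.8, 2.2],      # black samples
           [0.2, 0.5], [0.5, 0.1], [0.1, 0.2], [0.6, 0.6]]      # white samples
TRAIN_Y = [1, 1, 1, 1, -1, -1, -1, -1]


def fit_demo():
    """Train on the constructed set and return (w, b)."""
    return train_linear_svm(TRAIN_X, TRAIN_Y)


if __name__ == "__main__":
    w, b = fit_demo()
    print("w =", [round(c, 3) for c in w], "b =", round(b, 3), "margin =", round(margin(w), 3))
    print("support vectors:", support_vectors(TRAIN_X, TRAIN_Y, w, b))
    print("new factor (3.0, 3.0) ->", decision(w, b, [3.0, 3.0]))
```

On this constructed set the closest pair across the classes is (2.8, 2.2) and (0.6, 0.6), so those two points come out as the support vectors and the margin is about 2.7; the remaining points could be removed without moving the hyperplane, which is the property the text attributes to Fig. 9.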
Further, once a DDoS attack has been determined, an alert may be issued, so that the traffic packets of the alert period can be filtered out and the baseline purified, which improves the accuracy of subsequent DDoS attack detection. Without this filtering, attack traffic that fell inside the baseline window would be absorbed into the rolling baseline and raise the reference values, masking later attacks.
As an example, Fig. 10 is a schematic structural diagram of the DDoS attack detection system provided by embodiment four of the present application.
As shown in Fig. 10, the DDoS attack detection system includes a network traffic collection module, a baseline generation module, a characterization factor generation module, a detection module and an alarm module.
The network traffic collection module captures the traffic packets of the service side.
The baseline generation module generates the baseline from the captured traffic packets, for example over a 14-day time window.
The characterization factor generation module computes, according to an outlier detection algorithm, the offset by which the comparison feature of the traffic packets to be detected deviates from the baseline.
The detection module performs DDoS attack detection on the characterization factor using the SVM prediction model.
The alarm module raises an alert when a DDoS attack occurs.
The baseline generation module is further used to filter out the traffic packets of the alert period and purify the baseline, so as to improve the accuracy of subsequent DDoS attack detection.
To implement the above embodiments, the present application further proposes a DDoS attack detection device.
Fig. 11 is a schematic structural diagram of the DDoS attack detection device provided by embodiment five of the present application.
As shown in Fig. 11, the DDoS attack detection device 100 includes an acquisition module 110, an extraction module 120, a generation module 130 and a detection module 140.
The acquisition module 110 obtains the feature profile of the user, wherein the feature profile includes at least one baseline.
The extraction module 120 obtains the traffic packets to be detected and extracts the comparison feature from them.
The generation module 130 generates at least one characterization factor from the comparison feature and the at least one baseline.
As one possible implementation, the comparison feature is the traffic volume / packet count of the traffic packets to be detected, and the baseline is the protocol-component traffic baseline.
The detection module 140 inputs the characterization factor into the trained prediction model to perform DDoS attack detection.
Further, in one possible implementation of the embodiment of the present application, referring to Fig. 12, on the basis of the embodiment shown in Fig. 11 the DDoS attack detection device 100 may further include the following.
As one possible implementation, the generation module 130 comprises:
a first acquisition sub-module 131 for obtaining the traffic volume / packet count at each time point;
a second acquisition sub-module 132 for obtaining the reference traffic volume / reference packet count of the protocol-component traffic baseline at each time point;
a first generation sub-module 133 for generating the reference traffic mean / reference packet-count mean from the reference traffic volume / reference packet count of the protocol-component traffic baseline at each time point; and
a second generation sub-module 134 for generating the traffic characterization factor / packet-count characterization factor from the traffic volume / packet count at each time point and the reference traffic mean / reference packet-count mean by the cumulative-sum (CUSUM) algorithm.
As one possible implementation, the comparison feature includes one or more of the destination-port distribution, source-port distribution, time-to-live (TTL) distribution, packet-length distribution and traffic / packet-count distribution of the traffic packets to be detected, and the baseline includes one or more of the destination-port distribution baseline, source-port distribution baseline, TTL distribution baseline, packet-length distribution baseline and protocol-component traffic baseline.
As one possible implementation, the generation module 130 is specifically configured to generate at least one distance characterization factor from the comparison feature and the at least one baseline by the Kullback-Leibler (KL) divergence algorithm.
As another possible implementation, the generation module 130 is specifically configured to generate at least one angle characterization factor from the comparison feature and the at least one baseline by the cosine similarity algorithm.
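The following is an added Python example, not the patent's code, of the two distribution-based characterization factors just described: the KL divergence (distance factor) and the cosine similarity (angle factor) between an observed destination-port distribution and its baseline, as in claims 4 and 5. The port histograms are constructed. The edge case a practitioner must handle is a port that never appeared in the baseline: the unsmoothed KL term p * log(p / 0) is infinite, so the example applies additive smoothing over the union of ports (an editorial choice; the page does not specify one).

```python
"""Distance and angle characterization factors between an observed distribution
(e.g. destination ports) and its baseline: KL divergence and cosine similarity.

Added example, not the patent's code; the port histograms are constructed.
"""
import math


def kl_divergence(observed, baseline, eps=1e-6):
    """D_KL(P || Q) in bits, P = observed, Q = baseline, over the union of keys.

    Both histograms are raw counts.  Additive smoothing by eps on every key of
    the union keeps a port absent from the baseline (q = 0) from producing an
    infinite term, which is the failure mode of the unsmoothed formula.
    """
    keys = set(observed) | set(baseline)
    p_total = sum(observed.values()) + eps * len(keys)
    q_total = sum(baseline.values()) + eps * len(keys)
    total = 0.0
    for k in keys:
        p = (observed.get(k, 0) + eps) / p_total
        q = (baseline.get(k, 0) + eps) / q_total
        total += p * math.log2(p / q)
    return total


def cosine_similarity(observed, baseline):
    """cos(theta) between the two count vectors on the union of keys: 1.0 means the
    same shape, 0.0 means no port in common (or an empty histogram)."""
    keys = set(observed) | set(baseline)
    dot = sum(observed.get(k, 0) * baseline.get(k, 0) for k in keys)
    n_obs = math.sqrt(sum(v * v for v in observed.values()))
    n_base = math.sqrt(sum(v * v for v in baseline.values()))
    if n_obs == 0.0 or n_base == 0.0:
        return 0.0
    return dot / (n_obs * n_base)


def distribution_factors(observed, baseline):
    """Distance factor (KL divergence) and angle factor (cosine similarity)."""
    return {"kl": kl_divergence(observed, baseline),
            "cosine": cosine_similarity(observed, baseline)}


# Constructed destination-port histograms for one window (packet counts per port).
BASELINE_PORTS = {80: 70, 443: 25, 53: 5}
NORMAL_PORTS = {80: 68, 443: 27, 53: 5}
# Constructed anomalous window: most packets arrive on a port the baseline never saw.
ANOMALOUS_PORTS = {80: 5, 443: 5, 123: 90}

if __name__ == "__main__":
    print("normal   ", distribution_factors(NORMAL_PORTS, BASELINE_PORTS))
    print("anomalous", distribution_factors(ANOMALOUS_PORTS, BASELINE_PORTS))
```

The two factors are complementary: KL divergence is asymmetric and grows without bound as mass moves onto ports unseen in the baseline, while cosine similarity is bounded in [0, 1] and insensitive to the absolute packet count, so a window with twice the traffic but the same port mix scores 1.0.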
An IP acquisition module 150 obtains the source IP and destination IP of the traffic packets to be detected.
A processing module 160 computes the source-IP entropy and destination-IP entropy over the source IPs and destination IPs of the traffic packets to be detected and takes them as the entropy characterization factor.
As one possible implementation, the trained prediction model is a support vector machine (SVM) prediction model.
It should be noted that the foregoing explanation of the DDoS attack detection method embodiments also applies to the DDoS attack detection device 100 of this embodiment and is not repeated here.
The DDoS attack detection device of this embodiment obtains the feature profile of the user, wherein the feature profile includes at least one baseline; obtains the traffic packets to be detected and extracts the comparison feature from them; generates at least one characterization factor from the comparison feature and the at least one baseline; and finally inputs the characterization factor into the trained prediction model for DDoS attack detection. Because the trained prediction model has learned the correspondence between each characterization factor and the anomaly-detection result, it can determine from the characterization factor whether a DDoS attack is occurring in the traffic to be detected, which improves the efficiency and accuracy of DDoS attack detection and thereby reduces the false-positive rate.
To implement the above embodiments, the present application further proposes a computer device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor; when the processor executes the program, it implements the DDoS attack detection method proposed by the foregoing embodiments of the present application.
To implement the above embodiments, the present application further proposes a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the DDoS attack detection method proposed by the foregoing embodiments of the present application.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, where no conflict arises, those skilled in the art may combine the features of the different embodiments or examples described in this specification.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or the number of the technical features indicated. A feature qualified by "first" or "second" may therefore explicitly or implicitly include at least one such feature. In the description of the present application, "a plurality" means at least two, for example two or three, unless otherwise specifically defined.
Any process or method description in the flowcharts or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present application includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order, depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments of the present application pertain.
The logic and/or steps represented in the flowcharts or otherwise described herein, for example an ordered list of executable instructions for implementing logical functions, may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any means that can contain, store, communicate, propagate or transport the program for use by or in connection with the instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of the computer-readable medium include: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre device, and a portable compact disc read-only memory (CDROM). The computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it as necessary, and then stored in a computer memory.
It should be understood that each part of the present application may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, a plurality of steps or methods may be implemented by software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following techniques known in the art may be used: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.
Those of ordinary skill in the art will understand that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the present application may be integrated in one processing module, or each unit may exist physically on its own, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and is sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like. Although embodiments of the present application have been shown and described above, it will be understood that the above embodiments are exemplary and are not to be construed as limiting the present application; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present application.
Claims (9)
1. a kind of distributed Denial of Service (DDOS) attack detection method characterized by comprising
Obtain the feature portrait of user, wherein the feature portrait includes at least one baseline;
It obtains to measurement of discharge packet, and extracts described to the comparison feature among measurement of discharge packet;
According to deviant of the feature with respect at least one baseline is compared, at least one characterization factor is generated;And
The characterization factor is inputted into training prediction model and carries out DDOS attack detection, the trained prediction model has learnt to obtain
Corresponding relationship between each characterization factor and abnormality detection result;
Wherein, the feature that compares includes the destination port distribution to measurement of discharge packet, source port distribution, life span TTL
One of distribution, the long distribution of packet, flow/packet amount distribution are a variety of, and the baseline includes destination port distribution baseline, source port
It is distributed baseline, TTL distribution baseline, long distribution one of the baseline and agreement component flow baseline or a variety of of packet.
2. DDOS attack detection method as described in claim 1, which is characterized in that the comparison feature is described to measurement of discharge
The flow of packet/packet amount, the baseline are agreement component flow baseline.
3. DDOS attack detection method as claimed in claim 2, which is characterized in that described according to the comparison feature and described
At least one baseline generates at least one characterization factor, comprising:
Obtain flow/packet amount of various time points;
Obtain the agreement component flow baseline the various time points reference flow/with reference to packet amount;
According to the agreement component flow baseline the various time points reference flow/refer to packet amount, generate reference flow
Mean value/refer to packet amount mean value;
It is tired by height according to the flow of the various time points/packet amount and the reference flow mean value/refer to packet amount mean value
Long-pending and CUSUM algorithm generates the traffic characteristic factor/packet measure feature factor.
4. DDOS attack detection method as described in claim 1, which is characterized in that described according to the comparison feature and described
At least one baseline generates at least one characterization factor, comprising:
According to the comparison feature and at least one described baseline by k-l divergence algorithm, generate at least one distance feature because
Son.
5. DDOS attack detection method as described in claim 1, which is characterized in that described according to the comparison feature and described
At least one baseline generates at least one characterization factor, comprising:
According to the comparison feature and at least one described baseline by COSIN cosine similarity algorithm, at least one folder is generated
The corner characteristics factor.
6. DDOS attack detection method as described in claim 1, which is characterized in that further include:
Obtain the source IP and destination IP to measurement of discharge packet;
Calculate it is described to the source IP of measurement of discharge packet and the source IP entropy of destination IP and destination IP entropy, and by the source IP entropy and destination IP
Entropy is as entropy characterization factor.
7. DDOS attack detection method as described in claim 1, which is characterized in that the trained prediction model is supporting vector
Machine SVM trains prediction model.
8. A distributed denial of service (DDOS) attack detection device, comprising:
an obtaining module, for obtaining a user's feature portrait, wherein the feature portrait includes at least one baseline;
an extraction module, for obtaining traffic packets to be measured and extracting a comparison feature from the traffic packets to be measured;
a generation module, for generating at least one characterization factor according to the deviation of the comparison feature relative to the at least one baseline; and
a detection module, for inputting the characterization factor into a trained prediction model to perform DDOS attack detection, the trained prediction model having learned the correspondence between each characterization factor and an anomaly detection result;
wherein the comparison feature includes one or more of the destination port distribution, source port distribution, time-to-live (TTL) distribution, packet length distribution, and traffic/packet volume distribution of the traffic packets to be measured, and the baseline includes one or more of a destination port distribution baseline, a source port distribution baseline, a TTL distribution baseline, a packet length distribution baseline, and a per-protocol traffic component baseline.
9. A computer device, comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, wherein, when the processor executes the program, the distributed denial of service (DDOS) attack detection method of any one of claims 1-7 is realized.
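The characterization factors named in claims 4 to 6 (K-L divergence distance, cosine included angle, and source/destination IP entropy) computed over a constructed destination-port baseline and two constructed traffic windows; this is an added illustration, not code from the patent, and the baseline, windows, packet dictionary layout and the `eps` smoothing constant are assumptions:

```python
import math
from collections import Counter

def distribution(values):
    """Normalised frequency distribution, e.g. the destination-port distribution of a window."""
    counts = Counter(values)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}

def kl_divergence(observed, baseline, eps=1e-6):
    """KL(observed || baseline): the claim 4 'distance' factor. eps-smoothing keeps a
    port absent from the baseline from driving the divergence to infinity."""
    total = 0.0
    for k in set(observed) | set(baseline):
        p, q = observed.get(k, 0.0) + eps, baseline.get(k, 0.0) + eps
        total += p * math.log(p / q)
    return total

def cosine_similarity(observed, baseline):
    """Cosine of the angle between the two distributions: the claim 5 'included angle' factor."""
    dot = sum(observed.get(k, 0.0) * baseline.get(k, 0.0) for k in set(observed) | set(baseline))
    norm_o = math.sqrt(sum(v * v for v in observed.values()))
    norm_b = math.sqrt(sum(v * v for v in baseline.values()))
    return dot / (norm_o * norm_b) if norm_o and norm_b else 0.0

def entropy(values):
    """Shannon entropy (bits) of a value sequence: the claim 6 source/destination IP factors."""
    return -sum(p * math.log2(p) for p in distribution(values).values())

def characterization_factors(packets, dst_port_baseline):
    """Feature vector that a trained classifier (claim 7 names an SVM) would consume."""
    observed = distribution(p["dst_port"] for p in packets)
    return {
        "kl_dst_port": kl_divergence(observed, dst_port_baseline),
        "cos_dst_port": cosine_similarity(observed, dst_port_baseline),
        "src_ip_entropy": entropy(p["src_ip"] for p in packets),
        "dst_ip_entropy": entropy(p["dst_ip"] for p in packets),
    }

# Constructed inputs (not real captures): a baseline standing in for the user's feature
# portrait, a normal window, and a flood window where every packet has a distinct source.
DST_PORT_BASELINE = {80: 0.6, 443: 0.35, 22: 0.05}
NORMAL_WINDOW = [{"src_ip": f"192.0.2.{i % 4 + 1}", "dst_ip": "10.0.0.5", "dst_port": port}
                 for i, port in enumerate([80] * 7 + [443] * 4 + [22])]
FLOOD_WINDOW = [{"src_ip": f"198.51.100.{i + 1}", "dst_ip": "10.0.0.5", "dst_port": 80}
                for i in range(20)]
```

On the flood window the distance factor rises, the angle factor falls and the source IP entropy jumps while the destination IP entropy stays at zero, which is the deviation pattern the trained model is meant to learn.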
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811106052.1A CN109067787B (en) | 2018-09-21 | 2018-09-21 | Distributed Denial of Service (DDOS) attack detection method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811106052.1A CN109067787B (en) | 2018-09-21 | 2018-09-21 | Distributed Denial of Service (DDOS) attack detection method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109067787A CN109067787A (en) | 2018-12-21 |
| CN109067787B true CN109067787B (en) | 2019-11-26 |
Family
ID=64763422
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811106052.1A Active CN109067787B (en) | 2018-09-21 | 2018-09-21 | Distributed Denial of Service (DDOS) attack detection method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109067787B (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108965347B (en) * | 2018-10-10 | 2021-06-11 | 腾讯科技(深圳)有限公司 | Distributed denial of service attack detection method, device and server |
| CN109617868B (en) * | 2018-12-06 | 2021-06-25 | 腾讯科技(深圳)有限公司 | DDOS attack detection method and device and detection server |
| CN109922072B (en) * | 2019-03-18 | 2021-07-16 | 腾讯科技(深圳)有限公司 | Distributed denial of service attack detection method and device |
| CN109951491A (en) * | 2019-03-28 | 2019-06-28 | 腾讯科技(深圳)有限公司 | Network attack detecting method, device, equipment and storage medium |
| CN114157442A (en) * | 2020-09-04 | 2022-03-08 | 阿里巴巴集团控股有限公司 | Abnormal traffic detection method, DDoS attack detection method, device and electronic device |
| CN114124658A (en) * | 2021-11-23 | 2022-03-01 | 北京天融信网络安全技术有限公司 | Industrial control network anomaly detection method and device, electronic equipment and storage medium |
| CN114338206B (en) * | 2021-12-31 | 2024-05-07 | 曙光网络科技有限公司 | DDOS attack detection method, device, equipment and storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2013105991A2 (en) * | 2011-02-17 | 2013-07-18 | Sable Networks, Inc. | Methods and systems for detecting and mitigating a high-rate distributed denial of service (ddos) attack |
| CN106131027A (en) * | 2016-07-19 | 2016-11-16 | 北京工业大学 | A kind of exception flow of network based on software defined network detection system of defense |
| CN107483473A (en) * | 2017-09-05 | 2017-12-15 | 上海海事大学 | A low-speed denial-of-service attack data flow detection method in cloud environment |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7681235B2 (en) * | 2003-05-19 | 2010-03-16 | Radware Ltd. | Dynamic network protection |
| CN102104611A (en) * | 2011-03-31 | 2011-06-22 | 中国人民解放军信息工程大学 | Promiscuous mode-based DDoS (Distributed Denial of Service) attack detection method and device |
| CN103973663A (en) * | 2013-02-01 | 2014-08-06 | 中国移动通信集团河北有限公司 | Method and device for dynamic threshold anomaly traffic detection of DDOS (distributed denial of service) attack |
| CN104348811B (en) * | 2013-08-05 | 2018-01-26 | 深圳市腾讯计算机系统有限公司 | Detecting method of distributed denial of service attacking and device |
| CN104202336A (en) * | 2014-09-22 | 2014-12-10 | 浪潮电子信息产业股份有限公司 | DDoS attack detection method based on information entropy |
| CN108234404B (en) * | 2016-12-15 | 2020-08-25 | 腾讯科技(深圳)有限公司 | Defense method, system and related equipment for DDoS attack |
| US10547636B2 (en) * | 2016-12-28 | 2020-01-28 | Verisign, Inc. | Method and system for detecting and mitigating denial-of-service attacks |
| CN107231384B (en) * | 2017-08-10 | 2020-11-17 | 北京科技大学 | DDoS attack detection and defense method and system for 5g network slices |
- 2018-09-21 CN CN201811106052.1A patent/CN109067787B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN109067787A (en) | 2018-12-21 |
Similar Documents
| Publication | Title | Publication Date |
|---|---|---|
| CN109067787B (en) | Distributed Denial of Service (DDOS) attack detection method and device | |
| CN110851321B (en) | Service alarm method, equipment and storage medium | |
| CN110808945B (en) | A meta-learning-based network intrusion detection method in small sample scenarios | |
| CN109040141A (en) | Detection method, device, computer equipment and the storage medium of abnormal flow | |
| CN105491013B (en) | A kind of multiple-domain network Security Situation Awareness Systems and method based on SDN | |
| CN111340191A (en) | Botnet malicious traffic classification method and system based on ensemble learning | |
| CN113408281B (en) | Mailbox account anomaly detection method and device, electronic equipment and storage medium | |
| US20090094699A1 (en) | Apparatus and method of detecting network attack situation | |
| CN102165490B (en) | Image identity scale calculating system | |
| CN106569936B (en) | A kind of real-time acquisition rolls the method and system of log | |
| CN106649831A (en) | Data filtering method and device | |
| CN115600128A (en) | Semi-supervised encrypted traffic classification method and device and storage medium | |
| CN108055228A (en) | A kind of intelligent grid intruding detection system and method | |
| CN111159243A (en) | User type identification method, device, device and storage medium | |
| CN103518354A (en) | Network device, communication system, method for detecting abnormal communication, and program | |
| CN112804253A (en) | Network flow classification detection method, system and storage medium | |
| CN115083003B (en) | Clustering network training and target clustering method, device, terminal and storage medium | |
| CN102360434A (en) | A Target Classification Method for Vehicles and Pedestrians in Intelligent Traffic Monitoring | |
| CN109359138A (en) | A kind of abnormal detection method and device based on kernel density estimation | |
| US20150150132A1 (en) | Intrusion detection system false positive detection apparatus and method | |
| CN108805211A (en) | IN service type cognitive method based on machine learning | |
| CN107463963A (en) | A kind of Fault Classification and device | |
| US20250139043A1 (en) | Identifying devices with multiple network interface cards in a network | |
| CN101719907B (en) | Passive load information monitoring method based on BitTorrent | |
| US20230136929A1 (en) | Identification method, identification device, and identification program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |