
WO2024159901A1 - Network attack defense method, network element device and computer-readable storage medium - Google Patents


Info

Publication number
WO2024159901A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
attack
network
detected
information
Prior art date
Legal status
Ceased
Application number
PCT/CN2023/135593
Other languages
French (fr)
Chinese (zh)
Inventor
施云涛
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Application filed by ZTE Corp
Publication of WO2024159901A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Definitions

  • the present application relates to the field of network security technology, and in particular to a method for defending against network attacks, a network element device, and a computer-readable storage medium.
  • DDoS: Distributed Denial of Service
  • SDN: Software Defined Network
  • The usual anti-attack solution is to configure DDoS detection equipment on network element devices to monitor traffic and divert it to a stateful firewall. Because of cost and scale, DDoS detection equipment cannot monitor all network traffic. In practice, with highly distributed and complex attack behaviour, the current anti-attack solution can no longer ensure that the network attack source is defended against within a short time: either it takes a long time before the attack source is detected and defended against, or the detection accuracy of the attack source is sacrificed to improve detection efficiency. Detection efficiency and detection accuracy of the network attack source cannot both be achieved at the same time.
  • the main purpose of this application is to provide a network attack defense method, network element equipment and computer-readable storage medium, aiming to solve the current technical problem of being unable to simultaneously take into account the detection efficiency and detection accuracy of network attack sources.
  • a network attack defense method including:
  • after determining that the system operation state is abnormal, taking the message data flow in the current cycle as the data flow to be detected, and checking whether there is an attack message in the data flow to be detected according to the message frequency information, message payload information and source address information corresponding to the data flow to be detected, wherein the source address information includes a source IP address and a source port;
  • after determining that there is an attack message, identifying the source sending address corresponding to the attack message, and suppressing messages sent by the source sending address.
  • The present application also provides a network element device comprising a memory, a processor, and a network attack defense program stored in the memory and executable on the processor, wherein the program, when executed by the processor, implements the network attack defense method described above.
  • The present application also provides a computer-readable storage medium on which a network attack defense program is stored.
  • FIG. 1 is a flow chart of a first embodiment of the network attack defense method of the present application.
  • FIG. 2 is a flow chart of a second embodiment of the network attack defense method of the present application.
  • FIG. 3 is a schematic diagram of the system architecture of a network attack defense system according to an embodiment of the present application.
  • FIG. 4 is a global stage flow chart of the network attack defense method according to an embodiment of the present application.
  • FIG. 5 is a flow chart of the network attack defense method in a specific embodiment of the present application.
  • FIG. 6 is a schematic diagram of the functional modules of a network attack defense device according to an embodiment of the present application.
  • FIG. 7 is a schematic diagram of the hardware structure of a network element device involved in an embodiment of the present application.
  • connection can be a fixed connection, a detachable connection, or an integral connection; it can be a mechanical connection or an electrical connection; it can be a direct connection or an indirect connection through an intermediate medium, it can be the internal connection of two elements or the interaction relationship between two elements, unless otherwise clearly defined.
  • an embodiment of the present application provides a method for defending against network attacks, with reference to FIG1 , which is a flow chart of an embodiment of a method for defending against network attacks of the present application.
  • the method for defending against network attacks includes:
  • Step S10: detecting the system operation status of the current cycle;
  • the system operation status of the network device can be detected once every time a preset detection cycle is reached.
  • the detection cycle can be set according to actual needs, for example, it can be set to 1 second (s).
  • the current cycle refers to the detection cycle at the current moment.
  • the network device is the protected object, and can be an object such as a switch, a router or a host device for sending and receiving data streams, and the data stream is sent by the source device to the protected object (network device).
  • the system operation status is used to indicate whether the network device can process each service message normally, or whether the network device is in a state of serious network congestion, resulting in the inability to process other normal service processing requests in a timely manner.
  • Step S20: after determining that the system operation state is abnormal, taking the message data flow in the current cycle as the data flow to be detected, and checking whether there is an attack message in the data flow to be detected according to the message frequency information, message payload information and source address information corresponding to the data flow to be detected, wherein the source address information includes a source IP address and a source port;
  • When the network device cannot process each service message normally, the system operation state is abnormal. Likewise, when the network device is in a state of serious network congestion and therefore cannot process other service processing requests in time, the system operation state is abnormal.
  • the message frequency information is used to characterize the message receiving frequency or message sending frequency.
  • the message frequency information of network address A is used to characterize the message receiving frequency or message sending frequency of network address A.
  • the message frequency information of network address B is used to characterize the message receiving frequency or message sending frequency of network address B.
  • the message receiving frequency refers to the data volume of the business message received in a specified time period, which can be measured by the number of bytes or bits received per unit time.
  • the message sending frequency refers to the data volume of the business message sent in a specified time period, which can be measured by the number of bytes or bits sent per unit time.
  • Attackers frequently send a large number of data service requests to a network device, which quickly exhausts its key resources and causes it to crash, or to spend so long processing these requests that other normal service requests cannot be handled. Therefore, when a large number of service requests suddenly appears within a certain period, that is, when the message frequency value is high, the data flow to be detected often contains attack messages. This embodiment therefore uses the message frequency information corresponding to the data flow to be detected as one dimension for judging whether that data flow contains attack messages, and performs attack detection on it accordingly.
  • The message payload information characterizes the occurrence of each data item in the payload of the data stream to be detected. The occurrence of each data item in the payload of a normal message of an ordinary service is relatively even, and differs greatly from the occurrence of each data item in the payload of an attack message. The occurrence of each data item in the payload of the data stream to be detected is therefore determined from the message payload information, an information characteristic value of the payload is calculated from those occurrences, and attack messages can then be distinguished relatively accurately.
  • the information characteristic value of the data stream to be detected can be determined based on the occurrence of each data in the payload of the data stream to be detected. Among them, the occurrence of each data in the payload can be the occurrence of each character in the payload. The occurrence can be expressed as an occurrence probability.
  • the network device can calculate the information characteristic value of the data flow to be detected according to the occurrence probability of each data in the data flow to be detected.
  • the occurrence probability corresponding to each byte of the character in the payload of the message to be detected can be determined first.
  • the occurrence probability of each byte in the payload is added as the information characteristic value of the payload.
  • the logarithm of the occurrence probability of the byte is first calculated, and then the occurrence probability of the byte is multiplied by the logarithm of the occurrence probability of the byte as the characteristic value corresponding to the byte, and then the characteristic values corresponding to each byte in the payload are added as the information characteristic value of the payload.
  • The reference information characteristic value range against which the computed value is compared can be a reference range for normal messages or a reference range for attack messages. This embodiment can therefore perform attack detection on the data flow to be detected based on its message payload information, as another dimension for judging whether the data flow contains an attack message.
  • the source address information can be used to characterize the source address of each service message in the data stream to be detected.
  • the source address information includes the source IP (Internet Protocol) address and the source port.
  • IP: Internet Protocol
  • the resources requested by the client have relatively large random characteristics.
  • the message flow information sent by each source address can be determined, and the information entropy of the requested resource of the network device can be determined according to the message flow information sent by each source address.
  • the information entropy is a measure of the degree of randomness of the information.
  • In this way the attack message can be discovered. Specifically, when the network device is attacked, the randomness of requests to network URLs (Uniform Resource Locator) changes abruptly, so the information entropy value also changes abruptly; this is used to judge that the network device's system is under message attack.
  • the data flow corresponding to when the fluctuation trend of the information entropy reaches the preset fluctuation change condition is regarded as an abnormal data flow (i.e., an attack message). Therefore, this embodiment can perform attack detection on the data flow to be detected based on the source address information corresponding to the data flow to be detected, as another dimension for judging whether the data flow to be detected contains an attack message.
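The two entropy-based dimensions described above, as an added illustration in Python that is not code from the patent or from ZTE: the payload information characteristic value computed from per-byte occurrence probabilities (the p·log(p) variant), and the information entropy of the requested resources per detection cycle with a fluctuation check against the preceding cycles. The reference range, the fluctuation threshold, the sample payloads and the request logs are constructed assumptions of this example.

```python
import math
from collections import Counter

# Constructed sample inputs (not from the patent). NORMAL_PAYLOAD mimics an
# ordinary HTTP request; RANDOM_PAYLOAD contains every byte value equally
# often, the shape of filler commonly seen in flood traffic.
NORMAL_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                  b"Accept: text/html\r\n\r\n")
RANDOM_PAYLOAD = bytes(range(256)) * 2

# Assumed reference range (bits) for the characteristic value of normal
# service messages; the patent leaves the actual range to the implementer.
NORMAL_PAYLOAD_RANGE = (2.0, 6.0)
# Assumed maximum change (bits) of the request-resource entropy between one
# cycle and the recent baseline before it counts as a "mutation".
MAX_ENTROPY_JUMP = 1.0


def _entropy(counts):
    """-sum(p * log2 p) over an occurrence-count table (Shannon entropy)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def payload_characteristic_value(payload):
    """Information characteristic value of one payload: the occurrence
    probability of each byte multiplied by its logarithm, summed. The sign is
    flipped so the value is the conventional non-negative entropy: 0.0 for a
    single repeated byte, 8.0 for uniformly random bytes."""
    return _entropy(Counter(payload))


def payload_is_attack(payload, normal_range=NORMAL_PAYLOAD_RANGE):
    """Payload dimension: a message whose characteristic value falls outside
    the normal-message reference range is classed as an attack message."""
    lo, hi = normal_range
    return not lo <= payload_characteristic_value(payload) <= hi


def request_resource_entropy(requests):
    """Source-address dimension: entropy of the requested resources (URLs)
    seen in one detection cycle. ``requests`` holds (source, url) pairs."""
    return _entropy(Counter(url for _, url in requests))


def entropy_mutated(history, current, max_jump=MAX_ENTROPY_JUMP):
    """Fluctuation check: True when the current cycle's entropy departs from
    the mean of the previous cycles by more than ``max_jump`` bits."""
    if not history:
        return False
    baseline = sum(history) / len(history)
    return abs(current - baseline) > max_jump


# Constructed request logs: an ordinary cycle with a spread of resources, and
# a cycle in which fifty distinct sources all request the same resource.
NORMAL_CYCLE = [("192.0.2.1", "/a"), ("192.0.2.2", "/b"), ("192.0.2.3", "/c"),
                ("192.0.2.1", "/d"), ("192.0.2.4", "/a"), ("192.0.2.5", "/e"),
                ("192.0.2.2", "/f"), ("192.0.2.6", "/b")]
ATTACK_CYCLE = [("203.0.113.%d" % i, "/login") for i in range(50)]


if __name__ == "__main__":
    print("normal payload:", round(payload_characteristic_value(NORMAL_PAYLOAD), 2),
          "attack?", payload_is_attack(NORMAL_PAYLOAD))
    print("random payload:", round(payload_characteristic_value(RANDOM_PAYLOAD), 2),
          "attack?", payload_is_attack(RANDOM_PAYLOAD))
    history = [request_resource_entropy(NORMAL_CYCLE)] * 2
    print("entropy mutated:",
          entropy_mutated(history, request_resource_entropy(ATTACK_CYCLE)))
```

The text-like payload lands around 4 bits per byte and the uniform blob at exactly 8, which is why a fixed reference range separates them; the request entropy of the flood cycle collapses to 0 bits because every request names the same resource, a drop of 2.5 bits from the ordinary cycle.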
  • Step S30: after determining that there is an attack message, identifying the source sending address corresponding to the attack message, and suppressing messages sent by the source sending address.
  • the source sending address corresponding to the attack message can be identified by reading the source address information carried by the attack message.
  • If no attack message is identified, the network device is not under attack.
  • When the next detection cycle arrives, it becomes the current cycle and the process returns to step S10, detecting the system operation status of the current cycle. If no attack message is identified in the data flow to be detected, the message defense strategy need not be executed, that is, normal messages need not be suppressed.
  • the source sending address corresponding to the attack message is identified, and the message sent by the source sending address is suppressed, thereby refusing to receive the attack message sent by the attack source port.
  • the source sending address corresponding to the attack message can be added to the blacklist. If a message carrying a source address in the blacklist is received, it can be directly discarded, suppressing the attack message sent by the attack source, thereby effectively defending against the attack source.
  • Otherwise, the network device forwards the message normally according to the forwarding logic for normal communication messages.
  • The source sending address may be the device information or network information corresponding to the initiator of the attack behaviour data (i.e., the sender of the attack message).
  • the device information may include the MAC (Media Access Control) address of the initiator's device.
  • the network information may include the network address of the initiator during communication or the network segment to which the IP address belongs.
  • The initiator, that is, the attacker who launches the network attack event, usually initiates network attack behaviours continuously while conducting an attack.
  • the network device can regularly analyze network communication related data at a preset frequency to determine whether a network attack event has occurred, and determine the organizational information of the initiator of the network attack event, so as to periodically track and trace the network attack, thereby monitoring and protecting the network communication security of the network device.
  • the network device of this embodiment provides an attack tracing function. After determining the existence of an attack message, it identifies the source sending address corresponding to the attack message, thereby locking the suspected attack source, providing information support for subsequent attack defense, and suppressing the message sent by the source sending address, thereby providing an attack defense function. Based on the attack tracing results and defense strategies, the attack traffic is suppressed to protect the normal operation of the network device.
  • the method further includes:
  • Step A10: if the source sending address corresponding to the attack message is not identified within a preset time period, performing rate limiting on each message in the data flow to be detected for a preset defense time period.
  • the preset duration can be set by those skilled in the art according to actual conditions, for example, 1 minute, and this embodiment does not make any specific limitation.
  • This embodiment rate-limits each message in the data stream to be detected for a preset defense time when the source sending address corresponding to the attack message is not identified within the preset time. When attack source tracing fails to find the attack source, indiscriminate rate limiting is therefore applied, and when the defense strategy times out it is invalidated so that normal communication messages are not suppressed indefinitely.
  • This embodiment achieves suppression defense of attack messages to a certain extent by setting a preset defense protection time. At the same time, after the preset defense protection time, the suppression processing of each message in the data stream to be detected is cancelled, thereby effectively restoring the processing of business service requests for normal messages.
  • the method further includes:
  • Step B10: based on the result of checking whether there is an attack message in the data flow to be detected, generating a first record log corresponding to the attack message check result;
  • The generated first record log may record the time at which the attack message was detected, the receiving port of the attack message, which KPI (Key Performance Indicator) was abnormal when the attack message was identified, and other related information.
  • the KPI indicator may include the message frequency information, message load information or information entropy corresponding to the data flow to be detected.
  • After step B20, the step of identifying the source sending address corresponding to the attack message, the method further includes:
  • Step B30: based on the identification result of the source sending address corresponding to the attack message, generating a second record log corresponding to the attack source tracing identification result.
  • If the source sending address is not identified, the generated second record log may record that attack source tracing was unsuccessful. If the source sending address corresponding to the attack message is identified, the generated second record log may record that attack source tracing succeeded, the time at which the source sending address was identified, the source sending address itself, and other related information.
  • By generating a first record log corresponding to the attack message check result, this embodiment raises an alarm to staff through the log when an attack message is detected, and lets staff later review the circumstances of the detection from the first record log, which supports iterative improvement of the attack detection mechanism.
  • By generating a second record log corresponding to the attack tracing identification result, this embodiment likewise raises an alarm to staff through the log when the source address of the attack message (i.e., the attack source) is identified, and lets staff later review the circumstances of the tracing from the second record log, which supports iterative improvement of the attack tracing mechanism.
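The defense and logging stages of steps S30, A10 and B10 to B30 above, as an added example in Python that is not part of the patent text: traced attack sources go on a blacklist and their messages are dropped, an attack whose source cannot be traced within the preset time falls back to indiscriminate rate limiting for a preset defense time, and a first (detection) and second (tracing) record log are written. The timeouts, the per-cycle admission limit, the log line format and the sample messages are assumptions of this example.

```python
# Assumed tunables; the patent gives only "1 minute" as an example trace timeout.
TRACE_TIMEOUT_S = 60.0        # preset duration before tracing is given up
DEFENSE_DURATION_S = 300.0    # preset defense time for indiscriminate rate limiting
RATE_LIMIT_PER_CYCLE = 10     # messages admitted per detection cycle while limiting


class Defender:
    """Blacklist traced attack sources, fall back to timed rate limiting when
    tracing fails, and keep the first (detection) and second (tracing) logs."""

    def __init__(self):
        self.blacklist = set()          # (src_ip, src_port) tuples
        self.rate_limit_until = None    # epoch seconds, None when not limiting
        self.admitted_this_cycle = 0
        self.logs = []                  # log lines, newest last

    # Step B10: first record log for an attack message check result.
    def log_detection(self, detected_at, in_port, abnormal_kpi):
        self.logs.append("DETECT t=%.0f port=%s kpi=%s"
                         % (detected_at, in_port, abnormal_kpi))

    # Steps S30 / A10 / B30: trace, suppress, second record log.
    def apply(self, attack_messages, detected_at, now):
        """Returns 'blacklisted', 'rate_limited' or 'tracing'."""
        sources = {(m["src_ip"], m["src_port"]) for m in attack_messages
                   if m.get("src_ip") is not None}
        if sources:
            self.blacklist |= sources
            for ip, port in sorted(sources):
                self.logs.append("TRACE ok t=%.0f src=%s:%d" % (now, ip, port))
            return "blacklisted"
        if now - detected_at >= TRACE_TIMEOUT_S:
            self.rate_limit_until = now + DEFENSE_DURATION_S
            self.logs.append("TRACE failed t=%.0f rate_limit_until=%.0f"
                             % (now, self.rate_limit_until))
            return "rate_limited"
        return "tracing"

    def new_cycle(self, now):
        """Reset the per-cycle admission counter and cancel rate limiting once
        the preset defense time has elapsed."""
        self.admitted_this_cycle = 0
        if self.rate_limit_until is not None and now >= self.rate_limit_until:
            self.rate_limit_until = None
            self.logs.append("RATE LIMIT expired t=%.0f" % now)

    def handle(self, msg, now):
        """Per-message decision: 'drop', 'rate_limited' or 'forward'."""
        if (msg.get("src_ip"), msg.get("src_port")) in self.blacklist:
            return "drop"
        if self.rate_limit_until is not None and now < self.rate_limit_until:
            if self.admitted_this_cycle >= RATE_LIMIT_PER_CYCLE:
                return "rate_limited"
            self.admitted_this_cycle += 1
        return "forward"


def demo():
    """Constructed scenario: a flood whose source is traced, then one whose
    messages carry no usable source address."""
    d = Defender()
    t0 = 1000.0
    flood = [{"src_ip": "203.0.113.9", "src_port": 40000, "in_port": 3}
             for _ in range(3)]
    d.log_detection(t0, 3, "message_frequency")
    traced = d.apply(flood, detected_at=t0, now=t0 + 1)
    verdict_bad = d.handle(flood[0], t0 + 2)
    verdict_good = d.handle({"src_ip": "192.0.2.5", "src_port": 5555}, t0 + 2)

    ghost = [{"src_ip": None, "src_port": None, "in_port": 3}]
    d.log_detection(t0 + 10, 3, "request_entropy")
    still_tracing = d.apply(ghost, detected_at=t0 + 10, now=t0 + 20)
    limited = d.apply(ghost, detected_at=t0 + 10, now=t0 + 10 + TRACE_TIMEOUT_S)
    return traced, verdict_bad, verdict_good, still_tracing, limited, d


if __name__ == "__main__":
    *verdicts, defender = demo()
    print(verdicts)
    print("\n".join(defender.logs))
```

The rate limiter here is a plain per-cycle admission counter, chosen because the patent only says that each message in the flow is rate-limited for the defense period; a production implementation would use the device's existing policer.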
  • the present application proposes a network attack defense method, a network element device and a computer-readable storage medium.
  • The technical solution of the embodiment of the present application is to detect the system operation status of the current cycle, so that before network attack detection is performed on the message data flow the system operation status is checked first, and the subsequent network attack detection steps are performed only after the system operation status is determined to be abnormal. This avoids blindly starting network attack detection, which would increase the system operation load and reduce the efficiency of detecting the actual network attack source. After the system operation status is determined to be abnormal, the message data flow in the current cycle is taken as the data flow to be detected.
  • The message frequency information, message payload information and source address information corresponding to the data flow to be detected are then checked to see whether the data flow contains attack messages, so that whether the network element device (or network device) is under network attack is determined by multi-dimensional analysis, improving both the accuracy of network attack identification and the efficiency of detecting the source of the network attack.
  • the source sending address corresponding to the attack message is identified to complete the source tracing of the network attack, and then the messages sent by the source sending address are suppressed, so as to provide attack defense or suppression functions after the attack is detected or traced to the attack source, thereby protecting the normal operation of the network element device.
  • the current anti-attack solution generally involves additionally configuring DDOS detection devices on network element devices to monitor traffic and direct it to the stateful firewall. Due to cost and scale issues, DDOS detection devices cannot monitor all network traffic. In actual application scenarios, with highly distributed and complex attack behaviors, the current network anti-attack solution can no longer ensure effective defense of network attack sources in a relatively short period of time, and cannot take into account both the detection efficiency and detection accuracy of network attack sources at the same time.
  • the embodiment of the present application does not need to configure DDOS detection equipment.
  • The embodiment of the present application can integrate the logic of the network attack defense method into the network element device, which then detects, traces and defends against network attacks on the message data flow directly, without diverting it to a stateful firewall, thereby improving the detection efficiency of the network attack source.
  • The embodiment of the present application verifies and analyses whether the system is under network attack by monitoring key KPIs (Key Performance Indicators) of the data flow on the network element device side, such as message frequency information, message payload information and source address information. Detection accuracy and efficiency are thereby improved through multi-dimensional analysis, so that the detection efficiency of the network attack source is improved together with its detection accuracy, and both are taken into account.
  • KPI: Key Performance Indicator
  • Attack message detection can be completed by the network element device itself; there is no need to upload the data flow to a stateful firewall for processing.
  • the detection can be completed on the network element device side, which can meet the requirements of high-speed forwarding, effectively improve the detection accuracy and detection efficiency of network attacks, and solve the current technical problem that the detection efficiency and detection accuracy of the network attack source cannot be taken into account at the same time.
  • the step S10 of detecting the system operation status of the current cycle includes:
  • Step C10: detecting the CPU utilization, system message flow value and service operation status of the system in the current cycle;
  • Step C20: determining the system operation status of the current cycle according to the CPU utilization, the system message flow value and the service operation status.
  • the CPU (Central Processing Unit) utilization refers to the CPU resources currently occupied by the network device.
  • the system message flow value refers to the total flow value corresponding to all business messages that the network device currently needs to process.
  • The business operation status characterizes whether the network device can normally process the service requests of normal business messages. Specifically, if the service requests of more than a preset number of normal business messages cannot be processed normally, the business operation status is determined to be abnormal.
  • the step C20 of determining the system operation status of the current cycle according to the CPU utilization, the system message flow value and the service operation status includes:
  • Step D10: determining whether at least one of the following conditions is satisfied: the CPU utilization is greater than a preset utilization threshold, the system message flow value is greater than a preset flow threshold, and the service operation state is abnormal;
  • Step D20: if yes, determining that the system operation status of the current cycle is abnormal;
  • Step D30: if not, determining that the system operation status of the current cycle is normal.
  • If at least one of the conditions is met, the system operation state of the current period is determined to be abnormal. If none of the conditions is met, that is, the CPU utilization is not greater than the preset utilization threshold, the system message flow value is not greater than the preset flow threshold, and the business operation state is not abnormal, then the system operation state of the current period is determined to be normal.
  • This embodiment detects the system's CPU utilization, system message traffic value, and business operation status in the current period, and accurately identifies the system operation status of the network device in the current period based on the CPU utilization, the system message traffic value, and the business operation status.
  • This embodiment uses multiple performance characteristics corresponding to when the network device is attacked as the judgment criteria for judging the system operation status of the network device in the current period, takes information from multiple dimensions into consideration, greatly improves the recognition accuracy of the system operation status, and facilitates subsequent accurate tracking and tracing of network attacks.
  • step S20 of the above embodiment according to the message frequency information, message load information and source address information corresponding to the data flow to be detected, the step of checking whether there is an attack message in the data flow to be detected includes:
  • Step S21: determining the number of service requests made from each network address in the current cycle, and determining whether there are attack messages in the data flow to be detected based on the comparison between the number of service requests and a preset number threshold;
  • the message frequency information is used to represent the message receiving frequency or the message sending frequency. Therefore, the number of service requests for network service requests made by each network address in the current period can be determined according to the message frequency information.
  • the step of determining whether there is an attack message in the data flow to be detected based on the comparison result of the number of service requests and a preset number threshold includes:
  • Step E10: if there is at least one network address whose number of service requests is greater than the preset number threshold, determining that there is an attack message in the data flow to be detected, wherein the messages sent by each network address whose number of service requests exceeds the preset number threshold are attack messages.
  • the preset number threshold can be set by those skilled in the art according to actual conditions to better detect whether there is an attack message in the data flow to be detected, and this embodiment does not make any specific limitation.
  • DDoS attacks often combine multiple source devices as attack platforms, and use massive, formally legal service requests to occupy a large number of service resources of network devices, so that legitimate users cannot get service responses from the network devices. Therefore, under normal circumstances, if the number of service requests from at least one network address exceeds the preset number threshold in a certain period of time, it means that the network device is likely to be attacked by a network attack.
  • This embodiment determines the number of service requests made by each network address in the current period based on the message frequency information, and determines whether there are attack messages in the data flow to be detected based on the comparison result of the number of service requests and the preset number threshold. The number of service requests made by each network address is thus used as one dimension for judging whether there are attack messages in the data flow to be detected, attack messages are detected in the data flow, and the accuracy of attack detection is improved.
  • After step S21, step S22 is executed: determining the actual protocol structure characteristics corresponding to each message in the data flow to be detected in the current cycle according to the message payload information, and determining whether there is an attack message in the data flow to be detected according to the actual protocol structure characteristics;
  • the message payload information can be used to characterize the occurrence of each data in the payload of the data stream to be detected. Therefore, the actual protocol structure characteristics corresponding to each message in the data stream to be detected in the current cycle can be determined based on the message payload information.
  • the step of determining whether there is an attack message in the data flow to be detected according to the actual protocol structure feature includes:
  • Step F10: obtaining target service identification information of each message in the data flow to be detected;
  • Step F20: determining the standard protocol structure characteristics corresponding to the target service identification information;
  • Step F30: If there is at least one message whose actual protocol structure feature is inconsistent with the standard protocol structure feature, it is determined that there is an attack message in the data flow to be detected, wherein the message whose actual protocol structure feature is inconsistent with the standard protocol structure feature is an attack message.
  • the target service identification information is used to characterize the service type of the message. For example, if the service type of message A in the data stream to be detected is a, the target service identification information t of message A is identified with identification information of service type a. For another example, if the service type of message B in the data stream to be detected is b, the target service identification information u of message B is identified with identification information of service type b.
  • the destination port number carried by each message in the data stream to be detected can be obtained as the target service identification information corresponding to each message.
  • Since different services correspond to different destination port numbers, the destination port number can be used directly as the service identification information to distinguish different services.
  • the technician can predetermine the destination port number corresponding to each service as the target service identification information of the service.
  • the target service identification information corresponding to each message can also be obtained by detecting the load of each message in the data flow to be detected. For each service supported by the server or source device to which the network device is connected, the technician can predetermine the message load corresponding to each service as the target service identification information of the service.
  • the target service identification information is used to characterize the service type of the message. Therefore, when the target service identification information v of message C identifies the identification information of service type c, and the message protocol structure characteristic of the message of service type c is M, it means that the standard protocol structure characteristic corresponding to the target service identification information v is M. That is, since messages of different service types often have different message protocol structure characteristics, different target service identification information often corresponds to different standard protocol structure characteristics. When it is detected that the actual protocol structure feature of the message is inconsistent with the standard protocol structure feature, it means that the message is an attack message.
  • the target service identification information w of message D identifies the service type d, and the message protocol structure feature of the service type d is P, that is, the standard protocol structure feature corresponding to the target service identification information w is P, but the actual protocol structure feature of message D is detected to be Q, which is inconsistent with the standard protocol structure feature P.
  • message D is not a normal service message, and it can be determined with a high probability that it is an attack message sent by an attacker to carry out a network attack.
  • the step of determining the standard protocol structure feature corresponding to the target service identification information may specifically include: querying from a preset service identification mapping relationship table to obtain the protocol structure feature mapped to the target service identification information, and using the mapped protocol structure feature as the standard protocol structure feature corresponding to the target service identification information.
  • the service identification mapping relationship table stores a plurality of service identification information and a one-to-one mapping relationship between each service identification information and the protocol structure feature.
  • This embodiment determines the actual protocol structure characteristics corresponding to each message in the data flow to be detected in the current period based on the message payload information, and determines whether there is an attack message in the data flow to be detected based on the actual protocol structure characteristics, thereby using the actual protocol structure characteristics corresponding to each message as another dimension for judging whether there is an attack message in the data flow to be detected, performing more comprehensive detection of attack messages on the data flow to be detected, and improving the comprehensiveness of attack detection.
  • step S23 is executed to determine the information entropy value corresponding to the source address information in the current cycle according to the source address information, and determine whether the data flow to be detected is an attack message according to the information entropy value.
  • the source address information can be used to characterize the source address of each service message in the data stream to be detected.
  • the source address information includes the source IP (Internet Protocol) address and the source port.
  • the message traffic information sent by each source address can be determined based on the source address information of each service message in the data stream to be detected.
  • from the source address information, the information entropy value of the resources requested from the network device (that is, the information entropy value corresponding to the source address information in the current cycle) can be determined. Therefore, the information entropy value corresponding to the source address information in the current cycle can be determined based on the source address information.
  • the information entropy value is a measure of the degree of randomness of the information.
  • For example, when the network device is attacked, the randomness of the URL (Uniform Resource Locator) requests changes abruptly, and the information entropy value changes abruptly with it, from which it can be judged that the system of the network device is under message attack.
  • the corresponding data flow when the fluctuation trend of the information entropy reaches the preset fluctuation change condition is regarded as the abnormal data flow (i.e., the attack message).
  • the step of determining whether the data flow to be detected is an attack message according to the information entropy value includes:
  • Step G10: obtaining target service identification information of each message in the data flow to be detected;
  • Step G20: determining the information reference entropy value range corresponding to the target service identification information in the preset service identification mapping relationship table;
  • Step G30: If there is at least one message whose information entropy value is not within the information reference entropy value range, it is determined that there is an attack message in the data flow to be detected, wherein the message whose information entropy value is not within the information reference entropy value range is an attack message.
  • the target service identification information is used to characterize the service type of the message. Therefore, when the target service identification information v of message C identifies the identification information of the service type c, and the information entropy value range corresponding to the message of service type c is (j, k), it means that the information reference entropy value range corresponding to the target service identification information v is (j, k). That is, since different service types of messages often correspond to different information entropy value ranges, different target service identification information often corresponds to different information reference entropy value ranges.
  • the target service identification information w of message D identifies the identification information of the service type d, and the information entropy value range corresponding to the message of service type d is (l, n), that is, the information reference entropy value range corresponding to the target service identification information w is (l, n), but it is detected that the information entropy value of message D is not within the range of (l, n).
  • message D is not a normal service message, and it can be determined with a high probability that it is an attack message sent by an attacker to carry out a network attack.
  • the preset service identification mapping relationship table stores multiple service identification information and a one-to-one mapping relationship between each service identification information and an information entropy value range.
  • the information entropy value range mapped to the target service identification information can be obtained by querying the preset service identification mapping relationship table, and the mapped information entropy value range is used as the information reference entropy value range corresponding to the target service identification information.
  • This embodiment determines the information entropy value corresponding to the source address information in the current period based on the source address information, and determines whether the data flow to be detected is an attack message based on the information entropy value, thereby realizing that the information entropy value corresponding to the source address information is used as another dimension for judging whether the data flow to be detected contains attack messages, and performs more comprehensive and accurate detection of attack messages on the data flow to be detected, thereby improving the comprehensiveness and accuracy of attack detection.
  • This embodiment determines the number of service requests for network service requests made by each network address in the current period according to the message frequency information, and determines whether there is an attack message in the data flow to be detected based on the comparison result of the service request number and the preset number threshold. This embodiment also determines the actual protocol structure characteristics corresponding to each message in the data flow to be detected in the current period according to the message load information, and determines whether there is an attack message in the data flow to be detected according to the actual protocol structure characteristics.
  • This embodiment also determines the information entropy value corresponding to the source address information in the current period according to the source address information, and determines whether the data flow to be detected is an attack message according to the information entropy value, thereby accurately identifying the attack message of the data flow to be detected in the current period of the network device.
  • By using the multiple message abnormality characteristics that correspond to the presence of an attack message in the data flow to be detected as the identification standard for attack messages, information from multiple dimensions is taken into consideration, which greatly improves the identification accuracy for attack messages and makes it easier to accurately track and trace network attacks and take targeted defense measures.
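The three detection dimensions of steps S21 to S23 (request count per address, protocol structure against a mapping table, and source address entropy against a per-service reference range), as an added Python example that is not part of the patent or of ZTE's implementation. It assumes the destination port as the service identification, a payload prefix as the protocol structure feature, and the entropy computed over the (src_ip, src_port) distribution of each service within one cycle; the thresholds, mapping table and traffic are constructed placeholders.

```python
import math
from collections import Counter, defaultdict

# Assumed service identification mapping table, keyed by destination port (used here as
# the target service identification information). "prefix" stands in for the standard
# protocol structure feature; "entropy_range" is the (j, k) reference entropy range.
# All values are constructed placeholders, not from the patent.
SERVICE_TABLE = {
    80: {"prefix": b"GET ", "entropy_range": (2.0, 4.0)},
    53: {"prefix": b"\x00\x01", "entropy_range": (0.0, 3.0)},
}
REQUEST_THRESHOLD = 5  # assumed preset number threshold per network address per cycle


def shannon_entropy(dist):
    """Information entropy in bits of a frequency distribution (a Counter)."""
    total = sum(dist.values())
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in dist.values())


def check_request_count(msgs, threshold=REQUEST_THRESHOLD):
    """Step S21 / E10: every message from an address whose request count in the cycle
    exceeds the threshold is an attack message. Returns (flagged indices, addresses)."""
    per_addr = Counter(m["src_ip"] for m in msgs)
    bad_addrs = {addr for addr, n in per_addr.items() if n > threshold}
    flagged = {i for i, m in enumerate(msgs) if m["src_ip"] in bad_addrs}
    return flagged, bad_addrs


def check_protocol_structure(msgs, table=SERVICE_TABLE):
    """Steps F10-F30: compare the actual structure feature (payload prefix) of each
    message with the standard feature mapped to its service; mismatches are attacks."""
    flagged = set()
    for i, m in enumerate(msgs):
        std = table.get(m["dst_port"])
        if std is None:
            continue  # no standard feature known for this service, nothing to compare
        if m["payload"][: len(std["prefix"])] != std["prefix"]:
            flagged.add(i)
    return flagged


def check_source_entropy(msgs, table=SERVICE_TABLE):
    """Steps G10-G30: entropy of the (src_ip, src_port) distribution per service in the
    cycle, compared with that service's reference range. A flood concentrated on one
    source lowers the entropy below the range; a widely spoofed flood pushes it above.
    Returns (flagged indices, {dst_port: entropy})."""
    by_service = defaultdict(Counter)
    for m in msgs:
        by_service[m["dst_port"]][(m["src_ip"], m["src_port"])] += 1
    flagged, entropies = set(), {}
    for port, dist in by_service.items():
        ref = table.get(port)
        if ref is None:
            continue
        h = shannon_entropy(dist)
        entropies[port] = h
        low, high = ref["entropy_range"]
        if not low <= h <= high:
            flagged.update(i for i, m in enumerate(msgs) if m["dst_port"] == port)
    return flagged, entropies


def detect_attack(msgs):
    """Step S20: combine the three dimensions. Traced sources are taken from the
    frequency and content dimensions only, the features the tracing stage uses."""
    by_count, bad_addrs = check_request_count(msgs)
    by_struct = check_protocol_structure(msgs)
    by_entropy, entropies = check_source_entropy(msgs)
    flagged = by_count | by_struct | by_entropy
    sources = {(msgs[i]["src_ip"], msgs[i]["src_port"]) for i in by_count | by_struct}
    return {"attack": bool(flagged), "flagged": flagged, "sources": sources,
            "bad_addrs": bad_addrs, "entropies": entropies}


def build_sample_cycle(attack):
    """Constructed traffic for one cycle: four normal HTTP clients and one DNS query,
    plus (if attack) a malformed DNS query and an 8-message flood from one address."""
    msgs = [{"src_ip": f"10.0.0.{k}", "src_port": 40000 + k, "dst_port": 80,
             "payload": b"GET / HTTP/1.1"} for k in range(2, 6)]
    msgs.append({"src_ip": "10.0.0.7", "src_port": 5353, "dst_port": 53,
                 "payload": b"\x00\x01\x01\x00"})
    if attack:
        msgs.append({"src_ip": "10.0.0.8", "src_port": 5354, "dst_port": 53,
                     "payload": b"\xff\xffjunk"})
        msgs.extend({"src_ip": "192.0.2.9", "src_port": 50000, "dst_port": 80,
                     "payload": b"GET /x HTTP/1.1"} for _ in range(8))
    return msgs


if __name__ == "__main__":
    print(detect_attack(build_sample_cycle(attack=True)))
```

In the constructed attack cycle the flood trips both the request-count check and the entropy check for port 80, while the malformed DNS query is caught only by the structure check, which is the point of combining dimensions.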
  • FIG3 is a schematic diagram of the system architecture of the network attack defense system of the embodiment of the present application:
  • the network attack defense system only involves software architecture.
  • the entire system consists of two logical layers: the forwarding plane and the control plane.
  • the control plane mainly performs KPI monitoring, attack detection, and traceability algorithm implementation, while the forwarding plane provides original message data and defense strategy execution.
  • the control plane includes KPI monitoring, data collection management, attack detection, attack tracing and defense strategy modules.
  • the KPI monitoring module monitors KPIs that characterize whether the system operation status is normal, such as CPU utilization, health statistics of each business module (i.e., business operation status) and message flow data on the channel side (i.e., system message flow value).
  • the data collection management module analyzes and manages the collected data. When the KPI indicator is abnormal, the data collection management module analyzes which data needs to be further collected, and then sends collection instructions to the forwarding plane for data collection. After the collection is completed, the data is uniformly managed.
  • the attack detection module performs attack detection analysis based on the collected message data, and uses information entropy (the information entropy value corresponding to the source address information in the current cycle), frequency characteristics (i.e., message frequency information) and message content (i.e., message load information) to determine whether the system is attacked, and logs the detection results and generates alarms.
  • the attack source tracing module analyzes the attack source based on the collected message data, and uses the frequency statistical characteristics (i.e., message frequency information) and message content characteristics (i.e., message payload information) to determine the five-tuple of the attack source (including source address, source port number, destination address, destination port number, and protocol number), and logs the tracing results and generates an alarm.
  • the defense strategy module determines the specific defense action based on the preset defense strategy.
  • the forwarding plane includes two modules: original message data collection and policy execution.
  • Original message collection is divided into two categories: periodically reported message data and control plane collected message data, providing original data for control plane attack detection and tracing.
  • the policy execution module performs specific defense actions according to the defense strategy issued by the control plane to protect the normal operation of the device during the attack.
  • This embodiment relates to a control plane and forwarding plane linkage attack detection and tracing method or device, in particular to network element equipment in the communication field.
  • This embodiment determines whether the equipment is abnormal by monitoring the data flow and key KPIs such as CPU utilization of the control plane. When the equipment is abnormal, it collects message statistics in real time, uses information entropy to further determine the probability of being attacked, and then uses the statistical information of the source and destination addresses in the message to trace the source. After determining the suspected attack source, it sends attack defense instructions to the forwarding plane to prevent the normal business from being affected after the device is attacked. This method is deployed in the network element equipment, and there is no need to deploy other anti-attack equipment.
  • Figure 4 is a global stage flow chart of the network attack defense method of the embodiment of the present application. From the perspective of the global process status, this embodiment mainly involves four stages: indicator monitoring stage, attack detection stage, attack tracing stage and attack defense stage.
  • the indicator monitoring stage is the initial stage of the entire process, which involves two actions: periodic data collection and indicator monitoring. If the indicator monitoring detects that the system is running normally, it will continue to stay in this stage. If the system is running abnormally, it will enter the attack detection stage (that is, after determining that the system is running abnormally, the message data flow in the current cycle is used as the data flow to be detected to detect attack messages).
  • the attack detection phase involves two actions: event data collection and attack detection judgment. If the system is not detected to be under attack, it falls back to the indicator monitoring phase. If the system is detected to be under attack, it enters the attack tracing phase (i.e. identifying the source sending address corresponding to the attack message).
  • the attack source tracing stage involves attack source tracing analysis actions. After the actions are executed, it automatically enters the policy execution stage.
  • the policy execution phase includes sending the forwarding plane suppression policy (i.e., suppressing the messages sent from the source sending address), sending the forwarding plane invalidation policy (i.e., limiting or suppressing the messages sent from the source sending address for a preset defense time, and restoring to normal after the preset defense time), indiscriminate rate limiting policy (i.e., limiting the rate of all messages in the data stream to be detected), and logging.
  • when attack tracing detects the attack source, the forwarding plane suppression policy action is sent; when attack tracing does not detect the attack source, the indiscriminate rate limiting action is executed; when the defense policy times out, the invalidation policy is executed.
  • the context information related to the attack is recorded in the security log.
  • This embodiment provides an attack tracing function, which locks the suspected attack source through an attack tracing algorithm to provide information support for subsequent attack defense.
  • This embodiment also provides an attack defense function, which suppresses attack traffic based on attack tracing results and defense strategies to protect the normal operation of network element equipment.
  • FIG. 5 is a schematic diagram of a method for defending against network attacks in a specific embodiment of the present application.
  • the overall process is as follows:
  • Periodically collect the KPI data to be monitored, such as CPU (Central Processing Unit) utilization, message flow (i.e. the system message flow value) and business operation status;
  • the event data collection module collects the data required for attack analysis (i.e., the message data flow in the current cycle) and stores it in the cache;
  • attack detection and analysis are performed. If the detection result is not an attack (that is, there is no attack message in the data stream to be detected), the process returns to the indicator monitoring stage. If the detection result is an attack (that is, there is an attack message in the data stream to be detected), the attack source is traced.
  • Attack source tracing mainly identifies the specific attack source, such as the IP address or the characteristics of the attack message, such as the payload content;
  • Attack defense mainly determines and executes specific defense strategies.
  • when the attack source can be located (i.e., the source sending address corresponding to the attack message is identified) or the attack mode is identified, the defense control module issues a suppression strategy; when the attack source cannot be located, an indiscriminate speed limit is implemented (all messages in the detected data stream are subject to speed limit processing); the specific strategies implemented need to be logged for subsequent manual analysis.
  • the specific strategy needs to set an expiration time to prevent continuous suppression during whitelist attacks (i.e., set a preset defense duration).
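The four-stage flow and the policy execution stage described above (suppression for located sources, indiscriminate rate limiting when no source is located, and invalidation once the preset defense time expires), as an added Python example that is not the patent's or ZTE's code. The KPI thresholds are placeholders, the three KPI conditions are combined with OR as an assumption, and the clock is injectable so the expiry can be exercised without waiting.

```python
import time
from dataclasses import dataclass

# Assumed KPI thresholds for the indicator monitoring stage (placeholders, not from the page).
CPU_THRESHOLD = 80.0        # percent
FLOW_THRESHOLD = 100_000    # messages per cycle


@dataclass
class Kpi:
    cpu_util: float
    msg_flow: int
    business_ok: bool


def system_abnormal(kpi):
    """Indicator monitoring: treat the state as abnormal if any KPI condition holds
    (combining the three conditions with OR is an assumption of this example)."""
    return (kpi.cpu_util > CPU_THRESHOLD or kpi.msg_flow > FLOW_THRESHOLD
            or not kpi.business_ok)


class DefensePolicyExecutor:
    """Policy execution on the forwarding plane, driven by control plane decisions."""

    def __init__(self, defense_seconds, clock=time.monotonic):
        self.defense_seconds = defense_seconds  # the preset defense duration
        self.clock = clock
        self.suppressed = {}          # (src_ip, src_port) -> expiry time
        self.rate_limit_until = None  # indiscriminate rate limit expiry, or None
        self.security_log = []        # context recorded for later manual analysis

    def issue(self, sources):
        """Suppression policy for traced sources; indiscriminate rate limit if none."""
        now = self.clock()
        expiry = now + self.defense_seconds
        if sources:
            for src in sources:
                self.suppressed[src] = expiry
                self.security_log.append(("suppress", src, expiry))
        else:
            self.rate_limit_until = expiry
            self.security_log.append(("rate_limit_all", None, expiry))

    def expire(self):
        """Invalidation policy: lift every action whose defense time has elapsed, so a
        spoofed or whitelisted address is never suppressed indefinitely."""
        now = self.clock()
        for src, until in list(self.suppressed.items()):
            if now >= until:
                del self.suppressed[src]
                self.security_log.append(("invalidate", src, now))
        if self.rate_limit_until is not None and now >= self.rate_limit_until:
            self.rate_limit_until = None
            self.security_log.append(("invalidate", "rate_limit_all", now))

    def decision(self, src):
        """Forwarding-plane action for a message from src: suppress, rate_limit or forward."""
        self.expire()
        if src in self.suppressed:
            return "suppress"
        if self.rate_limit_until is not None:
            return "rate_limit"
        return "forward"


def run_cycle(executor, kpi, msgs, detector):
    """One pass through the stages. detector(msgs) is any attack detection routine
    returning {'attack': bool, 'sources': set of (src_ip, src_port)}; returns the
    stage the system ends the cycle in."""
    if not system_abnormal(kpi):
        return "indicator_monitoring"          # stay in the initial stage
    result = detector(msgs)
    if not result["attack"]:
        return "indicator_monitoring"          # fall back, no attack detected
    executor.issue(result["sources"])          # tracing result drives the policy
    return "policy_execution"


if __name__ == "__main__":
    ex = DefensePolicyExecutor(defense_seconds=30)
    stage = run_cycle(ex, Kpi(95.0, 1200, True), [],
                      lambda m: {"attack": True, "sources": {("192.0.2.9", 50000)}})
    print(stage, ex.decision(("192.0.2.9", 50000)), ex.decision(("10.0.0.2", 40001)))
```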
  • the network element device of this embodiment provides attack detection and attack tracing functions of the forwarding plane and the control plane. After detecting an attack or tracing the attack source, an alarm or log record is generated, and attack defense or suppression functions are provided. Based on the powerful computing power of the control plane, this embodiment monitors key KPIs such as data flow and CPU utilization on the control plane, and uses the information entropy algorithm to further verify and analyze whether the device is under attack, thereby improving the accuracy of the attack detection method through multi-dimensional analysis. After detecting an attack, the control plane uses historical data and message features during the attack to perform frequency analysis, calculate suspected attack sources, and implement attack tracing functions. At the same time, after locking the suspected attack source, the control plane sends the attack source information and attack defense strategy to the forwarding plane, and the forwarding plane executes the defense strategy to protect the normal operation of the device.
  • FIG. 6 is a schematic diagram of functional modules of an embodiment of a network attack defense device of the present application.
  • the network attack defense device includes:
  • a state determination module 10 configured to detect the system operation state of the current cycle;
  • the attack detection module 20 is configured to, after determining that the system operation state is abnormal, use the message data flow in the current cycle as the data flow to be detected, and check whether there is an attack message in the data flow to be detected according to the message frequency information, message load information and source address information corresponding to the data flow to be detected, wherein the source address information includes a source IP address and a source port;
  • the attack defense module 30 is configured to, after determining that an attack message exists, identify a source sending address corresponding to the attack message, and suppress messages sent by the source sending address.
  • the state determination module 10 is further configured to:
  • the system operation status of the current cycle is determined according to the CPU utilization, the system message flow value and the service operation status.
  • the state determination module 10 is further configured to determine the system operation state of the current cycle as abnormal operation based on whether the CPU utilization is greater than a preset utilization threshold, whether the system message flow value is greater than a preset flow threshold, and whether the service operation state is abnormal.
  • the attack detection module 20 is further configured to:
  • an information entropy value corresponding to the source address information in a current cycle is determined, and according to the information entropy value, it is determined whether the data flow to be detected is an attack message.
  • the attack defense module 30 is also configured to:
  • a second record log corresponding to the attack source tracing identification result is generated.
  • the attack defense module 30 is further configured to:
  • a rate limit process is performed on each message in the data flow to be detected for a preset defense time period.
  • the network attack defense device provided in this embodiment and the network attack defense method provided in the above-mentioned embodiment belong to the same inventive concept.
  • the technical details not fully described in this embodiment can be found in the embodiments of the above-mentioned network attack defense method.
  • This embodiment has the same beneficial effects as the embodiments of the network attack defense method, which will not be repeated here.
  • the device embodiments described above are merely illustrative, and the units described as separate components may or may not be physically separated, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • the application environment of the embodiment of the present application is mainly a communication network environment.
  • the communication network is composed of multiple interconnected network element devices.
  • the network element devices are mainly responsible for receiving and sending message data in the network.
  • a single network element device includes a master control and a line card.
  • the embodiment of the present application is mainly applied to a single network element device, in which both the master control and the line card are involved.
  • an embodiment of the present application also provides a network element device, which may be, for example, an edge router, or a broadband remote access server (Broadband Remote Access Server, BRAS), a broadband network gateway (Broadband Network Gateway), a serving GPRS support node (Serving GPRS Support Node, SGSN), a gateway GPRS support node (Gateway GPRS Support Node, GGSN), a mobility management entity (Mobility Management Entity, MME) or a serving gateway (Serving GateWay, S-GW), etc.
  • FIG. 7 is a schematic diagram of the hardware structure of a network element device provided in an embodiment of the present application.
  • the network element device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005.
  • the communication bus 1002 is used to realize the connection and communication between these components.
  • the user interface 1003 may include a display screen (Display) and an input unit such as a keyboard; the user interface 1003 may also include a standard wired interface and a wireless interface.
  • the network interface 1004 may include a standard wired interface and a wireless interface (such as a wireless fidelity (Wireless-Fidelity, WI-FI) interface).
  • the memory 1005 may be a high-speed random access memory (Random Access Memory, RAM) or a stable non-volatile memory (Non-Volatile Memory, NVM), such as a disk memory.
  • the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
  • the structure shown in FIG7 does not constitute a limitation on the network element device, and may include more or fewer components than shown in the figure, or combine certain components, or arrange components differently.
  • the memory 1005 as a storage medium may include an operating system, a data storage module, a network communication module, a user interface module, and a network attack defense program.
  • the network interface 1004 is mainly used for data communication with other devices; the user interface 1003 is mainly used for data interaction with the user; the processor 1001 and the memory 1005 in this embodiment can be set in the communication device, and the communication device calls the network attack defense program stored in the memory 1005 through the processor 1001, and executes the defense method applied to the network attack provided in any of the above embodiments.
  • the terminal proposed in this embodiment and the defense method applied to network attacks proposed in the above embodiment belong to the same inventive concept.
  • the technical details not fully described in this embodiment can be referred to any of the above embodiments, and this embodiment has the same beneficial effects as the defense method for executing network attacks.
  • an embodiment of the present application also proposes a computer storage medium, which may be a non-volatile computer-readable storage medium, on which a network attack defense program is stored, and when the network attack defense program is executed by a processor, the network attack defense method of the present application as described above is implemented.
  • the various embodiments of the network element device and computer-readable storage medium of the present application can all refer to the various embodiments of the network attack defense method of the present application, which will not be repeated here.
  • the technical solution of the present application is essentially or the part that contributes to the prior art can be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, disk, CD) as described above, including a number of instructions for enabling a network element device (which can be a mobile phone, computer, server, air conditioner, or network device, etc.) to execute the methods described in each embodiment of the present application.


Abstract

The present application belongs to the technical field of network security. Disclosed are a network attack defense method, a network element device and a computer-readable storage medium. The method of the present application comprises: detecting a system operation state of a current period; after determining the system operation state being abnormal operation, using a message data flow in the current period as a data flow under test, and according to message frequency information, message load information and source address information corresponding to said data flow, detecting whether an attack message is present in said data flow; and after determining that an attack message is present, identifying a source sending address corresponding to the attack message, and performing suppression processing on messages sent by the source sending address.

Description

Network attack defense method, network element device and computer-readable storage medium

Related Applications

This application claims priority to Chinese patent application No. 202310045480.2, filed on January 30, 2023, the entire contents of which are incorporated herein by reference.

Technical Field

The present application relates to the field of network security technology, and in particular to a network attack defense method, a network element device and a computer-readable storage medium.

Background Art

In recent years, the Internet industry has been continually subjected to large-scale DDoS (Distributed Denial of Service) network attacks. A DDoS attack can rapidly exhaust the key resources (such as bandwidth, buffers and processor resources) of the attacked host in an SDN (Software Defined Network), causing it to crash or to spend a large amount of time processing attack packets, so that network services can no longer be provided normally; this constitutes a denial-of-service attack, poses a threat that cannot be ignored to the network devices and network services in the SDN network, and has a considerable impact on the security of the SDN network. Therefore, network attacks need to be detected, traced to their source and defended against.

At present, anti-attack solutions generally configure additional DDoS detection equipment for the network element device to monitor traffic and divert it to a stateful firewall. Because of cost and scale constraints, DDoS detection equipment cannot monitor all network traffic. In practical application scenarios, faced with highly distributed and complex attack behaviour, current network anti-attack solutions can no longer ensure effective defense against the network attack source within a short time: either a long time is needed before the network attack source can be detected and defended against, or the detection accuracy for the network attack source is sacrificed to improve detection efficiency. Detection efficiency and detection accuracy for the network attack source cannot both be achieved at the same time.

Summary of the Invention

The main purpose of the present application is to provide a network attack defense method, a network element device and a computer-readable storage medium, aiming to solve the technical problem that the detection efficiency and detection accuracy for network attack sources currently cannot both be achieved at the same time.

To achieve the above objective, the present application provides a network attack defense method, including:

detecting the system operation state of the current period;

after determining that the system operation state is abnormal, taking the message data flow in the current period as the data flow to be detected, and checking, according to the message frequency information, message payload information and source address information corresponding to the data flow to be detected, whether an attack message is present in the data flow to be detected, wherein the source address information includes a source IP address and a source port;

after determining that an attack message is present, identifying the source sending address corresponding to the attack message, and performing suppression processing on messages sent by the source sending address.

In addition, to achieve the above objective, the present application further provides a network element device, the network element device comprising: a memory, a processor, and a network attack defense program stored in the memory and executable on the processor, wherein the network attack defense program, when executed by the processor, implements the network attack defense method described above.

In addition, to achieve the above objective, the present application further provides a computer-readable storage medium on which a network attack defense program is stored, wherein the network attack defense program, when executed by a processor, implements the network attack defense method described above.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and a person of ordinary skill in the art can obtain other drawings from the structures shown in these drawings without creative effort.

FIG. 1 is a flow chart of a first embodiment of the network attack defense method of the present application;

FIG. 2 is a flow chart of a second embodiment of the network attack defense method of the present application;

FIG. 3 is a schematic diagram of the system architecture of a network attack defense system according to an embodiment of the present application;

FIG. 4 is a flow chart of the global stages of the network attack defense method according to an embodiment of the present application;

FIG. 5 is a flow chart of the network attack defense method in a specific embodiment of the present application;

FIG. 6 is a schematic diagram of the functional modules of a network attack defense apparatus according to an embodiment of the present application;

FIG. 7 is a schematic diagram of the hardware structure of the network element device involved in an embodiment of the present application.

The realization of the objectives, functional features and advantages of the present application will be further explained with reference to the embodiments and the accompanying drawings.

DETAILED DESCRIPTION

It should be understood that the specific embodiments described herein are only used to explain the present application and are not intended to limit it.

The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. Based on the embodiments in the present application, all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the scope of protection of the present application.

It should be noted that all directional indications in the embodiments of the present application (such as up, down, left, right, front, back, etc.) are only used to explain the relative positional relationship, movement, etc. between the components in a particular posture (as shown in the drawings); if that particular posture changes, the directional indication changes accordingly.

In the present application, unless otherwise clearly specified and limited, terms such as "connection" and "fixation" should be understood in a broad sense. For example, "fixation" can be a fixed connection, a detachable connection or an integral connection; it can be a mechanical connection or an electrical connection; it can be a direct connection or an indirect connection through an intermediate medium; and it can be the internal communication between two elements or an interaction between two elements, unless otherwise clearly limited. A person of ordinary skill in the art can understand the specific meaning of the above terms in the present application according to the specific circumstances.

In addition, descriptions such as "first" and "second" in the present application are used for descriptive purposes only and cannot be understood as indicating or implying relative importance, or as implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the various embodiments may be combined with one another, but only on the basis that a person of ordinary skill in the art can implement the combination; when a combination of technical solutions is contradictory or cannot be implemented, the combination should be regarded as non-existent and outside the scope of protection claimed by the present application.

At present, anti-attack solutions generally configure additional DDoS detection equipment for the network element device to monitor traffic and divert it to a stateful firewall. Because of cost and scale constraints, DDoS detection equipment cannot monitor all network traffic. In practical application scenarios, faced with highly distributed and complex attack behaviour, current network anti-attack solutions can no longer ensure effective defense against the network attack source within a short time: either a long time is needed before the network attack source can be detected and defended against, or the detection accuracy for the network attack source is sacrificed to improve detection efficiency. Detection efficiency and detection accuracy for the network attack source cannot both be achieved at the same time.

On this basis, an embodiment of the present application provides a network attack defense method. Referring to FIG. 1, FIG. 1 is a flow chart of an embodiment of the network attack defense method of the present application. In this embodiment, the network attack defense method includes:

Step S10: detecting the system operation state of the current period;

In this embodiment, the system operation state of the network device (or network element device) can be detected once each time a preset detection period is reached. The detection period can be set according to actual needs, for example to 1 second (s). The current period refers to the detection period in which the current moment lies. The network device is the protected object and can be a switch, a router, a host or another object that sends and receives data flows; the data flow is sent by a source device to the protected object (the network device).

The system operation state indicates whether the network device is able to process each service message normally, or, in other words, whether the network device is in a state of serious network congestion such that it cannot process the processing requests of other normal services in time.

Step S20: after determining that the system operation state is abnormal, taking the message data flow in the current period as the data flow to be detected, and checking, according to the message frequency information, message payload information and source address information corresponding to the data flow to be detected, whether an attack message is present in the data flow to be detected, wherein the source address information includes a source IP address and a source port;

In this embodiment, when the network device cannot process each service message normally, the system operation state is abnormal. Alternatively, when the network device is in a state of serious network congestion such that it cannot process the processing requests of other services in time, the system operation state is abnormal.

The message frequency information characterizes the message receiving frequency or the message sending frequency. For example, the message frequency information of network address A characterizes the message receiving frequency or message sending frequency of network address A, and the message frequency information of network address B characterizes the message receiving frequency or message sending frequency of network address B. The message receiving frequency refers to the data volume of service messages received within a specified time span, and can be measured by the number of bytes or bits received per unit time. The message sending frequency refers to the data volume of service messages sent within a specified time span, and can be measured by the number of bytes or bits sent per unit time.

An attacker frequently sends a large number of data service requests to the network device, so that the key resources of the network device are rapidly exhausted; the device crashes, or must spend time processing these data service requests, so that the service requests of other normal services cannot be processed normally. Therefore, when a large number of service requests suddenly appears within a certain time span, that is, when the message frequency value is high, this usually indicates that the data flow to be detected contains attack messages. Accordingly, this embodiment can use the message frequency information corresponding to the data flow to be detected as one dimension for judging whether the data flow to be detected contains attack messages, and perform attack detection on the data flow to be detected on that basis.

In this embodiment, the message payload information can be used to characterize the occurrence of each data item in the payload of the data flow to be detected. As is known to those skilled in the art, the occurrence of the data items in the payloads of normal messages of ordinary services is fairly similar from message to message, whereas it differs greatly from the occurrence of the data items in the payload of an attack message. Therefore, determining the occurrence of each data item in the payload of the data flow to be detected from the message payload information, and then computing an information characteristic value of the payload from that occurrence, can distinguish attack messages relatively accurately. The information characteristic value of the data flow to be detected can be determined on the basis of the occurrence of each data item in its payload. The occurrence of each data item in the payload can be the occurrence of each character in the payload, and can be expressed as an occurrence probability.

Specifically, the network device can compute the information characteristic value of the data flow to be detected from the occurrence probability of each data item in it. First, the occurrence probability corresponding to the character of each byte in the payload of the message to be detected can be determined. As one example, the occurrence probabilities of the bytes in the payload are summed to give the information characteristic value of the payload. As another example, for each byte, the logarithm of the occurrence probability of that byte is first computed, the occurrence probability of the byte is then multiplied by that logarithm to give the characteristic value corresponding to the byte, and the characteristic values corresponding to the bytes in the payload are summed to give the information characteristic value of the payload. Whether the message to be detected is an attack message is then determined on the basis of whether the computed information characteristic value lies within a preset reference information characteristic value range. The reference information characteristic value range can be a reference range for normal messages or a reference range for attack messages. Therefore, this embodiment can perform attack detection on the data flow to be detected according to its message payload information, as a second dimension for judging whether the data flow to be detected contains attack messages.

In this embodiment, the source address information can be used to characterize the source address of each service message in the data flow to be detected. The source address information includes the source IP (Internet Protocol) address and the source port. Under normal access, the resources requested by clients are highly random. When the network device is under attack, a large number of request messages for the same resource appear at the server side, which differs markedly from the random distribution of normal access behaviour. In this embodiment, the message traffic information sent by each source address can be determined from the source address information of each service message in the data flow to be detected, and the information entropy of the resources requested from the network device can be determined from the message traffic information sent by each source address. Information entropy is a measure of the degree of randomness of information; by monitoring the information entropy of the resources requested from the network device, attack messages can be discovered. Specifically, when the network device is under attack, the randomness of the URL (Uniform Resource Locator) requests sent to the network changes abruptly, so the information entropy value changes abruptly, from which it is judged that the system of the network device is suffering a message attack. The data flow corresponding to the moment at which the fluctuation trend of the information entropy meets a preset fluctuation condition is regarded as an abnormal data flow (that is, attack messages). Therefore, this embodiment can perform attack detection on the data flow to be detected according to its source address information, as a further dimension for judging whether the data flow to be detected contains attack messages.
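The three detection dimensions of step S20 (per-source message frequency, payload information characteristic value, and information entropy of the requested resources), gated by the step S10 state check, as an added worked example in Python. This is illustrative code written for this page, not ZTE's implementation: the traffic records, the 1-second period, the byte-rate limit, the normal payload reference range and the entropy-drop ratio are all constructed assumptions, and the payload feature is the page's second variant (probability times its logarithm, summed) taken over the byte alphabet, which is the Shannon entropy in bits.

```python
import math
from collections import Counter

# Constructed traffic for one 1-second detection period (sample data, not from
# the patent). Each record: (source_ip, source_port, requested_url, payload).
NORMAL_PERIOD = [
    (f"10.0.0.{i}", 40000 + i, f"/page{i}",
     f"GET /page{i} HTTP/1.1\r\nHost: a\r\n\r\n".encode())
    for i in range(8)
]
# Three normal clients plus one source flooding a single URL with a
# low-entropy payload.
ATTACK_PERIOD = NORMAL_PERIOD[:3] + [
    ("203.0.113.9", 55555, "/login", b"A" * 64) for _ in range(40)
]


def entropy_bits(counts):
    """Shannon information entropy, in bits, of a Counter of occurrences."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def payload_feature(payload):
    """Information characteristic value of one payload: occurrence probability
    of each byte value times its logarithm, summed over the byte alphabet."""
    return entropy_bits(Counter(payload))


def baseline_from(packets):
    """Reference URL entropy learned from a period known to be normal."""
    return entropy_bits(Counter(url for _ip, _port, url, _p in packets))


def detect_period(system_abnormal, packets, baseline_url_entropy,
                  period_seconds=1.0, freq_limit_bps=1000,
                  payload_normal_range=(3.0, 7.5), entropy_drop_ratio=0.5):
    """Step S20 for one period. Thresholds are assumptions chosen for the
    sample data, not values from the patent. Returns None when step S10 found
    the system operating normally (detection is not started); otherwise a
    dict with the verdict, the suspected source addresses (ip, port) and the
    KPIs that were abnormal: frequency, payload, source_entropy."""
    if not system_abnormal:
        return None
    suspects, kpi = set(), set()

    # Dimension 1: message frequency per source address (bytes per second).
    bytes_per_src = Counter()
    for ip, port, _url, payload in packets:
        bytes_per_src[(ip, port)] += len(payload)
    for src, nbytes in bytes_per_src.items():
        if nbytes / period_seconds > freq_limit_bps:
            suspects.add(src)
            kpi.add("frequency")

    # Dimension 2: payload information characteristic value checked against
    # the reference range for normal messages.
    lo, hi = payload_normal_range
    for ip, port, _url, payload in packets:
        if not lo <= payload_feature(payload) <= hi:
            suspects.add((ip, port))
            kpi.add("payload")

    # Dimension 3: information entropy of the requested resources. A sudden
    # drop below the learned baseline (many requests for one URL) is the
    # abrupt change the text describes.
    url_entropy = entropy_bits(Counter(url for _ip, _port, url, _p in packets))
    if url_entropy < baseline_url_entropy * entropy_drop_ratio:
        kpi.add("source_entropy")

    return {
        "attack": bool(kpi),
        "suspects": suspects,
        "kpi": sorted(kpi),
        "url_entropy": url_entropy,
    }


if __name__ == "__main__":
    base = baseline_from(NORMAL_PERIOD)
    print("normal period:", detect_period(True, NORMAL_PERIOD, base))
    print("attack period:", detect_period(True, ATTACK_PERIOD, base))
```

On the sample data the normal period yields no abnormal KPI, while the attack period trips all three dimensions and names only the flooding source as a suspect; the normal clients are not flagged because their per-source byte rate and payload entropy stay within the assumed ranges.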

After step S20, step S30 is performed: after determining that an attack message is present, identifying the source sending address corresponding to the attack message, and performing suppression processing on messages sent by the source sending address.

After determining that an attack message is present, the source sending address corresponding to the attack message can be identified by reading the source address information carried in the attack message.

In this embodiment, if no attack message is identified, the network device is not under attack; when the next detection period arrives, that period becomes the current period and the method returns to step S10: detecting the system operation state of the current period. If no attack message is identified in the data flow to be detected, no message defense policy needs to be executed, that is, normal messages do not need to be suppressed.

After determining that an attack message is present in the data flow to be detected, the source sending address corresponding to the attack message is identified and the messages sent by the source sending address are suppressed, so that the attack messages sent from the attack source port are refused. For example, the source sending address corresponding to the attack message can be added to a blacklist; a message carrying a source address on the blacklist can then be dropped directly, suppressing the attack messages sent by that attack source and thus defending effectively against it. Of course, a normal communication message (a non-attack message) is forwarded normally by the network device according to the forwarding logic corresponding to that message.

In this embodiment, the source sending address may be device information or network address information corresponding to the initiator of the attack behaviour data (that is, the sender of the attack messages). Device information is, for example, the MAC (Media Access Control) address of the initiator's device. Network information is, for example, the network address used by the initiator during communication, or the network segment to which its IP address belongs. In one implementation, the initiator, that is, the attacker who launches the network attack event, usually launches attack behaviour continuously while carrying out the network attack.

In this embodiment, the network device can periodically analyse network communication data at a preset frequency, judge whether a network attack event has occurred, and determine the organization information of the initiator of the network attack event, so as to track and trace network attacks periodically and thereby monitor and protect the network communication security of the network device.

The network device of this embodiment provides an attack tracing function: after determining that an attack message is present, it identifies the source sending address corresponding to the attack message, thereby pinning down the suspected attack source, which can provide information support for subsequent attack defense. By suppressing the messages sent by that source sending address it also provides an attack defense function: based on the attack tracing result and the defense policy, attack traffic is suppressed and the normal operation of the network device is protected.

Exemplarily, after determining that an attack message is present, the method further includes:

Step A10: if the source sending address corresponding to the attack message is not identified within a preset duration, performing rate-limiting processing on each message in the data flow to be detected for a preset defense duration.

In this embodiment, the preset duration can be set by those skilled in the art according to the actual situation, for example 1 minute, and is not specifically limited in this embodiment.

In this embodiment, when the source sending address corresponding to the attack message is not identified within the preset duration, each message in the data flow to be detected is rate-limited for the preset defense duration, so that indiscriminate rate limiting is performed when attack tracing fails to find the attack source, and when the defense policy times out an expiry policy is executed to prevent continuous suppression of normal communication messages. By setting a preset defense protection duration, this embodiment achieves suppression of attack messages to a certain extent, and after the preset defense protection duration the suppression of each message in the data flow to be detected is cancelled, thereby effectively restoring the processing of the service requests of normal messages.
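The suppression side of step S30 together with the step A10 fallback, as an added Python example written for this page rather than taken from the patent: identified source sending addresses are blacklisted and their messages dropped; if no source is identified within the trace timeout, every source is rate-limited for the defense duration; and both measures expire so that normal traffic recovers. The simulated clock, the timeout and duration values, the per-second packet limit and the assumption that blacklist entries also expire after the defense duration are all choices made here, not values from the page.

```python
from collections import defaultdict


class AttackSuppressor:
    """Blacklist plus time-boxed indiscriminate rate limit.

    Times are seconds on a caller-supplied clock so the behaviour can be
    replayed deterministically. Policy values are assumptions for the example.
    """

    def __init__(self, trace_timeout=60.0, defense_duration=120.0, limit_pps=100):
        self.trace_timeout = trace_timeout      # preset duration for tracing (A10)
        self.defense_duration = defense_duration  # preset defense duration
        self.limit_pps = limit_pps              # packets per source per second while limited
        self.blacklist = {}                     # (ip, port) -> expiry time (assumed to expire)
        self.attack_since = None                # when an attack was detected, no source yet
        self.limit_until = None                 # end of the indiscriminate rate-limit window
        self._window = (None, defaultdict(int))  # (current second, per-source packet counts)

    def attack_detected(self, now):
        """Step S20 found attack messages; tracing of the source starts now."""
        if self.attack_since is None:
            self.attack_since = now

    def source_identified(self, src, now):
        """Step S30: tracing succeeded, blacklist the source sending address."""
        self.blacklist[src] = now + self.defense_duration
        self.attack_since = None

    def tick(self, now):
        """Apply time-based policy transitions."""
        # Step A10: trace timed out without a source -> rate-limit everyone.
        if self.attack_since is not None and now - self.attack_since >= self.trace_timeout:
            self.limit_until = now + self.defense_duration
            self.attack_since = None
        # Expiry policy: lift the limit and stale blacklist entries.
        if self.limit_until is not None and now >= self.limit_until:
            self.limit_until = None
        self.blacklist = {s: t for s, t in self.blacklist.items() if t > now}

    def admit(self, src, now):
        """Return True to forward a message from src, False to drop it."""
        self.tick(now)
        if src in self.blacklist:
            return False
        if self.limit_until is not None:
            sec = int(now)
            if self._window[0] != sec:
                self._window = (sec, defaultdict(int))
            self._window[1][src] += 1
            return self._window[1][src] <= self.limit_pps
        return True


if __name__ == "__main__":
    s = AttackSuppressor(trace_timeout=60, defense_duration=120, limit_pps=2)
    s.attack_detected(0.0)
    s.source_identified(("203.0.113.9", 55555), 2.0)
    print("blacklisted source at t=3:", s.admit(("203.0.113.9", 55555), 3.0))
    print("normal source at t=3:", s.admit(("10.0.0.1", 40001), 3.0))
    print("blacklist expired at t=123:", s.admit(("203.0.113.9", 55555), 123.0))
```

Calling `admit` drives the policy clock, so a quiet link still expires its measures on the next message; a production element would run `tick` from the detection period timer instead so the defense window closes on schedule even without traffic.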

示例性地,在所述检查所述待检测数据流中是否存在攻击报文的步骤之后,所述方法还包括:Exemplarily, after the step of checking whether there is an attack message in the data flow to be detected, the method further includes:

步骤B10,基于检查所述待检测数据流中是否存在攻击报文的检查结果,生成攻击报文检查结果对应的第一记录日志;Step B10, based on the inspection result of checking whether there is an attack message in the data flow to be detected, generating a first record log corresponding to the attack message inspection result;

例如,若该检查结果为检查到待检测数据流中存在攻击报文,则生成的该第一记录日志中可记录检查到攻击报文的时间、攻击报文的接收端口,以及识别出该攻击报文是基于 哪一项KPI(Key Performance Indicator,关键绩效指标考核法)指标存在异常等相关信息。其中,该KPI指标可包括该待检测数据流对应的报文频率信息、报文载荷信息或者信息熵等。For example, if the inspection result is that an attack message is detected in the data stream to be detected, the generated first record log may record the time when the attack message is detected, the receiving port of the attack message, and the identification of the attack message based on Which KPI (Key Performance Indicator) indicator has an abnormality and other related information. The KPI indicator may include the message frequency information, message load information or information entropy corresponding to the data flow to be detected.

步骤B20,在所述识别所述攻击报文对应的源发送地址的步骤之后,所述方法还包括:Step B20, after the step of identifying the source sending address corresponding to the attack message, the method further includes:

步骤B30,基于识别所述攻击报文对应的源发送地址的识别结果,生成攻击溯源识别结果对应的第二记录日志。Step B30: Based on the identification result of the source sending address corresponding to the attack message, a second record log corresponding to the attack source tracing identification result is generated.

例如,若该识别结果为未识别到攻击报文对应的源发送地址的结果,则生成的该第二记录日志中可记录未成功进行攻击溯源的结果信息。若该识别结果为识别到攻击报文对应的源发送地址的结果,则生成的该第二记录日志中可记录已成功进行攻击溯源的结果信息、识别到该源发送地址的时间,以及该源发送地址等相关信息。For example, if the identification result is that the source sending address corresponding to the attack message is not identified, the generated second record log may record the result information that the attack source tracing is not successful. If the identification result is that the source sending address corresponding to the attack message is identified, the generated second record log may record the result information that the attack source tracing is successful, the time when the source sending address is identified, and the source sending address and other related information.

本实施例通过在检查所述待检测数据流中是否存在攻击报文的检查结果,生成攻击报文检查结果对应的第一记录日志,从而实现在检测到攻击报文时通过日志记录向工作人员产生告警,同时也便于后续工作人员根据该第一记录日志,对攻击报文进行检测时的相关情况进行复盘,有利于对检测待检测数据流中是否存在攻击报文的攻击检测机制进行迭代优化。本实施例还通过基于识别攻击报文对应的源发送地址的识别结果,生成攻击溯源识别结果对应的第二记录日志,从而实现在检测到发送攻击报文对应的源地址(即攻击源)时通过日志记录向工作人员产生告警,同时便于后续工作人员根据该第二记录日志,对攻击报文进行溯源时的相关情况进行复盘,有利于对识别攻击报文对应的源发送地址的攻击溯源机制进行迭代优化。This embodiment generates a first record log corresponding to the attack message check result by checking whether there is an attack message in the data stream to be detected, thereby generating an alarm to the staff through log records when the attack message is detected, and it is also convenient for subsequent staff to review the relevant situation when the attack message is detected according to the first record log, which is conducive to iterative optimization of the attack detection mechanism for detecting whether there is an attack message in the data stream to be detected. This embodiment also generates a second record log corresponding to the attack tracing identification result based on the identification result of the source sending address corresponding to the attack message, thereby generating an alarm to the staff through log records when the source address (i.e., the attack source) corresponding to the sending attack message is detected, and it is also convenient for subsequent staff to review the relevant situation when the attack message is traced according to the second record log, which is conducive to iterative optimization of the attack tracing mechanism for identifying the source sending address corresponding to the attack message.

The present application proposes a network attack defense method, a network element device and a computer-readable storage medium. In the network attack defense method, the technical solution of the embodiment of the present application first detects the system operation status of the current cycle, so that the system operation status is checked before network attack detection is performed on the message data flow, and the subsequent network attack detection steps are executed only after the system operation status has been determined to be abnormal. This avoids blindly starting network attack detection, which would increase the system operation load and in turn reduce the efficiency of detecting the actual network attack source. After the system operation status is determined to be abnormal, the message data flow in the current cycle is taken as the data flow to be detected, and the data flow to be detected is checked for attack messages according to its message frequency information, message payload information and source address information, so that whether the network element device (also called the network device) is under network attack is determined on the basis of multi-dimensional analysis, which improves the accuracy of network attack identification and the efficiency of network attack source detection. After it is determined that attack messages exist, the source sending address corresponding to the attack message is identified, completing the source tracing of the network attack, and the messages sent by that source sending address are then suppressed, so that an attack defense or suppression function is also provided once an attack is detected or traced to its source, protecting the normal operation of the network element device.

Current anti-attack solutions generally configure an additional DDoS detection device for the network element device to monitor traffic and divert it to a stateful firewall. Because of cost and scale constraints, the DDoS detection device cannot monitor all network traffic. In actual application scenarios, faced with highly distributed and complex attack behavior, current network anti-attack solutions can no longer ensure effective defense against network attack sources within a short time, and cannot take into account both the detection efficiency and the detection accuracy of network attack sources at the same time.

Compared with the current anti-attack solution, the embodiment of the present application does not need to configure a DDoS detection device. The embodiment of the present application can integrate the logic of the network attack defense method into the network element device itself, which directly detects, traces and defends against network attacks on the message data flow without diverting it to a stateful firewall, thereby improving the detection efficiency for the network attack source. Furthermore, by monitoring key KPIs (Key Performance Indicators) of the data flow on the network element device side, such as the message frequency information, message payload information and source address information, the embodiment of the present application verifies and analyzes whether the system is under network attack, and thus improves both the detection accuracy and the detection efficiency of network attacks on the basis of multi-dimensional analysis; that is, it improves the detection accuracy of the network attack source while improving its detection efficiency, taking both into account. In the embodiment of the present application, attack packet detection can be completed by the network element device itself, with no need to upload the data flow to a stateful firewall for processing. Because detection is completed on the network element device side, the requirements of high-speed forwarding can be met, the detection accuracy and detection efficiency of network attacks are effectively improved, and the current technical problem that the detection efficiency and detection accuracy of the network attack source cannot be achieved at the same time is solved.

In a possible implementation, step S10, detecting the system operation status of the current cycle, includes:

Step C10, detecting the CPU utilization, the system message traffic value and the service operation status of the system in the current cycle;

Step C20, determining the system operation status of the current cycle according to the CPU utilization, the system message traffic value and the service operation status.

In this embodiment, the CPU (Central Processing Unit) utilization (also called CPU usage) refers to the CPU resources currently occupied on the network device. The system message traffic value refers to the total traffic of all service messages the network device currently has to process. The service operation status characterizes whether the network device can normally process the service requests carried by normal service messages; if the service requests of more than a preset number of normal service messages cannot be processed normally, the service operation status is determined to be abnormal.

Exemplarily, in one implementable manner, step C20, determining the system operation status of the current cycle according to the CPU utilization, the system message traffic value and the service operation status, includes:

Step D10, determining whether at least one of the following conditions is satisfied: the CPU utilization is greater than a preset utilization threshold, the system message traffic value is greater than a preset traffic threshold, and the service operation status is abnormal;

Step D20, if so, determining that the system operation status of the current cycle is abnormal;

Step D30, if not, determining that the system operation status of the current cycle is normal.

In this embodiment, if at least one of the conditions that the CPU utilization is greater than the preset utilization threshold, that the system message traffic value is greater than the preset traffic threshold, and that the service operation status is abnormal is satisfied, the system operation status of the current cycle is determined to be abnormal. If none of these three conditions is satisfied, the system operation status of the current cycle is determined to be normal.

By detecting the CPU utilization, the system message traffic value and the service operation status of the system in the current cycle, and determining the system operation status of the network device for the current cycle from these three quantities, this embodiment identifies the system operation status accurately: the multiple observable characteristics that a network device exhibits when attacked are used as the criteria for judging its system operation status in the current cycle, information from multiple dimensions is taken into account, the recognition accuracy of the system operation status is greatly improved, and subsequent precise tracking and tracing of the network attack is facilitated.

Based on the first embodiment of the present application described above, a second embodiment of the network attack defense method of the present application is proposed. Referring to FIG. 2, in step S20 of the above embodiment, checking whether an attack message exists in the data flow to be detected according to the message frequency information, message payload information and source address information corresponding to the data flow to be detected includes:

Step S21, determining, according to the message frequency information, the number of service requests made by each network address for network services in the current cycle, and determining whether an attack message exists in the data flow to be detected based on the result of comparing the number of service requests with a preset number threshold;

In this embodiment, the message frequency information characterizes the message receiving frequency or the message sending frequency, so the number of service requests made by each network address for network services in the current cycle can be determined from it.

Exemplarily, the step of determining whether an attack message exists in the data flow to be detected based on the result of comparing the number of service requests with the preset number threshold includes:

Step E10, if the number of service requests of at least one network address is greater than the preset number threshold, determining that an attack message exists in the data flow to be detected, wherein the messages sent by a network address whose number of service requests is greater than the preset number threshold are attack messages.

In this embodiment, the preset number threshold can be set by those skilled in the art according to the actual situation, the criterion being that it should detect as well as possible whether an attack message exists in the data flow to be detected; this embodiment does not specifically limit it.

Attackers (for example, in a DDoS attack) often combine multiple source devices into an attack platform and issue a massive number of formally legitimate service requests to occupy a large share of the network device's service resources, so that legitimate users cannot obtain service responses from the network device. Therefore, under normal circumstances, if in some period of time the number of service requests of at least one network address is greater than the preset number threshold, the network device is very likely under network attack.

Therefore, this embodiment determines, according to the message frequency information, the number of service requests made by each network address in the current cycle, and determines whether an attack message exists in the data flow to be detected based on the comparison of that number with the preset number threshold. The number of service requests made by each network address thus serves as one dimension for judging whether the data flow to be detected contains attack messages, and the accuracy of attack detection is improved.

After step S21, step S22 is executed: determining, according to the message payload information, the actual protocol structure feature corresponding to each message in the data flow to be detected in the current cycle, and determining whether an attack message exists in the data flow to be detected according to the actual protocol structure feature;

Those skilled in the art will understand that the message payload information can characterize the occurrence of each data item in the payload of the data flow to be detected. The actual protocol structure feature corresponding to each message in the data flow to be detected in the current cycle can therefore be determined from the message payload information.

Exemplarily, the step of determining whether an attack message exists in the data flow to be detected according to the actual protocol structure feature includes:

Step F10, obtaining the target service identification information of each message in the data flow to be detected;

Step F20, determining the standard protocol structure feature corresponding to the target service identification information;

Step F30, if the actual protocol structure feature of at least one message is inconsistent with the standard protocol structure feature, determining that an attack message exists in the data flow to be detected, wherein a message whose actual protocol structure feature is inconsistent with the standard protocol structure feature is an attack message.

In this embodiment, the target service identification information characterizes the service type of a message. For example, if the service type of message A in the data flow to be detected is a, then the target service identification information t of message A carries identification information for service type a. As another example, if the service type of message B in the data flow to be detected is b, then the target service identification information u of message B carries identification information for service type b.

After the data flow to be detected is obtained, the target service identification information corresponding to each message in it must first be determined. In one embodiment, the destination port number carried by each message in the data flow to be detected can be taken as the target service identification information corresponding to that message. Since different services correspond to different destination port numbers, the destination port number can be used directly as service identification information to distinguish services. For each service supported by the server or source device to which the network device is connected, the technician can predetermine the destination port number corresponding to that service as its target service identification information. In another embodiment, the target service identification information corresponding to each message can be obtained by inspecting the payload of each message in the data flow to be detected. For each service supported by the server or source device to which the network device is connected, the technician can predetermine the message payload corresponding to that service as its target service identification information.

Those skilled in the art know that messages of different service types often have different message protocol structure features. Since the target service identification information characterizes the service type of a message, when the target service identification information v of message C carries identification information for service type c, and messages of service type c have message protocol structure feature M, the standard protocol structure feature corresponding to target service identification information v is M. In other words, because messages of different service types often have different protocol structure features, different target service identification information usually corresponds to different standard protocol structure features. When the actual protocol structure feature of a message is detected to be inconsistent with the standard protocol structure feature, the message is an attack message. For example, the target service identification information w of message D carries identification information for service type d, and messages of service type d have protocol structure feature P, i.e., the standard protocol structure feature corresponding to w is P; if the actual protocol structure feature of message D is detected to be Q, which is inconsistent with the standard protocol structure feature P, message D is not a normal service message and can with high probability be determined to be an attack message sent by an attacker carrying out a network attack.

In this embodiment, determining the standard protocol structure feature corresponding to the target service identification information may specifically be: querying a preset service identification mapping table for the protocol structure feature mapped to the target service identification information, and taking the mapped protocol structure feature as the standard protocol structure feature corresponding to the target service identification information. The service identification mapping table stores multiple items of service identification information and a one-to-one mapping between each item of service identification information and a protocol structure feature.

By determining, according to the message payload information, the actual protocol structure feature corresponding to each message in the data flow to be detected in the current cycle, and determining from it whether an attack message exists in the data flow to be detected, this embodiment uses the actual protocol structure feature of each message as a further dimension for judging whether the data flow to be detected contains attack messages, detects attack messages in the data flow to be detected more comprehensively, and improves the comprehensiveness of attack detection.

After step S22, step S23 is executed: determining, according to the source address information, the information entropy value corresponding to the source address information in the current cycle, and determining according to the information entropy value whether the data flow to be detected contains attack messages.

In this embodiment, the source address information characterizes the source address of each service message in the data flow to be detected; it includes the source IP (Internet Protocol) address and the source port. Under normal access, the resources requested by clients are fairly random. When the network device is under attack, a large number of request messages for the same requested resource appear on the server side, which differs markedly from the random distribution of normal access behavior. In this embodiment, the message traffic information sent by each source address can be determined from the source address information of each service message in the data flow to be detected, and from the message traffic information of each source address the information entropy of the network device's requested resources (i.e., the information entropy value corresponding to the source address information in the current cycle) can be obtained; the information entropy value corresponding to the source address information in the current cycle is therefore determined from the source address information. The information entropy value is a measure of the degree of randomness of the information, and attack messages are discovered by monitoring the information entropy of the network device's requested resources. Specifically, when the network device is under attack, the randomness of the URL (Uniform Resource Locator) requests made to the network changes abruptly and the information entropy value changes abruptly with it, from which it is judged that the system of the network device is under message attack. The data flow whose information entropy fluctuation reaches a preset fluctuation condition is treated as the abnormal data flow (i.e., the attack messages).

Exemplarily, the step of determining, according to the information entropy value, whether the data flow to be detected contains attack messages includes:

Step G10, obtaining the target service identification information of each message in the data flow to be detected;

Step G20, determining, in the preset service identification mapping table, the information reference entropy range corresponding to the target service identification information;

Step G30, if the information entropy value of at least one message is not within the information reference entropy range, determining that an attack message exists in the data flow to be detected, wherein a message whose information entropy value is not within the information reference entropy range is an attack message.

In this embodiment, those skilled in the art know that messages of different service types often correspond to different information entropy value ranges. Since the target service identification information characterizes the service type of a message, when the target service identification information v of message C carries identification information for service type c, and messages of service type c correspond to the information entropy value range (j, k), the information reference entropy range corresponding to target service identification information v is (j, k). In other words, because messages of different service types often correspond to different information entropy value ranges, different target service identification information usually corresponds to different information reference entropy ranges. When the information entropy value of a message is detected to be outside its corresponding information reference entropy range, the message is an attack message. For example, the target service identification information w of message D carries identification information for service type d, and messages of service type d correspond to the information entropy value range (l, n), i.e., the information reference entropy range corresponding to w is (l, n); if the information entropy value of message D is detected to be outside the range (l, n), message D is not a normal service message and can with high probability be determined to be an attack message sent by an attacker carrying out a network attack.

In this embodiment, the preset service identification mapping table stores multiple items of service identification information and a one-to-one mapping between each item of service identification information and an information entropy value range. The information entropy value range mapped to the target service identification information is obtained by querying the preset service identification mapping table, and the mapped range is taken as the information reference entropy range corresponding to the target service identification information.

By determining, according to the source address information, the information entropy value corresponding to the source address information in the current cycle, and determining from that entropy value whether the data flow to be detected contains attack messages, this embodiment uses the information entropy value corresponding to the source address information as yet another dimension for judging whether the data flow to be detected contains attack messages, detects attack messages in the data flow to be detected more comprehensively and accurately, and improves the comprehensiveness and accuracy of attack detection.

This embodiment determines, according to the message frequency information, the number of service requests made by each network address in the current cycle, and determines whether an attack message exists in the data flow to be detected based on the comparison of that number with the preset number threshold; it further determines, according to the message payload information, the actual protocol structure feature corresponding to each message in the data flow to be detected in the current cycle, and determines from that feature whether an attack message exists; and it also determines, according to the source address information, the information entropy value corresponding to the source address information in the current cycle, and determines from that entropy value whether the data flow to be detected contains attack messages. In this way the attack messages in the data flow to be detected in the current cycle of the network device are identified accurately: the multiple anomalous message characteristics that accompany attack messages in the data flow to be detected are used as the criteria for identifying attack messages, information from multiple dimensions is taken into account, the identification accuracy of attack messages is greatly improved, and subsequent precise tracking and tracing of the network attack and the adoption of targeted defense measures are facilitated.
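The following Python script is an added example, not code from the patent or from ZTE: it implements a toy version of the system-status gate of steps D10 to D30 and the three detection dimensions of steps S21 to S23 (request count per network address, actual protocol structure feature versus the service identification mapping table keyed by destination port, and information entropy versus a per-service reference range) over a constructed one-cycle capture. The thresholds, the mapping table, the sample traffic and the reading of "information entropy" as the Shannon entropy of the source-address distribution per service are all assumptions of the example.

```python
"""Added example, not the patent's code: a toy version of the step D10-D30 status
gate plus the S21-S23 detection dimensions over a constructed one-cycle capture."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int   # taken as the target service identification (step F10)
    structure: str  # the message's actual protocol structure feature (simplified)


# Constructed service identification mapping table (steps F20 / G20):
# destination port -> (standard protocol structure feature, reference entropy range)
SERVICE_TABLE = {
    53:   ("dns-query",        (1.5, 8.0)),
    443:  ("tls-client-hello", (2.0, 8.0)),
    8080: ("http-request",     (1.0, 8.0)),
}
CPU_THRESHOLD = 0.80      # preset utilization threshold (assumed)
TRAFFIC_THRESHOLD = 1000  # preset traffic threshold, packets per cycle (assumed)
REQUEST_THRESHOLD = 20    # preset number threshold per network address (assumed)


def system_abnormal(cpu_util, traffic, service_ok):
    """Steps D10-D30: abnormal if any one of the three conditions holds."""
    return cpu_util > CPU_THRESHOLD or traffic > TRAFFIC_THRESHOLD or not service_ok


def shannon_entropy(counts):
    """Entropy in bits of a histogram given as an iterable of counts."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def check_frequency(packets):
    """Step E10: addresses whose request count in the cycle exceeds the threshold."""
    per_addr = Counter(p.src_ip for p in packets)
    return {ip for ip, n in per_addr.items() if n > REQUEST_THRESHOLD}


def check_payload(packets):
    """Steps F10-F30: addresses whose message structure differs from the standard."""
    flagged = set()
    for p in packets:
        entry = SERVICE_TABLE.get(p.dst_port)
        if entry is not None and p.structure != entry[0]:
            flagged.add(p.src_ip)
    return flagged


def check_entropy(packets):
    """Steps G10-G30: Shannon entropy of the source-address distribution per service;
    returns {port: entropy} for services outside the table's reference range."""
    by_service = defaultdict(Counter)
    for p in packets:
        by_service[p.dst_port][p.src_ip] += 1
    flagged = {}
    for port, hist in by_service.items():
        entry = SERVICE_TABLE.get(port)
        if entry is None:
            continue
        low, high = entry[1]
        h = shannon_entropy(hist.values())
        if not low <= h <= high:
            flagged[port] = round(h, 3)
    return flagged


def run_cycle(cpu_util, traffic, service_ok, packets):
    """Step S10 gate, then step S20; None means status normal, detection skipped."""
    if not system_abnormal(cpu_util, traffic, service_ok):
        return None
    return {"frequency": check_frequency(packets),
            "payload": check_payload(packets),
            "entropy": check_entropy(packets)}


def sample_cycle():
    """Constructed one-cycle capture (not real data) with three distinct anomalies."""
    pkts = [Packet(f"192.0.2.{i + 1}", 40000 + i, 53, "dns-query") for i in range(5)]
    # (1) frequency dimension: one address sends 30 well-formed DNS queries
    pkts += [Packet("10.0.0.7", 50000 + i, 53, "dns-query") for i in range(30)]
    pkts += [Packet(f"198.51.100.{i + 1}", 41000 + i, 443, "tls-client-hello") for i in range(8)]
    # (2) payload dimension: one message to 443 whose structure is not a ClientHello
    pkts.append(Packet("10.0.0.9", 51000, 443, "raw-garbage"))
    # (3) entropy dimension: port 8080 dominated by one address that stays below
    #     REQUEST_THRESHOLD, so only the entropy dimension notices it
    pkts += [Packet("10.0.0.11", 52000 + i, 8080, "http-request") for i in range(15)]
    pkts.append(Packet("203.0.113.5", 42000, 8080, "http-request"))
    return pkts


if __name__ == "__main__":
    capture = sample_cycle()
    print(run_cycle(0.92, len(capture), True, capture))
```

With a normal CPU reading the gate returns None and no packet is inspected; with an abnormal reading each of the three constructed anomalies is caught by exactly the dimension that the corresponding step describes.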

To help understand the technical principle or technical concept of the embodiment of the present application, a specific embodiment is given with reference to FIG. 3, which is a schematic diagram of the system architecture of the network attack defense system of the embodiment of the present application:

In this embodiment, the network attack defense system involves only the software architecture. The whole system consists of two logical layers, a forwarding plane and a control plane. The control plane mainly performs KPI monitoring, attack detection and implementation of the tracing algorithm, while the forwarding plane provides the raw message data and executes the defense policy.

The control plane includes KPI monitoring, data collection management, attack detection, attack tracing and defense policy modules. The KPI monitoring module monitors the KPIs that characterize whether the system operation status is normal, such as the CPU utilization, the health statistics of each service module (i.e., the service operation status) and the message traffic data on the channel side (i.e., the system message traffic value). The data collection management module analyzes and manages the data to be collected: when a KPI is abnormal, it works out which further data needs to be collected, sends collection instructions to the forwarding plane, and manages the data centrally once collection is complete. The attack detection module performs attack detection analysis on the collected message data, using the information entropy (i.e., the information entropy value corresponding to the source address information in the current cycle), the frequency features (i.e., the message frequency information) and the message content (i.e., the message payload information) to judge whether the system is under attack, and logs the detection result and generates an alarm. The attack tracing module analyzes the attack source on the basis of the collected message data, using the frequency statistics features (i.e., the message frequency information) and the message content features (i.e., the message payload information) to determine the five-tuple of the attack source (source address, source port number, destination address, destination port number and protocol number), and logs the tracing result and generates an alarm. The defense policy module determines the specific defense action according to the preset defense policy.

转发面包括原始报文数据采集和策略执行两个模块。原始报文采集分为周期上报的报文数据和控制面采集的报文数据两类,为控制面攻击检测、溯源提供原始数据。策略执行模块根据控制面下发的防御策略执行具体的防御动作,保护设备在攻击时正常运行。The forwarding plane includes two modules: original message data collection and policy execution. Original message collection is divided into two categories: periodically reported message data and control plane collected message data, providing original data for control plane attack detection and tracing. The policy execution module performs specific defense actions according to the defense strategy issued by the control plane to protect the normal operation of the device during the attack.

本实施例涉及一种控制面和转发面联动的攻击检测、溯源方法或装置,尤其涉及通讯领域的网元设备。本实施例通过监控控制面的数据流及CPU利用率等关键KPI判断设备是否异常,当设备异常时,实时采集报文统计数据,利用信息熵进一步判断遭受攻击的概率,然后利用报文中源、目的地址的统计信息进行溯源,确定疑似攻击源后,向转发面下发攻击防御指令,避免设备遭受攻击后影响正常业务。该方法部署在网元设备内,无需额外部署其他防攻击设备。This embodiment relates to a control plane and forwarding plane linkage attack detection and tracing method or device, in particular to network element equipment in the communication field. This embodiment determines whether the equipment is abnormal by monitoring the data flow and key KPIs such as CPU utilization of the control plane. When the equipment is abnormal, it collects message statistics in real time, uses information entropy to further determine the probability of being attacked, and then uses the statistical information of the source and destination addresses in the message to trace the source. After determining the suspected attack source, it sends attack defense instructions to the forwarding plane to prevent the normal business from being affected after the device is attacked. This method is deployed in the network element equipment, and there is no need to deploy other anti-attack equipment.

The specific embodiments above only help to understand the technical principle or technical concept of the embodiments of the present application and do not limit the present application; further simple variations based on this technical concept all fall within its scope of protection.

To further explain the technical concept or technical principle of the embodiments of the present application, a network attack defense method of another specific embodiment is set out below. It comprises the following.

Refer to Figure 4, the global stage flow chart of the network attack defense method of this embodiment. Viewed as a global process, this embodiment involves four main stages: indicator monitoring, attack detection, attack tracing and attack defense.

The indicator monitoring stage is the initial stage of the whole process and involves two actions, periodic data collection and indicator monitoring. If indicator monitoring finds the system running normally, the process stays in this stage; if the system is running abnormally, it enters the attack detection stage (that is, after the system running state is determined to be abnormal, the packet data flow of the current cycle is taken as the data flow to be detected and checked for attack packets).

The attack detection stage involves two steps, event data collection and attack detection judgment. If no attack on the system is detected, the process falls back to the indicator monitoring stage; if an attack is detected, it enters the attack tracing stage (that is, identifying the source sending address of the attack packets).

The attack tracing stage involves the attack tracing analysis action; once it completes, the process automatically enters the policy execution stage.

The policy execution stage covers issuing a suppression policy to the forwarding plane (suppressing the packets sent by the source sending address), issuing an expiry policy to the forwarding plane (rate-limiting or suppressing the packets from the source sending address for a preset defense duration and restoring normal handling afterwards), an indiscriminate rate-limiting policy (rate-limiting all packets in the data flow to be detected), and logging. When attack tracing finds the attack source, the suppression policy is issued to the forwarding plane. When attack tracing does not find the attack source, indiscriminate rate limiting is applied. When the defense policy times out, the expiry policy is executed. While under attack, the context information of the attack is written to the security log.

This embodiment provides an attack tracing function which pins down the suspected attack source with a tracing algorithm and so supplies the information on which later attack defense relies; it also provides an attack defense function which suppresses the attack traffic on the basis of the tracing result and the defense policy, protecting the normal operation of the network element.

Refer to Figure 5, a schematic flow chart of the network attack defense method in a specific embodiment of the present application. The overall process is as follows:

1. Periodically collect the KPI data to be monitored, such as CPU (Central Processing Unit) utilization, packet traffic (the system packet traffic value) and the service running state;

2. Compare the KPI data against thresholds. The three conditions are combined with OR: as soon as any one of them is abnormal, the subsequent event data collection and attack analysis are triggered;

3. Once an anomaly appears, the event data collection module collects the data needed for attack analysis (the packet data flow of the current cycle) and stores it in a cache;

4. After the event data has been stored, attack detection analysis is carried out. If the result is not an attack (no attack packet in the data flow to be detected), the process returns to the indicator monitoring stage; if the result is an attack (there is an attack packet in the data flow to be detected), attack tracing is performed;

5. Attack tracing identifies the concrete attack source, such as an IP address, or the characteristics of the attack packets, such as the payload content;

6. Attack defense determines and executes the concrete defense policy. When attack tracing can locate the attack source (the source sending address of the attack packets is identified) or the attack pattern, the defense control module issues a suppression policy; when the attack source cannot be located, indiscriminate rate limiting is applied (all packets in the data flow to be detected are rate-limited). Every policy that is executed is logged for later manual analysis. Each policy also needs an expiry time (the preset defense duration), so that suppression does not continue indefinitely in the case of an attack involving a whitelisted address.
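The six steps above, and the four-stage flow of Figure 4 that they implement, as one worked example in Python. This is an added illustration and is not code from the patent or from ZTE. The KPI thresholds, the entropy floor used for detection, the rule that a source carrying at least half of the packets is the traced source, the field names of the packet records and the sample traffic are all assumptions made for the example. The forwarding plane is simulated as an object that stores the rules the control plane issues and expires them after the preset defense duration; when no source can be located the indiscriminate rate limit is applied in the same cycle rather than after a waiting time.

```python
"""Control/forwarding-plane linkage: KPI gate -> detect -> trace -> policy.
Added example (not from the patent); thresholds, the share rule and the
packet record layout are assumptions chosen for illustration."""
import math
from collections import Counter
from dataclasses import dataclass, field

CPU_THRESHOLD = 80.0   # percent; assumed KPI threshold
PPS_THRESHOLD = 5000   # packets per second; assumed KPI threshold
ENTROPY_FLOOR = 2.0    # bits; assumed: a source set this concentrated counts as an attack
TRACE_SHARE = 0.5      # assumed: a source with at least half the packets is the traced source
DEFENSE_SECONDS = 60   # preset defense duration after which a policy expires


@dataclass
class KPI:
    cpu_util: float       # percent
    pps: int              # system packet traffic value
    services_ok: bool     # service running state


def kpi_abnormal(k: KPI) -> bool:
    """Step 2: the three KPI conditions are OR-ed; any one of them triggers analysis."""
    return k.cpu_util > CPU_THRESHOLD or k.pps > PPS_THRESHOLD or not k.services_ok


def source_entropy(packets) -> float:
    """Shannon entropy (bits) of the source IP distribution within the cycle."""
    counts = Counter(p["src"] for p in packets)
    total = len(packets)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def detect_attack(packets) -> bool:
    """Step 4: a single-source flood collapses the source entropy toward 0."""
    return bool(packets) and source_entropy(packets) < ENTROPY_FLOOR


def trace_source(packets):
    """Step 5: frequency-based tracing; returns the dominant source IP or None."""
    src, n = Counter(p["src"] for p in packets).most_common(1)[0]
    return src if n / len(packets) >= TRACE_SHARE else None


@dataclass
class ForwardingPlane:
    """Simulated forwarding plane holding the policies issued by the control plane."""
    suppressed: dict = field(default_factory=dict)   # src -> expiry timestamp
    rate_limit_all_until: float = 0.0
    log: list = field(default_factory=list)          # security log entries

    def expire(self, now: float) -> None:
        """Expiry policy: drop rules whose preset defense duration has elapsed."""
        self.suppressed = {s: t for s, t in self.suppressed.items() if t > now}
        if self.rate_limit_all_until <= now:
            self.rate_limit_all_until = 0.0

    def apply(self, action: str, src, now: float) -> None:
        """Install a suppression or indiscriminate rate-limit rule and log it."""
        expiry = now + DEFENSE_SECONDS
        if action == "suppress":
            self.suppressed[src] = expiry
        elif action == "rate_limit_all":
            self.rate_limit_all_until = expiry
        else:
            raise ValueError(action)
        self.log.append({"t": now, "action": action, "src": src, "expires": expiry})


def run_cycle(kpi: KPI, packets, fp: ForwardingPlane, now: float) -> str:
    """One monitoring cycle on the control plane; returns the stage reached."""
    fp.expire(now)                                  # step 6: policies carry an expiry time
    if not kpi_abnormal(kpi):
        return "monitoring"                         # stay in the indicator monitoring stage
    if not detect_attack(packets):                  # steps 3-4: data collected, no attack found
        return "monitoring"
    src = trace_source(packets)
    if src is None:
        fp.apply("rate_limit_all", None, now)       # source not located: indiscriminate limit
        return "rate_limit_all"
    fp.apply("suppress", src, now)                  # source located: suppression policy
    return "suppress"


def synth_packets(shares: dict) -> list:
    """Constructed sample traffic: shares maps a source IP to its packet count."""
    return [{"src": s, "dst": "192.0.2.1", "proto": "udp"}
            for s, n in shares.items() for _ in range(n)]


# Constructed traffic mixes using RFC 5737 documentation address ranges
NORMAL = synth_packets({f"203.0.113.{i}": 10 for i in range(1, 11)})
FLOOD = synth_packets({"198.51.100.7": 80, **{f"203.0.113.{i}": 1 for i in range(1, 21)}})
TWO_HEAVY = synth_packets({"198.51.100.7": 45, "198.51.100.8": 45,
                           **{f"203.0.113.{i}": 1 for i in range(1, 11)}})

if __name__ == "__main__":
    fp = ForwardingPlane()
    print(run_cycle(KPI(30.0, 800, True), NORMAL, fp, 0.0))      # monitoring
    print(run_cycle(KPI(95.0, 9000, True), FLOOD, fp, 1.0))      # suppress
    print(run_cycle(KPI(95.0, 9000, True), TWO_HEAVY, fp, 2.0))  # rate_limit_all
    fp.expire(2.0 + DEFENSE_SECONDS)
    print(fp.suppressed, fp.rate_limit_all_until, len(fp.log))
```

The entropy floor is the weak point of this simplified detector: it catches a flood from one or a few sources but not a flood of spoofed random sources, whose entropy rises instead of falling. The apparatus embodiment below therefore compares the entropy against a reference range with both a lower and an upper bound rather than against a single floor.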

The network element of this embodiment provides attack detection and attack tracing in which the forwarding plane and the control plane cooperate; after an attack is detected or traced to its source, an alarm or log record is produced, and attack defense or suppression is provided. Relying on the strong computing capacity of the control plane, this embodiment monitors key KPIs such as the data flow and CPU utilization on the control plane and uses the information entropy algorithm to further verify whether the device is under attack, improving the accuracy of detection through multi-dimensional analysis. After an attack is detected, the control plane performs a frequency analysis using historical data and the packet characteristics observed during the attack to compute the suspected attack source, which realizes attack tracing. Once the suspected source is pinned down, the control plane sends the attack source information and the defense policy to the forwarding plane, which executes the policy and protects the normal operation of the device.

What is disclosed above is only one embodiment of the present application and certainly does not limit its scope of protection. A person of ordinary skill in the art will understand that all or part of the processes that implement the embodiment above, and equivalent changes made according to the claims of the present application, remain within its scope.

In other words, the specific embodiments above only help to understand the technical concept or technical principle of the embodiments of the present application and do not limit it; further simple variations based on this technical concept all fall within its scope of protection.

In addition, an embodiment of the present application further proposes a network attack defense apparatus. Refer to Figure 6, a schematic diagram of the functional modules of one embodiment of the network attack defense apparatus of the present application.

In this embodiment, the network attack defense apparatus comprises:

a state determination module 10, configured to detect the system running state of the current cycle;

an attack detection module 20, configured to, after the system running state is determined to be abnormal, take the packet data flow of the current cycle as the data flow to be detected and check, according to the packet frequency information, packet payload information and source address information of that data flow, whether it contains an attack packet, where the source address information comprises the source IP address and the source port;

an attack defense module 30, configured to, after an attack packet is determined to exist, identify the source sending address of the attack packet and suppress the packets sent by that source sending address.

In some embodiments, the state determination module 10 is further configured to:

detect the CPU utilization, system packet traffic value and service running state of the system in the current cycle;

determine the system running state of the current cycle according to the CPU utilization, the system packet traffic value and the service running state.

In some embodiments, the state determination module 10 is further configured to:

determine whether at least one of the following conditions holds: the CPU utilization exceeds a preset utilization threshold, the system packet traffic value exceeds a preset traffic threshold, or the service running state is abnormal;

if so, determine the system running state of the current cycle to be abnormal;

if not, determine the system running state of the current cycle to be normal.

In some embodiments, the attack detection module 20 is further configured to:

determine, from the packet frequency information, the number of network service requests made by each network address in the current cycle, and decide whether the data flow to be detected contains an attack packet by comparing that number with a preset count threshold;

determine, from the packet payload information, the actual protocol structure characteristics of each packet in the data flow to be detected in the current cycle, and decide from those characteristics whether the data flow contains an attack packet;

determine, from the source address information, the information entropy value of the source address information in the current cycle, and decide from that entropy value whether the data flow to be detected carries attack packets.

In some embodiments, the attack detection module 20 is further configured to:

if the number of service requests of at least one network address exceeds the preset count threshold, determine that the data flow to be detected contains an attack packet, where the packets sent by any network address whose request count exceeds the threshold are attack packets.

In some embodiments, the attack detection module 20 is further configured to:

obtain the target service identification information of each packet in the data flow to be detected;

determine the standard protocol structure characteristics corresponding to the target service identification information;

if the actual protocol structure characteristics of at least one packet are inconsistent with the standard protocol structure characteristics, determine that the data flow to be detected contains an attack packet, where a packet whose actual characteristics are inconsistent with the standard characteristics is an attack packet.

In some embodiments, the attack detection module 20 is further configured to:

obtain the target service identification information of each packet in the data flow to be detected;

look up, in a preset service identification mapping table, the reference entropy range corresponding to the target service identification information;

if the information entropy value of at least one packet lies outside the reference entropy range, determine that the data flow to be detected contains an attack packet, where a packet whose entropy value lies outside the reference range is an attack packet.
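The three checks of the attack detection module 20 (request count per address, protocol structure against a per-service standard, and source-address entropy against a per-service reference range), as an added Python example that is not code from the patent or from ZTE. The count threshold, the contents of the standard-structure table and of the service identification mapping table, the packet record fields and the constructed traffic are all assumptions for the example; real tables would be derived from the services the network element actually terminates. Entropy is a property of a set rather than of one packet, so it is computed here over the (source IP, source port) pairs of all packets of one service in the cycle, and every packet of a service whose entropy is out of range is reported as an attack packet. A flow from a single source drives the entropy toward 0, while a flood with spoofed random sources drives it up toward log2 of the packet count, which is why the reference is a range with both a lower and an upper bound.

```python
"""Three detection checks of the attack detection module (added example).
Assumed for illustration: the request threshold, the per-service standard
protocol structure, the service -> reference entropy range mapping table,
the packet record fields and the constructed traffic."""
import math
from collections import Counter, defaultdict

REQUEST_THRESHOLD = 50          # service requests per address per cycle (assumed)

# Standard protocol structure per target service identifier (assumed contents)
STANDARD_STRUCTURE = {
    "dns": {"proto": "udp", "dport": 53, "min_len": 12},    # DNS header is 12 bytes
    "ntp": {"proto": "udp", "dport": 123, "min_len": 48},   # NTP packet is 48 bytes
}

# Preset service identification mapping table: service -> (low, high) entropy in bits (assumed)
ENTROPY_RANGE = {
    "dns": (2.5, 9.0),
    "ntp": (1.0, 9.0),
}


def entropy(values) -> float:
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def check_frequency(packets) -> list:
    """Addresses whose request count in the cycle exceeds the preset threshold."""
    counts = Counter(p["src_ip"] for p in packets)
    return sorted(ip for ip, n in counts.items() if n > REQUEST_THRESHOLD)


def check_protocol_structure(packets) -> list:
    """Packets whose actual structure disagrees with the standard for their service."""
    bad = []
    for p in packets:
        std = STANDARD_STRUCTURE.get(p["service"])
        if std is None:
            continue    # unknown service: no standard to compare against
        if (p["proto"] != std["proto"] or p["dport"] != std["dport"]
                or p["payload_len"] < std["min_len"]):
            bad.append(p)
    return bad


def check_source_entropy(packets) -> dict:
    """Services whose (src_ip, src_port) entropy lies outside the reference range."""
    by_service = defaultdict(list)
    for p in packets:
        by_service[p["service"]].append((p["src_ip"], p["src_port"]))
    out = {}
    for svc, keys in by_service.items():
        lo, hi = ENTROPY_RANGE.get(svc, (0.0, math.inf))
        h = entropy(keys)
        if not lo <= h <= hi:
            out[svc] = round(h, 3)
    return out


def detect(packets) -> dict:
    """OR of the three checks; any hit marks the flow as carrying attack packets."""
    heavy = set(check_frequency(packets))
    malformed = {id(p) for p in check_protocol_structure(packets)}
    odd = check_source_entropy(packets)
    attack = [p for p in packets
              if p["src_ip"] in heavy or id(p) in malformed or p["service"] in odd]
    return {"attack": bool(attack), "heavy_sources": sorted(heavy),
            "malformed": len(malformed), "entropy_out_of_range": odd,
            "attack_packets": len(attack)}


def pkt(src_ip, src_port, service="dns", proto="udp", dport=53, payload_len=40):
    """Constructed packet record; the field names are this example's own."""
    return {"src_ip": src_ip, "src_port": src_port, "service": service,
            "proto": proto, "dport": dport, "payload_len": payload_len}


# Constructed traffic using RFC 5737 documentation addresses
NORMAL = [pkt(f"203.0.113.{i}", 40000 + i) for i in range(1, 21)]
FLOOD = NORMAL + [pkt("198.51.100.9", 4444) for _ in range(60)]
MALFORMED = NORMAL + [pkt("203.0.113.5", 40005, payload_len=4)]   # truncated DNS header

if __name__ == "__main__":
    for name, traffic in (("normal", NORMAL), ("flood", FLOOD), ("malformed", MALFORMED)):
        print(name, detect(traffic))
```

In the flood case both the frequency check and the entropy check fire on the same source, which is the multi-dimensional confirmation the method relies on; the malformed case shows the structure check catching a single bad packet that neither statistical check would notice.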

In some embodiments, the attack detection module 20 is further configured to:

generate, from the result of checking whether the data flow to be detected contains an attack packet, a first log record corresponding to the attack packet check result;

and the attack defense module 30 is further configured to:

generate, from the result of identifying the source sending address of the attack packet, a second log record corresponding to the attack tracing result.

In some embodiments, the attack defense module 30 is further configured to:

if the source sending address of the attack packet is not identified within a preset time, rate-limit every packet in the data flow to be detected for a preset defense duration.

The network attack defense apparatus of this embodiment and the network attack defense method of the embodiments above belong to the same inventive concept. Technical details not described exhaustively here can be found in the embodiments of the defense method, and this embodiment has the same beneficial effects as those embodiments, which are not repeated here.

The apparatus embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate: they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual need to achieve the purpose of this embodiment.

The application environment of the embodiments of the present application is mainly a communications network. Such a network consists of multiple interconnected network element devices which are mainly responsible for receiving and sending packet data; a single network element comprises a main control board and line cards. The embodiments of the present application apply mainly to a single network element and involve both the main control board and the line cards.

On this basis, an embodiment of the present application further provides a network element device, which may for example be an edge router, a Broadband Remote Access Server (BRAS), a Broadband Network Gateway (BNG), a Serving GPRS Support Node (SGSN), a Gateway GPRS Support Node (GGSN), a Mobility Management Entity (MME) or a Serving Gateway (S-GW), and so on.

Refer to Figure 7, a schematic diagram of the hardware structure of a network element device provided in an embodiment of the present application. As shown in Figure 7, the network element may comprise a processor 1001, for example a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 provides the connection and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may also include standard wired and wireless interfaces. The network interface 1004 may include standard wired and wireless interfaces (such as a Wireless Fidelity (Wi-Fi) interface). The memory 1005 may be a high-speed Random Access Memory (RAM) or a stable Non-Volatile Memory (NVM) such as a disk, and may also be a storage device independent of the processor 1001.

Those skilled in the art will appreciate that the structure shown in Figure 7 does not limit the network element device, which may include more or fewer components than shown, combine certain components, or arrange them differently. As shown in Figure 7, the memory 1005, as a storage medium, may contain an operating system, a data storage module, a network communication module, a user interface module and a network attack defense program.

In the network element device shown in Figure 7, the network interface 1004 is mainly used for data communication with other devices and the user interface 1003 for data interaction with the user. The processor 1001 and memory 1005 of this embodiment may be located in a communications device which, through the processor 1001, invokes the network attack defense program stored in the memory 1005 and performs the network attack defense method provided by any of the embodiments above.

The terminal proposed in this embodiment and the network attack defense method of the embodiments above belong to the same inventive concept; technical details not described exhaustively here can be found in any of the embodiments above, and this embodiment has the same beneficial effects as performing the network attack defense method.

In addition, an embodiment of the present application further proposes a computer storage medium, which may be a non-volatile computer-readable storage medium, on which a network attack defense program is stored; when the program is executed by a processor it implements the network attack defense method of the present application as described above.

For the embodiments of the network element device and of the computer-readable storage medium of the present application, reference may be made to the embodiments of the network attack defense method; they are not repeated here.

It should be noted that in this document the terms "comprise", "include" and any variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or system that includes it.

The serial numbers of the embodiments above are for description only and do not indicate the merits of the embodiments.

From the description of the embodiments above, those skilled in the art will clearly understand that the methods of the embodiments can be implemented by software together with the necessary general-purpose hardware platform, and of course also by hardware, though in many cases the former is the better implementation. On this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, can be embodied as a software product stored in a storage medium as described above (such as ROM/RAM, magnetic disk or optical disc) and comprising instructions that cause a network element device (which may be a mobile phone, computer, server, air conditioner, network device or the like) to perform the methods described in the embodiments of the present application.

The above are only optional embodiments of the present application and do not limit its patent scope. Any equivalent structural or process transformation made using the content of the specification and drawings, or any direct or indirect application in other related technical fields, is likewise included in the patent protection scope of the present application.

Claims (11)

1. A network attack defense method, wherein the method comprises:
detecting the system running state of the current cycle;
after the system running state is determined to be abnormal, taking the packet data flow of the current cycle as the data flow to be detected, and checking, according to the packet frequency information, packet payload information and source address information corresponding to the data flow to be detected, whether the data flow to be detected contains an attack packet, wherein the source address information comprises a source IP address and a source port;
after an attack packet is determined to exist, identifying the source sending address corresponding to the attack packet, and suppressing the packets sent by the source sending address.

2. The network attack defense method of claim 1, wherein the step of detecting the system running state of the current cycle comprises:
detecting the CPU utilization, system packet traffic value and service running state of the system in the current cycle;
determining the system running state of the current cycle according to the CPU utilization, the system packet traffic value and the service running state.

3. The network attack defense method of claim 2, wherein the step of determining the system running state of the current cycle according to the CPU utilization, the system packet traffic value and the service running state comprises:
determining whether at least one of the following conditions holds: the CPU utilization is greater than a preset utilization threshold, the system packet traffic value is greater than a preset traffic threshold, and the service running state is abnormal;
if so, determining the system running state of the current cycle to be abnormal;
if not, determining the system running state of the current cycle to be normal.

4. The network attack defense method of claim 1, wherein the step of checking, according to the packet frequency information, packet payload information and source address information corresponding to the data flow to be detected, whether the data flow to be detected contains an attack packet comprises:
determining, according to the packet frequency information, the number of network service requests made by each network address in the current cycle, and determining whether the data flow to be detected contains an attack packet on the basis of a comparison between the number of service requests and a preset count threshold;
determining, according to the packet payload information, the actual protocol structure characteristics corresponding to each packet in the data flow to be detected in the current cycle, and determining, according to the actual protocol structure characteristics, whether the data flow to be detected contains an attack packet;
determining, according to the source address information, the information entropy value corresponding to the source address information in the current cycle, and determining, according to the information entropy value, whether the data flow to be detected carries attack packets.

5. The network attack defense method of claim 4, wherein the step of determining whether the data flow to be detected contains an attack packet on the basis of the comparison between the number of service requests and the preset count threshold comprises:
if the number of service requests of at least one network address is greater than the preset count threshold, determining that the data flow to be detected contains an attack packet, wherein the packets sent by a network address whose number of service requests is greater than the preset count threshold are attack packets.

6. The network attack defense method of claim 4, wherein the step of determining, according to the actual protocol structure characteristics, whether the data flow to be detected contains an attack packet comprises:
obtaining the target service identification information of each packet in the data flow to be detected;
determining the standard protocol structure characteristics corresponding to the target service identification information;
if the actual protocol structure characteristics of at least one packet are inconsistent with the standard protocol structure characteristics, determining that the data flow to be detected contains an attack packet, wherein a packet whose actual protocol structure characteristics are inconsistent with the standard protocol structure characteristics is an attack packet.

7. The network attack defense method of claim 4, wherein the step of determining, according to the information entropy value, whether the data flow to be detected carries attack packets comprises:
obtaining the target service identification information of each packet in the data flow to be detected;
determining, in a preset service identification mapping table, the reference entropy range corresponding to the target service identification information;
if the information entropy value of at least one packet is not within the reference entropy range, determining that the data flow to be detected contains an attack packet, wherein a packet whose information entropy value is not within the reference entropy range is an attack packet.

8. The network attack defense method of claim 1, wherein after the step of checking whether the data flow to be detected contains an attack packet, the method further comprises:
generating, on the basis of the result of checking whether the data flow to be detected contains an attack packet, a first log record corresponding to the attack packet check result;
and after the step of identifying the source sending address corresponding to the attack packet, the method further comprises:
generating, on the basis of the result of identifying the source sending address corresponding to the attack packet, a second log record corresponding to the attack tracing result.
如权利要求1至8中任一项所述的网络攻击的防御方法,其中,在确定存在攻击报文后,所述方法还包括:The network attack defense method according to any one of claims 1 to 8, wherein after determining that there is an attack message, the method further comprises: 若在预设时长内未识别出所述攻击报文对应的源发送地址,则对所述待检测数据流中各报文进行预设防御时长的限速处理。If the source sending address corresponding to the attack message is not identified within the preset time period, a rate limit process is performed on each message in the data flow to be detected for a preset defense time period. 一种网元设备,其中,包括:存储器、处理器及存储在所述存储器上并可在所述处理器上运行的网络攻击的防御程序,所述网络攻击的防御程序被所述处理器执行时实现如权利要求1至9中任一项所述的网络攻击的防御方法。A network element device, comprising: a memory, a processor, and a network attack defense program stored in the memory and executable on the processor, wherein the network attack defense program, when executed by the processor, implements the network attack defense method as described in any one of claims 1 to 9. 一种计算机可读存储介质,其中,所述计算机可读存储介质上存储有网络攻击的防御程序,所述网络攻击的防御程序被处理器执行时实现如权利要求1至9中任一项所述的网络攻击的防御方法。 A computer-readable storage medium, wherein a network attack defense program is stored on the computer-readable storage medium, and when the network attack defense program is executed by a processor, the network attack defense method according to any one of claims 1 to 9 is implemented.
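The claim-3 state test and the claim 4 to 9 checks, run over one detection cycle, as an added Python example; this is not the patent's or ZTE's code. It assumes illustrative thresholds, three service identifiers (http, dns, ntp), simplified protocol templates for two of them, a per-service reference entropy table, that the entropy of claim 7 is taken over the source addresses of each service's messages in the cycle, and that the checks run only in cycles the claim-3 test marks abnormal (claims 1 and 2 are not reproduced on this page). The sample traffic is constructed.

```python
import math
from collections import Counter, defaultdict, namedtuple
from dataclasses import dataclass, field

# Assumed thresholds for claims 3, 5 and 9 (illustrative values, not from the patent).
CPU_THRESHOLD = 80.0          # percent
FLOW_THRESHOLD = 50_000       # messages per cycle
MAX_REQUESTS_PER_SOURCE = 10  # service requests per source address per cycle
DEFENSE_SECONDS = 60          # fallback rate-limit duration (claim 9)
# Assumed "service identifier -> reference entropy range in bits" table (claim 7).
REFERENCE_ENTROPY = {"http": (1.0, 6.0), "dns": (0.5, 6.0), "ntp": (0.5, 3.0)}
# Assumed standard protocol structure features per service identifier (claim 6).
STANDARD_FEATURES = {"http": {"request_line": True, "crlf": True},
                     "dns": {"header": True, "qdcount_one": True}}

Packet = namedtuple("Packet", "src service payload")  # source address, target service id, bytes

@dataclass
class CycleResult:
    system_abnormal: bool
    flood_sources: set = field(default_factory=set)        # claim 5
    malformed: list = field(default_factory=list)          # claim 6, message indices
    entropy_anomalies: dict = field(default_factory=dict)  # claim 7, service -> bits
    actions: dict = field(default_factory=dict)            # service -> block / rate_limit
    logs: list = field(default_factory=list)               # claim 8

def system_abnormal(cpu_percent, messages_in_cycle, services_healthy):
    """Claim 3: the cycle is abnormal if any one of the three conditions holds."""
    return cpu_percent > CPU_THRESHOLD or messages_in_cycle > FLOW_THRESHOLD or not services_healthy

def flood_sources(packets):
    """Claim 5: source addresses whose request count in the cycle exceeds the threshold."""
    counts = Counter(p.src for p in packets)
    return {src for src, n in counts.items() if n > MAX_REQUESTS_PER_SOURCE}

def protocol_features(service, payload):
    """Claim 4: actual structure of one payload, against assumed simplified templates
    (an HTTP request line ending in CRLF; a 12-byte DNS header with QDCOUNT == 1)."""
    if service == "http":
        line, sep, _ = payload.partition(b"\r\n")
        parts = line.split(b" ")
        return {"request_line": len(parts) == 3 and parts[2].startswith(b"HTTP/"),
                "crlf": sep == b"\r\n"}
    if service == "dns":
        return {"header": len(payload) >= 12, "qdcount_one": payload[4:6] == b"\x00\x01"}
    return {}  # services without a template are not structure-checked

def malformed_packets(packets):
    """Claim 6: indices of messages whose actual features differ from the standard ones."""
    return [i for i, p in enumerate(packets)
            if protocol_features(p.service, p.payload) != STANDARD_FEATURES.get(p.service, {})]

def entropy_anomalies(packets):
    """Claim 7: per service, Shannon entropy (bits) of this cycle's source-address
    distribution, reported when it falls outside the service's reference range."""
    by_service = defaultdict(Counter)
    for p in packets:
        by_service[p.service][p.src] += 1
    out = {}
    for service, counts in by_service.items():
        total = sum(counts.values())
        h = -sum(n / total * math.log2(n / total) for n in counts.values())
        low, high = REFERENCE_ENTROPY.get(service, (0.0, math.inf))
        if not low <= h <= high:
            out[service] = round(h, 3)
    return out

def inspect_cycle(packets, cpu_percent, services_healthy):
    """One cycle: claim-3 gate, claims 5-7 checks, claim-8 logs, claim-9 fallback."""
    res = CycleResult(system_abnormal(cpu_percent, len(packets), services_healthy))
    if not res.system_abnormal:
        return res  # assumption: the checks run only in cycles the claim-3 test marks abnormal
    res.flood_sources = flood_sources(packets)
    res.malformed = malformed_packets(packets)
    res.entropy_anomalies = entropy_anomalies(packets)
    res.logs.append(f"check: flood={sorted(res.flood_sources)} malformed={res.malformed} "
                    f"entropy={res.entropy_anomalies}")
    # A message flagged by claim 5 or 6 carries its own source address; an entropy
    # anomaly (claim 7) only names the flow, so no sender can be traced from it.
    traced = defaultdict(set)
    for i, p in enumerate(packets):
        if p.src in res.flood_sources or i in res.malformed:
            traced[p.service].add(p.src)
    for service in sorted(set(traced) | set(res.entropy_anomalies)):
        if traced[service]:
            res.actions[service] = f"block {sorted(traced[service])}"
        else:  # claim 9: no source identified -> rate-limit the whole flow
            res.actions[service] = f"rate_limit {DEFENSE_SECONDS}s"
    res.logs.append(f"trace: {res.actions}")
    return res

def sample_cycle():
    """Constructed traffic for one cycle (not captured data)."""
    dns_query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    pkts = [Packet(f"10.0.0.{i}", "http", b"GET / HTTP/1.1\r\nHost: a\r\n\r\n") for i in (1, 2, 3)]
    pkts.append(Packet("10.0.0.4", "http", b"\x16\x03\x01\x00\x05junk"))       # not an HTTP request
    pkts += [Packet("10.0.0.9", "dns", dns_query) for _ in range(12)]          # single-source flood
    pkts += [Packet(f"10.0.0.{i}", "dns", dns_query) for i in (5, 6)]
    pkts += [Packet(f"198.51.100.{i}", "ntp", bytes(48)) for i in range(16)]  # 16 spoofed senders
    return pkts
```

Calling inspect_cycle(sample_cycle(), 92.0, True) exercises all three checks on different traffic: the request-count threshold names 10.0.0.9, the structure check names 10.0.0.4, while the 16 spoofed NTP senders each stay under the count threshold and show up only as source-address entropy above the ntp reference range, which names no sender and therefore falls through to the claim-9 rate limit. In practice the reference entropy ranges are the fragile part: they must be baselined per service and per time of day, and the lower bound mostly duplicates the count check (a single-source flood also collapses entropy), so the upper bound is where the entropy check adds detection the other two do not.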

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202310045480.2A CN118413335A (en) 2023-01-30 2023-01-30 Network attack defense method, network element device and computer readable storage medium
CN202310045480.2 2023-01-30

Publications (1)

Publication Number Publication Date
WO2024159901A1 true WO2024159901A1 (en) 2024-08-08

Family

ID=91981859

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/135593 Ceased WO2024159901A1 (en) 2023-01-30 2023-11-30 Network attack defense method, network element device and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN118413335A (en)
WO (1) WO2024159901A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118694607A (en) * 2024-08-22 2024-09-24 安徽省宝舟信息科技有限公司 A cloud-based multi-node attack traffic tracing data collection system and method
CN119603042A (en) * 2024-11-29 2025-03-11 天翼安全科技有限公司 Attack detection device, method, apparatus and medium
CN119653358A (en) * 2024-12-18 2025-03-18 重庆兰空无人机技术有限公司 Networked drone control system with quantum encryption
CN120128427A (en) * 2025-05-09 2025-06-10 北京华耀科技有限公司 Abnormal traffic processing method, system and related equipment
CN120474841A (en) * 2025-07-14 2025-08-12 北京禹宏信安科技有限公司 Intelligent tracking and blocking method and system for network attack chain

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119652664B (en) * 2025-02-13 2025-06-17 阿里云飞天(杭州)云计算技术有限公司 Network attack protection method, device, equipment, storage medium and program product
CN120358099B (en) * 2025-06-24 2025-10-03 中国移动通信集团设计院有限公司 Safety evaluation method and device for network target range and related equipment
CN120785651A (en) * 2025-09-03 2025-10-14 中移(苏州)软件技术有限公司 Network defense method and device, equipment, program product and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110061998A (en) * 2019-04-25 2019-07-26 新华三信息安全技术有限公司 A kind of attack defense method and device
CN111181932A (en) * 2019-12-18 2020-05-19 广东省新一代通信与网络创新研究院 DDOS attack detection and defense method, device, terminal device and storage medium
CN111698214A (en) * 2020-05-15 2020-09-22 平安科技(深圳)有限公司 Network attack security processing method and device and computer equipment
US20210112091A1 (en) * 2019-10-10 2021-04-15 Charter Communications Operating, Llc Denial-of-service detection and mitigation solution
CN113438195A (en) * 2020-03-23 2021-09-24 华为技术有限公司 Network attack detection method and device

Also Published As

Publication number Publication date
CN118413335A (en) 2024-07-30

Similar Documents

Publication Publication Date Title
WO2024159901A1 (en) Network attack defense method, network element device and computer-readable storage medium
KR100942456B1 (en) Method for detecting and protecting ddos attack by using cloud computing and server thereof
CN102082836B (en) DNS (Domain Name Server) safety monitoring system and method
US10097578B2 (en) Anti-cyber hacking defense system
US10432650B2 (en) System and method to protect a webserver against application exploits and attacks
KR100800370B1 (en) Attack signature generation method, signature generation application application method, computer readable recording medium and attack signature generation device
AU2004282937B2 (en) Policy-based network security management
Gupta et al. An ISP level solution to combat DDoS attacks using combined statistical based approach
US20180255094A1 (en) Detection and mitigation of flood type ddos attacks against cloud-hosted applications
US8489755B2 (en) Technique of detecting denial of service attacks
CN107018084B (en) DDOS attack defense network security method based on SDN framework
US8918838B1 (en) Anti-cyber hacking defense system
US20050278779A1 (en) System and method for identifying the source of a denial-of-service attack
US10469528B2 (en) Algorithmically detecting malicious packets in DDoS attacks
CN104243408A (en) Method, device and system for monitoring messages in domain name resolution service DNS system
CN102882880A (en) Detection method and detection system of distributed denial of service (DDoS) attack aiming at domain name server (DNS) service
Unal et al. Towards prediction of security attacks on software defined networks: A big data analytic approach
CN115102727A (en) Network intrusion active defense system and method based on dynamic IP blacklist
JP2007179131A (en) Event detection system, management terminal and program, and event detection method
JP3652661B2 (en) Method and apparatus for preventing denial of service attack and computer program therefor
US8095981B2 (en) Worm detection by trending fan out
US20060250954A1 (en) Method and apparatus for controlling connection rate of network hosts
Ono et al. A design of port scan detection method based on the characteristics of packet-in messages in openflow networks
KR20030009887A (en) A system and method for intercepting DoS attack
CN100377534C (en) A network worm detection system and method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 23919465
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE