
CN107231383B - CC attack detection method and device - Google Patents


Info

Publication number: CN107231383B
Application number: CN201710655723.9A
Other versions: CN107231383A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active
Inventors: 范渊, 徐静, 郭晓, 龙文洁
Original and current assignee: Hangzhou Dbappsecurity Technology Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/142 Denial of service attacks against network infrastructure


Abstract

The invention provides a method and a device for detecting CC attack, which relate to the technical field of network information security, and the method comprises the following steps: calculating a first prior probability of the normal access flow of the Web page and a second prior probability of the CC attack access flow of the Web page; obtaining the ratio of normal access traffic and the ratio of CC attack access traffic, wherein the ratio of normal access traffic and the ratio of CC attack access traffic are determined based on sample data; calculating a first posterior probability of the normal access flow based on the first prior probability and the ratio of the normal access flow by adopting a first posterior probability model; calculating a second posterior probability of the CC attack access flow based on the second prior probability and the ratio of the CC attack access flow by adopting a second posterior probability model; whether the Web page is attacked by the CC is determined based on the first posterior probability and the second posterior probability, and the technical problems that the CC attack cannot be timely, effectively and accurately detected in the prior art are solved.

Description

CC attack detection method and device
Technical Field
The invention relates to the technical field of network information security, in particular to a method and a device for detecting CC attack.
Background
With the continuous development of internet technology, computer network technology is widely used in various industries. The rapid development of internet applications has been accompanied by a number of security vulnerabilities. These vulnerabilities, which subject computers to virus and hacking, can result in data loss, and can lead to loss of user data or property damage. Therefore, protection of internet security is an important point in internet technology.
CC is short for Challenge Collapsar (literally "challenge black hole"). A CC attack is one form of DDoS (distributed denial of service): it causes denial of service by continuously sending connection requests to a website, and it is comparatively stealthy.
The current detection and defense means for CC attacks are roughly as follows: limiting the source IP, i.e. configuring black and white lists; limiting the number of connections per source IP; and counting all request source IPs and calculating their request rates. However, most CC attacks today are launched from a large number of puppet machines that request the attacked server. When the controlled puppet machines reach a certain number, the IPs from which they initiate requests are all different, so the black-and-white list strategy is hard to apply; the number of requests sent by each puppet machine IP is not high and does not exceed the connection-count threshold, so a connection-count threshold is easily bypassed; and the request rate of each puppet machine IP is not necessarily high either, staying below the rate threshold, while the request rate of each URL of a website is not fixed, so it is not practical to set one IP request-rate threshold that suits all Uniform Resource Locators (URLs) of a website.
Disclosure of Invention
In view of the above, the present invention provides a method and an apparatus for detecting a CC attack, so as to solve the technical problem in the prior art that the CC attack cannot be timely, effectively and accurately detected.
In a first aspect, an embodiment of the present invention provides a method for detecting a CC attack, including: calculating a first prior probability of the normal access flow of the Web page and a second prior probability of the CC attack access flow of the Web page, wherein the first prior probability represents the probability that the normal access flow in sample data is matched with the URL access probability, and the second prior probability represents the probability that the CC attack access flow in the sample data is matched with the URL access probability; obtaining the ratio of normal access traffic and the ratio of CC attack access traffic, wherein the ratio of the normal access traffic and the ratio of the CC attack access traffic are determined based on the sample data; calculating a first posterior probability of the normal access traffic based on the first prior probability and the ratio of the normal access traffic by adopting a first posterior probability model; calculating a second posterior probability of the CC attack access flow based on the second prior probability and the ratio of the CC attack access flow by adopting a second posterior probability model; and determining whether the Web page is attacked by CC or not based on the first posterior probability and the second posterior probability.
Further, calculating a first posterior probability of the normal access traffic based on the first prior probability and the ratio of the normal access traffic using a first posterior probability model comprises: calculating the first posterior probability through the first posterior probability calculation model, wherein the first posterior probability calculation model is expressed as:

$$P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)=\frac{P(C=\text{normal traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{normal traffic})}{P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)}$$

where $P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)$ is the first posterior probability, $P(C=\text{normal traffic})$ is the ratio of the normal access traffic, and $P(A_i=a_i\mid C=\text{normal traffic})$, $i\in\{1,2,\dots,N\}$, is the first prior probability.
Further, calculating a second posterior probability of the CC attack access traffic based on the second prior probability and the ratio of the CC attack access traffic using a second posterior probability model includes: calculating the second posterior probability through the second posterior probability calculation model, wherein the second posterior probability calculation model is:

$$P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)=\frac{P(C=\text{CC attack traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{CC attack traffic})}{P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)}$$

where $P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)$ is the second posterior probability, $P(C=\text{CC attack traffic})$ is the ratio of the CC attack access traffic, and $P(A_i=a_i\mid C=\text{CC attack traffic})$, $i\in\{1,2,\dots,N\}$, is the second prior probability.
Further, determining whether the Web page is attacked by the CC based on the first posterior probability and the second posterior probability comprises: determining the access flow for accessing the Web page at the current moment as a normal flow under the condition that the first posterior probability is greater than the second posterior probability; and under the condition that the first posterior probability is smaller than the second posterior probability, determining that the access flow for accessing the Web page at the current moment is CC attack flow.
Further, calculating a first prior probability of a normal access traffic of the Web page and a second prior probability of a CC attack access traffic of the Web page includes: acquiring a real-time flow access log; extracting a URL and access time information of the URL from the flow access log; determining an access probability set based on the URLs and the access time information, wherein the access probability set comprises access probability of each URL; determining the first prior probability and the second prior probability based on the sample data and the set of access probabilities.
Further, before calculating a first prior probability of normal access traffic of the Web page and a second prior probability of CC attack access traffic of the Web page, the method further includes: acquiring the sample data; determining a ratio of the normal access traffic and a ratio of the CC attack access traffic based on the sample data; and constructing the first posterior probability calculation model and the second posterior probability calculation model by adopting a naive Bayes classification model based on the ratio of the normal access traffic and the ratio of the CC attack access traffic.
Further, determining the ratio of normal access traffic and the ratio of CC attack access traffic based on the sample data comprises: calculating a ratio of the normal access traffic by a first formula, wherein the first formula is expressed as:

$$P(C=\text{normal traffic})=\frac{B_2}{B_1+B_2}$$

wherein $B_2$ is the number of normal flows counted in the sample data and $B_1$ is the number of CC attack flows counted in the sample data; and calculating a ratio of the attack access traffic by a second formula, wherein the second formula is represented as:

$$P(C=\text{CC attack traffic})=\frac{B_1}{B_1+B_2}$$
in a second aspect, an embodiment of the present invention further provides a device for detecting a CC attack, where the device includes: the first calculation unit is used for calculating a first prior probability of the normal access flow of the Web page and a second prior probability of the CC attack access flow of the Web page, wherein the first prior probability represents the probability that the normal access flow in sample data is matched with the URL access probability, and the second prior probability represents the probability that the CC attack access flow in the sample data is matched with the URL access probability; a first obtaining unit, configured to obtain a ratio of normal access traffic and a ratio of CC attack access traffic, where the ratio of normal access traffic and the ratio of CC attack access traffic are both determined based on the sample data; a second calculation unit, configured to calculate a first posterior probability of the normal access traffic based on a ratio of the first prior probability and the normal access traffic by using a first posterior probability model; a third calculating unit, configured to calculate, by using a second posterior probability model, a second posterior probability of the CC attack access traffic based on the second prior probability and a ratio of the CC attack access traffic; a first determining unit, configured to determine whether the Web page is attacked by CC based on the first posterior probability and the second posterior probability.
Further, the second calculation unit is configured to: calculate the first posterior probability through the first posterior probability calculation model, wherein the first posterior probability calculation model is expressed as:

$$P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)=\frac{P(C=\text{normal traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{normal traffic})}{P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)}$$

where $P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)$ is the first posterior probability, $P(C=\text{normal traffic})$ is the ratio of the normal access traffic, and $P(A_i=a_i\mid C=\text{normal traffic})$, $i\in\{1,2,\dots,N\}$, is the first prior probability.
Further, the third calculation unit is configured to: calculate the second posterior probability through the second posterior probability calculation model, wherein the second posterior probability calculation model is:

$$P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)=\frac{P(C=\text{CC attack traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{CC attack traffic})}{P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)}$$

where $P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)$ is the second posterior probability, $P(C=\text{CC attack traffic})$ is the ratio of the CC attack access traffic, and $P(A_i=a_i\mid C=\text{CC attack traffic})$, $i\in\{1,2,\dots,N\}$, is the second prior probability.
In the embodiment of the invention, a first prior probability of normal access flow of a Web page and a second prior probability of CC attack access flow of the Web page are calculated firstly; then, acquiring the ratio of normal access traffic and the ratio of CC attack access traffic; next, calculating a first posterior probability of the normal access flow based on the first prior probability and the ratio of the normal access flow by adopting a first posterior probability model; calculating a second posterior probability of the CC attack access flow based on the second prior probability and the ratio of the CC attack access flow by adopting a second posterior probability model; and finally, determining whether the Web page is attacked by the CC or not based on the first posterior probability and the second posterior probability. In the embodiment of the invention, the log without CC attack and the log with CC attack are subjected to sample training and modeling, and the model is established and then the real-time flow is subjected to pattern matching so as to detect the CC attack, thereby achieving the aim of timely and accurately detecting the CC attack, further relieving the technical problem that the CC attack cannot be timely, effectively and accurately detected in the prior art, and further realizing the technical effect of improving the CC attack detection efficiency.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a CC attack detection method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a CC attack detection method according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a CC attack detection apparatus according to an embodiment of the present invention;
fig. 4 is a schematic diagram of another detection apparatus for CC attack according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The first embodiment is as follows:
In accordance with an embodiment of the present invention, there is provided an embodiment of a method for detecting a CC attack. It should be noted that the steps illustrated in the flowchart of the drawings may be executed in a computer system, for example as a set of computer-executable instructions, and that although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be executed in an order different from that given herein.
Fig. 1 is a flowchart of a CC attack detection method according to an embodiment of the present invention, and as shown in fig. 1, the method includes the following steps:
step S102, calculating a first prior probability of the normal access flow of the Web page and a second prior probability of the CC attack access flow of the Web page, wherein the first prior probability represents the probability that the normal access flow in the sample data is matched with the URL access probability, and the second prior probability represents the probability that the CC attack access flow in the sample data is matched with the URL access probability;
step S104, obtaining the ratio of normal access traffic and the ratio of CC attack access traffic, wherein the ratio of normal access traffic and the ratio of CC attack access traffic are determined based on sample data;
step S106, calculating a first posterior probability of the normal access flow based on the first prior probability and the ratio of the normal access flow by adopting a first posterior probability model;
step S108, calculating a second posterior probability of the CC attack access flow based on the second prior probability and the ratio of the CC attack access flow by adopting a second posterior probability model;
and step S110, determining whether the Web page is attacked by CC or not based on the first posterior probability and the second posterior probability.
In the embodiment of the invention, a first prior probability of normal access flow of a Web page and a second prior probability of CC attack access flow of the Web page are calculated firstly; then, acquiring the ratio of normal access traffic and the ratio of CC attack access traffic; next, calculating a first posterior probability of the normal access flow based on the first prior probability and the ratio of the normal access flow by adopting a first posterior probability model; calculating a second posterior probability of the CC attack access flow based on the second prior probability and the ratio of the CC attack access flow by adopting a second posterior probability model; and finally, determining whether the Web page is attacked by the CC or not based on the first posterior probability and the second posterior probability. In the embodiment of the invention, the log without CC attack and the log with CC attack are subjected to sample training and modeling, and the model is established and then the real-time flow is subjected to pattern matching so as to detect the CC attack, thereby achieving the aim of timely and accurately detecting the CC attack, further relieving the technical problem that the CC attack cannot be timely, effectively and accurately detected in the prior art, and further realizing the technical effect of improving the CC attack detection efficiency.
In the embodiment of the present invention, before calculating a first prior probability of a normal access traffic of a Web page and a second prior probability of a CC attack access traffic of the Web page, a posterior probability calculation model (i.e., a first posterior probability calculation model and a second posterior probability calculation model) needs to be constructed, and when the posterior probability calculation model is constructed, the posterior probability calculation model is constructed based on sample data, where the sample data includes a CC attack free log of the Web page and a CC attack log of the Web page, and a specific process is described as follows:
firstly, acquiring sample data;
then, determining the ratio of normal access traffic and the ratio of CC attack access traffic based on sample data;
and finally, constructing a first posterior probability calculation model and a second posterior probability calculation model by adopting a naive Bayes classification model based on the ratio of the normal access flow and the ratio of the CC attack access flow.
Specifically, access traffic of m protected objects (e.g., protected Web pages) is first gathered, and it is known which of that traffic is normal traffic and which is CC attack traffic; then the access traffic is classified and counted to obtain a click rate matrix A (i.e., the sample data).
The click rate matrix A has the expression:

$$A=\begin{pmatrix}a_{11}&a_{12}&\cdots&a_{1N}\\a_{21}&a_{22}&\cdots&a_{2N}\\\vdots&\vdots&\ddots&\vdots\\a_{m1}&a_{m2}&\cdots&a_{mN}\end{pmatrix}$$

In the embodiment of the present invention, in the matrix A, the normal traffic occupies the first row to the x-th row, and the CC attack traffic occupies the (x+1)-th row to the m-th row. In the matrix, $a_{ij}$ indicates the probability of occurrence of the j-th URL in the i-th access flow. It should be noted that the sample data is provided by the service provider of the protected object, and the quality and quantity of the sample data are usually the key factors determining the performance of the model.
After the sample data is determined, a rate of normal access traffic and a rate of CC attack access traffic may be determined based on the sample data.
In an alternative embodiment, the process of determining the ratio of normal access traffic and the ratio of CC attack access traffic based on sample data is described as follows:
calculating a ratio of normal access traffic by a first formula, wherein the first formula is expressed as:

$$P(C=\text{normal traffic})=\frac{B_2}{B_1+B_2}$$

wherein $B_2$ is the number of normal flows counted in the sample data and $B_1$ is the number of CC attack flows counted in the sample data;
calculating a ratio of attack access traffic by a second formula, wherein the second formula is expressed as:

$$P(C=\text{CC attack traffic})=\frac{B_1}{B_1+B_2}$$

The counts in the first formula and the second formula are obtained from the sample data.
In the embodiment of the present invention, the ratio of the normal access traffic may be calculated as: P(C = normal traffic) = number of normal flows B2 / (number of normal flows B2 + number of CC attack flows B1).
In the embodiment of the present invention, the ratio of CC attack access traffic may be calculated as: P(C = CC attack traffic) = number of CC attack flows B1 / (number of normal flows B2 + number of CC attack flows B1).
After the ratio of the CC attack access traffic and the ratio of the normal access traffic are determined, a first posterior probability model and a second posterior probability model can be constructed.
In the embodiment of the present invention, the posterior probability model may be established by a naive Bayes classifier, for example by the formula

$$P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)=\frac{P(C=\text{normal traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{normal traffic})}{P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)}$$

constructing a first posterior probability model; and, by the formula

$$P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)=\frac{P(C=\text{CC attack traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{CC attack traffic})}{P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)}$$

constructing a second posterior probability model. In the above formulas, $P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)$ is a constant.
After the first posterior probability model and the second posterior probability model are constructed, pattern matching can be carried out on the real-time access traffic so as to detect the CC attack.
When detecting CC attack by carrying out pattern matching on real-time access flow, firstly, calculating a first prior probability of normal access flow of a Web page and a second prior probability of CC attack access flow of the Web page, wherein the specific calculation steps comprise the following steps:
step S1021, acquiring a real-time flow access log;
step S1022, extracting the URL and the access time information of the URL from the traffic access log;
step S1023, determining an access probability set based on the URLs and the access time information, wherein the access probability set comprises the access probability of each URL;
step S1024, determining a first prior probability and a second prior probability based on the sample data and the access probability set.
Firstly, the URL and the access time information are extracted field by field from the real-time traffic access log to obtain an extraction result. Then, according to the extraction result, the access probability of each URL in the real-time access traffic is calculated to obtain the access probability set $[a_1, a_2, \dots, a_N]$.
After the access probability set is determined, the prior probability can be calculated by combining the sample data and the access probability set.
The calculated normal traffic prior probability (i.e., the first prior probability) is expressed as $P(A_i=a_i\mid C=\text{normal traffic})$, $i\in\{1,2,\dots,N\}$, i.e. the probability that, within the normal access traffic in the sample data (the i-th column of rows 1 to x), the value matches $a_i$ in the access probability set. The calculated CC attack traffic prior probability (i.e., the second prior probability) is expressed as $P(A_i=a_i\mid C=\text{CC attack traffic})$, $i\in\{1,2,\dots,N\}$, i.e. the probability that, within the CC attack access traffic in the sample data (the i-th column of rows x+1 to m), the value matches $a_i$ in the access probability set.
After determining the first prior probability, the second prior probability, and the ratio of the normal access traffic and the ratio of the CC attack access traffic, the first posterior probability and the second posterior probability may be determined by a posterior probability model.
In an optional embodiment, the step S106 of calculating the first posterior probability of the normal access traffic based on the ratio of the first prior probability and the normal access traffic by using the first posterior probability model includes the following steps:
step S1061, calculating a first posterior probability by a first posterior probability calculation model, wherein the first posterior probability calculation model is represented as:

$$P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)=\frac{P(C=\text{normal traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{normal traffic})}{P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)}$$

where $P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)$ is the first posterior probability, $P(C=\text{normal traffic})$ is the ratio of normal access traffic, and $P(A_i=a_i\mid C=\text{normal traffic})$, $i\in\{1,2,\dots,N\}$, is the first prior probability.
Specifically, in the embodiment of the present invention, the constant $P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)$, the ratio of normal access traffic $P(C=\text{normal traffic})$, and the normal traffic prior probability $P(A_i=a_i\mid C=\text{normal traffic})$, $i\in\{1,2,\dots,N\}$, may be substituted into the constructed first posterior probability model to calculate the first posterior probability of the normal traffic, $P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)$.
In an optional embodiment, the step S108 of calculating the second posterior probability of the CC attack access traffic based on the second prior probability and the ratio of the CC attack access traffic by using the second posterior probability model includes the following steps:
step S1081, calculating a second posterior probability through a second posterior probability calculation model, wherein the second posterior probability calculation model is:

$$P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)=\frac{P(C=\text{CC attack traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{CC attack traffic})}{P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)}$$

where $P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)$ is the second posterior probability, $P(C=\text{CC attack traffic})$ is the ratio of CC attack access traffic, and $P(A_i=a_i\mid C=\text{CC attack traffic})$, $i\in\{1,2,\dots,N\}$, is the second prior probability.
The constant $P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)$, the ratio of CC attack access traffic $P(C=\text{CC attack traffic})$, and the CC attack traffic prior probability (i.e., the second prior probability described above) $P(A_i=a_i\mid C=\text{CC attack traffic})$, $i\in\{1,2,\dots,N\}$, are substituted into the established second posterior probability model, thereby calculating the posterior probability of CC attack traffic (i.e., the second posterior probability) $P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)$.
In the embodiment of the present invention, after the first posterior probability and the second posterior probability are determined, whether the Web page is attacked by CC may be determined based on the first posterior probability and the second posterior probability, and a specific process is described as follows:
under the condition that the first posterior probability is larger than the second posterior probability, determining that the access flow for accessing the Web page at the current moment is normal flow;
and under the condition that the first posterior probability is smaller than the second posterior probability, determining the access flow for accessing the Web page at the current moment as CC attack flow.
That is, if the posterior probability of the normal traffic is greater than the posterior probability of the CC attack traffic, the real-time traffic is the normal traffic. If the posterior probability of the CC attack flow is larger than the posterior probability of the normal flow, the real-time flow is the CC attack.
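The whole procedure above, from the labelled sample data and class ratios (step S104 and the model construction), through the per-URL access probabilities extracted from a real-time log (steps S1021 to S1023), the match-based priors and the two naive Bayes posteriors (steps S106 and S108), to the final comparison (step S110), as one worked example in Python. This is added illustration code, not the patent's or the assignee's implementation. The URL list, the sample rows, the log line format, the bucketing of probabilities to steps of 0.1 (so that "the value equals a_i" is a meaningful test on real-valued frequencies) and the Laplace smoothing of the prior are all assumptions not taken from the patent.

```python
"""Naive Bayes CC attack detection over per-URL access probabilities.

Added example, not the patent's code. All data below is constructed: the URL
list, the sample rows, the log format, the bucket width and the smoothing are
assumptions made for illustration.
"""
import re
from collections import Counter
from typing import List, Sequence, Tuple

# Constructed: the N URLs of the protected page, in a fixed column order.
URLS = ["/index.html", "/login", "/search", "/static/app.js"]

# Constructed click-rate matrix A: row i is one access flow, column j the
# probability of the j-th URL in that flow. Rows 1..x are labelled normal,
# rows x+1..m are labelled CC attack (here x = 3, m = 6).
NORMAL_ROWS = [
    [0.5, 0.1, 0.1, 0.3],
    [0.4, 0.2, 0.1, 0.3],
    [0.5, 0.1, 0.2, 0.2],
]
ATTACK_ROWS = [
    [0.1, 0.0, 0.9, 0.0],
    [0.0, 0.0, 1.0, 0.0],
    [0.1, 0.1, 0.8, 0.0],
]

BIN = 0.1  # assumption: bucket width so that "A_i = a_i" is a usable equality
N_BINS = int(round(1 / BIN)) + 1  # buckets 0, 1, ..., 10

# Constructed log format: "<ISO time> <URL>"; a real access log needs its own regex.
LOG_LINE = re.compile(r"^(?P<time>\S+)\s+(?P<url>\S+)")


def bucket(p: float) -> int:
    """Map a probability to a discrete bucket so sample and live values compare equal."""
    return int(round(p / BIN))


def class_ratios(normal_rows: Sequence[Sequence[float]],
                 attack_rows: Sequence[Sequence[float]]) -> Tuple[float, float]:
    """P(C=normal) = B2/(B1+B2) and P(C=CC attack) = B1/(B1+B2) from the sample counts."""
    b2, b1 = len(normal_rows), len(attack_rows)
    return b2 / (b1 + b2), b1 / (b1 + b2)


def extract_accesses(log_lines: Sequence[str]) -> List[Tuple[str, str]]:
    """Step S1022: pull (access time, URL) pairs out of the real-time access log."""
    found = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            found.append((m.group("time"), m.group("url")))
    return found


def access_probabilities(log_lines: Sequence[str], urls: Sequence[str] = URLS) -> List[float]:
    """Step S1023: the access probability set [a_1, ..., a_N] for one log window."""
    accesses = extract_accesses(log_lines)
    if not accesses:
        return [0.0] * len(urls)  # empty window: nothing observed
    counts = Counter(url for _, url in accesses)
    return [counts[u] / len(accesses) for u in urls]


def prior(rows: Sequence[Sequence[float]], col: int, a_i: float, alpha: float = 1.0) -> float:
    """P(A_i = a_i | C): share of the class's sample rows whose column i matches a_i.

    Laplace smoothing (alpha) is an assumption not in the patent; it stops one
    never-seen value from forcing the whole product to zero.
    """
    matches = sum(1 for row in rows if bucket(row[col]) == bucket(a_i))
    return (matches + alpha) / (len(rows) + alpha * N_BINS)


def posteriors(a: Sequence[float],
               normal_rows: Sequence[Sequence[float]] = NORMAL_ROWS,
               attack_rows: Sequence[Sequence[float]] = ATTACK_ROWS) -> Tuple[float, float]:
    """Numerators of the two naive Bayes posteriors (steps S106 and S108).

    The shared denominator P(A_1=a_1, ..., A_N=a_N) is a constant, so it is
    dropped: it cannot change which posterior is larger.
    """
    p_normal, p_attack = class_ratios(normal_rows, attack_rows)
    for i, a_i in enumerate(a):
        p_normal *= prior(normal_rows, i, a_i)
        p_attack *= prior(attack_rows, i, a_i)
    return p_normal, p_attack


def classify(log_lines: Sequence[str]) -> str:
    """Step S110: larger first posterior -> normal; larger second -> CC attack.

    A tie is not covered by the patent; it is treated as normal here (assumption).
    """
    p_normal, p_attack = posteriors(access_probabilities(log_lines))
    return "cc_attack" if p_attack > p_normal else "normal"


# Constructed log windows used as input (not captured traffic).
NORMAL_WINDOW = ["2024-01-01T00:00:%02dZ %s" % (k, u) for k, u in enumerate(
    ["/index.html"] * 5 + ["/login"] + ["/search"] + ["/static/app.js"] * 3)]
ATTACK_WINDOW = ["2024-01-01T00:01:%02dZ %s" % (k, u) for k, u in enumerate(
    ["/search"] * 9 + ["/index.html"])]

if __name__ == "__main__":
    for name, window in (("normal window", NORMAL_WINDOW), ("attack window", ATTACK_WINDOW)):
        print(name, access_probabilities(window), classify(window))
```

Running the script classifies the balanced window as normal and the window dominated by one URL as a CC attack. Two design points carry over to any real deployment of this scheme: the comparison in step S110 only needs the numerators, because the page states that the joint probability in the denominator is a constant; and the "equal value" matching of the priors is only meaningful on discretised probabilities, which is why the example buckets them, so the bucket width and the smoothing constant are the two knobs that most affect the false-positive rate.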
To sum up, in order to intuitively understand the above process, the method for detecting a CC attack provided by each embodiment is described by taking a schematic diagram of the method for detecting a CC attack shown in fig. 2 as an example, and the method mainly includes:
firstly, acquiring sample data; and then, performing machine learning processing on the sample data, wherein the machine learning means that a computer establishes model parameters from the sample data of a known class by adopting a naive Bayes classifier.
The sample data acquisition and machine learning processing specifically comprises the following steps:
A1, acquiring sample data
Access traffic of m protected objects is gathered, it is known which of that traffic is normal traffic and which is CC attack traffic, and classification statistics are then carried out to obtain a click rate matrix (i.e., the sample data). The click rate matrix is represented as:

$$A=\begin{pmatrix}a_{11}&a_{12}&\cdots&a_{1N}\\a_{21}&a_{22}&\cdots&a_{2N}\\\vdots&\vdots&\ddots&\vdots\\a_{m1}&a_{m2}&\cdots&a_{mN}\end{pmatrix}$$

In the matrix A, the normal traffic occupies the first row to the x-th row, and the CC attack traffic occupies the (x+1)-th row to the m-th row. In the matrix, $a_{ij}$ indicates the probability of occurrence of the j-th URL in the i-th access flow. It should be noted that the sample data is provided by the service provider of the protected object, and the quality and quantity of the sample data are usually the key factors determining the performance of the model.
A2, establishing a model
In the embodiment of the present invention, the posterior probability model may be established by a naive Bayes classifier, for example by the formula

$$P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)=\frac{P(C=\text{normal traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{normal traffic})}{Z}$$

constructing a first posterior probability model; and by the formula

$$P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\dots,A_N=a_N)=\frac{P(C=\text{CC attack traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{CC attack traffic})}{Z}$$

constructing a second posterior probability model. In the above formulas, $P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)$ is a constant, and $Z$ denotes that constant $P(A_1=a_1,A_2=a_2,\dots,A_N=a_N)$.
After the posterior probability models are built, the ratio P(C = normal traffic) of normal access traffic and the ratio P(C = CC attack traffic) of CC attack access traffic can be calculated from the sample data.

The ratio of normal access traffic is calculated by: P(C = normal traffic) = (number of normal flows) / (number of normal flows + number of CC attack flows).

The ratio of CC attack access traffic is calculated by: P(C = CC attack traffic) = (number of CC attack flows) / (number of normal flows + number of CC attack flows).

The counts in these formulas are taken over the sample data, i.e. the x normal rows and the $m-x$ CC attack rows of matrix A.
Calculating the prior probabilities: as the posterior probability models of step A2 show, computing a posterior probability first requires the normal-traffic prior probability P(A_i = a_i | C = normal traffic), i ∈ {1, 2, …, N}, and the CC-attack-traffic prior probability P(A_i = a_i | C = CC attack traffic), i ∈ {1, 2, …, N}. (What the patent calls a "prior probability" here is, in the usual naive Bayes terminology, the class-conditional likelihood of the observed access probability; the class prior is the "ratio" of step A2.) The specific steps are as follows:
B. calculating a normal traffic prior probability (i.e., a first prior probability) and a CC attack traffic prior probability (i.e., a second prior probability), wherein calculating the prior probabilities comprises the steps of:
b1, extracting an access sample: URL, access time information is extracted by field from the real-time traffic access log.
B2, calculating the access probability: from the result of step B1, calculate the access probability of each URL in the real-time access traffic, giving the access probability set [a_1, a_2, …, a_N].
B3, calculating the prior probability.
The normal-traffic prior probability (the first prior probability) is P(A_i = a_i | C = normal traffic), i ∈ {1, 2, …, N}: within the normal access traffic of the sample data, i.e. rows 1 … x of matrix A, the probability that the i-th column takes a value equal to a_i, the i-th element of the access probability set. The CC-attack-traffic prior probability (the second prior probability) is P(A_i = a_i | C = CC attack traffic), i ∈ {1, 2, …, N}: within the CC attack access traffic of the sample data, i.e. rows x+1 … m of matrix A, the probability that the i-th column takes a value equal to a_i.
C. Calculating a normal traffic posterior probability (i.e., a first posterior probability) and a CC attack traffic posterior probability (i.e., a second posterior probability), wherein calculating the posterior probabilities includes the steps of:
C1, normal traffic posterior probability: substitute the constant Z = P(A_1 = a_1, A_2 = a_2, …, A_N = a_N), the ratio P(C = normal traffic), and the normal-traffic prior probabilities P(A_i = a_i | C = normal traffic), i ∈ {1, 2, …, N}, of step B3 into the first posterior probability model established in A2 to obtain the normal traffic posterior probability P(C = normal traffic | A_1 = a_1, A_2 = a_2, …, A_N = a_N).

C2, CC attack traffic posterior probability: substitute the same constant Z, the ratio P(C = CC attack traffic), and the CC-attack-traffic prior probabilities P(A_i = a_i | C = CC attack traffic), i ∈ {1, 2, …, N}, of step B3 into the second posterior probability model established in A2 to obtain the CC attack traffic posterior probability P(C = CC attack traffic | A_1 = a_1, A_2 = a_2, …, A_N = a_N).
D. Detecting CC attacks
And if the posterior probability of the normal flow is greater than that of the CC attack flow, the real-time flow is the normal flow. If the posterior probability of the CC attack flow is larger than the posterior probability of the normal flow, the real-time flow is the CC attack. The specific implementation process is as above, and is not described herein again.
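The whole procedure A1 to D, carried out end to end on constructed data, as an added example (this is not the patent's own code, nor code from the applicant; the URL list, the click-rate matrix, the access log lines, the one-minute window, the binning of access probabilities and the Laplace smoothing are all assumptions made for the example). Two points the patent text leaves open are made explicit: the a_ij are real-valued, so "column i equals a_i" is evaluated on quantized bins rather than raw floats, and the constant Z is never computed because it cancels when the two posteriors are compared.

```python
import math
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# The N protected URLs, i.e. the columns of the click-rate matrix A (assumed).
URLS = ["/", "/login", "/search", "/static/app.js", "/api/report"]

# Constructed click-rate matrix A (m = 7 flows x N = 5 URLs): a_ij is the share of
# requests in flow i that hit URL j. Rows 1..x are labelled normal, rows x+1..m are
# labelled CC attack; the attack flows hammer the dynamic /search page.
NORMAL_ROWS = [[0.3, 0.1, 0.2, 0.3, 0.1], [0.4, 0.1, 0.1, 0.3, 0.1],
               [0.3, 0.2, 0.1, 0.3, 0.1], [0.2, 0.1, 0.2, 0.4, 0.1]]
ATTACK_ROWS = [[0.0, 0.0, 0.9, 0.0, 0.1], [0.1, 0.0, 0.8, 0.0, 0.1],
               [0.0, 0.1, 0.9, 0.0, 0.0]]

# Step B1: URL and access time are extracted by field from Common Log Format lines.
LOG_RE = re.compile(r'\[(?P<time>[^\]]+)\] "(?:GET|POST) (?P<url>\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def window_paths(log_text, start, end):
    """URL paths (query string dropped) of the requests with start <= time < end."""
    paths = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        if start <= datetime.strptime(m.group("time"), TIME_FMT) < end:
            paths.append(urlsplit(m.group("url")).path)
    return paths

def access_probabilities(paths, urls=URLS):
    """Step B2: the access probability set [a_1, ..., a_N] of one window."""
    counts, total = Counter(paths), len(paths)
    return [counts[u] / total if total else 0.0 for u in urls]

def quantize(p, bins):
    """Bin index 0..bins of a probability; 'A_i = a_i' is tested on bins (assumption)."""
    return round(p * bins)

class NaiveBayesCC:
    """Steps A2, B3 and C: naive Bayes over the click-rate matrix."""

    def __init__(self, normal_rows, attack_rows, bins=10, alpha=1.0):
        self.bins, self.alpha = bins, alpha
        self.n_normal, self.n_attack = len(normal_rows), len(attack_rows)
        # Class ratios P(C=normal traffic) and P(C=CC attack traffic).
        self.p_normal = self.n_normal / (self.n_normal + self.n_attack)
        self.p_attack = self.n_attack / (self.n_normal + self.n_attack)
        # Per-URL histograms of binned a_ij per class; they yield the patent's
        # 'prior' P(A_i = a_i | C), which is a class-conditional likelihood.
        cols = range(len(normal_rows[0]))
        self.normal_hist = [Counter(quantize(r[i], bins) for r in normal_rows) for i in cols]
        self.attack_hist = [Counter(quantize(r[i], bins) for r in attack_rows) for i in cols]

    def _likelihood(self, hist, n_rows, a_i):
        # Laplace smoothing (added here, not in the patent): a bin never seen in
        # training must not zero out the whole product.
        return (hist[quantize(a_i, self.bins)] + self.alpha) / (n_rows + self.alpha * (self.bins + 1))

    def log_scores(self, a):
        """log P(C) + sum_i log P(A_i=a_i | C) per class. The constant Z is shared by
        both posteriors and cancels in the comparison; logs avoid underflow."""
        s_normal, s_attack = math.log(self.p_normal), math.log(self.p_attack)
        for i, a_i in enumerate(a):
            s_normal += math.log(self._likelihood(self.normal_hist[i], self.n_normal, a_i))
            s_attack += math.log(self._likelihood(self.attack_hist[i], self.n_attack, a_i))
        return s_normal, s_attack

    def classify(self, a):
        """Step D: the larger posterior wins; the patent leaves ties unspecified."""
        s_normal, s_attack = self.log_scores(a)
        if s_normal > s_attack:
            return "normal"
        return "cc_attack" if s_attack > s_normal else "undetermined"

def detect(model, log_text, start, end):
    """Classify the real-time traffic of one window of the access log."""
    return model.classify(access_probabilities(window_paths(log_text, start, end)))

# Constructed real-time access log: a minute of mixed browsing from three clients,
# then a minute in which one client hammers /search.
NORMAL_MINUTE = ["/", "/", "/", "/login", "/search?q=a", "/search?q=b",
                 "/static/app.js", "/static/app.js", "/static/app.js", "/api/report"]
ATTACK_MINUTE = ["/search?q=%d" % k for k in range(9)] + ["/api/report"]
SAMPLE_LOG = "\n".join(
    [f'10.0.0.{i % 3 + 1} - - [03/Aug/2017:10:00:{i:02d} +0800] "GET {u} HTTP/1.1" 200 512'
     for i, u in enumerate(NORMAL_MINUTE)]
    + [f'198.51.100.7 - - [03/Aug/2017:10:01:{i:02d} +0800] "GET {u} HTTP/1.1" 200 8192'
       for i, u in enumerate(ATTACK_MINUTE)])
T0 = datetime(2017, 8, 3, 10, 0, tzinfo=timezone(timedelta(hours=8)))
MODEL = NaiveBayesCC(NORMAL_ROWS, ATTACK_ROWS)

def minute_window(k):
    """[start, end) of the k-th one-minute window of SAMPLE_LOG."""
    return T0 + timedelta(minutes=k), T0 + timedelta(minutes=k + 1)
```

`detect(MODEL, SAMPLE_LOG, *minute_window(0))` returns "normal" for the mixed minute and `detect(MODEL, SAMPLE_LOG, *minute_window(1))` returns "cc_attack" for the minute dominated by /search. With seven training rows the histograms are very sparse, which is exactly why the patent stresses the quality and quantity of the sample data; the smoothing keeps an unseen bin from forcing a zero posterior, but it cannot replace more labelled flows.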
Example two:
the embodiment of the present invention further provides a device for detecting a CC attack, where the device for detecting a CC attack is mainly used to execute the method for detecting a CC attack provided in the foregoing content of the embodiment of the present invention, and the following description specifically describes the device for detecting a CC attack provided in the embodiment of the present invention.
Fig. 3 is a schematic diagram of a CC attack detection apparatus according to an embodiment of the present invention, and as shown in fig. 3, the CC attack detection apparatus mainly includes: a first calculation unit 31, a first acquisition unit 32, a second calculation unit 33, a third calculation unit 34, and a first determination unit 35, wherein:
the first calculating unit 31 is configured to calculate a first prior probability of a normal access traffic of a Web page and a second prior probability of a CC attack access traffic of the Web page, where the first prior probability represents a probability that the normal access traffic matches the URL access probability in sample data, and the second prior probability represents a probability that the CC attack access traffic matches the URL access probability in the sample data;
a first obtaining unit 32, configured to obtain a ratio of normal access traffic and a ratio of CC attack access traffic, where the ratio of normal access traffic and the ratio of CC attack access traffic are both determined based on sample data;
a second calculating unit 33, configured to calculate a first posterior probability of the normal access traffic based on a ratio of the first prior probability and the normal access traffic by using a first posterior probability model;
a third calculating unit 34, configured to calculate, by using a second posterior probability model, a second posterior probability of the CC attack access traffic based on the second prior probability and a ratio of the CC attack access traffic;
a first determining unit 35, configured to determine whether the Web page is attacked by CC based on the first posterior probability and the second posterior probability.
In the embodiment of the invention, a first prior probability of normal access flow of a Web page and a second prior probability of CC attack access flow of the Web page are calculated firstly; then, acquiring the ratio of normal access traffic and the ratio of CC attack access traffic; next, calculating a first posterior probability of the normal access flow based on the first prior probability and the ratio of the normal access flow by adopting a first posterior probability model; calculating a second posterior probability of the CC attack access flow based on the second prior probability and the ratio of the CC attack access flow by adopting a second posterior probability model; and finally, determining whether the Web page is attacked by the CC or not based on the first posterior probability and the second posterior probability. In the embodiment of the invention, the log without CC attack and the log with CC attack are subjected to sample training and modeling, and the model is established and then the real-time flow is subjected to pattern matching so as to detect the CC attack, thereby achieving the aim of timely and accurately detecting the CC attack, further relieving the technical problem that the CC attack cannot be timely, effectively and accurately detected in the prior art, and further realizing the technical effect of improving the CC attack detection efficiency.
Optionally, the second computing unit is configured to calculate the first posterior probability through a first posterior probability calculation model, expressed as:

$$
P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\ldots,A_N=a_N)=\frac{1}{Z}\,P(C=\text{normal traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{normal traffic})
$$

where P(C = normal traffic | A_1 = a_1, A_2 = a_2, …, A_N = a_N) is the first posterior probability, P(C = normal traffic) is the ratio of normal access traffic, and P(A_i = a_i | C = normal traffic) is the first prior probability.

Optionally, the third computing unit is configured to calculate the second posterior probability through a second posterior probability calculation model, expressed as:

$$
P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\ldots,A_N=a_N)=\frac{1}{Z}\,P(C=\text{CC attack traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{CC attack traffic})
$$

where P(C = CC attack traffic | A_1 = a_1, A_2 = a_2, …, A_N = a_N) is the second posterior probability, P(C = CC attack traffic) is the ratio of CC attack access traffic, and P(A_i = a_i | C = CC attack traffic) is the second prior probability.
Optionally, the first determining unit is configured to: under the condition that the first posterior probability is larger than the second posterior probability, determining that the access flow for accessing the Web page at the current moment is normal flow; and under the condition that the first posterior probability is smaller than the second posterior probability, determining the access flow for accessing the Web page at the current moment as CC attack flow.
Optionally, the first computing unit is configured to: acquiring a real-time flow access log; extracting the URL and the access time information of the URL from the flow access log; determining an access probability set based on the URLs and the access time information, wherein the access probability set comprises the access probability of each URL; a first prior probability and a second prior probability are determined based on the sample data and the set of access probabilities.
Optionally, as shown in fig. 4, the apparatus further includes: a second obtaining unit 41, configured to obtain sample data before calculating a first prior probability of a normal access traffic of the Web page and a second prior probability of a CC attack access traffic of the Web page; a second determining unit 42, configured to determine a ratio of normal access traffic and a ratio of CC attack access traffic based on the sample data; the constructing unit 43 is configured to construct a first posterior probability calculation model and a second posterior probability calculation model by using a naive bayes classification model based on a ratio of normal access traffic and a ratio of CC attack access traffic.
Optionally, the second determining unit is configured to calculate the ratio of normal access traffic by a first formula, expressed as:

$$
P(C=\text{normal traffic})=\frac{A_1}{A_1+B_1}
$$

where A_1 is the number of normal flows counted in the sample data and B_1 is the number of CC attack flows counted in the sample data; and to calculate the ratio of CC attack access traffic by a second formula, expressed as:

$$
P(C=\text{CC attack traffic})=\frac{B_1}{A_1+B_1}
$$
in addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The computer program product of the method and the apparatus for detecting a CC attack provided in the embodiments of the present invention includes a computer-readable storage medium storing a nonvolatile program code executable by a processor, where instructions included in the program code may be used to execute the method in the foregoing method embodiments, and specific implementation may refer to the method embodiments, and is not described herein again.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of one logic function, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (5)

1. A method for detecting CC attack is characterized by comprising the following steps:
calculating a first prior probability of the normal access flow of the Web page and a second prior probability of the CC attack access flow of the Web page, wherein the first prior probability represents the probability that the normal access flow in sample data is matched with the URL access probability, and the second prior probability represents the probability that the CC attack access flow in the sample data is matched with the URL access probability;
obtaining the ratio of normal access traffic and the ratio of CC attack access traffic, wherein the ratio of the normal access traffic and the ratio of the CC attack access traffic are determined based on the sample data;
calculating the first posterior probability through the first posterior probability calculation model, wherein the first posterior probability calculation model is expressed as:

$$
P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\ldots,A_N=a_N)=\frac{1}{Z}\,P(C=\text{normal traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{normal traffic})
$$

where P(C = normal traffic | A_1 = a_1, A_2 = a_2, …, A_N = a_N) is the first posterior probability, P(C = normal traffic) is the ratio of the normal access traffic, and P(A_i = a_i | C = normal traffic) is the first prior probability;

calculating the second posterior probability through the second posterior probability calculation model, wherein the second posterior probability calculation model is expressed as:

$$
P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\ldots,A_N=a_N)=\frac{1}{Z}\,P(C=\text{CC attack traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{CC attack traffic})
$$

where P(C = CC attack traffic | A_1 = a_1, A_2 = a_2, …, A_N = a_N) is the second posterior probability, P(C = CC attack traffic) is the ratio of the CC attack access traffic, and P(A_i = a_i | C = CC attack traffic) is the second prior probability; wherein Z is a constant, a_i is an element of the access probability set, and N is the maximum value of i;
determining the access flow for accessing the Web page at the current moment as a normal flow under the condition that the first posterior probability is greater than the second posterior probability;
and under the condition that the first posterior probability is smaller than the second posterior probability, determining that the access flow for accessing the Web page at the current moment is CC attack flow.
2. The method of claim 1, wherein calculating a first prior probability of normal access traffic of a Web page and a second prior probability of CC attack access traffic of the Web page comprises:
acquiring a real-time flow access log;
extracting a URL and access time information of the URL from the flow access log;
determining an access probability set based on the URLs and the access time information, wherein the access probability set comprises access probability of each URL;
determining the first prior probability and the second prior probability based on the sample data and the set of access probabilities.
3. The method of claim 1, wherein prior to calculating a first prior probability of normal access traffic for a Web page and a second prior probability of CC attack access traffic for the Web page, the method further comprises:
acquiring the sample data;
determining a ratio of the normal access traffic and a ratio of the CC attack access traffic based on the sample data;
and constructing the first posterior probability calculation model and the second posterior probability calculation model by adopting a naive Bayes classification model based on the ratio of the normal access traffic and the ratio of the CC attack access traffic.
4. The method of claim 3, wherein determining the ratio of normal access traffic and the ratio of CC attack access traffic based on the sample data comprises:
calculating a ratio of the normal access traffic by a first formula, wherein the first formula is expressed as:

$$
P(C=\text{normal traffic})=\frac{B_2}{B_2+B_1}
$$

wherein B_2 is the number of normal flows counted in the sample data and B_1 is the number of CC attack flows counted in the sample data;

calculating a ratio of the CC attack access traffic by a second formula, wherein the second formula is expressed as:

$$
P(C=\text{CC attack traffic})=\frac{B_1}{B_2+B_1}
$$
5. an apparatus for detecting a CC attack, comprising:
the first calculation unit is used for calculating a first prior probability of the normal access flow of the Web page and a second prior probability of the CC attack access flow of the Web page, wherein the first prior probability represents the probability that the normal access flow in sample data is matched with the URL access probability, and the second prior probability represents the probability that the CC attack access flow in the sample data is matched with the URL access probability;
a first obtaining unit, configured to obtain a ratio of normal access traffic and a ratio of CC attack access traffic, where the ratio of normal access traffic and the ratio of CC attack access traffic are both determined based on the sample data;
a second calculation unit configured to calculate the first posterior probability by the first posterior probability calculation model, wherein the first posterior probability calculation model is expressed as:

$$
P(C=\text{normal traffic}\mid A_1=a_1,A_2=a_2,\ldots,A_N=a_N)=\frac{1}{Z}\,P(C=\text{normal traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{normal traffic})
$$

where P(C = normal traffic | A_1 = a_1, A_2 = a_2, …, A_N = a_N) is the first posterior probability, P(C = normal traffic) is the ratio of the normal access traffic, and P(A_i = a_i | C = normal traffic) is the first prior probability;

a third calculation unit configured to calculate the second posterior probability by the second posterior probability calculation model, wherein the second posterior probability calculation model is expressed as:

$$
P(C=\text{CC attack traffic}\mid A_1=a_1,A_2=a_2,\ldots,A_N=a_N)=\frac{1}{Z}\,P(C=\text{CC attack traffic})\prod_{i=1}^{N}P(A_i=a_i\mid C=\text{CC attack traffic})
$$

where P(C = CC attack traffic | A_1 = a_1, A_2 = a_2, …, A_N = a_N) is the second posterior probability, P(C = CC attack traffic) is the ratio of the CC attack access traffic, and P(A_i = a_i | C = CC attack traffic) is the second prior probability; wherein Z is a constant, a_i is an element of the access probability set, and N is the maximum value of i;
the first determining unit is used for determining that the access flow for accessing the Web page at the current moment is normal flow under the condition that the first posterior probability is greater than the second posterior probability; and under the condition that the first posterior probability is smaller than the second posterior probability, determining that the access flow for accessing the Web page at the current moment is CC attack flow.
CN201710655723.9A 2017-08-03 2017-08-03 CC attack detection method and device Active CN107231383B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710655723.9A CN107231383B (en) 2017-08-03 2017-08-03 CC attack detection method and device

Publications (2)

Publication Number Publication Date
CN107231383A CN107231383A (en) 2017-10-03
CN107231383B true CN107231383B (en) 2020-01-17

Family

ID=59957946

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 310051 No. 188 Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province
Applicant after: Hangzhou Annan information technology Limited by Share Ltd
Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer
Applicant before: Dbappsecurity Co.,ltd.
GR01 Patent grant