
CN112953956B - Reflection amplifier identification method based on active and passive combination - Google Patents

Reflection amplifier identification method based on active and passive combination Download PDF

Info

Publication number
CN112953956B
Authority
CN
China
Prior art keywords
reflection
reflection amplifier
attack
attack detection
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110247040.6A
Other languages
Chinese (zh)
Other versions
CN112953956A (en
Inventor
戚岱杰
窦凤虎
张智涵
宋延超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jizhi Hainan Information Technology Co ltd
Original Assignee
Zhongdian Jizhi Hainan Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongdian Jizhi Hainan Information Technology Co ltd
Priority to CN202110247040.6A
Publication of CN112953956A
Application granted
Publication of CN112953956B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a reflection amplifier identification method based on active and passive combination, which comprises the following operation steps: S1, constructing an identification system: setting up a model training module, an unknown attack detection module, a model updating module and a reflection amplifier data collection module. The invention relates to the technical field of network information security. The method mainly comprises three steps: identification of the reflection amplifier in passive traffic, discovery of an unknown reflection amplifier, and verification of the reflection amplifier in an active mode. By arranging an attack detection module, the reflection amplifier can be identified from passive traffic.

Description

Reflection amplifier identification method based on active and passive combination
Technical Field
The invention relates to the technical field of network information security, in particular to a reflection amplifier identification method based on active and passive combination.
Background
In a reflection attack, an attacker directs controlled hosts to send a reflector a large number of data packets whose source IP address is forged to be the IP address of the attack target. When the reflector receives these packets, it regards them as requests sent by the attack target and therefore sends its response data to the attacked target. When a large number of response packets flood the attack target, the network bandwidth resources of the target can be exhausted, causing a denial of service attack.
Reflection amplification attacks are currently among the most destructive forms of attack and are the dominant form of the largest threat on the Internet, and a reflection amplifier is an indispensable part of a reflection amplification attack. Once the traffic of a reflection amplification attack is amplified, the bandwidth it occupies increases rapidly, and whatever protection method is adopted, its cost increases rapidly as well. Treating reflection points can therefore effectively relieve reflection amplification attacks, and identifying the reflection amplifier is the prerequisite for treating reflection points. In the prior art, reflection amplifier identification generally uses the traditional network scanning method, which relies on the characteristics of the reflection amplifier, so that a different identification method exists for each kind of reflection amplifier. This is an active method with the problems of long time consumption, large bandwidth consumption and a high error rate; in addition, because active scanning needs the characteristics of a known reflection amplifier, it cannot identify an unknown type of reflection amplifier.
Disclosure of Invention
(I) Technical problem to be solved
Aiming at the defects of the prior art, the invention provides a reflection amplifier identification method based on active and passive combination, and solves the problems that the traditional reflection amplifier identification network scanning method is long in time consumption, large in consumption bandwidth, high in error rate and difficult in identification of unknown amplifiers.
(II) technical scheme
In order to achieve the purpose, the invention is realized by the following technical scheme: a reflection amplifier identification method based on active and passive combination comprises the following operation steps:
s1, constructing an identification system: setting a model training module, an unknown attack detection module, a model updating module, a reflection amplifier data collection module and a reflection amplifier IP library to form an identification system;
s2, constructing an attack detection module: collecting known reflection amplifier data, transmitting the data to a model training module, and training to generate an attack detection model by using a feature selection algorithm;
s3, detecting the type of the reflection amplification attack: inputting the flow into an attack detection module constructed in the S2, detecting whether a reflection amplification attack of a known attack type exists, if the attack is detected, entering the S6, and if not, entering the S4;
s4, unknown attack detection: inputting flow data into an unknown attack detection module, detecting whether unknown attacks exist in the flow by using the size-to-quantity ratio of request response data packets, entering S5 if the unknown attacks exist, and ending the system operation if the unknown attacks do not exist;
s5, updating an attack detection model: inputting the traffic data characteristics into a model updating module, and updating the attack detection model according to the detected traffic data of the unknown attack, so that the attack detection model updated with the new data set can identify the previously unidentifiable reflection amplifier;
s6, verifying a reflection amplifier: inputting the traffic data into the reflection amplifier data collection module, verifying the detected reflection amplifier in an active mode, confirming the amplification factor attribute of the reflection amplifier, and simultaneously recording the data of the reflection amplifier into the reflection amplifier IP (Internet protocol) library.
Further, the model training module in S1 mainly generates an attack detection model for a known reflection amplifier, and the attack detection module determines whether there is a reflection amplification attack in passive traffic by using the generated attack detection model.
Further, the unknown attack detection module in S1 handles the traffic in which the attack detection model found no attack of a known type, and detects whether an unknown attack exists by using the size-to-quantity ratio of the request and response data packets; the model updating module is mainly used for updating the attack detection model so that it can identify the reflection amplifier that the attack detection model could not identify.
Further, the data collection module of the reflection amplifier in S1 mainly uses an active detection mode to confirm the amplification factor property of the reflection amplifier and collect data of the reflection amplifier.
Furthermore, the reflection amplifier IP library is used for storing and backing up the reflection amplifier data collected by the reflection amplifier data collection module, so that the later-stage calling is facilitated.
Further, when the model training module in S2 constructs the attack detection module, a reflection amplifier of a common protocol is autonomously constructed, flow data is generated as reflection amplification attack flow of each protocol portion, a large amount of reflection amplification attack flow data on the internet and normal flow data are additionally collected, then, a feature selection algorithm is used, a statistically ordered network flow feature selection method is used to select features, features are extracted from the flow data set according to the selected features, labeling is done, and a machine learning algorithm is used to train and generate the attack detection model.
Further, when the attack detection module in S3 detects, it mainly uses the generated attack detection model to determine whether there is a reflection amplification attack in the passive traffic, and when a group of traffic data enters the system, extracts the features of the group of traffic according to the feature matching required by the attack detection model, inputs the group of traffic features into the trained attack detection model, and determines whether there is a reflection amplification attack of a known type in the traffic using the attack detection model.
Further, when the unknown attack detection module in S4 detects, it uses the ratio of the size and the number of the request and response data packets, and the comparison process is as follows: first calculate a1 = response packet size / request packet size and a2 = response packet number / request packet number; if a1 exceeds a certain threshold α1 or a2 exceeds a certain threshold α2, it is determined that an unknown reflection amplifier exists, and the method enters the model updating module and the reflection amplifier data collection module.
Further, during the updating in the model updating module in S5, a large amount of flow data of the reflection amplifier that cannot be identified by the attack detection model is collected by using an active detection method, the collected flow data set is added to the original flow data set to form a new data set, and then the attack detection model is retrained by using the new data set to generate an attack detection model that can identify the new type of reflection amplifier.
Further, when the data collection module of the reflection amplifier in S6 verifies, the IP address and the feature information of the reflection amplifier collected by the previous module are used to perform active detection on the detected reflection amplifier to determine the specific amplification factor attribute, and then the data of the detected reflection amplifier is added to the IP library of the reflection amplifier after determining that the information of the reflection amplifier is correct.
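As an added illustration (not code from the patent), the S4 ratio test and the S3 to S6 decision flow in Python: the packet records, the thresholds α1 and α2, and the addresses are constructed sample values, and the known-type attack detection model of S2 is passed in as a callable rather than implemented here.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One observed datagram between a client and a service port (constructed record format)."""
    client: str        # address the request claims to come from (the victim, if spoofed)
    server: str        # address of the candidate reflector
    server_port: int
    direction: str     # "req" (client -> server) or "resp" (server -> client)
    size: int          # payload size in bytes


GroupKey = Tuple[str, str, int]   # (client, server, server_port)


@dataclass
class Ratios:
    a1: float      # response packet size / request packet size     (S4)
    a2: float      # response packet number / request packet number (S4)
    req_pkts: int
    resp_pkts: int


def request_response_ratios(packets: List[Packet]) -> Dict[GroupKey, Ratios]:
    """Aggregate traffic per (client, server, port) and compute a1 and a2 for each group.
    Sizes and counts are summed over the group, so a1 is a bytes ratio and a2 a packet ratio."""
    req_bytes: Dict[GroupKey, int] = defaultdict(int)
    req_pkts: Dict[GroupKey, int] = defaultdict(int)
    resp_bytes: Dict[GroupKey, int] = defaultdict(int)
    resp_pkts: Dict[GroupKey, int] = defaultdict(int)
    for p in packets:
        key = (p.client, p.server, p.server_port)
        if p.direction == "req":
            req_bytes[key] += p.size
            req_pkts[key] += 1
        elif p.direction == "resp":
            resp_bytes[key] += p.size
            resp_pkts[key] += 1
        else:
            raise ValueError(f"unknown direction {p.direction!r}")
    ratios: Dict[GroupKey, Ratios] = {}
    for key in set(req_pkts) | set(resp_pkts):
        rb, rp = req_bytes[key], req_pkts[key]
        sb, sp = resp_bytes[key], resp_pkts[key]
        # Edge case: responses with no observed request (or zero request bytes) make the
        # ratio undefined; report it as infinite so it exceeds any finite threshold.
        a1 = sb / rb if rb else (float("inf") if sb else 0.0)
        a2 = sp / rp if rp else (float("inf") if sp else 0.0)
        ratios[key] = Ratios(a1, a2, rp, sp)
    return ratios


def exceeds_thresholds(r: Ratios, alpha1: float, alpha2: float) -> bool:
    """S4 decision: an unknown reflection amplifier is assumed if a1 > α1 or a2 > α2."""
    return r.a1 > alpha1 or r.a2 > alpha2


def flag_unknown_reflectors(packets: List[Packet], alpha1: float, alpha2: float) -> List[GroupKey]:
    """Return the sorted (client, server, port) groups whose ratios exceed the thresholds."""
    return sorted(k for k, r in request_response_ratios(packets).items()
                  if exceeds_thresholds(r, alpha1, alpha2))


def next_step(packets: List[Packet], known_attack: Callable[[List[Packet]], bool],
              alpha1: float, alpha2: float) -> str:
    """Control flow of S3 to S6: a known-type attack goes to S6 (active verification);
    otherwise the S4 ratio test leads to S5 (model update, then data collection) or ends."""
    if known_attack(packets):                              # S3: model trained in S2
        return "S6"
    if flag_unknown_reflectors(packets, alpha1, alpha2):   # S4: ratio test
        return "S5"
    return "end"


# Constructed thresholds; the patent leaves α1 and α2 unspecified.
ALPHA1, ALPHA2 = 10.0, 3.0

# Constructed sample traffic (documentation addresses, arbitrary port 9999).
SAMPLE_PACKETS: List[Packet] = (
    # ordinary exchange: one 60-byte request, one 120-byte reply (a1 = 2, a2 = 1)
    [Packet("192.0.2.10", "198.51.100.1", 53, "req", 60),
     Packet("192.0.2.10", "198.51.100.1", 53, "resp", 120)]
    # amplified exchange: three 40-byte requests draw thirty 1400-byte replies (a1 = 350, a2 = 10)
    + [Packet("192.0.2.20", "203.0.113.7", 9999, "req", 40) for _ in range(3)]
    + [Packet("192.0.2.20", "203.0.113.7", 9999, "resp", 1400) for _ in range(30)]
    # replies with no request observed at all (a1 = a2 = inf)
    + [Packet("192.0.2.30", "203.0.113.9", 9999, "resp", 500) for _ in range(5)]
)

if __name__ == "__main__":
    for key, r in sorted(request_response_ratios(SAMPLE_PACKETS).items()):
        verdict = "UNKNOWN-AMPLIFIER" if exceeds_thresholds(r, ALPHA1, ALPHA2) else "ok"
        print(key, f"a1={r.a1:.1f} a2={r.a2:.1f}", verdict)
    print("next step:", next_step(SAMPLE_PACKETS, lambda _pk: False, ALPHA1, ALPHA2))
```

The thresholds decide the trade-off between missing low-gain amplifiers and flagging ordinary request/response asymmetry, so they should be tuned on the normal traffic collected in S2.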
(III) advantageous effects
The invention has the following beneficial effects:
(1) The reflection amplifier identification method based on active and passive combination mainly comprises three steps: reflection amplifier identification in passive traffic, discovery of an unknown reflection amplifier, and reflection amplifier verification in an active mode. By arranging the attack detection module, the reflection amplifier can be identified from passive traffic, which saves a large amount of bandwidth compared with an unscoped active reflection amplifier detection method. At the same time, by arranging the unknown attack detection module, the secondary calculation of the size and quantity ratio of request and response data packets can be carried out on the passive traffic in which no reflection amplification attack of a known type was identified, so that the system can automatically identify reflection amplifiers of unknown type; the function is more powerful and the security protection performance is higher;
(2) According to the reflection amplifier identification method based on active and passive combination, by arranging the reflection amplifier data collection module, the reflection amplifier identified in passive traffic can be actively verified, the specific amplification factor attribute of the reflection amplifier is determined, and the information of the reflection amplifier is accurately collected; at the same time the detection result is verified once more, which further improves detection accuracy.
Of course, it is not necessary for any product in which the invention is practiced to achieve all of the above-described advantages at the same time.
Drawings
FIG. 1 is a system diagram of a reflection amplifier identification method based on active and passive combination according to the present invention;
fig. 2 is a basic schematic diagram of a reflection attack in the prior art.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "opening," "upper," "lower," "thickness," "top," "middle," "length," "inner," "peripheral," and the like are used in an orientation or positional relationship merely to facilitate description of the invention and to simplify the description, and are not intended to indicate or imply that the referenced components or elements must be in a particular orientation, constructed and operative in a particular orientation, and are not to be construed as limiting the invention.
Referring to fig. 1-2, an embodiment of the present invention provides a technical solution: a reflection amplifier identification method based on active and passive combination comprises the following operation steps:
s1, constructing an identification system: setting a model training module, an unknown attack detection module, a model updating module, a reflection amplifier data collection module and a reflection amplifier IP library to form an identification system;
s2, constructing an attack detection module: collecting known reflection amplifier data, transmitting the data to a model training module, and training to generate an attack detection model by using a feature selection algorithm;
s3, detecting the type of the reflection amplification attack: inputting the flow into an attack detection module constructed in the S2, detecting whether a reflection amplification attack of a known attack type exists, if the attack is detected, entering the S6, otherwise, entering the S4;
s4, unknown attack detection: inputting flow data into an unknown attack detection module, detecting whether unknown attacks exist in the flow by using the size-to-quantity ratio of request response data packets, entering S5 if the unknown attacks exist, and ending the system operation if the unknown attacks do not exist;
s5, updating an attack detection model: inputting the traffic data characteristics into a model updating module, and updating the attack detection model according to the detected traffic data of the unknown attack, so that the attack detection model updated with the new data set can identify the previously unidentifiable reflection amplifier;
s6, verifying a reflection amplifier: inputting the traffic data into the reflection amplifier data collection module, verifying the detected reflection amplifier in an active mode, confirming the amplification factor attribute of the reflection amplifier, and simultaneously recording the data of the reflection amplifier into the reflection amplifier IP (Internet protocol) library.
The model training module in the S1 mainly generates an attack detection model aiming at a known reflection amplifier, and the attack detection module judges whether reflection amplification attack exists in passive flow or not by utilizing the generated attack detection model.
The unknown attack detection module in S1 handles the traffic in which the attack detection model found no attack of a known type, and detects whether an unknown attack exists by using the size-to-quantity ratio of the request and response data packets; the model updating module is mainly used for updating the attack detection model so as to identify the reflection amplifier which could not be identified.
The data collection module of the reflection amplifier in the S1 mainly confirms the amplification factor attribute of the reflection amplifier in an active detection mode and collects data of the reflection amplifier.
The reflection amplifier IP library is used for storing and backing up the reflection amplifier data collected by the reflection amplifier data collection module, and is convenient for later-stage calling.
When the model training module in S2 constructs the attack detection module, a reflection amplifier of each common protocol is constructed autonomously and traffic data is generated to serve as the reflection amplification attack traffic of that protocol; a large amount of reflection amplification attack traffic data on the Internet and normal traffic data is additionally collected; then a feature selection algorithm, namely a statistically sorted network traffic feature selection method, is used to select features, features are extracted from the traffic data set according to the selected features and labelled, and a machine learning algorithm is used for training to generate the attack detection model.
When the attack detection module in S3 detects, it mainly uses the generated attack detection model to judge whether a reflection amplification attack exists in the passive traffic: when a group of traffic data enters the system, the features of the group are extracted according to the feature matching required by the attack detection model, the features are input into the trained attack detection model, and the attack detection model judges whether a reflection amplification attack of a known type exists in the traffic.
When the unknown attack detection module in S4 detects, the size and quantity ratio of the request and response data packets is used, and the comparison process is as follows: first calculate a1 = response packet size / request packet size and a2 = number of response packets / number of request packets; if a1 is greater than a certain threshold α1 or a2 is greater than a certain threshold α2, an unknown reflection amplifier is considered to exist, and the method enters the model updating module and the reflection amplifier data collection module.
In S5, when the model updating module updates, a large amount of traffic data of the reflection amplifier which the attack detection model cannot identify is collected in an active detection mode, the collected traffic data set is added to the original traffic data set to form a new data set, and then the attack detection model is trained again with the new data set to generate an attack detection model capable of identifying the new type of reflection amplifier.
When the data collection module of the reflection amplifier in S6 is used for verification, the IP address and the characteristic information of the reflection amplifier collected by the previous module are used to perform active detection on the detected reflection amplifier to determine the specific amplification factor attribute, and then the data of the detected reflection amplifier is added to the IP library of the reflection amplifier after determining that the information of the reflection amplifier is correct.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise embodiments disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (7)

1. A reflection amplifier identification method based on active and passive combination is characterized by comprising the following operation steps:
s1, constructing an identification system: setting a model training module, an unknown attack detection module, a model updating module, a reflection amplifier data collection module and a reflection amplifier IP library to form an identification system;
s2, constructing an attack detection module: collecting known reflection amplifier data, transmitting the data to a model training module, and training to generate an attack detection model by using a feature selection algorithm;
s3, detecting the type of the reflection amplification attack: inputting the flow into an attack detection module constructed in the S2, detecting whether a reflection amplification attack of a known attack type exists, if the attack is detected, entering the S6, otherwise, entering the S4;
s4, unknown attack detection: inputting flow data into an unknown attack detection module, detecting whether unknown attacks exist in the flow by using the size-to-quantity ratio of request response data packets, entering S5 if the unknown attacks exist, and ending the system operation if the unknown attacks do not exist;
s5, updating an attack detection model: the flow data characteristics are input into a model updating module, and an attack detection model is updated aiming at the detected flow data of unknown attack, so that the data set updating attack detection model can identify the unidentifiable reflection amplifier;
s6, verifying a reflection amplifier: inputting the flow data into a data collection module of the reflection amplifier, verifying the detected reflection amplifier in an active mode, confirming the amplification factor attribute of the reflection amplifier, and simultaneously recording the data of the reflection amplifier into an IP (Internet protocol) library of the reflection amplifier;
the model training module in the S1 mainly generates an attack detection model aiming at a known reflection amplifier, and the attack detection module judges whether reflection amplification attack exists in passive flow or not by utilizing the generated attack detection model;
the unknown attack detection module in the S1 judges that the attack detection model does not have the flow of known type attack, and detects whether the unknown attack exists or not by utilizing the size-to-quantity ratio of the request response data packet, and the model updating module is mainly used for updating the attack detection model so as to identify the reflection amplifier which cannot be identified by the attack detection model;
the data collection module of the reflection amplifier in the S1 mainly uses an active detection mode to confirm the amplification factor attribute of the reflection amplifier and collects the data of the reflection amplifier.
2. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: the reflection amplifier IP library is used for storing and backing up the reflection amplifier data collected by the reflection amplifier data collection module, and is convenient for later-stage calling.
3. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: and when the model training module in the S2 constructs the attack detection module, a reflection amplifier of a common protocol is automatically constructed, flow data are generated to serve as reflection amplification attack flow of each protocol part, a large amount of reflection amplification attack flow data on the Internet and normal flow data are collected, then a characteristic selection algorithm is utilized, a network flow characteristic selection method of statistical sorting is used for selecting characteristics, characteristics are extracted from a flow data set according to the selected characteristics, labeling is well carried out, and a machine learning algorithm is used for training to generate the attack detection model.
4. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: and when the attack detection module in the S3 detects, the generated attack detection model is mainly used for judging whether the reflection amplification attack exists in the passive flow, when a group of flow data enters the system, the characteristics of the group of flow are extracted according to the characteristic matching required by the attack detection model, the characteristics of the group of flow are input into the trained attack detection model, and the attack detection model is used for judging whether the known type of reflection amplification attack exists in the flow.
5. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: when the unknown attack detection module in the S4 detects, the size and the quantity ratio of the request response data packets are utilized, and the comparison process is as follows: first calculate a1 = response packet size / request packet size, a2 = number of response packets / number of request packets; if a1 is greater than a certain threshold value α1 or a2 is greater than a certain threshold value α2, then the unknown reflection amplifier is considered to exist and enters a model updating module and a reflection amplifier data collecting module.
6. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: and in the S5, when the model updating module is updated, a large amount of flow data of the reflection amplifier which cannot be identified by the attack detection model is collected by using an active detection mode, the collected flow data set is added into the original flow data set to form a new data set, and then the attack detection model is trained again by using the new data set to generate the attack detection model capable of identifying the new type of reflection amplifier.
7. The method for identifying a reflection amplifier based on active and passive combination as claimed in claim 1, wherein: when the data collection module of the reflection amplifier in S6 is used for verification, the IP address and the characteristic information of the reflection amplifier collected by the previous module are used to perform active detection on the detected reflection amplifier to determine the specific amplification factor attribute, and then the data of the detected reflection amplifier is added to the IP library of the reflection amplifier after the information of the reflection amplifier is determined to be correct.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110247040.6A CN112953956B (en) 2021-03-05 2021-03-05 Reflection amplifier identification method based on active and passive combination

Publications (2)

Publication Number Publication Date
CN112953956A CN112953956A (en) 2021-06-11
CN112953956B true CN112953956B (en) 2022-11-18

Family

ID=76228564

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110247040.6A Active CN112953956B (en) 2021-03-05 2021-03-05 Reflection amplifier identification method based on active and passive combination

Country Status (1)

Country Link
CN (1) CN112953956B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114257452B (en) * 2021-12-24 2023-06-23 中国人民解放军战略支援部队信息工程大学 Method for finding unknown UDP reflection amplification attack based on flow analysis

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106341418A (en) * 2016-10-08 2017-01-18 中国科学院信息工程研究所 Domain name system (DNS) distributed reflection denial of service attack (DRDoS) detection and defense methods and systems
CN109818964A (en) * 2019-02-01 2019-05-28 长沙市智为信息技术有限公司 DDoS attack detection method, device, equipment and storage medium
CN110011999A (en) * 2019-03-29 2019-07-12 东北大学 IPv6 network ddos attack detection system and method based on deep learning
CN110311925A (en) * 2019-07-30 2019-10-08 百度在线网络技术(北京)有限公司 DDoS reflection attack detection method and device, computer equipment and readable medium
CN110661763A (en) * 2018-06-29 2020-01-07 阿里巴巴集团控股有限公司 DDoS reflection attack defense method, device and equipment
CN110691100A (en) * 2019-10-28 2020-01-14 中国科学技术大学 Hierarchical network attack identification and unknown attack detection method based on deep learning

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20160095856A (en) * 2015-02-04 2016-08-12 한국전자통신연구원 System and method for detecting intrusion intelligently based on automatic detection of new attack type and update of attack type
CN106230819B (en) * 2016-07-31 2019-08-06 上海交通大学 DDoS detection method based on flow sampling
CN106534209B (en) * 2016-12-29 2017-12-19 广东睿江云计算股份有限公司 Method and system for diverting reflection-type DDoS traffic
US10868828B2 (en) * 2018-03-19 2020-12-15 Fortinet, Inc. Mitigation of NTP amplification and reflection based DDoS attacks
CN108696543B (en) * 2018-08-24 2021-01-05 海南大学 Distributed reflection denial of service attack detection and defense method based on deep forest
CN109040113B (en) * 2018-09-04 2021-03-19 海南大学 Distributed denial of service attack detection method and device based on multi-core learning

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Detect the reflection amplification attack based on UDP protocol; Chang Liu et al.; 2015 10th International Conference on Communications and Networking in China (ChinaCom); 2016-06-23; full text *
Research on UDP reflection attack detection and response technology; 周文烽; 中国优秀硕士学位论文全文数据库 信息科技辑 (China Master's Theses Full-text Database, Information Science and Technology); 2019-05-15 (No. 05); full text *
Research on reflection amplification DDoS attacks and defenses; 蒋泽军 et al.; 计算机产品与流通 (Computer Products and Circulation); 2020-09-09 (No. 10); full text *
Real-time DDoS attack detection based on deep learning; 李传煌 et al.; 电信科学 (Telecommunications Science); 2017-07-20 (No. 07); full text *
Amplification attack attribution technology based on deep learning; 刘东明 et al.; 通信技术 (Communications Technology); 2019-12-10 (No. 12); full text *

Also Published As

Publication number Publication date
CN112953956A (en) 2021-06-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 571924 301, floor 3, building A09, Hainan Ecological Software Park, high tech industry demonstration zone, Laocheng, Hainan Province

Patentee after: Jizhi (Hainan) Information Technology Co.,Ltd.

Country or region after: China

Address before: 571924 Room 301, 3rd floor, building A09, Hainan Ecological Software Park, Laocheng hi tech Industrial Demonstration Zone, Chengmai County, Haikou City, Hainan Province

Patentee before: Zhongdian Jizhi (Hainan) Information Technology Co.,Ltd.

Country or region before: China