Method and system for detecting denial-of-service attacks

A denial-of-service attack detection technology, applied in the field of computer networks, that addresses the problems of large space occupation and slow detection speed, improving retrieval speed and avoiding the large cost in computing resources.

Inactive Publication Date: 2009-06-24
BEIJING VENUS INFORMATION TECH

AI Technical Summary

Problems solved by technology

Overcomes the large space occupation and slow detection speed of previous solutions for detecting denial-of-service attacks.


Examples


Embodiment 1

[0025] This embodiment is the basic form of a method for detecting denial-of-service attacks. It can be briefly described as:

[0026] (1) Collect network data and store it in space-compressed form based on a Bloom counting filter;

[0027] (2) Periodically compile statistics on the data collected in step (1) and extract the aggregated information;

[0028] (3) Run detection on the aggregated information obtained in step (2) to obtain the initiator and/or victim of the denial-of-service attack.

[0029] The basic idea of this embodiment is: obtain network data packets and parse them, extracting the source IP, destination IP, source port and destination port of each packet; classify them according to the transport-layer protocol type; based on the Bloom counting filter, the source IP, the destination IP, the corresponding relationship between the source IP and the destination port, the relationship between the destination IP and the destination port, and the corres...

Embodiment 2

[0040] This embodiment is a preferred solution for the data collection step of Embodiment 1. The data collection step comprises the following sub-steps, with the flow shown in Figure 2:

[0041] Step 201: Capture raw data packets directly from the network card.

[0042] Step 202: Perform link layer protocol analysis to provide information for network layer protocol analysis;

[0043] Step 203: Analyze the network layer protocol, provide information for the transport layer protocol analysis, and extract the source IP address and destination IP address corresponding to the original data message.

[0044] Step 204: Analyze the transport layer protocol, extract the source and destination ports corresponding to the original data message, and parse out all the information needed for the detection process.

Embodiment 3

[0046] This embodiment is a preferred solution for the classified storage step of Embodiment 1. The classified storage step uses the Bloom counting filter, a storage method with a data compression function that stores elements in the form of a set. It maps an element (an IP address in the present invention) into the set through multiple hash functions to indicate whether the element is in the set. At the same time, it keeps a running count of collisions: when mapped values conflict, the counter in the conflicting cell records the number of visits to that cell. If the element can be restored, its frequency of occurrence can be obtained; for an IP address, this gives the frequency of occurrence of that IP.

[0047] In order to correctly restore the IP address, five hash functions are designed in this embodiment,...
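An added example (not code from the patent or its owner) of the counting-filter storage and per-period detection described in Embodiments 1 and 3. The five salted BLAKE2b hashes, the table size, the threshold and the sample traffic are assumptions; because the patent's address-recovery step is cut off on this page, the sketch instead checks each key's estimated count as it is inserted.

```python
import hashlib
import ipaddress


class CountingBloomFilter:
    """Fixed-size counter array; each key increments the slots picked by k hashes."""

    def __init__(self, size=4096, k=5):
        self.size, self.k = size, k
        self.counters = [0] * size

    def _slots(self, key: bytes):
        # Assumption: k salted BLAKE2b hashes stand in for the patent's five functions.
        return {
            int.from_bytes(
                hashlib.blake2b(key, digest_size=8, salt=bytes([i])).digest(), "big"
            ) % self.size
            for i in range(self.k)
        }

    def add(self, key: bytes) -> int:
        """Count one occurrence and return the estimated frequency so far."""
        slots = self._slots(key)
        for s in slots:
            self.counters[s] += 1
        # Collisions only inflate counters, so the minimum never underestimates.
        return min(self.counters[s] for s in slots)


def detect(packets, threshold, size=4096):
    """One statistics period: return (initiators, victims) reaching the threshold."""
    by_src, by_dst = CountingBloomFilter(size), CountingBloomFilter(size)
    initiators, victims = set(), set()
    for src, dst in packets:
        if by_src.add(ipaddress.ip_address(src).packed) >= threshold:
            initiators.add(src)
        if by_dst.add(ipaddress.ip_address(dst).packed) >= threshold:
            victims.add(dst)
    return initiators, victims


def sample_period():
    """Constructed traffic: 200 sources flooding one host, plus light background."""
    flood = [(f"198.51.100.{i}", "203.0.113.10") for i in range(1, 201)] * 2
    background = [(f"192.0.2.{i}", f"192.0.2.{i + 100}") for i in range(1, 51)]
    return flood + background


if __name__ == "__main__":
    print(detect(sample_period(), threshold=100))
```

Memory stays fixed at `size` counters per filter regardless of how many distinct addresses appear, which is the space saving the embodiment is after; a distributed flood surfaces as a victim with no single initiator above the threshold.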


Abstract

The invention relates to a method and a system for detecting denial-of-service attacks. Built on a Bloom counting filter, the invention makes full use of the heavy-tailed distribution of IP addresses and/or ports while an attack is occurring, and is able to detect denial-of-service attack behavior in an actual network. The invention includes a data acquisition and analysis module, an information storage module, an information statistics module, a detection module and an alarm module. The invention adopts the Bloom filter and compressed data recovery technology to overcome the high computing resource cost of maintaining and traversing the IP address space, improving retrieval speed and detection performance. The invention is applied to a network intrusion detection system or network intrusion prevention system and can complete the detection of denial-of-service attacks under heavy traffic in an actual network.

Description

Technical field

[0001] The invention relates to a method and system for detecting a denial-of-service attack, which is a security detection method and system that uses network behavior patterns as the detection feature, and belongs to the technical field of computer networks.

Background art

[0002] The network intrusion detection system is an important part of the network security defense system. It connects to the monitored network in bypass mode, captures the data packets in the network, analyzes them, and uses feature matching or anomaly analysis to check whether there are security policy violations or attacks on the network.

[0003] A denial-of-service attack means that the attacker deliberately causes a computer or network to fail to operate normally through certain means, such as malicious data packets and flooding, so that the required service cannot be provided to legitimate users or the quality of service is reduced; its harmfulness lies in making ...


Application Information

Patent Type & Authority Applications(China)
IPC IPC(8): H04L12/26, H04L29/06, H04L29/08
Inventor 邓炜叶润国许金鹏赵东宾周涛
Owner BEIJING VENUS INFORMATION TECH