Method and device for filtering network attack traffic

A technology for filtering network attack traffic, applied in the field of network security. It addresses the problems that a calculated traffic threshold is prone to sudden change and rarely reflects the real boundary between normal and abnormal traffic, which reduces the effect of filtering abnormal traffic, and it achieves the effect of filtering attack traffic.

Active Publication Date: 2012-02-15
BEIJING LEADSEC TECH

AI Technical Summary

Problems solved by technology

There are three main methods for calculating the threshold: (1) Select the maximum of the network traffic sampling values as the threshold. Samples of abnormal traffic cannot be effectively ruled out during sampling. (2) Select the average of the traffic sampling values as the threshold. This has macroscopic characteristics, but the statistics of abnormal traffic cannot be ruled out during traffic sampling. (3) Weight the traffic sampling values before and after the moment in question to calculate the threshold. A threshold determined this way slows the fluctuation of the threshold as traffic changes and has a certain macroscopic character. However, it is still impossible to rule out the statistics of abnormal traffic, and the weights are almost impossible to determine except from long-term accumulated experience.
It can be seen that the existing methods cannot avoid the influence of abnormal traffic when sampling traffic, so the calculated traffic threshold usually fails to reflect the real boundary between normal traffic and abnormal traffic, which reduces the effect of filtering out abnormal traffic.



Embodiment Construction

[0036] The main idea of the present invention is: after obtaining samples of the network traffic, first screen the obtained sample space to filter out those sample values that obviously represent attack traffic; then, on the basis of the processed samples, calculate the final threshold according to the law of the normal distribution; and then filter the network attack traffic according to the final threshold, thereby realizing the purpose of the present invention.

[0037] In order to enable those skilled in the art to further understand the features and technical content of the present invention, the technical solution of the present invention will be described in detail below in conjunction with the accompanying drawings and embodiments.

[0038] As mentioned earlier, network security issues are increasingly becoming a focus of attention. The so-called network security refers to the information security of the network, including the ...


Abstract

The invention provides a method for filtering network attack traffic. The method comprises the following steps: acquiring samples of network traffic as initial samples; summing three times the average value of the initial samples and three times the standard deviation of the initial samples to obtain an intermediate threshold value; filtering out samples greater than the intermediate threshold value to obtain the remaining samples; obtaining a final threshold value from the average value and standard deviation of the remaining samples, wherein the final threshold value is the sum of three times the average value of the remaining samples and three times the standard deviation of the remaining samples; and filtering the network attack traffic according to the final threshold value. Compared with the prior art, the invention adopts a more scientific and accurate method for calculating the final threshold value and achieves better attack traffic filtering effects.
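The two-pass threshold calculation described in the abstract, as an added Python example (not code from the patent). The function names, the use of the population standard deviation, the constructed sample values, and treating rates above the final threshold as attack traffic are assumptions; the multipliers default to the abstract's wording and are parameters so the conventional three-sigma form (mean + 3·std) can be tried as well.

```python
from statistics import fmean, pstdev

def threshold(samples, k_mean=3.0, k_std=3.0):
    """k_mean * mean + k_std * standard deviation of the samples."""
    if not samples:
        raise ValueError("no traffic samples")
    # Assumption: population standard deviation; the page does not say which.
    return k_mean * fmean(samples) + k_std * pstdev(samples)

def two_pass_threshold(samples, k_mean=3.0, k_std=3.0):
    """Return (intermediate threshold, remaining samples, final threshold)."""
    # Pass 1: threshold over all samples, attack spikes included.
    intermediate = threshold(samples, k_mean, k_std)
    # Screen out samples that obviously represent attack traffic.
    remaining = [s for s in samples if s <= intermediate]
    # Pass 2: recompute on the screened samples only.
    final = threshold(remaining, k_mean, k_std)
    return intermediate, remaining, final

def split_traffic(observed, final):
    """Split observed rates into (passed, dropped) around the final threshold."""
    passed = [r for r in observed if r <= final]
    dropped = [r for r in observed if r > final]
    return passed, dropped

# Constructed sample: 20 normal readings near 100 plus one attack spike.
SAMPLES = [100, 110, 90, 105, 95] * 4 + [5000]

if __name__ == "__main__":
    intermediate, remaining, final = two_pass_threshold(SAMPLES)
    print(f"intermediate threshold: {intermediate:.1f}")
    print(f"samples kept after screening: {len(remaining)} of {len(SAMPLES)}")
    print(f"final threshold: {final:.1f}")
    # A rate of 400 is under the spike-inflated first-pass value but over
    # the final threshold computed from the screened samples.
    print(split_traffic([120, 400, 5000], final))
```

On this sample the single spike pulls the first-pass threshold far above every normal reading, which is the distortion the second pass removes.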

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a method and device for filtering network attack traffic.

Background technique

[0002] With the development of Internet technology, network security issues have attracted widespread attention. Viruses, hackers and other network attacks emerge in an endless stream, and people try their best to deal with these security threats. Different from these conventional network threats is the increasingly common traffic attack, which uses a data flow larger than the system's processing capacity to crash the system or overwhelm the network equipment. A common example is DDoS (distributed denial of service attack), which developed from the DoS (denial of service) attack. Because it usually spreads data on the network with a seemingly legitimate identity, the detectors at the source or destination of the network can hardly identify these abnormal data fl...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L12/56, H04L12/801
Inventor: 李晗, 俞娜
Owner: BEIJING LEADSEC TECH