A detection method and device based on malicious address in ddos ​​attack

Abstract

The invention discloses a method and device for detecting a malicious address in an attack based on DDOS. The method comprises the steps: obtaining a head file of a data package in a preset time window, and forming an N-item set through N preset field items in the head file; looking up the record comprising the subsets of the N-item set in a candidate set formed by N preset field items in the head files of a plurality of preset data packages; setting the minimum support degree of the number of recording times or the recording frequency; detecting the next data package when the number of recording times or the frequency of any one subset in the N-item set is less than the minimum support degree; and judging that the source address of the current data package is the malicious address when the next data package when the number of recording times or the frequency of any one subset in the N-item set is not less than the minimum support degree. According to the invention, the method can quickly screen out the IP address of a suspected malicious attack, assists a system host to quickly respond to the attack, and protects a network from being palsied.

Description

technical field [0001] The invention relates to the technical field of network security, and more specifically, to a detection method and device based on malicious addresses in DDOS attacks. Background technique [0002] DDOS (Distributed Denial of Service, Distributed Denial of Service) attack refers to the use of client / server technology to combine multiple computers as an attack platform to launch DDOS attacks on one or more targets, thereby multiplying the probability of denial of service attacks. power. Usually, the attacker uses a stolen account to install the DDOS main control program on a computer. At a set time, the main control program will communicate with a large number of agent programs. The agent programs have been installed on many computers on the network. The agent launches an attack when instructed to do so. Using client / server technology, the master control program can activate hundreds of thousands of agent program runs in seconds. [0003] Today's def...

AI Technical Summary

Problems solved by technology

Then, the protocol stack analysis is based on the RFC (Request For Comments, a series of files arranged by number) specification. Since each data packet type basically needs to comply with the RFC specification, the data packets constructed by the attacker through the tool do not conform to the specification. At this time, the attack behavior can be detected through protocol stack analysis, but as the attack escalates, advanced attackers can still construct data packets that conform to the protocol stack specification as much as possible, increasing the difficulty of protocol stack analysis. The analysis tool only It can deal with elementary level attackers, and cannot accurately screen the IP addresses of malicious attacks

Finally, fingerprint recognition has the highest accuracy for identifying DDOS attacks, but requires more resource consumption, and cannot identify new types of attacks that are not included in the fingerprint library, making it difficult to respond quickly when the system host is under attack

[0004] Therefore, although locating the attacker's IP address has practical application value, how to determine malicious IP addresses from a large number of data packet communications and ensure sufficient accuracy, especially to prevent normal access IP addresses from being blacklisted. The influence of normal users is a problem to be solved in the industry

Images