A network attack detection method, apparatus, device and medium
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER
- Filing Date
- 2023-09-26
- Publication Date
- 2026-06-23
Figure CN117081844B_ABST (abstract drawing)
Description
Technical Field
[0001] This application relates to the field of network and information security technology, and in particular to a network attack detection method, apparatus, device and medium.
Background Technology
[0002] Distributed Denial of Service (DDoS) attacks hold connections open with, or flood requests at, a target server from many sources, consuming its resources until it can no longer provide normal service. As the internet and internet services have evolved, DDoS protection technologies have evolved with them to suit new network environments and business needs. In recent years, slow attacks, which are variations of normal requests, have become a more stealthy form of DDoS attack. Their packets look like normal request behavior and fully comply with the Hypertext Transfer Protocol (HTTP), which makes them difficult to detect with conventional attack detection methods.
[0003] Slow attacks hold a connection with the target server open by sending small amounts of request data at a low rate, thereby tying up server resources. By request characteristics, slow attacks fall mainly into three types: slow header attacks, slow body attacks, and slow read attacks. In a slow header attack, the client, after establishing a connection, keeps sending HTTP request header lines at a slow pace and never terminates the header block. The server must receive all request headers before it can process the request, so it keeps waiting for headers, cannot process the request, and consumes system resources. In a slow body attack, the client declares a large message body length (for example, a large Content-Length) to tell the server that a large amount of data will follow. The server holds the connection open to receive that data, but the client sends only a few bytes at a time, slowly and continuously, again consuming system resources. In a slow read attack, the client reads the server's response very slowly (for example, by advertising a tiny TCP receive window), so the server believes the client is merely busy, keeps the connection and its send buffer open, and consumes resources.
[0004] In related technologies, slow attack detection is mainly based on the characteristics of slow attacks: the response time, packet characteristics, and data transmission rate of each request are examined, a fixed threshold is set for each attribute from expert experience, and a request is judged to be a slow attack by comparing it against those thresholds. Such methods depend heavily on expert experience; a badly set threshold is easily bypassed, the method raises false alarms when legitimate business traffic changes, and it offers no way to optimize the strategy.
[0005] Therefore, improving the accuracy of network attack detection is an urgent problem.
Summary of the Invention
[0006] This application provides a network attack detection method, apparatus, device, and medium to address the problem of low accuracy in network attack detection in the prior art.
[0007] Firstly, this application provides a method for detecting network attacks, the method comprising:
[0008] Determine the first time at which the request to be detected is received, and the source IP address corresponding to the request to be detected;
[0009] Obtain the historical requests received from the source IP address within a target time period of a preset time length prior to the first time; determine a first statistical value for at least one statistical parameter of the source IP address based on the historical requests and the request to be detected, wherein the statistical parameter includes any one of the following: the percentage of requests from the same IP address that carry an end identifier, the average length of the HTTP messages contained in requests from the same IP address, the coefficient of variation of the time interval between requests from the same IP address, and the rate at which requests from the same IP address occur within the target time period;
[0010] Based on the first statistical value and a second statistical value of the at least one statistical parameter corresponding to a historical time period identical to the target time period, determine whether the request to be detected is an abnormal request.
[0011] Secondly, this application provides a network attack detection device, the device comprising:
[0012] A determination module, configured to determine the first time at which the request to be detected is received, and the source IP address corresponding to the request to be detected;
[0013] An acquisition module, configured to obtain the historical requests received from the source IP address within a target time period of a preset time length prior to the first time;
[0014] The determination module is further configured to determine a first statistical value of at least one statistical parameter of the source IP address based on the historical requests and the request to be detected, wherein the statistical parameter includes any one of the following: the percentage of requests from the same IP address that carry an end identifier, the average length of the HTTP messages contained in requests from the same IP address, the coefficient of variation of the time interval between requests from the same IP address, and the rate at which requests from the same IP address occur within the target time period; and to determine whether the request to be detected is an abnormal request based on the first statistical value and a second statistical value of the at least one statistical parameter corresponding to a historical time period identical to the target time period.
[0015] This application also provides an electronic device, which includes at least a processor and a memory. The processor is used to execute a computer program stored in the memory to implement the steps of the network attack detection method described in any of the above embodiments.
[0016] This application also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of the network attack detection method described in any of the preceding embodiments.
[0017] In this embodiment, the first time at which the request to be detected is received, and the source IP address corresponding to the request to be detected, are determined. The historical requests received from the source IP address within a target time period of a preset length prior to the first time are obtained. Based on the obtained historical requests and the request to be detected, a first statistical value of at least one statistical parameter of the source IP address is determined. The statistical parameter includes any one of the following: the percentage of requests from the same IP address that carry an end identifier, the average length of the HTTP messages contained in requests from the same IP address, the coefficient of variation of the time interval between requests from the same IP address, and the rate at which requests from the same IP address occur within the target time period. Based on the determined first statistical value and a second statistical value of the at least one statistical parameter corresponding to a historical time period identical to the target time period, it is determined whether the request to be detected is an abnormal request. The second statistical value corresponding to the historical time period identical to the target time period in which the request to be detected was received serves as the threshold for detecting the request. The threshold is thus determined dynamically, which avoids heavy reliance on human experience and effectively improves the accuracy of network attack detection.
Attached Figure Description
[0018] To more clearly illustrate the technical solutions of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0019] Figure 1 is a flowchart of a network attack detection process provided in an embodiment of this application;
[0020] Figure 2 is a flowchart of another network attack detection process provided in an embodiment of this application;
[0021] Figure 3 is a schematic diagram of a network attack detection device provided in an embodiment of this application;
[0022] Figure 4 is a schematic diagram of the structure of an electronic device provided in an embodiment of this application.
Detailed Implementation
[0023] To make the objectives, technical solutions, and advantages of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art are within the scope of protection of this application.
[0024] This application provides a network attack detection method, apparatus, device, and medium. The method involves determining the first time at which a request to be detected is received, and the source IP address corresponding to the request; obtaining the historical requests received from the source IP address within a target time period of a preset length prior to the first time; determining a first statistical value for at least one statistical parameter of the source IP address based on the historical requests and the request to be detected, wherein the statistical parameter includes any one of the following: the percentage of requests from the same IP address that carry an end identifier, the average length of the HTTP messages contained in requests from the same IP address, the coefficient of variation of the time interval between requests from the same IP address, and the rate at which requests from the same IP address occur within the target time period; and determining whether the request to be detected is an abnormal request based on the first statistical value and a second statistical value of the at least one statistical parameter corresponding to a historical time period identical to the target time period.
[0025] Example 1:
[0026] Figure 1 is a flowchart of the network attack detection process provided in this embodiment. As shown in Figure 1, the process includes the following:
[0027] S101: Determine the first time the request to be detected is received, and the source IP address corresponding to the request to be detected.
[0028] The network attack detection method provided in this application is executed by an electronic device, which may be a server, a PC, or similar.
[0029] To determine whether a network attack exists, any request received in this embodiment can be treated as a request to be detected. If the request to be detected is an abnormal request, a network attack may exist; otherwise, no network attack is indicated.
[0030] When the request to be detected is received, the exact time of receipt and the source IP address of the request can be determined. In other words, the system records when the request arrived and the IP address of the device that sent it.
[0031] S102: Obtain historical requests received from the source IP address within a target time period of a preset time length prior to the first time.
[0032] Since network attacks typically involve repeatedly sending requests from the same IP address to consume the resources of electronic devices, preventing them from processing other requests, this embodiment stores a preset time length, such as 30 seconds, 1 minute, 5 minutes, or 1 hour. After determining the first time, a time window of the preset time length preceding that first time is defined as the target time period. For example, if the first time the request to be detected is received is 10:00, and the preset time length is 1 minute, then the target time period is 9:59–10:00.
[0033] Once the target time period is determined, the historical requests received within it from the source IP address of the request to be detected can be retrieved. In other words, the historical requests within the target time period whose source IP address matches that of the request to be detected are identified.
[0034] S103: Based on the historical requests and the requests to be detected, determine a first statistical value of at least one statistical parameter of the source IP address, wherein the statistical parameter includes any one of the following: the percentage of requests with an end identifier from the same IP address, the average length of HTTP messages contained in requests from the same IP address, the coefficient of variation of the time interval between requests from the same IP address, and the rate at which requests from the same IP address occur within the target time period.
[0035] Since the obtained historical requests share the source IP address of the request to be detected, in this embodiment a first statistical value of at least one statistical parameter of the source IP address can be determined from the obtained historical requests and the request to be detected. The statistical parameter may include any one of the following: the percentage of requests from the same IP address that carry an end identifier; the average length of the HTTP messages contained in requests from the same IP address; the coefficient of variation of the time interval between requests from the same IP address; and the rate at which requests from the same IP address occur within the target time period.
[0036] Specifically, the percentage of requests from the same IP address that carry an end identifier can be determined using the following formula:
[0037]
[0038] Where Ratio1 represents the percentage of requests from a given IP address that carry an end identifier; m represents the number of requests from that IP address that carry an end identifier; and n represents the total number of requests from that IP address within the time period, i.e., the number of historical requests plus the request to be detected. Because the historical requests are retrieved by the source IP address of the received request to be detected, n is always at least 1.
[0039] In this embodiment, the end identifier of a request can be "\r\n\r\n", the empty line that terminates the HTTP header block. This embodiment does not limit the format of the end identifier; those skilled in the art can configure it as needed.
[0040] HTTP requests normally carry a message length field (Content-Length) that tells the receiving device how long the message body will be. If a malicious IP address declares an extremely long HTTP message in its request and then sends it very slowly, the receiving device stays in a receiving state, consuming its resources and delaying other requests. Therefore, in this embodiment, the average length of the HTTP messages contained in requests from the same IP address can be determined by the following formula:
[0041]
[0042] Where Ave_length represents the average length of the HTTP messages contained in requests from a given IP address; L_i represents the value of the HTTP message length field in the i-th request from that IP address; and i ranges from 1 to n, where n represents the number of requests from that IP address within the time period.
[0043] In this embodiment of the application, the coefficient of variation of the time interval between requests from the same IP address can be determined based on the following formula:
[0044]
[0045] Where cv_T represents the coefficient of variation of the time interval between requests from a given IP address; std_T represents the standard deviation of the time intervals between requests from that IP address; and mean_T represents the average time interval between requests from that IP address.
[0046] In this embodiment of the application, the rate at which requests from the same IP address occur within a target time period can be determined based on the following formula:
[0047]
[0048] Where Fre represents the rate at which requests from a given IP address occur within the target time period; n represents the total number of requests sent by that IP address within the target time period; and t represents the preset time length, i.e., the time difference between the start and end of the target time period.
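Steps S101 to S103 above, as an added worked example in Python (this is not code from the patent): it builds the target time window, filters the history by source IP, and computes the four statistical parameters from the prose definitions in [0038] to [0048]. The Request record type, the constructed sample traffic, and the handling of the coefficient of variation when fewer than two intervals exist are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Request:
    """One received HTTP request as a firewall/WAF log would record it (constructed
    schema, not the patent's): receive time, source IP, declared body length
    (Content-Length, 0 if absent) and whether the header block was terminated
    by the end identifier CRLF CRLF."""
    ts: datetime
    src_ip: str
    content_length: int
    has_end: bool


def history_for(requests, src_ip, first_time, window):
    """S102: historical requests from src_ip in [first_time - window, first_time)."""
    start = first_time - window
    return [r for r in requests if r.src_ip == src_ip and start <= r.ts < first_time]


def ip_statistics(reqs, window):
    """S103: the four statistical parameters for one source IP.

    `reqs` holds the history plus the request under detection, so n >= 1.
    Formulas follow the prose definitions of [0038]-[0048].
    """
    n = len(reqs)
    ratio1 = sum(r.has_end for r in reqs) / n                 # Ratio1 = m / n
    ave_length = sum(r.content_length for r in reqs) / n      # Ave_length = sum(L_i) / n
    ts = sorted(r.ts for r in reqs)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    # cv_T = std_T / mean_T; undefined with fewer than two intervals or a zero
    # mean, so 0.0 is used there (assumption: the patent does not say).
    if len(intervals) >= 2 and mean(intervals) > 0:
        cv_t = pstdev(intervals) / mean(intervals)
    else:
        cv_t = 0.0
    fre = n / window.total_seconds()                          # Fre = n / t
    return {"ratio1": ratio1, "ave_length": ave_length, "cv_t": cv_t, "fre": fre}


def first_statistics(requests, detected, window):
    """S101-S103 end to end: first statistical values for `detected`."""
    hist = history_for(requests, detected.src_ip, detected.ts, window)
    return ip_statistics(hist + [detected], window)


# Constructed sample traffic (not real data). The window follows [0050]:
# first time 02:38:04, preset length 1 minute.
T0 = datetime(2023, 9, 3, 2, 38, 4)
WINDOW = timedelta(minutes=1)
ATTACKER, CLIENT = "198.51.100.7", "203.0.113.5"
SAMPLE = [
    # attacker request outside the window: S102 must ignore it
    Request(T0 - timedelta(seconds=90), ATTACKER, 1_000_000, False),
    # slow attacker: fixed 10 s cadence, 1 MB declared body, header block never terminated
    *[Request(T0 - timedelta(seconds=s), ATTACKER, 1_000_000, False) for s in (50, 40, 30, 20, 10)],
    # ordinary client: irregular cadence, small or absent bodies, headers always terminated
    Request(T0 - timedelta(seconds=55), CLIENT, 0, True),
    Request(T0 - timedelta(seconds=52), CLIENT, 0, True),
    Request(T0 - timedelta(seconds=30), CLIENT, 512, True),
    Request(T0 - timedelta(seconds=3), CLIENT, 0, True),
]
DETECTED_ATTACK = Request(T0, ATTACKER, 1_000_000, False)
DETECTED_CLIENT = Request(T0, CLIENT, 128, True)

if __name__ == "__main__":
    for name, req in (("attacker", DETECTED_ATTACK), ("client", DETECTED_CLIENT)):
        print(name, first_statistics(SAMPLE, req, WINDOW))
```

For the attacker the example yields Ratio1 = 0, Ave_length = 1,000,000, cv_T = 0 (a perfectly regular cadence) and Fre = 6/60; for the client it yields Ratio1 = 1, Ave_length = 128, cv_T of about 0.79 and Fre = 5/60. The request that falls 90 s before the first time is excluded by the window check, which is the point of S102.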
[0049] S104: Based on the first statistical value and the second statistical value of the at least one statistical parameter corresponding to the same historical time period as the target time period, determine whether the request to be detected is an abnormal request.
[0050] Since traffic in the same time period on different days is generally similar, in this embodiment a historical time period identical to the target time period can be determined from the target time period in which the first time falls. For example, if the target time period is 02:28:04 to 02:38:04 on September 3, 2023, the identical historical time period could be the same period on the previous day, i.e., 02:28:04 to 02:38:04 on September 2, 2023. It could also be the same period on each of the previous two days, or the same period on one day in the previous month; this embodiment does not restrict the choice.
[0051] In this embodiment, it can be determined whether a request to be detected is an abnormal request based on a first statistical value and a second statistical value of the at least one statistical parameter corresponding to a historical time period. Specifically, for each determined statistical parameter, a first statistical value and a second statistical value corresponding to that statistical parameter can be determined, and the relationship between the first statistical value and the second statistical value can be used to determine whether the request to be detected is an abnormal request.
[0052] In this embodiment, the first time at which the request to be detected is received, and the source IP address corresponding to the request to be detected, are determined. The historical requests received from the source IP address within a target time period of a preset length prior to the first time are obtained. Based on the obtained historical requests and the request to be detected, a first statistical value of at least one statistical parameter of the source IP address is determined. The statistical parameter includes any one of the following: the percentage of requests from the same IP address that carry an end identifier, the average length of the HTTP messages contained in requests from the same IP address, the coefficient of variation of the time interval between requests from the same IP address, and the rate at which requests from the same IP address occur within the target time period. Based on the determined first statistical value and a second statistical value of the at least one statistical parameter corresponding to a historical time period identical to the target time period, it is determined whether the request to be detected is an abnormal request. The second statistical value corresponding to the historical time period identical to the target time period in which the request to be detected was received serves as the threshold for detecting the request. The threshold is thus determined dynamically, which avoids heavy reliance on human experience and effectively improves the accuracy of network attack detection.
[0053] Example 2:
[0054] To further improve the accuracy of network attack detection, based on the above embodiments, in this embodiment, the process of determining the second statistical value of the at least one statistical parameter corresponding to the same historical time period as the target time period includes:
[0055] Obtain historical requests received within the historical time period and the source IP addresses corresponding to the historical requests; group the historical requests according to the source IP addresses to obtain request groups;
[0056] For each of the request groups, a third statistical value for the at least one statistical parameter in that request group is determined;
[0057] The third statistical value of the at least one statistical parameter of each source IP address is sorted according to a preset order, and the second statistical value of the at least one statistical parameter is determined based on the sorted third statistical value and the preset sorting threshold stored for the at least one statistical parameter.
[0058] To further improve the accuracy of network attack detection, in determining the second statistical value, in this embodiment of the application, all historical requests received within the same historical time period as the target time period, as well as the source IP address corresponding to each historical request, can be obtained. The historical requests can be log data filtered by security devices such as firewalls.
[0059] After obtaining each source IP address, each historical request can be grouped to obtain request groups. For example, historical requests with the same source IP address can be grouped together.
[0060] For each request group, a third statistical value of the statistical parameters in that group is determined. The statistical parameters for which the third statistical value is determined are the same as the at least one statistical parameter used for the first statistical value. That is, for each source IP address at least one statistical parameter is determined from the following: the percentage of requests from the same IP address that carry an end identifier; the average length of the HTTP messages contained in requests from the same IP address; the coefficient of variation of the time interval between requests from the same IP address; and the rate at which requests from the same IP address occur within the historical time period.
[0061] After the third statistical value of each statistical parameter has been determined for each request group, i.e., for each source IP address, the third statistical values of each statistical parameter across the source IP addresses can be sorted in a preset order, for example ascending or descending. The second statistical value of a statistical parameter is then determined from the sorted third statistical values and the preset sorting threshold stored for that parameter. Because a larger value is more suspicious for some statistical parameters and a smaller value is more suspicious for others, this embodiment stores a different preset sorting threshold for each statistical parameter. The sorting threshold is a position in the sorted sequence; for example, a sorting threshold of 5 designates the fifth third statistical value in the sorted sequence. To determine the second statistical value, the target third statistical value at the position given by the preset sorting threshold is located in the sorted third statistical values, and that target third statistical value is the second statistical value of the statistical parameter.
[0062] Specifically, since a larger value of the average length of the HTTP messages contained in requests from the same IP address means a higher probability that the corresponding request is a slow attack request, in this embodiment the preset sorting threshold for that statistical parameter can be set to a high position, so that a larger second statistical value is selected.
[0063] Since normal requests generally carry an end identifier, its absence indicates that the request may be abnormal; the smaller the percentage of requests from the same IP address that carry an end identifier, the higher the probability that the corresponding request is a slow attack request. Therefore, in this embodiment the preset sorting threshold for that statistical parameter can be set to a low position, so that a smaller second statistical value is selected.
[0064] Since a smaller coefficient of variation of the time interval between requests from the same IP address (a more regular, machine-driven cadence) means a higher probability that the corresponding request is a slow attack request, in this embodiment the preset sorting threshold for that statistical parameter can be set to a low position, so that a smaller second statistical value is selected.
[0065] Since a larger rate of requests from the same IP address within a time period means a higher probability that the corresponding request is a slow attack request, in this embodiment the preset sorting threshold for that statistical parameter can be set to a high position, so that a larger second statistical value is selected.
[0066] Specifically, assuming that the preset sorting threshold for the average length of the HTTP messages contained in requests from the same IP address is the 75th percentile, the third statistical values of that parameter across the source IP addresses are sorted, the target third statistical value at the 75th percentile is located in the sorted values, and that target third statistical value is taken as the second statistical value of the parameter.
[0067] To further improve the accuracy of network attack detection, based on the above embodiments, the method in this application embodiment further includes:
[0068] If the preset sorting threshold stored for at least one statistical parameter is greater than the threshold benchmark, the second statistical value is amplified to obtain a fourth statistical value, and the second statistical value is updated using the fourth statistical value.
[0069] Because the second statistical value is taken directly from one of the third statistical values, it may not be a suitable threshold as it stands. Therefore, in this embodiment, after the second statistical value is determined it can be amplified or reduced.
[0070] In this embodiment, if the preset sorting threshold stored for a statistical parameter is greater than the threshold benchmark, the second statistical value is amplified to obtain a fourth statistical value, and the second statistical value is replaced by the fourth statistical value. The threshold benchmark can be an intermediate position determined in advance from statistics, for example the 50th percentile.
[0071] Specifically, assuming that the preset sorting threshold for statistical parameter 1 is the 75th percentile and the threshold benchmark is 50%, since the sorting threshold of 75% is greater than the threshold benchmark of 50%, the second statistical value determined based on the methods in the above embodiments can be amplified. For example, the second statistical value can be amplified by 5% of the original second statistical value. Alternatively, the amplification range of the second statistical value can be determined by comprehensively considering the deviation between the second and third statistical values based on other third statistical values.
[0072] To further improve the accuracy of network attack detection, based on the above embodiments, in this application embodiment, the method further includes: if the preset sorting threshold stored for the at least one statistical parameter is not greater than the threshold benchmark, then the second statistical value is reduced to obtain a fifth statistical value, and the second statistical value is updated using the fifth statistical value.
[0073] In this embodiment of the application, if the preset sorting threshold stored for a certain statistical parameter is not greater than the threshold benchmark, the second statistical value is reduced to obtain the fifth statistical value, and the second statistical value is updated using the fifth statistical value.
[0074] Specifically, assuming that the preset sorting threshold for statistical parameter 1 is the 25th percentile and the threshold benchmark is 50%, since the sorting threshold of 25% is not greater than the benchmark of 50%, the second statistical value determined by the methods of the above embodiments is reduced, for example by 5% of its original value, or by a reduction range determined from the deviation between the second statistical value and the other third statistical values.
[0075] The scaling of the second statistical value is described below with reference to a specific embodiment. Assume that a first preset sorting threshold and a second preset sorting threshold are stored in advance, the first being the 25th percentile and the second the 75th percentile. Consistent with [0062] to [0065], the second preset sorting threshold (75th percentile) is used for the statistical parameters whose larger values indicate an attack: the average length of the HTTP messages contained in requests from the same IP address, and the rate at which requests from the same IP address occur within the time period. The first preset sorting threshold (25th percentile) is used for the statistical parameters whose smaller values indicate an attack: the percentage of requests from the same IP address that carry an end identifier, and the coefficient of variation of the time interval between requests from the same IP address. For each statistical parameter, the second statistical value at its preset sorting threshold and a reference statistical value at the other sorting threshold are determined, and the second statistical value is then amplified or reduced according to the deviation between the two. Suppose the second statistical value Q3 of a statistical parameter is determined at the 75th percentile; the reference statistical value Q1 is then determined at the 25th percentile, and the deviation IQR between them is computed as IQR = Q3 - Q1. The second statistical value Q3 is then amplified according to this IQR by the formula Upper = Q3 + (threshold * IQR), where the threshold is a preset value greater than 0 and less than 1, for example 0.5.
[0076] Example 3:
[0077] To further improve the accuracy of network attack detection, based on the above embodiments, in this embodiment, determining whether the request to be detected is an abnormal request based on the first statistical value and the second statistical value of the at least one statistical parameter corresponding to the same historical time period as the target time period includes:
[0078] For any statistical parameter, determine the difference between the first statistical value and the corresponding second statistical value of that statistical parameter, and determine the outlier value of that statistical parameter for the request to be detected from the quotient of the difference and the second statistical value;
[0079] Calculate the sum of the outlier values of all statistical parameters;
[0080] If the determined sum of outlier values is greater than a preset threshold, determine that the request to be detected is an abnormal request.
[0081] In determining whether a request to be detected is an abnormal request based on a first statistical value and a second statistical value, in this embodiment of the application, for any statistical parameter, the difference between the first statistical value and the corresponding second statistical value of the statistical parameter can be determined, and the abnormal value of the statistical parameter of the request to be detected can be determined based on the quotient of the difference and the second statistical value.
[0082] After the outlier value of each statistical parameter has been determined, the sum of the outlier values of all statistical parameters is calculated. If the determined sum exceeds a preset threshold, the request to be detected is determined to be an abnormal request. Furthermore, since different statistical parameters have different degrees of importance in network attack detection, in this embodiment a corresponding weight can be pre-set for each statistical parameter, and the sum of outlier values is then calculated using these weights.
[0083] Specifically, when identifying outliers of any statistical parameter, the following formula can be used:
[0084]
[0085] Where A represents an outlier value and n is the identifier of the statistical parameter, so that A_n is the outlier value of statistical parameter n; X represents the first statistical value and W represents the second statistical value.
[0086] The sum of outliers can be determined based on the following formula:
[0087] B = ∑_n a_n A_n
[0088] Where a_n represents the weight of statistical parameter n, and B represents the sum of outlier values.
[0089] Example 4:
[0090] The process of network attack detection is illustrated below with a specific example. Figure 2 is a flowchart of another network attack detection process provided in an embodiment of this application. As shown in Figure 2, the process includes the following steps:
[0091] S201: Receive a request to be detected; determine a target time period based on the first time of the received request to be detected and a preset time length; and determine the first statistical value of at least one statistical parameter of the source IP address based on historical requests of the source IP address of the request to be detected received within the target time period.
[0092] S202: Determine a historical time period that is the same as the target time period, and determine a second statistical value of the at least one statistical parameter based on the historical requests received within that historical time period.
[0093] S203: Based on the first statistical value and the second statistical value, determine the sum of the outliers for each statistical parameter.
[0094] S204: Determine whether the sum of outliers is greater than a preset threshold. If yes, execute S205; otherwise, execute S206.
[0095] S205: Determine that the request to be detected is an abnormal request.
[0096] S206: Determine that the request to be detected is a normal request.
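The following is an added worked example, not code from the patent or its applicant, that puts the pieces of paragraphs [0075] (second statistical value from sorted per-IP third values, amplified by Upper = Q3 + threshold × IQR or reduced by 5%), [0081]-[0088] (outlier value A_n = (X - W)/W and weighted sum B = ∑ a_n A_n) and the flow S201-S206 together on constructed request logs. The exact definitions of the four statistical parameters, the nearest-rank percentile, the choice of the reference value at the mirrored sorting position, the weights a_n, the alarm threshold and the zero-baseline guard are all assumptions made here.

```python
# Added example (not the patent's own code): per-IP statistics, percentile baseline
# with IQR scaling, and the weighted outlier sum of flow S201-S206.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

BENCHMARK = 0.5   # threshold benchmark (page: 50%)
SCALE = 0.5       # "threshold" in Upper = Q3 + threshold * IQR (page: 0.5)
REDUCTION = 0.05  # reduction applied to low-position parameters (page: 5%)
ALARM = 1.0       # preset threshold on the outlier sum B (assumed value)

# Stored sorting positions per parameter as in paragraph [0075]; weights a_n are assumed.
POSITIONS = {"end_ratio": 0.75, "avg_len": 0.25, "gap_cv": 0.75, "rate": 0.75}
WEIGHTS = {"end_ratio": 1.0, "avg_len": 1.0, "gap_cv": 1.0, "rate": 1.0}


@dataclass
class Request:
    ts: float        # arrival time in seconds
    ip: str          # source IP address
    length: int      # HTTP message length in bytes
    complete: bool   # request carries its end identifier (header block terminated)


def parameters(reqs: List[Request], window: float) -> Dict[str, float]:
    """The four statistical parameters of one source IP over `window` seconds (assumed
    definitions): share of complete requests, mean message length, coefficient of
    variation of inter-arrival gaps, and requests per second."""
    n = len(reqs)
    ts = sorted(r.ts for r in reqs)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    gap_cv = pstdev(gaps) / mean(gaps) if gaps and mean(gaps) > 0 else 0.0
    return {
        "end_ratio": sum(1 for r in reqs if r.complete) / n,
        "avg_len": mean(r.length for r in reqs),
        "gap_cv": gap_cv,
        "rate": n / window,
    }


def rank_value(sorted_vals: List[float], position: float) -> float:
    """Value at a sorting position given as a fraction of the list (nearest rank, assumed)."""
    return sorted_vals[int(round(position * (len(sorted_vals) - 1)))]


def second_value(third_values: List[float], position: float) -> float:
    """Second statistical value at the stored sorting position, then scaled: positions
    above the benchmark are amplified by Upper = Q3 + SCALE * (Q3 - Q1) with Q1 taken
    at the mirrored position (assumed); other positions are reduced by REDUCTION."""
    vals = sorted(third_values)
    q = rank_value(vals, position)
    if position > BENCHMARK:
        return q + SCALE * (q - rank_value(vals, 1.0 - position))
    return q * (1.0 - REDUCTION)


def baseline(history: List[Request], window: float) -> Dict[str, float]:
    """S202: group the historical period's requests by source IP, compute each
    group's third statistical values, and derive the second value per parameter."""
    groups: Dict[str, List[Request]] = defaultdict(list)
    for r in history:
        groups[r.ip].append(r)
    third = [parameters(g, window) for g in groups.values()]
    return {name: second_value([t[name] for t in third], pos) for name, pos in POSITIONS.items()}


def outlier_sum(first: Dict[str, float], second: Dict[str, float]) -> float:
    """S203: A_n = (X_n - W_n) / W_n per parameter, B = sum(a_n * A_n)."""
    total = 0.0
    for name, a_n in WEIGHTS.items():
        x, w = first[name], second[name]
        total += a_n * ((x - w) / w if w != 0 else 0.0)  # zero-baseline guard (assumed)
    return total


def detect(target_reqs: List[Request], req: Request, second: Dict[str, float],
           window: float) -> Tuple[bool, float]:
    """S201, S204-S206: first values from the source IP's requests in the target period
    plus the request itself; abnormal when B exceeds the preset threshold."""
    first = parameters(target_reqs + [req], window)
    b = outlier_sum(first, second)
    return b > ALARM, b


def _benign(ip: str, length: int) -> List[Request]:
    """Constructed benign client: five complete requests with mildly irregular gaps."""
    return [Request(float(t), ip, length, True) for t in (0, 1, 3, 4, 6)]


# Constructed sample logs: four benign IPs in the historical period; in the target
# period a benign IP and a slow-style client sending many tiny, unterminated requests.
HISTORY = sum((_benign(ip, ln) for ip, ln in
               (("10.0.0.1", 300), ("10.0.0.2", 400), ("10.0.0.3", 500), ("10.0.0.4", 600))), [])
SLOW = [Request(t, "10.0.0.9", 50, False) for t in (0, 0.5, 1, 1.5, 2, 2.5, 3, 3.5, 4, 9)]


def demo(window: float = 10.0):
    """Baseline from HISTORY, then one benign and one slow client through S201-S206."""
    second = baseline(HISTORY, window)
    benign = _benign("10.0.0.5", 500)
    return second, detect(benign[:-1], benign[-1], second, window), detect(SLOW[:-1], SLOW[-1], second, window)


if __name__ == "__main__":
    print(demo())
```

The sign of each A_n follows the page's formula as written, so a parameter whose value drops under attack (the share of terminated requests, for instance) contributes negatively; the weights a_n, which the page says reflect each parameter's importance, are the place to balance this in a real deployment.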
[0097] Example 5:
[0098] Figure 3 is a schematic diagram of a network attack detection device provided in this application, which includes:
[0099] The determination module 301 is used to determine the first time the request to be detected is received, and the source IP address corresponding to the request to be detected;
[0100] The acquisition module 302 is used to acquire historical requests received from the source IP address within a target time period of a preset time length before the first time.
[0101] The determining module 301 is further configured to determine a first statistical value of at least one statistical parameter of the source IP address based on the historical requests and the request to be detected, wherein the statistical parameter includes any one of the following: the percentage of requests with an end identifier from the same IP address, the average length of HTTP messages contained in requests from the same IP address, the coefficient of variation of the time interval between requests from the same IP address, and the rate at which requests from the same IP address occur within the target time period; and determine whether the request to be detected is an abnormal request based on the first statistical value and a second statistical value of the at least one statistical parameter corresponding to the same historical time period as the target time period.
[0102] In one possible implementation, the acquisition module 302 is further configured to acquire historical requests received within the historical time period and the source IP address corresponding to the historical request; and group the historical requests according to the source IP address to obtain request groups;
[0103] The determining module 301 is specifically used to determine the third statistical value of the at least one statistical parameter in each request group; sort the third statistical values of the at least one statistical parameter of each source IP address in a preset order; and determine the second statistical value of the at least one statistical parameter based on the sorted third statistical values and a preset sorting threshold stored for the at least one statistical parameter.
[0104] In one possible implementation, the device further includes:
[0105] The update module 303 is used to amplify the second statistical value to obtain a fourth statistical value if the preset sorting threshold stored for the at least one statistical parameter is greater than the threshold benchmark, and then use the fourth statistical value to update the second statistical value.
[0106] In one possible implementation, the update module 303 is further configured to, if the preset sorting threshold stored for the at least one statistical parameter is not greater than the threshold benchmark, perform a reduction process on the second statistical value to obtain a fifth statistical value, and use the fifth statistical value to update the second statistical value.
[0107] In one possible implementation, the determining module 301 is specifically configured to: for any statistical parameter, determine the difference between the first statistical value and the corresponding second statistical value; determine the outlier value of that statistical parameter for the request to be detected from the quotient of the difference and the second statistical value; calculate the sum of the outlier values of all statistical parameters; and determine the request to be detected to be an abnormal request if the determined sum of outlier values is greater than a preset threshold.
[0108] Example 6:
[0109] Based on the above embodiments, this application also provides an electronic device. Figure 4 is a schematic diagram of the structure of an electronic device provided in this application. As shown in Figure 4, it includes a processor 401, a communication interface 402, a memory 403 and a communication bus 404, wherein the processor 401, the communication interface 402 and the memory 403 communicate with each other through the communication bus 404.
[0110] The memory 403 stores a computer program. When the program is executed by the processor 401, the processor 401 performs the following steps:
[0111] Determine the first moment when the request to be detected is received, and the source IP address corresponding to the request to be detected;
[0112] Obtain historical requests received from the source IP address within a target time period of a preset time length prior to the first time; determine a first statistical value for at least one statistical parameter of the source IP address based on the historical requests and the requests to be detected, wherein the statistical parameter includes any one of the following: the percentage of requests with an end identifier from the same IP address, the average length of HTTP messages contained in requests from the same IP address, the coefficient of variation of the time interval between requests from the same IP address, and the rate at which requests from the same IP address occur within the target time period.
[0113] Based on the first statistical value and the second statistical value of the at least one statistical parameter corresponding to the same historical time period as the target time period, it is determined whether the request to be detected is an abnormal request.
[0114] In one possible implementation, the processor 401 is further configured to obtain historical requests received within the historical time period and the source IP address corresponding to the historical request; and to group the historical requests according to the source IP address to obtain request groups;
[0115] For each of the request groups, a third statistical value for the at least one statistical parameter in that request group is determined;
[0116] The third statistical value of the at least one statistical parameter of each source IP address is sorted according to a preset order, and the second statistical value of the at least one statistical parameter is determined based on the sorted third statistical value and the preset sorting threshold stored for the at least one statistical parameter.
[0117] In one possible implementation, the processor 401 is further configured to, if the preset sorting threshold stored for the at least one statistical parameter is greater than the threshold benchmark, amplify the second statistical value to obtain a fourth statistical value, and update the second statistical value using the fourth statistical value.
[0118] In one possible implementation, the processor 401 is further configured to perform a reduction process on the second statistical value to obtain a fifth statistical value if the preset sorting threshold stored for the at least one statistical parameter is not greater than the threshold benchmark, and update the second statistical value using the fifth statistical value.
[0119] In one possible implementation, the processor 401 is further configured to, for any statistical parameter, determine the difference between a first statistical value and a corresponding second statistical value of the statistical parameter, and determine an outlier value of the statistical parameter of the request to be detected based on the quotient of the difference and the second statistical value.
[0120] Calculate the sum of the outlier values of all statistical parameters;
[0121] If the determined sum of outlier values is greater than a preset threshold, determine that the request to be detected is an abnormal request.
[0122] The communication bus mentioned in the above electronic devices can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. This communication bus can be divided into address bus, data bus, control bus, etc. For ease of illustration, only one thick line is used to represent it in the diagram, but this does not mean that there is only one bus or one type of bus.
[0123] Communication interface 402 is used for communication between the aforementioned electronic device and other devices. The memory may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk storage device. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
[0124] The processors mentioned above can be general-purpose processors, including central processing units, network processors (NPs), etc.; they can also be digital signal processors (DSPs), application-specific integrated circuits, field-programmable gate arrays or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
[0125] Example 7:
[0126] Based on the above embodiments, this invention also provides a computer-readable storage medium storing a computer program executable by a processor. When the program runs on the processor, it causes the processor to perform the following steps:
[0127] Determine the first moment when the request to be detected is received, and the source IP address corresponding to the request to be detected;
[0128] Obtain historical requests received from the source IP address within a target time period of a preset time length prior to the first time; determine a first statistical value for at least one statistical parameter of the source IP address based on the historical requests and the requests to be detected, wherein the statistical parameter includes any one of the following: the percentage of requests with an end identifier from the same IP address, the average length of HTTP messages contained in requests from the same IP address, the coefficient of variation of the time interval between requests from the same IP address, and the rate at which requests from the same IP address occur within the target time period.
[0129] Based on the first statistical value and the second statistical value of the at least one statistical parameter corresponding to the same historical time period as the target time period, it is determined whether the request to be detected is an abnormal request.
[0130] In one possible implementation, the process of determining the second statistical value of the at least one statistical parameter corresponding to the same historical time period as the target time period includes:
[0131] Obtain historical requests received within the historical time period and the source IP addresses corresponding to the historical requests; group the historical requests according to the source IP addresses to obtain request groups;
[0132] For each of the request groups, a third statistical value for the at least one statistical parameter in that request group is determined;
[0133] The third statistical value of the at least one statistical parameter of each source IP address is sorted according to a preset order, and the second statistical value of the at least one statistical parameter is determined based on the sorted third statistical value and the preset sorting threshold stored for the at least one statistical parameter.
[0134] In one possible implementation, the method further includes:
[0135] If the preset sorting threshold stored for at least one statistical parameter is greater than the threshold benchmark, the second statistical value is amplified to obtain a fourth statistical value, and the second statistical value is updated using the fourth statistical value.
[0136] In one possible implementation, the method further includes:
[0137] If the preset sorting threshold stored for the at least one statistical parameter is not greater than the threshold benchmark, then the second statistical value is reduced to obtain a fifth statistical value, and the second statistical value is updated using the fifth statistical value.
[0138] In one possible implementation, determining whether the request to be detected is an abnormal request based on the first statistical value and the second statistical value of the at least one statistical parameter corresponding to the same historical time period as the target time period includes:
[0139] For any statistical parameter, determine the difference between the first statistical value and the corresponding second statistical value of the statistical parameter, and determine the outlier value of the statistical parameter of the request to be detected based on the quotient of the difference and the second statistical value.
[0140] Calculate the sum of the outlier values of all statistical parameters;
[0141] If the determined sum of outlier values is greater than a preset threshold, determine that the request to be detected is an abnormal request.
[0142] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0143] This application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to this application. It should be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0144] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0145] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, so that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0146] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.
Claims
1. A method for detecting network attacks, characterized in that the method includes: determining the first moment when the request to be detected is received, and the source IP address corresponding to the request to be detected; obtaining historical requests received from the source IP address within a target time period of a preset time length prior to the first moment; based on the historical requests and the request to be detected, determining a first statistical value for at least one statistical parameter of the source IP address, wherein the statistical parameter includes any one of the following: the percentage of requests with an end identifier from the same IP address, the average length of HTTP messages contained in requests from the same IP address, the coefficient of variation of the time interval between requests from the same IP address, and the rate at which requests from the same IP address occur within the target time period; for any statistical parameter, determining the difference between the first statistical value and the corresponding second statistical value of the statistical parameter, and determining the outlier value of the statistical parameter of the request to be detected based on the quotient of the difference and the second statistical value; calculating the sum of the outlier values of all statistical parameters; and if the determined sum of outlier values is greater than a preset threshold, determining that the request to be detected is an abnormal request.
2. The method according to claim 1, characterized in that the process of determining the second statistical value of the at least one statistical parameter corresponding to the same historical time period as the target time period includes: obtaining historical requests received within the historical time period and the source IP addresses corresponding to the historical requests; grouping the historical requests according to the source IP addresses to obtain request groups; for each of the request groups, determining a third statistical value for the at least one statistical parameter in that request group; sorting the third statistical values of the at least one statistical parameter of each source IP address according to a preset order; based on a preset sorting threshold stored for the at least one statistical parameter, finding in the sorted third statistical values the target third statistical value corresponding to the preset sorting threshold; and determining the target third statistical value as the second statistical value of the at least one statistical parameter, wherein the preset sorting threshold is a sorting position.
3. The method according to claim 2, characterized in that the method further includes: if the preset sorting threshold stored for the at least one statistical parameter is greater than the threshold benchmark, amplifying the second statistical value to obtain a fourth statistical value, and updating the second statistical value using the fourth statistical value.
4. The method according to claim 2, characterized in that the method further includes: if the preset sorting threshold stored for the at least one statistical parameter is not greater than the threshold benchmark, reducing the second statistical value to obtain a fifth statistical value, and updating the second statistical value using the fifth statistical value.
5. A network attack detection device, characterized in that the device includes: a determination module, configured to determine the first moment when the request to be detected is received, and the source IP address corresponding to the request to be detected; an acquisition module, configured to acquire historical requests received from the source IP address within a target time period of a preset time length prior to the first moment; the determination module being further configured to determine, based on the historical requests and the request to be detected, a first statistical value of at least one statistical parameter of the source IP address, wherein the statistical parameter includes any one of the following: the percentage of requests with an end identifier from the same IP address, the average length of HTTP messages contained in requests from the same IP address, the coefficient of variation of the time interval between requests from the same IP address, and the rate at which requests from the same IP address occur within the target time period; for any statistical parameter, determine the difference between the first statistical value and the corresponding second statistical value of the statistical parameter, and determine the outlier value of the statistical parameter of the request to be detected based on the quotient of the difference and the second statistical value; calculate the sum of the outlier values of all statistical parameters; and if the determined sum of outlier values is greater than a preset threshold, determine the request to be detected to be an abnormal request.
6. The device according to claim 5, characterized in that the acquisition module is further configured to acquire historical requests received within the same historical time period as the target time period, and the source IP addresses corresponding to the historical requests, and to group the historical requests according to the source IP addresses to obtain request groups; and the determination module is specifically configured to, for each request group, determine the third statistical value of the at least one statistical parameter in the request group; sort the third statistical values of the at least one statistical parameter of each source IP address in a preset order; find the target third statistical value corresponding to the preset sorting threshold in the sorted third statistical values according to the preset sorting threshold stored for the at least one statistical parameter; and determine the target third statistical value as the second statistical value of the at least one statistical parameter, wherein the preset sorting threshold is a sorting position.
7. The device according to claim 6, characterized in that the device further includes: an update module, configured to amplify the second statistical value to obtain a fourth statistical value if the preset sorting threshold stored for the at least one statistical parameter is greater than the threshold benchmark, and to update the second statistical value using the fourth statistical value.
8. An electronic device, characterized in that the electronic device includes at least a processor and a memory, wherein the processor is configured to execute a computer program stored in the memory to implement the steps of the network attack detection method according to any one of claims 1-4.
9. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the steps of the network attack detection method according to any one of claims 1-4.