49 results about "Application layer DDoS attack" patented technology

Disclosed is a DDoS attack detection and response apparatus. The DDoS attack detection and response apparatus comprises: a receiver unit receiving HTTP requests from a client terminal which is characterized as an IP address; a data measuring unit computing the number of HTTP requests by IP and the number of URIs per HTTP over a certain time period; a DDoS discrimination unit comparing the number of HTTPs per URI with a threshold value and defining an access of the client terminal having the IP address as a DDoS attack when the number of HTTPs per URI is larger than the threshold value; and a blocking unit blocking packets from the IP address when the DDoS discrimination unit detects a DDoS attack.

Methods and systems for detecting and defeating a low and slow application DDoS attack, comprising: computing the Entropy of a plurality of detectors, at least in part selected from a group Geo detector, a group response size detector, a group preference detector, and an individual client behavior detector, wherein the plurality of detectors each describe a feature of traffic affected by the DDoS attack; composing the plurality of detectors on one or more of a Receiver Operating Characteristic (ROC) curve basis and a correlation basis; and implementing a countermeasure to mitigate the DDoS attack.

The invention discloses a method for detecting and filtering an application layer DDoS (Distributed Denial of Service) attack on the basis of access marking. The method comprises the following steps of: on the training phase, carrying out non-strategy marking on access behaviors of normal users; carrying out marking processing by adopting a marking strategy; extracting detection features by adopting a feature extraction strategy and representing access users as feature vectors; acquiring SVDD (Support Vector Data Description) supraspheres of the normal users and storing the SVDD supraspheres into a training database; carrying out marking on the basis of the marking strategy on access behaviors of users who enter a server and are to be detected; extracting effective detection features and expressing the access users into a feature vector form; and according to the SVDD supraspheres, carrying out detection classification and abnormity judgment on the feature vectors and when the access users are abnormal users, carrying out synchronous filtering. Implementation of the technical scheme adopted by the invention has the following beneficial effects that access marking and extraction of abnormal features are not limited to the specific server; synchronous filtering on attacking users can be implemented in the detecting process; and capability that the server resists to application layer DDoS attack is improved.

The invention discloses a DDoS(Distributed Denial of Service) attack defensive system for an application layer based on multiple feature recognition. When a user initiates a request, the system stores information of a user data packet in a net-node network flow table, analyzes the user data packet, and judges whether the source of the user data packet is real and reliable or not; verification data is inserted when data is returned to the user; whether the source is real and reliable or not is detected again; afterthe fact that the source is real is determined, the credibility of the user is a threshold value credibility; the system distributes a cookie identity identifier to the source; then, a data database for recording the cookie identity identifier is established; access information of the cookie identity identifier within a certain time period is recorded and stored; the access information is used as the basis of identity verification management; and corresponding dispatching is carried out through analysis and treatment of a feature library. According to the invention, whether the long-term access behaviour of the user is normal or illegal can be analyzed and judged by establishing a blacklist and a whitelist ofaccess feature detection analysis; and the normal flow of the user cannot be intercepted when a DDoS attack occurs.

The invention discloses a method and a system for network data analysis based on application layer data. The method comprises the following steps of: reading network data and analysing that whether the present data packet is an application layer data packet or not at first; if not, then discarding the present data packet; or else, then analysing the quintuple (comprising a source IP (Internet protocol) address, a destination IP address, a source port, a destination port and a transport layer protocol) of each network data packet, and the application layer data; filtering the analysed application layer data according to set characteristics, so as to obtain application layer data meeting the set characteristics; or, displaying the application layer data satisfying the set characteristics to be set colours, and highlighting the application layer data meeting the set characteristics. With the adoption of the method and the system disclosed by the invention, the communication content of analysis software and audit network content become convenient, and the working efficiency can be increased; and moreover, an analysis function can be customized according to a specific network protocol, so that the analysis work becomes flexible and has extendibility.

The invention discloses a network protocol conversion system, a network protocol converter and a network protocol conversion method. The network protocol converter comprises a first receiving unit, a content acquiring unit, an application layer extracting layer, a first packing unit and a first transmitting unit, wherein the first receiving unit is used for receiving data request information of a first network protocol of a client side, the content acquiring unit is used for connecting with protected equipment through a second network protocol so as to acquiring content of the protected equipment according to the data request information, the application layer extracting unit is used for extracting application layer data in the second network protocol, the first packing unit is used for packing the content of the protected equipment in a form of the first network protocol according to the application layer data and preset configuration information, and the first transmitting unit is used for transmitting the packed content to the client side. The network protocol conversion system, the network protocol converter and the network protocol conversion method have the advantages that through the externally connected network protocol converter, security conversion for an original product network protocol is realized transparently, development for special products one by one is not required, low developing workload is required, and application range is large.

The present application provides a protection method and a protection device for application layer attacks, electronic equipment and a computer readable storage medium. The protection method comprises: after an access request sent by a client is received, sending response information carrying a jump link to the client; and if request information of the access jump link sent by the client is not received, denying forwarding the access request to the server. A protection side sends response information carrying a jump link and verification request information to the client; and according to theresponse made by the client, whether the client is an abnormal client can be accurately judged, the access request from the abnormal client is denied to be forwarded to the server when the client is an abnormal client, and the abnormal client can be effectively prevented from attacking the application layer, so that the server can serve the normal client.

The invention relates to an application layer DDoS attack detection method and device. The method comprises the following steps: extracting access feature information from access data; obtaining a membership function of a comment set corresponding to each evaluation factor; determining a membership function corresponding to an access feature value according to the evaluation factor corresponding to the access feature information; calculating a membership degree of the access feature information for each comment set according to the membership function; and determining whether an access requestcorresponding to the access data is a DDoS attack. By adoption of the technical scheme, the accuracy and efficiency of detection are effectively improved, the false positive rate and the missed rateare reduced, and the security of the server is further improved.

The embodiments of the invention disclose an application layer slow-speed attack detection method and a correlation apparatus. The application layer slow-speed attack detection method comprises the following steps: obtaining a flow entering a server; based on the obtained flow entering the server, counting the quantity of transmission layer empty chains initiated to the server within preset duration; and if the counted quantity of the transmission layer empty chains is greater than or equal to a first threshold and the quantity of application layer data packets carrying a destination internetworking protocol address i and a public network gateway interface identification j in the flow entering the server within k periods accords with a preset threshold condition, performing application layer slow-speed attack alarm on the destination internetworking protocol address i and the public network gateway interface identification j, wherein the destination internetworking protocol address i is one of internetworking protocol addresses of the server. According to the technical scheme provided by the embodiments of the invention, the accuracy of the application layer slow-speed attack alarm is improved.

Methods and systems for a two-stage attribution of application layer DDoS attack are provided. In a first table just a hash index is maintained whereas the second stage table keeps the string parameter corresponding to the application layer attribute under attack. A linked list maintains a plurality of rows if there is hash collision in the first table. The second table is aged out and reported periodically with details of large strings.

The invention discloses a distributed denial-of-service attack detection method based on the external connection behaviors of a Web communication group. The method comprises the following steps of: 1) setting a port mirror image on network equipment, and copying and transmitting all network messages passing through the equipment to an attach detection front-end processor; 2) extracting the communication group of a given Web server and the external connection behaviors of the communication group, and transmitting the communication group and the external connection behaviors thereof to an attack detection server by using the attack detection front-end processor; 3) counting external connection behavior parameters comprising the number CN_MLN of clients connected with a plurality of external connection nodes and a total client number CN of the Web communication group, and monitoring the offset of ratio of the two parameters by using an improved cumulative sum (CUSUM) algorithm to judge the occurrence of an application layer distributed denial-of-service (DDoS) attack according to the offset by using the attack detection server; and 4) reporting whether the application layer DDoS attack occurs to the given Web server or not to a network monitoring terminal at the end of each time period.

A method and system for protecting cloud-hosted applications against application-layer slow distributed denial-of-service (DDoS) attacks. The comprising collecting telemetries from a plurality of sources deployed in at least one cloud computing platform hosting a protected cloud-hosted application; providing a set of rate-based and rate-invariant features based on the collected telemetries; evaluating each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate a potential application-layer slow DDoS attack; and causing execution of a mitigation action, when an indication of a potential application-layer slow DDoS attack is determined.

The embodiment of the invention discloses a method and related device for detecting a quick attack of an application layer. The method for detecting the quick attack of the application layer comprises the following steps of: obtaining the traffic entering a server; counting the number of application layer data packets carrying a target internetworking protocol address i and a public gateway interface identifier j in the traffic entering the server in K time intervals; and, if the counted number of the application layer data packets carrying the target internetworking protocol address i and the public gateway interface identifier j in the traffic entering the server in K time intervals accords with a threshold value condition, alarming the quick attack of the application layer for the target internetworking protocol address i and the public gateway interface identifier j, wherein the target internetworking protocol address i is one internetworking protocol address in the server; and the K is a positive integer, which is greater than or equal to 1. By means of the scheme in the embodiment of the invention, the quick attack alarm accuracy of the application layer is increased easily.

The invention provides a security control method used for a cloud platform network. The security control method comprises the steps that: a controller of the cloud network platform performs hash operation on application layer data in a control data message based on a preset security level value, a first currently valid secret key and a predetermined hash function when sending the control data message, so as to obtain an operation result; a first part of the operation result serves as authentication data and is attached to the control data message, and the second part of the operation result serves as a new first currently valid secret key to be used in the next hash operation; and the control data message with the authentication data is sent to a target node in the cloud network platform, and the target node adopts an algorithm corresponding to the hash operation adopted by the controller to authenticate the authentication data. The security control method used for the cloud platform network disclosed by the invention has high security level.

The invention provides a wireless data transmission device. The wireless data transmission device comprises a microprocessor connected with a host and a wireless transceiver connected with the microprocessor, wherein the wireless transceiver transmits data received through a wireless local area network to the microprocessor or transmits the data transmitted by the microprocessor through the wireless local area network; the microprocessor comprises a first interface in data interaction with the host, a user protocol unit, a TCP/IP protocol unit, a WiFi protocol unit and a second interface connected with the wireless transceiver; the user protocol unit extracts application layer data in the data acquired through the second interface and transmits the application layer data to the host through the first interface or transmits the application layer data received through the first interface to the wireless transceiver through the second interface; the user protocol unit and the wireless transceiver are communicated with each other by using a TCP/IP protocol; and the wireless transceiver receives and transmits the data of the wireless local area network by using a WiFi protocol. The wireless data transmission device lowers the access complexity of the wireless local area network.

A system and method for detecting a Denial of Service (DoS) attack. A number of evaluator elements (M) is determined for DoS analysis for network connection requests wherein each evaluator element is preferably associated with a component of the analyzed connection request. A DoS evaluator element score is determined for an evaluator element of the connection request by analyzing the evaluator element. DoS mitigation actions may be performed on the connection request if the determined evaluator element score is indicative of a DoS attack. An evaluator consolidated score (which may be weighted) is then calculated preferably consisting of one or more of the respective DoS evaluator element scores. Next, a determination is made as to whether each evaluator element of the M evaluator elements has been analyzed for determining a respective DoS evaluator element score. If no, a DoS evaluator element score for a succeeding evaluator element to be analyzed is then determined. And if yes, a determination is then made as to whether the value of the evaluator consolidated score is indicative of a DoS attack by the subject analyzed network connection request.

The invention discloses an application layer data sequential packing method and device, computer equipment and a readable storage medium. The application layer data sequential packing method comprisesthe following steps: receiving a data packet of an application layer; Analyzing the data packet; Judging whether the data packet format is legal; If the format of the data packet is legal, judging whether the data packet meets a return condition or not; And if the data packet does not meet the return condition, caching the current data packet. The sequential packing method includes packaging thereceived out-of-order data in an application layer; according to the serial number of the received data packet and the serial number of the data packet required in the current sequence, returning or caching the data packet; and further judging whether a data packet adjacent to the received data packet exists in the cache region or not before returning, and if yes, combining the received data packet with the adjacent data packet, thereby effectively simplifying the application layer data packet sorting process and processing steps, improving the efficiency, and improving the data sequence packaging success rate and system stability.