The invention discloses a WEB malicious scanning behavior abnormity detection method and a WEB malicious scanning behavior abnormity detection system. The method comprises the following steps: 1) extracting keyword characteristics and statistics characteristics of access users from an access history record, and building keyword vectors and statistic characteristic vectors of the users, 2) traversing the keyword vectors of the users, performing statistics on the user number corresponding to each keyword, and building a global keyword table, 3) calculating the uncommon degree of each keyword according to the global keyword table, calculating original abnormal score values of the access users according to the corresponding uncommon degrees, correcting the original abnormal score values then according to the statistic characteristic vectors of the access users, and obtaining final abnormal score values of the users; 4) for a jump point of a final abnormal score value sequence of all the access users, taking the final abnormal score value corresponding to the jump point as a threshold, and 5) comparing the final abnormal score values of the access values with the threshold, and taking the users as malicious scanning users if the final abnormal score values of the access values are greater than the threshold. An unknown attack behavior can be found, and normal historical data is not relied on.

WEB malicious scanning behavior abnormity detection method and system

The invention discloses a method and system for detecting a network anomalous behavior. The method comprises the steps of acquiring a network access data set from network access logs; extracting network access data under each specific domain name from the network access data set, and calculating statistic characteristic parameters of a specific field in the network access data; detecting behavior characteristics of each piece of network access data in the network access data set from different dimensions, and generating a multi-dimensional eigenvector corresponding to each piece of network access data; and based on the multi-dimensional eigenvector of each piece of training data and an actual class marker of each piece of training data in a training data set and the multi-dimensional eigenvector of each piece of detection data in the detection data set, by adopting a classification algorithm in machine learning, obtaining a predicted class marker of each piece of detection data in the detection data set. According to the scheme provided by the invention, an obtained detection result simultaneously has a high accuracy rate and a high recalling rate.

Method and system for detecting network anomalous behavior

The invention relates to a SDN network DDoS attack detecting method based on network layer flow abnormity in order to detect and process a DDoS attack in a SDN network according to the network layer flow abnormity The method comprises steps of: getting access to an OpenFlow switch flow table information items by using a SDN network controller in order to acquire a communication flow characteristic reaching the OpenFlow switch; and analyzing and processing the acquired detection characteristic by using introduced information entropy and single-side connection density in order to obtain a training and detection characteristic element group It is found that in a implementing process, the SDN network DDoS attack detecting and processing method based on network layer flow abnormity may effectively improve detection accuracy of the DDoS attack generated in the SDN network, makes corresponding treatment on a communication flow according to a detected result, may well deal with the DDoS attack, from which a network may possibly suffer, in the form of saturated flow, and has very obvious beneficial effects

SDN network DDoS attack detecting method based on network layer flow abnormity

A partial URL signing scheme for controlling access to content provided in adaptive streaming such as DASH is disclosed herein. Partial URL signing and verifying algorithms act as extensions to existing URL/URI signing techniques (e.g., IETF URI Signing). Partially signed URLs are signaled in an MPD and may take the form of a prefix, a suffix, or a substring of a URL. Individual segments of the content are requested by the client using URLs constructed based on a URL segment template with partial URL signing information provided as a query parameter for verification.

System and method for partial url signing with applications to dynamic adaptive streaming

The invention discloses a moving target defense system for an SDN (self-defending network). The system consists of a moving target defense module and an SDN controller management module; the moving target defense module comprises a flow analysis module, a mapping information storage module, a target conversion module, an encryption transmission module, a load balance module, a safety authentication module, a business flow recording database and a mapping information recording database; the SDN controller management module comprises a flow table generation module, a flow table distribution/synchronization module, a route selection module, a DNS service module, a load balance module, a distributed management module, a safety communication module, a redundant backup module, a safety authentication module and a flow table database; furthermore, the invention also discloses a moving target defense method for the SDN. Through the moving target defense system and the moving target defense method disclosed by the invention, the difficulty of an attacker to detect a target is increased further, and therefore the safety of an intranet is comprehensively protected.

Moving target defense system and moving target defense method for SDN (self-defending network)

The invention relates to a method and system for preventing blind DDoS attacks on SDN controllers. The system comprises an SDN controller resource pool monitor, a controller list dynamic switching module deployed on an SDN switch and an attack detection application module, and the attack detection application module and the controllers carry out data interaction through data interfaces. The SDN controller resource pool monitor is used for maintaining the establishment of a plurality of physical machine and/or virtual machine controllers, data synchronism, IP address distribution and state lists to be issued to the switch. The attack detection application module detects the communication data streams of the controllers and the switch in an SDN network, and when blind DDoS attack streams on the controllers are detected, the SDN controller resource pool monitor dynamically adjusts the number of the controllers according to attack flow generated when the blind DDoS attacks occur. The method can dynamically adjust the number of the controllers, the blind DDoS attacks on the controllers can be effectively prevented, and the usability of the SDN network is guaranteed.

Method and system for preventing blind DDoS attacks on SDN controllers

The invention relates to an abnormal access behavior detection method on the basis of WEB logs. The abnormal access behavior detection method includes steps of 1) performing IP(internet protocol) access statistics and URL access statistics after removing interference information by analyzing WEB raw logs so as to acquire an IP access statistic list and a URL access statistic list, 2) according to the IP access statistic list, performing crawler behavior characteristic recognition, error response code statistics and access frequency deviation degree detection while updating IP abnormal characteristic list, and 3) sequencing the abnormal characteristics in the IP abnormal characteristic list according to a set order of precedence, and outputting the sequenced IP abnormal characteristic list to obtain abnormal access results. By the abnormal access behavior detection method, an access model is built with no depending on history access data, abnormal access is checked by lateral comparison, and abnormal parameter detection is performed by voting and referring query strings.

Abnormal access behavior detection method and system on basis of WEB logs

The invention relates to a world wide web (WEB) hotlinking protection method and a gateway system thereof. The gateway system comprises a gateway configuration module, a hotlinking protection identification generating and distributing module and a hotlinking protection identification extracting and verifying module. 1) A pre-gateway is built between a client-end and a WEB server, the pre-gateway configurates hotlinking protection file types for the WEB server represented by the pre-gateway, the hotlinking protecting function is activated after the configuration takes effect. 2) According to a request type from the client-end, the pre-gateway judges whether a resource request is in the hotlinking protection file types. 3) The hotlinking protection identification is extracted and verified, the resource request meeting set conditions is transmitted to the WEB server from the pre-gateway. By means of the WEB hotlinking protection method and the gateway system thereof, a hotlinking attack can be confirmed in time, the source request is rejected, the WEB server and the diversity and the differentiation of an operation system are shielded, the software configuration of the server does not need to be changed, the service to WEB is transparent, and the previous management model is not affected.

World wide web (WEB) hotlinking protection method and gateway system thereof

The invention relates to a dynamic application address conversion method and gateway system. A novel Web application attack defense method is achieved. URL addresses are dynamically converted, attack faces of an application system are converted, vulnerability of Web applications is hidden, the attack difficulty of an attacker is increased, and the difficulty in which the attacker conducts vulnerability scanning and attack injection on Websites through URLs is greatly increased. By the adoption of a DAAT method, the security threats of the attacker to the Web applications can be dynamically and effectively reduced, and security of the Web application system is improved.

Dynamic application address conversion method and gateway system

The invention relates to a cross-platform detection method and system for malicious files in a cloud environment. The detection method includes the steps: 1) acquiring original suspicious malicious files, storing the original suspicious malicious files in a distributed storage cluster in the cloud environment and isolating the malicious files; 2) manufacturing file copies of the malicious files, recognizing formats of the filename extension of the file copy of each malicious file and uploading the recognized file copy of each malicious file to a WEB end; 3) only downloading the copies of the malicious files from the WEB end according to different operating system types to security sandbox virtual machines corresponding to respective systems, and detecting characteristics and/or running behaviors of the malicious files; 4) submitting and summarizing detection results of the malicious files in the security sandbox virtual machines, associating the detection results with the original malicious files and then detecting cross-platform malicious files. Universality and automation degree of malicious file detection are improved, the malicious files can be preprocessed in batch by the aid of cloud platform technology, and the processing efficiency of malicious file detection is greatly improved.

Huang Liang

Papers

Method and system for preventing blind DDoS attacks on SDN controllers

Abnormal access behavior detection method and system on basis of WEB logs

World wide web (WEB) hotlinking protection method and gateway system thereof

Dynamic application address conversion method and gateway system

Cross-platform detection method and system for malicious files in cloud environment