WO2018121331A1 - Attack request determination method, apparatus and server - Google Patents
- Publication number: WO2018121331A1 (application PCT/CN2017/117067)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- blacklist
- information
- request
- attack
- expression
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Definitions
- the present application relates to the field of Internet security technologies, and in particular, to a method, an apparatus, and a server for determining an attack request.
- a CC attack is determined by counting accesses per IP (Internet Protocol) address: if the access volume of an IP address within a certain period exceeds a set threshold, that IP address is blacklisted and blocked on the basis of its IP address.
- IP Internet Protocol
- this method can detect CC attacks when a large volume of accesses comes from the same IP, but cannot accurately identify CC attacks such as the random URI (Uniform Resource Identifier) type and the random domain name type, and counting only from the IP angle is one-dimensional and not flexible enough.
- the attacker can gradually reduce the number of attack requests according to the IP counting rules and then mount malicious attacks whose access count stays below the set threshold. If the threshold is lowered, the false-positive rate increases.
- NAT network address translation
- the present application provides a method and an apparatus for determining an attack request, so as to solve the problems of the prior art, in which the attack request is determined only from the access count of an IP address: that approach is not applicable to CC attack types with a low IP-address access frequency, cannot accurately identify the various types of CC attack, and has a high false-positive rate.
- a method for determining an attack request which is applied to a server, includes:
- the access request is determined to be an attack request.
- a device for determining an attack request which is applied to a server, includes:
- a receiving unit configured to receive an access request
- a matching unit configured to extract first request information in the access request, and match the first request information with information in a preset blacklist of various types that support multiple matching parameters
- the first determining unit is configured to determine that the access request is an attack request when the information in the blacklist of any type is successfully matched.
- a server including:
- a transceiver module configured to receive an access request, and extract the first request information in the access request
- a blocking module coupled to the execution module, configured to match the first request information with information in preset blacklists of various types that support multiple matching parameters, and to determine that the access request is an attack request when the information in a blacklist of any type is successfully matched.
- an apparatus for determining an attack request comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to:
- the access request is determined to be an attack request.
- a computer storage medium storing program instructions, where the instructions include:
- the access request is determined to be an attack request.
- FIG. 1 is a schematic diagram of a scenario of a method for determining an attack request of the present application
- FIG. 2 is a flow chart of an embodiment of a method for determining an attack request of the present application
- FIG. 3 is a hardware structure diagram of a device where the determining device of the attack request of the present application is located;
- FIG. 4 is a hardware structural diagram of an apparatus for determining an attack request according to the present application.
- FIG. 5 is a block diagram of an embodiment of a determining apparatus for an attack request according to the present application.
- the terms first, second, third, etc. may be used to describe various information in this application, but such information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other.
- first information may also be referred to as the second information without departing from the scope of the present application.
- second information may also be referred to as the first information.
- the word "if" as used herein may be interpreted as "when" or "in response to a determination".
- an IP address is usually determined from the received request, and the access volume of that IP address within a certain period is counted. If the access volume exceeds a set threshold, an IP blacklist is generated from the IP address to block requests from it. This mode can only block CC attacks that access frequently from the same IP address, but the attacker can keep the number of attack requests below the set threshold, so the mode is not applicable to CC attack types whose IP-address access frequency is not high.
- for example, frequent access to the URI of a large file can fill the server's egress bandwidth with a small number of attack requests and affect user access; blocking only by IP address in this case is likely to misjudge IP addresses that access other URIs.
- a domain name attack request for a CDN (Content Delivery Network) node may cause a CDN node to frequently query a DNS (Domain Name System), so that even if the amount of access (attack amount) is small, DNS may be caused.
- DNS Domain Name System
- an embodiment of the present application provides a new method and apparatus for determining an attack request: various types of blacklists are generated from a preset expression together with the request information and response information collected in a set time period, and received requests are judged and blocked based on the blacklists.
- this method can configure a number of targeted expressions according to the characteristics of the attack types, so as to achieve effective defense against various types of CC attacks.
- the embodiment of the present application may be applied to a server, where the server may be a physical or logical server, or two or more physical or logical servers that share different responsibilities and cooperate with each other to implement the server of the embodiment of the present application.
- the embodiments of the present application do not limit the types of servers, the types and protocols of communication networks between servers, and the like.
- FIG. 1 is a schematic diagram of a scenario for determining an attack request according to an embodiment of the present application:
- FIG. 1 includes a server and n computers, namely a first computer, a second computer, up to an Nth computer; the server receives requests from the n computers.
- the process of determining the attack request applied to the server is as shown in FIG. 2, and includes the following steps:
- Step 201 Receive an access request.
- the request may include an application layer request such as an http (Hyper Text Transfer Protocol) request, a rrt request, or an mp request
- the requested content may include a request for a webpage, a video, a live broadcast, and the like.
- the http request is taken as an example for description.
- Step 202 Extract the first request information in the access request, and match the first request information with information in various types of blacklists that support multiple matching parameters.
- the server parses the received access request, and the obtained first request information may include any one or more of the following parameters, but is not limited to the following parameters:
- Count, which indicates the number of accesses of the corresponding blacklist key (the blacklist key value, which can be understood as the matching parameter above).
- Uri_num, which indicates the number of times a URI is accessed; for example, uri_num/a and uri_num/b refer to different URIs.
- Status_count, which indicates the number of times a status code is returned for the requests. It needs to take a parameter, such as status_count
- Status_ratio, which indicates the ratio of the number of times a status code is returned for the requests to the total number of accesses. It needs to take a parameter, such as status_ratio
- Arg_num, which indicates the number of args carried in the request; with a parameter it can be represented as arg_num
- None_arg_ratio, which indicates the ratio of requests that carry no arg to the total number of requests. It needs to take a parameter, such as none_arg_ratio
- the total number of requests indicates the total number of requests received within the set time interval during the validity period of the blacklist.
- Cookie_num, which indicates the number of cookies in the request. It needs to take a parameter x, which indicates the number of cookies in the request.
- None_cookie_ratio, which indicates the ratio of requests that carry no cookie to the total number of requests. It needs to take a parameter, for example, none_cookie_ratio
- Req_header_num, which indicates the number of headers carried in the request. It needs to take a parameter, such as req_header_num
- None_req_header_ratio, which indicates the ratio of requests that carry no header to the total number of requests, for example, none_header_ratio
- Resp_header_num, which indicates the number of headers carried in the response. It needs to take a parameter; for example, resp_header_num with parameter x indicates that the response carries x headers.
- None_req_header_ratio, which indicates the ratio of responses that carry no header to the total number of requests. It needs to take a parameter, such as none_header_ratio
- Method_ratio, which indicates the ratio of the number of requests submitted by a certain method to the total number of requests, and needs to take a parameter, such as method_ratio
- the request may also be submitted by the get method, the delete method, the header method, or the put method; for each, the proportion of the corresponding requests to the total number of requests can be calculated.
- Method_count, which represents the number of requests submitted by a certain method, with a parameter, such as method_count
- Req_traffic, which indicates the total traffic value of the requests, that is, the total traffic consumed by the requests received during the blacklist validity period.
- Resp_traffic, which represents the total traffic value of the responses, that is, the total traffic consumed by the responses sent during the blacklist validity period.
- the server may preset blacklists that support multiple matching parameters, and the blacklists are of multiple types rather than only the IP-address type of the prior art. Setting the blacklists includes the following steps (not shown in FIG. 2):
- Step 301 Parse the access request and/or the sent response received within the set time period, and obtain the second request information and/or the response information respectively.
- the set time period may be a period delimited by the execution time interval of the expression that indicates the attack condition; for example, if the execution time interval is 10 s, the set time period is the 10 s segment before the current time.
- the second request information and the response information may be any one or more of the parameters listed in step 202 above.
- Step 302 Extract information corresponding to the variable from the second request information and/or the response information based on the variable in the preset expression.
- an expression may be preset, which is composed of a variable and an operator, and is used to indicate an attack condition.
- multiple types of expressions may be set based on the various types and characteristics of CC attacks, so that blacklists covering multiple CC attack types can subsequently be generated.
- information of the variable corresponding to the expression in the second request information and/or the response information is extracted.
- operators can include but are not limited to the following:
- the flexibility of the statistics is increased, and the expression can be adjusted in time according to the type and actual situation of the attack, which facilitates accurate judgment of various attacks and expands the coverage of attacks; at the same time,
- the status code, header, and traffic information are combined as judgment dimensions, so the judgment result is more accurate.
- Step 303 Perform the operation by substituting the extracted information as an input into a variable of the expression.
- after extracting the information of all the variables corresponding to the expression, the server substitutes the extracted information into the variables of the expression to perform the operation.
- Step 304 When the operation result is that the attack condition is met, the blacklist is generated based on the type of the parameter in the expression.
- the expression indicates an attack condition
- when the operation result is true, it indicates that the information substituted into the expression variables meets the attack condition, and the access request corresponding to that information is most likely an attack request. Therefore, when the operation result is YES, a blacklist can be generated.
- the operation result is negative (false)
- the blacklist is pre-generated, and the statistics and the blacklist are generated after the request is received.
- the process of determining is relatively simple, consisting only of determining whether the information in the access request exists in the blacklist. This makes the method fast and does not prolong the response time of the access, which is especially suitable for high-concurrency scenarios; it is also especially suitable for a distributed environment, where all the http information of the whole distributed environment is counted and the coverage is wider.
- the blacklist is classified into four types, and the blacklist type corresponds to the matching parameter, that is, the blacklist supports four matching parameters: including: IP, header_x, cookie_x, and arg_x.
- Header_host ww.cdn.com, which indicates a blacklist whose host (the domain name and port number of the requested server) in the header of the request is ww.cdn.com.
- the number of blacklists may be more.
- when the first request information is matched with the information in the preset blacklists, if the number of blacklists is less than a set threshold, the first request information may be matched sequentially with the information in each blacklist. If the number of blacklists is large, traversing each blacklist is relatively inefficient; in this case, a binary tree of blacklists can be generated based on the blacklist type.
- Step 203 When the information in the blacklist of any type is successfully matched, determine that the access request is an attack request.
- the server pre-sets the blacklist: the server parses the access requests received and/or responses sent during the set time period, and extracts the second request information and/or response information, where the second request information and the response information are any of the matching parameters above.
- the server then reads the preset expression, which consists of variables and operators. For example, if the expression is method_count
- the server takes the extracted second request information and/or response information as input to the variables of the expression for calculation. Still taking the above expression as an example, if the second request information extracted by the server is 7, then since 7 > 5 the operation result is YES, the expression holds, and the result meets the attack condition, so the server generates a blacklist based on the type of the parameter in the expression.
- the expression is of type header, so a blacklist of type header is generated, and the matching parameters in the blacklist include method_count.
- after the blacklist is generated, the server receives the http access request from the computer, extracts the first request information from it, including count, uri_num, status_count, etc., and separately matches the extracted information
- against the information in the various types of preset blacklists, where the blacklists support multiple matching parameters and the matching parameters correspond to the information extracted from the access request.
- the access request is determined to be an attack request.
- the extracted first request information includes: count, none_cookie_ratio
- an expression is:
- the IP address matching parameters including count, none_cookie_ratio, and status_ratio are successfully matched, thereby determining that the access request is an attack request.
- the method provided by the embodiment of the present application may further include the following steps:
- the corresponding blocking scheme is determined based on the blacklist of the matching success, and then the attack request is blocked based on the determined blocking scheme.
- each type of blacklist is stored with a blocking scheme corresponding to different blocking responses for different types of CC attacks.
- the blocking scheme may include but is not limited to the following:
- Captcha indicates jumping to a verification-code page
- the embodiments of the present application adopt different blocking schemes instead of the direct disconnection of the prior art, so as to suit different service scenarios and attack scenarios. For example, if the current attack request seriously affects the current service, the connection can be disconnected directly; if only a suspected attack occurs, the request can be redirected to the verification-code page.
- the expression has an execution time interval, that is, the expression generates a blacklist once every execution interval. Accordingly, in the embodiment of the present application, a first time length since the last execution of the expression is counted; when the first time length reaches a first set time length, that is, when the execution time interval has elapsed, a new blacklist is generated based on the expression, and the current blacklist is overwritten with the new blacklist.
- the blacklist has an expiration_time, that is, a generated blacklist is valid only during its validity period. Accordingly, in the embodiment of the present application, for each blacklist a second time length since its generation is counted, and when the second time length reaches a second set time length, the blacklist is set to invalid. The validity period of the blacklist is usually longer than the execution interval of the expression, so as to avoid a gap in which the current blacklist is no longer valid and the new blacklist has not yet been generated.
- the blacklist is always generated from the latest request information and response information and is adjusted to the current service situation and attack situation, which ensures the timeliness of the blacklist, allows attack requests to be determined more accurately, improves anti-attack efficiency, and reduces the rate of missed attacks.
- the manner of determining the attack request only from the access count of the IP address is not applicable to CC attack types with a low IP-address access frequency, and its false-positive rate is high.
- the present application not only judges the access count of the IP address, but also judges the CC attack based on the header, the cookie, and the args, enabling more accurate judgment of attack requests. It can also judge based on the status code, traffic information, and method, so the dimensions are wider, the judgment mode is more flexible, and the judgment result is more accurate.
- FIG. 3 is a schematic diagram of a module of a server according to an embodiment of the present disclosure.
- FIG. 3 includes: a transceiver module 11, a statistics module 12, a configuration module 13, an execution module 14, and a blocking module 15.
- the transceiver module 11 is configured to receive an access request, and send a response based on the access request, for example, receiving an http access request and sending an http response, and recording and reporting the request information and the response information.
- the transceiver module 11 is typically set up based on nginx or Squid software.
- the statistics module 12 is connected to the transceiver module 11 and configured to receive the request information and the response information reported by the transceiver module 11, collect statistics on the variables corresponding to the expression from the request information and the response information according to the preset expression, and report the result to the execution module 14.
- the configuration module 13 is connected to the execution module 14 for providing a dynamic expression configuration interface, and delivers an expression for indicating an attack condition to the execution module 14 in real time.
- the execution module 14 is configured to parse the expression, and generate a blacklist according to the expression and the statistical result of the statistics module 12. Specifically, the information of the statistical module 12 is brought into the variable of the expression to perform an operation. If the result of the operation is YES, the blacklist of the corresponding type is generated by the blacklist type to which the variable according to the expression belongs.
- the blocking module 15 is connected to the execution module 14 for matching the access request received by the transceiver module 11 according to the blacklist generated by the execution module 14, and blocking the access request matching the blacklist.
- the present application also provides an embodiment of the determining device for the attack request.
- An embodiment of the determining device of the attack request of the present application can be applied to a server.
- the device embodiment may be implemented by software, or by hardware or a combination of hardware and software. Taking the software implementation as an example, as a logical device it is formed by the processor of the device in which it is located reading the corresponding computer program instructions from non-volatile memory into memory. At the hardware level, FIG. 4 is a hardware structure diagram of the device where the determining device of the attack request is located; in addition to the processor, memory, network interface, and non-volatile memory shown in FIG. 4, the device in the embodiment may also include other hardware according to its actual function, which is not shown in FIG. 4.
- FIG. 5 is a block diagram of an embodiment of a determining apparatus for an attack request according to the present application.
- the apparatus may be applied to a server, and the apparatus includes: a receiving unit 510, a matching unit 520, and a first determining unit 530.
- the receiving unit 510 is configured to receive an access request.
- the matching unit 520 is configured to extract the first request information in the access request, and match the first request information with information in a preset blacklist of various types that support multiple matching parameters.
- the first determining unit 530 is configured to determine that the access request is an attack request when the information in the blacklist of any type is successfully matched.
- the apparatus may also include (not shown in Figure 5):
- the parsing unit is configured to parse the access request received in the set time period, obtain the second request information, and/or parse the response sent in the set time period to obtain response information;
- An extracting unit configured to extract information corresponding to the variable from the second request information and/or the response information based on a preset variable in an expression for indicating an attack condition
- An operation unit configured to substitute the extracted information as an input into a variable of the expression to perform an operation
- the first generating unit is configured to generate a blacklist of the corresponding type based on the blacklist type to which the variable of the expression belongs when the operation result is that the attack condition is met.
- the first generating unit may include (not shown in FIG. 5):
- a first determining subunit configured to determine a variable in an expression that meets the attack condition
- a second determining subunit configured to search for a preset blacklist type, and determine a blacklist type to which the variable belongs;
- generating a sub-unit configured to generate a blacklist of a corresponding type according to the blacklist type, where the blacklist type corresponds to the matching parameter.
- the blacklist type includes: an internet protocol address, header_x, cookie_x, and arg_x.
- the apparatus may also include (not shown in FIG. 5):
- a storage unit is configured to store different types of blacklists and blocking schemes.
- the apparatus further includes (not shown in FIG. 5):
- a second determining unit configured to determine a corresponding blocking scheme based on the successfully matched blacklist
- a blocking unit configured to block the determined attack request based on the blocking scheme.
- the blocking scheme includes any one of a jump page, a return rejection page, and a disconnection.
- the apparatus further includes (not shown in FIG. 5):
- a second generating unit configured to generate a new blacklist based on the expression when the first time length reaches a first set time length
- an overwriting unit configured to overwrite the current blacklist with the new blacklist.
- since the device embodiment basically corresponds to the method embodiment, reference may be made to the relevant description of the method embodiment.
- the device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the objectives of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
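The statistics collection, expression evaluation, typed blacklist generation, blocking scheme and blacklist expiry described in steps 201 to 203 and 301 to 304 above, as an added Python example that is not the patent's own code: an expression is modelled as a plain predicate over per-key counters rather than a parsed expression string, and the Request, Stats, Expression and Detector names, the sample IPs, hosts and thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Request:
    ts: float                                   # receive time in seconds
    ip: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    args: Dict[str, str] = field(default_factory=dict)
    status: int = 200                           # status code of the response sent for it

@dataclass
class Stats:
    """Counters for one blacklist key over one window (the 'second request/response information')."""
    count: int = 0
    uris: set = field(default_factory=set)
    statuses: Dict[int, int] = field(default_factory=lambda: defaultdict(int))
    none_cookie: int = 0

    def uri_num(self) -> int:                   # expression variables, named after the patent's list
        return len(self.uris)
    def status_ratio(self, code: int) -> float:
        return self.statuses[code] / self.count if self.count else 0.0
    def none_cookie_ratio(self) -> float:
        return self.none_cookie / self.count if self.count else 0.0

def key_value(req: Request, key_type: str) -> Optional[str]:
    """Matching parameter of a blacklist type: 'ip' or '<header|cookie|arg>_<name>', e.g. 'header_host'."""
    if key_type == "ip":
        return req.ip
    kind, _, name = key_type.partition("_")
    source = {"header": req.headers, "cookie": req.cookies, "arg": req.args}.get(kind)
    return source.get(name) if source is not None else None

@dataclass
class Expression:
    """Attack condition over one key's Stats; key_type fixes the type of blacklist it generates."""
    key_type: str
    predicate: Callable[[Stats], bool]
    scheme: str                                 # blocking scheme stored with the blacklist

class Detector:
    def __init__(self, expressions: List[Expression], interval: float, ttl: float):
        assert ttl > interval, "blacklist validity must outlive the regeneration interval"
        self.expressions, self.interval, self.ttl = expressions, interval, ttl
        # blacklist type -> key value -> (blocking scheme, expiration time)
        self.blacklists: Dict[str, Dict[str, Tuple[str, float]]] = defaultdict(dict)

    def regenerate(self, log: List[Request], now: float) -> None:
        """Steps 301-304: aggregate the last window per key, evaluate each expression, overwrite."""
        window = [r for r in log if now - self.interval <= r.ts < now]
        for expr in self.expressions:
            stats: Dict[str, Stats] = defaultdict(Stats)
            for r in window:
                k = key_value(r, expr.key_type)
                if k is None:
                    continue
                s = stats[k]
                s.count += 1
                s.uris.add(r.uri)
                s.statuses[r.status] += 1
                s.none_cookie += int(not r.cookies)
            self.blacklists[expr.key_type] = {      # new blacklist overwrites the current one
                k: (expr.scheme, now + self.ttl) for k, s in stats.items() if expr.predicate(s)}

    def check(self, req: Request, now: float) -> Optional[str]:
        """Steps 202-203: match against every blacklist type; scheme of the first unexpired hit or None."""
        for key_type, entries in self.blacklists.items():
            k = key_value(req, key_type)
            hit = entries.get(k) if k is not None else None
            if hit is not None and hit[1] > now:
                return hit[0]
        return None

def demo() -> Dict[str, Optional[str]]:
    """Constructed traffic: a cookie-less flood from one IP, a normal user, and
    random 404 URIs against one host. All IPs and hosts are made up."""
    exprs = [
        Expression("ip", lambda s: s.count > 5 and s.none_cookie_ratio() > 0.8, "captcha"),
        Expression("header_host", lambda s: s.uri_num() >= 4 and s.status_ratio(404) > 0.5,
                   "disconnect"),
    ]
    d = Detector(exprs, interval=10.0, ttl=30.0)
    www, cdn = {"host": "www.example.test"}, {"host": "cdn.example.test"}
    log = [Request(1.0 + i, "10.0.0.1", "/index.html", www) for i in range(7)]        # no cookies
    log += [Request(2.0 + i, "10.0.0.2", "/index.html", www, cookies={"sid": "abc"}) for i in range(3)]
    log += [Request(3.0 + i, f"10.0.1.{i}", f"/r{i}", cdn, cookies={"sid": "x"}, status=404)
            for i in range(4)]
    d.regenerate(log, now=10.0)
    probes = {"flood_ip": ("10.0.0.1", www),     # -> "captcha" (ip blacklist)
              "bad_host": ("10.0.9.9", cdn),     # -> "disconnect" (header_host blacklist)
              "normal": ("10.0.0.2", www)}       # -> None
    out = {n: d.check(Request(11.0, ip, "/p", h, cookies={"sid": "new"}), 11.0) for n, (ip, h) in probes.items()}
    out["expired"] = d.check(Request(41.0, "10.0.0.1", "/p", www), 41.0)   # None: blacklist expired at 40.0
    return out
```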
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
The present application claims priority to Chinese Patent Application No. 201611243727.8, filed on December 28, 2016 and entitled "Attack request determination method, apparatus and server", the entire content of which is incorporated herein by reference.
The present application relates to the field of Internet security technology, and in particular to a method, an apparatus and a server for determining an attack request.
With the continuous development of Internet services, website pages are becoming increasingly complex, and handling requests consumes ever more resources on the website's side; under these conditions, the more users access the site, the higher the system load. Websites are vulnerable to CC (Challenge Collapsar) attacks. A CC attack causes enormous resource consumption, so pages open very slowly; if CPU (Central Processing Unit) or bandwidth resources are exhausted, the service may become unavailable, which affects users' network access and degrades the user experience.
In the prior art, CC attacks are mainly determined by collecting statistics on the number of accesses from each IP (Internet Protocol) address: if the number of accesses from an IP address within a given period exceeds a set threshold, that IP address is placed on a blacklist and blocked on the basis of its IP address.
This method can detect a CC attack when a large number of accesses come from the same IP, but it cannot accurately identify CC attacks such as the random-URI (Uniform Resource Identifier) type or the random-domain-name type. Moreover, gathering statistics from the IP perspective alone is one-dimensional and not flexible enough: an attacker can adapt to the IP statistics rules, gradually reduce the number of requests, and thereby craft a malicious attack whose access count never exceeds the set threshold. If the threshold is lowered, the false-positive rate increases; this is especially true where wireless networks and NAT (Network Address Translation) are widespread and many users share the same egress IP, which makes false positives even more likely.
Summary of the invention
The present application provides a method and an apparatus for determining an attack request, so as to solve the problems of the prior art, in which determining an attack request solely from the number of accesses of an IP address is not applicable to CC attack types with a low IP access frequency, cannot accurately identify the various types of CC attacks, and has a high false-positive rate.
According to a first aspect of the embodiments of the present application, a method for determining an attack request, applied on a server, is provided, including:
receiving an access request;
extracting first request information from the access request, and matching the first request information respectively against the information in preset blacklists of various types that support multiple matching parameters;
when the match against the information in any type of blacklist succeeds, determining that the access request is an attack request.
According to a second aspect of the embodiments of the present application, an apparatus for determining an attack request, applied on a server, is provided, including:
a receiving unit, configured to receive an access request;
a matching unit, configured to extract first request information from the access request and to match the first request information respectively against the information in preset blacklists of various types that support multiple matching parameters;
a first determining unit, configured to determine that the access request is an attack request when the match against the information in any type of blacklist succeeds.
According to a third aspect of the embodiments of the present application, a server is provided, including:
a transceiver module, configured to receive an access request and to extract first request information from the access request;
a blocking module, connected to the execution module, configured to match the first request information against the information in preset blacklists of various types that support multiple matching parameters, and to determine that the access request is an attack request when the match against the information in any type of blacklist succeeds.
According to a fourth aspect of the embodiments of the present application, an apparatus for determining an attack request is provided, the apparatus being a server and including: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to:
receive an access request;
extract first request information from the access request, and match the first request information respectively against the information in preset blacklists of various types that support multiple matching parameters;
when the match against the information in any type of blacklist succeeds, determine that the access request is an attack request.
According to a fifth aspect of the embodiments of the present application, a computer storage medium is provided, in which program instructions are stored, the instructions including:
receiving an access request;
extracting first request information from the access request, and matching the first request information respectively against the information in preset blacklists of various types that support multiple matching parameters;
when the match against the information in any type of blacklist succeeds, determining that the access request is an attack request.
As can be seen from the above technical solutions, in the embodiments of the present application the server is provided with blacklists of various types that support multiple matching parameters, so that a CC attack can be judged not only by the number of accesses from an IP address but also on the basis of types such as header, cookie and args. This allows a more precise determination of attack requests and avoids misjudgment: the judgment covers more dimensions, the judgment method is more flexible, and the result is more accurate.
FIG. 1 is a schematic diagram of a scenario of the attack request determination method of the present application;
FIG. 2 is a flow chart of an embodiment of the attack request determination method of the present application;
FIG. 3 is a hardware structure diagram of the device in which the attack request determination apparatus of the present application is located;
FIG. 4 is a hardware structure diagram of the attack request determination apparatus of the present application;
FIG. 5 is a block diagram of an embodiment of the attack request determination apparatus of the present application.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the present application. As used in the present application and the appended claims, the singular forms "a", "said" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present application, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of", "when" or "in response to determining".
In the prior art, when a website is under a CC attack, the IP address is usually determined from the received request and the number of accesses from that IP address in a certain period is counted; if the number exceeds a set threshold, an IP blacklist is generated from that IP so that requests from it can be blocked. This approach can only block CC attacks in which the same IP address accesses frequently, while an attacker can attack fewer times than the set threshold. Moreover, it is not applicable to CC attack types in which the IP access frequency is low. For example, by repeatedly requesting the URI of a large file, a small number of requests is enough to saturate the server's egress bandwidth and affect user access; blocking by IP address alone in this case is very likely to misjudge IP addresses that access other URIs. As another example, a domain name attack against a CDN (Content Delivery Network) node causes the CDN node to query DNS (Domain Name System) frequently, so even a small access volume (attack volume) can bring down the DNS server. As another example, a random-URI attack against a CDN node, which has no direct relation to the access volume of an IP address, causes every request to pass through to the origin site, resulting in service failures. Yet another example is simulating very time-consuming operations of a user visiting the website, such as placing an order on an e-commerce site; such an attack can paralyze the website even when the access volume is small. In summary, identification based on the access volume of an IP address cannot accurately determine the various CC attacks described above.
The embodiments of the present application propose a new method and apparatus for determining an attack request: blacklists of various types are determined from preset expressions together with the request information and response information of a set time period, and received requests are judged and blocked on the basis of these blacklists. In this way, a number of targeted expressions can be configured according to the characteristics of each attack type, so that all types of CC attacks can be defended against effectively. The embodiments of the present application may be applied in a server; the server may be a single physical or logical server, or two or more physical or logical servers that share different responsibilities and cooperate with one another to implement the functions of the server in the embodiments of the present application. The embodiments of the present application do not limit the type of server, nor the type or protocol of the communication network between servers.
Referring to FIG. 1, which is a schematic diagram of a scenario of the attack request determination method according to an embodiment of the present application:
FIG. 1 includes a server and n computers, namely a first computer, a second computer, up to an Nth computer; the server receives requests from the n computers.
The flow of the attack request determination method applied on the server is shown in FIG. 2 and includes the following steps:
Step 201: receive an access request.
In the embodiments of the present application, the request may include application-layer requests such as http (Hyper Text Transfer Protocol) requests, rrt requests and mp requests, and the requested content may include web pages, videos, live streams and so on. The embodiments of the present application take an http request as an example.
Step 202: extract first request information from the access request, and match the first request information respectively against the information in preset blacklists of various types that support multiple matching parameters.
In this step, the server parses the received access request; the resulting first request information may include any one or more of the following parameters, but is not limited to them:
count: the number of accesses for the corresponding blacklist key (the blacklist key value, which can be understood as the matching parameter mentioned above). For example, if the filter information in the blacklist is IP=111.1.1.1, then count represents the number of accesses from the address IP=111.1.1.1.
uri_num: the number of accesses to a given URI; for example, uri_num/a and uri_num/b refer to different URIs.
status_count: the number of times a given status code is returned for the requests; it takes a parameter, for example status_count|404 is the number of times status code 404 is returned.
status_ratio: the number of times a given status code is returned as a proportion of the total number of accesses; it takes a parameter, for example status_ratio|404 is the proportion of the total number of accesses for which status code 404 is returned. Here the total number of accesses is the number of accesses within the set time interval.
arg_num: the number of requests carrying a given arg; it takes a parameter and can be written as arg_num|x. For example, /a?x=1 and /a?x=2 count as 2 accesses.
none_arg_ratio: the proportion of the total number of requests that do not carry a given arg; it takes a parameter, for example none_arg_ratio|x is the proportion of the total number of requests that do not carry the arg x. The total number of requests is the total number of requests received within the validity period of the blacklist, i.e. within the set time interval.
cookie_num: the number of requests carrying a given cookie; it takes a parameter, for example cookie_num|x is the number of requests carrying the cookie x.
none_cookie_ratio: the proportion of the total number of requests that do not carry a given cookie; it takes a parameter, for example none_cookie_ratio|x is the proportion of the total number of requests that do not carry the cookie x.
req_header_num: the number of requests carrying a given header; it takes a parameter, for example req_header_num|x is the number of requests carrying the header x.
none_req_header_ratio: the proportion of the total number of requests that do not carry a given header; it takes a parameter, for example none_header_ratio|x is the proportion of the total number of requests that do not carry the header x.
resp_header_num: the number of responses carrying a given header; it takes a parameter, for example resp_header_num|x is the number of responses carrying the header x.
none_req_header_ratio: the proportion of the total number of requests whose responses do not carry a given header; it takes a parameter, for example none_header_ratio|x is the proportion of the total number of requests whose responses do not carry the header x.
method_ratio: the number of requests submitted with a given method as a proportion of the total number of requests; it takes a parameter, for example method_ratio|POST is the number of requests submitted with POST as a proportion of the total number of accesses. Requests may also be submitted with GET, DELETE, HEAD, PUT and so on, and the corresponding proportion of the total number of requests can be computed for each.
method_count: the number of requests submitted with a given method; it takes a parameter, for example method_count|POST is the number of requests submitted with POST.
req_traffic: the total traffic of requests, that is, the total traffic consumed by the requests received within the validity period of the blacklist.
resp_traffic: the total traffic of responses, that is, the total traffic consumed by the responses sent within the validity period of the blacklist.
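The following is an added example (not code from the patent or its applicant) showing how the parameters listed above can be computed from one statistics window. Each request/response pair is a constructed `Record`; `window_stats` produces the `name|parameter` keys the description uses (for example `status_ratio|404`), grouped per blacklist key by `stats_by_ip`. Two points are assumptions rather than statements of the page: `uri_num` is taken as the number of distinct URIs seen in the window, and the response-header ratio is emitted under the name `none_resp_header_ratio`, since the page lists it under the same name as the request-header ratio.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Record:
    """One request/response pair observed in the statistics window (constructed)."""
    ip: str
    method: str
    uri: str                                   # path plus optional query string
    status: int
    req_headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    resp_headers: dict = field(default_factory=dict)
    req_bytes: int = 0
    resp_bytes: int = 0


# Constructed sample window: five requests from 111.1.1.1 and one from 10.0.0.2.
SAMPLE_WINDOW = [
    Record("111.1.1.1", "GET", "/a?x=1", 404, {"Host": "ww.cdn.com"}, {}, {"Server": "nginx"}, 200, 300),
    Record("111.1.1.1", "GET", "/b", 404, {"Host": "ww.cdn.com"}, {"t": "1"}, {"Server": "nginx"}, 200, 300),
    Record("111.1.1.1", "POST", "/login", 200, {"Host": "ww.cdn.com", "User-Agent": "x"}, {},
           {"Server": "nginx", "Set-Cookie": "sid=1"}, 400, 800),
    Record("111.1.1.1", "GET", "/a?x=2", 404, {"Host": "ww.cdn.com"}, {}, {"Server": "nginx"}, 200, 300),
    Record("111.1.1.1", "GET", "/c", 502, {"Host": "ww.cdn.com"}, {}, {"Server": "nginx"}, 100, 100),
    Record("10.0.0.2", "GET", "/index.html", 200, {"Host": "ww.cdn.com"}, {"t": "9"}, {"Server": "nginx"}, 150, 2000),
]


def window_stats(records):
    """Compute the parameters listed above for one blacklist key (e.g. one IP).

    Parameters that "take a parameter" are keyed as name|value, e.g. status_ratio|404.
    uri_num is interpreted as the number of distinct URIs seen (assumption) and the
    response-header ratio is emitted under the assumed name none_resp_header_ratio.
    """
    total = len(records)
    if total == 0:
        return {}
    stats = {"count": total, "uri_num": len({urlsplit(r.uri).path for r in records})}

    for code, n in Counter(r.status for r in records).items():
        stats[f"status_count|{code}"] = n
        stats[f"status_ratio|{code}"] = n / total
    for method, n in Counter(r.method.upper() for r in records).items():
        stats[f"method_count|{method}"] = n
        stats[f"method_ratio|{method}"] = n / total

    def presence(num_name, none_name, names_of):
        # Count each request once per name it carries, then derive the "none_" ratio.
        seen = Counter()
        for r in records:
            seen.update(set(names_of(r)))
        for name, n in seen.items():
            stats[f"{num_name}|{name}"] = n
            stats[f"{none_name}|{name}"] = (total - n) / total

    presence("arg_num", "none_arg_ratio", lambda r: parse_qs(urlsplit(r.uri).query))
    presence("cookie_num", "none_cookie_ratio", lambda r: r.cookies)
    presence("req_header_num", "none_req_header_ratio", lambda r: {h.lower() for h in r.req_headers})
    presence("resp_header_num", "none_resp_header_ratio", lambda r: {h.lower() for h in r.resp_headers})

    stats["req_traffic"] = sum(r.req_bytes for r in records)
    stats["resp_traffic"] = sum(r.resp_bytes for r in records)
    return stats


def stats_by_ip(records):
    """Group the window by source IP, the key of an IP-type blacklist."""
    groups = defaultdict(list)
    for r in records:
        groups[r.ip].append(r)
    return {ip: window_stats(rs) for ip, rs in groups.items()}


if __name__ == "__main__":
    for ip, s in stats_by_ip(SAMPLE_WINDOW).items():
        print(ip, s)
```

Note that a `none_*_ratio` key is only emitted for names that appeared at least once in the window; a cookie or header that no request carried has no key, and the consumer must decide how to treat that absence (the evaluator example further below treats a missing variable as 0).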
In the embodiments of the present application, the server may preset blacklists that support multiple matching parameters. The blacklists are of multiple types, rather than only the IP address type as in the prior art. Setting up the blacklists includes the following steps (not shown in FIG. 2):
Step 301: parse the access requests received and/or the responses sent within the set time period to obtain second request information and/or response information respectively.
In this step, the set time period may be one of the periods delimited by the execution interval of the expression that represents the attack condition; for example, if the execution interval is 10 s, the set time period is the 10 s preceding the current time. The second request information and the response information may be any one or more of the parameters listed in step 202 above.
Step 302: based on the variables in the preset expression, extract the information corresponding to each variable from the second request information and/or response information.
In the embodiments of the present application, an expression may be preset; the expression consists of variables and operators and represents an attack condition. Multiple expressions may be set according to the various types and characteristics of CC attacks, so that blacklists covering multiple CC attack types can subsequently be generated. In this step, the information corresponding to the variables of the expression is extracted from the second request information and/or response information.
The operators may include, but are not limited to, the following:
parentheses: ()
greater than: >
less than: <
or operator: ||
and operator: &&
Setting expressions in this way increases the flexibility of the statistics: the expressions can be adjusted promptly according to the type of attack and the actual situation, which makes it easier to judge various attacks precisely and widens the coverage of attack detection. Status codes, headers and traffic information can be combined in a single judgment, so the judgment covers more dimensions and its result is more precise.
Step 303: substitute the extracted information, as input, into the variables of the expression and evaluate it.
After extracting the information for all variables of the expression, the server substitutes the extracted information into the variables of the expression and evaluates it.
Step 304: when the result of the evaluation is that the attack condition is met, generate a blacklist based on the type to which the parameters in the expression belong.
Since the expression represents an attack condition, a result of true means that the information substituted into the expression's variables meets that attack condition, and the access requests corresponding to that information are very likely attack requests; therefore, when the result is true, a blacklist can be generated. When the result is false, the information substituted into the expression's variables does not meet the attack condition, and the access requests corresponding to that information are usually not attack requests.
As the above description shows, the blacklists are generated in advance rather than after a request is received, so no statistics are collected and no blacklist is generated at request time; the judgment itself is simple, since it only checks whether the information in the access request is present in a blacklist. This approach responds quickly and does not lengthen the response time of accesses, which makes it particularly suitable for high-concurrency scenarios, and especially for distributed environments, where the http information of the whole distributed environment can be aggregated for wider coverage.
Specifically, in the embodiments of the present application the blacklists are divided into four types, each corresponding to a matching parameter; that is, the blacklists support four matching parameters: IP, header_x, cookie_x and arg_x.
For example, IP=111.1.1.1 means that, with the IP address as the type, a blacklist for the IP address 111.1.1.1 is generated.
header_host=ww.cdn.com means that a blacklist is generated for requests whose header host (which specifies the domain name and port number of the requested server) is ww.cdn.com.
cookie_unc=test means that a blacklist is generated for requests whose cookie contains unc=test.
arg_user=admin means that a blacklist is generated for requests whose parameters contain user=admin.
In this step, then, the blacklist type to which the variables of the expression that evaluated to true belong must be determined, and a blacklist of the corresponding type is then generated from that blacklist type and the substituted information.
For example, for the expression "none_cookie_ratio|t">0.5, when the information substituted into it evaluates to true, the variable none_cookie_ratio of the expression determines that the blacklist type is cookie_x, so a blacklist of "unc=test in the cookie" can be generated.
As another example, for a CC attack using random domain names and random URIs, the expression is:
("status_ratio|404">0.6&&"uri_num">5&&"count">50000)||("status_ratio|502">0.6&&"count">100)||("status_ratio|504">0.6&&"count">500)||("status_ratio|503">0.6&&"count">500)
That is, the status codes, the number of URIs requested, the number of requests and other information are combined to judge comprehensively whether a CC attack is present. The more matching parameters there are, the more flexible the judgment and the more precise the result.
In this step, since there are multiple blacklist types and an expression has multiple variables, the variables of one expression may belong to different blacklist types, that is, two or more blacklist types may correspond to one expression. In this case, a priority can be set for the blacklist types so that only a blacklist of the highest-priority type is generated. Alternatively it can be specified explicitly, for example to generate only an IP blacklist or only a blacklist for the header.
In this step, when multiple expressions are set, the number of blacklists may also be large. When matching the first request information against the information in the preset blacklists, if the number of blacklists is small (below a set threshold), the first request information can be matched against each blacklist in turn; if the number of blacklists is large, traversing every blacklist is inefficient, and in that case a binary tree of blacklists can be generated based on the blacklist type.
Step 203: when the match against the information in any type of blacklist succeeds, determine that the access request is an attack request.
When the first request information matches the information in a blacklist, the corresponding access request can be determined to be an attack request. For example, if the blacklist contains IP=111.1.1.1 and the IP in the first request information is also 111.1.1.1, the match succeeds. As another example, if the blacklist contains user=admin and the user in the first request information is also admin, the match succeeds and the corresponding access request is determined to be an attack request.
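The following is an added example (not code from the patent or its applicant) of steps 302 to 304 and the priority rule above: a small recursive-descent parser for the expression language (quoted variable names with an optional `|parameter`, numbers, parentheses, `<`, `>`, `&&`, `||`), an evaluator that substitutes per-key window statistics, and blacklist generation keyed on the type the expression's variables belong to. The parser accepts only that grammar, so a configured expression is never handed to `eval`; `&&` binds tighter than `||`, as in C. Two things are assumptions: the full variable-to-type mapping (`VARIABLE_TYPE`; the page gives only the examples none_cookie_ratio to cookie_x and method_count to header) and the type priority order in `TYPE_PRIORITY`. A variable that is absent from the window statistics is treated as 0. The statistics dictionary is constructed, using the random-domain/random-URI expression quoted above.

```python
import re

# Token grammar: quoted variable names (optionally with a |parameter), decimal
# numbers, and the operators ( ) < > || && listed in the description.
_TOKEN_RE = re.compile(r'\s*(?:"([^"]*)"|(\d+(?:\.\d+)?)|(\|\||&&|[()<>]))')


def tokenize(text):
    """Split an expression into ("var", name) / ("num", value) / ("op", symbol) tokens.
    Anything outside the grammar raises ValueError, so configuration is never eval'd."""
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        if m.group(1) is not None:
            tokens.append(("var", m.group(1)))
        elif m.group(2) is not None:
            tokens.append(("num", float(m.group(2))))
        else:
            tokens.append(("op", m.group(3)))
        pos = m.end()
    return tokens


class _Parser:
    """or := and ('||' and)*;  and := cmp ('&&' cmp)*;
    cmp := '(' or ')' | term ('<' | '>') term;  term := var | num."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("op", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_cmp()
        while self.peek() == ("op", "&&"):
            self.take()
            node = ("and", node, self.parse_cmp())
        return node

    def parse_cmp(self):
        if self.peek() == ("op", "("):
            self.take()
            node = self.parse_or()
            self.take(("op", ")"))
            return node
        left = self.parse_term()
        op = self.take()
        if op not in (("op", "<"), ("op", ">")):
            raise ValueError(f"expected < or >, got {op}")
        return (op[1], left, self.parse_term())

    def parse_term(self):
        tok = self.take()
        if tok[0] not in ("var", "num"):
            raise ValueError(f"expected variable or number, got {tok}")
        return tok


def compile_expression(text):
    return _Parser(tokenize(text)).parse()


def is_valid_expression(text):
    try:
        compile_expression(text)
        return True
    except ValueError:
        return False


def variables_in(node):
    """Names of all variables referenced by a compiled expression."""
    if node[0] == "var":
        return {node[1]}
    if node[0] == "num":
        return set()
    return variables_in(node[1]) | variables_in(node[2])


def evaluate(node, values):
    """Step 303: substitute window statistics for the variables and evaluate.
    A variable missing from the window counts as 0 (assumption)."""
    kind = node[0]
    if kind == "var":
        return float(values.get(node[1], 0.0))
    if kind == "num":
        return node[1]
    if kind == "and":
        return bool(evaluate(node[1], values)) and bool(evaluate(node[2], values))
    if kind == "or":
        return bool(evaluate(node[1], values)) or bool(evaluate(node[2], values))
    left, right = evaluate(node[1], values), evaluate(node[2], values)
    return left > right if kind == ">" else left < right


# Assumed mapping from variable to blacklist type; the page gives only examples.
VARIABLE_TYPE = {
    "count": "IP", "uri_num": "IP", "status_count": "IP", "status_ratio": "IP",
    "req_traffic": "IP", "resp_traffic": "IP",
    "method_count": "header_x", "method_ratio": "header_x",
    "req_header_num": "header_x", "none_req_header_ratio": "header_x",
    "resp_header_num": "header_x", "none_resp_header_ratio": "header_x",
    "cookie_num": "cookie_x", "none_cookie_ratio": "cookie_x",
    "arg_num": "arg_x", "none_arg_ratio": "arg_x",
}
TYPE_PRIORITY = ("IP", "header_x", "cookie_x", "arg_x")   # assumed priority order


def blacklist_type(node):
    """Step 304 / priority rule: the single type of blacklist an expression generates."""
    types = {VARIABLE_TYPE.get(name.split("|", 1)[0]) for name in variables_in(node)}
    for t in TYPE_PRIORITY:
        if t in types:
            return t
    raise ValueError("expression references no known blacklist parameter")


def generate_blacklist(text, stats_by_key):
    """Evaluate one expression per key and return the (type, key) entries that
    meet the attack condition, i.e. the new blacklist for this interval."""
    node = compile_expression(text)
    list_type = blacklist_type(node)
    return [(list_type, key) for key, values in sorted(stats_by_key.items())
            if evaluate(node, values)]


# The random-domain / random-URI expression quoted above.
RANDOM_URI_EXPR = ('("status_ratio|404">0.6&&"uri_num">5&&"count">50000)'
                   '||("status_ratio|502">0.6&&"count">100)'
                   '||("status_ratio|504">0.6&&"count">500)'
                   '||("status_ratio|503">0.6&&"count">500)')

# Constructed per-IP statistics for one 10 s window.
SAMPLE_STATS = {
    "111.1.1.1": {"count": 60000, "uri_num": 9, "status_ratio|404": 0.7},
    "10.0.0.2": {"count": 40, "uri_num": 1, "status_ratio|404": 0.0},
    "10.0.0.3": {"count": 150, "uri_num": 2, "status_ratio|502": 0.9},
}

if __name__ == "__main__":
    print(generate_blacklist(RANDOM_URI_EXPR, SAMPLE_STATS))
```

Because the grammar has no assignment, function call or identifier outside double quotes, a malformed or hostile expression in the configuration fails at parse time rather than executing anything; `is_valid_expression` is the check to run when an operator edits the expression set.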
In one embodiment, with reference to FIG. 1:
The server presets the blacklists: the server parses the access requests received and/or the responses sent within the set time period and extracts the second request information and/or response information, which may be any number of the matching parameters above. The server then reads the preset expression, which consists of variables and operators; for example, if the expression is method_count|POST>5, the number of requests submitted with POST that it refers to is the information to be extracted from the second request information. The server then feeds the extracted second request information and/or response information as input into the variables of the expression and evaluates it. Continuing with the above expression, if the second request information extracted by the server is 7, then since 7>5 the result is true, meaning the condition holds and the attack condition is met, so the server generates a blacklist based on the type to which the parameter in the expression belongs. The type of this expression is header, so a blacklist of type header is generated, and the matching parameters of that blacklist include method_count.
After the blacklists have been set, when the server receives an http access request from a computer, it extracts the first request information from the http access request, including count, uri_num, status_count and other information, and matches the extracted information respectively against the information in the preset blacklists of the various types; the blacklists support multiple matching parameters, and the matching parameters correspond to the information extracted from the access request. When the first request information matches the information in any type of blacklist, the access request is determined to be an attack request.
For example, the extracted first request information includes count, none_cookie_ratio|t and status_ratio|404, and an expression is:
("count">1000&&"none_cookie_ratio|t">0.5)||("count">100&&"status_ratio|404">0.8)
If, in the first request information, the total number of accesses from some IP is greater than 1000 and the proportion of requests whose cookie does not contain t is greater than 0.5, or the total number of requests is greater than 100 and the proportion of returned 404 status codes is greater than 0.8, then the request matches a blacklist of type IP whose matching parameters include count, none_cookie_ratio and status_ratio, and the access request is determined to be an attack request.
After the attack request has been determined, the method provided by the embodiments of this application may further include the following step:
the corresponding blocking scheme (Action) is determined based on the blacklist that was matched, and the attack request is then blocked according to the determined blocking scheme.
In the server, a blocking scheme is stored in correspondence with each type of blacklist, so that different blocking responses can be made to different types of CC attack.
In the embodiments of this application, the blocking schemes may include, but are not limited to, the following:
login: redirect to the login page;
wait: redirect to a waiting page;
challenge: redirect to a human-machine challenge page;
captcha: redirect to a verification-code page;
deny: return a rejection page;
close: disconnect the connection directly.
The embodiments of this application use different blocking schemes rather than the direct disconnection of the prior art, and so suit different business scenarios and attack scenarios. For example, when the attack requests currently being received are seriously affecting the service, the connection can be dropped directly; when a suspected attack occurs, the request can instead be redirected to the verification-code page.
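The pipeline described above (statistics over a window of requests, an expression evaluated against them, a typed blacklist with an attached blocking scheme, and matching of incoming requests against it) as an added example in Python. This is not code from the patent or its assignee; the record layout, the expression grammar (quoted or bare variables, numbers, comparison operators, &&, || and parentheses), the way a "name|argument" variable such as status_ratio|404 is derived from records, and the choice to key a header_x blacklist on the value of header x are all assumptions modelled on the examples in the text. The sample traffic is constructed.

```python
# Added example (not the patent's code): expression-driven blacklist generation
# and request matching. Record layout, expression grammar, "name|argument"
# variable semantics and the keying of header_x/cookie_x/arg_x lists are
# assumptions modelled on the examples in the text.
import re
from collections import defaultdict

ACTIONS = ("login", "wait", "challenge", "captcha", "deny", "close")  # blocking schemes in the text
_CMP = {">": lambda a, b: a > b, "<": lambda a, b: a < b, ">=": lambda a, b: a >= b,
        "<=": lambda a, b: a <= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
# Tokens: quoted variable, number, operator, or bare variable with an optional |argument.
_TOKEN_RE = re.compile(r'\s*(?:"(?P<qvar>[^"]+)"|(?P<num>\d+(?:\.\d+)?)'
                       r'|(?P<op>&&|\|\||>=|<=|==|!=|[<>()])'
                       r'|(?P<var>[A-Za-z_]\w*(?:\|\w+)?))')


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("cannot tokenize near %r" % text[pos:])
        kind, value = m.lastgroup, m.group(m.lastgroup)
        tokens.append(("num", float(value)) if kind == "num" else
                      ("op", value) if kind == "op" else ("var", value))
        pos = m.end()
    return tokens


class _Parser:
    """or := and ('||' and)* ; and := primary ('&&' primary)* ; primary := '(' or ')' | VAR CMP NUM.
    A small recursive-descent parser, so attacker-controlled text is never passed to eval()."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def _take(self, expect=None):
        tok = self._peek()
        if expect is not None and tok != ("op", expect):
            raise ValueError("expected %r, got %r" % (expect, tok))
        self.i += 1
        return tok

    def parse(self):
        node = self._or()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens in expression")
        return node

    def _or(self):
        node = self._and()
        while self._peek() == ("op", "||"):
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._primary()
        while self._peek() == ("op", "&&"):
            self._take()
            node = ("and", node, self._primary())
        return node

    def _primary(self):
        if self._peek() == ("op", "("):
            self._take()
            node = self._or()
            self._take(")")
            return node
        (kind, name), (_, op), (nkind, value) = self._take(), self._take(), self._take()
        if kind != "var" or op not in _CMP or nkind != "num":
            raise ValueError("expected VARIABLE CMP NUMBER, got %r %r %r" % (name, op, value))
        return ("cmp", name, op, value)


def parse_expression(text):
    return _Parser(tokenize(text)).parse()


def variables(node):
    """Names of the variables an expression refers to (the blacklist's matching parameters)."""
    return {node[1]} if node[0] == "cmp" else variables(node[1]) | variables(node[2])


def evaluate(node, lookup):
    if node[0] == "cmp":
        return _CMP[node[2]](lookup(node[1]), node[3])
    left = evaluate(node[1], lookup)
    return (left and evaluate(node[2], lookup)) if node[0] == "and" else (left or evaluate(node[2], lookup))


def resolve_variable(name, records):
    """Derive one expression variable from a group of records (assumed semantics)."""
    base, _, arg = name.partition("|")
    n = len(records)
    if base == "count":
        return n
    if base == "method_count":
        return sum(r["method"] == arg for r in records)
    if base == "status_ratio":
        return sum(r["status"] == int(arg) for r in records) / n
    if base == "none_cookie_ratio":
        return sum(arg not in r["cookies"] for r in records) / n
    raise KeyError("unknown variable %s" % name)


def blacklist_key(record, list_type):
    """Value a record is grouped and matched on: its IP, or the value of header/cookie/arg x."""
    if list_type == "ip":
        return record["ip"]
    prefix, _, name = list_type.partition("_")
    return record[{"header": "headers", "cookie": "cookies", "arg": "args"}[prefix]].get(name)


def generate_blacklist(expression, records, list_type, action):
    """Evaluate the expression per key over a window of records; keys satisfying it are listed."""
    tree = parse_expression(expression)
    groups = defaultdict(list)
    for r in records:
        if blacklist_key(r, list_type) is not None:
            groups[blacklist_key(r, list_type)].append(r)
    entries = {key: {v: resolve_variable(v, grp) for v in variables(tree)}
               for key, grp in groups.items()
               if evaluate(tree, lambda v, grp=grp: resolve_variable(v, grp))}
    return {"type": list_type, "match_params": sorted(variables(tree)), "action": action, "entries": entries}


def classify_request(request, blacklists):
    """Blocking action of the first blacklist whose key matches the request, else None."""
    for bl in blacklists:
        key = blacklist_key(request, bl["type"])
        if key is not None and key in bl["entries"]:
            return bl["action"]
    return None


def _make(ip, agent, total, posts=0, no_t_cookie=0, not_found=0):
    # Constructed sample traffic for one client; nothing here is real capture data.
    return [{"ip": ip, "method": "POST" if i < posts else "GET", "headers": {"User-Agent": agent},
             "cookies": {} if i < no_t_cookie else {"t": "sess"}, "args": {"page": str(i)},
             "status": 404 if i < not_found else 200} for i in range(total)]


SAMPLE_RECORDS = (_make("10.0.0.1", "Mozilla/5.0", 1200, no_t_cookie=700)  # >1000 hits, 58% lack cookie t
                  + _make("10.0.0.2", "Mozilla/5.0", 150, not_found=130)    # >100 hits, 87% are 404s
                  + _make("10.0.0.3", "bulk-poster/2.0", 40, posts=7))      # 7 POSTs under one User-Agent
IP_EXPRESSION = '("count">1000&&"none_cookie_ratio|t">0.5)||("count">100&&"status_ratio|404">0.8)'
POST_EXPRESSION = "method_count|POST>5"


def build_blacklists():
    """One IP-type list from the text's compound expression, one header-type list from the POST one."""
    return [generate_blacklist(IP_EXPRESSION, SAMPLE_RECORDS, "ip", "captcha"),
            generate_blacklist(POST_EXPRESSION, SAMPLE_RECORDS, "header_User-Agent", "challenge")]
```

With the constructed traffic, 10.0.0.1 and 10.0.0.2 land on the IP list (each through a different branch of the compound expression) while 10.0.0.3 does not; the POST expression, keyed on the User-Agent header value, lists only the bulk-posting agent. classify_request then returns the blocking scheme stored with the first matching list, which is where the per-type Action lookup of the text plugs in. Ratios are computed as plain shares of the key's own requests, so a key with few requests can still trip a ratio threshold; the count guards in the expression are what keep that from producing false positives.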
An expression has an execution interval, that is, the expression generates a blacklist once every execution interval. In the embodiments of this application, therefore, a first time length is counted for the expression from the time it was last executed; when the first time length reaches a first set time length, namely the execution interval, a new blacklist is generated based on the expression, and the new blacklist overwrites the current one.
A blacklist has a validity period (expired_time), that is, a generated blacklist is valid only during its validity period. In the embodiments of this application, therefore, a second time length is counted for each blacklist from the time it was generated, and when the second time length reaches a second set time length the blacklist is set to invalid. The validity period of a blacklist is generally longer than the execution interval of the expression, which guarantees that there is never a moment at which the current blacklist has already become invalid while the new blacklist has not yet been generated.
In this way the blacklist is guaranteed to always be generated from the latest collected request information and response information and to be adjusted promptly to the current business and attack situation, which keeps the blacklist current, allows attack requests to be determined more precisely, improves the efficiency of the defence and lowers the false-positive (mis-block) rate.
As can be seen from the prior art, determining attack requests solely from the number of accesses by an IP address is not suited to CC attack types in which each IP address accesses at a low frequency, and it has a high false-positive rate. This application not only judges by the number of accesses from an IP address but also judges CC attacks on the basis of headers, cookies, args and the like, so that attack requests can be determined more precisely. Judgement can also be based on status codes, traffic information and the request method, so the dimensions of judgement are broader, the manner of judgement is more flexible and the result is more accurate.
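The refresh rule of the two preceding paragraphs (regenerate every execution interval, invalidate expired_time after generation) as an added example, not code from the patent. It uses a simulated clock in seconds supplied by the caller, and coverage_gaps checks the claim that a validity period longer than the execution interval leaves no moment without a valid blacklist; the generate callable and the tick-driven scheduler are assumptions of this example.

```python
# Added example (not the patent's code): refresh schedule for one blacklist.
# The caller supplies a simulated clock in seconds; `generate` stands in for
# evaluating the expression over the current window of request/response data.


class BlacklistSchedule:
    def __init__(self, interval, expired_time, generate):
        self.interval, self.expired_time = interval, expired_time  # first and second set time lengths
        self.generate = generate  # callable(now) -> new blacklist contents
        self.last_exec = self.generated_at = self.current = None

    def tick(self, now):
        """Regenerate (and overwrite) once the time since the last execution reaches the interval."""
        if self.last_exec is None or now - self.last_exec >= self.interval:
            self.current, self.last_exec, self.generated_at = self.generate(now), now, now
        return self.current

    def active(self, now):
        """The current list while its validity period lasts; None once it has expired."""
        if self.generated_at is None or now - self.generated_at >= self.expired_time:
            return None
        return self.current


def coverage_gaps(interval, expired_time, horizon):
    """Seconds within [0, horizon) at which no valid blacklist exists for this configuration."""
    sched = BlacklistSchedule(interval, expired_time, lambda now: {"generated_at": now})
    gaps = []
    for t in range(horizon):
        sched.tick(t)
        if sched.active(t) is None:
            gaps.append(t)
    return gaps
```

With an interval of 30 s and an expired_time of 60 s there is no gap at all; with an expired_time of 20 s the list is dead for the last ten seconds of every interval, which is exactly the window the text's rule is meant to rule out. Expiry still matters even when the interval is shorter, because it bounds how long a stale list keeps blocking if the expression stops being executed (for instance while the statistics source is unavailable).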
Referring to FIG. 3, a schematic block diagram of the server of an embodiment of this application, FIG. 3 includes: a transceiver module 11, a statistics module 12, a configuration module 13, an execution module 14 and a blocking module 15.
The transceiver module 11 receives access requests and sends responses based on the access requests, for example receiving http access requests and sending http responses, and records and reports the request information and response information. The transceiver module 11 is usually built on nginx or Squid.
The statistics module 12, connected to the transceiver module 11, receives the request information and response information reported by the transceiver module 11, compiles from them, according to the preset expression, the information corresponding to the variables of the expression, and reports the statistical results to the execution module 14.
The configuration module 13, connected to the execution module 14, provides a dynamic expression configuration interface and delivers the expressions representing attack conditions to the execution module 14 in real time.
The execution module 14 parses the expressions and generates blacklists from the expressions and the statistical results of the statistics module 12. Specifically, it substitutes the information compiled by the statistics module 12 into the variables of an expression and evaluates it; if the result is true, it generates a blacklist of the type to which the variables of the expression belong.
The blocking module 15, connected to the execution module 14, matches the access requests received by the transceiver module 11 against the blacklists generated by the execution module 14 and blocks the access requests that match a blacklist.
Corresponding to the embodiments of the method for determining an attack request, this application also provides embodiments of an apparatus for determining an attack request.
The embodiments of the attack request determination apparatus of this application can be applied on a server. The apparatus embodiments may be implemented in software, in hardware, or in a combination of hardware and software. Taking a software implementation as an example, the apparatus in the logical sense is formed by the processor of the device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, FIG. 4 is a hardware structure diagram of the device on which the attack request determination apparatus resides; besides the processor, memory, network interface and non-volatile memory shown in FIG. 4, the device in which the apparatus of the embodiment resides may usually also include other hardware depending on its actual function, which is not shown individually in FIG. 4.
Referring to FIG. 5, a block diagram of an embodiment of the attack request determination apparatus of this application, the apparatus can be applied on a server and includes: a receiving unit 510, a matching unit 520 and a first determining unit 530.
The receiving unit 510 receives access requests;
the matching unit 520 extracts the first request information from the access request and matches the first request information against the information in each of the preset blacklists of the various types that support multiple matching parameters;
the first determining unit 530 determines the access request to be an attack request when it matches the information in a blacklist of any type.
In an optional implementation, the apparatus may further include (not shown in FIG. 5):
a parsing unit, which parses the access requests received within a set time period to obtain second request information and/or parses the responses sent within the set time period to obtain response information;
an extracting unit, which, based on the variables in a preset expression representing an attack condition, extracts the information corresponding to those variables from the second request information and/or the response information;
an operation unit, which substitutes the extracted information as input into the variables of the expression and evaluates it;
a first generating unit, which, when the result satisfies the attack condition, generates a blacklist of the corresponding type based on the blacklist type to which the variables of the expression belong.
In another optional implementation, the first generating unit may include (not shown in FIG. 5):
a first determining sub-unit, which determines the variables in the expression that satisfies the attack condition;
a second determining sub-unit, which looks up the preset blacklist types and determines the blacklist type to which the variables belong;
a generating sub-unit, which generates a blacklist of the corresponding type based on that blacklist type, the blacklist type corresponding to the matching parameters.
In another optional implementation, the blacklist types include: Internet Protocol address, header_x, cookie_x and arg_x.
In another optional implementation, the apparatus may further include (not shown in FIG. 5):
a storage unit, which stores the different types of blacklist in correspondence with their blocking schemes.
In another optional implementation, the apparatus further includes (not shown in FIG. 5):
a second determining unit, which determines the corresponding blocking scheme based on the blacklist that was matched;
a blocking unit, which blocks the determined attack request based on that blocking scheme.
In another optional implementation, the blocking scheme is any one of: redirecting to a page, returning a rejection page, and disconnecting.
In another optional implementation, the apparatus further includes (not shown in FIG. 5):
a statistics unit, which counts the length of time since the expression was last executed;
a second generating unit, which generates a new blacklist based on the expression when the first time length reaches a first set time length;
an overwriting unit, which overwrites the current blacklist with the new blacklist.
The implementation of the functions and roles of each unit in the above apparatus is described in detail in the implementation of the corresponding steps of the above method and is not repeated here.
Since the apparatus embodiments essentially correspond to the method embodiments, the relevant parts may be understood by reference to the description of the method embodiments. The apparatus embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application. Persons of ordinary skill in the art can understand and implement this without creative effort.
It can be seen from the above embodiments that, by adding a missed-file task to the file task table, setting in the missed-file task fields including a business time period and a file generation time, and comparing the data storage time with the file generation time through SQL logic statements, the server can ensure that the normal data and the missed data found are complementary and not duplicated, can collect the missed data effectively, promptly, completely and accurately, and can feed it back to the fund company in time, greatly improving operational efficiency.
Other embodiments of this application will readily occur to those skilled in the art after considering the specification and practising the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of this application that follow its general principles and include common knowledge or customary technical means in the art not disclosed in this application. The specification and examples are to be regarded as exemplary only, the true scope and spirit of this application being indicated by the following claims.
It is to be understood that this application is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of this application is limited only by the appended claims.
Claims (23)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611243727.8A CN108259425A (en) | 2016-12-28 | 2016-12-28 | The determining method, apparatus and server of query-attack |
CN201611243727.8 | 2016-12-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018121331A1 true WO2018121331A1 (en) | 2018-07-05 |
Family
ID=62710299
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/117067 WO2018121331A1 (en) | 2016-12-28 | 2017-12-19 | Attack request determination method, apparatus and server |
Country Status (3)
Country | Link |
---|---|
CN (1) | CN108259425A (en) |
TW (1) | TW201824047A (en) |
WO (1) | WO2018121331A1 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109729094A (en) * | 2019-01-24 | 2019-05-07 | 中国平安人寿保险股份有限公司 | Malicious attack detection method, system, computer installation and readable storage medium storing program for executing |
CN113660275A (en) * | 2021-08-18 | 2021-11-16 | 中国电信股份有限公司 | Domain name system request processing method and device, electronic equipment and storage medium |
CN113765913A (en) * | 2021-09-02 | 2021-12-07 | 云宏信息科技股份有限公司 | Method for configuring access to blacklist by Tomcat server, storage medium and Tomcat server |
CN114079574A (en) * | 2020-08-14 | 2022-02-22 | 中移动信息技术有限公司 | Data filtering method, device, equipment and storage medium |
CN114257403A (en) * | 2021-11-16 | 2022-03-29 | 北京网宿科技有限公司 | False alarm detection method, equipment and readable storage medium |
CN115001759A (en) * | 2022-05-19 | 2022-09-02 | 国网数字科技控股有限公司 | Access information processing method and device, electronic equipment and readable storage medium |
CN116846678A (en) * | 2023-08-10 | 2023-10-03 | 国网冀北电力有限公司张家口供电公司 | A method for determining highly suspicious IPs |
CN118400154A (en) * | 2024-05-06 | 2024-07-26 | 天翼爱音乐文化科技有限公司 | Network malicious attack protection method, system, electronic equipment and storage medium |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110858831B (en) * | 2018-08-22 | 2022-07-29 | 阿里巴巴集团控股有限公司 | Safety protection method and device and safety protection equipment |
CN109347820B (en) * | 2018-10-12 | 2021-10-22 | 江苏满运软件科技有限公司 | Application security defense method and system |
CN109547427B (en) * | 2018-11-14 | 2023-03-28 | 平安普惠企业管理有限公司 | Blacklist user identification method and device, computer equipment and storage medium |
CN109474601B (en) * | 2018-11-26 | 2021-06-01 | 杭州安恒信息技术股份有限公司 | A Scanning Attack Handling Method Based on Behavior Recognition |
CN111262719B (en) * | 2018-12-03 | 2022-12-02 | 阿里巴巴集团控股有限公司 | Information display method, device and storage medium |
CN110071941B (en) * | 2019-05-08 | 2021-10-29 | 北京奇艺世纪科技有限公司 | Network attack detection method, equipment, storage medium and computer equipment |
CN111212070B (en) * | 2019-12-31 | 2022-03-08 | 奇安信科技集团股份有限公司 | Risk monitoring method and device, computing equipment and medium |
CN112468478A (en) * | 2020-11-23 | 2021-03-09 | 杭州贝嘟科技有限公司 | Attack interception method and device, computer equipment and storage medium |
CN112995686B (en) * | 2021-02-03 | 2022-04-19 | 上海哔哩哔哩科技有限公司 | Data processing method, live broadcast method, authentication server and live broadcast data server |
CN113609089B (en) * | 2021-08-06 | 2025-03-18 | 杭州安恒信息安全技术有限公司 | Interface request processing method, device, readable storage medium and computer equipment |
CN113992403A (en) * | 2021-10-27 | 2022-01-28 | 北京知道创宇信息技术股份有限公司 | Access speed limit interception method and device, defense server and readable storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9003511B1 (en) * | 2014-07-22 | 2015-04-07 | Shape Security, Inc. | Polymorphic security policy action |
CN104768139A (en) * | 2015-02-28 | 2015-07-08 | 北京奇艺世纪科技有限公司 | Method and device for sending short messages |
CN105208026A (en) * | 2015-09-29 | 2015-12-30 | 努比亚技术有限公司 | Hostile attack preventing method and network system |
CN105786630A (en) * | 2016-02-26 | 2016-07-20 | 浪潮通用软件有限公司 | Web API regulating and controlling method based on middleware |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104580228A (en) * | 2015-01-16 | 2015-04-29 | 北京京东尚科信息技术有限公司 | System and method for generating blacklist for access requests from network |
2016
- 2016-12-28 CN CN201611243727.8A patent/CN108259425A/en active Pending
2017
- 2017-08-09 TW TW106126944A patent/TW201824047A/en unknown
- 2017-12-19 WO PCT/CN2017/117067 patent/WO2018121331A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9003511B1 (en) * | 2014-07-22 | 2015-04-07 | Shape Security, Inc. | Polymorphic security policy action |
CN104768139A (en) * | 2015-02-28 | 2015-07-08 | 北京奇艺世纪科技有限公司 | Method and device for sending short messages |
CN105208026A (en) * | 2015-09-29 | 2015-12-30 | 努比亚技术有限公司 | Hostile attack preventing method and network system |
CN105786630A (en) * | 2016-02-26 | 2016-07-20 | 浪潮通用软件有限公司 | Web API regulating and controlling method based on middleware |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109729094A (en) * | 2019-01-24 | 2019-05-07 | 中国平安人寿保险股份有限公司 | Malicious attack detection method, system, computer installation and readable storage medium storing program for executing |
CN114079574A (en) * | 2020-08-14 | 2022-02-22 | 中移动信息技术有限公司 | Data filtering method, device, equipment and storage medium |
CN113660275A (en) * | 2021-08-18 | 2021-11-16 | 中国电信股份有限公司 | Domain name system request processing method and device, electronic equipment and storage medium |
CN113765913A (en) * | 2021-09-02 | 2021-12-07 | 云宏信息科技股份有限公司 | Method for configuring access to blacklist by Tomcat server, storage medium and Tomcat server |
CN114257403A (en) * | 2021-11-16 | 2022-03-29 | 北京网宿科技有限公司 | False alarm detection method, equipment and readable storage medium |
CN114257403B (en) * | 2021-11-16 | 2024-03-26 | 北京网宿科技有限公司 | False alarm detection method, equipment and readable storage medium |
CN115001759A (en) * | 2022-05-19 | 2022-09-02 | 国网数字科技控股有限公司 | Access information processing method and device, electronic equipment and readable storage medium |
CN115001759B (en) * | 2022-05-19 | 2024-01-12 | 国网数字科技控股有限公司 | An access information processing method, device, electronic device and readable storage medium |
CN116846678A (en) * | 2023-08-10 | 2023-10-03 | 国网冀北电力有限公司张家口供电公司 | A method for determining highly suspicious IPs |
CN116846678B (en) * | 2023-08-10 | 2024-01-19 | 国网冀北电力有限公司张家口供电公司 | High-suspicious IP determination method |
CN118400154A (en) * | 2024-05-06 | 2024-07-26 | 天翼爱音乐文化科技有限公司 | Network malicious attack protection method, system, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN108259425A (en) | 2018-07-06 |
TW201824047A (en) | 2018-07-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2018121331A1 (en) | Attack request determination method, apparatus and server | |
US11122067B2 (en) | Methods for detecting and mitigating malicious network behavior and devices thereof | |
CN104219200B (en) | A kind of apparatus and method for taking precautions against DNS cache attack | |
CN100589489C (en) | Defense method and device for DDOS attack on web server | |
WO2018107784A1 (en) | Method and device for detecting webshell | |
CN110324295B (en) | Defense method and device for domain name system flooding attack | |
US11658995B1 (en) | Methods for dynamically mitigating network attacks and devices thereof | |
CN102737119B (en) | The lookup method of URL(uniform resource locator), filter method and relevant device and system | |
CN102137111A (en) | Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server | |
CN105959313A (en) | Method and device for preventing HTTP proxy attack | |
CN103685168B (en) | A kind of inquiry request method of servicing of DNS recursion server | |
CN105978844A (en) | Network access control method, router and system based on router | |
US12321409B2 (en) | Communicating URL categorization information | |
US11983220B2 (en) | Key-value storage for URL categorization | |
CN108111548A (en) | A kind of domain name system attack detection method, apparatus and system | |
CN113518064B (en) | Defense method and device for challenging black hole attack, computer equipment and storage medium | |
CN108632401B (en) | Anonymous query method and system for reducing privacy leakage on DNS recursive server | |
CN106789413A (en) | A kind of method and apparatus for detecting proxy surfing | |
US20180288612A1 (en) | User equipment and method for protection of user privacy in communication networks | |
CN112434304A (en) | Method, server and computer readable storage medium for defending network attack | |
CN106411819A (en) | Method and apparatus for recognizing proxy Internet protocol address | |
CN103416027B (en) | The system of the method, buffer and cache optimization of cache optimization | |
CN102754488A (en) | User access control method, device and system | |
CN108270755A (en) | A kind of method and apparatus of the adaptive anti-DDOS attack of domain name grade | |
CN114978590B (en) | API safety protection method, equipment and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 17887989 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 17887989 Country of ref document: EP Kind code of ref document: A1 |