TW201828660A - Method, apparatus and system for quantifying defense result indicating that the defense result is more accurate since an evaluation and an evaluation index for calculating the defense result of this invention are relatively comprehensive - Google Patents
- Publication number: TW201828660A (application TW106101916A)
- Authority: TW (Taiwan)
- Prior art keywords: data flow, defense, suspicious, target, preset
Description
The present invention relates to the field of network technology, and in particular to a method, apparatus and system for quantifying a defense result.
As network technology advances, network attacks are becoming more numerous. Among them, the distributed denial-of-service (DDoS) attack has become one of the more serious attack methods. A defense end is therefore added to the original system architecture to block DDoS attacks.
Figure 1 is a schematic diagram of an existing network system architecture. As the figure shows, the architecture comprises a service end, a routing device, a defense end and a target end. The service end comprises normal service ends and attack ends. The attack ends send attack traffic in many forms, and the defense end blocks the attack traffic according to its internal defense policy.
If the defense policy on the defense end is too loose, a large amount of attack traffic reaches the target end; if it is too tight, it interferes with the normal traffic that the normal service ends send to the target end. The defense result of the defense end's policy therefore needs to be evaluated, and an appropriate defense policy chosen on the basis of that result.
At present, the method used to evaluate the defense result is imperfect, the parameter indicators are incomplete and the traffic data is incomplete, so the evaluation of the defense result is inaccurate.
The present invention provides a method, apparatus and system for quantifying a defense result that improve the accuracy of the evaluation by improving the evaluation method. In addition, combining the system with a cloud platform further improves the completeness of the traffic data.
To achieve the above object, the present invention adopts the following technical means. A method for quantifying a defense result comprises: acquiring a suspicious traffic set, where the suspicious traffic set is composed of the traffic corresponding to each suspicious IP address in a suspicious IP address set contained in the original traffic, after a defense end located on a cloud platform has diverted, via a core router, the original traffic with which a service end accesses a target end, and the suspicious IP address set is determined in the original traffic according to a preset detection rule; acquiring normal traffic, where the normal traffic is the traffic remaining after the defense end has cleaned the suspicious traffic set according to a preset defense policy; acquiring host performance parameters, where the host performance parameters are the set of parameters extracted on the target end after the defense end has sent the normal traffic to the target end; and quantifying the defense result on the basis of a target parameter set, where the target parameter set comprises at least the suspicious traffic set, the normal traffic and the host performance parameters.
Preferably, the target parameter set further comprises an access success rate sent by a service monitoring device connected to the defense end, where the access success rate is calculated by the service monitoring device, after it has controlled several service ends in different geographical locations to access the target end, from the request success rate and the request time delay reported back by the target end.
Preferably, the target parameter set further comprises a network service quality, where the network service quality is calculated by the defense end from the suspicious traffic set and the normal traffic.
Preferably, the preset defense policy in the suspicious traffic cleaning apparatus corresponds to an expected SLA level, and quantifying the defense result on the basis of the target parameter set comprises: determining a set of change values of the respective parameters using the target parameter set and a preset parameter set, where the preset parameter set is a pre-stored set of the respective parameters recorded when there is no attack traffic; matching the set of change values against the parameter ranges of the expected SLA level; if the match succeeds, determining that the defense effect of the defense end reaches the expected SLA level; and if the match fails, determining that the defense effect of the defense end does not reach the expected SLA level.
Preferably, the method further comprises: if the match fails, setting the defense policy preceding the current defense policy as the preset defense policy; where the defense end stores several SLA levels arranged in order and one defense policy corresponding to each SLA level, a smaller SLA level denotes a higher service level enjoyed by the target end, and the defense policy corresponding to the preceding SLA level is stronger than the defense policy corresponding to the following SLA level.
Preferably, determining the set of change values of the respective parameters using the target parameter set and the preset parameter set comprises: calculating, from the suspicious traffic set and the normal traffic, a variation set of the rate of change between input protocol information and output protocol information, where the input protocol information is extracted from the suspicious traffic set and the output protocol information is extracted from the normal traffic; and calculating a standard deviation set between the core data set of the normal traffic and the preset core data set in the preset parameter set, where the core data set comprises the request response rate, the service success rate, the proportion of 30x status codes, the proportion of 40x status codes, the proportion of 50x status codes and the time delay of normal user requests; and calculating a second set of change values between the host performance parameters and the preset host performance parameters in the preset parameter set; and/or calculating a third set of change values between the access success rate and the preset access success rate in the preset parameter set; and/or calculating a fourth set of change values between the network service quality and the preset network service quality in the preset parameter set.
Preferably, calculating the variation set of the rate of change between input protocol information and output protocol information from the suspicious traffic set and the normal traffic comprises: calculating the difference between the syn information in the input direction and the syn information in the output direction, and taking the ratio of that difference to the syn information in the input direction as the syn increase rate; calculating the difference between the syn-ack information in the input direction and the syn-ack information in the output direction, and taking the ratio of that difference to the syn-ack information in the input direction as the syn-ack increase rate; and determining the difference between the syn increase rate and the syn-ack increase rate as the variation set.
Preferably, calculating the standard deviation set between the core data set of the normal traffic and the preset core data set in the preset parameter set comprises: calculating, between the core data set and the preset core data set, a first standard deviation for the request response rate, a second standard deviation for the service success rate, a third standard deviation for the proportion of 30x status codes, a fourth standard deviation for the proportion of 40x status codes, a fifth standard deviation for the proportion of 50x status codes and a sixth standard deviation for the time delay of normal user requests; and determining the set of the first, second, third, fourth, fifth and sixth standard deviations as the standard deviation set.
Preferably, the access success rate comprises a request success rate and a request time delay, and calculating the third set of change values between the access success rate and the preset access success rate in the preset parameter set comprises: calculating the rate of change between the request success rate in the access success rate and the request success rate in the preset access success rate; calculating the amount of change between the request time delay in the access success rate and the request time delay in the preset access success rate; and determining the rate of change and the amount of change as the third set of change values.
Preferably, the host performance parameters comprise: the number of half-open connections on the target end's host after it receives the first syn packet; the host CPU of the target end; the host memory of the target end; the connection table of the target end; the number of host I/O operations on the target end; and the proportion of inbound to outbound traffic on the target end's host.
Preferably, the network service quality comprises: the network delay introduced while cleaning the original traffic; the network packet loss rate introduced while cleaning the original traffic; the TCP availability during cleaning of the original traffic; the UDP availability during cleaning of the original traffic; and the jitter introduced while cleaning the original traffic.
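The change-value computation, SLA matching and policy step-back described in the claims above, as an added example in Python; this is not the patent's own code nor code from any product built on it. Every parameter name, sample value and SLA range below is constructed for illustration. Where the claims name a quantity without saying how it is computed (the second and fourth sets of change values, and a standard deviation between one observed value and its preset), the code states in a comment the form it assumes.

```python
from statistics import pstdev

# The six core-data-set metrics the claims list.
CORE_METRICS = ("request_response_rate", "service_success_rate", "share_30x",
                "share_40x", "share_50x", "normal_request_delay")

def increase_rate(count_in, count_out):
    """(in - out) / in, the increase rate as the claims define it for syn and
    syn-ack. With no input count there is nothing to clean, so the rate is 0."""
    return 0.0 if count_in == 0 else (count_in - count_out) / count_in

def protocol_change(suspicious, normal):
    """Variation of the input/output protocol information: the syn increase
    rate minus the syn-ack increase rate."""
    return (increase_rate(suspicious["syn"], normal["syn"])
            - increase_rate(suspicious["syn_ack"], normal["syn_ack"]))

def core_deviation(core, preset_core):
    """Standard deviation set of the observed core data set against the preset one.
    Assumption: with one observed value per metric, the deviation is the population
    standard deviation of the pair (observed, preset), i.e. |observed - preset| / 2."""
    return {m: pstdev([core[m], preset_core[m]]) for m in CORE_METRICS}

def relative_change(observed, preset):
    """Relative change of each parameter against its preset value (the form assumed
    here for the second and fourth sets); absolute change when the preset is 0."""
    return {k: (observed[k] - preset[k]) / preset[k] if preset[k]
            else observed[k] - preset[k] for k in preset}

def access_change(access, preset_access):
    """Third set of change values: change rate of the request success rate and
    change amount of the request time delay."""
    return {"success_rate": (access["success_rate"] - preset_access["success_rate"])
            / preset_access["success_rate"],
            "delay": access["delay"] - preset_access["delay"]}

def change_value_set(target, preset):
    """Gather every change value into one {name: value} mapping."""
    changes = {"protocol": protocol_change(target["suspicious"], target["normal"])}
    groups = (("core", core_deviation(target["core"], preset["core"])),
              ("host", relative_change(target["host"], preset["host"])),
              ("access", access_change(target["access"], preset["access"])),
              ("qos", relative_change(target["qos"], preset["qos"])))
    for group, values in groups:
        changes.update({f"{group}.{k}": v for k, v in values.items()})
    return changes

def matches_sla(changes, ranges):
    """True when every change value the SLA level constrains lies in its range."""
    return all(lo <= changes[name] <= hi for name, (lo, hi) in ranges.items())

def evaluate(target, preset, sla_levels, current):
    """sla_levels is ordered from the smallest SLA level (highest service level,
    strongest policy) upwards. Returns (reached, policy to apply next): on failure
    the preceding, stronger policy becomes the preset policy; the first level has
    no predecessor, so its policy is kept."""
    if matches_sla(change_value_set(target, preset), sla_levels[current]["ranges"]):
        return True, sla_levels[current]["policy"]
    return False, sla_levels[max(0, current - 1)]["policy"]

# Constructed preset parameter set: values recorded with no attack traffic.
PRESET = {
    "core": {"request_response_rate": 0.99, "service_success_rate": 0.99, "share_30x": 0.05,
             "share_40x": 0.01, "share_50x": 0.01, "normal_request_delay": 100.0},
    "host": {"half_open": 100, "cpu": 0.25, "memory": 0.50, "conn_table": 2500,
             "io_count": 1000, "in_out_ratio": 1.0},
    "access": {"success_rate": 0.99, "delay": 100.0},
    "qos": {"delay": 10.0, "loss": 0.0, "tcp_avail": 1.0, "udp_avail": 1.0, "jitter": 2.0},
}
# Constructed target parameter sets: GOOD after effective cleaning; BAD where the
# policy was too loose and most of the suspicious syn traffic reached the host.
GOOD = {
    "suspicious": {"syn": 10000, "syn_ack": 1000},  # input protocol information
    "normal": {"syn": 2000, "syn_ack": 800},        # output protocol information
    "core": {"request_response_rate": 0.96, "service_success_rate": 0.95, "share_30x": 0.05,
             "share_40x": 0.03, "share_50x": 0.02, "normal_request_delay": 120.0},
    "host": {"half_open": 400, "cpu": 0.55, "memory": 0.60, "conn_table": 5000,
             "io_count": 1200, "in_out_ratio": 1.2},
    "access": {"success_rate": 0.97, "delay": 110.0},
    "qos": {"delay": 12.0, "loss": 0.01, "tcp_avail": 0.99, "udp_avail": 0.99, "jitter": 3.0},
}
BAD = dict(GOOD, normal={"syn": 9500, "syn_ack": 950}, host=dict(GOOD["host"], half_open=2000))
# Constructed SLA levels in order; each constrains a subset of the change values.
SLA_LEVELS = [
    {"policy": "strict", "ranges": {"protocol": (0.0, 0.5), "host.half_open": (0.0, 1.0),
                                    "access.delay": (0.0, 5.0)}},
    {"policy": "medium", "ranges": {"protocol": (0.0, 0.9), "host.half_open": (0.0, 5.0),
                                    "access.delay": (0.0, 20.0)}},
    {"policy": "loose", "ranges": {"host.half_open": (0.0, 10.0), "access.delay": (0.0, 50.0)}},
]

if __name__ == "__main__":
    for level in range(len(SLA_LEVELS)):
        print(level, evaluate(GOOD, PRESET, SLA_LEVELS, level), evaluate(BAD, PRESET, SLA_LEVELS, level))
```

With these samples, GOOD reaches the medium and loose levels but not the strict one (its syn increase rate exceeds the strict range), while BAD fails even the loose level because of the half-open connection growth on the host, so `evaluate` falls back to the preceding, stronger policy each time. The SLA ranges are the operator's acceptance thresholds for each change value; nothing in the claims fixes their numbers.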
A system for quantifying a defense result comprises: a service end, a defense end located on a cloud platform, a target end, and a core router connected to the service end, the defense end and the target end. The core router is configured to copy the original traffic with which the service end accesses the target end, obtaining copy traffic. The defense end is configured to: acquire a suspicious traffic set, where the suspicious traffic set is composed of the traffic corresponding to each suspicious IP address in a suspicious IP address set contained in the original traffic, after the defense end located on the cloud platform has diverted, via the core router, the original traffic with which the service end accesses the target end, and the suspicious IP address set is determined in the original traffic according to a preset detection rule; acquire normal traffic, where the normal traffic is the traffic remaining after the defense end has cleaned the suspicious traffic set according to a preset defense policy; acquire host performance parameters, where the host performance parameters are the set of parameters extracted on the target end after the defense end has sent the normal traffic to the target end; and quantify the defense result on the basis of a target parameter set, where the target parameter set comprises at least the suspicious traffic set, the normal traffic and the host performance parameters.
Preferably, the defense end comprises: a suspicious traffic detection apparatus connected to the core router, configured to analyze the copy traffic according to the preset detection rule, obtain the suspicious IP address set contained in the copy traffic, and send the suspicious IP address set; a suspicious traffic cleaning apparatus connected to the core router and the suspicious traffic detection apparatus, configured to acquire the suspicious IP address set, divert the suspicious traffic set out of the original traffic at the core router, clean the suspicious traffic set according to the preset defense policy, and forward the normal traffic that remains of the suspicious traffic set after cleaning to the target end; and a cloud host connected to the suspicious traffic detection apparatus, the suspicious traffic cleaning apparatus and the target end, configured to acquire from the suspicious traffic detection apparatus the suspicious traffic set, which contains the suspicious traffic corresponding to each suspicious IP address, to acquire the normal traffic from the suspicious traffic cleaning apparatus, and, after the normal traffic has been sent to the target end, to acquire from the target end the host performance parameters that represent the target end's performance.
Preferably, the system further comprises a service monitoring device connected to the cloud host, configured to control several service hosts in different geographical locations to access the target end, calculate an access success rate from the access success rate and the request time delay reported back by the target end, and send the access success rate to the cloud host; correspondingly, the target parameter set further comprises the access success rate.
Preferably, the cloud host is further configured to calculate the network service quality from the suspicious traffic set and the normal traffic; correspondingly, the target parameter set further comprises the network service quality.
Preferably, the core router is further configured to forward to the target end the traffic that remains of the original traffic after the suspicious traffic cleaning apparatus has diverted the suspicious traffic set out of it.
Preferably, the cloud host is specifically configured to determine a set of change values of the respective parameters using the target parameter set and a preset parameter set; match the set of change values against the parameter ranges of the expected SLA level; if the match succeeds, determine that the defense effect of the defense end reaches the expected SLA level; and if the match fails, determine that the defense effect of the defense end does not reach the expected SLA level.
Preferably, the cloud host is further configured to set, when the match fails, the defense policy preceding the current defense policy as the preset defense policy; where the preset parameter set is a pre-stored set of the respective parameters recorded when there is no attack traffic, the defense end stores several SLA levels arranged in order and one defense policy corresponding to each SLA level, a smaller SLA level denotes a higher service level enjoyed by the target end, and the defense policy corresponding to the preceding SLA level is stronger than the defense policy corresponding to the following SLA level.
Preferably, the host performance parameters comprise: the number of half-open connections on the target end's host after it receives the first syn packet; the host CPU of the target end; the host memory of the target end; the connection table of the target end; the number of host I/O operations on the target end; and the proportion of inbound to outbound traffic on the target end's host.
Preferably, the network service quality comprises: the network delay introduced while cleaning the original traffic; the network packet loss rate introduced while cleaning the original traffic; the TCP availability during cleaning of the original traffic; the UDP availability during cleaning of the original traffic; and the jitter introduced while cleaning the original traffic.
From the technical content above it can be seen that the present invention has the following beneficial effects. In the embodiments of the present invention the defense end is placed on a cloud platform, where it can divert the service end's original traffic to itself; the target end's services generally also run on the cloud platform, so the defense end can obtain the target end's traffic on the cloud platform, and it naturally has its own traffic as well. The traffic of the service end, the target end and the defense end can therefore be gathered in one place on the cloud platform, so that the traffic of all three ends is available. Because the traffic of the service end, the defense end and the target end can be analyzed together, the evaluation angles and indicators used to evaluate the defense result are more comprehensive, and the defense result is correspondingly more accurate.
100‧‧‧service end
200‧‧‧defense end
300‧‧‧target end
400‧‧‧core router
201‧‧‧suspicious traffic detection apparatus
202‧‧‧suspicious traffic cleaning apparatus
203‧‧‧cloud host
500‧‧‧service monitoring device
600‧‧‧optical splitter
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
- Figure 1 is a schematic diagram of an existing network system architecture.
- Figure 2 is a schematic structural diagram of a system for quantifying a defense result disclosed in an embodiment of the present invention.
- Figure 3 is a schematic structural diagram of a further system for quantifying a defense result disclosed in an embodiment of the present invention.
- Figure 4 is a schematic structural diagram of a further system for quantifying a defense result disclosed in an embodiment of the present invention.
- Figure 5 is a schematic structural diagram of a further system for quantifying a defense result disclosed in an embodiment of the present invention.
- Figure 6 is a flowchart of a method for quantifying a defense result disclosed in an embodiment of the present invention.
- Figure 7 is a flowchart of calculating the defense result in the method for quantifying a defense result disclosed in an embodiment of the present invention.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The root cause of the incomplete evaluation angles and indicators in the prior-art process of quantifying a defense result is that the traffic of the service end, the defense end and the target end cannot be gathered in one place. The reasons are: the attack end's traffic comes from outside the network; the defense end's traffic is generally at the boundary or egress of the network; and the target end's traffic is generally managed by the user itself; that is, the three sets of traffic are not in the same system. Furthermore, there is no interface between the service end, the target end and the defense end, so the three cannot share traffic data through an interface. The three sets of traffic are therefore difficult to gather together.
To this end, the present invention provides a system for quantifying a defense result. As shown in Figure 2, the system comprises: a service end 100, a defense end 200 located on a cloud platform, a target end 300, and a core router 400 connected to the service end 100, the defense end 200 and the target end 300. In this embodiment the defense end 200 is deployed in bypass (out-of-path) mode on one side of the core router 400.
The roles of the parts of the system for quantifying a defense result are described in detail below.
In the present invention the service end 100 may comprise several service hosts, each with a unique source address (IP address), and each service host may send traffic to the target end 300. The original traffic the service end 100 sends to the target end 300 therefore contains the traffic sent by several service hosts, and each of these flows carries the source address of its service host; that is, the original traffic contains the source addresses (IP addresses) of several service hosts.
Some service hosts are normal service hosts and some are attacking service hosts, so part of the original traffic is normal traffic sent by normal service hosts and part is attack traffic sent by attacking service hosts.
The service end 100 may send the original traffic intended for the target end 300 to the core router 400.
The core router 400 is configured to copy the original traffic with which the service end accesses the target end, obtaining copy traffic.
The core router 400 may copy the original traffic with which the service end 100 accesses the target end 300 using an optical splitter or a software copy, obtaining copy traffic identical to the original traffic. This allows the defense end 200 to subsequently inspect the copy traffic to see whether it contains attack traffic.
As shown in Figure 3, the defense end 200 specifically comprises:
(a) A suspicious traffic detection apparatus 201.
The suspicious traffic detection apparatus 201 is connected to the core router 400 and is configured to analyze the copy traffic according to a preset detection rule, obtain the suspicious IP address set contained in the copy traffic, and send the suspicious IP address set.
The preset detection rule in the suspicious traffic detection apparatus 201 may be a list of several abnormal IP addresses known to be aggressive. Traffic sent from a suspicious IP address is suspicious traffic that may be an attack.
After obtaining the copy traffic, the suspicious traffic detection apparatus 201 may extract all the IP addresses in it and compare them with the abnormal IP addresses in the preset detection rule. When the IP addresses in the copy traffic include abnormal IP addresses, the copy traffic contains suspicious traffic.
All abnormal IP addresses contained in the copy traffic are treated as suspicious IP addresses, the set of all suspicious IP addresses is called the suspicious IP address set, and the suspicious IP address set is sent to the suspicious traffic cleaning apparatus 202.
After the suspicious IP address set is determined, the suspicious traffic corresponding to each suspicious IP address is extracted from the copy traffic, and the set of all suspicious traffic is called the suspicious traffic set; the suspicious traffic set is sent to the cloud host 203 for use in calculating the defense result.
(b) A suspicious traffic cleaning apparatus 202.
The suspicious traffic cleaning apparatus 202, connected to the core router 400 and the suspicious traffic detection apparatus 201, is configured to acquire the suspicious IP address set, divert the suspicious traffic set out of the original traffic at the core router 400, clean the suspicious traffic set according to the preset defense policy, and forward the normal traffic that remains of the suspicious traffic set after cleaning to the target end 300.
After obtaining the suspicious IP address set, the suspicious traffic cleaning apparatus 202 diverts from the original traffic at the core router 400 the suspicious traffic corresponding to each suspicious IP address, and the collection of all suspicious traffic forms the suspicious traffic set.
The traffic remaining in the original traffic after the suspicious traffic set is removed corresponds to IP addresses that are not attacking, so this part of the traffic need not be diverted to the suspicious traffic cleaning apparatus 202 for cleaning and can be forwarded by the core router 400 directly to the target end 300.
可疑資料流程量集合為從可疑IP位址傳輸而來的資料流程量,所以可疑資料流程量集合中可疑資料流程量可能是正常資料流程量,可能是攻擊資料流程量。因此,可疑流量清洗裝置202在獲得可疑資料流程量集合後,需要依據預設防禦策略清洗可疑資料流程量集合中的攻擊資料流程量。 The suspicious data flow collection is the amount of data flow transmitted from the suspect IP address, so the suspicious data flow in the suspicious data flow set may be the normal data flow, which may be the attack data flow. Therefore, after obtaining the suspicious data flow quantity set, the suspicious traffic cleaning device 202 needs to clean the attack data flow amount in the suspicious data flow quantity set according to the preset defense policy.
可見,本發明中可疑流量清洗裝置203僅需對原始資料流程量中可疑資料流程量集合進行清洗即可,而無需全部的原始資料流程量進行清洗。由於減少了可疑流量清洗裝置203的資料流程量,所以,可以提高可疑流量清洗裝置203的清洗效率。 It can be seen that, in the present invention, the suspicious flow cleaning device 203 only needs to clean the set of suspicious data flows in the original data flow, and does not need to clean all the original data flows. Since the amount of data flow of the suspicious flow cleaning device 203 is reduced, the cleaning efficiency of the suspicious flow cleaning device 203 can be improved.
理論上,經過可疑流量清洗裝置202清洗之後輸出的 資料流程量為不具有攻擊性的正常資料流程量。所以,可以將正常資料流程量轉發至目標端300,以便業務端100接取目標端300的正常資料流程量可以轉發至目標端300。 Theoretically, the amount of data flow output after being cleaned by the suspicious flow cleaning device 202 is a non-aggressive normal data flow. Therefore, the normal data flow can be forwarded to the target end 300, so that the normal data flow of the target end 300 of the service end 100 can be forwarded to the target end 300.
現實情況下,可疑流量清洗裝置202中的預設防禦策略並一定是最適用於目標端的防禦策略。即按預設防禦策略清洗可疑資料流程量集合後得到的資料流程量中仍然有攻擊資料流程量(此時說明防禦策略過鬆);或者,清洗後得到的資料流程量中原本正常的資料流程量被清洗掉(此時說明防禦策略過緊)。 In reality, the preset defense policy in the suspicious traffic cleaning device 202 must be the defense strategy most suitable for the target end. That is, there is still an attack data flow in the data flow obtained after cleaning the suspicious data flow collection according to the preset defense strategy (in this case, the defense strategy is too loose); or, the data flow obtained after cleaning is the normal data flow. The amount is washed away (this indicates that the defense strategy is too tight).
因此,可疑流量清洗裝置202可以將可疑資料流程量集合在清洗後剩餘的正常資料流程量,發送至雲主機203,以便供雲主機203計算防禦結果,從而根據防禦結果來改善預設防禦策略。 Therefore, the suspicious traffic cleaning device 202 can collect the normal data flow amount remaining after the cleaning of the suspicious data flow amount to the cloud host 203, so that the cloud host 203 calculates the defense result, thereby improving the preset defense policy according to the defense result.
(c)雲主機203。 (c) Cloud host 203.
與所述可疑流量檢測裝置201、所述可疑流量清洗裝置202和所述目標端300相連的雲主機203,用於在所述可疑流量檢測裝置201上獲取所述可疑資料流程量集合,所述可疑資料流程量集合中包含與每個可疑IP位址對應的可疑資料流程量;在所述可疑流量清洗裝置202上獲取正常資料流程量,在將所述正常資料流程量發送至目標端300後,在所述目標端300上獲取表示目標端300性能的主機性能參數;將目標參數集合確定為量化防禦結果的基礎;其中,所述目標參數集合至少包括:所述可疑資料流 程量集合、所述正常資料流程量和所述主機性能參數。 a cloud host 203 connected to the suspicious traffic detecting device 201, the suspicious traffic cleaning device 202, and the target terminal 300, configured to acquire the suspicious data flow quantity set on the suspicious traffic detecting device 201, The suspicious data flow quantity set includes a suspicious data flow quantity corresponding to each suspicious IP address; the normal data flow quantity is obtained on the suspicious traffic cleaning apparatus 202, and after the normal data flow quantity is sent to the target end 300, Obtaining a host performance parameter indicating the performance of the target end 300 on the target end 300; determining the target parameter set as a basis for quantifying the defense result; wherein the target parameter set at least includes: the suspicious data flow quantity set, the The normal data flow amount and the host performance parameter are described.
雲主機203在可疑流量檢測裝置201上獲取可疑資料流程量集合,在可疑流量清洗裝置202上獲取按預設防禦策略清洗後的正常資料流程量,利用這兩部分資料計算清洗前和清洗後的資料流程量的變化率;並將變化率作為量化防禦結果的一個依據。 The cloud host 203 obtains the set of suspicious data flows on the suspicious traffic detecting device 201, and obtains the normal data flow after cleaning according to the preset defense policy on the suspicious traffic cleaning device 202, and uses the two pieces of data to calculate the pre-cleaning and post-cleaning processes. The rate of change in the amount of data flow; and the rate of change as a basis for quantifying the defense outcome.
由於清洗後的正常資料流程量發送至目標端300,所以,正常資料流程量會對目標端產生直接的影響,即目標端300的性能狀態最先產生變化,例如,CPU佔用過多、無法響應等等。因此,在將清洗後得到的正常資料流程量發送至目標端300後,可以提取目標端的主機性能參數,將主機性能參數作為量化防禦結果的一個依據。 Since the normal data flow after cleaning is sent to the target terminal 300, the normal data flow has a direct impact on the target end, that is, the performance state of the target end 300 is changed first, for example, the CPU is too large, unable to respond, etc. Wait. Therefore, after the normal data flow obtained after the cleaning is sent to the target end 300, the host performance parameter of the target end can be extracted, and the host performance parameter is used as a basis for quantifying the defense result.
其中,所述主機性能參數,包括:所述目標端的主機在接收到第一個syn封包之後半開連結的數量;所述目標端的主機CPU;所述目標端的主機記憶體;所述目標端的連接表;所述目標端的主機輸入輸出次數;以及,所述目標端的主機的進出流量所佔比例。 The host performance parameter includes: a number of half-open connections after the host of the target end receives the first syn packet; a host CPU of the target end; a host memory of the target end; and a connection of the target end a table; a number of host input and output times of the target end; and a proportion of the inbound and outbound traffic of the host at the target end.
Under the system for quantifying the defense result provided by the present invention, the defense end 200 located on the cloud platform can divert the original traffic of the service end 100 to itself at the core router by means of a routing scheduling policy; the services of the target end 300 generally run on the cloud platform, so the defense end 200 can obtain the target end 300's traffic on the cloud platform; at the same time, the defense end 200 located on the cloud platform can also obtain its own traffic on the cloud platform. Therefore, the traffic of the service end 100, the target end 300 and the defense end 200 can all be collected centrally on the cloud platform.
In addition, because the traffic of the service end 100, the target end 300 and the defense end 200 all passes through the cloud platform, and the cloud platform unifies the data format, the data formats of all three can be unified on the cloud platform, which makes it convenient to analyze the traffic of all three together. Therefore, on the cloud platform the defense end 200 can use big data analysis capabilities to analyze the traffic of the service end 100, the target end 300 and the defense end 200 together; because the evaluation angles and indicators used to quantify the defense result are relatively comprehensive, an accurate defense result can be obtained.
In order to make the defense result calculated by the cloud host 203 more accurate, as shown in FIG. 4, the system for quantifying the defense result provided by the present invention further includes a service monitoring device 500 connected to the cloud host.
The service monitoring device 500 is configured to control a plurality of service hosts located in different geographical locations to access the target end 300, calculate an access success rate from the request success rate and request latency fed back by the target end 300, and send the access success rate to the cloud host 203. The access success rate is used as a member of the target parameter set for the cloud host 203 to calculate the defense result.
After the suspicious traffic cleaning device 202 sends the cleaned normal traffic to the target end 300, that normal traffic (which may still carry attack traffic if the cleaning was poor) may affect the normal operation of the target end. For example, if the target end is "Taobao", after the normal traffic is sent to the target end, users may be unable to open the "Taobao" page normally.
Therefore, the service monitoring device 500 can control a plurality of service hosts in different locations to access the target end 300 in order to calculate the access success rate of the target end 300, and the access success rate shows whether the normal traffic left after cleaning affects the normal services of the target end.
For example, service hosts located in Shenzhen, Beijing, Shanghai, Guangzhou and other cities are directed to access "Taobao", and the access success rate of each service host is calculated from whether the "Taobao" page can be opened and how fast it opens. The average access success rate of the service hosts is then taken as the access success rate of "Taobao".
After the access success rate of the target end 300 is obtained, it is used as a member of the target parameter set for the cloud host 203 to calculate the defense result.
In addition, the target parameter set for quantifying the defense result may further include network service quality.
While the defense end 200 cleans the suspicious traffic set, it may cause jitter in the overall network, lowering the network service quality, lowering the access success rate of the target end 300 and degrading the host performance parameters, which in turn affects the calculation of the defense result. Therefore, the cloud host 203 is further configured to calculate the network service quality from the suspicious traffic set and the normal traffic, and to use the network service quality as a member of the target parameter set. This lets the cloud host 203 take the network service quality into account when calculating the defense result and so arrive at a reasonable defense result.
The network service quality includes: the network latency introduced while cleaning the original traffic; the network packet loss rate introduced while cleaning the original traffic; the TCP availability during cleaning of the original traffic; the UDP availability during cleaning of the original traffic; and the jitter introduced while cleaning the original traffic.
The system for quantifying the defense result shown in FIG. 2 to FIG. 4 applies both to optical fiber networks and to non-fiber networks. In an optical fiber network the amount of traffic is large, so copying the original traffic with the core router is slow. To speed up the copying of the original traffic, the present invention provides a system for quantifying the defense result that is suited to optical fiber networks.
As shown in FIG. 5, the system for quantifying the defense result of the present invention includes: a service end 100; an optical splitter 600 connected to the service end 100; a defense end 200 located on the cloud platform; a target end 300; and a core router 400 connected to the optical splitter 600, the defense end 200 and the target end 300. In this embodiment the defense end 200 is deployed as a bypass on one side of the core router 400.
In this embodiment, the optical splitter 600 copies the original traffic sent by the service end 100 to the target end 300 to obtain the copied traffic, and sends both the copied traffic and the original traffic to the core router 400. The other content of this embodiment is the same as that shown in FIG. 2 to FIG. 4 and is not repeated here.
On the basis of the system for quantifying the defense result shown in FIG. 2 to FIG. 5, an embodiment of the method for quantifying the defense result of the present invention is described below; this embodiment is applied to the cloud host at the defense end of the system for quantifying the defense result. As shown in FIG. 6, the method specifically includes the following steps S601 to S604:
Step S601: Obtain a suspicious traffic set, where the suspicious traffic set is made up of the traffic corresponding to each suspicious IP address in the suspicious IP address set contained in the original traffic, after the defense end located on the cloud platform has diverted, via the core router, the original traffic with which the service end accesses the target end; and the suspicious IP address set is determined in the original traffic according to a preset detection rule.
Step S602: Obtain normal traffic, where the normal traffic is the traffic remaining after the defense end cleans the suspicious traffic set according to a preset defense policy.
Step S603: Obtain host performance parameters, where the host performance parameters are the set of parameters extracted by the defense end from the target end after the normal traffic has been sent to the target end.
Step S604: Quantify the defense result based on a target parameter set, where the target parameter set includes at least the suspicious traffic set, the normal traffic and the host performance parameters.
In addition, the target parameter set further includes: an access success rate sent by a service monitoring device connected to the defense end, where the access success rate is calculated by the service monitoring device, after it controls a plurality of service ends located in different geographical locations to access the target end, from the request success rate and request latency fed back by the target end;
and network service quality, where the network service quality is calculated by the defense end from the suspicious traffic set and the normal traffic.
The process by which the cloud host at the defense end obtains the target parameter set has been described clearly in the system embodiments shown in FIG. 2 to FIG. 5 and is not repeated here.
It can be seen that the present invention has the following beneficial effects: in the embodiments of the present invention the defense end is placed on the cloud platform, where it can divert the original traffic of the service end to itself; the services of the target end generally run on the cloud platform, so the defense end can obtain the target end's traffic on the cloud platform, and at the same time it can obtain its own traffic. Therefore, on the cloud platform the traffic of the service end, the target end and the defense end can be collected centrally, so that the traffic of all three ends is available. Because the present invention can analyze the traffic of the service end, the defense end and the target end together, the evaluation angles and indicators used to assess the defense result are relatively comprehensive, and the defense result is therefore more accurate.
After the target parameter set is obtained, the defense result can be calculated. Before describing how the defense result is calculated, the defense policies and SLA levels used by the suspicious traffic cleaning device in the defense end are first explained. SLA is the abbreviation of Service-Level Agreement. An SLA is a contract between a network service provider and a customer that defines terms such as the type of service, the quality of service and customer payment.
A plurality of defense policies are stored in advance in the defense end, and each defense policy corresponds to an SLA level that it should theoretically achieve. For example, the first SLA level corresponds to the first defense policy, the second SLA level to the second defense policy, the third SLA level to the third defense policy, and so on. From the first SLA level through the second to the third, the service quality for the user decreases step by step; likewise, from the first defense policy through the second to the third, the policy becomes progressively looser with respect to attack traffic. That is, the tighter the defense policy, the better the corresponding defense result and the higher the SLA level of the target end.
Before the defense end is used to clean the original traffic, the user of the target end 300 negotiates with the network service provider and sets the expected SLA level that the target end 300 wishes to achieve. The network service provider takes the defense policy corresponding to the expected SLA level as the preset defense policy, uses that preset defense policy to block the attack traffic aimed at the target end, and aims to make the final defense result reach the expected SLA level desired by the user.
In order for the target end to reach the expected SLA level, a preset defense policy corresponding to the expected SLA level is configured in advance in the suspicious traffic cleaning device shown in FIG. 2. In theory, this defense policy can make the defense result reach the corresponding expected SLA level. However, as the attack traffic keeps changing, it may break through the defense policy and attack the target end, so that the SLA level actually obtained at the target end falls below the expected SLA level.
Therefore, it can be calculated whether the defense effect obtained by the target end reaches the expected SLA level. As shown in FIG. 7, this includes the following steps:
Step S701: Determine the set of change values of the individual parameters using the target parameter set and a preset parameter set, where the preset parameter set is a pre-stored set of the individual parameters in the absence of attack traffic.
The detailed calculation process is described in detail after this embodiment.
Step S702: Determine whether the match succeeds, that is, match the set of change values of the individual parameters against the parameter ranges of the expected SLA level and determine whether the match succeeds.
The ranges of the individual parameters for each SLA level are stored in the cloud host. The change values of the individual parameters calculated from the target parameter set are compared with the parameter ranges of the expected SLA level.
Step S703: If the match succeeds, it is determined that the defense effect of the defense end reaches the expected SLA level.
If the set of change values of the individual parameters lies within the ranges specified by the expected SLA level, the current defense effect reaches the desired defense effect, and the traffic accessing the target end can continue to be cleaned according to the preset defense policy in the suspicious traffic cleaning device.
Step S704: If the match fails, the defense policy preceding the current defense policy is determined as the preset defense policy, and the process returns to step S701. The defense end stores a plurality of SLA levels arranged in order and one defense policy corresponding to each SLA level; a smaller SLA level number means a higher service level for the target end, and the defense policy corresponding to a preceding SLA level is better than the one corresponding to the following SLA level.
If the match fails, it is determined that the defense effect of the defense end does not reach the expected SLA level. That is, if the set of change values of the individual parameters is not within the ranges specified by the expected SLA level, the current defense effect does not reach the desired defense effect, which means that the preset defense policy in the suspicious traffic cleaning device is too loose to achieve the expected SLA level. Therefore, the defense policy needs to be tightened so that the defense effect after cleaning with it reaches the expected SLA level.
Therefore, the defense policy preceding the current defense policy is selected and determined as the preset defense policy. The traffic accessing the target end then continues to be cleaned according to the latest preset defense policy, the defense result (the set of change values of the individual parameters) is calculated by the method of the present invention, and it is determined whether the defense result reaches the expected SLA level (the parameter ranges of the expected SLA level). If the defense result still does not reach the expected SLA level, the defense policy is tightened further and the process of calculating the defense result is repeated, until the defense result is determined to reach the expected SLA level.
Step S701, determining the set of change values of the individual parameters using the target parameter set and the preset parameter set, is described in detail below with a specific application scenario.
That is, from the suspicious traffic set and the normal traffic, the set of change values of the rates of change of the input protocol information and the output protocol information is calculated, where the input protocol information is extracted from the suspicious traffic set and the output protocol information is extracted from the normal traffic.
Transmission between the service end and the target end is one-to-one: for example, when the service end sends a connection establishment request to the target end, the target end returns a connection confirmation to the service end. Therefore, the amount of information sent by the service end to the target end should match the amount of information sent by the target end to the service end. When the amount of output information or the amount of input information suddenly increases, the cleaning effect of the defense end is poor.
This step is described in detail below using three specific volumetric (flood) attacks as examples:
Under normal circumstances, the service end sends a syn ("may I establish a connection?") request to the target end, the target end replies with syn-ack ("yes, please confirm"), and the service end then sends ack (confirm) to the target end, thereby establishing the connection between the two.
When the target end is under a syn flood attack (that is, the attacker sends a large number of syn requests to the target end), if the cleaning effect of the defense policy is poor, the syn-ack messages in the output direction will increase, while the third-step ack messages sent by the service end will decrease.
Therefore, the increase ratio $P_{\text{syn}}$ of syn messages before and after cleaning and the increase ratio $P_{\text{syn-ack}}$ of syn-ack messages before and after cleaning are calculated:
$P_{\text{syn}} = (pps_{\text{syn}} - pps'_{\text{syn}}) / pps_{\text{syn}}$
$P_{\text{syn-ack}} = (pps_{\text{syn-ack}} - pps'_{\text{syn-ack}}) / pps_{\text{syn-ack}}$
$P_1 = P_{\text{syn}} - P_{\text{syn-ack}}$
where $pps_{\text{syn}}$ is the number of syn messages before cleaning according to the preset defense policy, $pps'_{\text{syn}}$ is the number of syn messages after cleaning according to the preset defense policy, $pps_{\text{syn-ack}}$ is the number of syn-ack messages before cleaning according to the preset defense policy, $pps'_{\text{syn-ack}}$ is the number of syn-ack messages after cleaning according to the preset defense policy, and $P_1$ represents the defense result of the defense end.
Ideally, the syn packets in the input direction and the syn-ack messages in the output direction are 1:1, that is, $P_1 = 0$. So the larger the value of $P_1$, the larger the portion of syn messages in the input direction that received no response, and the worse the defense result.
Under normal circumstances, the service end sends ack (confirmation) request messages to the target end; when the target end determines that no connection has been established with the service end, an rst (reset) message is sent back to the service end. That is, if the target end receives a connection that clearly does not belong to it, it sends a reset packet to the service end.
When the target end is under an ack flood attack, if the cleaning effect of the defense end is poor, the rst messages will increase. Therefore, the increase ratio $P_{\text{ack}}$ of ack messages before and after cleaning and the increase ratio $P_{\text{rst}}$ of rst messages before and after cleaning are calculated:
$P_{\text{ack}} = (pps_{\text{ack}} - pps'_{\text{ack}}) / pps_{\text{ack}}$
$P_{\text{rst}} = (pps_{\text{rst}} - pps'_{\text{rst}}) / pps_{\text{rst}}$
$P_2 = P_{\text{ack}} - P_{\text{rst}}$
其中,ppsack為按預設防禦策略清洗前的rst信息數量,pps` ack為按預設防禦策略清洗後的rst信息數量,ppsrst為按預設防禦策略清洗前的rst信息數量,pps` rst為 按預設防禦策略清洗後的rst信息數量,P2代表防禦端的防禦結果。 Where pps ack is the number of rst information before cleaning according to the preset defense policy, pps ` ack is the number of rst information after cleaning according to the preset defense policy, and pps rst is the number of rst information before cleaning according to the preset defense policy, pps ` Rst is the number of rst information after cleaning according to the preset defense policy, and P2 is the defense result of the defensive end.
Ideally, the ack messages in the input direction and the rst messages in the output direction are in a 1:1 ratio, that is, P2=0. The larger the value of P2, the larger the share of input-direction ack messages that received no response, which indicates a worse defense result.
When the target end is under an icmp flood attack and the cleaning effect of the defense end is poor, the number of icmp response messages increases. Therefore, the increase ratio P_icmp of icmp messages before and after cleaning is calculated, and the increase ratio P_icmp-response of icmp response messages before and after cleaning is calculated.
P_icmp = (pps_icmp - pps'_icmp) / pps_icmp
P_icmp-response = (pps_icmp-response - pps'_icmp-response) / pps_icmp-response
P3 = P_icmp - P_icmp-response
Where pps_icmp is the number of icmp messages before cleaning, pps'_icmp is the number of icmp messages after cleaning, pps_icmp-response is the number of icmp response messages before cleaning, pps'_icmp-response is the number of icmp response messages after cleaning, and P3 represents the defense result of the defense end.
Ideally, the icmp messages in the input direction and the icmp response messages in the output direction are in a 1:1 ratio, that is, P3=0. The larger the value of P3, the larger the share of input-direction icmp messages that received no response, which indicates a poorer defense result.
The above lists three examples of calculating the proportions of input protocol messages and output protocol messages. It will be understood that the proportions of other traffic types that characterize the defense result can also be calculated to evaluate the defense result; they are not enumerated one by one here.
This step is mainly used to evaluate the defense result against traffic-type attacks. The syn flood attack, the ack flood attack and the icmp flood attack are all traffic-type attacks. Therefore, after all the ratios used to evaluate the defense result (P1, P2 and P3) have been obtained, the average of these defense result ratios is calculated as the defense result for traffic-type attacks.
Since this step is mainly used to evaluate the defense result against traffic-type attacks, and the syn flood attack is a typical representative of traffic-type attacks, P1 may also be used directly as the defense result for traffic-type attacks.
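The following is an added example, not code from the patent, that carries the P1, P2 and P3 calculation above through on constructed packet counts. It assumes that packets of one statistical period are available as a list of type tags (such as "syn" or "syn-ack") counted separately before and after cleaning, and that a type absent before cleaning gets an increase ratio of 0.0 rather than a division by zero; both assumptions are mine, not the page's.

```python
"""Added example (not the patent's own code): traffic-type defense results
P1, P2 and P3 from packet counts taken before and after cleaning.

Assumptions (not from the page): packets are represented as a list of
type tags; counts are per statistical period; a type that was never seen
before cleaning gets an increase ratio of 0.0.
"""
from collections import Counter
from typing import Dict, Iterable, Tuple

# Request/response pairs the page uses for P1, P2 and P3.
PAIRS = {
    "P1": ("syn", "syn-ack"),
    "P2": ("ack", "rst"),
    "P3": ("icmp", "icmp-response"),
}


def count_types(packet_tags: Iterable[str]) -> Counter:
    """Count packets per type tag (pps_x for one statistical period)."""
    return Counter(packet_tags)


def increase_ratio(before: int, after: int) -> float:
    """(pps_x - pps'_x) / pps_x; 0.0 if no packet of that type was seen."""
    if before <= 0:
        return 0.0
    return (before - after) / before


def defense_ratios(before: Counter, after: Counter) -> Dict[str, float]:
    """P = P_request_type - P_response_type for each pair (P1, P2, P3)."""
    result = {}
    for name, (req, resp) in PAIRS.items():
        p_req = increase_ratio(before[req], after[req])
        p_resp = increase_ratio(before[resp], after[resp])
        result[name] = p_req - p_resp
    return result


def traffic_defense_result(before: Counter, after: Counter,
                           use_p1_only: bool = False) -> float:
    """Average of P1..P3, or P1 alone, as the page allows for syn floods."""
    ratios = defense_ratios(before, after)
    if use_p1_only:
        return ratios["P1"]
    return sum(ratios.values()) / len(ratios)


def make_sample() -> Tuple[Counter, Counter]:
    """Constructed sample periods (not real measurements)."""
    before = count_types(["syn"] * 1000 + ["syn-ack"] * 50 + ["ack"] * 500
                         + ["rst"] * 80 + ["icmp"] * 400 + ["icmp-response"] * 20)
    after = count_types(["syn"] * 200 + ["syn-ack"] * 40 + ["ack"] * 100
                        + ["rst"] * 60 + ["icmp"] * 40 + ["icmp-response"] * 15)
    return before, after


if __name__ == "__main__":
    b, a = make_sample()
    for name, value in defense_ratios(b, a).items():
        print(f"{name} = {value:.3f}")
    print(f"traffic defense result = {traffic_defense_result(b, a):.3f}")
```

With the constructed counts, cleaning removes 80% of the syn packets but only 20% of the syn-ack replies, so P1 = 0.6; P2 and P3 come out at 0.55 and 0.65 and the averaged result is 0.6. A practitioner reading the numbers as the page intends would treat the larger values as the poorer defense results.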
Another form of the traffic performance parameter is: calculating the set of standard deviations between the core data set of the normal data traffic and the preset core data set in the preset parameter set.
The main purpose of this step is to evaluate, by obtaining in real time the proportion of request messages to the corresponding response messages and by analysing changes in the http status codes, whether the proportions of normal request messages and abnormal request messages meet expectations.
In practice, a core data set characterizing the normal data traffic can be calculated; the core data set includes the request response rate, the service success rate, the proportion of 30x status codes, the proportion of 40x status codes, the proportion of 50x status codes, and the time delay of normal user requests.
Each parameter in the core data set is described in detail below:
The ratio of request messages to response messages at the target end changes continuously. Taking a statistical period t as an example, if an attack suddenly starts in the time span t1 to t2, both the http request messages and the response messages increase. When the defense result of the defense end is poor, very few normal request messages receive a response. Therefore, the proportion of request messages to response messages is counted; if the cleaning effect of the defense end is poor, the ratio of request messages to response messages falls below a certain limit value.
P_request = C_have_response / C_request_total * 100%
Where P_request is the request response rate of the website, C_have_response is the number of response messages, and C_request_total is the total number of request messages.
A 200 ok message indicates that a service request succeeded, so P_200ok denotes the service success rate. The request response proportion P_request can only measure the current http traffic situation of the network, whereas P_200ok reflects the probability that the service end receives a response.
P_200ok = C_have_200ok / C_have_response * 100%
Where C_have_200ok is the number of messages indicating a successful service request, and C_have_response is the number of response messages.
When packets are mistakenly dropped from the normal data traffic, status codes such as 30x, 40x and 50x appear. When a large number of GET packets receive no response, 40x and 50x error status codes are generally returned. Therefore, the proportion of status codes can measure the extent to which the defense mistakenly kills normal data traffic.
It is worth noting that some protection systems use a human/machine recognition mechanism to judge whether the accessor is a real browser. For example, the url redirect algorithm commonly used in the industry returns a 302 (30x) status code to determine whether the accessor is a program or a real browser, so a sharp rise in 302 (30x) status codes in the network can also serve as an indicator for evaluating the defense result.
The above three indicators can together measure the cleaning rate of CC attacks.
P_30x = C_have_30x / C_have_response * 100%
P_40x = C_have_40x / C_have_response * 100%
P_50x = C_have_50x / C_have_response * 100%
Where P_30x is the proportion of 30x status codes in the response messages and C_have_30x is the number of 30x messages; P_40x is the proportion of 40x status codes in the response messages and C_have_40x is the number of 40x messages; P_50x is the proportion of 50x status codes in the response messages and C_have_50x is the number of 50x messages.
(d) The RTT (request time delay) of a normal user's requests: assuming the user initiated n requests in total during the attack period, the user's average time delay is used as the reference when evaluating this attack event.
P_request, P_200ok, P_30x, P_40x, P_50x and T0, obtained through (a), (b), (c) and (d), are used to construct the core data set M; M defines the data of the core traffic indicators at the time of the attack.
To determine the defense result more accurately, an array M of multiple core data sets can be calculated. For example, n core data sets are collected to form the array M, M={M1, M2, ... Mi ... Mn}, where Mi={P_request, P_200ok, P_30x, P_40x, P_50x, T0}, i=1, 2 ... n.
Based on big-data analysis of the history of the services in the cloud environment, another core data set N is obtained, N={P'_request, P'_200ok, P'_30x, P'_40x, P'_50x, T'0}. N represents the proportion of each indicator when there is no attack, that is, the standard core data set.
Ideally, these indicators do not fluctuate noticeably. However, when the defense policy is not ideal, individual indicators may change sharply. For example, if in a particular attack event the 200ok status code shows a change curve that differs greatly from the same historical period, the defense result is poor and the responses to normal request messages have decreased.
Therefore, the present invention uses the standard deviation to evaluate the impact of the defense policy on the service indicators during an attack: the core data set N is taken as the mean, and the standard deviation is then calculated for each parameter. Taking the indicator P_request as an example, the formula for calculating the standard deviation is described in detail:
Where σ_request is the standard deviation of P_request, each term is the value of the i-th P_request, n is the number of core data sets in the array M, and P'_request here represents the mean, namely the P'_request in the core data set N.
The standard deviation of each parameter in the array M={M1, M2, ... Mi ... Mn} against N is calculated in the above manner, giving multiple standard deviations σ={σ_request, σ_200ok, σ_30x, σ_40x, σ_50x, σ_0}. The smaller the standard deviation, the better the defense result; the larger the standard deviation, the worse the defense result.
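The following added example, which is not code from the patent, builds the core data set Mi of one statistical period from a constructed access log, collects two periods into the array M, and computes the standard deviation set σ against a constructed baseline N. The log format, the use of the mean RTT of answered requests as T0, and the standard deviation formula σ = sqrt(Σ_i (P_i - P')² / n) with P' taken from N as the mean are my assumptions; the page does not reproduce its own formula, so this is one consistent reading of "N is taken as the mean".

```python
"""Added example (not the patent's own code): core data set M_i per period,
array M over several periods, and the standard deviation set sigma against
the baseline core data set N.

Assumptions (not from the page): log lines are
"<time> <method> <path> <status> <rtt_ms>" with "-" for status and rtt when
no response arrived; T0 is the mean RTT of answered requests; sigma uses the
baseline value from N as the mean: sqrt( sum_i (P_i - P')^2 / n ).
Proportions are kept as fractions rather than percentages.
"""
import math
from typing import Dict, List, Optional, Tuple

Record = Tuple[Optional[int], Optional[float]]  # (status, rtt_ms)

# Constructed sample logs for two statistical periods (not real traffic).
PERIOD_1_LOG = """\
2017-01-19T10:00:01 GET /index 200 100
2017-01-19T10:00:02 GET /index 200 120
2017-01-19T10:00:03 GET /api 200 140
2017-01-19T10:00:04 GET /api 200 160
2017-01-19T10:00:05 GET /img 200 180
2017-01-19T10:00:06 GET /login 302 200
2017-01-19T10:00:07 GET /missing 404 100
2017-01-19T10:00:08 GET /api 503 200
2017-01-19T10:00:09 GET /api - -
2017-01-19T10:00:10 GET /api - -
"""
PERIOD_2_LOG = "\n".join(
    ["2017-01-19T10:01:%02d GET /index 200 100" % i for i in range(1, 9)]
    + ["2017-01-19T10:01:09 GET /login 302 100",
       "2017-01-19T10:01:10 GET /missing 404 100"]
)
# Constructed baseline N (no-attack values), not derived from real history.
BASELINE_N = {"P_request": 0.98, "P_200ok": 0.9, "P_30x": 0.05,
              "P_40x": 0.04, "P_50x": 0.01, "T0": 120.0}


def parse_period(log: str) -> List[Record]:
    """Turn one period's log text into (status, rtt) records."""
    records: List[Record] = []
    for line in log.strip().splitlines():
        _time, _method, _path, status, rtt = line.split()
        records.append((None, None) if status == "-" else (int(status), float(rtt)))
    return records


def core_data_set(records: List[Record]) -> Dict[str, float]:
    """M_i = {P_request, P_200ok, P_30x, P_40x, P_50x, T0} for one period."""
    total = len(records)
    responded = [(s, r) for s, r in records if s is not None]
    have = len(responded)

    def share(lo: int, hi: int) -> float:
        # C_have_xx / C_have_response for status codes in [lo, hi)
        return sum(1 for s, _ in responded if lo <= s < hi) / have if have else 0.0

    return {
        "P_request": have / total if total else 0.0,
        "P_200ok": sum(1 for s, _ in responded if s == 200) / have if have else 0.0,
        "P_30x": share(300, 400),
        "P_40x": share(400, 500),
        "P_50x": share(500, 600),
        "T0": sum(r for _, r in responded) / have if have else 0.0,
    }


def std_dev_set(array_m: List[Dict[str, float]],
                baseline_n: Dict[str, float]) -> Dict[str, float]:
    """sigma for every parameter, using the baseline value from N as the mean."""
    n = len(array_m)
    return {key: math.sqrt(sum((m[key] - mean) ** 2 for m in array_m) / n)
            for key, mean in baseline_n.items()}


if __name__ == "__main__":
    array_m = [core_data_set(parse_period(PERIOD_1_LOG)),
               core_data_set(parse_period(PERIOD_2_LOG))]
    for key, sigma in std_dev_set(array_m, BASELINE_N).items():
        print(f"sigma_{key} = {sigma:.4f}")
```

On the constructed logs the first period answers only 8 of 10 requests with a 50x share of 12.5%, while the second answers all of them; σ_request therefore comes out at about 0.128 and σ_0 at about 25.5 ms against the baseline, the kind of per-indicator spread the text proposes to read as "larger is worse".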
That is, the second set of change values between the host performance parameters and the preset host performance parameters in the preset parameter set is calculated.
After the normal data traffic cleaned by the suspicious traffic cleaning apparatus under the preset defense policy has been transmitted to the target end, the host performance parameters of the target end are obtained. Because the victim host is the first to show a change of state during a DDoS attack, obtaining the performance parameters of the victim host directly quantifies the impact of the attack traffic on the host. In some cases, host performance parameters are more convenient than monitoring changes in network traffic.
For example, a typical case is a tcp slow connection attack: the network traffic may show no anomaly, but inspecting the connection table of the target host reveals a large number of residual connections. Evaluating host performance parameters is therefore an important factor in measuring the defense end.
Referring to Table 1, the host performance parameters include: the number of half-open connections on the host of the target end after the first syn packet is received, the host CPU of the target end, the host memory of the target end, the connection table of the target end, the number of host input/output operations of the target end, and the proportion of inbound to outbound traffic of the host of the target end.
That is, the third set of change values between the access success rate and the preset access success rate in the preset parameter set is calculated.
The access success rate may include a request success rate and a request time delay; the rate of change between the request success rate and the preset access success rate is then calculated, as is the amount of change between the request time delay and the preset request time delay, and the rate of change and the amount of change are taken as the third set of change values.
Since the attack traffic affects the target end, it in turn affects the service performance of the target end. To determine the current service performance of the target end (whether it can respond normally to normal service requests), the embodiment of the present invention controls a normal service end to access the target end, and then determines the impact of the attack data traffic on the target end by calculating the rate of change of the request success rate and the amount of change of the request time delay, which indirectly reflects how good the defense result is.
That is, the fourth set of change values between the network service quality and the preset network service quality in the preset parameter set is calculated.
In a distributed environment, the defense policy applied to the attacked host may affect the overall network state, with the consequence that other hosts that were not attacked are also affected. Therefore, overall network performance parameters are also needed as an evaluation criterion when evaluating the defense success rate.
Referring to Table 2, the network environment parameters include: the network delay introduced in the process of cleaning the original data traffic, the network packet loss rate introduced in the process of cleaning the original data traffic, the TCP availability in the process of cleaning the original data traffic, the UDP availability in the process of cleaning the original data traffic, and the jitter introduced in the process of cleaning the original data traffic.
The following describes the specific process of matching the sets of change values of the parameters, calculated from the target parameter set, against the parameter ranges of the expected SLA level, so as to evaluate whether the defense result meets the user's final expected SLA level.
When subjected to different DDoS attacks, the network traffic changes in different ways. To quantify the impact on the DDoS defense end at the traffic level, referring to Table 3, the present invention defines SLA indicators for the key protocol messages in the network. For example, when the TCP retransmission rate exceeds a certain upper limit, the defense result has not reached the expected SLA level.
There is a set of service performance indicators that an application server needs to satisfy. Therefore, when evaluating whether the ddos defense result reaches the user's SLA target, referring to Table 4, the assessment can be made by checking compliance with the service performance indicators in that table.
Based on feedback on the host state, whether the indicators of the current host SLA are met is judged according to the attack type. See Table 5 for the parameters characterizing the host state.
In a distributed environment the defense policy applied to the attacked host may affect the overall network state, with the consequence that other hosts that were not attacked are also affected. Therefore, the overall network service quality is also needed as a basis for evaluating the defense success rate; referring to Table 6, the following key core indicators are defined to characterize the SLA parameters of this dimension.
Using the ranges set for each parameter indicator of the expected SLA level above, it is determined whether each parameter's set of change values lies within the corresponding parameter range of the expected SLA level. If the sets of change values of all parameters lie within the parameter ranges of the expected SLA level, it is determined that the defense effect of the defense policy reaches the expected SLA level; otherwise the defense effect of the defense policy has not reached the expected SLA level.
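The following added example, not code from the patent, carries the third and fourth change value sets and the SLA matching step above through on constructed values. The definitions of "rate of change" as (measured - preset) / preset and "amount of change" as measured - preset, the fallback to an absolute change when the preset value is zero, the inclusive (low, high) range form, the rule that a parameter with no measurement counts as not meeting the SLA, and every threshold in EXPECTED_SLA are my assumptions; Tables 3 to 6 are not reproduced on this page, so the ranges are placeholders.

```python
"""Added example (not the patent's own code): change value sets against
preset values, matched against the parameter ranges of an expected SLA level.

Assumptions (not from the page): rate of change = (measured - preset) / preset,
falling back to measured - preset when preset is 0; amount of change =
measured - preset; SLA ranges are inclusive (low, high) with None meaning
unbounded; a parameter with no measurement counts as not meeting the SLA.
All thresholds below are constructed placeholders.
"""
from typing import Dict, List, Optional, Tuple

Range = Tuple[Optional[float], Optional[float]]

# Constructed placeholder SLA ranges (the page's Tables 3 to 6 are not reproduced).
EXPECTED_SLA: Dict[str, Range] = {
    "request_success_rate_change": (-0.05, None),  # at most 5 % below preset
    "request_delay_change_ms": (None, 50.0),       # at most 50 ms extra delay
    "network_delay_ms": (None, 0.2),               # at most 20 % more delay
    "packet_loss_rate": (None, 0.01),              # preset is 0, so absolute
    "tcp_availability": (-0.001, None),
    "udp_availability": (-0.001, None),
    "jitter_ms": (None, 0.5),
}
# Constructed preset (no-attack) and measured network service quality values.
PRESET_NETWORK = {"network_delay_ms": 20.0, "packet_loss_rate": 0.0,
                  "tcp_availability": 0.9999, "udp_availability": 0.999,
                  "jitter_ms": 2.0}
MEASURED_NETWORK = {"network_delay_ms": 23.0, "packet_loss_rate": 0.005,
                    "tcp_availability": 0.9995, "udp_availability": 0.999,
                    "jitter_ms": 2.5}


def rate_of_change(measured: float, preset: float) -> float:
    """Relative change against the preset; absolute change when preset is 0."""
    return (measured - preset) / preset if preset else measured - preset


def third_change_value_set(success_rate: float, preset_success_rate: float,
                           delay_ms: float, preset_delay_ms: float) -> Dict[str, float]:
    """Rate of change of the request success rate plus the delay change amount."""
    return {
        "request_success_rate_change": rate_of_change(success_rate, preset_success_rate),
        "request_delay_change_ms": delay_ms - preset_delay_ms,
    }


def network_change_value_set(measured: Dict[str, float],
                             preset: Dict[str, float]) -> Dict[str, float]:
    """Fourth change value set: one rate of change per network quality parameter."""
    return {key: rate_of_change(measured[key], preset[key]) for key in preset}


def within(value: float, rng: Range) -> bool:
    lo, hi = rng
    return (lo is None or value >= lo) and (hi is None or value <= hi)


def match_sla(change_values: Dict[str, float],
              sla_ranges: Dict[str, Range]) -> Tuple[bool, List[str]]:
    """True only when every SLA parameter is measured and inside its range;
    the second element lists the parameters that failed."""
    failed = [key for key, value in change_values.items()
              if key in sla_ranges and not within(value, sla_ranges[key])]
    failed += [key for key in sla_ranges if key not in change_values]
    return not failed, failed


def evaluate(success_rate: float, preset_success_rate: float,
             delay_ms: float, preset_delay_ms: float) -> Tuple[bool, List[str]]:
    """Combine the third and fourth change value sets and match the SLA."""
    change_values = dict(third_change_value_set(success_rate, preset_success_rate,
                                                delay_ms, preset_delay_ms))
    change_values.update(network_change_value_set(MEASURED_NETWORK, PRESET_NETWORK))
    return match_sla(change_values, EXPECTED_SLA)


if __name__ == "__main__":
    print(evaluate(0.95, 0.99, 180.0, 120.0))  # delay change of +60 ms fails
    print(evaluate(0.98, 0.99, 140.0, 120.0))  # everything inside the ranges
```

The returned list names the parameters that missed their range, which is what an operator needs when the overall verdict is "expected SLA level not reached": a single failing dimension (here the request delay) is enough to fail the whole evaluation, matching the all-parameters rule stated above.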
The above is the entire content provided by the present invention. From the above technical content it can be concluded that the embodiment of the present invention places the defense end on the cloud platform; on the cloud platform, the defense end can draw the original data traffic of the service end to itself, and since the services of the target end generally run on the cloud platform, the defense end can obtain the data traffic of the target end on the cloud platform while also obtaining its own data traffic. Therefore, on the cloud platform the data traffic of the service end, the target end and the defense end can be gathered in one place, so that the data traffic of all three ends can be obtained. Because the present invention can analyse the data traffic of the service end, the defense end and the target end together, the evaluation perspectives and indicators used to evaluate the defense result are relatively comprehensive, which makes the defense result more accurate.
If the functions described in the method of this embodiment are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a storage medium readable by a computing device. Based on this understanding, the part of the embodiments of the present invention that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a computing device (which may be a personal computer, a server, a mobile computing device, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media that can store program code.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other.
The above description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be obvious to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW106101916A TWI717454B (en) | 2017-01-19 | 2017-01-19 | Method, device and system for quantifying defense results |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201828660A true TW201828660A (en) | 2018-08-01 |
| TWI717454B TWI717454B (en) | 2021-02-01 |