| CPC H04L 41/145 (2013.01) [H04L 41/00 (2013.01); H04L 63/1416 (2013.01); H04L 63/145 (2013.01); H04L 67/02 (2013.01); H04L 69/22 (2013.01)] | 20 Claims |

|
1. A method comprising:
performing, by a network protection device, protocol parsing on one or more packets comprised in received first network traffic, to obtain one or more first parsing results comprising one or more first preset fields, the one or more first preset fields comprising first key data;
obtaining, by the network protection device, the first key data from the one or more first preset fields, and matching the first key data with one or more first attack signatures in a signature database to obtain a first matching result, the first matching result comprising a first attack signature comprised in both the first key data and the signature database;
determining, by the network protection device based on the first matching result, whether the first network traffic is aggressive;
in response to determining, by the network protection device based on the first matching result, that the first network traffic is aggressive, adding, by the network protection device, the first network traffic to a first sample set as a black sample, to obtain a second sample set, wherein the first sample set comprises at least one black sample, and training, by the network protection device, an original attack detection model using the second sample set based on a predetermined algorithm, to obtain a target attack detection model, the target attack detection model being configured to identify one or more attack signatures different from the one or more attack signatures in the signature database;
receiving, by the network protection device, second network traffic;
determining, by the network protection device based on the target attack detection model, whether the second network traffic is aggressive; and
in response to determining, based on the target attack detection model, that the second network traffic is not aggressive, performing, by the network protection device, an action response for the second network traffic based on a second preset action, wherein when the second preset action is allowing, performing, by the network protection device, the action response for the second network traffic based on the second preset action comprises:
sending, by the network protection device, the second network traffic to a next-hop device of the network protection device.
|
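The flow recited in claim 1, as an added sketch that is not taken from the patent. It assumes the "preset field" is an HTTP query string, that the "predetermined algorithm" is multinomial naive Bayes, that the sample set also holds white (benign) samples, and that aggressive traffic is blocked; all signatures, samples and function names are constructed for illustration.

```python
import math, re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

SIGNATURES = ["union select", "<script>"]  # constructed signature database

def key_data(raw_request):
    """Protocol parsing: the decoded query string stands in for the 'preset field'."""
    target = raw_request.split("\r\n", 1)[0].split(" ")[1]
    return unquote_plus(urlsplit(target).query).lower()

def signature_match(data):
    """Matching result: signatures present in both the key data and the database."""
    return [s for s in SIGNATURES if s in data]

def tokens(data):
    # Words and single punctuation marks; digits are dropped.
    return re.findall(r"[a-z_]+|[^\sa-z0-9_]", data)

def train(sample_set):
    """Assumed 'predetermined algorithm': per-class token counts for naive Bayes."""
    counts, docs = {"black": Counter(), "white": Counter()}, Counter()
    for data, label in sample_set:
        counts[label].update(tokens(data))
        docs[label] += 1
    return counts, docs

def is_aggressive(model, data):
    counts, docs = model
    vocab = len(set(counts["black"]) | set(counts["white"])) + 1  # +1 for unseen tokens
    def score(label):  # log prior + Laplace-smoothed log likelihood
        total = sum(counts[label].values()) + vocab
        return math.log(docs[label] / sum(docs.values())) + sum(
            math.log((counts[label][t] + 1) / total) for t in tokens(data))
    return score("black") > score("white")

def learn_from_first_traffic(raw_request, first_sample_set):
    """Signature hit -> black sample added -> retrain; returns the target model."""
    data = key_data(raw_request)
    hit = [(data, "black")] if signature_match(data) else []
    return train(list(first_sample_set) + hit)

def respond_to_second_traffic(model, raw_request):
    # "allow" means forward to the next-hop device; "block" is an assumed action.
    return "block" if is_aggressive(model, key_data(raw_request)) else "allow"

FIRST_SAMPLE_SET = [("id=1' or '1'='1", "black"), ("q=network security books", "white"),
                    ("page=2&sort=price", "white"), ("user=alice&lang=en", "white")]  # constructed
FIRST_TRAFFIC = "GET /item?id=1+union+select+password+from+users HTTP/1.1\r\nHost: shop.example\r\n\r\n"
```

A request that contains no database signature can still be classified as aggressive by the retrained model, which is the property the claim attributes to the target attack detection model.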