Abstract: A network traffic anomaly detection method and apparatus is provided. The method includes: acquiring network flows generated by a network monitoring node within a set period of time; for any one of attributes in the network flows, aggregating the network flows at a set time interval according to the attribute to generate N time sequences with respect to the attribute; determining N samples to be detected corresponding to the network flows according to the N time sequence, calculating respective angular dissimilarity degrees between a first time sequence and N?1 second time sequences corresponding to a first attribute in the other N?1 samples to be detected, and determining a first detection result with respect to the first time sequence; and determining whether each of the samples to be detected is an abnormal data stream according to a detection result.

Abstract: A DNS evaluation method and apparatus. The method comprises: determining, according to a DNS traffic log, M domain names in a DNS system, and multiple pieces of feature dimension information about each category in pre-set categories corresponding to each of the M domain names, where M is an integer greater than or equal to 1; determining association identification information associated with each of the M domain names, wherein the association identification information comprises an IP address and/or identity information; determining, according to an association relationship between each of the M domain names and the association identification information, or attribute information about each of the M domain names, a cluster score for each category in the pre-set categories of the DNS system; and determining, according to the cluster score for each category in the pre-set categories of the DNS system, the total system score for the DNS system. Thus, the accuracy of DNS evaluation is improved.

Abstract: Provided are a DDoS attack detection method and apparatus. The method comprises: acquiring network traffic of a target moment within a first period by sampling, then querying a traffic period change curve acquired in advance, determining predicted traffic corresponding to the target moment, and confirming a DDoS attack if the network traffic acquired by sampling is larger than the determined predicted traffic. The traffic period change curve is used for indicating a period change law of the predicted traffic, so that before DDoS attack detection is performed at each target moment, it only needs to determine the predicted traffic corresponding to the target moment according to the traffic period change curve without calculating the predicted traffic according to massive historical traffic data before each DDoS attack detection; and the calculation volume is reduced.

Abstract: A web page clustering method and device, used for clustering web pages according to a web page framework, the method including: acquiring uniform resource locators (URL) of a plurality of web pages to be clustered; for the URL of each web page to be clustered, determining rewriting rules of the URL and classifying the URL according to the rewriting rules of the URL; determining a web page framework of the web page corresponding to each URL in each URL class, and determining whether each URL may be clustered according to the web page framework of the web page corresponding to each URL; and retaining the URL class if each URL may be clustered.

Abstract: Defending a distributed denial of service attack includes intercepting a service packet sent by the client to a server, according to a rule agreed with the client, obtaining the information carried by a first preset field of the service packet, the inherent information carried by an inherent field of the service packet, and the added information carried by at least one second preset field, according to the hash algorithm agreed with the client, performing a hash processing on the inherent information and at least one added information so as to obtain a hash result, and determining the service packet is discarded when the hash result is different from the information carried by the first preset field.

Abstract: The present disclosure provides a method and devices for defending against distributed denial of service attacks. The method comprises: intercepting, by a defending device, a service message transmitted by a client to a server; obtaining, by the defending device, information carried in a first preset field of the service message and information carried in a second preset field of the service message according to a rule agreed on with the client; processing, by the defending device, the information carried in the second preset field and a preset key according to a hash algorithm agreed on with the client, and obtaining a hash value; and discarding, by the defending device, the service message upon determining that the hash value is different from the information carried in the first preset field.

Abstract: Provided are a network attack detection method and device.

Abstract: The disclosed embodiment provides a method and device for vulnerability scanning, the method comprising: a reverse scanning agent module acquires a client message; the reverse scanning agent module transmits the client message to a vulnerability scanner, enabling the vulnerability scanner to identify a vulnerability of the client according to the client message; or the reverse scanning agent module identifies the vulnerability of the client according to the client message and transmits the vulnerability to the vulnerability scanner; the reverse scanning agent module receives a control instruction from the vulnerability scanner, changes operation manner and/or mode according to the control instruction, and updates a vulnerability rule.

Abstract: A website scanning apparatus having a policy analysis device for determining whether a link in a target website belongs to a known web application used by the target website, if the link belongs to the identified web application, then a vulnerability scanning is not performed on the link; a crawler device for obtaining the link content that the link points to; a web application identification device for determining whether the link belongs to a known web application; a full scan device for performing a full vulnerability scanning on a link determined as not belonging to the known web application; and a known web application vulnerability detection device for performing vulnerability detection on the website for the determined identified web application according to known vulnerabilities of the identified web application to determine whether the known vulnerabilities of the identified web application exist in the website is provided.

Abstract: Defending a distributed denial of service attack includes intercepting a service packet sent by the client to a server, according to a rule agreed with the client, obtaining the information carried by a first preset field of the service packet, the inherent information carried by an inherent field of the service packet, and the added information carried by at least one second preset field, according to the hash algorithm agreed with the client, performing a hash processing on the inherent information and at least one added information so as to obtain a hash result, and determining the service packet is discarded when the hash result is different from the information carried by the first preset field.

Abstract: Disclosed are a method and an apparatus for determining an automatic scanning action.

Abstract: A trojan detection method and device, used to solve the problem in the prior art of being unable to effectively detect a trojan in a network, the method comprising: when a trojan heartbeat is detected in a session, according to whether the trojan heartbeat detection frequency is fixed, increasing the recorded session weight by a corresponding weight and recording the increased weight, and checking whether each packet transmitted from a controlling end to a controlled end complies with the characteristics of a trojan control command packet; if yes, then increasing by a third weight onto the recorded session weight and recording the same, and when the session weight reaches an alarm threshold, generating an alarm to notify that the session is initiated by a trojan. An embodiment of the present invention achieves trojan detection by detecting the packet in the session, thereby the trojan in a network can be detected.

Abstract: A method, device and system for network security protection comprise: according to a received scan task, a network security device performs a security bug scan of the scan task appointed web site, and when a scan result is obtained, transmits the scan result to a network application firewall, so that the network application firewall can configure a individuality security strategy for the web site according to the received scan result. The problem that it can not he implemented complete individuality security configuration of the web site can be solved in this way.

Abstract: The present invention discloses a device and method for data matching and a device and method for network intrusion detection. The method for data matching includes: searching in a regular expression set one or more complex regular expressions causing a sharp increase in number of states generated based on a regular expression during interaction; constructing a corresponding simplified expression for each complex regular expression; compiling a simplified state machine; compiling one or more substate machines, wherein each of the one or more substate machines is compiled based on a corresponding one of the one or more complex regular expressions; and matching data based on the simplified state machine and the one or more substate machines. The present invention further discloses a device for data matching employing the method for data matching and a device and method for intrusion detection employing the device and method for data matching.

Abstract: The invention discloses a website scanning apparatus for performing a security vulnerability scanning on a target website, which apparatus comprises: a web page obtaining component obtaining current content and/or features of a web page corresponding to a link to be processed; a link processing component including a change judgment device for judging whether the web page corresponding to the link to be processed has been changed based on stored web page content and/or features corresponding to the link to be processed as well as the current web page content and/or features of the link to be processed; and a vulnerability detecting component for performing a security vulnerability detection on a web page corresponding to a link to be processed for which the web page has been changed. The invention also discloses a website scanning method corresponding thereto.

Abstract: Disclosed are a method and an apparatus for determining an automatic scanning action.

Abstract: The present invention discloses a XSS detection method for detecting the XSS vulnerabilities in a web page, comprising for each parameter-value pair in a set of parameter-value pairs that can be accepted by the web page: constructing a parameter-value pair in which a dedicated script is inserted; assembling a URL corresponding to the web page based on the parameter-value pair in which a dedicated script is inserted; acquiring the dynamic web page content corresponding to the assembled URL; and simulating the execution of the acquired dynamic web page content, if the dedicated script is executed, it is determined that the processing of the parameter in the web page contains XSS vulnerabilities. The present invention further discloses a corresponding XSS detection device and a web site security scanning system and a web scanning system using such a device.

Abstract: The invention discloses a security configuration verification device for performing a security configuration verification on a network device, which comprises: one or more preconfigured scanning policies; a scanning policy generator, which selects a scanning policy from the one or more preconfigured scanning policies to generate a new scanning policy corresponding to the network device; and a scanner, which performs the security scanning on the network device with the generated new scanning policy and thereby performs the security configuration verification. The invention also discloses a corresponding security configuration verification method and a network system employing the verification device.

Abstract: The invention discloses a vulnerability monitoring method for performing a vulnerability monitoring on a system in which data execution protection (DEP) is enabled, which method comprises the steps of: monitoring an operation with respect to the DEP; and considering that an action exploiting the vulnerability has occurred in the system when an operation to close the DEP is detected. The invention also discloses a corresponding vulnerability monitoring apparatus.

Abstract: The invention discloses a website scanning apparatus for performing a security vulnerability scanning on a target website, which apparatus comprises: a web page obtaining component obtaining current content and/or features of a web page corresponding to a link to be processed; a link processing component including a change judgment device for judging whether the web page corresponding to the link to be processed has been changed based on stored web page content and/or features corresponding to the link to be processed as well as the current web page content and/or features of the link to be processed; and a vulnerability detecting component for performing a security vulnerability detection on a web page corresponding to a link to be processed for which the web page has been changed. The invention also discloses a website scanning method corresponding thereto.