
CN115664833A - Network hijacking detection method based on local area network security equipment - Google Patents


Info

Publication number: CN115664833A
Authority: CN (China)
Prior art keywords: information, ttl, session, network, bit
Legal status: Granted
Application number: CN202211368185.2A
Other languages: Chinese (zh)
Other versions: CN115664833B (en)
Inventors: 彭程竟, 刘健, 许光全
Current assignee: Tianjin University
Original assignee: Tianjin University

Events:
Application filed by Tianjin University
Priority to CN202211368185.2A
Publication of CN115664833A
Application granted
Publication of CN115664833B
Legal status: Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to computer communication and network security technology. Its aims are to perform hijacking detection using header fields from multiple protocol layers and to subdivide the various hijacking situations; to detect data flows in the network in real time with low system resource consumption; and to detect hijacking without relying on other network resources or building a database of normal information in advance. The technical solution adopted is a network hijacking detection method based on LAN security equipment, with the following steps: detect packet header information, record packet header information, match rules, and produce a detection result. The invention is mainly applied to network communication security.

[Figure 202211368185]

Description

Network hijacking detection method based on LAN security equipment

Technical field

The invention relates to computer communication and network security, and in particular to a network hijacking detection method based on local area network security equipment.

Background

With the rapid development of the Internet, network hijacking has become an increasingly serious problem. Network traffic hijacking can be divided into hijacking inside the local area network (LAN) and hijacking outside it; what mostly occurs today is hijacking of plaintext transmission outside the LAN, where plaintext traffic is intercepted by an attacker or has malicious data injected into it, so that users cannot obtain normal network service or their devices are even damaged. For example, the content of a website the user visits cannot be displayed normally, the target website cannot be reached, or an application errors out and cannot run. Attackers mainly target TCP (Transmission Control Protocol) connections and the HTTP (Hypertext Transfer Protocol) connections built on top of TCP; these connections are transmitted in plaintext, and by forging packets that appear legitimate, the attacker causes the user's host to mishandle the segments it receives. Although many Internet vendors now interact with users over encrypted transport protocols, a large share of traffic is still transmitted in plaintext, so session hijacking detection for that share remains important and meaningful.

The current detection methods for session hijacking attacks on plaintext transmission mainly include:

Detection method 1: use web crawler technology to collect the IP addresses and port numbers of proxy servers in various regions, configure a browser to access the target website through a proxy server and record the site content, then access the target website without the proxy and compare whether the content changed; if it did, hijacking is present. (Patent No. 201410403660.4)

Detection method 2: in the core routing network, collect statistics over a period of time on the network flows corresponding to each IP, recording the change in the TTL value and the IPID number of every packet; if the change exceeds a set threshold and a certain count is reached, hijacking is judged to be present. (Patent No. 201710112616.1)

Detection method 3: detect whether the user's web page is abnormal; if so, take a screenshot of the page content, obtain the detection data and ping each item one by one, then submit the ping packet loss rate, the screenshot and the result log to a server for model-based detection, from which the server judges whether network hijacking occurred. (Patent No. 202010567944.2)

Research status of related technologies

Detection method 1 above needs network resources in other regions to obtain normal data, and only by comparing the data obtained through the local network with that normal data can it tell whether hijacking occurred; if the other networks are also hijacked, it cannot determine whether the local network was hijacked. It also cannot detect in real time.

For detection method 2 above, the detection tool is placed at core routing network nodes and can only distinguish flows by IP, not by each port above the IP. Current TCP/IP stacks have moved away from generating IPID values with a separate IPID counter per destination IP. In 2014, in Linux 3.16, kernel developers recognized that using a separate counter for every IP destination has performance problems, and a single global incrementing counter is not advisable either, so they adopted a hybrid approach consisting of 2048 globally incrementing counters. To decide which counter an IP datagram uses, the datagram's destination address is hashed with a secret value randomly generated at system start-up; the resulting hash (mod 2^11) gives the index of the counter. Each counter is 32 bits to accommodate IPv6, while for IPv4 the IPID is taken from the lower 16 bits of the counter.

The generated IPID values do not increase linearly: each time a counter is used to assign an IPID, instead of incrementing it by 1, the kernel adds a number uniformly distributed between 1 and the number of system ticks since that counter was last used. For TCP packets over IPv6, an IPID does not necessarily exist: if the size of the IPv6 packet does not trigger fragmentation, the TCP/IP stack does not assign it an IPID value. It follows that packet sending intervals are unpredictable and vary greatly, so the generated IPID values fluctuate strongly, and an IPID value is not necessarily present in every TCP datagram.

Because IPID values have become unpredictable, and more and more vendors use the new TCP/IP stacks, TCP hijacking detection based on this dimension performs poorly. In addition, flow information for every IP must be collected over a period of time, which consumes substantial system resources, and because flows are not subdivided by each IP's specific transport-layer port number for classification, too many false positives result and hijacking cannot be detected in real time.
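To make the effect of the hybrid counter scheme concrete, the following simulation is an added example, not code from the patent or from the Linux kernel: it models 2048 counters selected by a keyed hash of the destination address and advanced by a random amount bounded by the ticks since the counter's last use. The SHA-256 keyed hash, the seed, the tick values and the destination address are constructed stand-ins; the kernel's own hash function and clock are not reproduced.

```python
"""Simulation of the hybrid IPID counters described above (Linux 3.16).

Added example, not code from the patent or the Linux kernel. The keyed
hash is a SHA-256 stand-in for the kernel's own hash, and the tick
counter is an argument rather than a real clock, so the run is
deterministic under a fixed seed.
"""
import hashlib
import random

NUM_COUNTERS = 2048          # 2^11 counters, index = hash mod 2^11
IPV4_ID_MASK = 0xFFFF        # IPv4 takes the lower 16 bits of a 32-bit counter


class HybridIpidGenerator:
    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.secret = self.rng.getrandbits(64)   # generated at "boot"
        self.counters = [0] * NUM_COUNTERS
        self.last_tick = [0] * NUM_COUNTERS

    def counter_index(self, dst_ip):
        """Destination address hashed with the boot secret, mod 2^11."""
        digest = hashlib.sha256(f"{self.secret}:{dst_ip}".encode()).digest()
        return int.from_bytes(digest[:4], "big") % NUM_COUNTERS

    def next_ipid(self, dst_ip, now_tick):
        """Advance the chosen counter by a uniform value in [1, ticks elapsed]."""
        i = self.counter_index(dst_ip)
        elapsed = max(1, now_tick - self.last_tick[i])
        self.counters[i] = (self.counters[i] + self.rng.randint(1, elapsed)) & 0xFFFFFFFF
        self.last_tick[i] = now_tick
        return self.counters[i] & IPV4_ID_MASK


def ipid_deltas(dst_ip, send_ticks, seed=0):
    """IPID differences between successive packets sent to one destination."""
    gen = HybridIpidGenerator(seed)
    ids = [gen.next_ipid(dst_ip, t) for t in send_ticks]
    return [(b - a) & IPV4_ID_MASK for a, b in zip(ids, ids[1:])]


if __name__ == "__main__":
    # Constructed send times: a burst every tick, then packets 1000 ticks apart.
    print("burst :", ipid_deltas("198.51.100.7", [0, 1, 2, 3, 4]))
    print("sparse:", ipid_deltas("198.51.100.7", [0, 1000, 2000, 3000, 4000]))
```

Sending in a tight burst yields deltas of exactly 1, while the same destination with sparse sends yields deltas anywhere in [1, 1000]; a detector that expects the IPID to advance by 1 per packet therefore cannot separate a changed path from ordinary pacing, which is the weakness the paragraph describes.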

Detection method 3 above needs a knowledge base of normal access to be built in advance, and the server can only tell whether hijacking occurred by comparison. Building the knowledge base takes enormous effort, and it is difficult to keep up with the changes of every website in real time, so detection quality decreases over time.

Summary of the invention

To overcome the shortcomings of the prior art, the present invention aims to:

1. Use header fields from multiple protocol layers for hijacking detection and subdivide the various hijacking situations.

2. Detect data flows in the network in real time with low system resource consumption.

3. Detect hijacking without relying on other network resources or building a database of normal information in advance.

To this end, the technical solution adopted by the present invention is a network hijacking detection method based on LAN security equipment, with the following steps: detect packet header information, record packet header information, match rules, and produce a detection result.

The detailed steps are as follows:

(1) Use the firewall device to filter out packets that are not TCP or HTTP over TCP, perform deep packet parsing on the resulting packets, and extract the header field information of the network layer and the application layer;

This mainly includes: source IP, source port number, destination IP, destination port number, TTL value, the Flags bits of the TCP layer, and the HTTP response status code;

(2) Organize the extracted header field information into an entry, then decide whether to update the entry information held in the cache or store the new entry in the cache;

1) Initially the system's entry cache is empty, and a newly arrived packet's entry is stored directly in the cache according to its four-tuple, whose structure is as follows:

Four-tuple = (Src_IP, Src_port, Dst_IP, Dst_port)

where Src_IP is the source IP, Src_port the source port, Dst_IP the destination IP and Dst_port the destination port;

2) If the cache is not empty, check whether the four-tuple of the newly generated entry already exists in the cache. If not, store the new entry directly in the cache; otherwise compare the TTL value of the new entry with the TTL value of the corresponding cached entry and judge as follows:

(a) If the absolute value of the difference exceeds the threshold, the session flow is considered abnormal and subsequent judgments are needed to distinguish the various cases;

(b) If the absolute value of the difference does not exceed the threshold, the current session flow is considered normal and the TTL value of the corresponding cached entry needs to be updated;

where TTL_Mean is generated by the following formula:

TTL_Mean = (TTL_Mean*(n-1) + TTL)/n

The newly generated TTL value is calculated by the following formula:

[Figure BDA0003924245630000031: formula for New_TTL]

where New_TTL is an integer, the bracket shown in [Figure BDA0003924245630000032] denotes rounding down, TTL_Mean is the average TTL of this flow, TTL is the TTL value of the newly generated entry, and n is the total number of packets in the current flow;

3) Setting the threshold requires actual statistical observation, by the following two methods:

(a) Compare the range (maximum minus minimum) of the TTL values of several flows: if a flow's range is very small, that flow is considered not to have been hijacked; otherwise it may be considered hijacked. During data exchange between a terminal and an external test server, set the content of the server's reply packets, check whether the content was altered in transit, and observe the change in the flow's TTL to judge whether hijacking occurred;

(b) Visit websites and observe whether the correct content is returned, whether malicious advertisements were injected and whether the page is redirected to other unrelated pages, while observing the change in the flow's TTL to judge whether hijacking occurred; considering the current network environment, find a suitable value that separates normal flows from abnormal flows;

(3) Given that the TTL exceeded the threshold, the matching rules for the subsequent judgment are:

1) TCP Flags bits: the TCP protocol has several flag bits, and different flag bits represent the state of the current TCP session; changes in the Flags bits show whether the TCP session is normal and what problems occurred. The flag bits are:

F: session ended

P: send immediately

A: acknowledgement bit

R: reset bit

S: synchronization bit

R: if this field is 1, a serious error is considered to have occurred in the TCP session; the session is terminated and a new session is established;

A TCP packet can contain several of these bits at the same time.

· If the Flags bits are SA, the TCP session is considered hijacked during the handshake;

· If the Flags bits are FPA, the session can be preliminarily considered abnormal, to be judged further with the HTTP-layer information;

· If the Flags bits are R, the session is considered to have been reset by an attacker during communication;

· If the Flags bits are F, the session can be preliminarily considered abnormal, to be judged further with the HTTP-layer information;

2) HTTP status code: the status code is detailed information obtained from the target server; from the different status codes one can learn the state of the target server, the operations that will follow, and the status feedback for this request. The main status codes are:

200: page request successful. 30{0-7}: understood as page redirection.

· If the Flags bits are FPA and the HTTP status code is 30{0-7}, some files in the session flow are judged to have been hijacked and tampered with;

· If the Flags bits are F and the HTTP status code is 200, the session content is judged to have been tampered with by an attacker and the session is ended.

Features and beneficial effects of the invention:

The invention is mainly aimed at network hijacking detection for LAN security. Intranet clients interact with Internet servers, and the traffic may be hijacked or tampered with on its way back into the LAN; by continuously monitoring data flows, the invention uncovers the abnormal parts of the flows and raises warnings. The invention achieves the following beneficial effects:

1. The session hijacking now seen on networks prevents users from interacting normally with the target server and can even cause serious financial loss. The invention matches rules against information from multiple protocol layers and refines the hijacking behaviour, so the specific hijacking that occurred can be understood, pointing the direction for subsequent prevention work.

2. Regarding the timeliness of network hijacking detection, this solution is deployed on the firewall that all inbound and outbound traffic must pass through; as a detection module it checks every flow for anomalies in real time and can raise an alarm promptly, avoiding greater damage and loss.

3. Given the characteristics of firewall devices, the invention does not occupy many system resources and requires little computation; it is a lightweight detection method that reduces the performance impact on the firewall's packet forwarding.

Description of drawings:

Figure 1: complete detection flow chart.

Figure 2: flow chart of the matching rules for the subsequent judgment once the TTL exceeds the threshold.

Figure 3: current LAN topology.

Figure 4: the program recording and monitoring the state of each session flow.

Figure 5: the warning log output by the program when hijacking is encountered at run time.

Detailed description of the embodiments

The overall process of this solution mainly includes: detecting packet header information, recording packet header information, matching rules, and producing a detection result.

The complete detection process of the invention is shown in Figure 1.

The method of the invention is deployed as a detection module mainly on the LAN firewall device. External traffic entering the LAN passes through the firewall first, and only reaches internal devices after the firewall has inspected it. The network administrator can choose whether to enable the detection module according to the current network conditions.

The details are as follows:

(1) The firewall device filters out packets that are not TCP or HTTP over TCP, performs deep packet parsing on the resulting packets, and extracts the header field information of the network layer and the application layer (where present). This mainly includes: source IP, source port number, destination IP, destination port number, TTL value, the Flags bits of the TCP layer and the HTTP response status code (if any).

(2) Organize the extracted header field information into an entry, then decide whether to update the entry information held in the cache or store the new entry in the cache.

1) Initially the system's entry cache is empty, and a newly arrived packet's entry is stored directly in the cache according to its four-tuple. The four-tuple structure is as follows:

Four-tuple = (Src_IP, Src_port, Dst_IP, Dst_port)

where Src_IP is the source IP, Src_port the source port, Dst_IP the destination IP and Dst_port the destination port.

2) If the cache is not empty, check whether the four-tuple of the newly generated entry already exists in the cache. If not, store the new entry directly in the cache; otherwise compare the TTL value of the new entry with the TTL value of the corresponding cached entry and judge as follows:

(a) If the absolute value of the difference exceeds the threshold, the session flow is considered abnormal and subsequent judgments are needed to distinguish the various cases.

(b) If the absolute value of the difference does not exceed the threshold, the current session flow is considered normal and the TTL value of the corresponding cached entry needs to be updated.

where TTL_Mean is generated by the following formula:

TTL_Mean = (TTL_Mean*(n-1) + TTL)/n

The newly generated TTL value is calculated by the following formula:

[Figure BDA0003924245630000051: formula for New_TTL]

where New_TTL is an integer, the bracket shown in [Figure BDA0003924245630000052] denotes rounding down, TTL_Mean is the average TTL of this flow, TTL is the TTL value of the newly generated entry, and n is the total number of packets in the current flow.

3) Setting the threshold requires actual statistical observation, mainly by the following two methods:

(a) Compare the range (maximum minus minimum) of the TTL values of several flows: if a flow's range is very small, that flow can basically be considered not to have been hijacked; otherwise it may be considered hijacked. In practice, during data exchange between a terminal and an external test server, set the content of the server's reply packets, check whether the content was altered in transit, and observe the change in the flow's TTL to judge whether hijacking occurred.

(b) Visit websites and observe whether the correct content is returned, whether malicious advertisements were injected and whether the page is redirected to other unrelated pages, while observing the change in the flow's TTL to judge whether hijacking occurred. Considering the current network environment, find a suitable value that separates normal flows from abnormal flows.

(3) Given that the TTL exceeded the threshold, the matching rules for the subsequent judgment are shown in Figure 2:

1) TCP Flags bits: the TCP protocol has several flag bits, and different flag bits represent the state of the current TCP session; changes in the Flags bits show whether the TCP session is normal and what problems occurred. Table 1 lists the main Flags bits:

Table 1

  Flag  Meaning
  F     session ended
  P     send immediately
  A     acknowledgement bit
  R     reset bit
  S     synchronization bit

R: if this field is 1, a serious error is considered to have occurred in the TCP session; the session is terminated and a new session is established;

A TCP packet can contain several of these bits at the same time.

· If the Flags bits are SA, the TCP session is considered hijacked during the handshake.

· If the Flags bits are FPA, the session can be preliminarily considered abnormal, to be judged further with the HTTP-layer information.

· If the Flags bits are R, the session is considered to have been reset by an attacker during communication.

· If the Flags bits are F, the session can be preliminarily considered abnormal, to be judged further with the HTTP-layer information.

2) HTTP status code: the status code is detailed information obtained from the target server; from the different status codes one can learn the state of the target server, the operations that will follow, and the status feedback for this request. The main status codes are:

200: page request successful. 30{0-7}: can be understood as page redirection.

· If the Flags bits are FPA and the HTTP status code is 30{0-7}, some files in the session flow can be judged to have been hijacked and tampered with.

· If the Flags bits are F and the HTTP status code is 200, the session content can be judged to have been tampered with by an attacker and the session is ended.
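As an added example serving both the summary above (steps (1) to (3)) and this detailed description, the following Python sketch, which is not the patent's own code, keeps a cache keyed by the four-tuple, applies the TTL_Mean recursion on normal packets, and on a TTL jump beyond the threshold applies the Flags/HTTP-status rules of step (3). It assumes the header fields have already been parsed into dicts, a threshold of 8 (the patent only says the threshold must come from observation), that the stored integer TTL is the floor of TTL_Mean (the page's New_TTL formula survives only as a figure), and the rule-result labels are the example's own.

```python
"""Flow-cache TTL/flag hijack detector following the patent's steps (1)-(3).

Added example, not the patent's own code. Packets are constructed dicts
standing in for the parsed header fields; the threshold value, the
rule-result labels and the cached-TTL rounding (floor of the running mean,
since the page's formula image is not reproduced) are assumptions.
"""
import math


class FlowEntry:
    """One cache entry per four-tuple (Src_IP, Src_port, Dst_IP, Dst_port)."""

    def __init__(self, ttl):
        self.ttl_mean = float(ttl)   # TTL_Mean from the patent's formula
        self.ttl = int(ttl)          # New_TTL: integer TTL kept for comparison
        self.n = 1                   # n: packets seen in this flow
        self.ttls = [int(ttl)]       # kept only to compute the range for tuning


def match_rules(flags, http_status):
    """Step (3): classify a flow whose TTL jumped past the threshold."""
    f = frozenset(flags.upper())
    if f == {"S", "A"}:
        return "handshake-hijacked"
    if f == {"F", "P", "A"}:
        if http_status is not None and 300 <= http_status <= 307:
            return "partial-content-tampered"        # FPA + 30{0-7}
        return "suspicious-fpa"                      # needs HTTP-layer info
    if f == {"R"}:
        return "reset-by-attacker"
    if f == {"F"}:
        if http_status == 200:
            return "content-tampered-session-ended"  # F + 200
        return "suspicious-fin"
    return "abnormal-ttl-unclassified"


class HijackDetector:
    def __init__(self, threshold=8):   # assumed value; tune per section 3)
        self.threshold = threshold
        self.cache = {}

    @staticmethod
    def four_tuple(pkt):
        return (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])

    def process(self, pkt):
        """Step (2): create, update or flag the cache entry for pkt's flow."""
        key = self.four_tuple(pkt)
        entry = self.cache.get(key)
        if entry is None:                                   # 1) unseen four-tuple
            self.cache[key] = FlowEntry(pkt["ttl"])
            return "new-flow"
        if abs(pkt["ttl"] - entry.ttl) > self.threshold:    # 2)(a) abnormal
            return match_rules(pkt["flags"], pkt.get("http_status"))
        entry.n += 1                                        # 2)(b) update mean
        entry.ttl_mean = (entry.ttl_mean * (entry.n - 1) + pkt["ttl"]) / entry.n
        entry.ttl = math.floor(entry.ttl_mean)              # assumed New_TTL
        entry.ttls.append(pkt["ttl"])
        return "normal"

    def ttl_range(self, key):
        """Section 3)(a): max minus min TTL of a flow, used to pick the threshold."""
        e = self.cache[key]
        return max(e.ttls) - min(e.ttls)


# Constructed sample flow: four steady server replies, then one with a very
# different TTL carrying FIN/PSH/ACK and an HTTP 302 (rule: FPA + 30x).
SAMPLE_PACKETS = [
    {"src_ip": "203.0.113.10", "src_port": 80, "dst_ip": "192.168.1.20",
     "dst_port": 51000, "ttl": ttl, "flags": flags, "http_status": st}
    for ttl, flags, st in [(54, "PA", 200), (54, "A", None), (55, "PA", 200),
                           (54, "A", None), (120, "FPA", 302)]
]


def run_sample(packets=SAMPLE_PACKETS, threshold=8):
    det = HijackDetector(threshold)
    results = [det.process(p) for p in packets]
    key = det.four_tuple(packets[0])
    return results, det.cache[key], det.ttl_range(key)


if __name__ == "__main__":
    results, entry, rng = run_sample()
    for r in results:
        print(r)
    print("n =", entry.n, "TTL_Mean =", round(entry.ttl_mean, 3), "range =", rng)
```

Run as a script it prints one verdict per packet. Note that an abnormal packet does not update the cached entry, so a single hijacked segment does not drag the flow's mean toward the attacker's TTL, and the per-flow range is available for the threshold tuning the patent describes in section 3)(a).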

The technical solution of the invention is described in detail below with reference to the drawings and a specific example.

A practical example is described below:

Assume the current LAN topology is as shown in Figure 3.

All traffic entering and leaving the intranet is filtered by the firewall. The detection program is deployed on the firewall, or the firewall port is mirrored and the traffic stored on a bypass device, on which non-real-time detection can be performed.

Traffic on the live network is captured continuously, and the program records and monitors the state of each session flow, as shown in Figure 4.

The program continuously records the information of each flow. If the inspected field of a new packet does not exceed the threshold, the new TTL value is calculated and stored in the corresponding entry of the system cache; if the TTL header field of the newly arrived packet exceeds the threshold, the detection result is output according to the rules set in advance. If hijacking is encountered while the program runs, a warning log is output, as shown in Figure 5.

It can be seen that the invention can detect different hijacking behaviours and output the detection results in real time.

The above is only a specific embodiment of the invention, but the scope of protection of the invention is not limited to it; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention.

Claims (2)

1. A network hijacking detection method based on local area network security equipment, characterized by comprising the following steps: detecting the header information of a data packet, recording the header information of the data packet, and obtaining a detection result by rule matching.
2. The network hijacking detection method based on local area network security equipment as claimed in claim 1, wherein the detailed steps are as follows:
(1) Using firewall equipment, filter packets of non-TCP protocols and of the HTTP (hypertext transfer protocol) protocol established on the basis of the TCP (transmission control protocol) protocol, perform deep packet analysis on the obtained packets, and extract the header field information of the network layer and the application layer;
the extracted information mainly comprises: the source IP, source port number, destination IP, destination port number, TTL value, Flags bits of the TCP layer, and HTTP response status code;
(2) Sort the obtained header field information to generate entry information, and subsequently judge whether the entry information in the cache needs to be updated or whether the new entry needs to be stored in the cache;
1) Initially, the entry information of the system is empty, and the entry information of a newly arrived packet is stored directly in the cache according to its four-tuple information, where the four-tuple has the following structure:
quadruplet = (Src_IP, Src_port, Dst_IP, Dst_port)
where Src_IP is the source IP, Src_port the source port, Dst_IP the destination IP and Dst_port the destination port;
2) If the cache is not empty, judge whether the four-tuple of the newly generated entry information already exists in the cache; if not, store the newly generated entry information directly in the cache; otherwise, compare the TTL value of the newly generated entry with the TTL value of the corresponding entry in the cache and judge as follows:
(a) If the absolute value of the difference exceeds the threshold, an abnormal session flow is considered to exist, and subsequent judgment is needed to distinguish the various cases;
(b) If the absolute value of the difference does not exceed the threshold, the current session flow is considered normal, and the TTL value of the corresponding entry in the cache needs to be updated;
the generation formula of TTL_Mean is as follows:
TTL_Mean = (TTL_Mean * (n - 1) + TTL) / n
the calculation formula of the newly generated TTL value is as follows:
[formula image FDA0003924245620000011]
where New_TTL is an integer, ⌊ ⌋ denotes rounding down, TTL_Mean is the average TTL value of the data flow, TTL is the TTL value of the newly generated entry, and n is the total number of packets of the current data flow;
3) Setting the threshold requires actual statistical observation, by two methods:
(a) Compare the ranges of several data flows: if the range of a flow is very small, the flow is considered not to have been attacked or hijacked; conversely, it may be considered to have suffered a hijacking attack. In the data interaction between the terminal and an external-network test server, the content of the packet returned by the server is set in advance, whether the content has changed before and after is checked, and whether hijacking has occurred is judged by observing the change of the data flow TTL;
(b) By visiting websites, observe whether the correct content is returned, whether malicious advertisements have been injected and whether the page jumps to other irrelevant web pages, observe the change of the data flow TTL, judge whether hijacking has occurred, and, taking the current network environment into account, search for a suitable threshold size that distinguishes normal data flows from abnormal ones;
(3) Establish the matching rules for the subsequent judgment in the case where the TTL exceeds the threshold:
1) TCP protocol Flags bits: the TCP protocol has several flag bits; different flag bits represent the state of the current TCP session, and whether the TCP session is normal and what problems exist can be learned from changes in the flag bits. The flag bits are as follows:
F: end of session
P: send immediately
A: acknowledgement bit
R: reset bit
S: synchronization bit
If this field is 1, a serious error is considered to have occurred in the TCP session, the session is ended and a new session is rebuilt;
a TCP packet may carry several of these information bits at the same time;
if the Flags bits are SA, the TCP session is considered to have been hijacked during the handshake;
if the Flags bits are FPA, the session may be preliminarily considered abnormal, and a further judgment can be made in combination with the HTTP layer information;
if the Flags bit is R, it can be considered that an attacker has reset the session communication process;
if the Flags bit is F, the session may be preliminarily considered abnormal, and a further judgment can be made in combination with the HTTP layer information;
2) HTTP protocol status code: the status code is detailed information obtained from the target server; the state of the target server, the operation to be performed next, and the status feedback for the data request can be learned from the different status codes. The main status codes are:
200: page request successful; 300-307: understood as a page redirect;
if the Flags bits are FPA and the HTTP status code is in 300-307, it is determined that part of the file in the session flow has been hijacked and tampered with;
if the Flags bit is F and the HTTP status code is 200, it is determined that the attacker has tampered with the content and the session is ended.
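As an added example (not code from the patent), the per-flow cache, running TTL_Mean and threshold check of step (2), followed by the Flags/status rule matching of step (3), in Python; the threshold value of 3, the rounded-down-mean rule for New_TTL (the patent's own formula is only given as an image) and all packet fields are assumptions or constructed sample data.

```python
from collections import namedtuple
from math import floor
# Constructed record of the fields the method extracts (claim 2, step (1)).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port ttl flags status")
TTL_THRESHOLD = 3  # assumption: the patent leaves the threshold to observation

def match_rule(flags, status):
    """Rule matching of claim 2, step (3), applied once a TTL anomaly is found."""
    if flags == "SA":
        return "hijacked during handshake"
    if flags == "R":
        return "session reset by attacker"
    if flags == "FPA" and status is not None and 300 <= status <= 307:
        return "file in session flow hijacked and tampered"
    if flags == "F" and status == 200:
        return "content tampered, session ended"
    if flags in ("FPA", "F"):
        return "preliminarily abnormal"
    return "TTL anomaly, no rule matched"

class TTLDetector:
    def __init__(self, threshold=TTL_THRESHOLD):
        self.threshold = threshold
        self.cache = {}  # (Src_IP, Src_port, Dst_IP, Dst_port) -> [TTL_Mean, n]
    def stored_ttl(self, key):
        # Assumption: New_TTL is the rounded-down mean (the patent's formula is an image).
        return floor(self.cache[key][0])
    def process(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        entry = self.cache.get(key)
        if entry is None:  # step (2) 1): first packet of this flow
            self.cache[key] = [float(pkt.ttl), 1]
            return "new entry"
        ttl_mean, n = entry
        if abs(pkt.ttl - ttl_mean) > self.threshold:  # step (2) 2)(a): abnormal
            return match_rule(pkt.flags, pkt.status)
        n += 1  # step (2) 2)(b): TTL_Mean = (TTL_Mean*(n-1) + TTL)/n
        entry[0], entry[1] = (ttl_mean * (n - 1) + pkt.ttl) / n, n
        return "normal"

def run_demo():
    """Constructed traffic: a normal flow that is then hijacked, and a reset flow."""
    det = TTLDetector()
    a = ("10.0.0.5", 40000, "203.0.113.10", 80)
    b = ("10.0.0.5", 40001, "203.0.113.10", 80)
    pkts = [Packet(*a, 55, "A", None), Packet(*a, 56, "PA", 200),
            Packet(*a, 54, "A", None), Packet(*a, 120, "SA", None),
            Packet(*a, 118, "FPA", 302), Packet(*b, 60, "A", None),
            Packet(*b, 200, "R", None)]
    return [det.process(p) for p in pkts], det.stored_ttl(a)
```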
CN202211368185.2A 2022-11-03 2022-11-03 Network hijacking detection method based on LAN security equipment Active CN115664833B (en)

Publications (2)

Publication Number Publication Date
CN115664833A true CN115664833A (en) 2023-01-31
CN115664833B CN115664833B (en) 2024-04-02



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant