A host-based network attack springboard detection method and device

A network attack springboard detection technology and method, applied in the fields of data exchange networks, digital transmission systems, electrical components, etc.

Active Publication Date: 2017-03-15
NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP

AI Technical Summary

Problems solved by technology

[0005] The technical problem to be solved by the present invention is as follows. In the prior art, network attackers usually carry out the steps of an attack through multi-level springboard hosts in order to conceal their identity. To trace an attack through the network to its source and find the attacker, it is necessary to be able to detect the springboard hosts used in the attack, so that attacks conducted through springboard hosts can be curbed and the attacker hidden behind them can be found step by step.



Examples


Embodiment 1

[0078] Embodiment 1: A springboard detection method for host-based network attacks includes:

[0079] Step 1: The data packet capture module captures the host's data packets, uniquely identifies each data packet, classifies the packets and outputs them, then proceeds to step 2. The data packets are divided into remote login protocol data packets and unidentified application-layer protocol data packets.

[0080] Step 2: The data flow identification and analysis module receives the data packets captured by the data packet capture module, identifies the qualified remote login protocol data packets, classifies them into data flows awaiting detection by the springboard detection module, establishes classified data flow queues and stores the packets by class, then proceeds to step 3. Unqualified TCP data packets are discarded.

[0081] Step 3: The springboard detection module detects whether the data flow group meets the detection requirements, and if the detection requirements are met, th...

Embodiment 2

[0083] Embodiment 2: On the basis of Embodiment 1, in step 1 each TCP data packet is uniquely identified by its four-tuple information. Specifically, the source IP address, destination IP address, source port and destination port of the TCP data packet are extracted, and this four-tuple is used as the unique identifier of the TCP data packet.

Embodiment 3

[0084] Embodiment 3: On the basis of Embodiment 1 or 2, the specific steps of step 2 are:

[0085] Step 21: The data flow identification and analysis module receives a data packet captured by the capture module and judges whether it is a TCP data packet. If it is a TCP data packet, perform step 2; otherwise, discard this TCP data packet.

[0086] Step 22: Determine whether the TCP data packet belongs to a data flow in the classified data flow queue. If no storage queue has been established, a storage queue is established for this TCP data packet and the packet is added to it; otherwise, the TCP data packet is added to the corresponding data flow storage queue, and step 23 is performed.

[0087] Step 23: Judge whether this TCP data packet is a remote login data packet; if it is, directly add this TCP data packet to the correspondin...



Abstract

The invention relates to the field of multi-level network springboard host detection, and in particular to a network attack springboard detection method. To solve the existing technical problem, a host-based network attack springboard detection method and device are provided. To trace an attack and find the attacker, it is necessary to be able to detect the springboard hosts used in the attack, so that attacks conducted through springboard hosts can be curbed and the attacker hidden behind them can be found step by step. In the method and device, a data packet capture module captures the host's data packets; a data flow identification and analysis module receives the data packets captured by the data packet capture module; and a springboard detection module checks whether the data flow groups meet the detection requirements. If they do, the springboard detection module performs data matching on the data flow groups, calculates an Echo_RTT value and an Ack_RTT value, evaluates the relationship between Echo_RTT and Ack_RTT, and determines the springboard credibility rating.
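The four-tuple flow grouping of Embodiment 2 and the Echo_RTT / Ack_RTT comparison named in the abstract can be sketched as follows. This is an added example, not code from the patent: the packet fields, the direction-independent flow key, the matching rule (first covering ACK versus first data-carrying reply) and the sample capture are assumptions, and because the patent's rating thresholds are not on this page only the ratio is computed.

```python
from collections import defaultdict
from statistics import median

def pkt(ts, src, sport, dst, dport, seq, ack, length):
    return dict(ts=ts, src=src, sport=sport, dst=dst, dport=dport, seq=seq, ack=ack, len=length)

HOST, HOP, PEER = "10.0.0.5", "192.0.2.7", "198.51.100.9"  # constructed addresses
# Constructed capture taken on HOST, times in ms (not real traffic).
# Flow A (HOST -> HOP): the next hop ACKs at once, the echoed byte arrives much later.
# Flow B (HOST -> PEER): the echoed byte carries the ACK itself.
CAPTURE = [
    pkt(0, HOST, 50022, HOP, 22, 1000, 5000, 1), pkt(2, HOP, 22, HOST, 50022, 5000, 1001, 0),
    pkt(10, HOST, 50030, PEER, 22, 7000, 9000, 1), pkt(13, PEER, 22, HOST, 50030, 9000, 7001, 1),
    pkt(80, HOP, 22, HOST, 50022, 5000, 1001, 1), pkt(81, HOST, 50022, HOP, 22, 1001, 5001, 0),
    pkt(200, HOST, 50022, HOP, 22, 1001, 5001, 1), pkt(202, HOP, 22, HOST, 50022, 5001, 1002, 0),
    pkt(210, HOST, 50030, PEER, 22, 7001, 9001, 1), pkt(213, PEER, 22, HOST, 50030, 9001, 7002, 1),
    pkt(282, HOP, 22, HOST, 50022, 5001, 1002, 1),
    pkt(400, HOST, 50022, HOP, 22, 1002, 5002, 1), pkt(402, HOP, 22, HOST, 50022, 5002, 1003, 0),
    pkt(478, HOP, 22, HOST, 50022, 5002, 1003, 1),
]

def flow_key(p):
    # Four-tuple identifier; endpoints are ordered so both directions share one key (assumption).
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a <= b else (b, a)

def group_flows(packets):
    # One time-ordered queue per flow, as in the classified data flow queues of step 2.
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda q: q["ts"]):
        flows[flow_key(p)].append(p)
    return flows

def rtt_samples(flow, local_ip):
    # For each outgoing data packet return (ack_rtt, echo_rtt) in ms.
    samples = []
    for i, snd in enumerate(flow):
        if snd["src"] != local_ip or snd["len"] == 0:
            continue  # only outgoing packets that carry data start a measurement
        want = snd["seq"] + snd["len"]  # sequence-number wraparound is ignored here
        replies = [p for p in flow[i + 1:] if p["src"] != local_ip and p["ack"] >= want]
        echo = next((p for p in replies if p["len"] > 0), None)
        if echo is not None:
            samples.append((replies[0]["ts"] - snd["ts"], echo["ts"] - snd["ts"]))
    return samples

def echo_ack_ratio(flow, local_ip):
    # Median Echo_RTT divided by median Ack_RTT; None when nothing could be matched.
    samples = rtt_samples(flow, local_ip)
    if not samples:
        return None
    acks, echoes = zip(*samples)
    return median(echoes) / median(acks)
```

A ratio near 1 means the peer that acknowledges a keystroke is also the one echoing it, while a large ratio means the echo originates further down a connection chain than the acknowledging peer.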

Description

Technical field

[0001] The invention relates to the field of multi-level network springboard host detection, in particular to a network attack springboard detection method and device.

Background technique

[0002] At present, network attacks are becoming more and more rampant, and the attack methods are becoming more and more complex. Attackers usually use multi-level springboard hosts to implement attack steps when carrying out network attacks, so as to hide their identity. A springboard host is a host that the attacker has attacked and taken control of in advance. The attacker logs in to multiple springboard hosts step by step to form a springboard attack chain, and implements specific network attacks through the last springboard host, as shown in Figure 1. Since the victim can only trace the last springboard host, the attacker can use the springboard attack chain to evade tracking and hide his identity. Most of the springboard ...


Application Information

Patent Type & Authority: Patents (China)
IPC: IPC(8): H04L29/06, H04L12/26
Inventor: 刘波陈周国蒲石郝尧黄宸
Owner: NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP