Illegal external connection monitoring method based on wireless and wired data flow similarity analysis

A similarity analysis and data flow technology, applied in character and pattern recognition, instruments, electrical components, etc., can solve the problems of short detection time, response speed, function failure, and inability to judge, so as to reduce deployment costs, reduce engineering construction difficulty, and solve the problem of omission.

Active Publication Date: 2019-08-13
四川英得赛克科技有限公司

AI Technical Summary

Problems solved by technology

[0004] The use of the wireless network is supervised by installing a client agent on the terminal desktop system, mainly covering the terminal's own wireless network card, privately connected wireless WIFI, and the use of free wireless WIFI. Its advantages are short detection time and fast response, but it has the following disadvantages: it cannot manage and control a terminal desktop system that has no client agent installed; it cannot supervise the private connection of wireless routing devices, because a client agent cannot be installed on such devices; and it cannot use technical means to prevent a terminal from uninstalling the software system, which disables its function.

[0006] Mainly through ICMP, TCP and UDP scanning, and drawing on operating system fingerprint identification technology, a local protocol feature library is formed to judge whether the target machine is a NAT access device, a smart phone device, a portable WIFI access device, a free WIFI access device, etc. Its advantage is that it can more accurately discover some smart phones and portable WIFI access, and can more accurately identify routing devices and wireless AP access through NAT. It has the following disadvantages: a scanning host must be deployed, which brings a new risk point to the intranet; if the external host is only used as a network springboard, without routing forwarding and NAT functions, it is not possible to determine whether it is externally connected; and the solution needs to send data packets to the internal network, which causes communication interference to the original internal network.

[0008] The existing outreach monitoring solution based on data monitoring detects by bypass monitoring and analyzing data packets inside the network, and is suitable for networks with a public network egress (such as the Internet). Special fields are used to judge and distinguish portable WIFI access, smart phone access and NAT device access. Its advantage is that it can more accurately discover some smart phones and portable WIFI access, and can more accurately identify NAT access devices. It has the following disadvantages: the coverage of the monitoring data determines its detection range, so there are false negatives; it is suitable for networks with public egress links and is not suitable for use as an inspection tool; and due to limited detection technology, there is a possibility of false negatives.


Examples


Embodiment

[0037] An illegal outreach monitoring method based on similarity analysis of wireless and wired data streams, in which monitoring is performed by an illegal outreach monitoring device fitted with a wireless communication module, comprising the following steps:

[0038] Step 1. Set a mirror port on the intranet switch to be monitored, and mirror all intranet data to the illegal outreach monitoring device;

[0039] Step 2. The illegal outreach monitoring device receives all internal network traffic data;

[0040] Step 3. When a host is preliminarily determined to be a suspicious external host, record all its network communication data;

[0041] Step 4. Analyze the characteristics of the network communication of the suspicious external host, and use the following method to construct its network communication model:

[0042] Step (1), data preprocessing: filter all recorded network communication data, and convert the data stream into a feature vector including a time feature vector and a space featu...


Abstract

The invention discloses an illegal external connection monitoring method based on wireless and wired data flow similarity analysis, which uses illegal external connection monitoring equipment provided with a wireless communication module to perform the monitoring, and comprises the following steps: mirroring all internal network data to the illegal external connection monitoring equipment; the illegal external connection monitoring device receiving all internal network flow data; recording all network communication data; performing feature analysis on the network communication and constructing a network communication model of it; the illegal external connection monitoring device receiving all wireless network flow data; recording all encrypted wireless network communication data between the two; performing feature analysis on the encrypted wireless network communication and constructing a network communication model of it; and comparing the two network communication models and judging, according to their similarity, whether an illegal external connection exists. According to the invention, the wired network communication model and the wireless network communication model are compared, so that illegal external connection behaviors can be accurately monitored in real time.
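An added example of the comparison step the abstract describes (not code from the patent or its owner): because the wireless payload is encrypted, only frame timing and sizes can be compared with the mirrored wired traffic. The per-window byte profile, the Pearson correlation, the 0.8 threshold, the function names and the sample packets are all assumptions constructed for this example; the page does not give the patent's actual features or similarity measure.

```python
import math

# Constructed sample data: (timestamp_seconds, frame_bytes) tuples.
# WIRED: a suspicious host's traffic as seen on the switch mirror port.
WIRED = [(0.10, 1500), (0.15, 1500), (0.20, 900), (2.30, 400), (4.05, 1500),
         (4.10, 1500), (4.12, 1500), (7.50, 200), (9.20, 1200)]
# WIFI_A: encrypted frames of one station/AP pair; here the same bursts,
# 20 ms later and 70 bytes larger (assumed link-layer/encryption overhead).
WIFI_A = [(ts + 0.02, size + 70) for ts, size in WIRED]
# WIFI_B: an unrelated station/AP pair with its own burst pattern.
WIFI_B = [(1.5, 1400), (1.6, 1400), (3.2, 800), (5.5, 1400),
          (5.6, 1400), (6.1, 300), (8.4, 1000)]

def time_profile(packets, t0, t1, window=1.0):
    """Bytes observed per time window over [t0, t1)."""
    n = math.ceil((t1 - t0) / window)
    bins = [0.0] * n
    for ts, size in packets:
        if t0 <= ts < t1:
            bins[min(int((ts - t0) / window), n - 1)] += size
    return bins

def pearson(a, b):
    """Pearson correlation; 0.0 when either profile is flat."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0

def flow_similarity(wired, wireless, t0, t1, window=1.0):
    """Similarity of the wired and wireless time profiles, in [-1, 1]."""
    return pearson(time_profile(wired, t0, t1, window),
                   time_profile(wireless, t0, t1, window))

def flag_external_connection(wired, wireless, t0, t1, threshold=0.8):
    """True when the two profiles match closely (threshold is an assumption)."""
    return flow_similarity(wired, wireless, t0, t1) >= threshold

if __name__ == "__main__":
    for name, wifi in (("WIFI_A", WIFI_A), ("WIFI_B", WIFI_B)):
        print(name, round(flow_similarity(WIRED, wifi, 0, 10), 3),
              flag_external_connection(WIRED, wifi, 0, 10))
```

The flat-profile guard in `pearson` matters in practice: a wireless pair sending constant keep-alive traffic has zero variance and must not raise a division error or be scored as a match.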

Description

Technical field

[0001] The invention relates to an illegal outreach monitoring method, in particular to an illegal outreach monitoring method based on similarity analysis of wireless and wired data streams.

Background technique

[0002] For the isolated intranet of the industrial control system, illegal outreach has always been the top priority of the integrity protection of the network boundary because of its huge harm. With the popularization of smart phones and 4G / 5G technology, the main manifestation of illegal outreach is outreach through smart phones (4G / 5G), which is more convenient, faster and lower in cost than the early telephone dialing. The most common way is to connect a terminal computer that is connected to the intranet to the personal hotspot opened by a smartphone through wireless WIFI, which brings unpredictable security risks to the original internal network. At present, there are mainly the following technical solutions for monitoring illegal outreach...


Application Information

IPC(8): H04L29/06, G06K9/62
CPC: H04L63/1408, G06F18/23, G06F18/22
Inventor: 欧晓聪, 龚海澎, 王庭宇
Owner 四川英得赛克科技有限公司