A method and system for detecting and blocking terminal direct connection behavior

By combining the Netlink protocol and ARP scanning, the network card status is monitored in real time and multiple rounds of verification are performed. This solves the problems of dynamic adaptability and security of direct-connection technology for terminals in enterprise network security, achieving accurate identification and automatic blocking, and improving protection efficiency and security.

CN121509067BActive Publication Date: 2026-07-14中孚安全技术有限公司

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
中孚安全技术有限公司
Filing Date
2025-12-10
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing direct-connection technology for terminals has poor dynamic adaptability and insufficient security in enterprise network security. It is difficult to achieve real-time monitoring and automated blocking, and there is a risk of data leakage.

Method used

By monitoring the network card status through the Netlink protocol, combined with ARP scanning and multi-round verification mechanisms, the system can capture direct network cable connection behavior in real time. By comparing the MAC vendor prefix checksum with the device fingerprint database, it can accurately identify and block or allow connections based on the risk level.

Benefits of technology

It enables accurate identification of direct network cable connections in complex network topologies, provides dynamic adaptive protection, improves identification accuracy and security, reduces the risk of data leakage, and meets the real-time protection needs of enterprises.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121509067B_ABST
    Figure CN121509067B_ABST
Patent Text Reader

Abstract

The application relates to the field of direct connection detection, and provides a terminal direct connection behavior detection and blocking method and system. The method comprises the following steps: after detecting a network card insertion action, starting ARP scanning, sending an RTM_GETADDR message to a kernel by using Netlink, extracting an IP address, a subnet mask and a gateway address bound by the network card, calculating an IP address range and a host quantity in a local area network, and cyclically sending ARP message detection to all IP addresses and entering an ARP cache table; reading a MAC address in the ARP cache table and filtering invalid MAC addresses; if after filtering, there is only one valid MAC in the ARP table of the network card after multiple ARP scanning, the network line is directly connected; after detecting the network line direct connection, checking a MAC address manufacturer prefix according to a MAC database and a device fingerprint database entered in advance, and excluding intermediate device camouflage attacks; judging a risk level of the device directly connected with the network line, and blocking, alarming or releasing according to different risk levels.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of direct connection detection technology, and in particular to a method and system for detecting and blocking direct connection behavior of terminals. Background Technology

[0002] The statements in this section are merely background information related to the present invention and do not necessarily constitute prior art.

[0003] In enterprise network security scenarios, the practice of internal employees bypassing firewalls and directly connecting terminal devices to external devices via network cables has become a significant risk factor for sensitive data breaches. Because such unauthorized connections operate outside the oversight of the enterprise's security system, they can lead to the illegal theft or transmission of sensitive content such as core business data and customer information, causing severe economic losses and reputational damage to the enterprise. Therefore, accurately identifying the actual topology of the enterprise's internal network, dynamically monitoring the network communication behavior of terminal devices in real time, and proactively blocking unauthorized connections before data breaches or other security threats occur have become critical needs that urgently need to be addressed in the field of enterprise network security.

[0004] Currently, the technology for direct communication between terminal devices via network cables primarily relies on the synergy of physical layer connections and network protocols to complete data transmission. This type of technology exhibits several characteristics. At the physical connection level, a physical link can be directly established between two devices using crossover or straight-through network cables. The stability of the physical link itself ensures low-latency, high-bandwidth transmission quality, demonstrating reliable physical layer direct connection performance. Regarding network configuration, this technology typically employs static configuration methods, manually setting network parameters such as IP addresses and subnet masks, without relying on dynamic address allocation protocols like DHCP. Therefore, it has certain applicability in fixed scenarios such as industrial control equipment interconnection and emergency file transfer. In terms of connection status determination, the ARP protocol provides a lightweight technical basis for identifying direct connections. By analyzing the device's ARP cache table, it is possible to quickly verify whether a single target MAC address exists in the communication link between two devices, thereby assisting in determining whether a direct connection is established. Meanwhile, with the development of interface technology, the USB-C interface can also transmit Ethernet signals through alternative modes to achieve high-speed direct communication between devices. Currently, security protection for such scenarios mainly focuses on monitoring mobile storage media such as USB flash drives and external hard drives, thereby achieving indirect protection of sensitive data.

[0005] However, existing direct-connection technologies and associated security solutions for terminals have revealed numerous objective shortcomings in practical applications, making it difficult to meet the dynamic and automated security protection needs of enterprises. Firstly, they suffer from poor dynamic adaptability. Existing technologies are weak in their ability to perceive changes in network topology. When terminal device connections are adjusted or the network environment changes, they cannot adaptively identify and configure, requiring manual intervention to update the status, significantly reducing protection efficiency. Secondly, they have inherent security deficiencies. Existing direct-connection technologies generally lack strict authentication and access control mechanisms, allowing external devices to easily access internal enterprise terminals. This makes data transmission vulnerable to attacks such as eavesdropping and tampering, resulting in significant security vulnerabilities. Summary of the Invention

[0006] To address the technical problems mentioned above, this invention provides a method and system for detecting and blocking direct connection behavior of terminals. This invention employs a hierarchical judgment mechanism involving physical layer monitoring, ARP scanning verification, and multi-round verification. First, it relies on the Netlink protocol to capture the network card insertion / removal status in real time, ensuring that subsequent detection is initiated only in scenarios with valid physical connections. During the ARP scanning phase, binary operations and the ipcalc command are combined to accurately pinpoint the network segment range, and a 10ms timeout mechanism ensures detection efficiency and accuracy. The core judgment stage effectively avoids misjudgments caused by unstable communication during the initial device startup by filtering invalid MAC addresses and performing two rounds of repeated scanning with a 3-second interval. Combined with MAC vendor prefix verification and device fingerprint database comparison, it can accurately identify spoofing attacks such as ARP spoofing, while excluding non-direct connection scenarios such as gateway routing. This significantly improves the accuracy of direct connection behavior judgment, enabling precise location even in complex network topologies.

[0007] To achieve the above objectives, the present invention adopts the following technical solution:

[0008] The first aspect of the present invention provides a method for detecting and blocking direct connection behavior of a terminal.

[0009] A method for detecting and blocking direct connection behavior of a terminal includes:

[0010] It establishes communication with the kernel routing subsystem using the Netlink socket of the Linux system, and monitors the plugging / unplugging status and carrier status of all network cards on the device in real time;

[0011] When a network card insertion is detected, an ARP scan is initiated. Netlink sends an RTM_GETADDR message to the kernel to extract the IP address, subnet mask, and gateway address bound to the network card. This is used to calculate the range of IP addresses and the number of hosts within the same local area network. ARP packets are then sent to all IP addresses in a loop to probe and record the data in the ARP cache table.

[0012] Read the MAC addresses in the ARP cache table and filter invalid MAC addresses; if, after filtering, only one valid MAC address is found in the network card's ARP table after multiple ARP scans, it is determined to be a direct connection of the network cable; after detecting a direct connection of the network cable, check the MAC address manufacturer prefix based on the pre-entered MAC database and device fingerprint database to eliminate intermediate device spoofing attacks.

[0013] Determine the risk level of devices directly connected to the network cable, and block, alarm, or allow access based on different risk levels.

[0014] Further, calculate the IP address range within the same local area network (LAN); methods include: converting the IP address and subnet mask into binary, and then calculating the network address and broadcast address within the same LAN through AND / OR operations; calculating the IP address range within the same LAN based on the network address and broadcast address; or, directly calling the ipcalc command to obtain the IP address range within the same LAN.

[0015] Furthermore, the invalid MAC addresses include statically bound MAC addresses and MAC addresses that have expired and become invalid.

[0016] Furthermore, the device fingerprint database is a database used to store and analyze network device feature information. By collecting device MAC addresses as unique feature fingerprint information for unique devices, it is used for device identification, classification, and behavior analysis.

[0017] Furthermore, based on different risk levels, blocking, alerting, or allowing passage will be implemented; methods include:

[0018] If the risk level is high, the networks of both parties will be blocked, communication will not be allowed, and an alarm message will be generated; the blocking methods include dynamically injecting iptables or nftables DROP rules via netfilter.

[0019] If the risk level is medium, an alarm log will be generated and stored.

[0020] If the risk level is low, proceed directly.

[0021] Furthermore, the direct connection via Ethernet cable can be enabled or disabled. When disabled, all configurations are cleared, including sending messages to the kernel to interrupt the monitoring of the network card status and clearing netfilter blocking rules. When enabled, the link status is continuously monitored, and the corresponding blocking rules are automatically deleted when the network card is unplugged or disabled.

[0022] A second aspect of the present invention provides a system for detecting and blocking direct connection behavior of a terminal.

[0023] A system for detecting and blocking direct terminal connection behavior, comprising:

[0024] The network interface card (NIC) status monitoring module is configured to establish communication with the kernel routing subsystem via the Netlink socket of the Linux system, and monitor the insertion / removal status and carrier status of all NICs on the device in real time.

[0025] The calculation and ARP scanning module is configured to: when a network card insertion action is detected, start ARP scanning, use Netlink to send an RTM_GETADDR message to the kernel to extract the IP address, subnet mask and gateway address bound to the network card, calculate the range of IP addresses and the number of hosts in the same local area network, and send ARP packets to all IP addresses in a loop to probe and enter the ARP cache table.

[0026] The network cable direct connection detection module is configured to: read the MAC address in the ARP cache table and filter invalid MAC addresses; if, after filtering, after multiple ARP scans, there is only one valid MAC address in the network card's ARP table, then it is determined to be a network cable direct connection; after detecting a network cable direct connection, it checks the MAC address manufacturer prefix based on the pre-entered MAC database and device fingerprint database to eliminate intermediate device spoofing attacks.

[0027] The risk engine assessment module is configured to determine the risk level of devices directly connected to the network cable and to block, alarm, or allow access based on the different risk levels.

[0028] A third aspect of the present invention provides a computer device comprising:

[0029] A processor, adapted to execute computer programs;

[0030] A computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the method for detecting and blocking direct terminal connection behavior as described in the first aspect above.

[0031] A fourth aspect of the present invention provides a computer-readable storage medium storing a computer program adapted to be loaded by a processor and to execute steps in the method for detecting and blocking direct terminal connection behavior as described in the first aspect above.

[0032] The fifth aspect of the present invention provides a computer program product or computer program.

[0033] This invention provides a computer program product or computer program including computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes the computer instructions, causing the computer device to perform the steps of the terminal direct connection behavior detection and blocking method described in the first aspect above.

[0034] Compared with the prior art, the beneficial effects of the present invention are:

[0035] This invention establishes a native communication channel between the Linux system's Netlink sockets (AF_Netlink) and the kernel routing subsystem (Netlink_ROUTE protocol), enabling real-time capture of network card insertion / removal actions and carrier state changes, ensuring the immediacy of physical layer connection awareness. Based on a fast scanning strategy using the ARP protocol, combined with a 10ms timeout response design, it can quickly locate active devices within the network segment and obtain ARP information, achieving rapid identification of direct connection behavior. Combined with the dynamic rule injection capabilities of the Netfilter protocol stack, it can issue iptables or nftables DROP blocking rules in real time for illegal direct connection behavior, achieving zero-delay response to threats. The synergistic use of kernel communication, ARP protocol processing, and the Netfilter protocol stack forms a complete real-time closed loop from state awareness and behavior recognition to threat blocking, effectively avoiding the problems of missed detection and delayed handling of direct connection behavior.

[0036] This invention allows users to pre-enter information on legitimate directly connected devices through a preset whitelist configuration. While the system enables global monitoring of direct network connections, it can automatically allow communication requests between terminals and devices in the whitelist, thus ensuring network security and meeting the diverse business needs of enterprises, achieving a precise balance between security protection and business efficiency.

[0037] This invention constructs a dual authentication barrier by pre-entering MAC vendor characteristic prefixes (such as the switch-specific 00:00:0C prefix) and a device fingerprint database containing the device's unique MAC identifier. During the direct connection determination phase, the MAC information of the access device is compared with the database data to accurately verify the device's identity and legitimacy. This can quickly identify and block spoofing attacks implemented through ARP spoofing, fundamentally improving the anti-interference capability of direct connection detection and ensuring the reliability and stability of the protection system. Attached Figure Description

[0038] The accompanying drawings, which form part of this invention, are used to provide a further understanding of the invention. The illustrative embodiments of the invention and their descriptions are used to explain the invention and do not constitute an improper limitation of the invention.

[0039] Figure 1This is a flowchart illustrating the method for detecting and blocking direct terminal connection behavior according to an embodiment of the present invention;

[0040] Figure 2 This is a flowchart of one embodiment of the method for detecting and blocking direct terminal connection behavior shown in this invention;

[0041] Figure 3 This is a structural diagram of a system for detecting and blocking direct terminal connection behavior, as shown in an embodiment of the present invention.

[0042] Figure 4 This is a structural diagram of a computer device shown in an embodiment of the present invention. Detailed Implementation

[0043] The present invention will be further described below with reference to the accompanying drawings and embodiments.

[0044] It should be noted that the following detailed description is illustrative and intended to provide further explanation of the invention. Unless otherwise specified, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains.

[0045] It should be noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of exemplary embodiments according to the invention. As used herein, the singular form is intended to include the plural form as well, unless the context clearly indicates otherwise. Furthermore, it should be understood that when the terms "comprising" and / or "including" are used in this specification, they indicate the presence of features, steps, operations, devices, components, and / or combinations thereof.

[0046] As introduced in the background technology, existing technologies and supporting security solutions for direct connection of terminals via network cables suffer from poor dynamism and low security. In addition, existing technologies and supporting security solutions for direct connection of terminals via network cables also have the following problems: (1) Low degree of automation. Monitoring of direct connection communication behavior relies mainly on manual inspection or post-event log analysis, making it difficult to achieve real-time monitoring and threat warning, and even more difficult to trigger automated blocking response, resulting in serious lag in the discovery and handling of security threats. (2) Low topology identification accuracy. In encrypted communication scenarios or complex interconnected topologies of multiple devices, existing identification methods based on ARP cache analysis and other technologies are prone to misjudgment or omission, and cannot accurately locate illegal direct connection nodes. (3) Obvious lack of control. Existing security strategies mostly target mobile storage media connected via USB-C interface for control, but lack effective monitoring means for communication links established directly via network cables. This allows employees to bypass security supervision through direct connection via network cables and directly achieve illegal transmission of sensitive data, making it difficult to effectively curb the risk of data leakage.

[0047] To address at least one of the aforementioned technical problems, the present invention provides a method and system for detecting and blocking direct connection behavior of terminals. The technical solution of the present invention will be described in detail below through several embodiments.

[0048] Figure 1 This is a flowchart illustrating a method for detecting and blocking direct terminal connection behavior according to an embodiment of the present invention; see also... Figure 1 The method includes:

[0049] It establishes communication with the kernel routing subsystem using the Netlink socket of the Linux system, and monitors the plugging / unplugging status and carrier status of all network cards on the device in real time;

[0050] When a network card insertion is detected, an ARP scan is initiated. Netlink sends an RTM_GETADDR message to the kernel to extract the IP address, subnet mask, and gateway address bound to the network card. This is used to calculate the range of IP addresses and the number of hosts within the same local area network. ARP packets are then sent to all IP addresses in a loop to probe and record the data in the ARP cache table.

[0051] Read the MAC addresses in the ARP cache table and filter invalid MAC addresses; if, after filtering, only one valid MAC address is found in the network card's ARP table after multiple ARP scans, it is determined to be a direct connection of the network cable; after detecting a direct connection of the network cable, check the MAC address manufacturer prefix based on the pre-entered MAC database and device fingerprint database to eliminate intermediate device spoofing attacks.

[0052] Determine the risk level of devices directly connected to the network cable, and block, alarm, or allow access based on different risk levels.

[0053] In some embodiments, the physical layer and network interface card (NIC) status are detected and monitored: This relies on the Linux system's Netlink socket (AF_Netlink) to communicate with the kernel routing subsystem (Netlink_ROUTE protocol) to achieve efficient and native NIC status acquisition and monitoring. The Linux kernel's RTMGRP_LINK (link-state multicast) event is registered via the Netlink protocol (AF_Netlink socket). Netlink listens for and acquires the NIC's carrier status, which is directly reflected by the kernel through the IFF_RUNNING flag. Real-time monitoring of NIC insertion / removal events is performed, supporting the detection of multiple NICs. ARP scanning is only enabled after a NIC insertion is detected.

[0054] In some embodiments, ARP scanning is enabled: Netlink communicates with the kernel, and the IPv4 / IPv6 address, subnet mask, and gateway address bound to the network card are extracted using the RTM_GETADDR message. The IP address range and number of hosts within the same local area network are calculated based on the IP address and subnet mask. There are two calculation methods: (a) Convert the IP address and subnet mask to binary, and then calculate the address range within the same network segment using AND / OR operations: Network address = IP address & subnet mask (binary AND operation); Broadcast address = Network address | Subnet mask inverse (binary OR operation); IP address range = (Network address + 1) ~ (Broadcast address - 1). (b) Use the ipcalc command, for example: ipcalc 192.168.1.100 / 25 directly outputs the result. ARP packets are sent to all IP addresses in a loop, with a timeout of 10ms for each IP. No reply within the timeout period indicates that the IP is not in use. ARP listening is also performed, and the ARP information of the replies is recorded.

[0055] In some embodiments, ARP entry analysis involves reading the ARP cache table ( / proc / net / arp or NetlinkRTM_GETNEIGH) and extracting all MAC addresses that have responded to the previous ARP scan. Invalid MAC addresses are filtered out, including statically bound MAC addresses and MAC addresses that have timed out (default retention time is 300 seconds). After filtering, if the network card's ARP table shows exactly one valid MAC address, it indicates a direct connection has been detected. Upon detecting a direct connection, a decision cannot be made immediately; two more ARP scans are performed, with a 3-second interval. If only one valid MAC address is found, the connection is confirmed as direct. This method prevents false positives caused by devices establishing communication immediately after startup.

[0056] In some embodiments, the legitimacy check involves detecting a direct network cable connection and then checking the MAC address vendor prefix (e.g., switch MAC addresses begin with 00:00:0C) based on a pre-recorded MAC database and device fingerprint database to rule out spoofing attacks from intermediate devices. The device fingerprint database is a database that stores and analyzes network device characteristic information. It creates unique "fingerprints" by collecting various device attributes for device identification, classification, and behavior analysis. The MAC address is the unique characteristic information of the device. The check also determines whether the MAC address is the gateway's address. A gateway MAC address does not necessarily indicate a direct connection, as gateway addresses are used for cross-network segment routing, not for devices within the local area network, and therefore direct connections are not possible.

[0057] In some embodiments, risk levels and whitelists are used: Upon detecting a direct network connection, a response is required. Different devices exhibit different risk levels for direct network connections, each corresponding to a different action. The risk level of the directly connected device is determined based on an existing whitelist, currently categorized into three levels: high risk, medium risk, and low risk. High risk involves blocking both networks, preventing communication, and generating an alarm log. The blocking is real-time; it occurs immediately upon the occurrence of a direct network connection, ensuring information security and preventing leakage. The blocking scheme involves dynamically injecting iptables or nftablesDROP rules via netfilter (e.g., iptables -A FORWARD -s target IP -j DROP). Medium risk does not interrupt communication but generates an alarm log, which is stored in an sqlite3 database for long-term retention. Low risk neither blocks communication nor generates an alarm log, allowing direct access. Different devices have different risk levels, providing clear distinctions and avoiding a "one-size-fits-all" approach, resulting in more flexible management.

[0058] In some embodiments, audit logs support compliance: Audit logs record device information for direct connection activities, including device serial number, MAC address, IP address, computer name, account information, time of occurrence of the direct connection activity, processing result (blocking / allowing), and processing time. This information is stored in the database in real time and displayed in a pop-up window in the lower right corner to promptly notify the operations and maintenance administrator. If the issue exists on the management end, it will be promptly reported to the management end. Log formats support JSON and XML output, meeting compliance requirements such as ISO27001 and GDPR, and supporting interoperability with various management platforms.

[0059] In some embodiments, the automatic recovery mechanism includes: Direct connection via Ethernet cable can be enabled and disabled. Disabling it clears all configurations, including sending a message to the kernel to interrupt network card status monitoring and clearing netfilter blocking rules to prevent wasting system resources. Enabling it continuously monitors the link status, and automatically deletes corresponding blocking rules when the network card is unplugged or disabled. Policy rollback is supported; if blocking rules conflict with the device, the device's functionality takes precedence, automatically restoring the default configuration without hindering normal device operation.

[0060] Figure 2 This is a flowchart of one embodiment of the method for detecting and blocking direct terminal connection behavior shown in this invention; see also... Figure 2 The various stages are closely linked to form a closed-loop management system, including the following steps:

[0061] Step 1: Network Card Status Monitoring. This step establishes communication between the Linux system's Netlink socket (AF_Netlink) and the kernel routing subsystem (Netlink_ROUTE protocol). By registering the kernel RTMGRP_LINK link status multicast event, it monitors the insertion / removal status and carrier status of all network cards on the device in real time. The kernel directly reflects the carrier status through the IFF_RUNNING flag. This step supports multi-network card status detection, and subsequent processes are only triggered when a network card insertion action is detected.

[0062] After the network card is inserted, the process enters the network segment IP calculation stage in steps 2 and 3. The system uses Netlink to send an RTM_GETADDR message to the kernel to extract the IPv4 / IPv6 address, subnet mask, and gateway address bound to the network card. Then, it calculates the IP address range and the number of hosts within the same local area network using two methods: First, it converts the IP address and subnet mask to binary, performs an AND operation to obtain the network address, and an OR operation to obtain the broadcast address, thus determining the IP address range as the network address plus 1 to the broadcast address minus 1; second, it directly calls the ipcalc command (such as ipcalc 192.168.1.100 / 25) to quickly output the results.

[0063] Steps 4 to 6 constitute the ARP scanning phase, employing a collaborative mode of active probing and passive listening: the system cyclically sends ARP packets to all calculated IP addresses, setting a timeout of 10ms for each IP; if no response is received within the timeout period, the IP is determined to be unused; simultaneously, the ARP listening function is enabled, synchronously recording all responding ARP information to provide data support for subsequent table entry analysis.

[0064] Steps 7 to 12 constitute the core logic for determining a direct network connection, ensuring identification accuracy through multiple rounds of verification and validity checks. In step 8, the system reads the ARP cache table (source: / proc / net / arp or Netlink RTM_GETNEIGH), extracts the reply MAC address obtained from the previous scan, filters out statically bound and timed-out (default 300s) invalid MAC addresses, and if the number of ARP entries for the network card is unique, a direct connection is initially determined to be possible. To avoid misjudgments caused by communication establishment during the initial device startup, the system will repeat the ARP scan twice at 3-second intervals. Only when both scan results meet the "unique ARP entries" condition will the direct connection be confirmed. Steps 9 and 10 further strengthen the legitimacy check: the MAC address vendor prefix is ​​verified through the pre-entered MAC database (e.g., switch MAC addresses start with 00:00:0C), and the device fingerprint database (with MAC address as the core feature) is used to eliminate intermediate device spoofing attacks; at the same time, it is determined whether the MAC address is the gateway address. If it is the gateway address, direct connection is excluded - because the gateway needs to undertake cross-network segment routing function and does not belong to the directly connected devices within the local area network.

[0065] In the risk engine assessment phase of steps 13 and 14, directly connected devices are rated for risk based on a preset whitelist, categorized into high, medium, and low levels. Different levels correspond to different handling strategies to avoid a "one-size-fits-all" approach. Specifically, steps 15 to 21, for high-risk levels, dynamically inject iptables or nftables DROP rules (such as iptables -A FORWARD -s target IP -j DROP) via netfilter to block communication between the two parties in real time, ensuring no leakage of sensitive data without delay, and generating alarm logs. Steps 22 to 24, for medium-risk levels, do not interrupt communication but record detailed audit logs and store them in the sqlite3 database to provide a basis for subsequent tracing and investigation. Steps 25 to 26, for low-risk levels, directly allow communication without logging, ensuring normal business efficiency.

[0066] Steps 27 to 30 visualize the processing results, clearly displaying all direct connection behaviors and corresponding processing actions on the UI page to ensure that the entire operation is traceable.

[0067] Steps 31 to 33 constitute the resource reclamation phase: When the network card is detected to be unplugged or disabled, the system automatically clears the previously configured netfilter blocking rules, interrupts the network card status monitoring process, and releases the occupied system resources. At this point, the entire detection and control process is completed in a closed loop.

[0068] After the method described in this embodiment is applied, when a machine wants to directly connect to the computer terminal via a network cable, the machine equipped with the network cable direct connection detection function will immediately detect the direct connection behavior as soon as the network cable is plugged in, and will provide feedback according to the actual configuration policy. If it is not on the whitelist and is of high risk, the network will be immediately disconnected, and the connection will fail when attempting to directly connect to copy files.

[0069] This invention significantly improves topology identification accuracy and direct connection determination accuracy. Through a hierarchical determination mechanism involving physical layer monitoring, ARP scanning verification, and multi-round verification, it leverages the Netlink protocol to capture network card insertion / removal status in real time, ensuring targeted detection triggers. The ARP scanning phase combines binary operations and the ipcalc command to accurately pinpoint the network segment range, while a 10ms timeout mechanism ensures detection efficiency. The core determination process avoids false positives during device startup by filtering invalid MAC addresses and performing two rounds of repeated scanning at 3-second intervals. Combined with MAC vendor prefix verification and device fingerprint database comparison, it eliminates spoofing attacks and gateway routing issues, thus accurately locating direct connection behavior even in complex network topologies, completely solving the problems of false positives and false negatives in existing technologies. Simultaneously, this technology achieves dynamic adaptation and fully automated protection. Based on the native communication capabilities between Netlink and the kernel, it perceives network changes in real time, completing the entire process from network segment calculation to threat handling without manual intervention. Blocking high-risk direct connection behavior is executed in real time through dynamic rule injection via netfilter, transforming threat handling from reactive remediation to proactive blocking, significantly reducing reliance on manual intervention while improving protection efficiency. In terms of security protection, this invention breaks through the limitations of existing control measures that only target USB-C mobile media. It constructs full lifecycle protection for direct network cable connections, forming a complete security closed loop through multiple mechanisms such as authentication, access control, and risk classification. High-risk data leakage is blocked in real time to curb it at the source, while medium-risk data leakage is logged to provide evidence for tracing, filling the gap in the control of direct network cable connections. In addition, this invention optimizes resource usage through an on-demand startup mechanism, automatically releasing resources when the network card is removed or its function is turned off. The policy rollback mechanism ensures that normal business is prioritized when there is a conflict with device functions, achieving a balance between security and efficiency. The audit logs, which cover all information, support multi-format output, comply with compliance standards, and, together with real-time notifications and visualization, make security incidents fully traceable and verifiable, providing strong support for enterprise security management and compliance auditing.

[0070] The above combination Figure 1 The method for detecting and blocking direct connection behavior of terminals provided in the embodiments of the present invention has been described in detail. Next, the system for detecting and blocking direct connection behavior of terminals provided in the embodiments of the present invention will be described in conjunction with the accompanying drawings.

[0071] See attached document Figure 3The diagram illustrates a system architecture for detecting and blocking direct terminal connection behavior according to an embodiment of the present invention. The system includes the following components:

[0072] The network interface card (NIC) status monitoring module is configured to establish communication with the kernel routing subsystem via the Netlink socket of the Linux system, and monitor the insertion / removal status and carrier status of all NICs on the device in real time.

[0073] The calculation and ARP scanning module is configured to: when a network card insertion action is detected, start ARP scanning, use Netlink to send an RTM_GETADDR message to the kernel to extract the IP address, subnet mask and gateway address bound to the network card, calculate the range of IP addresses and the number of hosts in the same local area network, and send ARP packets to all IP addresses in a loop to probe and enter the ARP cache table.

[0074] The network cable direct connection detection module is configured to: read the MAC address in the ARP cache table and filter invalid MAC addresses; if, after filtering, after multiple ARP scans, there is only one valid MAC address in the network card's ARP table, then it is determined to be a network cable direct connection; after detecting a network cable direct connection, it checks the MAC address manufacturer prefix based on the pre-entered MAC database and device fingerprint database to eliminate intermediate device spoofing attacks.

[0075] The risk engine assessment module is configured to determine the risk level of devices directly connected to the network cable and to block, alarm, or allow access based on the different risk levels.

[0076] In some embodiments, calculating the IP address range within the same local area network includes: converting the IP address and subnet mask into binary, and then calculating the network address and broadcast address within the same local area network through AND-OR operations; calculating the IP address range within the same local area network based on the network address and broadcast address; or, directly calling the ipcalc command to obtain the IP address range within the same local area network.

[0077] In some embodiments, the invalid MAC address includes statically bound MAC addresses and MAC addresses that have expired.

[0078] In some embodiments, the device fingerprint database is used to store and analyze network device feature information. By collecting device MAC addresses as unique feature fingerprint information for unique devices, it is used for device identification, classification, and behavior analysis.

[0079] In some embodiments, blocking, alarming, or allowing access is performed based on different risk levels; including: if the risk level is high, blocking the networks of both parties, disallowing communication, and generating alarm information; the blocking method includes dynamically injecting iptables or nftablesDROP rules via netfilter; if the risk level is medium, generating and storing alarm logs; if the risk level is low, allowing access directly.

[0080] In some embodiments, direct connection via Ethernet cable can be enabled or disabled. When disabled, all configurations are cleared, including sending a message to the kernel to interrupt the monitoring of the network card status and clearing netfilter blocking rules. When enabled, the link status is continuously monitored, and the corresponding blocking rules are automatically deleted when the network card is unplugged or disabled.

[0081] The system for detecting and blocking direct terminal connections according to embodiments of the present invention can correspond to the execution of the method described in the embodiments of the present invention, and the above and other operations and / or functions of each module of the system for detecting and blocking direct terminal connections are respectively for implementing Figure 1 For the sake of brevity, the corresponding processes of each method in the code will not be elaborated here.

[0082] See Figure 4 The diagram shows the structure of a computer device, which includes a processor, a communication interface, and a computer-readable storage medium. The processor, communication interface, and computer-readable storage medium are connected via a bus or other means. The communication interface is used to receive and send data. The computer-readable storage medium can be stored in the computer device's memory. The computer-readable storage medium stores computer programs, including program instructions, and the processor executes the program instructions stored in the computer-readable storage medium. The processor (or CPU, Central Processing Unit) is the computing and control core of the computer device, adapted to implement one or more instructions, specifically adapted to load and execute one or more instructions to achieve the corresponding steps in the method embodiment for detecting and blocking direct connection behavior of terminals.

[0083] This embodiment provides a computer-readable storage medium (Memory), which is a memory device in a computer device used to store programs and data. It is understood that the computer-readable storage medium here can include both the built-in storage medium in the computer device and extended storage media supported by the computer device. The computer-readable storage medium provides storage space that stores the processing system of the computer device.

[0084] Furthermore, this storage space also contains one or more instructions suitable for loading and execution by the processor. These instructions can be one or more computer programs (including program code). It should be noted that the computer-readable storage medium here can be high-speed RAM memory or non-volatile memory, such as at least one disk storage device; optionally, it can also be at least one computer-readable storage medium located remotely from the aforementioned processor.

[0085] In one embodiment, the computer-readable storage medium stores one or more instructions; the processor loads and executes one or more instructions stored in the computer-readable storage medium to implement the corresponding steps in the above-described method embodiment for detecting and blocking direct connection behavior of terminals.

[0086] This embodiment provides a computer program product or computer program that includes computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes the computer instructions, causing the computer device to perform the corresponding steps in the above-described method embodiment for detecting and blocking direct terminal connections.

[0087] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of hardware embodiments, software embodiments, or embodiments combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.

[0088] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0089] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0090] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0091] Those skilled in the art will understand that all or part of the processes in the above embodiments can be implemented by a computer program instructing related hardware. The program can be stored in a computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. The storage medium can be a magnetic disk, optical disk, read-only memory (ROM), or random access memory (RAM), etc.

[0092] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention. Various modifications and variations can be made to the present invention by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims

1. A method for detecting and blocking direct connection behavior of a terminal, characterized in that, include: It establishes communication with the kernel routing subsystem using the Netlink socket of the Linux system, and monitors the plugging / unplugging status and carrier status of all network cards on the device in real time; When a network card insertion is detected, an ARP scan is initiated. Netlink sends an RTM_GETADDR message to the kernel to extract the IP address, subnet mask, and gateway address bound to the network card. This is used to calculate the range of IP addresses and the number of hosts within the same local area network. ARP packets are then sent to all IP addresses in a loop to probe and record the data in the ARP cache table. Read the MAC addresses from the ARP cache table and filter out invalid MAC addresses; If, after filtering and multiple ARP scans, there is only one valid MAC address in the network card's ARP table, then it is determined that the network cable is directly connected. After detecting a direct network cable connection, the MAC address vendor prefix is ​​checked based on the pre-recorded MAC database and device fingerprint database to rule out intermediate device spoofing attacks. Determine the risk level of devices directly connected to the network cable, and block, alarm, or allow access based on different risk levels.

2. The method for detecting and blocking direct terminal connection behavior according to claim 1, characterized in that, Calculate the range of IP addresses within the same local area network (LAN). Methods include: converting the IP address and subnet mask into binary, then using AND / OR operations to calculate the network address and broadcast address within the same LAN; calculating the range of IP addresses within the same LAN based on the network address and broadcast address; or, directly calling the ipcalc command to obtain the range of IP addresses within the same LAN.

3. The method for detecting and blocking direct terminal connection behavior according to claim 1, characterized in that, The invalid MAC addresses include statically bound MAC addresses and MAC addresses that have expired.

4. The method for detecting and blocking direct terminal connection behavior according to claim 1, characterized in that, The device fingerprint database is a database used to store and analyze the characteristic information of network devices. By collecting the device MAC address, it serves as a unique characteristic fingerprint information for each device, and is used for device identification, classification, and behavior analysis.

5. The method for detecting and blocking direct terminal connection behavior according to claim 1, characterized in that, Depending on the risk level, blocking, alerting, or allowing passage may be implemented; methods include: If the risk level is high, the networks of both parties will be blocked, communication will not be allowed, and an alarm message will be generated; the blocking methods include dynamically injecting iptables or nftables DROP rules via netfilter. If the risk level is medium, an alarm log will be generated and stored. If the risk level is low, proceed directly.

6. The method for detecting and blocking direct terminal connection behavior according to claim 1, characterized in that, Direct connection via Ethernet cable can be enabled or disabled. When disabled, all configurations are cleared, including sending messages to the kernel to interrupt the monitoring of the network card status and clearing netfilter blocking rules. When enabled, the link status is continuously monitored, and the corresponding blocking rules are automatically deleted when the network card is unplugged or disabled.

7. A system for detecting and blocking direct terminal connection behavior, characterized in that, include: The network interface card (NIC) status monitoring module is configured to establish communication with the kernel routing subsystem via the Netlink socket of the Linux system, and monitor the insertion / removal status and carrier status of all NICs on the device in real time. The calculation and ARP scanning module is configured to: when a network card insertion action is detected, start ARP scanning, use Netlink to send an RTM_GETADDR message to the kernel to extract the IP address, subnet mask and gateway address bound to the network card, calculate the range of IP addresses and the number of hosts in the same local area network, and send ARP packets to all IP addresses in a loop to probe and enter the ARP cache table. The network cable direct connection detection module is configured to read the MAC address in the ARP cache table and filter invalid MAC addresses; If, after filtering and multiple ARP scans, there is only one valid MAC address in the network card's ARP table, then it is determined that the network cable is directly connected. After detecting a direct network cable connection, the MAC address vendor prefix is ​​checked based on the pre-recorded MAC database and device fingerprint database to rule out intermediate device spoofing attacks. The risk engine assessment module is configured to determine the risk level of devices directly connected to the network cable and to block, alarm, or allow access based on the different risk levels.

8. A computer device, characterized in that, A processor, adapted to execute computer programs; A computer-readable storage medium storing a computer program, which, when executed by the processor, implements the steps of the method for detecting and blocking direct terminal connection behavior as described in any one of claims 1-6.

9. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program adapted to be loaded by a processor and to execute the steps of the method for detecting and blocking direct terminal connection behavior as described in any one of claims 1-6.

10. A computer program product, characterized in that, The computer program product includes a computer program that, when executed by a processor, implements the steps of the method for detecting and blocking direct terminal connection behavior as described in any one of claims 1-6.