Traffic hijacking detection method and device based on multi-dimensional protocol feature cross-validation

By employing a multi-dimensional protocol feature cross-validation method, network traffic characteristics are monitored in real time and comprehensively evaluated. This solves the problem of false positives and false negatives in existing traffic hijacking detection methods in complex network environments, enabling rapid identification and efficient protection against unknown and novel attacks.

CN122179154APending Publication Date: 2026-06-09NO 15 INST OF CHINA ELECTRONICS TECH GRP

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NO 15 INST OF CHINA ELECTRONICS TECH GRP
Filing Date
2026-02-26
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing traffic hijacking detection methods are ill-equipped to deal with unknown or new types of attacks, and are prone to false positives and false negatives in complex network environments, failing to provide comprehensive attack identification and efficient protection.

Method used

By using a method based on multi-dimensional protocol feature cross-validation, we can monitor the five-tuple information, TTL value, TCP sequence number change pattern and DNS response consistency in network traffic in real time. Combined with the border gateway protocol path, SSL/TLS certificate and hash value of returned content, we can perform comprehensive evaluation and weighted decision-making to quickly identify unknown attacks.

Benefits of technology

It improves the accuracy and response speed of traffic hijacking detection, effectively identifies new types of attacks such as route hijacking, DNS poisoning, and HTTPS tampering, and provides broader and more comprehensive protection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122179154A_ABST
    Figure CN122179154A_ABST
Patent Text Reader

Abstract

Embodiments of the present disclosure provide a traffic hijacking detection method and device based on multi-dimensional protocol feature cross-validation, which comprises: monitoring quintuple information, TTL value, TCP sequence number change pattern and DNS response consistency in network traffic in real time to detect whether the traffic is abnormal; monitoring border gateway protocol path, SSL / TLS certificate and hash value of returned content, and judging whether it is a hijacking event according to the monitoring results and their weights; when a hijacking event or abnormal traffic is detected, triggering an alarm and response measures. The present scheme can realize efficient traffic hijacking detection and quickly identify various new network attacks.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security detection technology, specifically to a traffic hijacking detection method and apparatus based on multi-dimensional protocol feature cross-validation. Background Technology

[0002] With the rapid development of the internet, the methods and means of cyberattacks have become increasingly diversified, especially traffic hijacking attacks. Traffic hijacking is a technique that modifies network traffic or changes routing paths to redirect legitimate data traffic to targets controlled by attackers, thereby achieving various purposes such as information theft, service disruption, and malware propagation. These attacks not only threaten user privacy and data security but also severely impact the stability and reliability of network services.

[0003] Existing traffic hijacking detection methods largely rely on traditional network monitoring technologies, such as traffic pattern analysis, anomaly detection, and signature matching. However, these methods often face the following challenges: 1. As attack techniques continue to evolve, attackers are constantly exploring new hijacking methods, and traditional detection methods based on known attack characteristics are often unable to effectively address unknown or novel attacks. 2. Traffic hijacking attacks involve multiple protocol layers, such as DNS, routing, and HTTPS. Existing detection methods often target a single protocol, making it difficult to provide comprehensive attack identification. 3. Traditional traffic hijacking detection is prone to false positives and false negatives, especially in complex network environments, leading to a decline in user experience and increased maintenance costs.

[0004] Therefore, there is an urgent need for a more efficient and accurate traffic hijacking detection method that can adapt to new attack methods and comprehensively analyze traffic characteristics from multiple dimensions, thereby improving detection accuracy and response speed. Summary of the Invention

[0005] The embodiments described herein provide a traffic hijacking detection method, apparatus, and computer-readable storage medium storing a computer program based on multi-dimensional protocol feature cross-validation. By cross-validating multi-dimensional protocol features, the detection accuracy and adaptability are improved, enabling the detection system to quickly identify unknown attack methods, including novel route hijacking, DNS poisoning, and HTTPS tampering, thus providing broader and more comprehensive protection.

[0006] According to the first aspect of this disclosure, a traffic hijacking detection method based on multi-dimensional protocol feature cross-validation is provided, including: real-time monitoring of five-tuple information, TTL value, TCP sequence number change pattern and DNS response consistency in network traffic to detect whether the traffic is abnormal; monitoring the boundary gateway protocol path, SSL / TLS certificate and hash value of returned content, and determining whether it is a hijacking event based on the monitoring results and their weights; and triggering alarms and response measures when a hijacking event or abnormal traffic is detected.

[0007] In some embodiments of this disclosure, real-time monitoring of five-tuple information, TTL values, TCP sequence number change patterns, and DNS response consistency in network traffic to detect traffic anomalies includes: deploying lightweight probing modules on terminal devices and edge routers to capture network traffic and extract key features; real-time monitoring of five-tuple information in network communication, including source IP address, source port, destination IP address, destination port, and transport protocol, and analyzing whether there are abnormal changes in port traffic; real-time acquisition and tracking of the TTL value of each IP packet, and detecting whether the routing path has been tampered with by detecting fluctuations in the TTL value; monitoring the TCP sequence number of each packet during TCP connection establishment, and detecting whether abnormal patterns occur by analyzing the growth trend of the TCP sequence number; and real-time acquisition of DNS server response information, and detecting whether DNS is poisoned or hijacked by cross-validating the response results of multiple public DNS servers.

[0008] In some embodiments of this disclosure, obtaining the response information of the DNS server in real time and detecting whether DNS is polluted or hijacked by cross-validating the response results of multiple public DNS servers includes: sending the same query request to multiple public DNS servers and obtaining the returned results; for each DNS query, comparing whether the responses from different DNS servers are consistent; if all DNS servers return the same IP address, the response is normal; if the difference between the returned IP addresses is greater than a preset difference threshold, then DNS pollution or hijacking exists.

[0009] In some embodiments of this disclosure, monitoring the border gateway protocol path, SSL / TLS certificate, and hash value of returned content, and determining whether it is a hijacking event based on each monitoring result and its weight, includes: monitoring whether the border gateway protocol routing path is abnormal; if abnormal updates to the border gateway protocol routing path are detected, it is marked as a potential routing hijacking event; checking the server certificate of HTTPS traffic, and determining whether the certificate has been replaced or forged by checking whether the intermediate certificate is missing or whether the certificate authority is on the whitelist; calculating and storing the hash value of the returned content in real time, and comparing the hash value with the baseline data to determine whether the page has been tampered with based on the matching degree; and weighted summing the abnormal detection results of the border gateway protocol path, SSL / TLS certificate, and hash value of returned content to obtain a comprehensive score; if the comprehensive score exceeds a preset threshold, it is determined to be a content hijacking event.

[0010] In some embodiments of this disclosure, monitoring whether the Border Gateway Protocol (BGP) routing path is abnormal, and marking it as a potential route hijacking event if an abnormal update of the BGP routing path is detected, includes: periodically collecting BGP routing update information through a BGP route listener; executing the Traceroute command at preset intervals to record the normal path; comparing the BGP routing update information with the normal path, and determining that the change is abnormal if the number of changes exceeds a preset threshold within a preset time interval.

[0011] In some embodiments of this disclosure, checking the server certificate of HTTPS traffic to determine whether the certificate has been replaced or forged by checking whether the intermediate certificate is missing or whether the certificate authority is on the whitelist includes: obtaining the SSL / TLS certificate of the HTTPS traffic during the TLS handshake process, checking the certificate's issuing authority, validity period, and certificate chain information; maintaining a trusted CA whitelist database, comparing the certificate information with the trusted CA whitelist, and if it is detected that the certificate's issuing authority is not on the whitelist or that there is an anomaly in the certificate chain, then it is determined that the certificate has been replaced or forged.

[0012] In some embodiments of this disclosure, the process of calculating and storing the hash value of the returned content in real time, comparing the hash value with baseline data, and determining whether the page has been tampered with based on the matching degree includes: crawling the HTML, CSS, and JavaScript elements of the page from multiple popular websites and generating a baseline hash value for each website; each time the page is accessed, performing a hash calculation on the returned page content, comparing the hash value of the returned content with the baseline hash value, and determining that the page has been tampered with if the matching degree between the hash value of the returned content and the baseline hash value in the database is lower than a set threshold.

[0013] In some embodiments of this disclosure, when a hijacking event or abnormal traffic is detected, the alarm and response measures include: triggering an alarm when BGP path routing updates are frequent or abnormal; issuing an alarm immediately if an intermediate certificate is missing or the certificate authority is not in the whitelist, and using a man-in-the-middle interception strategy to interrupt the connection with the server; triggering an alarm if the hash value of the returned content matches the baseline hash value in the database less than a set threshold; and periodically optimizing the detection algorithm, updating the feature database, and training and adjusting based on new attack samples.

[0014] According to a second aspect of this disclosure, a traffic hijacking detection device based on multi-dimensional protocol feature cross-validation is provided. The device includes at least one processor and at least one memory storing a computer program. When the computer program is executed by the at least one processor, the device causes the following to occur: monitor in real time the five-tuple information, TTL value, TCP sequence number change pattern, and DNS response consistency in network traffic to detect whether the traffic is abnormal; monitor the boundary gateway protocol path, SSL / TLS certificate, and hash value of the returned content, and determine whether a hijacking event is occurring based on the monitoring results and their weights; and trigger alarms and response measures when a hijacking event or abnormal traffic is detected.

[0015] According to a third aspect of this disclosure, a computer-readable storage medium storing a computer program is provided, wherein the computer program, when executed by a processor, implements the steps of the traffic hijacking detection method based on multidimensional protocol feature cross-validation according to the first aspect of this disclosure.

[0016] The traffic hijacking detection method and apparatus based on multi-dimensional protocol feature cross-validation, according to embodiments of this disclosure, can effectively detect new types of network attacks by real-time monitoring and comprehensive analysis of various network protocol features. By combining technologies such as historical BGP paths, DNS monitoring, HTTPS certificate verification, and a popular website feature database, the system ensures rapid response to various network hijacking events. A weighted decision model comprehensively evaluates the detection results, improving the accuracy and timeliness of judgment, thereby achieving efficient traffic hijacking detection and defense. Attached Figure Description

[0017] The accompanying drawings, which form part of this application, are used to provide a further understanding of the application and to make other features, objects, and advantages of the application more apparent. The illustrative embodiments and descriptions of this application are used to explain the application and do not constitute an undue limitation of the application. In the drawings: Figure 1 An exemplary flowchart is shown for a traffic hijacking detection method based on multidimensional protocol feature cross-validation according to an embodiment of the present disclosure; Figure 2This is a schematic block diagram of a traffic hijacking detection device based on multidimensional protocol feature cross-validation according to an embodiment of the present disclosure. Detailed Implementation

[0018] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort should fall within the scope of protection of the present application.

[0019] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate for the embodiments of this application described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0020] This disclosure proposes a traffic hijacking detection method based on multi-dimensional protocol feature cross-validation, aiming to improve the detection efficiency and accuracy of traffic hijacking through comprehensive analysis of various network protocol features.

[0021] To further explain the embodiments of this disclosure in detail, Figure 1 An exemplary flowchart is shown for a traffic hijacking detection method based on multidimensional protocol feature cross-validation according to an embodiment of the present disclosure.

[0022] exist Figure 1 At box S102, the five-tuple information, TTL value, TCP sequence number change pattern and DNS response consistency in network traffic are monitored in real time to detect whether the traffic is abnormal.

[0023] According to one embodiment of this disclosure, a lightweight detection module is designed to ensure efficient data collection with low network resource consumption during the data acquisition phase. This module can be deployed on terminal devices or installed in edge routers, providing comprehensive support for traffic hijacking detection. The lightweight detection module can capture and analyze network traffic packets and extract key features, especially those specific to traffic hijacking attacks such as DNS hijacking and BGP hijacking, transmitting only valuable data to upper-layer systems or security servers for further processing. For example, the detection module can monitor and collect multi-layer protocol data in the network, including IP, TCP / UDP, DNS, and HTTP / HTTPS protocols. Through traffic classification methods, it monitors different types of traffic in real time, such as data packets, DNS requests, and HTTP requests. After data collection, the module preprocesses the raw data packets, such as protocol parsing, removing duplicate packets, and timestamping, to reduce the burden of transmission and storage. Based on multi-dimensional protocol characteristics, key features that may involve hijacking attacks are extracted. Examples include abnormal DNS request responses, abnormal changes to HTTP request headers, and TCP connection anomalies.

[0024] Specifically, real-time monitoring of network communication involves analyzing the five-tuple information (source IP address, source port, destination IP address, destination port, and transport protocol) to identify any abnormal changes in port traffic. For example, traffic data can be collected using NetFlow or sFlow protocols, the five-tuple information can be extracted, and the real-time traffic can be compared to a normal five-tuple pattern. If frequent changes in certain five-tuple combinations or behaviors inconsistent with normal patterns are detected, an anomaly can be identified.

[0025] The system acquires and tracks the TTL value of each IP packet in real time, detecting fluctuations in the TTL value to identify whether the routing path has been tampered with. For example, the initial TTL value for most hosts might be 64, 128, or 255. The TTL value decreases by 1 with each hop in the network, so the TTL value can be used to infer the origin of the packet and its hop count. If the TTL value is set to a specific starting value and the packets do not decrease normally, or if the TTL value is abnormally low, it may indicate spoofed IP packets or routing loops, leading to abnormal traffic.

[0026] During TCP connection establishment, the TCP sequence number of each packet is monitored, and the growth trend of the TCP sequence number is analyzed to detect abnormal patterns. In normal traffic, the sequence number increments sequentially across different packets within each connection (considering window size and packet size). If the TCP sequence number unexpectedly resets or wraps around within the same connection, it may indicate that the connection was interrupted and re-established or that malicious activity exists (such as a SYN flood attack). If the sequence number changes irregularly or are too close together, it may indicate that packets have been tampered with or forged.

[0027] Real-time acquisition of DNS server response information, and cross-validation of responses from multiple public DNS servers to detect DNS poisoning or hijacking. Normally, for the same DNS query request, the DNS response should be consistent (i.e., the same domain name should resolve to the same IP address). The same query request can be sent to multiple public DNS servers, and the returned results obtained. For each DNS query, the responses from different DNS servers are compared for consistency. If all DNS servers return the same IP address, the response is normal; if the difference between the returned IP addresses exceeds a preset difference threshold, for example, a change exceeding 15% is marked as suspicious poisoning or hijacking. For example, if the DNS resolution of the same domain name returns multiple IP addresses, and these addresses are not properly load-balanced, it may be DNS hijacking. If the resolution result of a domain name changes frequently, it may indicate DNS cache poisoning or a man-in-the-middle attack. If an unusual domain name resolution or DNS record type appears in a DNS response, it should be immediately marked as abnormal traffic.

[0028] Considering that lightweight detection modules require a certain level of computing power when deployed on terminal devices or routers, this module employs edge computing for traffic processing. This means that most analysis tasks are completed at the data source or network edge, reducing the need for data transmission to the cloud or central server, thereby lowering latency. When multiple detection modules are deployed on different terminal devices or edge routers, they work collaboratively through a distributed network to improve the coverage and accuracy of traffic hijacking detection.

[0029] In box S104, monitor the border gateway protocol path, SSL / TLS certificate, and hash value of returned content, and determine whether it is a hijacking event based on the monitoring results and their weights.

[0030] Specifically, monitor Border Gateway Protocol (BGP) routing paths for anomalies. If abnormal updates are detected, mark it as a potential route hijacking event. BGP route update information can be collected periodically using a BGP route listener. At regular intervals (e.g., every hour or 24 hours), execute the Traceroute command to record normal paths. Detect abnormal changes by comparing these records with normal paths. Set a threshold for the number of changes within a short period (e.g., 3 path changes within 10 minutes); if this threshold is exceeded, it is considered abnormal.

[0031] Inspect server certificates in HTTPS traffic to determine if they have been replaced or forged by checking for missing intermediate certificates or if the certificate authority (CA) is on the whitelist. If the certificate authority is not on the whitelist or the certificate chain is abnormal, the certificate is considered replaced or forged. For example, during the TLS handshake, obtain the SSL / TLS certificate from the HTTPS traffic and use the OpenSSL library or Python's ssl module to parse the certificate, checking the issuing authority, validity period, and certificate chain information. Maintain a trusted CA (Certificate Authority) whitelist database and compare certificate information with the trusted CA whitelist to check for missing intermediate certificates or if the CA is on the whitelist.

[0032] The system calculates and stores the hash value of the returned content in real time, compares the hash value with baseline data, and determines whether the page has been tampered with based on the matching degree. Web crawlers can be used to periodically scrape HTML, CSS, JavaScript, and other elements from multiple popular websites (such as Google, Facebook, Amazon, etc.) and generate a baseline hash value for each website. A hash database is configured to store and compare the page content of each popular website in real time. On each access, a hash algorithm (such as SHA-256) is used to hash the returned page content, and the hash value of the returned content is compared with the baseline hash value. If the matching degree between the returned content's hash value and the baseline hash value in the database is lower than a set threshold, the page is considered to have been tampered with.

[0033] Finally, the anomaly detection results for the border gateway protocol path, SSL / TLS certificate, and hash value of the returned content are weighted and summed to obtain a comprehensive score. If the comprehensive score exceeds a preset threshold, it is determined to be a content hijacking event. For example, the weighted decision model sets the weights as follows: path anomaly accounts for 40% weight, certificate problem accounts for 30% weight, and content anomaly accounts for 30% weight. Each monitoring result is scored according to its weight, and the final comprehensive score is calculated. For example, if the score for path anomaly is 70, certificate problem is 90, and content anomaly is 60, then the comprehensive score is: Overall score = (70 × 0.4) + (90 × 0.3) + (60 × 0.3) = 28 + 27 + 18 = 73 If the overall score exceeds 85%, the system considers a content hijacking incident to have occurred. It provides users with an easy-to-use interface that displays real-time detection results, historical data, and alert records, and saves logs for each detection for subsequent auditing and analysis.

[0034] Finally, in box S106, when a hijacking event or abnormal traffic is detected, alarms and response measures are triggered.

[0035] For example, an alarm is triggered when BGP path routes are updated frequently or abnormally; an alarm is immediately issued if an intermediate certificate is missing or the certificate authority is not on the whitelist, and a man-in-the-middle interception strategy is used to interrupt the connection with the server; an alarm is triggered if the hash value of the returned content matches the baseline hash value in the database less than a set threshold.

[0036] Regularly optimize the detection algorithm, update the feature database, and train and adjust it based on new attack samples. Specifically, collect and store newly emerging network attack samples, and update information such as hash values ​​and network protocol characteristics in the feature database in a timely manner. Regularly extract features from new attack samples and train them using machine learning models (such as decision trees, random forests, and neural networks) to continuously improve the system's ability to identify new types of attacks. Regularly optimize the detection algorithm, adjusting the algorithm and parameters based on new attack samples to ensure that the algorithm can adapt to constantly changing attack methods. Deep learning training can be performed using frameworks such as TensorFlow or PyTorch, traditional machine learning algorithm training can be performed using Scikit-learn, and data mining techniques can be used for feature selection and model adjustment.

[0037] Figure 2 This is a schematic block diagram of a traffic hijacking detection device based on multi-dimensional protocol feature cross-validation according to embodiments of the present disclosure. Figure 2 As shown, the device 200 may include a processor 210 and a memory 220 storing a computer program. When the computer program is executed by the processor 210, the device 200 is made capable of performing actions such as... Figure 1 The steps of the method are shown. In one example, device 200 may be a computer device or a cloud computing node. Device 200 may: monitor in real time the five-tuple information, TTL value, TCP sequence number change pattern, and DNS response consistency in network traffic to detect abnormal traffic; monitor the border gateway protocol path, SSL / TLS certificate, and hash value of returned content, and determine whether it is a hijacking event based on the monitoring results and their weights; and trigger alarms and response measures when a hijacking event or abnormal traffic is detected.

[0038] In embodiments of this disclosure, the device 200 can deploy lightweight detection modules on terminal devices and edge routers to capture network traffic and extract key features; monitor network communication in real time, including the five-tuple information of source IP address, source port, destination IP address, destination port, and transport protocol, and analyze whether there are abnormal changes in port traffic; acquire and track the TTL value of each IP packet in real time, and detect whether the routing path has been tampered with by detecting fluctuations in the TTL value; monitor the TCP sequence number of each packet during TCP connection establishment, and detect whether abnormal patterns occur by analyzing the growth trend of the TCP sequence number; acquire the response information of the DNS server in real time, and detect whether the DNS is poisoned or hijacked by cross-validating the response results of multiple public DNS servers.

[0039] In the embodiments of this disclosure, the device 200 can initiate the same query request to multiple public DNS servers and obtain the returned results; for each DNS query, the responses from different DNS servers are compared to see if they are consistent. If all DNS servers return the same IP address, the response is normal; if the difference between the returned IP addresses is greater than a preset difference threshold, then DNS pollution or hijacking exists.

[0040] In the embodiments of this disclosure, the device 200 can monitor whether the border gateway protocol routing path is abnormal. If an abnormal update of the border gateway protocol routing path is detected, it is marked as a potential routing hijacking event. It checks the server certificate of HTTPS traffic and determines whether the certificate has been replaced or forged by checking whether the intermediate certificate is missing or whether the certificate authority is in the whitelist. It calculates and stores the hash value of the returned content in real time and compares the hash value with the benchmark data to determine whether the page has been tampered with based on the matching degree. It weights and sums the abnormal detection results of the border gateway protocol path, SSL / TLS certificate and hash value of the returned content to obtain a comprehensive score. If the comprehensive score exceeds a preset threshold, it is determined to be a content hijacking event.

[0041] In the embodiments of this disclosure, the device 200 can periodically collect border gateway protocol routing update information through a BGP route listener; execute the Traceroute command at preset intervals to record normal paths; compare the border gateway protocol routing update information with normal paths, and if the number of changes within a preset time interval exceeds a preset threshold, it is determined to be an abnormal change.

[0042] In the embodiments of this disclosure, the device 200 can obtain the SSL / TLS certificate of HTTPS traffic during the TLS handshake process, check the certificate issuing authority, validity period, and certificate chain information; maintain a trusted CA whitelist database, compare the certificate information with the trusted CA whitelist, and if it is detected that the certificate issuing authority is not in the whitelist or there is an anomaly in the certificate chain, it is determined that the certificate has been replaced or forged.

[0043] In the embodiments of this disclosure, the device 200 can crawl HTML, CSS, and JavaScript elements of pages from multiple popular websites and generate a base hash value for each website. Each time a page is accessed, the returned page content is hashed, and the hash value of the returned content is compared with the base hash value. If the matching degree between the hash value of the returned content and the base hash value in the database is lower than a set threshold, it is determined that the page has been tampered with.

[0044] In the embodiments of this disclosure, the device 200 can trigger an alarm when BGP path routing updates are frequent or abnormal; if an intermediate certificate is missing or the certificate authority is not in the whitelist, an alarm is immediately issued and the connection with the server is interrupted using a man-in-the-middle interception strategy; if the hash value of the returned content matches the baseline hash value in the database less than a set threshold, an alarm is triggered; the detection algorithm is periodically optimized, the feature database is updated, and training and adjustments are performed based on new attack samples.

[0045] In embodiments of this disclosure, processor 210 may be, for example, a central processing unit (CPU), a microprocessor, a digital signal processor (DSP), a processor based on a multi-core processor architecture, etc. Memory 220 may be any type of memory implemented using data storage technologies, including but not limited to random access memory, read-only memory, semiconductor-based memory, flash memory, disk storage, etc.

[0046] Furthermore, in embodiments of this disclosure, device 200 may also include input device 230, such as a keyboard, mouse, etc. Additionally, device 200 may also include output device 240, such as a display, for example, to display real-time detection results, historical data, and alarm records, and to save logs of each detection for subsequent auditing and analysis.

[0047] In other embodiments of this disclosure, a computer-readable storage medium storing a computer program is also provided, wherein the computer program, when executed by a processor, is capable of performing the following functions: Figure 1 The steps of the traffic hijacking detection method based on multidimensional protocol feature cross-validation are shown.

[0048] In summary, the traffic hijacking detection method and apparatus based on multi-dimensional protocol feature cross-validation according to the embodiments of this disclosure can effectively detect new types of network attacks by real-time monitoring and comprehensive analysis of various network protocol features. By combining technologies such as historical BGP paths, DNS monitoring, HTTPS certificate verification, and a popular website feature database, the system can ensure rapid response to various network hijacking events. The weighted decision model comprehensively evaluates the detection results, improving the accuracy and timeliness of judgment, thereby achieving efficient traffic hijacking detection and defense.

[0049] It should be noted that the steps shown in the flowchart in the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in a different order than that shown here.

[0050] Obviously, those skilled in the art should understand that the various units or steps of this application described above can be implemented using general-purpose computing devices. They can be centralized on a single computing device or distributed across a network of multiple computing devices. Optionally, they can be implemented using computer-executable program code, thereby storing them in a storage device for execution by a computing device, or fabricating them separately as individual integrated circuit modules, or fabricating multiple modules or steps into a single integrated circuit module. Thus, this application is not limited to any particular combination of hardware and software.

[0051] The above description is merely a preferred embodiment of this application and is not intended to limit this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.

Claims

1. A traffic hijacking detection method based on multi-dimensional protocol feature cross-validation, characterized in that, The method includes: Real-time monitoring of network traffic's five-tuple information, TTL value, TCP sequence number change pattern, and DNS response consistency to detect traffic anomalies; Monitor the border gateway protocol path, SSL / TLS certificate, and hash value of returned content; based on the monitoring results and their weights, determine whether a hijacking event has occurred; and When a hijacking event or abnormal traffic is detected, an alarm and response measures are triggered.

2. The traffic hijacking detection method based on multi-dimensional protocol feature cross-validation according to claim 1, characterized in that, The real-time monitoring of network traffic, including the five-tuple information, TTL value, TCP sequence number change pattern, and DNS response consistency, to detect traffic anomalies includes: Deploy lightweight probe modules on terminal devices and edge routers to capture network traffic and extract key features; Real-time monitoring of network communication includes a five-tuple of information: source IP address, source port, destination IP address, destination port, and transport protocol, and analysis of whether there are any abnormal changes in port traffic; The TTL value of each IP packet is acquired and tracked in real time, and the routing path is detected to be tampered with by detecting fluctuations in the TTL value. During TCP connection establishment, the TCP sequence number of each data packet is monitored, and the growth trend of the TCP sequence number is analyzed to detect any abnormal patterns; and It obtains DNS server response information in real time and detects whether DNS is polluted or hijacked by cross-validating the response results of multiple public DNS servers.

3. The traffic hijacking detection method based on multi-dimensional protocol feature cross-validation according to claim 2, characterized in that, The process of obtaining DNS server response information in real time and detecting DNS pollution or hijacking by cross-validating the response results of multiple public DNS servers includes: Send the same query request to multiple public DNS servers and obtain the returned results; For each DNS query, the responses from different DNS servers are compared to see if they are consistent. If all DNS servers return the same IP address, the response is normal; if the difference between the returned IP addresses is greater than a preset difference threshold, then DNS pollution or hijacking has occurred.

4. The traffic hijacking detection method based on multi-dimensional protocol feature cross-validation according to claim 1, characterized in that, The monitoring of the border gateway protocol path, SSL / TLS certificate, and hash value of the returned content, based on each monitoring result and its weight, determines whether it is a hijacking event, including: Monitor whether the Border Gateway Protocol (BGP) routing path is abnormal. If an abnormal update of the BGP routing path is detected, mark it as a potential routing hijacking event. Check the server certificate of HTTPS traffic. By checking whether the intermediate certificate is missing or whether the certificate authority is on the whitelist, you can determine whether the certificate has been replaced or forged. The hash value of the returned content is calculated and stored in real time, and compared with benchmark data to determine whether the page has been tampered with based on the matching degree; and The anomaly detection results of the border gateway protocol path, SSL / TLS certificate, and hash value of the returned content are weighted and summed to obtain a comprehensive score. If the comprehensive score exceeds a preset threshold, it is determined to be a content hijacking event.

5. The traffic hijacking detection method based on multi-dimensional protocol feature cross-validation according to claim 4, characterized in that, The monitoring of border gateway protocol routing paths for anomalies, and the marking of potential routing hijacking events as abnormal updates to border gateway protocol routing paths, includes: Periodically collect Border Gateway Protocol routing update information using a BGP route listener; The Traceroute command is executed at preset intervals to record the normal path. The border gateway protocol routing update information is compared with the normal path. If the number of changes exceeds a preset threshold within a preset time interval, it is determined to be an abnormal change.

6. The traffic hijacking detection method based on multi-dimensional protocol feature cross-validation according to claim 4, characterized in that, The process of checking the server certificate for HTTPS traffic, including determining whether the certificate has been replaced or forged by checking whether an intermediate certificate is missing or whether the certificate authority is on the whitelist, includes: During the TLS handshake process, obtain the SSL / TLS certificate of the HTTPS traffic and check the certificate issuing authority, validity period, and certificate chain information; Maintain a trusted CA whitelist database, compare certificate information with the trusted CA whitelist, and if the certificate issuing authority is not detected to be in the whitelist or there is an anomaly in the certificate chain, it is determined that the certificate has been replaced or forged.

7. The traffic hijacking detection method based on multi-dimensional protocol feature cross-validation according to claim 4, characterized in that, The process of calculating and storing the hash value of the returned content in real time, comparing the hash value with benchmark data, and determining whether the page has been tampered with based on the matching degree includes: Scrape HTML, CSS, and JavaScript elements from multiple popular websites and generate a baseline hash value for each website; Each time a page is accessed, a hash calculation is performed on the returned page content. The hash value of the returned content is compared with the baseline hash value. If the matching degree between the hash value of the returned content and the baseline hash value in the database is lower than a set threshold, the page is determined to have been tampered with.

8. The traffic hijacking detection method based on multi-dimensional protocol feature cross-validation according to claim 1, characterized in that, The alarm and response measures triggered when a hijacking event or abnormal traffic is detected include: An alert is triggered when BGP path routes are updated frequently or abnormally. If the intermediate certificate is missing or the certificate authority is not on the whitelist, an alert will be issued immediately, and a man-in-the-middle interception strategy will be used to interrupt the connection with the server. If the hash value of the returned content does not match the baseline hash value in the database by a set threshold, an alarm is triggered; and Regularly optimize the detection algorithm, update the feature database, and train and adjust based on new attack samples.

9. A traffic hijacking detection device based on multi-dimensional protocol feature cross-validation, characterized in that, The device includes: At least one processor; and At least one memory storing a computer program; When the computer program is executed by the at least one processor, the device performs the steps of the traffic hijacking detection method based on multidimensional protocol feature cross-validation as described in any one of claims 1 to 8.

10. A computer-readable storage medium storing a computer program, characterized in that, The computer program, when executed by a processor, implements the steps of the traffic hijacking detection method based on multidimensional protocol feature cross-validation as described in any one of claims 1 to 8.