CN103312689B - Network hiding method for computer and network hiding system based on method - Google Patents

Info

Publication number
CN103312689B
Authority
CN
China
Prior art keywords
address
network
computer
behavior
packet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201310132080.1A
Other languages
Chinese (zh)
Other versions
CN103312689A (en)
Inventor
崔艳鹏
胡建伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network hiding method for a computer and a network hiding system based on the method. The method adopts a passive processing strategy and an active processing strategy. The active processing strategy comprises the following steps: S1, when probing behavior is judged to be in progress, replying with false information to confuse the prober and increase the difficulty of attack; S2, faking false data traffic and the network behavior of the real host, so as to disturb sniffing; and S3, dynamically and randomly hopping the IP (Internet Protocol) address of the real host, the address being the hopping element, so as to hide the real host. The system adopts a four-layer network hiding model comprising an access behavior control module, a dynamic multi-address module, a traffic confusing module and a protocol stack fingerprint confusing module. With the method and system, unknown security problems can be blocked in advance and malicious network behavior is blocked at its source, so that protection genuinely takes place beforehand; owing to the hiding characteristic, the system can nip attacks in the bud; and computer security is well ensured.

Description

A network hiding method for a computer and a network hiding system based on the method
Technical field
The present invention relates to the technical field of secure computer communication, and more particularly to a network hiding method for a computer and a network hiding system based on the method.
Background technology
Since mankind entered the information age, computer technology and computer networks have developed at an unimaginable speed. While networks bring convenience, the secure transmission of information has become especially important; at the same time, network security problems emerge endlessly and trouble us constantly. The existing protective measures, such as firewalls, antivirus software, traffic monitoring and intrusion detection, all have common or individual defects. A firewall cannot defend actively and flexibly, and depends to a large extent on filtering rules added by the administrator. Antivirus software cannot remove new viruses that mutate irregularly, and can only take remedial action after a virus infection has occurred. Traffic monitoring and intrusion detection systems collect large amounts of data of no practical value, adding to the burden of the staff who analyse it, and can only raise an alarm or block after abnormal behavior has occurred.
It can be seen that the greatest weakness of existing security protection is that it is passive defence: repairs are made only after abnormal behavior, or even a security incident, has occurred. This cannot meet the user's need for real-time security and has a considerable lag. Only by treating the root cause can real security protection be achieved, and only by changing from passive to active can potential hazards be strangled in the cradle before an intrusion takes place. This is precisely the distinguishing function of our network hiding system.
Once the network hiding system is switched on, we can enjoy the convenience the internet brings us while hiding safely in the network: the intruder "cannot see" us and cannot determine a target to attack, while legitimate users can still communicate with us normally. Unknown security vulnerabilities cannot be exploited because the attacker cannot detect them, and so they are hard to discover and use. Because of the hiding, a malicious virus cannot find a host to spread to and loses its effectiveness; the difficulty of an attacker's penetration or of virus infection is greatly increased. In this way the system is foresighted: it anticipates hostile network behavior in advance, prevents trouble before it happens, guards against unknown vulnerabilities, keeps out every kind of harm, and blocks malicious access beforehand. The network hiding system and its strategies therefore have great development prospects.
The content of the invention
The technical problem to be solved by the invention is to provide a network hiding method for a computer and a network hiding system based on the method that can block unknown security problems in advance and block the occurrence of hostile network behavior at its source, so that protection genuinely takes place beforehand; owing to the hiding characteristic, the system can truly prevent trouble before it happens and ensure computer security well.
To solve the above technical problem, the technical scheme of the invention is: a network hiding method for a computer, the method comprising a passive processing strategy and an active processing strategy for probe packets. The passive processing strategy judges the legitimacy of the packets entering and leaving the computer; illegal data traffic is handled by not accepting it, not responding to it, not passing it to the normal protocol stack, and writing a record of the bad behavior. The active processing strategy comprises the following three modes: S1, when probing behavior is judged to be in progress, false information is returned to confuse the prober and increase the difficulty of attack; S2, false data traffic and the network behavior of the real host are forged to disturb sniffing; S3, with the IP address of the real host as the hopping element, the address hops dynamically and at random so that the real host is hidden. In S2, the real host is concealed, by means of the forged false data traffic, inside a group of forged computers, which reduces the probability of its detection. The false data traffic means emulating server behavior: in the network segment where the real host is located, the unused IP addresses of that segment are fully exploited to construct data traffic imitating the network behavior of real computers, which makes it harder for probing to lock onto a target.
To solve the above technical problem, another technical scheme of the invention is: a network hiding system for a computer, comprising:
an access behavior control module, which builds one state chain for normal network behavior and another for abnormal network behavior, so that whether network behavior is legitimate can be judged in advance;
a dynamic multi-address module, for dynamically changing the physical address of the computer and dynamically changing the IP address of the computer;
a traffic confusing module, for forging communication addresses for the computer, forging active data traffic and forging passive data traffic;
a protocol fingerprint confusing module, which processes the data received by the host through a dual-protocol-stack model and dynamically modifies the protocol fingerprint features, so as to confuse the judgement of a malicious party.
Further, the network behavior judgement distinguishes between two cases, servers and personal computers. A personal computer does not provide services to the outside world and therefore will not receive active SYN requests from outside, so every source IP address from which a SYN is received is suspicious; if this computer has not established a connection with some remote host, yet that host sends RST packets or ACK+PUSH+URG packets, that also indicates scanning behavior. A server must provide services to the outside, so its ports and addresses cannot simply be changed and clients must be informed; the state chain of the packets it receives must therefore be judged.
Further, the dynamic change of the computer's physical address comprises: first, detecting the active IP addresses with ARP requests, filtering out the IP addresses that are not in use and adding them to the address pool; then creating a thread responsible for listening for ARP and receiving all requests, which checks through the IP address management platform whether the IP address in the ARP request is an IP address the host is masquerading as: if it is, one ARP reply is sent, otherwise the ARP is not answered; finally, the state of the IP addresses must also be maintained, that is, a thread is created to listen for the IP addresses that reply to ARP, and if the destination IP address is not this machine's address and the source IP address is not one of our false IP addresses, the IP address can be judged to be occupied. In addition the IP states are refreshed periodically: if no ARP reply from an IP address has been received for a period of time, the state of that IP address is set to "free".
Further, the dynamic change of the computer's IP address comprises the dynamic change of the IP address of the real host and the dynamic change of the IP addresses of the virtual hosts.
Further, the forged communication address comprises a false IP address, a MAC address and a port number; the false IP address is an IP address of this network segment that nobody is using.
Further, the forged active data traffic comprises connection-control packets with TCP protocol payload, UDP packets with payload, and TCP packets with application-layer payload.
Further, the forged passive data traffic responds with a virtual protocol stack to the probe packets received by the virtual hosts, and comprises ARP protocol replies, ICMP replies, replies to SYN scans and replies to ACK scans.
Further, the protocol fingerprint is detected by operating-system protocol stack characteristic fingerprinting and application characteristic fingerprinting.
With the above technical scheme, the beneficial effects of the invention are:
(1) Kernel dynamic filtering. The host must reach a judgement before the packet is unpacked by the protocol stack: packets belonging to malicious scanning or probing are filtered directly, or handed to the stealth protocol stack for processing, which replies with deceptive information to confuse the prober.
(2) Kernel data fingerprint modification. The kernel modifies the fingerprint features of the data it sends, confusing the judgement of a malicious party and preventing it from obtaining exploitable information from the characteristic fingerprint of the packets.
(3) Building and maintaining the dynamic address pool. In order to hide, the host must dynamically change its IP address and forge many false hosts. This first requires acquiring the unused IP addresses in the LAN, then dynamically refreshing the IP address states, and finally randomly building IP addresses and MAC addresses for the network segment.
(4) Dynamic hopping of the real host's IP address. To influence the judgement of a malicious party, the IP address of the real host must hop dynamically; the hopping process is operated by the user layer, and normal communication is guaranteed by a time delay.
(5) Forging the network communication of the real host. Data streams are actively built among the forged computers and with the external network, avoiding sniffing and increasing the difficulty for a malicious party of determining the target.
(6) Real-time replies to probes of false hosts. After hosts are forged, they must respond to probe packets to prove that the forged hosts are alive, and must reply to scanning probe packets.
(7) Simulated routing to increase network complexity. Forging a routing function expands the network topology and increases network complexity, hiding the real host completely within it; since mapping the network topology becomes correspondingly harder each time network complexity is multiplied, the difficulty for an attacker of detecting the real host rises by a corresponding multiple.
In summary, the invention fully exploits the internal relations of each field of the network protocols and thus proposes a four-layer network hiding model, mainly comprising: an access behavior control layer, which uses the Netfilter framework, loaded as an LKM, to implement real-time packet monitoring and access behavior control, providing the decision and enforcement basis for effective hiding of the system; a dynamic multi-address layer, which can effectively change the physical address, logical address and port address of protocol packets and cooperates with the other layers to simulate network traffic; a traffic confusing layer, which according to the hiding strategy in force uses a network silence mode or a false response mode to produce varied network protocol traffic, increasing network complexity and confusing or deceiving the attacker without affecting normal network communication; and finally a protocol fingerprint confusing layer, which modifies packet field information to interfere with the attacker's information gathering. The invention can block unknown security problems in advance and block hostile network behavior at its source, genuinely protecting beforehand; owing to the hiding characteristic, the system can truly prevent trouble before it happens and ensure computer security well.
Brief description of the drawings
Fig. 1 is the dynamic multi-address processing flow chart of the invention;
Fig. 2 is the ARP packet structure diagram of the invention;
Fig. 3 is the ARP detection flow chart of the invention;
Fig. 4 is the dynamic IP address state refresh diagram of the invention;
Fig. 5 is the false network operation flow chart of the invention;
Fig. 6 is the simulated routing network effect diagram of the invention;
Fig. 7 is the structural schematic of the network hiding system of the invention.
Specific embodiment
The invention is further described below with reference to the drawings and embodiments.
A network hiding method for a computer comprises a passive processing strategy and an active processing strategy for probe packets. The passive processing strategy judges the legitimacy of the packets entering and leaving the computer; illegal data traffic is handled by not accepting it, not responding to it, not passing it to the normal protocol stack, and writing a record of the bad behavior. The active processing strategy comprises the following three modes: S1, when probing behavior is judged to be in progress, false information is returned to confuse the prober and increase the difficulty of attack; S2, false data traffic and the network behavior of the real host are forged to disturb sniffing; S3, with the IP address of the real host as the hopping element, the address hops dynamically and at random so that the real host is hidden. In S2, the real host is concealed, by means of the forged false data traffic, inside a group of forged computers, which reduces the probability of its detection. The false data traffic means emulating server behavior: in the network segment where the real host is located, the unused IP addresses of that segment are fully exploited to construct data traffic imitating the network behavior of real computers, which makes it harder for probing to lock onto a target.
The invention also discloses a network hiding system for a computer which, as shown in Fig. 7, comprises:
an access behavior control module, which builds one state chain for normal network behavior and another for abnormal network behavior, so that whether network behavior is legitimate can be judged in advance;
a dynamic multi-address module, for dynamically changing the physical address of the computer and dynamically changing the IP address of the computer;
a traffic confusing module, for forging communication addresses for the computer, forging active data traffic and forging passive data traffic;
a protocol fingerprint confusing module, which processes the data received by the host through a dual-protocol-stack model and dynamically modifies the protocol fingerprint features, so as to confuse the judgement of a malicious party.
The network behavior judgement is described in more detail below. It distinguishes between two cases, servers and personal computers. A personal computer does not provide services to the outside world and therefore will not receive active SYN requests from outside, so every source IP address from which a SYN is received is suspicious; if this computer has not established a connection with some remote host, yet that host sends RST packets or ACK+PUSH+URG packets, that also indicates scanning behavior. A server must provide services to the outside, so its ports and addresses cannot simply be changed and clients must be informed; the state chain of the packets it receives must therefore be judged. The access behavior control criteria are described below separately for the PC side and the server side:
A PC is judged suspicious the first time suspicious behavior appears on it:
(1) A port hit-miss occurs (a packet requests a port the host has not opened): the packet is discarded and the source address information is added to the suspicious address list.
(2) A PC does not accept SYN packets; every address that sends a SYN can be classed as a suspect.
(3) The source IP address and port information of the last several packets are recorded; if the same IP address appears several times in succession with different ports, the packets are discarded, and any reply packets produced by the protocol stack are not sent out directly.
(4) For ACK packets a connection-based mechanism is used: the IP address information of connections established is recorded beforehand, and if an ACK packet is received without a connection having been built earlier, the host is abnormal.
(5) A packet whose TCP flags are abnormal, that is a NULL packet or a FIN combined with any flag other than ACK, indicates that the host may be scanning, and its address is treated as suspicious.
(6) For UDP scan packets, ICMP port-state packets are not returned (a UDP scan judges port status by the ICMP reply: port unreachable is returned if the port is closed and nothing is returned if it is open, so withholding the reply also confuses the attacker).
When the following behavior occurs on a server, the source is treated as suspect:
(1) A port hit-miss occurs, that is a request for a port on which the server provides no service; this is considered suspicious.
(2) High-frequency request behavior occurs, for example multiple SYN requests; this is considered suspicious.
(3) One source address requests multiple ports within a short time; this is considered suspicious.
(4) A packet is received whose TCP flags are abnormally NULL, or FIN combined with identification flags other than ACK; this is considered suspicious.
(5) An ACK packet is received from a source address that has not established a connection; the source address is regarded as suspect.
Among these many rules we use a "minority decides" principle: as soon as one of the established rules is met, the host can be judged to be possibly scanning or probing, and its IP address can be added to the blacklist, forbidding any access or request from that address. A weight can also be set dynamically for each address according to the number of rules met; the weight depends on how many rules are satisfied, and an address meeting more than 4 rules is placed directly on the blacklist. According to the weight of each address it is judged whether to completely cut off communication from that suspicious IP address to the real system.
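The PC-side and server-side criteria above, as an added example written for this page rather than the patent's own code: a small stateful classifier applies the rules to constructed packet records, keeps a per-address weight equal to the number of distinct rules matched, and blacklists an address once more than 4 rules are met, as the text states. The verdict names, the `DISTINCT_PORT_LIMIT` and `SYN_BURST_LIMIT` thresholds and the packet-record layout are this example's assumptions; UDP probes get no ICMP port-state reply (rule (6)), and suspect TCP probes are diverted to the stealth stack instead of the normal one.

```python
from collections import defaultdict

# Standard TCP flag bit values.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

BLACKLIST_RULE_COUNT = 4   # "more than 4 rules met" goes straight onto the blacklist (from the text)
DISTINCT_PORT_LIMIT = 3    # assumed: rule (3) fires at this many different ports from one source
SYN_BURST_LIMIT = 5        # assumed: server rule (2) fires at this many SYNs from one source


def abnormal_flags(flags):
    """PC rule (5) / server rule (4): NULL packet, or FIN combined with any flag other than ACK."""
    if flags == 0:
        return True
    return bool(flags & FIN) and bool(flags & ~(FIN | ACK) & 0x3F)


class AccessBehaviorControl:
    def __init__(self, role, open_ports):
        assert role in ("pc", "server")
        self.role = role
        self.open_ports = set(open_ports)
        self.established = set()            # source IPs that built a connection beforehand
        self.seen_ports = defaultdict(set)  # source IP -> destination ports it has requested
        self.syn_count = defaultdict(int)
        self.rules_hit = defaultdict(set)   # source IP -> names of rules it has matched
        self.blacklist = set()

    def note_established(self, ip):
        self.established.add(ip)

    def weight(self, ip):
        """Weight grows with the number of distinct rules an address has matched."""
        return len(self.rules_hit[ip])

    def inspect(self, pkt):
        """pkt: dict with src, proto ('tcp' or 'udp'), dport and, for tcp, flags. Returns a verdict."""
        src = pkt["src"]
        if src in self.blacklist:
            return "drop"
        hits = set()
        if pkt["dport"] not in self.open_ports:
            hits.add("port_miss")                                   # PC (1) / server (1)
        if pkt["proto"] == "tcp":
            flags = pkt["flags"]
            if flags & SYN and not flags & ACK:
                self.syn_count[src] += 1
                if self.role == "pc":
                    hits.add("syn_to_pc")                           # PC (2)
                elif self.syn_count[src] >= SYN_BURST_LIMIT:
                    hits.add("syn_burst")                           # server (2)
            if abnormal_flags(flags):
                hits.add("abnormal_flags")                          # PC (5) / server (4)
            if flags & ACK and not flags & SYN and src not in self.established:
                hits.add("ack_without_connection")                  # PC (4) / server (5)
            unsolicited = flags & RST or (flags & (ACK | PSH | URG)) == (ACK | PSH | URG)
            if self.role == "pc" and unsolicited and src not in self.established:
                hits.add("rst_or_ack_push_urg_unconnected")         # PC rationale above
        self.seen_ports[src].add(pkt["dport"])
        if len(self.seen_ports[src]) >= DISTINCT_PORT_LIMIT:
            hits.add("many_ports")                                  # PC (3) / server (3)
        self.rules_hit[src] |= hits
        if self.weight(src) > BLACKLIST_RULE_COUNT:
            self.blacklist.add(src)
            return "drop"
        if hits:
            # "Minority decides": one matched rule is enough to treat the source as suspect.
            return "silent_drop" if pkt["proto"] == "udp" else "stealth_stack"
        return "accept"


if __name__ == "__main__":
    pc = AccessBehaviorControl("pc", open_ports=[])
    for port in (22, 80, 443):   # constructed sample: one source walking several ports
        print(port, pc.inspect({"src": "10.0.0.9", "proto": "tcp", "dport": port, "flags": SYN}))
    print("weight", pc.weight("10.0.0.9"))
```

The classifier only decides; the packet diversion itself happens in the kernel hook described later in the document.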
The packet-processing flow of the Linux network core is described below.
Packet sending flow: the flow starts at the packet-sending function of the network application and ends at the packet-sending function of the network device driver.
(1) Transport-layer processing. If the UDP protocol is used, the packet passes through the socket interface via sendto() into udp_sending() of the UDP protocol module; after UDP encapsulation is completed, it enters the IP protocol module through ip_push_pending_frames(). If the TCP protocol is used, the packet enters tcp_sendmsg() of the TCP protocol module; after TCP encapsulation is completed, it enters the IP protocol module through ip_queue_xmit(). To find the correct sending path, ip_route_output_flow() of the routing module must be called to look up routing information.
(2) Network-layer processing. Data processed by UDP and TCP enter ip_output() of the IP protocol module. After the outgoing interface device has been determined, the data pass through ip_finish_output2 and the neighbour subsystem to the dev_queue_xmit() interface function, through which the packet enters the network device.
(3) Network-device processing. Depending on the type of the underlying device, the dev_queue_xmit() function hands the packet to the device's transmission function. If the underlying device is an xx network interface card, the packet enters the network through the net_send_packet() function; before transmission the packet is encapsulated into a standard frame type. For networks that use a logical link protocol, dev_queue_xmit hands the packet to the logical link protocol module, and it is then sent through the underlying network device.
Packet receiving flow: the flow starts at the packet-receiving function of the network device driver and ends at the packet-receiving function of the network application.
(1) Network-device processing. When a packet arrives at the device, a hardware interrupt is triggered to complete reception of the data. The interrupt handler calls net_rx to process the packet further. After the content encapsulated in the frame has been parsed, the packet is submitted to the IP protocol module by the ip_rcv function; if the layer above the network device is a logical link protocol module, the packet must first be delivered to that protocol module and, after processing, submitted to the IP protocol module by ip_rcv.
(2) Network-layer processing. After the packet enters the IP protocol module, ip_rcv_finish first decides whether it is a locally received packet or one to be forwarded. If local, it enters the ip_local_deliver function, which completes the further IP processing; after the data content has been parsed out of the IP packet, the ip_local_deliver_finish function submits the packet to the receiving function of the transport layer. If it is a forwarded packet, it is handed to ip_route_input to look up the routing table and determine the forwarding path, then to the ip_forward function, and then through ip_forward_finish into ip_output, where the forwarded packet is prepared.
(3) Transport-layer processing. If the received packet is UDP it enters the UDP protocol module; if TCP, it enters the TCP module.
The module loads hooks into this processing flow, intercepts packets and checks the information in each packet field, such as packet type, port and TCP flags. This information is compared with the proper network protocol to reach a judgement, and judgement rules are generated dynamically and added to the filter list, providing the basis for access behavior control.
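The field checks the hook performs, shown as an added example in user-space Python rather than the patent's kernel module: `inspect_frame` decodes a constructed Ethernet/IPv4/TCP frame, verifies the IPv4 header checksum and length fields against the protocol rules, decodes the TCP flags into names, and returns a record that a rule set like the one above could consume. `build_frame`, the verdict names and the constants are this example's own; the Netfilter/LKM hook itself is not shown.

```python
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # TCP flag bits 0..5


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words, as the IPv4 header checksum requires."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, flags, proto=IPPROTO_TCP, corrupt=False):
    """Constructed sample frame (Ethernet/IPv4/TCP, no payload) for offline testing."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_P_IP)
    l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    csum = ip_checksum(hdr)
    if corrupt:                       # deliberately wrong checksum for the negative test
        csum = (csum + 1) & 0xFFFF
    return eth + hdr[:10] + struct.pack("!H", csum) + hdr[12:] + l4


def inspect_frame(frame: bytes):
    """Decode the fields the hook looks at and check them against the protocol rules."""
    problems = []
    if len(frame) < 34:
        return {"verdict": "drop", "problems": ["frame shorter than Ethernet+IPv4 headers"]}
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return {"verdict": "pass", "problems": ["not IPv4; left to the normal stack"]}
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if version != 4 or ihl < 20:
        problems.append("bad IP version/header length")
    if ip_checksum(ip[:ihl]) != 0:    # a valid header sums to zero with its checksum included
        problems.append("IP header checksum mismatch")
    if total_len > len(ip):
        problems.append("IP total length exceeds captured bytes")
    rec = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "proto": proto, "problems": problems}
    if proto == IPPROTO_TCP and not problems:
        tcp = ip[ihl:ihl + 20]
        if len(tcp) < 20:
            problems.append("TCP header truncated")
        else:
            sport, dport = struct.unpack("!HH", tcp[:4])
            flags = tcp[13]
            if (tcp[12] >> 4) * 4 < 20:
                problems.append("bad TCP data offset")
            if flags & 0x02 and flags & 0x04:
                problems.append("SYN and RST set together")
            rec.update(sport=sport, dport=dport, flags=flags,
                       flag_names=[n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)])
    rec["verdict"] = "drop" if problems else "inspect"
    return rec


if __name__ == "__main__":
    print(inspect_frame(build_frame("10.0.0.2", "10.0.0.1", 40000, 22, 0x02)))
```

A record with verdict `inspect` is what the rule set would then score; malformed headers are dropped before any rule runs, so a hook never reasons about fields it could not trust.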
The dynamic multi-address module is described in more detail below.
Computers distinguish one another by address when communicating, and the address here is not a single IP address: it comprises a MAC address, an IP address and a port number. The network hiding system must build a dynamic address pool to provide the address information for address hopping, and must hop the IP address of the real host in real time. The dynamic multi-address function occupies a very important position in the network hiding system: the dynamically changing address information, the address information of the false hosts and the addresses remapped in the network topology all come from dynamic multi-address processing. The dynamic multi-address processing flow is shown in Fig. 1.
The dynamic change of the computer's physical address comprises: first, detecting the active IP addresses with ARP requests, filtering out the IP addresses that are not in use and adding them to the address pool (the ARP packet structure is shown in Fig. 2); then creating a thread responsible for listening for ARP and receiving all requests, which checks through the IP address management platform whether the IP address in the ARP request is an IP address the host is masquerading as: if it is, one ARP reply is sent, otherwise the ARP is not answered (the ARP detection flow is shown in Fig. 3); finally, the state of the IP addresses must also be maintained, that is, a thread is created to listen for the IP addresses that reply to ARP, and if the destination IP address is not this machine's address and the source IP address is not one of our false IP addresses, the IP address can be judged to be occupied. In addition the IP states are refreshed periodically: if no ARP reply from an IP address has been received for a period of time, the state of that IP address is set to "free"; the dynamic IP address state refresh is shown in Fig. 4.
The dynamic change of the computer's IP address comprises the dynamic change of the IP address of the real host and the dynamic change of the IP addresses of the virtual hosts.
The dynamic change of IP addresses mainly comprises two aspects: the dynamic change of the IP address of the real host and the dynamic change of the IP addresses of the virtual hosts. Dynamic change of the real host's IP address means that, after the address pool has been built, a certain number of available IP addresses are selected at random as the IP addresses the real host may use when communicating. Because the address pool is filled in order at initialisation, selecting an address only requires generating a random number in 0-255 and using it as the last octet of the IP address: the IP address is extracted, its status information is read, and it is judged whether it is usable; if usable it is added to the list of change IP addresses, otherwise a new random number is generated, until the number of IP addresses the user requires has been selected. Dynamic change of the false hosts' IP addresses means that communication among the false hosts, with the external network and with the real host requires an available IP address to be selected dynamically as the communication address; the selection method is similar to the selection of the real host's IP address within the real host's network segment. The false network must process network packets in real time and respond to scans in real time in the same way as a real system. The false network operation flow is shown in Fig. 5. On the theoretical basis of Fig. 5, the effect of the network produced by false simulated routing is shown in Fig. 6.
The traffic confusing module is described in more detail below.
Traffic confusion simulates the communication of real computers in the network, filling network communication with junk traffic to increase network complexity; the system mainly simulates the filling of TCP and UDP communication data and application-layer HTTP traffic. Among the communicating objects on the network, an intruder sniffing the network will see many communication connections, and the real communication lies among them and is hidden within them.
The forged communication address comprises a false IP address, a MAC address and a port number; the false IP address is an IP address of this network segment that nobody uses. First the associated address information is obtained from the address pool, then a certain number of available address families are randomly screened out as the addresses of the false hosts; then port information and protocol type information are gathered from the network behavior of the real host so that its network behavior can be simulated. After the addresses have been chosen, libnet is used to construct network packets of all kinds and send them onto the network. The two sides of the network communication are mainly: communication between false hosts, communication between false hosts and the external network, and communication between false hosts and the real host.
The dynamic change strategy for the addresses is:
(1) Communication source MAC address: when a false IP is forged, the corresponding MAC address is built so that its first three bytes belong to a real manufacturer.
(2) Communication destination MAC address: the MAC address corresponding to the false destination IP address forged when the false host IP was created.
(3) Communication source IP address: the address of a false host, that is, an IP address not in use in the real host's network segment.
(4) Communication destination IP address: an IP address not in use in the local network segment, the IP address of a commonly used website on the external network, or the IP address of the real host.
(5) Source port: the source port can be generated at random (ports above 1024 may be used).
(6) Destination port: the port number is determined by the protocol information of the false packet type.
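The address pool of the dynamic multi-address module and the address strategy rules (1)-(6) above both need the same pool bookkeeping, so one added example serves both passages; it is written for this page and is not the patent's code. `AddressPool` keeps the free/occupied/forged state of a segment, treats an observed ARP reply the way the listener thread does (a reply not addressed to this machine and not from one of our false addresses marks the source as occupied), ages occupied entries back to "free" after `IDLE_TIMEOUT` (an assumed value), and selects hop addresses by random last octet as the text describes. `decoy_flow` then builds the address tuple for one forged flow; the vendor prefixes, the external "common website" placeholder (a TEST-NET-3 address) and the protocol-to-port table are assumptions, and nothing is put on the wire.

```python
import ipaddress
import random
import time

FREE, OCCUPIED, FORGED = "free", "occupied", "forged"
IDLE_TIMEOUT = 300.0   # assumed: seconds without an ARP reply before an address is "free" again


class AddressPool:
    """Address pool for one network segment, as described for the dynamic multi-address module."""

    def __init__(self, network, own_ip, now=time.time):
        self.net = ipaddress.ip_network(network)
        self.own_ip = ipaddress.ip_address(own_ip)
        self.now = now                       # clock, injectable for tests
        # Filled in order at initialisation, so the last octet indexes an entry.
        self.state = {ip: FREE for ip in self.net.hosts() if ip != self.own_ip}
        self.last_seen = {}
        self.forged_ips = set()

    def state_of(self, ip):
        return self.state.get(ipaddress.ip_address(ip))

    def on_arp_reply(self, src_ip, dst_ip):
        """ARP-reply listener: a reply not destined for this machine and not from one
        of our false addresses means the source address is occupied."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if src in self.state and dst != self.own_ip and src not in self.forged_ips:
            self.state[src] = OCCUPIED
            self.last_seen[src] = self.now()

    def should_answer_arp(self, target_ip):
        """ARP-request listener: reply only for IPs this host is masquerading as."""
        return ipaddress.ip_address(target_ip) in self.forged_ips

    def refresh(self):
        """Periodic state refresh: no ARP reply for IDLE_TIMEOUT puts an address back to 'free'."""
        for ip, ts in list(self.last_seen.items()):
            if self.state[ip] == OCCUPIED and self.now() - ts > IDLE_TIMEOUT:
                self.state[ip] = FREE
                del self.last_seen[ip]

    def pick_hop_addresses(self, count, seed=None):
        """Random last-octet selection, repeated until 'count' usable addresses are found."""
        rng, chosen, base = random.Random(seed), [], int(self.net.network_address)
        for _ in range(4096):                # bound the search instead of looping forever
            if len(chosen) == count:
                break
            ip = ipaddress.ip_address(base + rng.randint(0, 255))
            if self.state.get(ip) == FREE and ip not in chosen:
                chosen.append(ip)
        if len(chosen) < count:
            raise RuntimeError("not enough free addresses in the segment")
        return [str(ip) for ip in chosen]

    def forge_hosts(self, count, seed=None):
        """Reserve free addresses for false hosts; the pool then answers ARP for them."""
        for ip in self.pick_hop_addresses(count, seed):
            self.state[ipaddress.ip_address(ip)] = FORGED
            self.forged_ips.add(ipaddress.ip_address(ip))
        return sorted(str(ip) for ip in self.forged_ips)


# Assumed sample vendor prefixes (VMware OUIs); a deployment would draw from the IEEE registry.
VENDOR_OUIS = [(0x00, 0x50, 0x56), (0x00, 0x0C, 0x29)]
PROTO_DST_PORT = {"http": 80, "dns": 53}   # rule (6): destination port follows the forged protocol
EXTERNAL_SITES = ["203.0.113.5"]           # placeholder for a "commonly used website" (TEST-NET-3)


def fake_mac(rng):
    """Rule (1): first three bytes from a real manufacturer, the remaining three random."""
    tail = tuple(rng.randint(0, 255) for _ in range(3))
    return ":".join("%02x" % b for b in rng.choice(VENDOR_OUIS) + tail)


def decoy_flow(pool, proto, seed=None):
    """Address tuple for one forged flow under rules (1)-(6); nothing is sent."""
    rng = random.Random(seed)
    forged = sorted(str(ip) for ip in pool.forged_ips)
    src_ip = rng.choice(forged)                                  # rule (3)
    targets = [ip for ip in forged if ip != src_ip] + [str(pool.own_ip)] + EXTERNAL_SITES  # rule (4)
    return {"src_mac": fake_mac(rng), "dst_mac": fake_mac(rng),  # rules (1), (2)
            "src_ip": src_ip, "dst_ip": rng.choice(targets),
            "sport": rng.randint(1025, 65535),                   # rule (5): ports above 1024
            "dport": PROTO_DST_PORT[proto]}
```

The pool never answers ARP for an address it has not reserved, which is the check that keeps the false hosts from colliding with a real machine that comes online later.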
Wherein, active data flow is forged including the packet for connecting control with Transmission Control Protocol load, with load UDP message bag and the tcp data bag with application layer load.
(1) TCP connections control bag main analog TCP three-way handshake, then carries packet and sends.
(2) packet that UDP is generated with load data bag main analog QQ etc. using the application layer software of udp protocol.Profit UDP message bag is constructed with libnet, the data message that a part of packet is carried is the data message produced by QQ softwares, in addition A part is that data segment is, using the packet of Filling Random Sequences, to allow it to appear to by the data traffic of encryption more Highlight the authenticity of camouflage.
(3) network development process of application layer main analog HTTP.Gone forward side by side by carrying out spot check data flow in true LAN The data that row statistics is obtained learn that the behavior of general individual's main frame frequency of use highest application layer is web page browsing, be correspond to Http protocol, therefore it is very representative to forge HTTP flows.Because three first layers data head is packaged, in data segment loading HTTP related data message.Then combine this several part to be integrated, be encapsulated into web browsing data bag.
Forging passive data traffic means responding, with a virtual protocol stack, to the probe packets received by the fictitious host; this includes ARP replies, ICMP replies, replies to SYN scans and replies to ACK scans.
For ARP replies, a thread is created that monitors in real time whether any host is asking for the MAC address corresponding to a false host IP; when an ARP request is detected, the MAC address corresponding to that IP is returned. This function is implemented mainly with libpcap and libnet. For ICMP replies, the stack monitors in real time for ICMP probe packets and answers those whose type calls for a reply. A SYN reply means that when a SYN request is heard, an ACK or RST packet is returned to the sender: if the port is forged as open, an ACK is returned, which serves as the second step of the TCP three-way handshake and tells the scanner that the fictitious host is waiting for the connection to be established; if the port is forged as closed, an RST packet is returned. Communication between false hosts can use the same mechanism to carry out the connection and the subsequent communication. Whether a SYN belongs to a scan or to a connection between false hosts is judged from its source IP address: if the source IP address is not one used for false communication, the host at that address is judged to be scanning, and the real host can be notified to block requests from that IP address. A false host, for its part, replies with ACK packets according to the normal protocol flow.
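The passive responder described above, as an added example that is not part of the patent: a virtual stack for the false host addresses answers ARP and ICMP probes, replies SYN-ACK or RST depending on the forged port state, and classifies a SYN as a scan or as traffic between false hosts by its source address, recording scanner sources for the real host to block. The addresses, forged MACs, open-port sets and the RST answer to an ACK probe are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample data (not from the patent): false host addresses taken from
# the unused part of the real host's segment, their forged MACs and forged open ports.
REAL_HOST_IP = "192.0.2.5"
DECOYS: Dict[str, Dict] = {
    "192.0.2.10": {"mac": "02:00:00:00:00:0a", "open": {80, 443}},
    "192.0.2.11": {"mac": "02:00:00:00:00:0b", "open": {22}},
}


@dataclass
class Probe:
    """One packet seen on the wire; proto is 'arp', 'icmp' or 'tcp'."""
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int = 0
    flags: Set[str] = field(default_factory=set)   # TCP flags, e.g. {"SYN"}


@dataclass
class VirtualStack:
    decoys: Dict[str, Dict]
    blocked: Set[str] = field(default_factory=set)   # sources the real host is told to drop

    def reply(self, p: Probe) -> Tuple[str, Optional[str]]:
        """Return (classification, reply) for a probe; reply is None when the
        virtual stack stays silent (address not ours, or an unhandled packet)."""
        decoy = self.decoys.get(p.dst_ip)
        if decoy is None:
            return ("not-decoy", None)
        if p.proto == "arp":
            # who-has for a false host IP: answer with the forged MAC
            return ("arp-request", decoy["mac"])
        if p.proto == "icmp":
            # echo request is a type that calls for a reply: answer it
            return ("icmp-echo", "echo-reply")
        if p.proto != "tcp":
            return ("unhandled", None)
        if "SYN" in p.flags and "ACK" not in p.flags:
            # Scan vs. traffic between false hosts is decided by the SYN's source IP:
            # a source outside the false-host set is taken to be a scanner.
            if p.src_ip in self.decoys:
                kind = "decoy-internal"
            else:
                kind = "scan"
                self.blocked.add(p.src_ip)
            # Forged open port: second handshake step (SYN-ACK), so the false host
            # appears to wait for the connection; forged closed port: RST.
            return (kind, "SYN-ACK" if p.dst_port in decoy["open"] else "RST")
        if "ACK" in p.flags and "SYN" not in p.flags:
            # ACK-scan probe; assumption: answer RST as an ordinary stack would
            return ("ack-scan", "RST")
        return ("unhandled", None)
```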
The protocol fingerprint obfuscation module is described in more detail below.
Protocol fingerprints are detected through operating system protocol stack fingerprint detection and application-layer fingerprint detection.
A brief introduction to the implementation techniques of several OS type detection tools follows.
(1) Nmap is a comprehensive scanning tool that can actively probe the operating system type of an attack target. The network characteristic values Nmap relies on during detection mainly include: the TCP initial sequence number (ISN) pattern, the don't-fragment (DF) flag, the ACK sequence number pattern, the receive window size, the flags and option contents of the TCP header, and the content of the response datagram to an unreachable UDP datagram. Nmap constructs and sends seven kinds of TCP probe packets (called Tx) and one kind of UDP probe packet (called PU). The responses to each probe are analyzed together and compared against the existing protocol stack characteristic values to determine the operating system type of the target host.
(2) Xprobe sends a UDP datagram to a closed port of the attack target to elicit an ICMP port unreachable message, and analyzes the network characteristic values in the ICMP message with a fuzzy algorithm and a logic tree. Its characteristic values mainly include: IP total length, IP ID, whether the IP checksum is correct, the correctness of the UDP header checksum, the precedence bits (TOS value), the DF response, the IP TTL value, the size of the quoted data in the ICMP error message, the integrity of the ICMP error message response, and the ICMP timestamp, information and address mask requests.
(3) RING uses a new remote operating system detection technique built into ordinary, non-dangerous TCP transmissions. It simulates network congestion by deliberately not sending response datagrams to the target host in time, and determines the operating system type of the target host by analyzing the delays between the target host's successive retransmitted datagrams.
Application-layer fingerprint detection is described in more detail below.
Software operating at the application layer uses different strategies when sending packets because of differences in platform, software version and the habits of its authors. Taking Web servers as an example, an Apache server running on Linux and an IIS server running on Microsoft Windows, when processing different kinds of requests, each use processing methods with their own characteristics in the packet header or in the HTTP payload. These characteristics are commonly known as HTTP fingerprints (HTTP fingerprinting). Using them, one can easily judge which HTTP server a system runs, and even infer the operating system. Some HTTP fingerprint detection methods for Web servers are as follows:
(1) Plaintext header declaration detection. For a Web server without any precautionary measures, the Server field of the HTTP header gives, in plain text, the type of server that processed the HTTP packet, for example:
IIS7 server packet header:
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.0
Date: Tue, 07 Aug 2012 00:02:19 GMT
Content-Length: 1163
Apache/2.2.22 server (running on a Linux system) packet header:
HTTP/1.1 200 OK
Date: Mon, 06 Aug 2012 08:18:44 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1b DAV/2
Content-Length: 563
Keep-Alive: Timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
The string following "Server:" exposes the server that processed this packet.
(2) Processing behavior for specific protocol requests
1) In the reply to a normal HEAD / HTTP/1.1 request, the Apache server and the IIS server again show different features in the packet header. As shown in the example in (1), in the IIS7 server's packet header the Server field appears before the Date field, whereas the Apache server shows the opposite order; this is also a feature for distinguishing the server software type.
2) For the handling of a method such as DELETE (a method the client lacks permission for), Apache replies "HTTP/1.1 405 Method Not Allowed", while IIS servers usually reply "HTTP/1.1 403 Forbidden"; the two differ on this point.
3) For the handling of a request with an incorrect protocol type, for example when a Web server that should process the HTTP protocol is sent a request in some other protocol such as a made-up "JUNK" protocol, the Apache server usually replies "HTTP/1.1 200 OK", but IIS replies "HTTP/1.1 400 Bad Request"; this too can serve as a basis for distinguishing them.
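As an added illustration (not code from the patent), the three HTTP fingerprint methods above as a probe would apply them, beside the kind of normalization the protocol fingerprint obfuscation layer applies to a response head: drop the Server banner, impose one fixed header order, and return one uniform status to a DELETE regardless of server, after which the same methods learn nothing. The sample responses are constructed from the two headers quoted above; the canonical order and the 501 status are assumptions.

```python
from typing import Dict, List, Tuple

Response = Tuple[str, List[Tuple[str, str]]]   # (status line, ordered headers)

# Constructed samples modelled on the two packet headers quoted above.
IIS_RAW = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
           "Server: Microsoft-IIS/7.0\r\nDate: Tue, 07 Aug 2012 00:02:19 GMT\r\n"
           "Content-Length: 1163\r\n\r\n")
APACHE_RAW = ("HTTP/1.1 200 OK\r\nDate: Mon, 06 Aug 2012 08:18:44 GMT\r\n"
              "Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1b DAV/2\r\n"
              "Content-Length: 563\r\nKeep-Alive: Timeout=5, max=100\r\n"
              "Connection: Keep-Alive\r\nContent-Type: text/html; charset=ISO-8859-1\r\n\r\n")


def parse(raw: str) -> Response:
    """Split a raw response head into its status line and ordered header list."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def serialize(resp: Response) -> str:
    status, headers = resp
    return status + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"


def guess_server(resp: Response, request: str = "normal") -> str:
    """The three methods of the description: Server banner, Server/Date order,
    and the status returned to a DELETE ('delete') or a made-up protocol ('junk')."""
    status, headers = resp
    names = [n.lower() for n, _ in headers]
    banner = next((v.lower() for n, v in headers if n.lower() == "server"), "")
    if "microsoft-iis" in banner:
        return "IIS"
    if "apache" in banner:
        return "Apache"
    if "server" in names and "date" in names:
        return "IIS" if names.index("server") < names.index("date") else "Apache"
    code = status.split()[1]
    if request == "delete":
        return {"405": "Apache", "403": "IIS"}.get(code, "unknown")
    if request == "junk":
        return {"200": "Apache", "400": "IIS"}.get(code, "unknown")
    return "unknown"


# Assumptions (not from the patent): a neutral header order that copies neither
# server, and one refusal status for DELETE that neither server habitually sends.
CANON_ORDER = ["date", "content-type", "content-length"]
UNIFORM_STATUS = {"delete": "HTTP/1.1 501 Not Implemented"}


def normalize(resp: Response, request: str = "normal") -> Response:
    """What the obfuscation layer does to a response head: drop the Server banner,
    impose a fixed header order, and unify the status returned to a DELETE."""
    status, headers = resp
    kept = [(n, v) for n, v in headers if n.lower() != "server"]
    rank: Dict[str, int] = {name: i for i, name in enumerate(CANON_ORDER)}
    # canonical names first, then the rest alphabetically: no server-specific order survives
    kept.sort(key=lambda h: (rank.get(h[0].lower(), len(CANON_ORDER)), h[0].lower()))
    return UNIFORM_STATUS.get(request, status), kept
```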
In summary, the present invention fully exploits the internal relations among the fields of network protocols and on that basis proposes a four-layer network hiding model, which mainly includes: an access behavior control layer, which uses the Netfilter framework in LKM (loadable kernel module) mode to implement real-time packet monitoring and access behavior control, providing the basis for deciding on and carrying out effective hiding of the system; a dynamic multi-address layer, which can effectively change the physical address, logical address and port address of protocol packets and, together with the other layers, simulates network traffic; a traffic obfuscation layer, which according to the hiding strategy in force uses a network silence mode or a false response mode to produce traffic of multiple network protocols, increasing network complexity and confusing or deceiving the attacker without affecting normal network services; and finally a protocol fingerprint obfuscation layer, which modifies packet field information to interfere with the attacker's information gathering. The present invention can block unknown security problems in advance, blocking the occurrence of malicious network behavior at its source and truly achieving advance protection; owing to its hiding characteristics, the system can genuinely nip trouble in the bud and ensure computer security well.
The present invention is not limited to the specific embodiment described above; the various transformations that a person of ordinary skill in the art can make from the above concept without creative effort all fall within the scope of the present invention.

Claims (9)

1. A network hiding method for a computer, characterized in that the network hiding method adopts a passive processing strategy and an active processing strategy for probe packets; the passive processing strategy includes judging the legitimacy of the packets entering and leaving the computer and, for illegal data traffic, a processing mode of not accepting it, not responding to it, not passing it to the normal protocol stack, and writing a record of bad behavior; the active processing strategy includes the following three modes: S1, when a detection behavior is judged to be in progress, replying with false information to confuse the detector and increase its attack difficulty; S2, forging false data traffic and real host network behavior to disrupt sniffing; S3, using the IP address of the real host as the hopping element and hopping dynamically and randomly to achieve hiding of the real host; wherein in S2 the real host is hidden within a group of forged computers by forging false data traffic, reducing the probability of its being detected, and the false data traffic refers to emulating server behavior by making full use of the unused IP addresses in the network segment where the real host is located to construct data traffic that imitates the network behavior of real computers, increasing the difficulty for detection to lock onto the target.
2. A network hiding system for a computer based on the network hiding method for a computer according to claim 1, characterized by including:
an access behavior control module, which sets up a state chain for normal network behavior and a separate state chain for abnormal network behavior, and judges in advance whether a network behavior is legal;
a dynamic multi-address module, for dynamically changing the computer's physical address and dynamically changing the computer's IP address;
a traffic obfuscation module, for forging communication addresses, forging active data traffic and forging passive data traffic for the computer;
a protocol fingerprint obfuscation module, which processes the data received by the host with a dual protocol stack model, branching it and dynamically modifying protocol fingerprint features so as to confuse the judgement of a malicious party.
3. The network hiding system for a computer according to claim 2, characterized in that the network behavior judgement includes two modules distinguishing servers from personal computers: for a personal computer, since it does not provide services to the outside world, it will not accept active SYN requests sent from outside, so every source IP address from which a SYN is received is suspicious; and if this computer has not established a connection with a certain remote host, yet that host sends RST packets or ACK+PUSH+URG packets, this is also indicative of scanning behavior; a server, since it must provide services to the outside, cannot simply change its ports and address and must moreover make them known to clients, so the state chain of the packets it receives must be judged.
4. The network hiding system for a computer according to claim 2, characterized in that the dynamic change of the computer's physical address includes: first detecting the active IP addresses with ARP requests, filtering out the IP addresses not in use and adding them to an address pool; then creating a thread responsible for monitoring ARP and receiving all requests, and checking through the IP address management platform whether the IP address requested in the ARP is an IP address of a disguised host, in which case an ARP reply is sent, and otherwise no ARP reply is sent; finally, the state of the IP addresses must also be maintained, that is, a thread is created to monitor the IP addresses that reply to ARP, and if the destination IP address is not the local address and the source IP address is not one of our false IP addresses, that IP address is judged to be occupied; in addition, the IP states are updated periodically, i.e., if no ARP reply from an IP address is received for a period of time, the state of that IP address is set to "idle".
5. The network hiding system for a computer according to claim 2, characterized in that the dynamic change of the computer's IP address includes: dynamic change of the IP address of the real host and dynamic change of the IP address of the fictitious host.
6. The network hiding system for a computer according to claim 2, characterized in that the forged communication addresses include false IP addresses, MAC addresses and port numbers, the false IP addresses being IP addresses of this network segment that nobody uses.
7. The network hiding system for a computer according to claim 2, characterized in that forging active data traffic includes TCP connection-control packets carrying a TCP payload, UDP packets carrying a payload, and TCP packets carrying an application-layer payload.
8. The network hiding system for a computer according to claim 2, characterized in that forging passive data traffic means responding, with a virtual protocol stack, to the probe packets received by the fictitious host, including ARP replies, ICMP replies, replies to SYN scans and replies to ACK scans.
9. The network hiding system for a computer according to claim 2, characterized in that the protocol fingerprint is detected through operating system protocol stack fingerprint detection and application-layer fingerprint detection.
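The address pool and ARP state maintenance of claim 4, as an added example that is not part of the patent: addresses that did not answer an ARP sweep enter the pool, only addresses a false host is disguising get an ARP reply, a reply whose target is not the local address and whose sender is not a false host marks the sender occupied, and an occupied address not heard from for a timeout returns to idle and may be reused. The segment addresses, the forged MAC scheme and the timeout are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IDLE_AFTER = 60.0   # assumption: seconds without an ARP reply before "occupied" becomes "idle"


def forged_mac(ip: str) -> str:
    """Assumption: locally administered MAC derived from the last two octets."""
    o3, o4 = (int(x) for x in ip.split(".")[2:])
    return "02:00:00:00:%02x:%02x" % (o3, o4)


@dataclass
class Entry:
    state: str             # "free", "disguised", "occupied" or "idle"
    last_reply: float = 0.0


@dataclass
class AddressPool:
    local_ip: str
    entries: Dict[str, Entry] = field(default_factory=dict)

    @classmethod
    def from_sweep(cls, local_ip: str, segment: List[str], active: Set[str]) -> "AddressPool":
        """Step 1: after the ARP sweep, addresses that did not answer go into the pool."""
        pool = cls(local_ip)
        for ip in segment:
            if ip not in active and ip != local_ip:
                pool.entries[ip] = Entry("free")
        return pool

    def state(self, ip: str) -> Optional[str]:
        e = self.entries.get(ip)
        return e.state if e else None

    def available(self) -> Set[str]:
        return {ip for ip, e in self.entries.items() if e.state in ("free", "idle")}

    def disguise(self, ip: str) -> Optional[str]:
        """Give a pooled address to a false host; returns its forged MAC, or None if taken."""
        if ip not in self.available():
            return None
        self.entries[ip].state = "disguised"
        return forged_mac(ip)

    def on_arp_request(self, target_ip: str) -> Optional[str]:
        """Step 2: answer only for addresses a false host is disguising."""
        if self.state(target_ip) == "disguised":
            return forged_mac(target_ip)
        return None

    def on_arp_reply(self, sender_ip: str, target_ip: str, now: float) -> None:
        """Step 3: a reply not addressed to us and not from one of our false hosts
        means some other machine holds the sender address."""
        if target_ip == self.local_ip or self.state(sender_ip) == "disguised":
            return
        e = self.entries.get(sender_ip)
        if e is not None:
            e.state, e.last_reply = "occupied", now

    def refresh(self, now: float) -> Set[str]:
        """Step 4: occupied addresses silent for IDLE_AFTER become idle again."""
        freed = set()
        for ip, e in self.entries.items():
            if e.state == "occupied" and now - e.last_reply > IDLE_AFTER:
                e.state = "idle"
                freed.add(ip)
        return freed
```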
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310132080.1A CN103312689B (en) 2013-04-08 2013-04-08 Network hiding method for computer and network hiding system based on method

Publications (2)

Publication Number Publication Date
CN103312689A CN103312689A (en) 2013-09-18
CN103312689B (en) 2017-05-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170524

Termination date: 20180408