CN106878992B - Wireless network security detection method and system - Google Patents


Info

Publication number: CN106878992B
Authority: CN (China)
Prior art keywords: enterprise, client, blacklist, wireless, wireless network
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201510959329.5A
Other languages: Chinese (zh)
Other versions: CN106878992A (en)
Inventors: 杨卿, 柴坤哲
Current Assignee: 3600 Technology Group Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201510959329.5A
Publication of CN106878992A
Application granted
Publication of CN106878992B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/08 Access security
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/12 Detection or prevention of fraud

Abstract

The invention discloses a wireless network security detection method and system. The method comprises the following steps: hardware sensors deployed inside an enterprise continuously capture all data traffic in the surrounding wireless environment and forward it to a central control server in real time; the central control server parses the required feature information from the traffic, matches it against a feature library, and further checks the connection state of the hotspots and clients belonging to the enterprise to generate a blacklist and a whitelist; the central control server sends the blacklist to a management terminal for display and raises an alarm to the administrator; and the management terminal blocks and isolates the hotspots and terminals on the blacklist. The invention improves wireless network security, is compatible with the various wireless network environments found in enterprises, leaves the enterprise's existing wireless network structure untouched, can be deployed seamlessly, and supports intelligent and convenient management.

Description

Wireless network security detection method and system
Technical Field
The invention relates to the technical field of network security, in particular to a wireless network security detection method and system.
Background
With the development of network technology, wireless networks have become increasingly widespread because of their convenience. Many companies and households have added wireless APs (Access Points) to meet the wireless Internet access needs of different devices, which gives Internet-connected devices mobility and removes the constraints of wired networks.
For enterprise users, as the number of hotspots in the enterprise network grows, hotspots of different manufacturers and models coexist, their distribution is disorderly, and the devices themselves are weakly secured. Because a wireless network radiates its data over the air, an attacker anywhere within a hotspot's coverage can intercept, replay and tamper with users' communications, which poses a serious risk to the enterprise's information security.
Hotspots in an enterprise mainly fall into the following categories, each of which carries its own security hazards.
1. Legitimate hotspots
Hotspots that the enterprise has planned and built are called legitimate hotspots. From a security standpoint, legitimate hotspots should be the only hotspots inside the enterprise; any other hotspot may expose the enterprise to risk.
Legitimate hotspots nonetheless have their own hazards. Even when a password is set under a wireless encryption protocol such as WEP or WPA, weak passwords and insufficient encryption strength remain a problem; with cracking strategies and tools freely available on the Internet, such protection exists in name only for an attacker, so a hacker can easily enter the enterprise's internal network through the hotspot and cause serious consequences such as information leakage and tampering. A legitimate hotspot may also suffer a DDoS attack and become unable to serve properly.
2. Overlapping hotspots from outside
Because wireless signals penetrate walls and have no sharp boundary, the wireless networks of neighbouring enterprises may overlap. Such hotspots pose two problems for the enterprise's network security: first, it is unknown whether the other party's hotspot is secure; second, the enterprise's staff may connect to it. Either way, information may leak.
3. Hotspots set up privately by staff
A portable Wi-Fi dongle turns any networked computer into a hotspot, and many desktop tools offer Wi-Fi sharing. Many employees, intentionally or not, set up hotspots on their own terminals. The security of these hotspots is hard to guarantee; they are easy for hackers to break into and use as a path into the enterprise network, from which internal data can be stolen.
4. Malicious hotspots
Beyond the above, attackers may deliberately set up malicious hotspots around the enterprise with the same or similar names as the enterprise's own hotspots, to which employees' terminals connect intentionally or unintentionally. Through such a hotspot the attacker can obtain internal enterprise information and even compromise the terminal to reach the internal network.
Wireless networks therefore require close attention to security and access-control technologies.
Although an enterprise may periodically audit its wireless network, checking its security status and looking for illegal hotspots, such audits rarely become routine. The security posture of the whole wireless network is not watched over the long term, and highly transient illegal hotspots cannot be discovered and blocked in real time. A method and system for detecting the security status of a wireless network that runs continuously and stably is lacking.
When a hotspot suffers a DDoS flood, many enterprises notice and respond only after the network has become unusable. Few means exist to discover phishing hotspots, so terminals connect to them unknowingly and information leaks. Effective protection that discovers and blocks such attacks in time is also lacking.
When a security event occurs, for example a terminal setting up Wi-Fi privately, a terminal connecting to an illegal hotspot, or a hotspot coming under attack, the data and processing means needed for subsequent auditing and tracing are also lacking.
Disclosure of Invention
In view of the above, the present invention provides a wireless network security detection method and system that overcomes the above problems, or at least partially solves or mitigates them.
According to one aspect of the present invention, a wireless network security detection method is provided, comprising the steps of:
hardware sensors deployed inside the enterprise continuously capture all data traffic in the surrounding wireless environment and forward it to a central control server in real time;
the central control server parses the required feature information from the data traffic;
the central control server matches the feature information against a feature library;
the central control server further checks the connection state of the hotspots and clients belonging to the enterprise and generates a blacklist and a whitelist;
the central control server sends the blacklist to a management terminal for display and raises an alarm to the administrator;
and the management terminal blocks and isolates the hotspots and terminals on the blacklist.
Optionally, the hardware sensor comprises a wireless network card and collects, in real time or at fixed intervals, the wireless packets sent or received by the hotspots and clients in the wireless network.
Optionally, the feature information comprises: hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address and client MAC address.
Optionally, the central control server matching the feature information against a feature library comprises:
tallying the SSIDs of the wireless hotspots and the client MAC addresses seen in the wireless packets, and sorting hotspots and clients into those that belong to the enterprise and those that do not.
Optionally, the central control server further checking the connection state of the hotspots and clients belonging to the enterprise and generating the blacklist and whitelist comprises:
if a hotspot belonging to the enterprise is connected to a client that does not belong to the enterprise, the hotspot is judged abnormal and that client is placed on the blacklist;
if a client belonging to the enterprise is connected to a hotspot that does not belong to the enterprise, the client is judged abnormal and placed on the blacklist;
if several wireless hotspots with the same SSID appear among the enterprise's hotspots, and the rate of disconnection frames (deauthentication or disassociation) received by one or more of them exceeds a preset threshold, an anomaly is determined and that hotspot is placed on the blacklist;
if the number of hotspots a client inside the enterprise connects to within a given period exceeds a preset threshold, the client is placed on the blacklist.
Optionally, the management terminal blocking and isolating the hotspots and terminals on the blacklist comprises:
the management terminal blocks and isolates the hotspots and terminals on the blacklist on the administrator's instruction;
or moves blacklisted hotspots/clients to the whitelist on the user's confirmation;
or, when an automatic blocking policy has been configured, blocks and isolates the hotspots and terminals on the blacklist automatically.
According to another aspect of the present invention, a wireless network security detection system is provided, comprising hardware sensors, a central control server and a management terminal, wherein
the hardware sensors are deployed inside the enterprise, continuously capture all data traffic in the surrounding wireless environment, and forward it to the central control server in real time;
the central control server parses the required feature information from the data traffic, matches it against a feature library, further checks the connection state of the hotspots and clients belonging to the enterprise to generate a blacklist and a whitelist, sends the blacklist to the management terminal for display, and raises an alarm to the administrator;
and the management terminal blocks and isolates the hotspots and terminals on the blacklist.
Optionally, the hardware sensor comprises a wireless network card and collects, in real time or at fixed intervals, the wireless packets sent or received by the hotspots and clients in the wireless network.
Optionally, the feature information comprises: hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address and client MAC address.
Optionally, the central control server matching the feature information against a feature library comprises:
tallying the SSIDs of the wireless hotspots and the client MAC addresses seen in the wireless packets, and sorting hotspots and clients into those that belong to the enterprise and those that do not.
Optionally, the central control server further checking the connection state of the hotspots and clients belonging to the enterprise and generating the blacklist and whitelist comprises:
if a hotspot belonging to the enterprise is connected to a client that does not belong to the enterprise, the hotspot is judged abnormal and that client is placed on the blacklist;
if a client belonging to the enterprise is connected to a hotspot that does not belong to the enterprise, the client is judged abnormal and placed on the blacklist;
if several wireless hotspots with the same SSID appear among the enterprise's hotspots, and the rate of disconnection frames (deauthentication or disassociation) received by one or more of them exceeds a preset threshold, an anomaly is determined and that hotspot is placed on the blacklist;
if the number of hotspots a client inside the enterprise connects to within a given period exceeds a preset threshold, the client is placed on the blacklist.
Optionally, the management terminal blocking and isolating the hotspots and terminals on the blacklist comprises:
the management terminal blocks and isolates the hotspots and terminals on the blacklist on the administrator's instruction;
or moves blacklisted hotspots/clients to the whitelist on the user's confirmation;
or, when an automatic blocking policy has been configured, blocks and isolates the hotspots and terminals on the blacklist automatically.
With the wireless network security detection method and system of the present invention, the collected wireless packets are inspected so that malicious hotspots and clients in the wireless network can be detected, blocked and isolated. This improves the security of the wireless network; the system is compatible with the various wireless network environments found in enterprises, leaves the enterprise's existing wireless network structure untouched, can be deployed seamlessly, and can be managed intelligently and conveniently.
The foregoing is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly, and so that the above and other objects, features and advantages become more readily apparent, embodiments of the invention are described below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 shows a flow diagram of a wireless network security detection method according to one embodiment of the invention;
FIG. 2 illustrates a block diagram of a wireless network security detection system according to one embodiment of the present invention;
FIG. 3 is a diagram illustrating a configuration of a central control server of the wireless network security detection system according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating the structure of a management terminal of the wireless network security detection system according to an embodiment of the present invention.
DETAILED DESCRIPTION OF EMBODIMENT(S) OF THE INVENTION
The invention is further described with reference to the following figures and detailed description of embodiments.
As shown in FIG. 1, a wireless network security detection method according to an embodiment of the present invention comprises the following steps:
Step 101: hardware sensors distributed at various positions in the enterprise's office environment continuously capture all data traffic in the surrounding wireless environment and forward it to the central control server in real time.
The hardware sensor comprises a wireless network card and collects, in real time or at fixed intervals, the wireless packets sent or received by the hotspots and clients in the wireless network. The packets may be in 802.11 format, among others. The sensor packages the collected packets and forwards them to the central control server over a wired or wireless connection.
Hotspots include wireless routers, wireless APs and the like. Clients include mobile terminals, PCs, notebook computers and the like.
Step 102: the central control server parses the required feature information from the data traffic.
The feature information includes the hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address (BSSID), client MAC address and the like; it may further include the time at which a client connected, the IP address assigned to the client, the association relationship between AP and client, and so on.
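Step 102 is a frame parser. The following is an added example, not the patent's code, of how the listed feature information is recovered from raw 802.11 frames as a sensor card in monitor mode delivers them (a card in managed mode only sees frames addressed to itself, and a single radio only sees the channel it is tuned to). The SSID comes from the beacon's SSID element, the channel from the DS Parameter Set element, the encryption mode from the RSN/WPA elements and the Privacy capability bit, the hotspot MAC from the BSSID address, and the client MAC and AP-to-client association from the address fields of data frames, whose roles depend on the To-DS/From-DS bits. The build_* helpers, MAC addresses and frames are constructed for the example so that it runs offline.

```python
"""Parse the step-102 feature information from raw 802.11 frames (added example)."""
import struct

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON, SUBTYPE_DEAUTH = 8, 12
PRIVACY_BIT = 0x0010                 # capability field: Privacy (WEP, WPA or WPA2)
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft vendor IE carrying WPA1 parameters


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(buf):
    """Split the tagged parameters into {element_id: value}; vendor IEs (221) kept as a list."""
    ies, vendor = {}, []
    i = 0
    while i + 2 <= len(buf):
        eid, ln = buf[i], buf[i + 1]
        val = buf[i + 2:i + 2 + ln]
        if eid == 221:
            vendor.append(val)
        else:
            ies[eid] = val
        i += 2 + ln
    return ies, vendor


def encryption_mode(cap, ies, vendor):
    if 48 in ies:                    # RSN IE: WPA2 (WPA3 also uses RSN; the AKM suite tells them apart)
        return "WPA2"
    if any(v[:4] == WPA_OUI_TYPE for v in vendor):
        return "WPA"
    if cap & PRIVACY_BIT:            # Privacy set but no RSN/WPA IE: legacy WEP
        return "WEP"
    return "OPEN"


def parse_frame(raw):
    """Return one feature record for a beacon, deauthentication or data frame."""
    fc, = struct.unpack_from("<H", raw, 0)
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x100), bool(fc & 0x200)
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]          # three-address header
    body = raw[24:]
    if ftype == TYPE_MGMT and subtype == SUBTYPE_BEACON:
        _interval, cap = struct.unpack_from("<HH", body, 8)   # fields after the 8-byte timestamp
        ies, vendor = parse_ies(body[12:])
        return {"kind": "beacon", "bssid": mac(a3),
                "ssid": ies.get(0, b"").decode("utf-8", "replace"),   # empty string = hidden SSID
                "channel": ies[3][0] if 3 in ies else None,            # DS Parameter Set
                "encryption": encryption_mode(cap, ies, vendor)}
    if ftype == TYPE_MGMT and subtype == SUBTYPE_DEAUTH:
        reason, = struct.unpack_from("<H", body, 0)
        return {"kind": "deauth", "bssid": mac(a3), "target": mac(a1), "reason": reason}
    if ftype == TYPE_DATA:
        # To-DS frames travel client -> AP (addr1 = BSSID, addr2 = client);
        # From-DS frames travel AP -> client (addr1 = client, addr2 = BSSID).
        if to_ds and not from_ds:
            return {"kind": "data", "bssid": mac(a1), "client": mac(a2)}
        if from_ds and not to_ds:
            return {"kind": "data", "bssid": mac(a2), "client": mac(a1)}
        return {"kind": "data", "bssid": mac(a3), "client": None}      # IBSS / WDS: no client link
    return {"kind": "other", "type": ftype, "subtype": subtype}


# --- constructed sample frames (not captures) --------------------------------
def _hdr(ftype, subtype, a1, a2, a3, to_ds=False, from_ds=False):
    fc = (ftype << 2) | (subtype << 4) | (0x100 if to_ds else 0) | (0x200 if from_ds else 0)
    return struct.pack("<H", fc) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"


RSN_IE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")  # CCMP/PSK


def build_beacon(bssid, ssid, channel, privacy=True, rsn=True):
    cap = 0x0001 | (PRIVACY_BIT if privacy else 0)       # ESS (+ Privacy)
    body = b"\x00" * 8 + struct.pack("<HH", 100, cap)
    body += bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel]) + (RSN_IE if rsn else b"")
    return _hdr(TYPE_MGMT, SUBTYPE_BEACON, b"\xff" * 6, bssid, bssid) + body


def build_data(client, bssid, to_ds):
    if to_ds:
        return _hdr(TYPE_DATA, 0, bssid, client, b"\x00" * 6, to_ds=True)
    return _hdr(TYPE_DATA, 0, client, bssid, b"\x00" * 6, from_ds=True)


def build_deauth(bssid, target, reason=7):
    return _hdr(TYPE_MGMT, SUBTYPE_DEAUTH, target, bssid, bssid) + struct.pack("<H", reason)


if __name__ == "__main__":
    ap, cli = bytes.fromhex("021122334455"), bytes.fromhex("0a0b0c0d0e0f")
    for frame in (build_beacon(ap, "CorpNet", 6), build_data(cli, ap, to_ds=True), build_deauth(ap, cli)):
        print(parse_frame(frame))
```

Only the three-address header is handled; QoS data frames carry two extra header bytes before the payload, which does not affect the address fields read here. The IP assigned to a client and the time of access mentioned above come from the decrypted payload (DHCP) and the sensor's timestamp respectively, not from the 802.11 header.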
Step 103: the central control server matches the feature information against a feature library.
The SSIDs of the wireless hotspots and the client MAC addresses seen in the wireless packets are tallied, and hotspots and clients are sorted into those that belong to the enterprise and those that do not.
Step 104: the connection state of the hotspots and clients belonging to the enterprise is further checked from the packets to generate a blacklist and a whitelist:
if a hotspot belonging to the enterprise is connected to a client that does not belong to the enterprise, the hotspot is judged abnormal and that client is placed on the blacklist; alternatively the client may be added to the dynamic whitelist on confirmation by an administrator or user;
if a client belonging to the enterprise is connected to a hotspot that does not belong to the enterprise, the client is judged abnormal and placed on the blacklist; alternatively the client may be added to the dynamic whitelist on confirmation by an administrator or user;
if several wireless hotspots with the same SSID appear among the enterprise's hotspots, and the rate of disconnection frames (deauthentication or disassociation) received by one or more of them exceeds a preset threshold, an anomaly is determined and that hotspot is placed on the blacklist;
if the number of hotspots a client inside the enterprise connects to within a given period exceeds a preset threshold, the client is placed on the blacklist; alternatively the client may be added to the dynamic whitelist on confirmation by an administrator or user. A client that repeatedly connects to more than a predetermined number of hotspots may be a scanner attempting to crack the enterprise's hotspots.
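The four rules of step 104 (stated identically in the summary above and again for the black-and-white-list generation unit below) reduce to bookkeeping over the parsed feature records. The following is an added example, not the patent's code. It keeps a feature library of enterprise SSIDs, hotspot MACs and client MACs (an assumed layout; the patent does not specify the library's structure), applies the four rules over a constructed event stream with sliding-window thresholds, and honours an administrator-confirmed whitelist. Because rules 1 and 2 key on MAC addresses, which an attacker can clone, their output is a signal for the administrator's confirmation step rather than proof of an intrusion.

```python
"""Blacklist/whitelist generation for the connection checks of step 104 (added example).

Consumes parsed records of the form {"t": seconds, "kind": "beacon"|"data"|"deauth", ...}.
The feature library, thresholds and sample events are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class FeatureLibrary:
    """Assumed feature library: enterprise SSIDs, hotspot MACs (BSSIDs) and client MACs."""
    ssids: set
    ap_macs: set
    client_macs: set
    whitelist: set = field(default_factory=set)   # admin/user-confirmed MACs, never blacklisted


@dataclass
class Thresholds:
    window_s: float = 10.0          # sliding window for the two rate-based rules
    deauth_per_window: int = 20     # disconnection frames per BSSID per window (rule 3)
    max_aps_per_client: int = 5     # distinct hotspots one client may touch per window (rule 4)


def generate_blacklist(events, lib, th=Thresholds()):
    """Return {mac: [reasons]} for hotspots and clients that violate any of the four rules."""
    blacklist = defaultdict(list)
    ssid_of = {}                        # bssid  -> SSID it advertises (from beacons)
    bssids_by_ssid = defaultdict(set)   # ssid   -> BSSIDs advertising it (duplicates = suspect)
    deauth_ts = defaultdict(list)       # bssid  -> timestamps of disconnection frames
    client_hist = defaultdict(list)     # client -> [(t, bssid)] of observed connections

    def flag(mac, reason):
        if mac in lib.whitelist or reason in blacklist[mac]:
            return
        blacklist[mac].append(reason)

    for e in sorted(events, key=lambda ev: ev["t"]):
        t, kind = e["t"], e["kind"]
        if kind == "beacon":
            ssid_of[e["bssid"]] = e["ssid"]
            bssids_by_ssid[e["ssid"]].add(e["bssid"])
        elif kind == "data" and e.get("client"):
            ap, cli = e["bssid"], e["client"]
            # Rule 1: enterprise hotspot serving a client that is not an enterprise asset
            if ap in lib.ap_macs and cli not in lib.client_macs:
                flag(cli, f"foreign client on enterprise hotspot {ap}")
            # Rule 2: enterprise client attached to a hotspot that is not the enterprise's
            elif cli in lib.client_macs and ap not in lib.ap_macs:
                flag(cli, f"enterprise client on foreign hotspot {ap}")
            # Rule 4: one client touching too many hotspots inside the window (possible scanner)
            hist = client_hist[cli]
            hist.append((t, ap))
            hist[:] = [(t0, b) for t0, b in hist if t - t0 <= th.window_s]
            if len({b for _, b in hist}) > th.max_aps_per_client:
                flag(cli, f"connected to more than {th.max_aps_per_client} hotspots "
                          f"within {th.window_s:g}s (possible scanner)")
        elif kind == "deauth":
            # Rule 3: an enterprise SSID advertised by several BSSIDs, one of which is the
            # source of a burst of disconnection frames (evil twin / deauthentication flood)
            b = e["bssid"]
            ts = deauth_ts[b]
            ts.append(t)
            ts[:] = [t0 for t0 in ts if t - t0 <= th.window_s]
            ssid = ssid_of.get(b)
            if ssid in lib.ssids and len(bssids_by_ssid[ssid]) > 1 and len(ts) > th.deauth_per_window:
                flag(b, f"duplicate enterprise SSID {ssid!r} with disconnection-frame burst "
                        f"above {th.deauth_per_window} per {th.window_s:g}s")
    return dict(blacklist)


# --- constructed sample capture: one legitimate AP, one evil twin, one neighbour AP ----
LIB = FeatureLibrary(ssids={"CorpNet"}, ap_macs={"02:11:22:33:44:55"},
                     client_macs={"0a:0b:0c:0d:0e:0f"}, whitelist={"ca:fe:00:00:00:02"})


def sample_events():
    A, E, N = "02:11:22:33:44:55", "de:ad:be:ef:00:01", "66:77:88:99:aa:bb"
    C1, X, W, S = "0a:0b:0c:0d:0e:0f", "ca:fe:00:00:00:01", "ca:fe:00:00:00:02", "5c:a7:00:00:00:03"
    ev = [
        {"t": 0.0, "kind": "beacon", "bssid": A, "ssid": "CorpNet"},
        {"t": 0.1, "kind": "beacon", "bssid": E, "ssid": "CorpNet"},    # same SSID, unknown BSSID
        {"t": 0.2, "kind": "beacon", "bssid": N, "ssid": "Neighbour"},
        {"t": 1.0, "kind": "data", "bssid": A, "client": C1},           # normal
        {"t": 2.0, "kind": "data", "bssid": A, "client": X},            # rule 1
        {"t": 2.5, "kind": "data", "bssid": A, "client": W},            # rule 1, but whitelisted
        {"t": 3.0, "kind": "data", "bssid": N, "client": C1},           # rule 2
    ]
    ev += [{"t": 4.0 + i * 0.01, "kind": "deauth", "bssid": E, "target": C1} for i in range(25)]   # rule 3
    ev += [{"t": 5.0 + i, "kind": "data", "bssid": f"00:aa:bb:cc:dd:{i:02x}", "client": S}
           for i in range(6)]                                                                        # rule 4
    return ev


if __name__ == "__main__":
    for mac_, reasons in generate_blacklist(sample_events(), LIB).items():
        print(mac_, reasons)
```

The whitelist is checked before a reason is recorded, which is the "dynamic whitelist" path of the text: an administrator confirming a device removes it from future alarms without changing the rules. The thresholds are deliberately parameters; the right values depend on how many beacons and roaming events a site produces in normal operation.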
Step 105: the central control server sends the blacklist to the management terminal for display and raises an alarm to the administrator.
The management terminal is a mobile terminal, PC, notebook computer or the like connected to the central control server.
Step 106: the management terminal blocks and isolates the hotspots and terminals on the blacklist.
Specifically, the management terminal blocks and isolates the hotspots and terminals on the blacklist on the administrator's instruction;
or moves blacklisted hotspots/clients to the whitelist on the user's confirmation;
or, when an automatic blocking policy has been configured, blocks and isolates the hotspots and terminals on the blacklist automatically.
In one embodiment, the hotspots and terminals on the blacklist are blocked and isolated by means of a mechanism of the radio link layer or of an upper-layer protocol.
When an object to be blocked appears, the blocking device promptly starts a blocking action targeted at that object.
The advantage is that precise blocking is achieved in a more intelligent manner and at lower cost (less transmission time and lower transmit power).
A precision blocking device lets chosen wireless devices keep working in its operating area while other wireless devices are blocked.
Because it works on a principle different from that of a jammer, a precision blocking device can suppress a wireless device's transmissions with much lower transmit power and still achieve the same effect as a jammer. For example, to block the wireless devices in a given area, the precision blocker needs half or less of a jammer's transmit power, and in some cases only a tenth of it. Because the blocked device's own transmissions are suppressed, the signal field strength across the working area does not rise noticeably; the total field strength may even be lower than when the wireless devices are operating at full load.
Common blocking techniques in wireless networks currently include: deauthentication flooding, disassociation flooding, authentication flooding, association flooding, premature EAP flooding, EAPOL-Start flooding, EAPOL-Logoff flooding, CTS flooding, NAV attacks, FakeAP, AirJack, FataJack and the like. For example:
in authentication/deauthentication blocking, the blocking device disrupts the control exchange between the wireless terminal and the AP by sending targeted authentication, association, deauthentication and disassociation frames, so that the terminal can never complete association, which achieves the blocking. These techniques depend on management frames being unauthenticated: an AP and client that have negotiated 802.11w Protected Management Frames discard spoofed deauthentication and disassociation frames, so such blocking does not take effect against them.
In AirJack blocking, the blocking device interferes with the AP's timeslot allocation so that certain terminals never obtain a usable slot to communicate with the AP and are thereby blocked; the terminal appears to be associated with the AP but cannot communicate.
As shown in FIG. 2, a wireless network security detection system according to an embodiment of the present invention comprises:
hardware sensors, a central control server and a management terminal, wherein
the hardware sensors are distributed at various positions in the enterprise's office environment and continuously capture all data traffic in the surrounding wireless environment, forwarding it to the central control server in real time.
The hardware sensor comprises a wireless network card and collects, in real time or at fixed intervals, the wireless packets sent or received by the hotspots and clients in the wireless network. The packets may be in 802.11 format, among others. The sensor packages the collected packets and forwards them to the central control server over a wired or wireless connection.
Hotspots include wireless routers, wireless APs and the like. Clients include mobile terminals, PCs with a wireless network card, notebook computers and the like.
As shown in FIG. 3, the central control server comprises:
a receiving unit, for receiving data traffic from the hardware sensors;
a parsing unit, for parsing the required feature information from the data traffic;
a matching detection unit, for matching the feature information against a feature library;
a black-and-white-list generation unit, for further checking the connection state of the hotspots and clients belonging to the enterprise and generating a blacklist and a whitelist;
and a sending unit, for sending the blacklist and whitelist to the management terminal.
Specifically, the feature information that the parsing unit parses from the data traffic includes:
the hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address, client MAC address and the like; it may further include the time at which a client connected, the IP address assigned to the client, the association relationship between AP and client, and so on.
The matching detection unit matching the feature information against a feature library comprises:
tallying the SSIDs of the wireless hotspots and the client MAC addresses seen in the wireless packets, and sorting hotspots and clients into those that belong to the enterprise and those that do not.
The black-and-white-list generation unit further checking the connection state of the hotspots and clients belonging to the enterprise and generating the blacklist and whitelist comprises:
if a hotspot belonging to the enterprise is connected to a client that does not belong to the enterprise, the hotspot is judged abnormal and that client is placed on the blacklist; alternatively the client may be added to the whitelist on confirmation by an administrator or user;
if a client belonging to the enterprise is connected to a hotspot that does not belong to the enterprise, the client is judged abnormal and placed on the blacklist; alternatively the client may be added to the whitelist on confirmation by an administrator or user;
if several wireless hotspots with the same SSID appear among the enterprise's hotspots, and the rate of disconnection frames (deauthentication or disassociation) received by one or more of them exceeds a preset threshold, an anomaly is determined and that hotspot is placed on the blacklist;
if the number of hotspots a client inside the enterprise connects to within a given period exceeds a preset threshold, the client is placed on the blacklist; alternatively the client may be added to the dynamic whitelist on confirmation by an administrator or user. A client that repeatedly connects to more than a predetermined number of hotspots may be a scanner attempting to crack the enterprise's hotspots.
The central control server sends the blacklist to the management terminal for display and raises an alarm to the administrator.
As shown in FIG. 4, the management terminal comprises:
a receiving unit, for receiving the blacklist and whitelist sent by the central control server;
a display and alarm unit, for displaying the received blacklist and whitelist and raising an alarm to the administrator;
a black-and-white-list management unit, for moving blacklisted hotspots/clients to the whitelist on the user's confirmation;
and a blocking and isolation unit, for blocking and isolating the hotspots and terminals on the blacklist on the administrator's instruction or according to the configured automatic blocking policy.
The management terminal is a mobile terminal, PC, notebook computer or the like connected to the central control server. Further, the management terminal may be a Web management platform running on a mobile terminal, PC, notebook computer or the like connected to the central control server.
In one embodiment, the blocking and isolation unit blocks and isolates the hotspots and terminals on the blacklist by means of a mechanism of the radio link layer or of an upper-layer protocol.
When an object to be blocked appears, the blocking and isolation unit promptly starts a blocking action targeted at that object.
The advantage is that precise blocking is achieved in a more intelligent manner and at lower cost (less transmission time and lower transmit power).
The blocking and isolation unit lets chosen wireless devices in its operating area keep working while other wireless devices are blocked.
Because it works on a principle different from that of a jammer, the unit can suppress a wireless device's transmissions with much lower transmit power and still achieve the same effect as a jammer. For example, to block the wireless devices in a given area, it needs half or less of a jammer's transmit power, and in some cases only a tenth of it. Because the blocked device's own transmissions are suppressed, the signal field strength across the working area does not rise noticeably; the total field strength may even be lower than when the wireless devices are operating at full load.
Common blocking techniques in wireless networks currently include: deauthentication flooding, disassociation flooding, authentication flooding, association flooding, premature EAP flooding, EAPOL-Start flooding, EAPOL-Logoff flooding, CTS flooding, NAV attacks, FakeAP, AirJack, FataJack and the like. For example:
in authentication/deauthentication blocking, the blocking and isolation unit disrupts the control exchange between the wireless terminal and the AP by sending targeted authentication, association, deauthentication and disassociation frames, so that the terminal can never complete association, which achieves the blocking.
In AirJack blocking, the blocking and isolation unit interferes with the AP's timeslot allocation so that certain terminals never obtain a usable slot to communicate with the AP and are thereby blocked; the terminal appears to be associated with the AP but cannot communicate.
With the wireless network security detection method and system of this embodiment, the collected wireless packets are inspected so that malicious hotspots and clients in the wireless network can be detected, blocked and isolated. This improves the security of the wireless network; the system is compatible with the various wireless network environments found in enterprises, leaves the enterprise's existing wireless network structure untouched, can be deployed seamlessly, and can be managed intelligently and conveniently.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a wireless network security detection system in accordance with embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
Reference herein to "one embodiment," "an embodiment," or "one or more embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. Moreover, it is noted that instances of the word "in one embodiment" are not necessarily all referring to the same embodiment.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etcetera does not indicate any ordering. These words may be interpreted as names.
Moreover, it should also be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.

Claims (10)

1. A wireless network security detection method, characterized by comprising the following steps: a hardware sensor deployed inside an enterprise continuously captures all data traffic in the current wireless environment and transmits the data traffic to a central control server in real time;
the central control server parses the required feature information from the data traffic;
the central control server performs matching detection on the feature information against a feature library;
the central control server further checks the connection condition of the hotspots and clients belonging to the enterprise to generate a blacklist and a whitelist;
the central control server sends the blacklist to a management terminal for display and sends an alarm prompt to an administrator;
the management terminal blocks and isolates the hotspots and terminals in the blacklist;
the matching detection of the feature information against the feature library by the central control server comprises the following steps: collecting the SSID names of the wireless hotspots and the client MAC addresses in the wireless data packets, and dividing the hotspots and clients into those belonging to the enterprise and those not belonging to the enterprise;
the central control server further checking the connection condition of the hotspots and clients belonging to the enterprise to generate the blacklist and whitelist comprises the following steps: if a hotspot inside the enterprise is connected with a client not belonging to the enterprise, judging that the hotspot inside the enterprise is abnormal and placing the client in the blacklist; if a client inside the enterprise is connected with a hotspot not belonging to the enterprise, judging that the client inside the enterprise is abnormal and placing the client in the blacklist.
2. The wireless network security detection method of claim 1, wherein the hardware sensor comprises a wireless network card, and collects the wireless data packets received or transmitted by the hotspots and clients in the wireless network in real time or at regular intervals.
3. The wireless network security detection method of claim 1, wherein the feature information comprises: hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address and client MAC address.
4. The wireless network security detection method of claim 1, wherein the central control server further checking the connection condition of the hotspots and clients belonging to the enterprise to generate the blacklist and whitelist comprises:
if a plurality of wireless hotspots with the same SSID name appear among the hotspots inside the enterprise, and the frequency at which one or more of the plurality of wireless hotspots receives disconnection packets exceeds a preset threshold value, determining that an abnormality has occurred and placing that hotspot in the blacklist;
if the number of hotspots connected by a client inside the enterprise within a certain time period exceeds a preset threshold value, placing the client in the blacklist.
5. The wireless network security detection method of claim 1, wherein the management terminal blocking and isolating the hotspots and terminals in the blacklist comprises:
the management terminal blocks and isolates the hotspots and terminals in the blacklist according to the instructions of the administrator;
or, the hotspots/clients in the blacklist are added to the whitelist upon confirmation by the user;
or, provided that an automatic blocking policy has been set, the hotspots and terminals in the blacklist are automatically blocked and isolated.
6. A wireless network security detection system, characterized by comprising a hardware sensor, a central control server and a management terminal, wherein
the hardware sensor is deployed inside an enterprise, continuously captures all data traffic in the current wireless environment, and transmits the data traffic to the central control server in real time;
the central control server parses the required feature information from the data traffic; performs matching detection on the feature information against a feature library; further checks the connection condition of the hotspots and clients belonging to the enterprise to generate a blacklist and a whitelist; and sends the blacklist to the management terminal for display and sends an alarm prompt to an administrator;
the management terminal blocks and isolates the hotspots and terminals in the blacklist;
the central control server collects the SSID names of the wireless hotspots and the client MAC addresses in the wireless data packets, and divides the hotspots and clients into those belonging to the enterprise and those not belonging to the enterprise;
the central control server checks that, if a hotspot inside the enterprise is connected with a client not belonging to the enterprise, the hotspot inside the enterprise is judged to be abnormal and the client is placed in the blacklist; and if a client inside the enterprise is connected with a hotspot not belonging to the enterprise, the client inside the enterprise is judged to be abnormal and the client is placed in the blacklist.
7. The wireless network security detection system of claim 6, wherein the hardware sensor comprises a wireless network card for collecting, in real time or at regular intervals, the wireless data packets received or transmitted by the hotspots or clients in the wireless network.
8. The wireless network security detection system of claim 6, wherein the feature information comprises: hotspot SSID, hotspot encryption mode, hotspot channel, hotspot MAC address and client MAC address.
9. The wireless network security detection system of claim 6, wherein the central control server further checking the connection condition of the hotspots and clients belonging to the enterprise to generate the blacklist and whitelist comprises:
if a plurality of wireless hotspots with the same SSID name appear among the hotspots inside the enterprise, and the frequency at which one or more of the plurality of wireless hotspots receives disconnection packets exceeds a preset threshold value, determining that an abnormality has occurred and placing that hotspot in the blacklist;
if the number of hotspots connected by a client inside the enterprise within a certain time period exceeds a preset threshold value, placing the client in the blacklist.
10. The wireless network security detection system of claim 6, wherein the management terminal blocking and isolating the hotspots and terminals in the blacklist comprises:
the management terminal blocks and isolates the hotspots and terminals in the blacklist according to the instructions of the administrator;
or, the hotspots/clients in the blacklist are added to the whitelist upon confirmation by the user;
or, provided that an automatic blocking policy has been set, the hotspots and terminals in the blacklist are automatically blocked and isolated.
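The blacklist rules in claims 1 and 4 (and their system counterparts in claims 6 and 9) can be modelled in a few functions. The following is an added example, not code from the patent or its assignee: the feature library, the capture records, the MAC addresses and the thresholds (a 60-second window, 0.2 disconnection packets per second, at most 3 hotspots per client) are all constructed for illustration, and the function names are the example's own. It generalises the claims slightly by running all four rules over one record set and merging the results into the blacklist the central control server would forward to the management terminal.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed feature library (claim 1): SSID names and client MAC addresses
# that belong to the enterprise. Values are made up for the example.
ENTERPRISE_SSIDS = {"corp-wifi"}
ENTERPRISE_CLIENTS = {"aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"}


@dataclass(frozen=True)
class Record:
    """One observation parsed from a captured packet (the claim 3 fields,
    reduced to what the rules below need)."""
    ssid: str
    ap_mac: str
    client_mac: str
    t: float              # capture time in seconds
    deauth: bool = False  # disconnection (deauth/disassoc) packet received by ap_mac


def partition(records):
    """Claim 1: split hotspots and clients into enterprise / non-enterprise by
    looking up SSID names and client MACs in the feature library."""
    aps = {r.ap_mac: r.ssid for r in records}
    clients = {r.client_mac for r in records if not r.deauth}
    ent_aps = {m for m, s in aps.items() if s in ENTERPRISE_SSIDS}
    ent_clients = clients & ENTERPRISE_CLIENTS
    return ent_aps, set(aps) - ent_aps, ent_clients, clients - ent_clients


def connection_rules(records):
    """Claim 1 connection checks. Returns the client MACs to blacklist: a
    non-enterprise client on an enterprise hotspot, or an enterprise client
    on a non-enterprise hotspot."""
    ent_aps, _, ent_clients, _ = partition(records)
    bad = set()
    for r in records:
        if r.deauth:
            continue
        ap_ent, cl_ent = r.ap_mac in ent_aps, r.client_mac in ent_clients
        if ap_ent != cl_ent:  # exactly one side belongs to the enterprise
            bad.add(r.client_mac)
    return bad


def same_ssid_rule(records, window_s, max_rate):
    """Claim 4, hotspot rule: several enterprise hotspots share one SSID and
    one of them receives disconnection packets faster than max_rate
    (packets per second) over the observation window."""
    ssid_aps, deauth_count = defaultdict(set), defaultdict(int)
    for r in records:
        if r.ssid in ENTERPRISE_SSIDS:
            ssid_aps[r.ssid].add(r.ap_mac)
        if r.deauth:
            deauth_count[r.ap_mac] += 1
    bad = set()
    for aps in ssid_aps.values():
        if len(aps) >= 2:
            bad |= {ap for ap in aps if deauth_count[ap] / window_s > max_rate}
    return bad


def hopping_rule(records, window_s, max_aps):
    """Claim 4, client rule: an enterprise client that associates with more
    than max_aps distinct hotspots inside any span of window_s seconds."""
    by_client = defaultdict(list)
    for r in records:
        if not r.deauth and r.client_mac in ENTERPRISE_CLIENTS:
            by_client[r.client_mac].append((r.t, r.ap_mac))
    bad = set()
    for mac, events in by_client.items():
        events.sort()
        for t0, _ in events:
            seen = {ap for t, ap in events if t0 <= t < t0 + window_s}
            if len(seen) > max_aps:
                bad.add(mac)
                break
    return bad


def generate_blacklist(records, window_s=60.0, max_deauth_rate=0.2, max_aps=3):
    """Merge the rules into the blacklist sent to the management terminal
    (claim 1). Threshold values are example choices, not the patent's."""
    return {
        "hotspots": same_ssid_rule(records, window_s, max_deauth_rate),
        "clients": connection_rules(records) | hopping_rule(records, window_s, max_aps),
    }


# Constructed capture: enterprise hotspots ...01 to ...04 all advertise
# "corp-wifi"; hotspot ...02 receives 20 disconnection packets in the
# 60-second window (0.33/s); "free-wifi" is a hotspot outside the enterprise.
SAMPLE = [
    Record("corp-wifi", "aa:bb:cc:00:00:01", "aa:aa:aa:00:00:01", 0.0),  # normal
    Record("corp-wifi", "aa:bb:cc:00:00:01", "dd:dd:dd:00:00:09", 1.0),  # outsider on enterprise AP
    Record("free-wifi", "ff:ff:ff:00:00:01", "aa:aa:aa:00:00:02", 2.0),  # enterprise client on foreign AP
] + [
    Record("corp-wifi", f"aa:bb:cc:00:00:0{n}", "aa:aa:aa:00:00:03", 10.0 + 5 * n)  # hops across 4 APs in 15 s
    for n in (1, 2, 3, 4)
] + [
    Record("corp-wifi", "aa:bb:cc:00:00:02", "aa:aa:aa:00:00:01", float(t), deauth=True)
    for t in range(30, 50)
]

if __name__ == "__main__":
    print(generate_blacklist(SAMPLE))
```

Running the block prints hotspot `aa:bb:cc:00:00:02` and the three clients `dd:dd:dd:00:00:09`, `aa:aa:aa:00:00:02` and `aa:aa:aa:00:00:03` as the blacklist. The whitelist confirmation step of claim 5 is the administrator's decision and sits outside these rules; in practice it would remove an entry from the returned sets before anything is blocked.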
CN201510959329.5A 2015-12-18 2015-12-18 Wireless network security detection method and system Active CN106878992B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510959329.5A CN106878992B (en) 2015-12-18 2015-12-18 Wireless network security detection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510959329.5A CN106878992B (en) 2015-12-18 2015-12-18 Wireless network security detection method and system

Publications (2)

Publication Number Publication Date
CN106878992A CN106878992A (en) 2017-06-20
CN106878992B true CN106878992B (en) 2020-02-18

Family

ID=59238855

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510959329.5A Active CN106878992B (en) 2015-12-18 2015-12-18 Wireless network security detection method and system

Country Status (1)

Country Link
CN (1) CN106878992B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107484173A (en) * 2017-09-30 2017-12-15 北京奇虎科技有限公司 Wireless network intrusion detection method and device
CN109462851A (en) * 2018-12-28 2019-03-12 北京奇安信科技有限公司 Fishing hot spot detecting method, device, electronic equipment and storage medium
CN110087242B (en) * 2019-04-29 2020-08-21 四川英得赛克科技有限公司 Method for rapidly judging legality of wireless access equipment in industrial control environment
CN111479273B (en) * 2020-05-25 2023-04-07 北京字节跳动网络技术有限公司 Method, device, equipment and storage medium for detecting network access security
CN111783099A (en) * 2020-06-18 2020-10-16 杭州海康威视数字技术股份有限公司 Equipment safety analysis method, device and equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104270761A (en) * 2014-09-30 2015-01-07 北京金山安全软件有限公司 pseudo-WIFI (Wireless Fidelity) identification and processing method and device
CN104540134A (en) * 2014-12-03 2015-04-22 北京奇虎科技有限公司 Wireless access node detection method, wireless network detection system and server
CN104852894A (en) * 2014-12-10 2015-08-19 北京奇虎科技有限公司 Wireless message monitor detecting method, system and central control server

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130084442A (en) * 2012-01-17 2013-07-25 삼성전자주식회사 Base station for detecting denial-of-service attack in communication system and method thereof

Also Published As

Publication number Publication date
CN106878992A (en) 2017-06-20

Similar Documents

Publication Publication Date Title
US7216365B2 (en) Automated sniffer apparatus and method for wireless local area network security
US8789191B2 (en) Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
EP2068525B1 (en) Method and system for providing wireless vulnerability management for local area computer networks
US7970894B1 (en) Method and system for monitoring of wireless devices in local area computer networks
US7856656B1 (en) Method and system for detecting masquerading wireless devices in local area computer networks
CN106878992B (en) Wireless network security detection method and system
US20150040194A1 (en) Monitoring of smart mobile devices in the wireless access networks
KR102157661B1 (en) Wireless intrusion prevention system, wireless network system, and operating method for wireless network system
CN104540134B (en) Wireless access node detection method, wireless network detecting system and server
CN104486765A (en) Wireless intrusion detecting system and detecting method
CN104852894A (en) Wireless message monitor detecting method, system and central control server
Boob et al. Wireless intrusion detection system
CN106878241A (en) Malice hot spot detecting method and system
Lovinger et al. Detection of wireless fake access points
KR100874015B1 (en) WLAN intrusion prevention system and method
US9100429B2 (en) Apparatus for analyzing vulnerability of wireless local area network
VanSickle et al. Effectiveness of tools in identifying rogue access points on a wireless network
Timofte Wireless intrusion prevention systems
Davies et al. Improving compliance with bluetooth device detection
Sriharipriya et al. Manipulation and Detection of DOS attacks on IEEE802. 11 Protocol
Li et al. Wireless network security detection system design based on client
Vartak et al. An experimental evaluation of over-the-air (ota) wireless intrusion prevention techniques
Meade Guidelines for the development and evaluation of IEEE 802.11 intrusion detection systems (IDS)
Tao A novel intrusion detection system for detection of MAC address spoofing in wireless networks.
Karanth et al. Monitoring of Wireless Networks for Intrusions and Attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220825

Address after: No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science and Technology Park, High-tech Zone, Binhai New District, Tianjin 300000

Patentee after: 3600 Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.