CN114338075A - Attack object defense method based on extensive sniffing - Google Patents


Info

Publication number
CN114338075A
Authority
CN
China
Prior art keywords
attack
sniffing
node
nodes
distance
Prior art date
Legal status
Granted
Application number
CN202111322138.XA
Other languages
Chinese (zh)
Other versions
CN114338075B (en
Inventor
金旭
倪旭明
郭瑜
吴哲翔
厉立锋
瞿迪庆
邵航军
陈成钢
张文杰
潘伟东
李凌
吕齐
Current Assignee
Jinhua Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
Jinhua Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by Jinhua Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority to CN202111322138.XA
Publication of CN114338075A
Application granted
Publication of CN114338075B
Legal status: Active
Anticipated expiration

Abstract

To overcome the problems of the prior art, the invention actively observes wide sniffing activity, identifies the actual attack target while the attacker's probing converges on it, and defends that target before the actual attack is launched, thereby resisting the attack. To this end, the attack object defense method based on wide sniffing comprises the following steps: arranging observation points; analyzing the abnormal signals to identify wide sniffing behavior; constructing a penetration association relation tree from the association relations among attacks, marking the nodes corresponding to the penetration operations performed by the attacker during wide sniffing, and, starting from these nodes, computing by a shortest path algorithm the end point reached by the shortest distance in the association relation graph, which is the presumed final attack target. The beneficial effect of the method is that passive attack defense is turned into an active process of observation and exploration: sniffing is monitored in order to predict the targets likely to be attacked.

Description

Attack object defense method based on extensive sniffing
Technical Field
The invention belongs to the field of network information security and relates in particular to an attack object defense method and device based on extensive sniffing.
Background
Information security bears directly on the safety of power production; in modern society, the consequences of a power network being destroyed are not obvious. Meanwhile, with the rapid development of the mobile internet era and the wide application of 5G communication, the newly added information application systems bring great hidden dangers to the security of the related information, and the network security protection work of the power system faces ever more serious challenges.
Thanks to the sustained day-to-day effort of the power sector, its information security management and control has achieved notable results and has withstood many attacks. However, as attack and defense continue to escalate, attacks are no longer launched directly: the attacker first probes through wide sniffing and launches the destructive attack when the time is right. The prior art has difficulty preventing this attack mode. Since normal sniffing is permitted within a regular range and the sniffing range is very wide, covering almost the entire network, the prior art finds it difficult to determine the final attack target even when the sniffing activity is detected.
Disclosure of Invention
To overcome the problems of the prior art, the invention provides an attack object defense method based on extensive sniffing, which actively observes wide sniffing activity, identifies the actual attack target while the attacker's probing converges on it, and defends that target before the attack is actually launched, thereby resisting the attack.
To this end, the attack object defense method based on wide sniffing comprises the following steps:
arranging observation points and acquiring abnormal signals from them;
analyzing the abnormal signals to identify wide sniffing behavior;
constructing a penetration association relation tree from the association relations among attacks, marking the nodes corresponding to the penetration operations performed by the attacker during wide sniffing, and, starting from these nodes, computing by a shortest path algorithm the end point reached by the shortest distance in the association relation graph, that end point being the presumed final attack target;
and pre-judging the level of the attack, and protecting the presumed attack target according to that level.
Preferably, the penetration association relation tree contains the network elements of ports, services, components, middleware, applications, systems and vulnerabilities, represented as nodes.
Preferably, the existing relations are represented by lines connecting the network elements in the association relation tree, and the weight of each line is the sum of the weights of the two nodes it connects. The line weight can be regarded as the distance between the two nodes.
Preferably, the weight of each node is set according to how common, how important and how hazardous the corresponding network element is, and the nodes corresponding to the ports, services, components, middleware, applications, systems and vulnerabilities involved in the penetration operation are marked in the penetration association tree according to their node weights.
Preferably, nodes whose weight is below a threshold are left unmarked. This simplifies the whole association relation tree and speeds up later processing.
Preferably, when a one-way communication relationship exists between two nodes, the two nodes are merged. This likewise reduces the number of nodes and improves processing efficiency.
Preferably, the shortest path algorithm used here is Dijkstra's algorithm:
initially, the node at which the first observation point observed an abnormal signal is taken as the start node A; A is pushed into a priority queue and its position is marked in a distance array; the nodes connected to A are pushed into the priority queue and their distances to A are recorded in the corresponding array entries, each entry being updated if the newly computed distance is smaller than the stored one and left unchanged otherwise; since every entry starts at positive infinity, the first computed distance always replaces it;
then the node B with the smallest distance is popped from the queue and marked as determined, its adjacent nodes are added to the queue, the next determined shortest node is chosen from among the not-yet-determined nodes and the neighbours of B, and the length to each such node is recomputed via B, the stored length being updated if the new one is smaller;
these steps are repeated until all nodes have been traversed and the shortest distances are found.
Preferably, protecting the presumed attack target comprises, according to the attack level, closing ports, changing the IP address, disabling some functions, shutting down the whole device, or enabling the backup device.
The beneficial effect of the method is that passive attack defense is turned into an active process of observation and exploration. Sniffing is monitored so that the targets likely to be attacked are predicted, and protection is then focused on those targets, so that the defense work is completed at lower cost.
Drawings
Fig. 1 is a schematic diagram of an association tree according to an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the figures and examples.
An attack object defense method based on extensive sniffing comprises the following steps: arranging observation points and acquiring abnormal signals from them; analyzing the abnormal signals to identify the wide sniffing behavior among them; constructing a penetration association relation tree from the association relations among attacks, the tree containing network elements such as ports, services, components, middleware, applications, systems and vulnerabilities represented as nodes; marking the nodes corresponding to the penetration operations performed by the attacker during wide sniffing, and, starting from these nodes, computing by a shortest path algorithm the end point reached by the shortest distance in the association relation graph, that end point being the presumed final attack target;
and pre-judging the level of the attack, and protecting the presumed attack target according to that level.
The existing relations are represented by lines connecting the related network elements in the association relation tree, and the weight of each line is the sum of the weights of the two nodes it connects.
The weight of each node is set according to how common, how important and how hazardous the corresponding network element is, and the nodes corresponding to the ports, services, components, middleware, applications, systems and vulnerabilities involved in the penetration operation are marked in turn in the penetration association relation tree according to their node weights.
A typical sniffing scenario is as follows. When host A wants to send a message to host B, it first looks up its local ARP cache table; if it finds the MAC address corresponding to B's IP address, it transmits the data. If not, A broadcasts an ARP request (carrying A's own IP address and physical address) asking for the MAC address of the host with B's IP address. All hosts on the network, including B, receive the ARP request, but only host B matches the IP, so B sends an ARP reply back to host A containing B's MAC address; A updates its local ARP cache on receiving the reply and then transmits the data using that MAC address. The local ARP cache table is therefore the basis of local network traffic, and it is dynamic. Gateway spoofing on an intranet consists of the attacker masquerading as the gateway so that the spoofed hosts send their data to the attacker. During this process the sniffing action does not actively steal the data flowing through it; instead it explores the structure of the network from the flow of the data. Since virtually no loss is incurred during sniffing, even when it is found it is difficult to decide whether it serves a normal operational need or is preparation for an attack.
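The ARP exchange above is what an observation point actually sees, so the "abnormal signal" of the method's second step can be derived from the ARP replies themselves. The following is an added illustration, not code from the patent: it walks a constructed list of ARP reply records and flags the three symptoms that distinguish gateway spoofing from the normal request/reply cycle described above: a trusted IP (the gateway) answered by an unexpected MAC, one IP claimed by several MACs, and one MAC pushing claims to many hosts. The record layout, the trusted-mapping table and the burst threshold are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as an observation point records it (assumed layout)."""
    ts: float          # capture time in seconds
    sender_ip: str     # IP the reply claims to own
    sender_mac: str    # MAC the reply binds to that IP
    target_ip: str     # host the reply was delivered to


# Known-good bindings maintained by the defender (constructed for this example).
TRUSTED = {"10.0.0.1": "aa:bb:cc:00:00:01"}

# Constructed sample capture: the gateway 10.0.0.1 is first answered by its real
# MAC, then an unknown MAC starts claiming the gateway IP towards several hosts.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:bb:cc:00:00:01", "10.0.0.20"),
    ArpReply(1.0, "10.0.0.20", "aa:bb:cc:00:00:20", "10.0.0.1"),
    ArpReply(2.0, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.20"),
    ArpReply(2.5, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.21"),
    ArpReply(2.6, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.22"),
    ArpReply(2.7, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.23"),
    ArpReply(3.0, "10.0.0.30", "aa:bb:cc:00:00:30", "10.0.0.1"),
]


def analyse_arp(replies, trusted, burst_threshold=3):
    """Return a list of (kind, subject, detail) alerts describing ARP anomalies.

    kind is one of:
      trusted_ip_conflict - a trusted IP was claimed by a MAC other than its known one
      multiple_macs       - the same IP was claimed by more than one MAC in the capture
      claim_burst         - one MAC delivered claims to >= burst_threshold distinct hosts
    """
    ip_to_macs = defaultdict(set)      # IP -> every MAC that claimed it
    hosts_per_mac = defaultdict(set)   # MAC -> hosts it sent claims to
    alerts, seen_conflicts = [], set()

    for r in replies:
        ip_to_macs[r.sender_ip].add(r.sender_mac)
        hosts_per_mac[r.sender_mac].add(r.target_ip)
        expected = trusted.get(r.sender_ip)
        # Report each (ip, rogue mac) pair once, not once per packet.
        if expected and r.sender_mac != expected and (r.sender_ip, r.sender_mac) not in seen_conflicts:
            seen_conflicts.add((r.sender_ip, r.sender_mac))
            alerts.append(("trusted_ip_conflict", r.sender_ip, r.sender_mac))

    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            alerts.append(("multiple_macs", ip, tuple(sorted(macs))))

    for mac, hosts in hosts_per_mac.items():
        if len(hosts) >= burst_threshold:
            alerts.append(("claim_burst", mac, len(hosts)))

    return alerts


if __name__ == "__main__":
    for alert in analyse_arp(SAMPLE_REPLIES, TRUSTED):
        print(alert)
```

The `claim_burst` check is what makes the gateway case visible even without a trusted table: a legitimate host answers only the requests addressed to it, whereas a spoofer has to keep re-asserting the gateway binding towards every victim it wants to sit in front of. In the sample capture the rogue MAC trips all three checks, while the real gateway MAC trips none.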
With the technical scheme of the invention, for the sniffed penetration information port A the corresponding association relation tree is shown in FIG. 1. Nodes whose weight is below the threshold have been deleted from the graph, and two nodes that have a one-way communication relationship have been merged.
The weights of the lines in the graph are computed from the weights of the nodes they connect. Following the Dijkstra algorithm, the minimum-weight edges service E -> vulnerability C, service C -> vulnerability B, vulnerability A -> penetration end point A and service C -> service E, which do not form a cycle, are selected in turn. A path port A - service C - service E - vulnerability C - penetration end point B then exists from port A to a penetration end point, so the penetration end point reachable from penetration information port A by the shortest penetration path is taken to be B.
After this operation has been carried out for every penetration information node, the penetration end points corresponding to all the nodes are obtained. The penetration end point that occurs most often is counted as the predicted final attack target. Protecting the presumed attack target comprises, according to the attack level, closing ports, changing the IP address, disabling some functions, shutting down the whole device, or starting the backup device.
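The following added example, which is not the patent's own code or its FIG. 1, implements the graph construction and search described in the "Preferably" paragraphs of the disclosure and in the worked path above: node weights, line weights as the sum of the two node weights, unmarking of nodes below a threshold, Dijkstra's search from each marked node to the nearest penetration end point, and the majority count over all marked nodes. The node set, the weights, the threshold and the list of marked nodes are constructed for the example; they are chosen so that the shortest path from port A reproduces the route port A - service C - service E - vulnerability C - end point B given in the text. Merging of one-way-communication nodes is not implemented here.

```python
import heapq
from collections import Counter

# Constructed node weights (commonness + importance + hazard, set by hand).
NODE_WEIGHTS = {
    "port A": 1, "service C": 2, "service D": 5, "service E": 1,
    "vulnerability A": 6, "vulnerability B": 4, "vulnerability C": 2,
    "endpoint A": 3, "endpoint B": 1,
    "component X": 0,   # below the threshold: unmarked and dropped before the search
}
# Constructed undirected relations between network elements.
EDGES = [
    ("port A", "service C"), ("port A", "service D"), ("port A", "component X"),
    ("service C", "service E"), ("service C", "vulnerability B"),
    ("service E", "vulnerability C"), ("vulnerability C", "endpoint B"),
    ("vulnerability B", "endpoint A"), ("service D", "vulnerability A"),
    ("vulnerability A", "endpoint A"), ("component X", "endpoint A"),
]
ENDPOINTS = {"endpoint A", "endpoint B"}              # penetration end points
MARKED = ["port A", "service C", "vulnerability B"]   # nodes touched by observed sniffing
THRESHOLD = 1


def build_graph(weights, edges, threshold):
    """Adjacency map {u: {v: line_weight}}. Nodes under the threshold are left
    unmarked (dropped); each line weight is the sum of its two node weights."""
    keep = {n for n, w in weights.items() if w >= threshold}
    adj = {n: {} for n in keep}
    for u, v in edges:
        if u in keep and v in keep:
            w = weights[u] + weights[v]
            adj[u][v] = w
            adj[v][u] = w
    return adj


def dijkstra(adj, start):
    """Single-source shortest distances with a priority queue; returns (dist, prev)."""
    dist = {n: float("inf") for n in adj}
    prev = {}
    dist[start] = 0
    done = set()
    queue = [(0, start)]
    while queue:
        d, u = heapq.heappop(queue)
        if u in done:          # stale queue entry for an already determined node
            continue
        done.add(u)
        for v, w in adj[u].items():
            if d + w < dist[v]:   # relax: keep the smaller distance
                dist[v] = d + w
                prev[v] = u
                heapq.heappush(queue, (dist[v], v))
    return dist, prev


def nearest_endpoint(adj, start, endpoints):
    """End point reached from `start` by the shortest path: (endpoint, distance, path)."""
    dist, prev = dijkstra(adj, start)
    reachable = [e for e in endpoints if dist.get(e, float("inf")) < float("inf")]
    if not reachable:
        return None, float("inf"), []
    end = min(reachable, key=lambda e: (dist[e], e))
    path = [end]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return end, dist[end], path[::-1]


def predict_target(adj, marked, endpoints):
    """Search from every marked node; the end point found most often is the presumed target."""
    votes = Counter()
    for node in marked:
        if node not in adj:      # marked node was pruned by the threshold
            continue
        end, _, _ = nearest_endpoint(adj, node, endpoints)
        if end is not None:
            votes[end] += 1
    if not votes:
        return None, 0
    return votes.most_common(1)[0]


if __name__ == "__main__":
    graph = build_graph(NODE_WEIGHTS, EDGES, THRESHOLD)
    print(nearest_endpoint(graph, "port A", ENDPOINTS))
    print(predict_target(graph, MARKED, ENDPOINTS))
```

Note that `component X` would offer a cheaper route from port A to end point A if it were kept; dropping low-weight nodes before the search, as the disclosure prescribes, therefore changes the result rather than merely speeding it up, which is a property worth checking when the threshold is tuned.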
In this embodiment, after the attack destination has been found, a series of intranet MAC addresses corresponding to the attack destination's IP are sent to the router. These intranet MAC addresses are virtual and cannot be connected to any device, and they are sent continuously at a certain frequency so that the real address information cannot be retained in the router through updates. As a result, all of the router's data, including external attack instructions, can only be sent to the wrong MAC address, and no substantive attack can take place.
During this period the network security personnel should trace the attacker's information as far as possible and raise an alarm when necessary. At the same time, the final attack destination is disconnected from the network and physically isolated, and standby redundant equipment is started so that normal operation continues.
Special note: the foregoing describes one embodiment in conjunction with the detailed description and is not intended to limit the invention to that specific embodiment. Technical ideas and advantages similar to the structures and devices of the invention, or derived from the invention, fall within the protection scope of the invention.

Claims (8)

1. An attack object defense method based on extensive sniffing, characterized by comprising the following steps:
arranging observation points and acquiring abnormal signals from them;
analyzing the abnormal signals to identify wide sniffing behavior;
constructing a penetration association relation tree from the association relations among attacks, marking the nodes corresponding to the penetration operations performed by the attacker during wide sniffing, and, starting from these nodes, computing by a shortest path algorithm the end point reached by the shortest distance in the association relation graph, that end point being the presumed final attack target;
and pre-judging the level of the attack, and protecting the presumed attack target according to that level.
2. The attack object defense method based on extensive sniffing according to claim 1, wherein the penetration association relation tree comprises the network elements of ports, services, components, middleware, applications, systems and vulnerabilities expressed in node form.
3. The attack object defense method based on extensive sniffing according to claim 1 or 2, wherein the existing relations are represented as lines connecting the network elements in the association relation tree, and the weight of each line is obtained by adding the weights of the two nodes it connects.
4. The method according to claim 3, wherein the weight of each node is set according to how common, how important and how hazardous the corresponding network element is, and the nodes corresponding to the ports, services, components, middleware, applications, systems and vulnerabilities involved in the penetration operation are marked in turn in the penetration association tree according to the node weights.
5. The attack object defense method based on extensive sniffing according to claim 4, wherein nodes whose weight is below a threshold are left unmarked.
6. The method according to claim 4, wherein two nodes are merged when a one-way communication relationship exists between them.
7. The method according to claim 1, wherein the shortest path algorithm is Dijkstra's algorithm:
initially, the node at which the first observation point observed an abnormal signal is taken as the start node A; A is pushed into a priority queue and its position is marked in a distance array; the nodes connected to A are pushed into the priority queue and their distances to A are recorded in the corresponding array entries, each entry being updated if the newly computed distance is smaller than the stored one and left unchanged otherwise;
then the node B with the smallest distance is popped from the queue and marked as determined, its adjacent nodes are added to the queue, the next determined shortest node is chosen from among the not-yet-determined nodes and the neighbours of B, and the length to each such node is recomputed via B, the stored length being updated if the new one is smaller;
these steps are repeated until all nodes have been traversed and the shortest distances are found.
8. The method according to claim 1, wherein protecting the presumed attack target comprises, according to the attack level, closing the port, changing the IP address, disabling some functions, shutting down the whole device or activating a backup device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111322138.XA CN114338075B (en) 2021-11-10 2021-11-10 Attack object defense method based on extensive sniffing

Publications (2)

Publication Number Publication Date
CN114338075A true CN114338075A (en) 2022-04-12
CN114338075B CN114338075B (en) 2024-03-12

Family

ID=81045304

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111322138.XA Active CN114338075B (en) 2021-11-10 2021-11-10 Attack object defense method based on extensive sniffing

Country Status (1)

Country Link
CN (1) CN114338075B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050193430A1 (en) * 2002-10-01 2005-09-01 Gideon Cohen System and method for risk detection and analysis in a computer network
US20100212013A1 (en) * 2007-07-20 2010-08-19 Electronics And Telecommunications Research Instit Log-based traceback system and method using centroid decomposition technique
US20100241895A1 (en) * 2009-03-23 2010-09-23 International Business Machines Corporation Method and apparatus for realizing application high availability
CN102447695A (en) * 2011-11-14 2012-05-09 中国科学院软件研究所 Method for identifying key attack path in service system
CN104348652A (en) * 2013-08-06 2015-02-11 南京理工大学常熟研究院有限公司 Method and device for evaluating system security based on correlation analysis
KR101687811B1 (en) * 2015-09-07 2017-02-01 박준영 Design of Agent Type's ARP Spoofing Detection Scheme which uses the ARP probe Packet and Implementation of the Security Solution
CN106850607A (en) * 2017-01-20 2017-06-13 北京理工大学 The quantitative estimation method of the network safety situation based on attack graph
CN109818953A (en) * 2019-01-21 2019-05-28 常州工程职业技术学院 A kind of sensor safe defense technique in mobile Internet of things system
CN110210229A (en) * 2019-04-29 2019-09-06 国网宁夏电力有限公司电力科学研究院 Appraisal procedure, system and the storage medium of the fragility of electric network information physical system
CN112020871A (en) * 2019-03-29 2020-12-01 华为技术有限公司 Method and device for reducing sniffing attack and integrated circuit
CN112313915A (en) * 2018-11-05 2021-02-02 北京大学深圳研究生院 Security modeling quantification method based on GSPN and halter strap theoretical network space mimicry defense
CN113452699A (en) * 2021-06-24 2021-09-28 西安电子科技大学 Springboard attack path analysis method based on configuration file

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
SATHI MUKHERJEE: "Dijkstra‘s algorithm for solving the shortest path problem on networks under intuitionistic fuzzy environment", SPRINGER LINK *
XIAORUILIU: "deep reinforcement learning for Cybersecurity assessment of wind integrated power systems", IEEE ACCESS, no. 9 *
张传浩;谷学汇;孟彩霞;: "基于软件定义网络的反嗅探攻击方法", 计算机应用, no. 11 *
杜兴勇;于远诚;刘浩力;: "ARP协议欺骗攻击及防御方法研究", 通化师范学院学报, no. 10 *
谢冬青;李贵城;: "基于最小化攻击图的自动化渗透测试模型", 广州大学学报(自然科学版), no. 03 *

Also Published As

Publication number Publication date
CN114338075B (en) 2024-03-12


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant