CN114338075B - Attack object defense method based on extensive sniffing - Google Patents


Info

Publication number
CN114338075B
Authority
CN
China
Prior art keywords
nodes
attack
node
sniffing
extensive
Prior art date
Legal status
Active
Application number
CN202111322138.XA
Other languages
Chinese (zh)
Other versions
CN114338075A (en)
Inventor
金旭
倪旭明
郭瑜
吴哲翔
厉立锋
瞿迪庆
邵航军
陈成钢
张文杰
潘伟东
李凌
吕齐
Current Assignee
Jinhua Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
Jinhua Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by Jinhua Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority to CN202111322138.XA
Publication of CN114338075A
Application granted
Publication of CN114338075B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

To overcome the problems in the prior art, the invention actively observes sniffing actions, finds the actual attack target as the attacker's activity converges on it, and defends that target before the attack is actually launched, thereby resisting the attack. To this end, the present invention is a method for defending an attack object based on extensive sniffing, comprising: arranging an observation point; analyzing the abnormal signal to find wide sniffing behavior in it; constructing a penetration association relation tree from the association relations between attacks, marking in it the nodes corresponding to the penetration operations carried out while the attacker sniffs widely, and calculating from those nodes, with a shortest path algorithm, the end point reached by the shortest distance in the association relation graph, namely the presumed final attack target. The invention has the beneficial effect of turning passive attack defense into an active observation and exploration process: sniffing is monitored in order to predict the targets that may be attacked.

Description

Attack object defense method based on extensive sniffing
Technical Field
The invention belongs to the field of network information security, and particularly relates to an attack object defense method and device based on extensive sniffing.
Background
Information security is tied to the safety of power production. In modern society, the consequences of a power network being destroyed are unimaginable. However, with the rapid development of the mobile internet era and the wide application of 5G communication, the newly added information application systems bring great hidden risks to the related information security, and the network security protection of the power system faces ever more serious challenges.
Thanks to the continuous day-to-day efforts of the power system, outstanding results have been achieved in information security control, and various attacks have been resisted. However, as attack and defense continue to escalate, existing attacks are no longer carried out directly; instead, the attacker probes by wide sniffing and launches the destructive attack at the right moment. This attack mode is difficult to prevent with the prior art: normal sniffing is permitted within a range of rules, and the sniffing range is very wide, covering almost the whole network, so even when the sniffing is detected, the prior art finds it difficult to judge the final attack target.
Disclosure of Invention
To overcome the problems in the prior art, the invention provides an attack object defense method based on extensive sniffing, which actively observes the extensive sniffing actions, finds the actual attack object as the attacker's activity converges on it, and defends that attack object before the attack is actually initiated, thereby defending against the attack.
To achieve this object, the present invention is a method for defending an attack object based on extensive sniffing, comprising:
arranging an observation point, and acquiring an abnormal signal from the observation point;
analyzing the abnormal signal to find wide sniffing behavior in it;
constructing a penetration association relation tree from the association relations between attacks, marking in it the nodes corresponding to the penetration operations carried out on the way while the attacker sniffs widely, and calculating from those nodes, with a shortest path algorithm, the end point reached by the shortest distance in the association relation graph, namely the presumed final attack target;
and pre-judging the attack level, and protecting the presumed attack target according to the attack level.
Preferably, the penetration association relation tree includes the network elements of ports, services, components, middleware, applications, systems and vulnerabilities, expressed in the form of nodes.
Preferably, all network elements that have relations in the association relation tree represent those relations as connections, and the weight of each line is the sum of the weights of the two nodes it connects. The weight may be regarded as the distance between the actual nodes.
Preferably, the weight of each node is set according to the commonness, importance and harmfulness of the corresponding network element, and the nodes corresponding to the ports, services, components, middleware, applications, systems and vulnerabilities involved in the penetration operation are marked in the penetration association relation tree according to the node weights.
Preferably, nodes whose weight is below the threshold are not marked. The whole association relation tree is thereby simplified, which facilitates fast subsequent processing.
Preferably, two nodes are merged when there is a unidirectional communication relation between them. This also reduces the number of nodes and speeds up processing.
Preferably, the shortest path algorithm used here is Dijkstra's algorithm:
initially, the node where the observation point of the first observed abnormal signal is located is taken as the starting node A and pushed into a priority queue; A's position is marked in an array; the nodes connected around A are pushed into the priority queue and the distances to them are recorded in the corresponding array; if a newly computed distance to a node is smaller than the distance held in the array, the array is updated, otherwise the array is left unchanged (initially every entry is positive infinity, so the first pass always updates); when the first pass ends,
the node B closest to A is popped from the queue and marked as determined (true), the nodes adjacent to B are added to the queue, the next determined node is chosen from among the nodes not yet determined and the nodes adjacent to B, and when lengths are updated the length of each position is recomputed by way of B and replaced if the new length is smaller;
these steps are repeated until all nodes have been traversed and the shortest distances are found.
Preferably, the work of protecting the presumed attack target includes, according to the attack level, closing ports, modifying IP addresses, disabling part of the functions, shutting down the whole device and enabling the backup device.
The invention has the beneficial effect of turning passive attack defense into an active observation and exploration process. Sniffing is monitored so that the targets that may be attacked are predicted; defenses are then positioned accordingly and key precautions are taken for those targets, so that the defense work is completed at a lower cost.
Drawings
Fig. 1 is a schematic diagram of an association tree according to an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the drawings and examples.
An attack object defense method based on extensive sniffing comprises the following steps: arranging an observation point, and acquiring an abnormal signal from the observation point; analyzing the abnormal signal to find wide sniffing behavior in it; constructing a penetration association relation tree from the association relations between attacks, where the penetration association relation tree comprises the network elements of ports, services, components, middleware, applications, systems and vulnerabilities, expressed in the form of nodes; marking the nodes corresponding to the penetration operations carried out during the attacker's extensive sniffing, and calculating from those nodes, with a shortest path algorithm, the end point reached by the shortest distance in the association relation graph, namely the presumed final attack target;
and pre-judging the attack level, and protecting the presumed attack target according to the attack level.
The network elements that have relations in the association relation tree represent those relations as connections, and the weight of each line is the sum of the weights of the two nodes it connects.
The weight of each node is set according to the commonness, importance and harmfulness of the corresponding network element, and the nodes corresponding to the ports, services, components, middleware, applications, systems and vulnerabilities involved in the penetration operation are marked in the penetration association relation tree according to the node weights.
A typical sniffing action is as follows. Host A wants to send a message to host B; it looks up its local ARP cache table and, if it finds the MAC address corresponding to host B's IP address, transmits the data. If it does not find one, A broadcasts an ARP request (carrying host A's IP address and physical address), asking the host whose IP address is that of host B to send its MAC address to host A. All hosts on the network, including host B, receive the ARP request, but only host B matches the IP address, so it sends an ARP reply back to host A. The reply contains B's MAC address, and after receiving it A updates its local ARP cache. The data is then sent using that MAC address. Thus the local ARP cache table is the basis of local network traffic, and it is dynamic. Gateway spoofing on an intranet is the attacker disguising itself as the gateway so that the spoofed hosts send their data to the attacker. During this process the sniffing action does not actively steal the data flowing through; rather, the structure of the network and its contents is inferred from the flow of the data. Because no loss is actually caused during sniffing, even if it is detected it is difficult to judge whether it is required for normal work or is preparation for an attack.
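The observation-point step applied to this scenario, as an added example that is not part of the patent: it scans constructed ARP reply records and emits an abnormal signal whenever a second MAC address begins answering for an IP address that already had a binding, noting when that IP is the gateway. The record format, the analyse_arp function and all addresses are assumptions of the example; as the text says, the signal by itself does not tell whether the sniffing is benign or hostile.

```python
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"  # constructed intranet gateway address
# Constructed ARP records seen at the observation point:
# (time, opcode, sender_ip, sender_mac, target_ip)
ARP_LOG = [
    (1, "reply", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.20"),
    (2, "reply", "10.0.0.20", "aa:aa:aa:aa:aa:20", "10.0.0.1"),
    (3, "request", "10.0.0.30", "aa:aa:aa:aa:aa:30", "10.0.0.40"),
    (4, "reply", "10.0.0.40", "aa:aa:aa:aa:aa:40", "10.0.0.30"),
    # a second MAC starts answering for the gateway IP
    (5, "reply", "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.20"),
    (6, "reply", "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.30"),
    (7, "reply", "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.40"),
]


def analyse_arp(log, gateway_ip):
    """Turn raw ARP replies into abnormal signals: one per IP whose
    IP->MAC binding changed, listing the conflicting MACs and the hosts
    that received the conflicting replies (the hosts being spoofed).
    Only replies matter; requests do not update any ARP cache."""
    first_mac = {}                 # ip -> MAC first seen answering for it
    conflicts = defaultdict(set)   # ip -> {(other_mac, target_ip), ...}
    for _t, opcode, sender_ip, sender_mac, target_ip in log:
        if opcode != "reply":
            continue
        known = first_mac.setdefault(sender_ip, sender_mac)
        if sender_mac != known:
            conflicts[sender_ip].add((sender_mac, target_ip))
    signals = []
    for ip, claims in sorted(conflicts.items()):
        signals.append({
            "ip": ip,
            "known_mac": first_mac[ip],
            "new_macs": sorted({mac for mac, _ in claims}),
            "spoofed_hosts": sorted({tgt for _, tgt in claims}),
            "gateway": ip == gateway_ip,  # gateway spoofing enables sniffing
        })
    return signals
```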
In the technical scheme of the invention, the association relation tree corresponding to the detected penetration information node, port A, is shown in Fig. 1. Nodes whose weights are below the threshold have been deleted from the graph, and pairs of nodes with a unidirectional communication relation have been merged.
The weight of each connection in the graph is calculated from the weights of the nodes it connects. Following Dijkstra's algorithm, the minimum-weight edges service E -> vulnerability C, service C -> vulnerability B, vulnerability A -> penetration endpoint A and service C -> service E, which do not form a cycle, are selected in turn. At this point there is a path port A - service C - service E - vulnerability C - penetration endpoint B from port A to a penetration endpoint, so the penetration endpoint is B, and B is regarded as the penetration endpoint that the penetration information node port A can reach by the shortest penetration path.
After this operation has been performed for all penetration information nodes, the penetration end points corresponding to all of the nodes are obtained. The penetration endpoint that occurs most often is counted, and it is the predicted final attack target. The work of defending the presumed attack target includes, according to the attack level, closing the port, modifying the IP address, disabling part of the functions, shutting down the whole device and starting the backup device.
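A worked implementation of the graph steps above, added here as an example and not taken from the patent or its assignee: it builds the association graph with each edge weighted by the sum of its two node weights, drops nodes below the threshold, runs Dijkstra's algorithm from every observed penetration node, and takes the end point that wins most often as the presumed final attack target. The node names, weights, links and observed nodes are constructed so that, as in the Fig. 1 walkthrough, port A reaches end point B along port A - service C - service E - vulnerability C - end point B; the merging of unidirectionally linked nodes is left out.

```python
import heapq
from collections import Counter, defaultdict

# Node weight = commonness + importance + harm of the network element.
# Weights, topology and observed nodes below are constructed for this
# example; they are not taken from the patent's Fig. 1.
NODE_WEIGHT = {
    "port A": 2, "service C": 3, "service E": 1, "vulnerability C": 4,
    "endpoint B": 5, "vulnerability B": 9, "vulnerability A": 9,
    "endpoint A": 5, "component D": 0,  # below threshold: pruned
}
# Undirected association links between network elements.
LINKS = [
    ("port A", "service C"), ("service C", "service E"),
    ("service E", "vulnerability C"), ("vulnerability C", "endpoint B"),
    ("service C", "vulnerability B"), ("vulnerability B", "endpoint B"),
    ("port A", "vulnerability A"), ("vulnerability A", "endpoint A"),
    ("component D", "endpoint A"),
]
ENDPOINTS = {"endpoint A", "endpoint B"}  # candidate penetration end points
THRESHOLD = 1
# Nodes at which penetration-related sniffing was observed.
OBSERVED = ["port A", "vulnerability A", "service E"]

def build_graph(node_weight, links, threshold):
    """Adjacency map. Edge weight = sum of the two node weights (the
    patent's rule); nodes weighted below the threshold are dropped."""
    kept = {n for n, w in node_weight.items() if w >= threshold}
    graph = defaultdict(dict)
    for a, b in links:
        if a in kept and b in kept:
            graph[a][b] = graph[b][a] = node_weight[a] + node_weight[b]
    return dict(graph)

def dijkstra(graph, start):
    """Shortest distances and predecessors from start (priority queue)."""
    dist, prev, done = {start: 0}, {}, set()
    pq = [(0, start)]
    while pq:
        d, u = heapq.heappop(pq)
        if u in done:  # stale queue entry; u was already settled
            continue
        done.add(u)
        for v, w in graph.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(pq, (d + w, v))
    return dist, prev

def shortest_path(graph, start, goal):
    """(distance, node list) of the shortest path, or (None, []) if unreachable."""
    dist, prev = dijkstra(graph, start)
    if goal not in dist:
        return None, []
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], path[::-1]

def nearest_endpoint(graph, start, endpoints):
    """End point reached by the shortest distance from one observed node."""
    dist, _ = dijkstra(graph, start)
    reachable = [(dist[e], e) for e in endpoints if e in dist]
    return min(reachable)[1] if reachable else None

def predict_target(graph, observed, endpoints):
    """Run the search from every observed node; the end point that wins
    most often is the presumed final attack target."""
    votes = Counter(nearest_endpoint(graph, n, endpoints) for n in observed)
    votes.pop(None, None)
    return votes.most_common(1)[0][0] if votes else None

GRAPH = build_graph(NODE_WEIGHT, LINKS, THRESHOLD)
```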
In this embodiment, after the attack target is found, a series of intranet MAC addresses corresponding to the attack target's IP address are sent to the router; these intranet MAC addresses are virtual and cannot be connected to any device, and they are sent continuously at a certain frequency, so that the real address information cannot be retained in the router because it keeps being overwritten. As a result, all data from the router, including external attack instructions, can only be sent to the wrong MAC address, and no substantial attack can be caused.
During this period, network security personnel need to trace the attacker's information as far as possible and can raise an alarm if necessary. At the same time, the final attack target is physically isolated by disconnecting it from the network, and standby redundant equipment is started so that work continues normally.
It should be noted that the above description of one embodiment, given in connection with specific content, does not limit the practice of the invention. The scope of the invention is defined by the following claims, which are intended to cover all modifications, variations, equivalents and alternatives falling within the spirit and scope of the invention.

Claims (5)

1. An attack object defense method based on extensive sniffing, characterized by comprising the following steps:
arranging an observation point, and acquiring an abnormal signal from the observation point;
analyzing the abnormal signal to find wide sniffing behavior in it;
constructing a penetration association relation tree from the association relations between attacks, marking in it the nodes corresponding to the penetration operations carried out on the way while the attacker sniffs widely, calculating from those nodes, with a shortest path algorithm, the end point reached by the shortest distance in the association relation graph, obtaining the penetration end points corresponding to all of the nodes after this operation has been performed on all penetration information nodes, and counting the penetration end point that occurs most often as the predicted final attack target;
pre-judging the attack level, and protecting the presumed attack target according to the attack level;
the network elements that have relations in the association relation tree represent those relations as connections, and the weight of each line is the sum of the weights of the two nodes it connects;
the weight of each node is set according to the commonness, importance and harmfulness of the corresponding network element, and the nodes corresponding to the ports, services, components, middleware, applications, systems and vulnerabilities involved in the penetration operation are marked in the penetration association relation tree according to the node weights;
the shortest path algorithm is Dijkstra's algorithm:
initially, the node where the observation point of the first observed abnormal signal is located is taken as the starting node A and pushed into a priority queue; A's position is marked in an array; the nodes connected around A are pushed into the priority queue and the distances to them are recorded in the corresponding array; if a newly computed distance to a node is smaller than the distance held in the array, the array is updated, otherwise the array is left unchanged;
the node B closest to A is popped from the queue and marked as determined (true), the nodes adjacent to B are added to the queue, the next determined node is chosen from among the nodes not yet determined and the nodes adjacent to B, and when lengths are updated the length of each position is recomputed by way of B and replaced if the new length is smaller;
these steps are repeated until all nodes have been traversed and the shortest distances are found.
2. The attack object defense method based on extensive sniffing according to claim 1, wherein the penetration association relation tree contains the network elements of ports, services, components, middleware, applications, systems and vulnerabilities, represented in the form of nodes.
3. The attack object defense method based on extensive sniffing according to claim 1, characterized in that nodes whose weight is below a threshold are not marked.
4. The attack object defense method based on extensive sniffing according to claim 1, wherein two nodes are merged when there is a unidirectional communication relation between them.
5. The attack object defense method based on extensive sniffing according to claim 1, wherein the work of protecting the presumed attack object includes, according to the attack level, closing ports, modifying IP addresses, disabling part of the functions, shutting down the entire device and enabling the backup device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111322138.XA CN114338075B (en) 2021-11-10 2021-11-10 Attack object defense method based on extensive sniffing


Publications (2)

Publication Number Publication Date
CN114338075A CN114338075A (en) 2022-04-12
CN114338075B true CN114338075B (en) 2024-03-12

Family

ID=81045304


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant