TWI714386B - Method for detecting hidden network address and management server - Google Patents

Info

Publication number: TWI714386B
Authority: TW (Taiwan)
Prior art keywords: terminal computer, http packet, network, address, private
Application number: TW108144951A
Other languages: Chinese (zh)
Other versions: TW202123650A (en)
Inventors: 華荐治, 蔡雨龍
Original assignee: 中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Priority date: 2019-12-09 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2019-12-09
Publication date: 2020-12-21
Application granted

Abstract

The invention provides a method for detecting a hidden network address and a management server. The method includes: receiving, via a network address translation device, an HTTP packet from a terminal computer; in response to determining that the content of the User-Agent field of the HTTP packet is new, determining that the terminal computer is an unmanaged device and blocking the HTTP packet from being sent to a proxy server; requiring the terminal computer to install a plug-in component; and receiving and recording the private IP address collected by the plug-in component and requesting the proxy server to add the private IP address to a whitelist.

Description

Method for detecting hidden network addresses and management server

The present invention relates to network security technology, and in particular to a method for detecting hidden network addresses and to a management server.

IP scanning within an enterprise network is usually limited by network address translation (NAT) devices, also known as network masquerading or IP masquerading devices. Because a NAT device hands out private IP addresses, a terminal computer can be placed in the closed internal segment behind the NAT device and thereby evade the enterprise IP control system, which directly creates a blind spot for information security risk.

In view of this, the present invention provides a method for detecting hidden network addresses and a management server, which can be used to solve the above technical problem.

The present invention provides a method for detecting hidden network addresses, suitable for a management server. The method includes: receiving, from a network address translation device, a first HTTP packet from a terminal computer, where the terminal computer has been assigned a private IP address by the network address translation device and the first HTTP packet has a first User-Agent field; in response to determining that the content of the first User-Agent field of the first HTTP packet is new, determining that the terminal computer is an unmanaged device and blocking the first HTTP packet from being sent to a proxy server connected to the network address translation device; requiring the terminal computer to install a plug-in component, where the plug-in component collects the private IP address of the terminal computer; and receiving and recording the private IP address collected by the plug-in component and requesting the proxy server to add the private IP address to a whitelist.

The present invention provides a management server that includes a storage circuit and a processor. The storage circuit stores a plurality of modules. The processor is coupled to the storage circuit and accesses the modules to perform the following steps: receiving, from a network address translation device, a first HTTP packet from a terminal computer, where the terminal computer has been assigned a private IP address by the network address translation device and the first HTTP packet has a first User-Agent field; in response to determining that the content of the first User-Agent field of the first HTTP packet is new, determining that the terminal computer is an unmanaged device and blocking the first HTTP packet from being sent to a proxy server connected to the network address translation device; requiring the terminal computer to install a plug-in component, where the plug-in component collects the private IP address of the terminal computer; and receiving and recording the private IP address collected by the plug-in component and requesting the proxy server to add the private IP address to a whitelist.

To make the above features and advantages of the present invention more comprehensible, embodiments are described in detail below together with the accompanying drawings.

Refer to FIG. 1, a schematic diagram of a network system according to an embodiment of the present invention. As shown in FIG. 1, the network system 100 includes a management server 101, a NAT device 102, terminal computers 103 and 104, a proxy server 105 and an external network 106.

The management server 101 is, for example, a dedicated server for managing an enterprise network and may include a storage circuit 1011 and a processor 1012. The storage circuit 1011 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk or similar device, or a combination of these, and can be used to record a plurality of program codes or modules.

The processor 1012 is coupled to the storage circuit 1011 and may be a general-purpose processor, a special-purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, one or more microprocessors combined with a digital signal processor core, a controller, a microcontroller, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), any other kind of integrated circuit, a state machine, a processor based on the Advanced RISC Machine (ARM) architecture, or the like.

In embodiments of the present invention, the management server 101 lets network or IP administrators manage effectively and quickly, see clearly how IP addresses are currently used, and control each IP address and its settings. It is responsible for executing the IP monitoring and identity authentication procedures, for detecting HTTP packets coming from private IP addresses inside the NAT, and for providing the browser plug-in component 106 to unmanaged devices (for example terminal computer 104) for download and installation, so as to obtain the information they return.

The NAT device 102 is, for example, a device in an enterprise network that provides a closed internal network architecture using private IP addresses. Terminal computer 103 is, for example, a terminal device in the enterprise network that is already managed by the management server 101, while terminal computer 104 is, for example, a terminal device in the enterprise network that is not yet managed by the management server 101. In embodiments of the present invention, the private IP address of terminal computer 104 is the main object that the method of the present invention seeks to detect and expose.

The proxy server 105 is, for example, a server in the enterprise network that provides proxy access from the intranet to the external network (Internet). The proxy server 105 can also isolate the external network from the terminals of the enterprise network, thereby protecting the privacy and security of the enterprise network and preventing attacks. In embodiments of the present invention, the architecture in which the proxy server 105 interfaces with the management server 101 achieves control over Internet access and forces unmanaged devices (for example terminal computer 104) to go through the procedure for being brought under management.

The plug-in component 106 is, for example, a browser plug-in (which may be implemented as a Java applet). In embodiments of the present invention, when the browser of an unmanaged device (for example terminal computer 104) wants to connect to the external network (Internet), the management server 101 sends the plug-in component 106 over the network to the browser of terminal computer 104 and requires its installation. After terminal computer 104 has installed the plug-in component 106, the plug-in component 106 sends information such as the IP address, network card MAC address and host name of terminal computer 104 to the management server 101, but it is not limited to this.

Refer to FIG. 2, a flowchart of a method for detecting hidden network addresses according to an embodiment of the present invention. The method of this embodiment can be executed by the network system 100 of FIG. 1; the details of each step of FIG. 2 are described below with reference to the components shown in FIG. 1.

First, when terminal computer 104 (that is, the unmanaged device) connects to the network through the NAT device 102, the NAT device 102 assigns a private IP address (for example 192.168.1.2) to terminal computer 104 in step 201. Once it has obtained the private IP address, terminal computer 104 can begin sending network packets (for example the first HTTP packet shown in FIG. 2), but at this stage the enterprise administrator has no information about terminal computer 104.

After the NAT device 102 receives the first HTTP packet from terminal computer 104, it can forward the first HTTP packet to the management server 101 for further inspection.

In this embodiment, the first HTTP packet can include a first User-Agent field whose content records a first operating system string corresponding to the operating system of terminal computer 104 and a first browser name and version string corresponding to the browser of terminal computer 104. In different embodiments, the first operating system string can take a form such as "Windows NT 10.0" or "Win64; x64", and the first browser name and version string can take a form such as "Chrome/77.0.3865.90" or "Safari/537.36", but the present invention is not limited to these.

After the management server 101 obtains the first HTTP packet, it can determine whether the content of the first User-Agent field of the first HTTP packet is new. In one embodiment, the management server 101 can determine whether at least one of the first operating system string and the first browser name and version string is new. If so, the management server 101 can determine that terminal computer 104 is an unmanaged device and, in step 202, determine that the content of the first User-Agent field of the first HTTP packet is new, but the present invention is not limited to this.

After determining that the content of the first User-Agent field of the first HTTP packet is new, the management server 101 can block the first HTTP packet from being sent to the proxy server 105 and further require terminal computer 104 to install the plug-in component 106 mentioned earlier. Accordingly, terminal computer 104 can install the plug-in component 106 in step 203.

In embodiments of the present invention, the plug-in component 106 can collect the private IP address of terminal computer 104 (that is, 192.168.1.2), its network card MAC address and its host name, and provide the collected information to the management server 101, but it is not limited to this.
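The collection step above, as an added Python example that is not part of the patent or of Chunghwa Telecom's implementation. The patent's plug-in component is a browser plug-in (for example a Java applet); this is a stand-alone host agent that gathers the same three items (private IP address, network card MAC address, host name). The gateway address 192.168.1.1 used to select the outbound interface, and the loopback fallback when the host has no route, are assumptions.

```python
import ipaddress
import re
import socket
import uuid

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def private_ip(gateway: str = "192.168.1.1") -> str:
    """Return the IPv4 address of the interface that routes towards the NAT gateway.

    A UDP socket is 'connected' to the assumed gateway address; nothing is sent, but
    the kernel chooses the source address, which is this host's own private IP.
    Falls back to loopback when the host has no route at all (e.g. an offline machine).
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:
        return "127.0.0.1"
    try:
        sock.connect((gateway, 9))
        return sock.getsockname()[0]
    except OSError:
        return "127.0.0.1"
    finally:
        sock.close()


def mac_address() -> str:
    """Primary NIC MAC as aa:bb:cc:dd:ee:ff; uuid.getnode() reads it from the OS."""
    node = uuid.getnode()
    return ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def looks_like_mac(mac: str) -> bool:
    """Format check the management server can apply to a received report."""
    return MAC_RE.match(mac) is not None


def is_nat_assignable(ip: str) -> bool:
    """True for addresses a NAT device could hand out (RFC 1918 ranges or loopback)."""
    return ipaddress.ip_address(ip).is_private


def collect_report() -> dict:
    """The record the plug-in component returns to the management server."""
    return {"private_ip": private_ip(), "mac": mac_address(), "hostname": socket.gethostname()}


if __name__ == "__main__":
    print(collect_report())
```

The report is only as trustworthy as the host producing it, so the receiving side should at least confirm the MAC is well formed and the reported address lies in a range the NAT device could actually have assigned before recording it.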

After the management server 101 receives the private IP address of terminal computer 104 provided by the plug-in component 106, the management server 101 can record this private IP address in its database in step 204. In one embodiment, the management server 101 can compare it against the active IP list in the existing database (whose fields can include IP information, network card MAC information, host name information and management status) and output a list of the devices whose management status is unmanaged. The management server 101 can then apply management settings to the list of unmanaged devices, but the present invention is not limited to this.

In addition, the management server 101 can notify the proxy server 105 to record the private IP address of terminal computer 104 in a whitelist. Accordingly, the proxy server 105 can execute step 205 in response to the notification from the management server 101, recording the private IP address of terminal computer 104 in the whitelist and returning a confirmation message to inform the management server 101. At this point, terminal computer 104 can be regarded as having changed from an unmanaged device to a managed device.

In FIG. 2, suppose terminal computer 104 (now a managed device) wants to send a second HTTP packet (which includes a second User-Agent field) to the external network 106. After determining that the content of the second User-Agent field of the second HTTP packet is not new (because it is identical to the content of the first User-Agent field of the first HTTP packet), the management server 101 can allow (that is, not block) the proxy server 105 to forward the second HTTP packet to the external network 106.

After the proxy server 105 receives the second HTTP packet and confirms in step 206 that it belongs to the whitelist, it can accordingly release the second HTTP packet to the external network 106.
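The flow of steps 201 to 206, including the User-Agent novelty check of step 202 (operating system string and browser name/version string compared against what has already been recorded) and the proxy's whitelist check of step 206, as an added Python example that is not part of the patent or its implementation. The sample HTTP request, the plug-in report, the rule that a Chromium-based User-Agent is attributed to its more specific product token rather than the trailing "Safari/537.36", and the check that a reported address is actually private before it is whitelisted are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample HTTP requests (not from the patent); only the User-Agent
# header matters to the management server's novelty check.
FIRST_HTTP_PACKET = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36\r\n\r\n"
)
SECOND_HTTP_PACKET = FIRST_HTTP_PACKET.replace("GET http://example.com/", "GET http://example.com/page2")
# Constructed plug-in report: the private IP, MAC and host name the component collects.
PLUGIN_REPORT = {"private_ip": "192.168.1.2", "mac": "00:11:22:33:44:55", "hostname": "pc-104"}

OS_RE = re.compile(r"\(([^)]*)\)")  # the first parenthesised group carries the OS tokens
BROWSER_RE = re.compile(r"\b(Edg|OPR|Chrome|Firefox|Safari)/([\w.]+)")


def user_agent(packet: str) -> str:
    """Return the User-Agent header value of a raw HTTP request ('' if absent)."""
    for line in packet.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return ""


def split_user_agent(ua: str) -> tuple:
    """Split a UA value into (operating-system string, browser name/version string)."""
    m = OS_RE.search(ua)
    os_str = m.group(1) if m else ""
    found = dict(BROWSER_RE.findall(ua))
    # Chromium-based UAs also carry 'Safari/537.36'; prefer the more specific product.
    for name in ("Edg", "OPR", "Chrome", "Firefox", "Safari"):
        if name in found:
            return os_str, f"{name}/{found[name]}"
    return os_str, ""


@dataclass
class ProxyServer:
    """Proxy 105: releases traffic to the external network only for whitelisted private IPs."""
    whitelist: set = field(default_factory=set)

    def add_to_whitelist(self, private_ip: str) -> bool:
        self.whitelist.add(private_ip)
        return True  # the confirmation message returned to the management server (step 205)

    def release(self, private_ip: str) -> bool:
        return private_ip in self.whitelist  # step 206


@dataclass
class ManagementServer:
    """Management server 101: steps S310 to S340."""
    proxy: ProxyServer
    known_os: set = field(default_factory=set)
    known_browsers: set = field(default_factory=set)
    active_ips: dict = field(default_factory=dict)  # private IP -> record

    def inspect(self, packet: str) -> str:
        """S310/S320: 'block' (and demand the plug-in) when the UA content is new, else 'allow'."""
        os_str, browser_str = split_user_agent(user_agent(packet))
        if os_str not in self.known_os or browser_str not in self.known_browsers:
            return "block"
        return "allow"

    def register(self, packet: str, report: dict) -> bool:
        """S330/S340: record what the plug-in collected, then have the proxy whitelist the IP."""
        ip = report["private_ip"]
        # Added sanity check (not in the patent): only an address the NAT device could have
        # assigned is accepted, so a forged report cannot whitelist an arbitrary address.
        try:
            if not ipaddress.ip_address(ip).is_private:
                return False
        except ValueError:
            return False
        os_str, browser_str = split_user_agent(user_agent(packet))
        self.active_ips[ip] = {**report, "os": os_str, "browser": browser_str, "managed": False}
        if self.proxy.add_to_whitelist(ip):
            self.active_ips[ip]["managed"] = True
            self.known_os.add(os_str)
            self.known_browsers.add(browser_str)
        return self.active_ips[ip]["managed"]

    def unmanaged(self) -> list:
        """Step 204: compare the active-IP list against its management status."""
        return [ip for ip, rec in self.active_ips.items() if not rec["managed"]]


def run_flow() -> tuple:
    """Walk FIG. 2 end to end; returns (first decision, second decision, proxy release)."""
    proxy = ProxyServer()
    server = ManagementServer(proxy)
    first = server.inspect(FIRST_HTTP_PACKET)              # 'block': UA content is new (202)
    if first == "block":
        server.register(FIRST_HTTP_PACKET, PLUGIN_REPORT)  # plug-in installed and reported (203-205)
    second = server.inspect(SECOND_HTTP_PACKET)            # identical UA content: 'allow'
    return first, second, proxy.release(PLUGIN_REPORT["private_ip"])


if __name__ == "__main__":
    print(run_flow())
```

Because the User-Agent header is set by the client, the novelty check in inspect() only flags a header whose operating system or browser string has not been recorded before; a device that reuses an already recorded header is not flagged by that check, and it is the proxy's whitelist lookup in step 206 that stops traffic from a private IP that never registered.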

Refer to FIG. 3, a flowchart of a method for detecting hidden network addresses according to an embodiment of the present invention. The method of this embodiment can be executed by the management server 101 of FIG. 1; the steps of FIG. 3 are described below with reference to FIG. 1.

First, in step S310, the processor 1012 can receive the first HTTP packet from terminal computer 104 via the NAT device 102. In step S320, in response to determining that the content of the first User-Agent field of the first HTTP packet is new, the processor 1012 can determine that terminal computer 104 is an unmanaged device and block the first HTTP packet from being sent to the proxy server 105. In step S330, the processor 1012 can require terminal computer 104 to install the plug-in component 106. In step S340, the processor 1012 can receive and record the private IP address collected by the plug-in component 106 and request the proxy server 105 to add the private IP address to the whitelist. For details of the steps of FIG. 3, refer to the description of the previous embodiments, which is not repeated here.

In summary, after obtaining an HTTP packet sent by an (unmanaged) terminal computer, the present invention can analyze it and record the packet content, and, together with browser plug-in technology, obtain characteristic information about the terminal computer (for example its operating system version and the version of the web browser it uses), in order to expose computers hidden in the network. In this way, the present invention can detect the existence of computers that hide their real IP addresses and thereby reduce the information security risk that unmanaged computers may cause.

From the above, the present invention has at least the following features: (1) it can quickly and accurately expose active private-IP terminal computers that use a NAT network architecture; because it is built on standard Ethernet network protocols and packet capture, it can be implemented purely in software without special hardware requirements or restrictions on the network environment, and without the high cost of deploying hardware; (2) the local operating system and browser configuration information extracted by automatic identification of the unmanaged device's HTTP packets, combined with browser plug-in technology to obtain the device's characteristic information, makes it possible to determine whether an active device is on the general network or hidden in a NAT network environment, achieving comprehensive, anti-concealment detection; (3) a comprehensive integrated IP management mechanism can be established within the enterprise, substantially improving network quality and performance. Through the management server, network or IP administrators can manage effectively and quickly and see clearly how IP addresses are currently used.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the present invention. Anyone with ordinary skill in the art may make some changes and modifications without departing from the spirit and scope of the present invention; the scope of protection of the present invention is therefore defined by the appended claims.

100: network system; 101: management server; 1011: storage circuit; 1012: processor; 102: NAT device; 103, 104: terminal computers; 105: proxy server; 106: external network; 201~206, S310~S340: steps

FIG. 1 is a schematic diagram of a network system according to an embodiment of the present invention. FIG. 2 is a flowchart of a method for detecting hidden network addresses according to an embodiment of the present invention. FIG. 3 is a flowchart of a method for detecting hidden network addresses according to an embodiment of the present invention.

Claims (10)

1. A method for detecting hidden network addresses, suitable for a management server, the method including: receiving, from a network address translation device, a first HTTP packet from a terminal computer, wherein the terminal computer has been assigned a private IP address by the network address translation device and the first HTTP packet has a first User-Agent field; in response to determining that the content of the first User-Agent field of the first HTTP packet is new, determining that the terminal computer is an unmanaged device and blocking the first HTTP packet from being sent to a proxy server connected to the network address translation device; requiring the terminal computer to install a plug-in component, wherein the plug-in component collects the private IP address of the terminal computer; and receiving and recording the private IP address collected by the plug-in component and requesting the proxy server to add the private IP address to a whitelist.

2. The method of claim 1, further including: receiving, from the network address translation device, a second HTTP packet from the terminal computer, wherein the second HTTP packet has a second User-Agent field; and in response to determining that the content of the second User-Agent field of the second HTTP packet is not new, allowing the proxy server to release the second HTTP packet to an external network, wherein the proxy server releases the second HTTP packet to the external network after determining that the private IP address of the terminal computer has been recorded in the whitelist.

3. The method of claim 1, wherein the content of the first User-Agent field includes a first operating system string and a first browser name and version string, and the content of the first User-Agent field of the first HTTP packet is determined to be new in response to at least one of the first operating system string and the first browser name and version string being new.

4. The method of claim 1, wherein the plug-in component further collects the network card MAC address and the host name of the terminal computer.

5. The method of claim 1, further including, after determining that the terminal computer is the unmanaged device, sending the plug-in component to the terminal computer.

6. A management server, including: a storage circuit storing a plurality of modules; and a processor coupled to the storage circuit, which accesses the modules to perform the following steps: receiving, from a network address translation device, a first HTTP packet from a terminal computer, wherein the terminal computer has been assigned a private IP address by the network address translation device and the first HTTP packet has a first User-Agent field; in response to determining that the content of the first User-Agent field of the first HTTP packet is new, determining that the terminal computer is an unmanaged device and blocking the first HTTP packet from being sent to a proxy server connected to the network address translation device; requiring the terminal computer to install a plug-in component, wherein the plug-in component collects the private IP address of the terminal computer; and receiving and recording the private IP address collected by the plug-in component and requesting the proxy server to add the private IP address to a whitelist.

7. The management server of claim 6, wherein the processor is further configured to: receive, from the network address translation device, a second HTTP packet from the terminal computer, wherein the second HTTP packet has a second User-Agent field; and in response to determining that the content of the second User-Agent field of the second HTTP packet is not new, allow the proxy server to release the second HTTP packet to an external network, wherein the proxy server releases the second HTTP packet to the external network after determining that the private IP address of the terminal computer has been recorded in the whitelist.

8. The management server of claim 6, wherein the content of the first User-Agent field includes a first operating system string and a first browser name and version string, and the processor determines that the content of the first User-Agent field of the first HTTP packet is new in response to at least one of the first operating system string and the first browser name and version string being new.

9. The management server of claim 6, wherein the plug-in component further collects the network card MAC address and the host name of the terminal computer.

10. The management server of claim 6, wherein, after determining that the terminal computer is the unmanaged device, the processor is further configured to send the plug-in component to the terminal computer.
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108144951A 2019-12-09 2019-12-09 Method for detecting hidden network address and management server

Publications (2)

Publication Number Publication Date
TWI714386B 2020-12-21
TW202123650A 2021-06-16

Family ID: 74669709 (one family application, TW108144951A; country status: TW, TWI714386B)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI440334B (en) * 2009-04-02 2014-06-01 Chunghwa Telecom Co Ltd Monitoring computer devices and intercepting DNS packets based on Internet control methods and systems
CN106302237A (en) * 2016-08-30 2017-01-04 成都科来软件有限公司 A kind of method utilizing packet content identification mobile terminal
TWI628936B (en) * 2017-04-25 2018-07-01 中華電信股份有限公司 Automatic control system for controlling the existence of internet protocol address device and control method thereof
US20190089736A1 (en) * 2015-03-18 2019-03-21 Cequence Security, Inc. Passive detection of forged web browsers

