CN103457931B - A network anti-phishing attack methods and active defense - Google Patents

Info

Publication number
CN103457931B
Authority
CN
China
Application number
CN201310355000.9A
Other languages
Chinese (zh)
Other versions
CN103457931A (en)
Inventor
胡汉平
王文龙
熊伟
刘翔
丁才华
王祖喜
Original Assignee
华中科技大学

Abstract

The invention discloses an active defense method based on network deception and counter-attack, comprising the following steps: both communicating parties deploy multiple hosts for sending and receiving data, and an address-and-port hopping server dynamically and randomly selects one host as the communicating host; the sender selects one or more transmission links and sends decoy packets over them to probe the security and channel quality of the links; if a link is secure, the sender constructs and sends real data that carries a counter-attack capability, while continuing to send decoy packets to probe the link; the intermediate nodes detect the security state of the transmission links and report it to the network administrator; the network administrator updates the transmission path according to the security state of the nodes and takes defensive measures. The invention can effectively prevent and detect common security attacks on network communications and can mount a degree of counter-attack against the attacker.

Description

An active defense method based on network deception and counter-attack

Technical field

[0001] The invention relates to the field of communication network security defense, and in particular to an active defense method based on network deception and counter-attack.

Background

[0002] In recent years, with the development of communication network technology, network applications of every kind have emerged, and governments and individuals depend on networks more and more. At the same time, attacks against networks have never stopped. Although a variety of methods and tools have been adopted to strengthen the security of network communications, the number of successful attacks keeps rising. From the early port-scanning and buffer-overflow attacks to today's distributed denial of service (Distributed Denial of Service), network eavesdropping and man-in-the-middle attacks, new attack techniques appear endlessly and change constantly.

[0003] Traditional network security protection systems such as firewalls and intrusion detection systems mainly apply static policies and defend passively against network attacks. Faced with constantly emerging attack methods, passive defenses are increasingly inadequate; at the same time, the growing complexity of network environments makes the administrator's work ever heavier, and a moment's negligence can leave a serious security hole. To address the security problems of traditional protection systems, active defense systems have gradually begun to replace passive ones. They improve network security by making system security more dynamic and management more continuous, running intrusion detection, vulnerability assessment and adaptive adjustment as a cycle.

[0004] Existing active defense methods such as honeypots, honeynets, honeyfarms and conventional moving-target defense mainly defend the security of the host systems within the network and do not consider the security of data in transit. A honeypot sets a trap to attract attackers, makes them waste time on the trap machine, captures their behaviour, and records their attack methods to provide a basis for later defensive strategies. Conventional moving-target defense turns each node of the network into a moving target to resist attack. All of these methods protect host systems from attack, yet data can also be intercepted, tampered with or otherwise attacked while in transit. How to secure data in transit and how to counter attack behaviour are problems that urgently need solving.

Summary of the invention

[0005] To address the shortcomings of the prior art, the object of the invention is to provide an active defense method based on network deception and counter-attack that, on the one hand, lures attackers into attacking fake data, strengthens the security and confidentiality of real data during transmission and lowers the probability that real data is attacked, and on the other hand can mount a corresponding counter-attack against the attack source.

[0006] To solve the above problems, the invention provides an active defense method based on network deception and counter-attack. The network communication system comprises a sender, intermediate nodes, a network administrator and a receiver. The sender and the receiver each consist of multiple hosts in the network, each controlled by its own address-and-port hopping server; each intermediate node consists of an agent and a manager, where the agent process is responsible for forwarding, checking and inspecting data between nodes and the management process maintains and adjusts protocol parameters and raises alarms to the network manager; the network manager monitors the security state of the nodes in the network and dynamically selects a secure transmission path for the two communicating parties.

[0007] The active defense method based on network deception and counter-attack provided by the invention comprises the following steps:

[0008] (1) The sender randomly selects one host as the current communicating host through the address-and-port hopping server, then selects one or more transmission links and sends decoy packets over them to probe the security and channel quality of the links; the probe results include the node security state, link transmission delay and packet loss rate;

[0009] (2) After an intermediate node receives a forwarded datagram, it first performs a node check: it examines the state of the packet to determine whether an attack has occurred and of what type, and raises the corresponding alarm to the network administrator according to the specific attack behaviour;

[0010] (3) The network administrator monitors the security state of the whole network and receives alarms from the nodes on the communication link; if a node is found to be under attack, the administrator marks it as an unsafe node and starts the intrusion detection system on that node, analyses its traffic and network connection services, locates the attack source and mounts a corresponding counter-attack;

[0011] (4) While sending decoy packets, the sender listens for the network administrator's decisions; if it receives a security alarm from the administrator, it selects a new path and continues to send decoy packets to probe the security and channel quality of that link; if the administrator raises no alarm, the sender starts sending real data that carries a counter-attack capability;

[0012] (5) The receiver randomly selects one host as the current communicating host through its address-and-port hopping server; on receiving a datagram it decides by packet type whether to accept or discard it, and dynamically listens for the network administrator's decisions; if the receiver receives an alarm from the administrator, the data received before the alarm may have been compromised, so it discards the data of that period and waits for retransmission; if no alarm has been received by the end of the communication, it stores the data and decrypts it to recover the real, useful data.

[0013] The invention has the following advantages and beneficial effects:

[0014] 1. Based on the security and reliability of the transmission links, the invention dynamically selects secure and stable links, keeps the nodes on the communication link changing, and so gives the attacker no fixed target to attack;

[0015] 2. The invention can mislead attackers into attacking the decoy data transmitted in the network, lowering the probability that real data is attacked, and can detect attacks in real time and take defensive measures;

[0016] 3. The invention can counter-attack the attack source, countering the attacker at the source and blocking the attack.

Brief description of the drawings

[0017] Fig. 1 is a flowchart of a specific embodiment of the active defense method based on network deception and counter-attack provided by the invention.

[0018] Fig. 2 is a flowchart of the node check and attack detection provided by the invention.

[0019] Fig. 3 is a flowchart of the design of the counter-attack data provided by the invention.

Detailed description

[0020] Specific embodiments of the invention are described in further detail below with reference to the drawings. The description of these embodiments is intended to help understand the invention and does not limit it. Moreover, the technical features of the various embodiments described below may be combined with one another as long as they do not conflict.

[0021] The network communication system comprises a sender, intermediate nodes, a network administrator and a receiver. The sender and the receiver each deploy multiple nodes in the network for sending and receiving data, each with its own address-and-port hopping server that dynamically selects the node used for communication; the intermediate nodes check and forward datagrams during the communication; the network administrator monitors the security state of the whole network in real time. As shown in Fig. 1, the active defense method of this embodiment comprises the following steps:

[0022] (1) The sender sends decoy packets to probe the security and channel quality of the transmission links; the data part of a decoy packet has the same statistical properties as real ciphertext. This comprises the following sub-steps:

[0023] (1.1) The key sequence produced by a chaotic stream cipher system is used as the data part of the packet. The key sequence produced by this system is uniformly distributed, has good random statistical properties and low correlation between adjacent keys; the cipher has good confusion and diffusion properties, and its working key space is large enough to resist exhaustive key search;

[0024] (1.2) The chaotic stream cipher system is installed on every node of the network and on both communicating parties, and it generates the chaotic random sequence synchronously. Thus, if a decoy packet is tampered with in transit, the current node can quickly detect it (the data part of the packet no longer equals the random sequence the node itself currently generates), restore the original decoy packet, and continue forwarding it towards the destination to probe link security;

[0025] (1.3) The original IP datagram format is redesigned by adding four fields, IP routing, time-ID, type identifier and digest, which are hidden in the data part of the IP packet. The IP routing field stores the IP addresses of the nodes on the transmission path for one communication session; the time-ID field records the time at which the packet was sent by a node and an identifier that makes the packet unique. Before a packet is sent, all nodes in the network synchronously generate the same random number random1; if the data part of the packet is N bytes long, then r1 = random1 % N denotes the r1-th byte of the data part (if r1 = 0, then r1 = r1 + 1), and the r1-th byte of the data part is used to fill the ID. This embodiment mainly involves two kinds of packet, decoy packets and real packets, which are distinguished by the type identifier; likewise, all nodes in the network generate another common random number random2, r2 = random2 % N denotes the r2-th byte of the data part (if r2 = 0, then r2 = r2 + 1), and the r2-th byte of the data part is used to fill the type identifier field instead of a fixed 0 or 1. The main benefit is that an attacker cannot easily tell valid data from invalid data and attack selectively; moreover, because all nodes in the network can synchronously generate the decoy random numbers, a node can easily identify the packet type.
The digest field is a signature over the four newly added control fields, used to detect whether the control fields were tampered with in transit.

[0026] (1.4) The sender dynamically selects a host through the address-and-port hopping server, determines one or more transmission links, and sends decoy packets over them to probe link security and channel quality.

[0027] (2) After an intermediate node receives a forwarded data packet, it first performs a node check: it examines the state of the packet to determine whether an attack has occurred and raises the corresponding alarm to the administrator according to the specific attack behaviour;

[0028] As shown in Fig. 2, a node processes a received data packet in the following steps:

[0029] (2.1) Check whether the packet's digest is correct. If not, the packet has suffered a tampering attack: mark this node and alarm the network administrator; otherwise go to step (2.2);

[0030] (2.2) Check whether the packet's path is legitimate. If the IP address of a node the packet passed through is not in the IP routing field, the packet has suffered an interception attack: mark this node and alarm the network administrator; otherwise go to step (2.3);

[0031] (2.3) Check whether the packet's time is valid. If the difference between the packet's send time, the local current time and the delay, that is "local current time - send time - delay", is outside the threshold, a replay attack has occurred: mark this node and alarm the network administrator. For example, if the datagram's send time is T0, its arrival time at the node is T1, and the measured average delay of packets from the previous-hop node is t (when the network is relatively secure, each node can obtain its stored value of t by averaging several measured values of T1 - T0; while the network is running, t can be adaptively recomputed and updated at intervals), then, taking a threshold ΔT, if |T1 - T0 - t| > ΔT the packet is considered a replayed, illegitimate packet: discard it and alarm the administrator; otherwise look up whether an entry for this packet's ID exists in the node's cache table; if it does, the packet is a fast replay: discard it and alarm the network administrator; if it does not, store the packet's IP source address, destination address, IP send time and unique ID in the cache table, then go to step (2.4);

[0032] (2.4) Determine the packet type: if it is a real packet, update the packet's send time and forward it to the next node; if it is a decoy packet, compare the dynamic random sequence PS1 generated by this node with the random sequence value PS2 in the packet's data part. If PS1 and PS2 differ, the data has been altered, that is, the packet has suffered a tampering attack: mark this node and alarm the network administrator, fill the data part of the packet with PS1 (replacing PS2), then update the send time and forward to the next node; if PS1 and PS2 are the same, update the send time and forward to the next node;
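The packet fields of step (1.3) and the node check of steps (2.1) to (2.4), as an added Python model that is not part of the patent: a SHA-256 counter-mode sequence stands in for the synchronised chaotic stream cipher, an HMAC over the control fields stands in for the digest signature, and the rule that a packet is a decoy when its type byte equals the node's own sequence byte is an assumption, since the page does not say how the type byte is compared. All keys, seeds, sizes and thresholds are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SHARED_KEY = b"constructed-shared-key"  # constructed: shared by all nodes, keys the control-field digest
SEED = b"constructed-sync-seed"         # constructed: stands in for the synchronised chaotic generator state
N = 32                                  # constructed: length of the packet data part in bytes
DELTA_T = 0.5                           # constructed: the threshold ΔT of step (2.3), in seconds

def sync_sequence(epoch: int, length: int) -> bytes:
    """Assumption: SHA-256 counter mode replaces the chaotic stream cipher of (1.1)/(1.2); all nodes agree."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(SEED + epoch.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def sync_offset(epoch: int, label: bytes) -> int:
    """random1 / random2 of (1.3), identical on every node, reduced to r = random % N (0 becomes 1)."""
    r = int.from_bytes(hashlib.sha256(SEED + label + epoch.to_bytes(4, "big")).digest()[:4], "big") % N
    return 1 if r == 0 else r

@dataclass
class Packet:
    src: str
    dst: str
    route: list        # IP routing field: the nodes on the chosen path
    send_time: float   # time part of the time-ID field, refreshed by each forwarding node
    pkt_id: int        # ID part: the r1-th byte of the data part
    ptype: int         # type field: the r2-th byte of the data part, not a fixed 0 or 1
    data: bytes        # decoy: the synchronised sequence; real packet: ciphertext
    digest: bytes = b""

def control_digest(p: Packet) -> bytes:
    """Digest field over the other three control fields (assumption: HMAC stands in for the 'signature')."""
    msg = ",".join(p.route).encode() + repr(p.send_time).encode() + bytes([p.pkt_id, p.ptype])
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()

def build_packet(src, dst, route, send_time, epoch, data) -> Packet:
    r1, r2 = sync_offset(epoch, b"random1"), sync_offset(epoch, b"random2")
    p = Packet(src, dst, list(route), send_time, data[r1], data[r2], data)
    p.digest = control_digest(p)
    return p

def build_decoy(src, dst, route, send_time, epoch) -> Packet:
    return build_packet(src, dst, route, send_time, epoch, sync_sequence(epoch, N))

@dataclass
class Node:
    avg_delay: float                            # t: average delay measured from the previous hop
    cache: dict = field(default_factory=dict)   # (src, dst, id) -> send time, for fast-replay detection
    alarms: list = field(default_factory=list)  # what this node reported to the administrator

    def check(self, p: Packet, prev_hop: str, now: float, epoch: int):
        """Steps (2.1)-(2.4); returns ('forward', packet) or ('drop', packet)."""
        def drop(reason):
            self.alarms.append(reason)          # mark this node and alarm the administrator
            return "drop", p
        if not hmac.compare_digest(control_digest(p), p.digest):   # (2.1) control fields altered
            return drop("tamper:control-fields")
        if prev_hop not in p.route:                                 # (2.2) hop not on the declared path
            return drop("intercept:off-path-hop")
        if abs(now - p.send_time - self.avg_delay) > DELTA_T:       # (2.3) |T1 - T0 - t| > ΔT
            return drop("replay:stale")
        key = (p.src, p.dst, p.pkt_id)
        if key in self.cache:                                       # (2.3) ID already seen here
            return drop("replay:fast")
        self.cache[key] = p.send_time
        ps1 = sync_sequence(epoch, N)                               # (2.4) this node's own sequence
        is_decoy = p.ptype == ps1[sync_offset(epoch, b"random2")]   # assumption on how the type byte is read
        if is_decoy and p.data != ps1:
            self.alarms.append("tamper:decoy-data")
            p.data = ps1                            # restore the decoy and keep probing the link
        p.send_time = now                           # refresh the send time, then re-sign for the next hop
        p.digest = control_digest(p)
        return "forward", p

def run_scenarios(epoch: int = 7) -> dict:
    """Constructed cases on path A-B-C, each checked by a fresh node B; returns name -> (action, alarms)."""
    route, results = ["A", "B", "C"], {}
    def run(name, pkt, prev_hop="A", now=100.1):
        node = Node(avg_delay=0.1)
        action, _ = node.check(pkt, prev_hop, now, epoch)
        results[name] = (action, node.alarms)
    run("clean_decoy", build_decoy("A", "C", route, 100.0, epoch))
    p = build_decoy("A", "C", route, 100.0, epoch)
    p.data = bytes(b ^ 0xFF for b in p.data)                # data part altered in transit
    run("tampered_decoy", p)
    p = build_decoy("A", "C", route, 100.0, epoch)
    p.route = ["A", "B", "X"]                               # control field altered; digest no longer matches
    run("bad_digest", p)
    run("off_path", build_decoy("A", "C", route, 100.0, epoch), prev_hop="Z")
    run("stale", build_decoy("A", "C", route, 100.0, epoch), now=103.0)
    node = Node(avg_delay=0.1)                              # the same ID arriving twice at one node
    node.check(build_decoy("A", "C", route, 100.0, epoch), "A", 100.1, epoch)
    action, _ = node.check(build_decoy("A", "C", route, 100.0, epoch), "A", 100.15, epoch)
    results["fast_replay"] = (action, node.alarms)
    return results
```

Note that a tampered decoy is repaired and still forwarded, as step (2.4) prescribes, whereas digest, path and timing failures drop the packet; the alarm string is what the node would report to the administrator.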

[0033] (3) The network administrator monitors the security state of the whole network in real time, in the following steps:

[0034] (3.1) On receiving an alarm from a node, mark that node as an unsafe node and start the intrusion detection system on it, analyse the node's abnormal traffic and network connection services, locate the attack source and launch a counter-attack;

[0035] (3.2) Notify the sender to select a new transmission path and retransmit the earlier data, and notify the receiver to delete the data received earlier and wait for retransmission;

[0036] (4) While sending decoy packets, the sender listens for the network administrator's decisions; if it receives a security alarm from the administrator, it selects a new path and continues to send decoy packets to probe that link's security and channel quality; if the administrator raises no alarm, it may start sending real data;

[0037] In this embodiment the real data is processed as follows so that it carries a counter-attack capability; in this way, even if an attacker successfully intercepts the real data, the attacker can be effectively countered. The specific steps are shown in Fig. 3:

[0038] (4.1) Encrypt the plaintext data Plaintext with key K1 to obtain the ciphertext data Ciphertext; likewise encrypt the password Password with K1 to obtain the ciphertext password CipherPd, and hide the ciphertext password within the ciphertext data;

[0039] (4.2) Compute the digest of K1 to obtain key K2, and encrypt a virus program Virus with K2 to obtain the encrypted virus program Mvrius;

[0040] (4.3) Bundle the ciphertext password CipherPd, the ciphertext data Ciphertext and the encrypted virus program Mvrius into a new application New = Mvrius + CipherPd + Ciphertext; this program New is the real data to be sent. Based on the user's decryption, it checks whether the decrypted value of CipherPd equals the original Password, and accordingly either triggers the virus program Virus (which, on the one hand, executes malicious code to disable the current computer and, on the other, scrambles or deletes Ciphertext and sends the attacker's IP address and port number to the administrator for handling) or extracts the ciphertext data Ciphertext;

[0041] (5) While receiving packets, the receiver dynamically listens for the network administrator's decisions, accepts or discards packets by type, and finally decrypts the data to extract the useful data. This comprises the following steps:

[0042] (5.1) Determine the packet type: if it is a real packet, accept it; if it is a decoy packet, discard it;

[0043] (5.2) If an alarm is received from the administrator, the packets received before it may have been compromised, so discard the packets of that period and wait for retransmission; if no alarm has been received by the end of the communication, reassemble the packets to recover the data;

[0044] (5.3) Decrypt the data: a legitimate user can fully decrypt the data with the shared key K1 and its digest K2 and finally obtain the needed useful data; for an illegitimate attacker, if only the front part of the data is broken or the password is decrypted with a wrong key, the virus program hidden inside is triggered, countering the attacker.

[0045] In the above method, steps (1) and (4) proceed simultaneously: while sending real data packets, the node also sends decoy packets to probe the security and stability of the transmission link, so the transmission link can be changed dynamically according to the security-state feedback from the nodes, ensuring security throughout the communication.

[0046] Those skilled in the art will readily understand that the foregoing is merely a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (6)

1.一种网络诱骗与反攻击的主动防御方法,其特征在于,包括以下步骤: (1)发送方根据地址端口跳变服务器随机地选择一台主机作为当前通信主机,然后选择一条或多条传输链路发送诱骗报文,以检测传输链路的安全性和信道质量,检测结果包括节点安全状态、链路传输延迟和丢包率; (2)中间节点收到转发的数据报后,首先进行节点校验,通过检测报文的状态来判断是否有攻击发生和攻击类型,并根据具体的攻击行为向网络管理员发出相应的告警; (3)网络管理员监听整个网络的安全状态,接收通信链路中节点发来的告警,若发现某个节点遭到了攻击,则标记该节点为不安全节点并启动该节点上的入侵检测系统,对包括流量和网络连接服务的状况进行分析,定位攻击源并作出相应的反向攻击; (4)发送方在发送诱骗报文的同时监听网络管理员发来的决 An anti-phishing attacks and active defense method comprising the steps of: (1) the sender selects the address port of a host server randomly hopping communication as the current master, and then select one or more decoy packet transmission link transmission, safety and to detect the channel quality of transmission link, including the detection result of the security status of a node, link transmission delay and packet loss rate; (2) an intermediate node receives the forwarded data packet, first a node checking, by detecting the state of the packet to determine whether the type of attack and attack, and issue an alarm to the network administrator depending attacks; (3) network administrators monitor the security status of the entire network, receiving node communication link sent by an alarm, if found a node under attack, the node is marked as unsafe start node and intrusion detection systems on the node, including the status of network connections and traffic analysis service, location attack the source and make the appropriate counter attacks; (4) the sender when sending decoy message sent by the network administrator monitor decisions 策,若收到网络管理员发来的安全告警,则重新选择一条新的路径并继续发送诱骗报文探测链路的安全性和信道质量;若管理员未发出告警,则开始发送带反向攻击性的真实数据; 其中,该真实数据是将密文口令、密文数据和加密过的病毒程序进行捆绑,组合成的一个新的应用程序,即此时的应用程序就是要发送的真实数据,所述发送带反向攻击性的真实数据过程为:该应用程序判断用户是否将密文口令解密为正确的明文口令,若解密正确,则提取密文数据;若解密不正确或为解密得到一个错误的明文口令,则触发恶意代码程序,并且将该应用程序自身删除或者将数据和口令进行置乱,从而无法得到真实的有用数据,同时将攻击者的IP地址和端口号发往网络管理员让其处理; (5)接收方根据地址端口跳变服务器随机地选择一台主机作为当前通信主机,收 Policy, if it receives a network administrator sent to the security alarm, then re-select a new path and continues to send decoy safety and quality packet 
inspection channel link; if the administrator has not issued a warning, then start sending with reverse wherein the real data, real data is the encrypted password, and the ciphertext data encrypted virus program bundled, combined into a new application, i.e. in this case the application is to be transmitted; real data offensive the transmission with reversing aggressive process of real data: the application determines whether the user password is a plaintext password to the correct decryption, if correctly decrypted the ciphertext data is extracted; incorrect or if the decryption is decrypted an error plaintext password, the malicious code to trigger the program, and the application itself, or delete data and password scrambling, and thus can not be real useful data, while the IP address and port number to send the attacker to network management members let process; (5) selecting a recipient host as the current host communication port random address hopping server, close 到数据报后,根据报文的类型来决定接收或丢弃报文,并动态监听网络管理员的决策,若接收方收到网络管理员的告警,说明之前接收到的数据可能遭到了破坏,则丢弃这段时间的数据并等待重传;若通信结束后还未收到网络管理员的告警,则存储数据并解密恢复出真实有用的数据。 After the datagram, depending on the type of message that determines a reception or dropping packets, and dynamically monitor the network administrator's decision, before the network administrator if the recipient received the alarm, indicating that the received data may have been compromised, the discard data from this period and waits for retransmission; not yet received a warning after the network administrator if the communication is completed, the stored data is decrypted and recovered real useful data.
2.根据权利要求1所述的网络诱骗与反攻击的主动防御方法,其特征在于,步骤(I)包括下述步骤: (1.1)采用流密码加密系统产生的序列作为报文的数据部分; (1.2)在网络各个节点都安装流密码加密系统,同步产生随机序列; (1.3)对原始的IP数据报格式重新设计,新增IP选路、时间-1D、类型标识和摘要信息4个字段,并将这4个字段隐藏在IP报文的数据部中; (1.4)发送方通过地址端口跳变服务器动态选择一台主机发送诱骗报文检测传输链路的安全性和信道质量。 The anti-phishing attacks and active defense method according to claim 1, wherein step (I) comprises the steps of: (1.1) using a partial sequence of the data stream cipher encryption system to produce a packet; (1.2) at each node of the network are installed stream cipher encryption system, generating a random synchronization sequence; (1.3) to the original IP datagram format redesigned new IP routing, time -1D, and summary information type identifier field 4 and four hidden fields in the IP packet data portion; and (1.4) where the sender address port hopping dynamically select a host server transmits decoy packets safety and detected channel quality of the transmission link.
3. The active defense method with network decoys and counter-attack according to claim 1, characterized in that step (2) comprises the following steps:
(2.1) Determine whether the digest of the packet is correct. If it is not, the packet has been subjected to a tampering attack: mark the node and alert the network administrator; otherwise go to step (2.2).
(2.2) Determine whether the packet path is legitimate. If the IP address of a traversed node does not exist in the IP routing, the network has been subjected to an interception attack: mark the node and alert the network administrator; otherwise go to step (2.3).
(2.3) Determine whether the packet time is valid. If the difference among the packet's sending time, the current local time and the delay time, namely current local time minus sending time minus delay time, is not within the threshold, a replay attack has occurred: mark the node and warn the network administrator. Otherwise look up the cache table for an entry with this packet's ID; if one exists, the packet is a fast replay packet: discard it and alert the network administrator. If none exists, store the packet's IP source address, destination address, IP sending time and unique ID in the cache table, then go to step (2.4).
(2.4) Determine the packet type. If the packet is a real packet, update its sending time and forward it to the next node. If the packet is a decoy packet, compare the dynamic random sequence generated by this node with the random sequence carried in the data portion of the received packet; if the values differ, the data has been tampered with: mark this node and alert the network administrator, fill the data portion of the packet with the random sequence generated by the node, then update the packet's sending time and forward it to the next node. If the values are the same, update the packet's sending time and forward it to the next node.
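As an added illustration, not code from the patent, the following Python sketch implements the step (2) checks at an intermediate node. The HMAC-SHA256 digest (covering only the fields that must not change in transit), the cache keyed by packet ID, the route set and the timing constants are assumptions made here.

```python
import hashlib
import hmac
import json

# Constructed parameters (assumed): a key shared by the nodes, the permitted
# IP route, the expected one-hop delay and the replay threshold in seconds.
KEY = b"constructed-shared-key"
ROUTE = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}
DELAY = 1.0
THRESHOLD = 5.0

def digest(pkt):
    # Assumed digest: HMAC over the immutable fields; the per-hop sending
    # time and the path are excluded so forwarding does not break it.
    body = json.dumps([pkt["id"], pkt["src"], pkt["dst"], pkt["type"], pkt["data"]]).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def make_packet(pid, src, dst, ptype, data, sent):
    pkt = {"id": pid, "src": src, "dst": dst, "type": ptype, "data": data,
           "sent": sent, "path": [src]}
    pkt["digest"] = digest(pkt)
    return pkt

def check_packet(pkt, now, cache, node_seq):
    """Step (2) at an intermediate node. Returns (action, alerts).
    `cache` is the table of IDs already seen and is updated in place."""
    if not hmac.compare_digest(pkt["digest"], digest(pkt)):        # (2.1)
        return "alert", ["tampering"]
    if any(hop not in ROUTE for hop in pkt["path"]):                 # (2.2)
        return "alert", ["interception"]
    if abs(now - pkt["sent"] - DELAY) > THRESHOLD:                   # (2.3)
        return "alert", ["replay"]
    if pkt["id"] in cache:
        return "drop", ["fast-replay"]
    cache[pkt["id"]] = (pkt["src"], pkt["dst"], pkt["sent"])
    alerts = []
    if pkt["type"] == "decoy" and pkt["data"] != node_seq:           # (2.4)
        alerts.append("decoy-tampering")
        pkt["data"] = node_seq        # refill with this node's own sequence
        pkt["digest"] = digest(pkt)   # re-seal before forwarding
    pkt["sent"] = now                 # update sending time for the next hop
    return "forward", alerts
```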
4. The active defense method with network decoys and counter-attack according to claim 1, characterized in that step (3) comprises the following steps:
(3.1) Based on the detection result of step (2), analyze the alarm information sent by the node, mark the alarming node as an unsafe node and start the intrusion detection system on that node, analyze the node's traffic and network connection services, locate the attack source, and launch attacks against the attack source, including blocking, scanning and denial of service.
(3.2) Notify the sender to select another transmission path and retransmit the previous data, and notify the receiver to delete the previously received data and wait for retransmission.
5. The active defense method with network decoys and counter-attack according to claim 1, characterized in that step (4) comprises the following steps:
(4.1) Encrypt the plaintext data to be transmitted with the key shared by the two communicating parties to obtain ciphertext data, and likewise encrypt the hidden plaintext password with that key to obtain a ciphertext password.
(4.2) Compute the digest value of the key from step (4.1) and use that digest value as a key to encrypt a virus program, obtaining an encrypted virus program.
6. The active defense method with network decoys and counter-attack according to claim 4, characterized in that step (5) comprises the following steps:
(5.1) Determine the packet type: if it is a real packet, receive it; if it is a decoy packet, discard it.
(5.2) Analyze the network administrator's alarm according to the result of step (3.2). If an alarm has occurred, discard the packets received during that period and wait for retransmission; if no administrator alarm has been received by the end of the communication, reassemble the packets to recover the data.
(5.3) Decrypt the data: a legitimate user fully decrypts the data with the known shared key and finally obtains the useful data needed. For an illegitimate user, if only part of the data is cracked or the decryption is performed with a wrong key, the virus program hidden inside is triggered, thereby countering the attacker.
CN201310355000.9A 2013-08-15 2013-08-15 A network anti-phishing attack methods and active defense CN103457931B (en)


Publications (2)

Publication Number Publication Date
CN103457931A CN103457931A (en) 2013-12-18
CN103457931B true CN103457931B (en) 2016-08-10

Family

ID=49739885


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105978875B (en) * 2016-05-11 2019-04-05 中国人民解放军国防信息学院 A kind of dynamic Service realization method and system based on service hopping and intelligently cleaned

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104853003B (en) * 2015-04-30 2018-05-15 中国人民解放军国防科学技术大学 Based on Netfilter address, port hopping communication method implemented
CN106060184B (en) * 2016-05-11 2019-04-05 中国人民解放军国防信息学院 A kind of IP address hopping patterns generation method and jump controller based on three-dimensional
CN107065750B (en) * 2017-05-15 2019-04-02 中国工程物理研究院计算机应用研究所 The industrial control network dynamic security method of interior raw safety

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101118577A (en) * 2006-08-04 2008-02-06 大唐移动通信设备有限公司;上海大唐移动通信设备有限公司 Process and device for preventing fraudulent use of terminal software
CN102111394A (en) * 2009-12-28 2011-06-29 成都市华为赛门铁克科技有限公司 Network attack protection method, equipment and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8370936B2 (en) * 2002-02-08 2013-02-05 Juniper Networks, Inc. Multi-method gateway-based network security systems and methods


Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
CF01