CN104104675A - Internet control message protocol camouflage capture and analysis technology - Google Patents


Info

Publication number: CN104104675A
Authority: CN (China)
Prior art keywords: packet, icmp, camouflage, protocol, data packets
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN201410312275.9A
Other languages: Chinese (zh)
Inventor: 赖洪昌
Current assignee: Individual
Original assignee: Individual
Priority date: 2014-06-24
Filing date: 2014-06-24
Publication date: 2014-10-15

Abstract

The invention relates to an Internet control message protocol (ICMP) camouflage capture and analysis technology. The technology comprises the following operation steps: (1) packet decoding and filtering, (2) packet reassembly, (3) ICMP scanning attack detection, and (4) protocol camouflage detection. Network packets are decoded and filtered to capture the IP packets whose protocol type is ICMP, and complete IP packets are obtained by reassembling the fragments. The complete IP packets are filtered by an ICMP scanning attack detection module and then passed to a protocol camouflage detection module, which analyses each packet according to the type, code and content of its ICMP header to decide whether it is a camouflaged protocol packet. Compared with the prior art, the technology is closely tied to practical application scenarios and easy to implement, so that large volumes of data can be examined at high speed and with high efficiency, hidden ICMP protocol data can be discovered in time, and the requirements of practical application are met.

Description

Internet Control Message Protocol camouflage capture and analysis technology
Technical field
The present invention relates to an Internet Control Message Protocol (ICMP) camouflage capture and analysis technology, and belongs to the field of computer application technology.
Background art
With the rapid development and spread of computer network technology, and in particular the fast growth of the Internet in recent years, more and more people have come to feel the importance of network security. At the same time, the number of intrusions and attempted intrusions against important information resources and network infrastructure around the world is still constantly increasing. In addition, the PRISM affair has given people a clearer understanding of the complexity, concealment and destructive power of the threats that network security faces.
As the damage that network attacks and intrusions cause to national security, the economy and social life is continually exposed, effective information security communication technology has also become a very important issue. A new kind of network threat recognition technology has therefore emerged; on the basis of traditional network intrusion detection, it analyses and identifies protocol camouflage, and can discover intrusion behaviour that hides itself in mass data disguised as a normal communication protocol. Accordingly, in order to better discover hidden ICMP camouflaged data, we have invented the "Internet Control Message Protocol camouflage capture and analysis technology".
Summary of the invention
In order to effectively discover ICMP protocol camouflage intrusion behaviour hidden in mass data, and to reduce the loss and impact that concealed intrusion behaviour brings, the embodiment of the present invention provides an Internet Control Message Protocol camouflage capture and analysis technology. The technical scheme, which greatly improves the ability to discover covert communication behaviour, is as follows:
1. An Internet Control Message Protocol (ICMP) camouflage capture and analysis technology, whose features lie mainly in the core processes of packet reassembly and protocol camouflage analysis. ICMP packets are captured and obtained by a low-level packet capture technique: (1) IP protocol packets are filtered out of the network packets and it is determined whether each IP packet is a fragment; a fragmented packet is handed to the packet reassembly module, and an unfragmented packet is handed to the protocol camouflage analysis module; (2) the packet reassembly module determines whether the current packet is the last IP fragment; if so, all the current IP fragments are reassembled and the complete IP packet after reassembly is handed to the protocol camouflage analysis module; (3) the ICMP protocol header is decoded, and the ICMP request or reply type, ICMP code and packet length are analysed to decide whether the packet is a camouflaged ICMP packet. The concrete operation steps are as follows:
(1) Packet filtering
1. Filter Ethernet packets: filter the IP packets out of the Ethernet packets;
2. Determine whether the IP packet is fragmented: detect whether the current IP packet is a fragment; if it is a fragment, hand it to the packet reassembly module; if not, hand it to the protocol camouflage detection module;
(2) Packet reassembly module processing
1. Look up whether this is a new packet group: compute a HASH value from the source IP, source port, destination IP and destination port, and use this HASH value to look up in the packet group linked list whether the packet belongs to a new group; if so, create a new group and add it to the group linked list; if not, insert the packet into the fragment linked list of the existing group, ordered by the offset in the fragment flag field;
2. Detect whether the packet has been fully received: check whether the current IP packet is the last fragment; if so, the current group has received all its fragments and packet reassembly can be carried out;
3. Packet reassembly: combine all fragments of the current group into a new IP packet in the order of the offset in the fragment flag field;
(3) ICMP protocol camouflage analysis
1. Decode the ICMP packet: decode the current ICMP packet according to the ICMP protocol header structure, obtaining the ICMP type, code, checksum and the content that corresponds to the different types and codes;
2. Check whether the type matches the code: in ICMP, different types correspond to different codes and contents; if the type does not match the code, the packet is camouflaged;
3. Check the content length: check whether the PING command length exceeds 64 bytes, whether an error message is shorter than the 8-byte error header, whether a timestamp query message is shorter than its 20-byte header, and whether a mask query message is shorter than its 12-byte header; if so, the packet is camouflaged;
The technology of the present invention is further described below:
The packet reassembly referred to means the following: when the length of a packet exceeds the Ethernet MTU (maximum transmission unit), the IP layer fragments the packet so that the length of every fragment is less than or equal to the MTU; packet reassembly buffers the IP fragments as they arrive and, once all the fragments have been collected, reassembles them to generate a new complete packet. Because this traffic is usually large, in order to reduce the performance impact of packet reassembly the technology of the present invention combines memory pool reuse, fast HASH table lookup and ordered buffer linked lists. The organisation used during IP fragment reassembly is stored in a hash table: the hash table holds the group linked lists for the different headers, and each group linked list holds the fragment linked list of fragments sharing the same header.
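Added example (not the patent's own code) of the reassembly organisation described above and of the reassembly steps in the embodiment: a Python dict stands in for the hash table of Figure 4, each group keeps its fragments in offset order, and reassembly fires once the last fragment has arrived and no hole remains. It keys groups on the standard IPv4 identity (source, destination, identification, protocol) rather than the ports named above, since fragments after the first carry no transport header; the packet builder and sample fragments are constructed for the demonstration.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Added example, not the patent's own code.  A minimal IPv4 fragment
# reassembler organised as the description states: a hash table (a dict here)
# keyed on the packet identity, one group per key, each group holding its
# fragments in offset order, and a reassembly step that fires once the last
# fragment (MF = 0) has arrived and the group has no holes.  IP header fields
# are the standard ones; IP checksums are not verified here.

IP_MF = 0x2000           # "more fragments" bit of the flags/fragment-offset field
IP_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units

Key = Tuple[bytes, bytes, int, int]   # (src, dst, identification, protocol)


def parse_ipv4(raw: bytes) -> Tuple[Key, bool, int, bytes]:
    """Return (group key, more-fragments flag, byte offset, payload) of a raw IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", raw[2:8])
    key = (raw[12:16], raw[16:20], ident, raw[9])
    more = bool(flags_off & IP_MF)
    offset = (flags_off & IP_OFFSET_MASK) * 8
    return key, more, offset, raw[ihl:total_len]


class Reassembler:
    """The group hash table of Figure 4: key -> list of (offset, payload) sorted by offset."""

    def __init__(self) -> None:
        self.groups: Dict[Key, List[Tuple[int, bytes]]] = {}
        self.final_len: Dict[Key, int] = {}   # total payload length, known from the last fragment

    def feed(self, raw: bytes) -> Optional[bytes]:
        """Feed one packet; return the complete IP payload when available, else None."""
        key, more, offset, payload = parse_ipv4(raw)
        if not more and offset == 0:
            return payload                        # unfragmented: straight to protocol analysis
        frags = self.groups.setdefault(key, [])   # new group if the key is not yet present
        pos = 0                                   # insert in offset order (sorted fragment list)
        while pos < len(frags) and frags[pos][0] < offset:
            pos += 1
        if pos == len(frags) or frags[pos][0] != offset:   # ignore exact duplicates
            frags.insert(pos, (offset, payload))
        if not more:
            self.final_len[key] = offset + len(payload)
        if key not in self.final_len:
            return None                           # last fragment not seen yet
        expected = 0                              # hole check: fragments must be contiguous
        for off, data in frags:
            if off != expected:
                return None
            expected = off + len(data)
        if expected != self.final_len[key]:
            return None
        del self.groups[key]                      # group complete: release its table entry
        del self.final_len[key]
        return b"".join(data for _, data in frags)


def make_ipv4(ident: int, offset: int, more: bool, payload: bytes, proto: int = 1) -> bytes:
    """Build a constructed IPv4 packet (header checksum left 0; the reassembler ignores it)."""
    flags_off = (IP_MF if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def reassemble(packets: List[bytes]) -> List[bytes]:
    """Run a packet list through the reassembler and collect every completed payload."""
    r = Reassembler()
    return [p for p in (r.feed(pkt) for pkt in packets) if p is not None]
```

Completed payloads come out in the order their last missing fragment arrives, which is what lets two interleaved fragment streams be handled by one table.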
The ICMP protocol camouflage analysis described above:
1) Decode the IP packet and obtain the type, code, checksum and content data from the ICMP protocol header. Because different types and codes correspond to different contents, checking whether the type matches the code can already find some of the camouflaged ICMP packets.
2) Check the ICMP packet length. Checking whether the content length for each type and code meets the normal traffic size detects whether the packet is protocol camouflaged data. For example, type 0, code 0 normally represents the PING echo command, whose normal size does not exceed 64 bytes; if a PING packet exceeding 64 bytes appears, it may well be a disguised PING program reporting to its user.
Compared with existing intrusion detection technology, the present invention has the following outstanding features and remarkable advantages:
(1) Compared with traditional intrusion detection, the protocol contents and behaviour of packets are analysed in a targeted way, so hidden intrusion behaviour can be detected effectively.
(2) Multiple protocol camouflage detection points are used in combination, greatly enhancing the practicality of the function.
Brief description of the drawings:
Fig. 1 is the packet decoding flow chart of the technology of the present invention.
Fig. 2 is the IP packet reassembly flow chart of the technology of the present invention.
Fig. 3 is the ICMP protocol camouflage detection flow chart of the technology of the present invention.
Fig. 4 is the organisation chart for IP packet reassembly in the technology of the present invention.
Detailed description of the embodiments:
Embodiment:
For a better understanding of the technical scheme of the present invention, the concrete implementation is explained in further detail below with reference to the accompanying drawings:
The concrete operation steps of the Internet Control Message Protocol camouflage capture and analysis technology, following the accompanying drawings, are as follows:
(1) Packet decoding (packet filtering operation steps, as shown in Figure 1)
1. Decode the Ethernet packet: filter Ethernet packets according to the data link type.
2. Decode the IP packet: according to the network type, decode IP packets, ARP packets and other packets.
3. Checksum inspection: compute the IP checksum and check whether it is correct.
4. Decode the network layer packet: according to the protocol type, decode TCP packets, UDP packets and ICMP packets.
(2) Packet reassembly (packet reassembly operation steps, as shown in Figure 2)
1. Determine whether the packet is a fragment: check the IP fragmentation flag to see whether it is a fragment, and whether the offset is greater than zero.
2. Determine whether the IP packet has timed out: while the data block is being transmitted, detect whether the current IP packet is below the minimum time to live.
3. Look up the header: search the existing group hash table for a group with the same header; if none is found, create a new group and insert it into the hash table; if one exists, insert the fragment into its fragment linked list by offset. The hash table structure is shown in Figure 4.
4. Determine whether this is the last fragment: detect whether the current fragment is the last fragment for the same header; if it is, reassemble the current fragment linked list to generate a new complete IP packet.
(3) Protocol camouflage detection (protocol camouflage detection operation steps, as shown in Figure 3)
1. Decode the ICMP protocol header: decode the ICMP type, code, checksum and data content field values.
2. Check whether the type matches the code: check whether the ICMP type matches the code value; for example, the error message of type 3 has a code value less than 15; the query message of type 0 is a PING packet, and so on; the timestamp query messages of types 13 and 14 have code value 0 and content length greater than 20 bytes; the mask query messages of types 17 and 18 have code value 0 and content length greater than 12 bytes.
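Added example (not the patent's own code) implementing the type/code consistency check and the per-type length check described in the protocol camouflage analysis above, with the thresholds the page states: PING at most 64 bytes, error messages at least 8 bytes, timestamp messages at least 20, mask messages at least 12, and type 3 codes below 15. The standard ICMP type numbers (8 for the echo request), the checksum verification step and the sample messages are assumptions added here, not taken from the page.

```python
import struct

# Added example, not the patent's own code.  It applies the two ICMP checks the
# description states, type/code consistency and a per-type length bound, to one
# raw ICMP message (the IP payload: 4-byte type/code/checksum header plus the rest).
# Thresholds are the ones given on the page; type numbers are the standard ones.

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8
TIMESTAMP, TIMESTAMP_REPLY, MASK_REQUEST, MASK_REPLY = 13, 14, 17, 18

# Codes the page treats as matching each type.  A type not listed here is
# outside the page's rule set and is reported as a mismatch.
ALLOWED_CODES = {
    ECHO_REPLY: {0}, ECHO_REQUEST: {0},        # PING echo reply / request
    DEST_UNREACH: set(range(15)),              # page: type 3 -> code value less than 15
    TIMESTAMP: {0}, TIMESTAMP_REPLY: {0},
    MASK_REQUEST: {0}, MASK_REPLY: {0},
}

# Length rules from the page: (types, bound in bytes, bound is a maximum)
LENGTH_RULES = [
    ((ECHO_REPLY, ECHO_REQUEST), 64, True),     # PING must not exceed 64 bytes
    ((DEST_UNREACH,), 8, False),                # error message at least its 8-byte header
    ((TIMESTAMP, TIMESTAMP_REPLY), 20, False),  # timestamp message at least 20 bytes
    ((MASK_REQUEST, MASK_REPLY), 12, False),    # mask message at least 12 bytes
]


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify_icmp(msg: bytes) -> str:
    """Return 'normal', or the reason the message is judged camouflaged."""
    if len(msg) < 4:
        return "truncated ICMP header"
    icmp_type, code, _checksum = struct.unpack("!BBH", msg[:4])
    # Checksum verification is a decoding sanity check added here, not one of the page's rules.
    if internet_checksum(msg) != 0:
        return "bad checksum, message cannot be decoded reliably"
    if code not in ALLOWED_CODES.get(icmp_type, set()):
        return "type %d does not match code %d" % (icmp_type, code)
    n = len(msg)
    for types, bound, is_max in LENGTH_RULES:
        if icmp_type in types:
            if is_max and n > bound:
                return "type %d message of %d bytes exceeds %d" % (icmp_type, n, bound)
            if not is_max and n < bound:
                return "type %d message of %d bytes is shorter than %d" % (icmp_type, n, bound)
    return "normal"


def make_icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    """Build a constructed ICMP message with a correct checksum (sample input only)."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest
    return msg[:2] + struct.pack("!H", internet_checksum(msg)) + msg[4:]
```

A default ping is `make_icmp(ECHO_REQUEST, 0, bytes(60))`, 64 bytes in all, and passes; the same request carrying 392 bytes after the header is reported as exceeding 64.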

Claims (1)

1. An Internet Control Message Protocol (ICMP) camouflage capture and analysis technology, whose features lie mainly in the core processes of packet reassembly and protocol camouflage analysis. ICMP packets are captured and obtained by a low-level packet capture technique: (1) IP protocol packets are filtered out of the network packets and it is determined whether each IP packet is a fragment; a fragmented packet is handed to the packet reassembly module, and an unfragmented packet is handed to the protocol camouflage analysis module; (2) the packet reassembly module determines whether the current packet is the last IP fragment; if so, all the current IP fragments are reassembled and the complete IP packet after reassembly is handed to the protocol camouflage analysis module; (3) the ICMP protocol header is decoded, and the ICMP request or reply type, ICMP code and packet length are analysed to decide whether the packet is a camouflaged ICMP packet. The concrete operation steps are as follows:
(1) Packet filtering
1. Filter Ethernet packets: filter the IP packets out of the Ethernet packets;
2. Determine whether the IP packet is fragmented: detect whether the current IP packet is a fragment; if it is a fragment, hand it to the packet reassembly module; if not, hand it to the protocol camouflage detection module;
(2) Packet reassembly module processing
1. Look up whether this is a new packet group: compute a HASH value from the source IP, source port, destination IP and destination port, and use this HASH value to look up in the packet group linked list whether the packet belongs to a new group; if so, create a new group and add it to the group linked list; if not, insert the packet into the fragment linked list of the existing group, ordered by the offset in the fragment flag field;
2. Detect whether the packet has been fully received: check whether the current IP packet is the last fragment; if so, the current group has received all its fragments and packet reassembly can be carried out;
3. Packet reassembly: combine all fragments of the current group into a new IP packet in the order of the offset in the fragment flag field;
(3) ICMP protocol camouflage analysis
1. Decode the ICMP packet: decode the current ICMP packet according to the ICMP protocol header structure, obtaining the ICMP type, code, checksum and the content that corresponds to the different types and codes;
2. Check whether the type matches the code: in ICMP, different types correspond to different codes and contents; if the type does not match the code, the packet is camouflaged;
3. Check the content length: check whether the PING command length exceeds 64 bytes, whether an error message is shorter than the 8-byte error header, whether a timestamp query message is shorter than its 20-byte header, and whether a mask query message is shorter than its 12-byte header; if so, the packet is camouflaged.

Priority Applications (1)

Application number: CN201410312275.9A (publication CN104104675A), priority date 2014-06-24, filing date 2014-06-24, title: Internet control message protocol camouflage capture and analysis technology

Publications (1)

Publication number: CN104104675A, publication date 2014-10-15

Family ID: 51672476

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6513122B1 (en) * 2001-06-29 2003-01-28 Networks Associates Technology, Inc. Secure gateway for analyzing textual content to identify a harmful impact on computer systems with known vulnerabilities
CN1435977A (en) * 2002-02-01 2003-08-13 联想(北京)有限公司 Method for detecting and responding to firewall intrusions
CN101789931A (en) * 2009-12-31 2010-07-28 暨南大学 Network intrusion detection system and method based on data mining
CN103281336A (en) * 2013-06-19 2013-09-04 上海众恒信息产业股份有限公司 Network intrusion detection method

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110324210A (en) * 2019-08-06 2019-10-11 杭州安恒信息技术股份有限公司 Method and device for detecting covert channel communication based on the ICMP protocol
CN110677497A (en) * 2019-10-23 2020-01-10 中国工商银行股份有限公司 Network medium distribution method and device
CN112929364A (en) * 2021-02-05 2021-06-08 上海观安信息技术股份有限公司 Data leakage detection method and system based on ICMP tunnel analysis
CN114095265A (en) * 2021-11-24 2022-02-25 中国南方电网有限责任公司超高压输电公司昆明局 ICMP hidden tunnel detection method, device and computer equipment
CN114095265B (en) * 2021-11-24 2024-04-05 中国南方电网有限责任公司超高压输电公司昆明局 ICMP hidden tunnel detection method, device and computer equipment

Legal Events

Code Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20141015