CN105721442A - Spurious response system and method based on dynamic variation and network security system and method - Google Patents


Publication number
CN105721442A
Authority
CN
China
Prior art keywords
false response
false
address
information
response information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610042150.8A
Other languages
Chinese (zh)
Other versions
CN105721442B (en)
Inventor
耿童童
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Weida Information Technology Co., Ltd.
Original Assignee
耿童童
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by 耿童童
Priority to CN201610042150.8A
Publication of CN105721442A
Application granted
Publication of CN105721442B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The invention provides a spurious response system and method based on dynamic variation, and a network security system and method. The spurious response system comprises a spurious response information configuration unit and a spurious response unit. According to user configuration information, the spurious response information configuration unit configures spurious response information that can be varied dynamically and that comprises at least a spurious IP address and a spurious MAC address. The spurious response unit constructs a spurious response data packet according to the spurious response information and uses it to answer suspected scanning and probing data packets. Because the attacker's scanning and probing receives spurious responses, and those responses can be varied dynamically according to configuration, the attacker cannot obtain the topology of the network and cannot accurately obtain real information about the hosts in it. Network penetration attacks are thereby effectively defended against, and the security and stability of the network are maintained.

Description

False response system and method based on dynamic variation, and network security system and method
Technical field
The present invention relates to the field of network security, and in particular to a false response system based on dynamic variation, a false response method, and a network security system and network security defence method based on them.
Background art
With the rapid development of computer networks and information technology, the global move to information systems keeps accelerating. Networks play an increasingly important role in society and have become a national strategic resource spanning key areas such as government, business, finance and communications. At the same time, network security threats keep emerging: attackers enter network systems by technical means or by social engineering and carry out information theft, system destruction, malicious deception and similar activities. This not only affects the work and life of the general public, it has also become a significant problem threatening economic, social and even national security.
Intranets have gradually spread through government bodies, enterprises, universities and similar organizations as networks have developed and come into wide use. Because an intranet is comparatively convenient to administer and maintain, and effectively improves the working efficiency of organizations and their employees, intranets grew on an unprecedented scale across all industries in China during the 1990s and the beginning of this century. Intranet security is extremely important in real network environments, yet most network security devices neglect it. Existing methods generally detect attacks by collecting traffic, but abnormal traffic often appears only after the attack has taken place, so methods of this kind cannot defend against attacks in real time. Another approach deploys a network security protection system on the hosts that access the network; it can defend against some attacks, but it depends on the operating system and cannot be transparent to the user. Scanning and probing is usually the first step of an intranet penetration attack. With scanning tools an attacker can probe the local network and, from the responses, quickly and accurately determine which hosts in the network are alive, which host ports are open, the type and version of each host's operating system, the vulnerabilities that may be present, and so on, laying the foundation for subsequent attacks and long-term control. Blocking intranet penetration attacks at this stage can therefore nip most intrusions in the bud, preventing trouble before it happens and reducing the losses caused by malicious attacks.
The invention patent with application number 200910085033.X discloses a method and system for detecting port scanning behaviour, comprising: writing the correspondence between the IP address of each protected client and its open port numbers into a configuration file; monitoring how each protected client is accessed, and maintaining, for each accessing client, a list of its accesses to open ports of the protected clients and a list of its accesses to non-open ports; from those two lists, calculating for each protected client the average number of times its open ports and its non-open ports were accessed by each accessing client; and making a scan determination according to preset scan judgment criteria. This method detects fast scanning behaviour well, but detects slow scanning behaviour poorly.
The invention patent with application number 201510018050.7 discloses a method for generating network attack scenarios from multi-source alarm logs. It first collects the alarm logs produced by multiple network security protection devices and extracts the valid alarm log data by preprocessing. For the alarm logs obtained from a single device, single-source log aggregation and mapping mask the differences between the log formats of different devices, and attack event information is extracted by analysis. The attack events extracted from the different sources are then fused to produce network attack events of higher credibility, and attack association analysis generates a network attack scenario graph covering the whole course of an attack. Because heterogeneous event logs are fused, the resulting attack information portrays the attacks on the network more completely. However, the method does not take the credibility of each alarm source into account, and it fails if the attacker only scans and probes without carrying out any further attack activity.
The invention patent with application number 201220157554.9 discloses an intranet monitoring system based on multiple trust levels, comprising a high-bandwidth data analysis mechanism, a hierarchical content analysis mechanism, a network resource access mechanism, a multilayer information leakage prevention mechanism, a virus and Trojan active immunity module, and a multiple anti-illegal-access module. The data line of the high-bandwidth data analysis mechanism connects to the hierarchical content analysis mechanism and the network resource access mechanism; the multilayer information leakage prevention mechanism, the virus and Trojan active immunity module and the multiple anti-illegal-access module are connected to the network resource access mechanism. To some extent the system provides legitimacy management and behaviour auditing for intranet resources and prevents internally sourced attacks and unauthorized access, but because it involves many modules it is complex to deploy, and its practicality and generality are poor.
In general, existing methods for detecting network penetration attacks do not achieve good results in practice. The root cause is that when an attacker scans the target network with scanning tools, the responses obtained are usually real and deterministic. Through repeated scans the attacker can analyse the network architecture and the host systems, find the vulnerabilities in them, and finally penetrate and take control of the network step by step, achieving the purpose of the attack.
Summary of the invention
To defend effectively against network penetration attacks, the present invention takes a different approach: it proposes a false response system and a false response method based on dynamic variation, and a network security system and method based on dynamically varying false responses. The basic technical idea is to answer the attacker's scanning and probing with false responses, and to vary those false responses dynamically according to configuration, so that the attacker can obtain neither the network topology nor accurate real information about the hosts in the network. Network penetration attacks are thereby effectively defended against, and the security and stability of the network are maintained.
The technical solutions adopted by the present invention to solve the above technical problem are as follows:
A false response system based on dynamic variation comprises a false response information configuration unit and a false response unit, the false response information configuration unit being connected to the false response unit. The false response information configuration unit configures dynamically variable false response information according to user configuration information; the false response information includes at least a false IP address and a false MAC address. The false response unit constructs false response packets, based on the false response information, for the request packets sent to it.
Further, in the false response system of the present invention, the false response information includes a false IP address, the false MAC address corresponding to the false IP address, and the false ports corresponding to the false IP address, and the request packets include at least one of ARP request packets, ICMP request packets and TCP SYN request packets. For an ARP request packet, the false response unit extracts the target IP address from the ARP request packet and constructs an ARP false response packet from the false response information that includes this target IP address. For an ICMP request packet, the false response unit extracts the target IP address from the ICMP request packet and constructs an ICMP false response packet from the false response information that includes this target IP address. For a TCP SYN request packet, the false response unit extracts the target IP address and target port from the TCP SYN request packet and constructs a TCP SYN+ACK false response packet from the false response information that includes this target IP address and target port.
Further, in the false response system of the present invention, the false response information configuration unit includes a false response information storage unit 12, a false response information generating unit 13 and a false response information dynamic variation unit 17. The false response information generating unit 13 and the false response information dynamic variation unit 17 are connected to the false response information storage unit 12. The false response information generating unit 13 generates a number of false response information entries according to the user configuration information and stores them in the false response information storage unit 12; the false response information dynamic variation unit 17 dynamically varies the false response information stored in the false response information storage unit 12 according to the user configuration information; and the false response unit is connected to the false response information storage unit 12. The user configuration information includes the range of IP addresses for which false responses may be given, the range of MAC addresses for which false responses may be given, the range of ports for which false responses may be given together with the probability that each port gives a false response, the range of operating system types and versions for which false responses may be given, and the time interval at which the false response information is dynamically varied.
Further, in the false response system of the present invention, the false response information generating unit 13 comprises a response IP generation module 21, a response MAC generation module 22, a response port generation module 23 and a response operating system type and version generation module 24. The response IP generation module 21 randomly selects some IP addresses from the range of IP addresses set in the user configuration information for false responses, and generates the list of IP addresses for which false responses may be given. The response MAC generation module 22 randomly generates, from the MAC address range set in the user configuration information for false responses, a corresponding MAC address for each IP address generated by the response IP generation module 21. The response port generation module 23 randomly generates, from the port range and the per-port false response probabilities set in the user configuration information, a number of corresponding ports for each IP address generated by the response IP generation module 21, together with the probability that each port gives a false response. The response operating system type and version generation module 24 randomly generates, from the range of operating system types and versions set in the user configuration information for false responses, the corresponding operating system type and version information for each IP address generated by the response IP generation module 21.
Further, in the false response system of the present invention, the false response information dynamic variation unit 17 comprises a false response information modification module 31 and a false response variation duplicate-query module 32, both of which are connected to the false response information storage unit 12. The false response information modification module 31 periodically modifies the false response information stored in the false response information storage unit 12, at the time interval for dynamic variation set in the user configuration information. The false response variation duplicate-query module 32 runs a duplicate-elimination query on the modified false response information and notifies the false response information modification module 31 to delete or modify any duplicated false response information. The false response information modification module 31 modifies the false response information in one of the following two ways. In the first, it randomly generates a certain number of new false response information entries according to the user configuration information and at the same time randomly deletes a certain number of the original entries. In the second, it modifies the IP address, MAC address, ports and/or operating system type and version in each false response information entry according to the modification probability set for each entry in the user configuration information.
Further, in the false response system of the present invention, the false response unit includes an ARP response unit 14, an ICMP response unit 15 and a port response unit 16, all of which are connected to the false response information configuration unit. The ARP response unit 14 constructs an ARP false response packet as follows: it first extracts the target IP address from the ARP request packet and looks the target IP address up in the false response information; if the address is not found, the ARP request packet is simply dropped; if it is found, the unit takes this target IP address and the MAC address that corresponds to it in the false response information and constructs the ARP false response packet from them. The ICMP response unit 15 constructs an ICMP false response packet as follows: it first extracts the target IP address from the ICMP request packet and looks the target IP address up in the false response information; if the address is not found, the ICMP request packet is simply dropped; if it is found, the unit takes this target IP address and the MAC address that corresponds to it in the false response information and constructs the ICMP false response packet from them. The port response unit 16 constructs a TCP SYN+ACK false response packet as follows: it first extracts the target IP address and target port from the TCP SYN request packet and looks the target IP address up in the false response information; if the address is not found, the TCP SYN request packet is simply dropped; if it is found, the unit further checks whether the target port is among the ports of the false response information entry that includes the target IP address; if it is not, the TCP SYN request packet is simply dropped; if it is, the unit takes this target IP address, the target port, the MAC address that corresponds to the target IP address in the false response information and the operating system type and version information that corresponds to the target IP address in the false response information, and constructs the TCP SYN+ACK false response packet from them.
Further, the false response system of the present invention also includes a log unit 18, which is connected to the false response unit and generates log information from the false response unit's response results for request packets.
A false response method based on dynamic variation comprises the following steps:
(1) Generate a number of false response information entries according to a preset range of IP addresses for which false responses may be given, a preset range of MAC addresses for which false responses may be given, a preset range of ports for which false responses may be given together with the probability that each port gives a false response, and a preset range of operating system types and versions for which false responses may be given. Each false response information entry includes a false IP address, the false MAC address corresponding to the false IP address, the false ports corresponding to the false IP address, and the false operating system type and version corresponding to the false IP address. Dynamically modify the false response information at a preset time interval;
(2) Respond to the relevant request packets in the following manner, generating the corresponding false response packets:
(2-1) For an ARP request packet, first extract the target IP address from the ARP request packet and look it up in the false response information generated in step (1); if it is not found, drop the ARP request packet; if it is found, construct an ARP false response packet from the false response information entry found for this target IP address;
(2-2) For an ICMP request packet, first extract the target IP address from the ICMP request packet and look it up in the false response information generated in step (1); if it is not found, drop the ICMP request packet; if it is found, construct an ICMP false response packet from the false response information entry found for this target IP address;
(2-3) For a TCP SYN request packet, first extract the target IP address and target port from the TCP SYN request packet and look the target IP address up in the false response information generated in step (1); if it is not found, drop the TCP SYN request packet; if it is found, further check whether the target port is among the ports of the false response information entry found for the target IP address; if it is not, drop the TCP SYN request packet; if it is, construct a TCP SYN+ACK false response packet from the false response information entry found for this target IP address and target port;
(3) Generate log information from the response results for each kind of request packet.
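The lookup-and-answer decisions of steps (1) and (2), together with the first modification mode described above (add new entries, delete old ones, with a duplicate check), can be modelled without touching a network. The following Python model is an added example, not code from the patent; the configuration values, the class and function names, the packet dictionaries and the way the per-port probability is applied are all assumptions.

```python
import ipaddress
import random
from dataclasses import dataclass

# Constructed user configuration; every value here is an assumption for the demo.
CONFIG = {
    "ip_range": "10.9.0.0/28",      # addresses that may be answered falsely
    "mac_prefix": "02:00:5e",       # locally administered prefix for false MACs
    "ports": {22: 0.9, 80: 1.0, 443: 1.0, 445: 0.5, 3389: 0.7},  # port -> probability
    "os_choices": ["Windows 7 SP1", "Windows Server 2008 R2", "Ubuntu 14.04"],
    "host_count": 6,                # entries kept in the table
    "rotate_count": 3,              # entries replaced at each variation interval
}


@dataclass
class FalseHost:
    ip: str
    mac: str
    ports: dict  # port -> probability of a false SYN+ACK
    os: str


class FalseResponseTable:
    def __init__(self, cfg, seed=None):
        self.cfg = cfg
        self.rng = random.Random(seed)
        self.pool = [str(a) for a in ipaddress.ip_network(cfg["ip_range"]).hosts()]
        self.hosts = {}  # false IP -> FalseHost
        self._add_hosts(cfg["host_count"])

    def _new_mac(self):
        # Duplicate query: draw again until the MAC is not already in the table.
        used = {h.mac for h in self.hosts.values()}
        while True:
            tail = ":".join(f"{self.rng.randrange(256):02x}" for _ in range(3))
            mac = f"{self.cfg['mac_prefix']}:{tail}"
            if mac not in used:
                return mac

    def _add_hosts(self, n):
        # Step (1): only addresses not yet in the table are candidates,
        # so a new entry never duplicates an existing false IP.
        free = [ip for ip in self.pool if ip not in self.hosts]
        for ip in self.rng.sample(free, n):
            count = self.rng.randint(1, len(self.cfg["ports"]))
            chosen = self.rng.sample(sorted(self.cfg["ports"]), count)
            self.hosts[ip] = FalseHost(
                ip=ip,
                mac=self._new_mac(),
                ports={p: self.cfg["ports"][p] for p in chosen},
                os=self.rng.choice(self.cfg["os_choices"]),
            )

    def rotate(self):
        # Variation mode one: generate new entries, then delete as many old ones.
        old = list(self.hosts)
        n = self.cfg["rotate_count"]
        self._add_hosts(n)
        for ip in self.rng.sample(old, n):
            del self.hosts[ip]

    def respond(self, pkt):
        """Step (2): return the fields of the false reply, or None to drop."""
        host = self.hosts.get(pkt["dst_ip"])
        if host is None:
            return None  # target IP not in the false response information
        if pkt["type"] == "arp":
            return {"type": "arp-reply", "ip": host.ip, "mac": host.mac}
        if pkt["type"] == "icmp":
            return {"type": "icmp-reply", "ip": host.ip, "mac": host.mac}
        if pkt["type"] == "syn":
            prob = host.ports.get(pkt["dst_port"])
            # Assumption: the per-port probability decides whether this SYN is answered.
            if prob is None or self.rng.random() >= prob:
                return None
            return {"type": "syn-ack", "ip": host.ip, "port": pkt["dst_port"],
                    "mac": host.mac, "os": host.os}
        return None


def arp_view(table):
    """False IP -> MAC map that an ARP sweep of the whole range would collect."""
    view = {}
    for ip in table.pool:
        reply = table.respond({"type": "arp", "dst_ip": ip})
        if reply is not None:
            view[ip] = reply["mac"]
    return view


if __name__ == "__main__":
    table = FalseResponseTable(CONFIG, seed=1)
    before = arp_view(table)
    table.rotate()
    after = arp_view(table)
    print("answering before:", sorted(before))
    print("answering after: ", sorted(after))
    print("unchanged entries:", len(before.keys() & after.keys()))
```

Comparing `arp_view` before and after `rotate()` shows how much of a previously collected host map is still answered after one variation interval.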
A network security system comprises a packet preprocessing unit and the false response system of the present invention. The packet preprocessing unit is connected to the input of the false response unit in the false response system; it judges whether a request packet is suspicious and passes suspicious request packets to the false response unit for a false response.
A network security defence method comprises the following steps:
(1) Judge whether each request packet accessing the network is suspicious: if the number of request packets with the same source IP address sent within a certain time period exceeds a certain threshold, the request packet is judged to be a suspicious request packet; otherwise it is judged to be a normal request packet;
(2) For request packets judged in step (1) to be suspicious, give a false response according to the false response method of the present invention by generating false response packets, and generate log information;
(3) Request packets judged in step (1) to be normal are passed through directly.
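The suspicion test of step (1) and the routing of steps (2) and (3) can be expressed as a per-source sliding-window counter. The following Python code is an added example, not code from the patent; the window length, the threshold, the log line format and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque


class ProbeFilter:
    """Step (1): count request packets per source IP inside a sliding time window."""

    def __init__(self, window_s, threshold):
        self.window_s = window_s
        self.threshold = threshold
        self.seen = defaultdict(deque)  # source IP -> timestamps still inside the window

    def classify(self, src_ip, ts):
        q = self.seen[src_ip]
        q.append(ts)
        while ts - q[0] > self.window_s:   # forget packets older than the window
            q.popleft()
        return "suspicious" if len(q) > self.threshold else "normal"


def route(packets, flt):
    """Steps (2) and (3): suspicious packets go to the false response unit and are
    logged; normal packets are passed through unchanged."""
    passed, deceived, log = [], [], []
    for ts, src, kind, dst in packets:
        if flt.classify(src, ts) == "suspicious":
            deceived.append((src, dst))
            log.append(f"{ts:.1f} false-response {kind} src={src} dst={dst}")
        else:
            passed.append((src, dst))
    return passed, deceived, log


def sample_traffic():
    """Constructed traffic: one source sweeping ten addresses in under a second,
    and one ordinary client sending two connection requests."""
    pkts = [(i * 0.1, "10.9.0.50", "arp", f"10.9.0.{i + 1}") for i in range(10)]
    pkts += [(0.35, "10.9.0.20", "syn", "10.9.0.5"),
             (4.0, "10.9.0.20", "syn", "10.9.0.5")]
    return sorted(pkts)


if __name__ == "__main__":
    passed, deceived, log = route(sample_traffic(), ProbeFilter(window_s=1.0, threshold=5))
    print("passed through:", len(passed))
    print("answered falsely:", len(deceived))
    for line in log:
        print(line)
```

With these values the first five packets of the sweep are still classified as normal and passed through, because the count only exceeds the threshold on the sixth packet.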
The technical solutions of the present invention have the following technical innovations and technical effects:
The present invention is the first to propose a false response system and method based on dynamic variation. When an attacker scans and probes a network (preferably an intranet), the scanning and probing packets sent by the attacker receive false responses, so that the attacker cannot obtain the topology of the network (preferably an intranet) or the real information of the hosts in it. The false response information includes at least a false IP address, a false MAC address, a false operating system type and version, and false open ports. The idea of dynamic variation is introduced at the same time: the constructed false response information is modified at regular intervals, so that the attacker, unable to collect real information about the network (preferably an intranet), ultimately cannot carry out subsequent attacks. On this basis penetration attacks on the network (preferably an intranet) are effectively defended against and the security and stability of the network are maintained. This realizes a brand-new network security technology with a wide range of application value.
Brief description of the drawings
Fig. 1 is a block diagram of the overall structure of the false response system of the present invention;
Fig. 2 is a block diagram of a first preferred structure of the false response information generating unit in the false response system of the present invention;
Fig. 3 is a structural block diagram of the false response information dynamic variation unit in the false response system of the present invention;
Fig. 4 is a structural block diagram of the log unit in the false response system of the present invention;
Fig. 5 is a block diagram of the overall structure of a network security system that includes the false response system of the present invention;
Fig. 6 is a block diagram of a second preferred structure of the false response information generating unit in the false response system of the present invention;
The reference numerals in the figures have the following meanings:
11-request packet, 12-false response information storage unit, 13-false response information generating unit, 14-ARP response unit, 15-ICMP response unit, 16-port response unit, 17-false response information dynamic variation unit, 18-log unit, 19-packet preprocessing unit;
21-response IP generation module, 22-response MAC generation module, 23-response port generation module, 24-response operating system type and version generation module, 25-vulnerability information generation module;
31-false response information modification module, 32-false response variation duplicate-query module;
41-ARP log module, 42-ICMP log module, 43-port log module.
Detailed description of the embodiments
The technical solutions of the present invention are described in detail below with reference to the accompanying drawings, so that those skilled in the art can understand the solutions of the present invention more clearly; this does not limit the scope of protection of the invention.
The false response system based on dynamic variation of the present invention includes a false response information configuration unit, a false response unit and a log unit. The false response information configuration unit is connected to the false response unit, and the false response unit is connected to the log unit. The false response information configuration unit configures dynamically variable false response information according to user configuration information; this false response information includes a false IP address, a false MAC address, a false operating system type and version, and false open ports. The false response unit builds false response packets from the false response information configured in the false response information configuration unit and uses them to answer suspicious request packets. The IP address, MAC address, ports, operating system type and version and other information contained in these false response packets are all falsely constructed and not real. The log unit collects the response results of the false response unit so that the network administrator can analyse the attack behaviour in depth. With the false response system of the present invention, the attacker's scanning and probing packets therefore cannot obtain the topology of the network or the real information of the hosts in it, and the false response system can completely suppress network penetration attacks when it is applied to network security defence. In a network penetration attack the attacker uses scanning tools to scan the target network frequently, analyses the real responses obtained during scanning to determine the network topology, the intranet architecture and the host system information, then finds the vulnerabilities in them, and finally penetrates and takes control of the network step by step, achieving the purpose of the attack. In the network security system built on the false response system proposed by the present invention, the responses returned to the attacker's scanning and probing are falsely configured response information, so however many times the attacker scans, the topology of the network and the real information of the hosts in it cannot be obtained. The attacker thus loses the basis for any further attack and the security of the network is effectively defended; the protective effect is especially prominent when the system is applied to an intranet.
The false response system and method based on dynamic variation of the present invention, and the network security system based on this false response system, are described in detail below with reference to the accompanying drawings, and preferably include the following embodiments.
First preferred embodiment
As shown in Fig. 1, the false response system based on dynamic variation of the present invention includes a false response information configuration unit, a false response unit and a log unit. The false response information configuration unit specifically includes a false response information storage unit 12, a false response information generating unit 13 and a false response information dynamic variation unit 17; the false response information generating unit 13 and the false response information dynamic variation unit 17 are both connected to the false response information storage unit 12. The false response information generating unit 13 generates a number of false response information entries according to the user configuration information and stores them in the false response information storage unit 12; the false response information storage unit 12 supplies the stored false response information to the false response unit; and the false response information dynamic variation unit 17 dynamically varies the false response information stored in the false response information storage unit 12 according to the user configuration information. The user configuration information includes the range of IP addresses for which false responses may be given, the range of MAC addresses for which false responses may be given, the range of ports for which false responses may be given together with the probability that each port responds, the range of operating system types and versions for which false responses may be given, and the time interval at which the false response information is dynamically changed. Because the IP address, MAC address, ports and operating system type and version are the basic information that an attacker's scanning and probing needs, falsely varying this information is enough to confuse the attacker and achieve the purpose of network security defence. To improve security further, those skilled in the art may add other kinds of configuration information for false responses on top of the above user configuration information, for example vulnerability information for which false responses are given.
Concrete described false response information generating unit 13 is as shown in Figure 2, comprise response IP generation module 21, response Mac generation module 22, echo port generation module 23 and response OS Type and version generation module 24, the response IP generation module 21 therein IP address range according to the carried out false response set in user configuration information, randomly selects a part of IP address and generates the IP address list that can carry out false response;The response Mac generation module 22 therein mac address range according to the carried out false response set in user configuration information, for the Mac address that each IP address stochastic generation of response IP generation module 21 generation is corresponding;Echo port generation module 23 therein carries out the probability of false response according to the port range of carried out false response set in user configuration information and each port, and some ports that each IP address stochastic generation of generating for response IP generation module 21 is corresponding and each port carry out the probability of false response;Response OS Type therein and version generation module 24 scope according to the OS Type of the carried out false response of setting in user configuration information with version, the OS Type corresponding for each IP address stochastic generation of response IP generation module 21 generation and version information;The false response information that last false response information generating unit 13 generates stores in false response information memory cell 12.
False response information memory cell 12 stores a number of false response information records. Each record includes an IP address and the MAC address, ports, and OS type and version corresponding to that IP address. The IP address in each record corresponds to exactly one MAC address, but may correspond to several ports, each of which has its own probability of giving a false response. Different IP addresses have different MAC addresses, but may share the same OS type and version.
False response information dynamic mapping unit 17 dynamically transforms the false response information stored in false response information memory cell 12 according to the user configuration information. Specifically, as shown in Figure 3, it comprises false response information modification module 31 and false response conversion repetition enquiry module 32, which are connected to each other and are both connected to false response information memory cell 12. False response information modification module 31 periodically modifies the false response information stored in false response information memory cell 12 at the dynamic transformation time interval set in the user configuration information. At each modification it randomly generates a number of new false response information records according to the IP address range, the MAC address range, the port range and per-port response probability, and the OS type and version range set for false responses in the user configuration information; the generation method is the same as that used by false response information generating unit 13 above. Each new record includes an IP address and the MAC address, ports, and OS type and version corresponding to that IP address. At the same time, a number of the original records stored in false response information memory cell 12 are randomly deleted.
During the modification, false response conversion repetition enquiry module 32 queries the false response information in false response information memory cell 12 in real time to determine whether it contains duplicate records, for example whether a stored IP address or MAC address is repeated. If a duplicate exists, false response conversion repetition enquiry module 32 sends a deletion/modification signal to false response information modification module 31, which deletes the duplicate record. Because false response information dynamic mapping unit 17 transforms the false response information at the predetermined interval, it is all the more certain that scanning and probing packets cannot obtain any valuable attack information from the response data.
The false response unit is connected to the false response information configuration unit and the log unit. It generates response packets for the request packets that scan and probe the network, and supplies false response information in the generated response packets. When an attacker scans and probes a network, the attacker must send one or more of ARP (Address Resolution Protocol) request packets, ICMP (Internet Control Message Protocol) request packets and TCP SYN request packets (TCP: Transmission Control Protocol; SYN: Synchronous, the handshake signal used when TCP/IP establishes a connection). Therefore, to counter scanning and probing attacks it is enough to give false responses to suspicious ARP request packets, ICMP request packets and TCP SYN request packets; this effectively defends against information probing and penetration attacks on the network, so that the attacker cannot accurately obtain the real information about the intranet topology and hosts. The false response unit of the present invention therefore includes ARP response unit 14, ICMP response unit 15 and port response unit 16, as shown in Figure 1. These three units, one for each of the three packet types, are all connected to false response information memory cell 12; each generates false response packets of its type according to the false response information configured in false response information memory cell 12 and sends the response result to log unit 18 to generate log information.
Specifically, ARP response unit 14 gives false responses to ARP request packets: it constructs an ARP false response packet according to the false response information in false response information memory cell 12 and at the same time sends the response result to log unit 18 to generate log information. The detailed process is as follows. ARP response unit 14 first extracts from the ARP request packet the target IP address whose MAC address is being queried, and looks up the target IP address in false response information memory cell 12. If it is not found, the packet is simply discarded. If it is found, an ARP false response packet is constructed from the false response information record that includes this target IP address, specifically by extracting the target IP address and the MAC address corresponding to it in the false response information. At the same time, the response result is sent to ARP log pattern 41 of log unit 18 to generate log information.
ICMP response unit 15 gives false responses to ICMP request packets: it constructs an ICMP false response packet according to the false response information in false response information memory cell 12 and at the same time sends the response result to log unit 18 to generate log information. The detailed process is as follows. ICMP response unit 15 first extracts the target IP address from the ICMP request packet and looks it up in false response information memory cell 12. If it is not found, the packet is simply discarded. If it is found, an ICMP false response packet is constructed from the false response information record that includes this target IP address, specifically by extracting the target IP address and the MAC address corresponding to it in the false response information. At the same time, the response result is sent to ICMP log pattern 42 of log unit 18 to generate log information.
Port response unit 16 gives false responses to TCP SYN request packets, which request the establishment of a TCP connection: it constructs a TCP SYN+ACK false response packet according to the false response information in false response information memory cell 12 and at the same time sends the response result to log unit 18 to generate log information. Specifically, port response unit 16 first extracts the target IP address and target port from the TCP SYN request packet and looks up the target IP address in false response information memory cell 12. If it is not found, the packet is simply discarded. If it is found, the unit further checks whether the target port is among the ports that correspond to the target IP address in false response information memory cell 12. If it is not, the packet is simply discarded. If the target port is included, a TCP SYN+ACK false response packet is constructed from the false response information record that includes this target IP address and target port, specifically by extracting the target IP address, the target port, and the MAC address and the OS type and version information corresponding to the target IP address in the false response information. At the same time, the response result is sent to port log pattern 43 of log unit 18 to generate log information.
As shown in Figure 4, log unit 18 includes ARP log pattern 41, ICMP log pattern 42 and port log pattern 43, corresponding to the three response units. ICMP log pattern 42 receives the ICMP response results sent by ICMP response unit 15 and generates ICMP false response log information from them; ARP log pattern 41 receives the ARP response results sent by ARP response unit 14 and generates ARP false response log information from them; port log pattern 43 receives the port response results sent by port response unit 16 and generates port false response log information from them. This log information helps the network administrator analyse attack behaviour and adjust the network's security protection policy. For example, analysing the port false response log information collected by port log pattern 43 shows which host ports and host services the attacker has probed, which gives a preliminary indication of the attacker's intent and of the malicious code the attacker is likely to use, and so makes it easier to adopt further security protection policies afterwards.
On the basis of the above false response system, the present invention further proposes a false response method based on dynamic mapping, comprising the following steps:
(1) Generate a number of false response information records according to the preset IP address range for which false responses may be given, the MAC address range for which false responses may be given, the port range for which false responses may be given together with the probability with which each port responds, and the range of OS types and versions for which false responses may be given. Each false response information record includes an IP address and the MAC address, ports, and OS type and version corresponding to that IP address, where the IP address in each record corresponds to one MAC address. Dynamically modify the false response information at the preset interval.
(2) Respond to each type of request packet in the following manner and generate the corresponding false response packet:
(2-1) For an ARP request packet, first extract the target IP address from the ARP request packet and look it up in the false response information generated in step (1). If it is not found, discard the packet. If it is found, construct an ARP false response packet from the false response information record found that includes this target IP address.
(2-2) For an ICMP request packet, first extract the target IP address from the ICMP request packet and look it up in the false response information generated in step (1). If it is not found, discard the packet. If it is found, construct an ICMP false response packet from the false response information record found that includes this target IP address.
(2-3) For a TCP SYN request packet, first extract the target IP address and target port from the TCP SYN request packet and look up the target IP address in the false response information generated in step (1). If it is not found, discard the packet. If it is found, further check whether the target port is among the ports of the false response information record found that includes the target IP address. If it is not, discard the packet. If it is, construct a TCP SYN+ACK false response packet from the false response information record found that includes this target IP address and target port.
(3) Generate log information from the response results for each type of request packet.
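The method in steps (1) to (3), modelled as an added Python example that is not code from the patent. The configuration values, the class and method names, and the choice to apply each port's probability when a record is generated are assumptions; replies are returned as dictionaries rather than built as real packets, and the caller is expected to invoke `transform()` at the configured interval.

```python
import ipaddress
import random
from dataclasses import dataclass

# Constructed user configuration; every value here is an illustrative assumption.
CONFIG = {
    "ip_range": "192.0.2.0/28",                        # decoy IP range (documentation block)
    "mac_prefix": "02:00:5e",                          # locally administered MAC prefix
    "ports": {22: 0.9, 80: 0.8, 445: 0.5, 3389: 0.3},  # port -> probability
    "os_choices": ["Windows Server 2012 R2", "Ubuntu 14.04", "CentOS 7"],
    "record_count": 6,
}


@dataclass
class FalseRecord:
    ip: str
    mac: str
    ports: list
    os: str


class FalseResponseStore:
    """False response information plus the three lookup-based responders."""

    def __init__(self, config, seed=None):
        self.cfg = config
        self.rng = random.Random(seed)
        self.pool = [str(h) for h in ipaddress.ip_network(config["ip_range"]).hosts()]
        self.records = {}   # decoy IP -> FalseRecord
        self.log = []       # (request type, target IP, target port, reply type)
        for ip in self.rng.sample(self.pool, config["record_count"]):
            while not self.insert(self.make(ip)):   # retry only on a MAC collision
                pass

    def make(self, ip):
        """Randomly generate the MAC, ports and OS for one decoy IP."""
        tail = ":".join(f"{self.rng.randrange(256):02x}" for _ in range(3))
        # Assumption: a port's probability decides whether this decoy exposes it.
        ports = [p for p, prob in self.cfg["ports"].items() if self.rng.random() < prob]
        return FalseRecord(ip, f"{self.cfg['mac_prefix']}:{tail}", ports,
                           self.rng.choice(self.cfg["os_choices"]))

    def insert(self, rec):
        """Duplicate query: discard a record whose IP or MAC is already stored."""
        if rec.ip in self.records or any(r.mac == rec.mac for r in self.records.values()):
            return False
        self.records[rec.ip] = rec
        return True

    def transform(self, n_new, n_delete):
        """Dynamic transformation: delete random old records, add random new ones."""
        doomed = self.rng.sample(sorted(self.records), min(n_delete, len(self.records)))
        for ip in doomed:
            del self.records[ip]
        for _ in range(n_new):
            self.insert(self.make(self.rng.choice(self.pool)))

    def respond(self, kind, dst_ip, dst_port=None):
        """Return the false reply for an ARP, ICMP or TCP SYN request, or None to drop."""
        rec = self.records.get(dst_ip)
        if rec is None:
            return None     # target IP not in the false response information: drop
        if kind == "arp":
            reply = {"type": "arp-reply", "ip": rec.ip, "mac": rec.mac}
        elif kind == "icmp":
            reply = {"type": "icmp-reply", "ip": rec.ip, "mac": rec.mac}
        elif kind == "syn" and dst_port in rec.ports:
            reply = {"type": "syn-ack", "ip": rec.ip, "port": dst_port,
                     "mac": rec.mac, "os": rec.os}
        else:
            return None     # port not configured (or unknown request type): drop
        self.log.append((kind, dst_ip, dst_port, reply["type"]))
        return reply


if __name__ == "__main__":
    store = FalseResponseStore(CONFIG, seed=1)
    decoy = next(iter(store.records))
    print(store.respond("arp", decoy))
    print(store.respond("syn", "198.51.100.7", 80))   # not a decoy address: None
    store.transform(n_new=3, n_delete=3)
    print(sorted(store.records))
```

The `log` list is what an administrator would review to see which decoy addresses and ports were probed.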
In this way, the false response system and method of the present invention can return false response packets to suspicious scanning and probing packets, so that an attacker cannot obtain, by scanning and probing, the real information about the network topology and the hosts in the network. When the false response system is applied to a network security protection system, it can therefore completely suppress network penetration attacks. In a network penetration attack, the attacker uses scanning and probing tools to scan the target network frequently, analyses the true response information obtained during scanning to determine the network topology, the intranet architecture and the host system information, then finds the vulnerabilities in them, and finally penetrates step by step and takes control of the network to achieve the purpose of the attack. In a network security system built on the false response system of the present invention, what is returned to the attacker's scanning and probing is falsely configured response information, so however many times the attacker scans, the attacker never obtains the real information about the network topology and the hosts in the network, loses the basis for attacking further, and network security is effectively defended. The network security system innovatively proposed by the present invention is therefore a network security system that includes the aforementioned false response system.
To further improve the protection efficiency of the system, the present invention further proposes, on the basis of the above network security system, a network security system with a packet suspicion pre-check function, as shown in Figure 5. This network security system adds packet pretreatment unit 19 to the above false response system. Packet pretreatment unit 19 is connected to the input of the false response unit, so that request packets must first pass through packet pretreatment unit 19 for a suspicion pre-check. Specifically, packet pretreatment unit 19 judges whether the ARP request packets, ICMP request packets and TCP SYN request packets entering the network are suspicious. Request packets judged to be normal are let through directly and receive no false response processing; suspicious ARP request packets, ICMP request packets and TCP SYN request packets are given false responses in the manner described above.
Preferably, packet pretreatment unit 19 performs the suspicion pre-check using the method, well known in the art, of counting identical requests per unit time. That is, whether an ARP request packet, ICMP request packet or TCP SYN request packet is suspicious is judged from the number of ARP request packets, ICMP request packets or TCP SYN request packets with the same source IP address sent within a time period: if that number exceeds a certain threshold within a certain time period, the request packet is considered suspicious and must be given a false response by the false response unit. Providing packet pretreatment unit 19 saves the false response processing for normal access packets in the network and improves operating efficiency while maintaining security performance; it is a preferred network security defence measure of the present invention.
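The suspicion pre-check performed by packet pretreatment unit 19, as an added Python example that is not part of the patent. The window length, the threshold, the class and function names and the trace are assumptions; requests of all three types are counted together per source IP address.

```python
from collections import defaultdict, deque

WATCHED = {"arp", "icmp", "syn"}   # request types the pre-check inspects


class PacketPrefilter:
    """Flags a source IP whose request count in a sliding window exceeds a threshold."""

    def __init__(self, window_seconds=10.0, threshold=5):
        self.window = window_seconds
        self.threshold = threshold
        self.history = defaultdict(deque)   # source IP -> timestamps of recent requests

    def classify(self, src_ip, kind, now):
        """Return 'false_response' for a suspicious request, 'pass' for a normal one."""
        if kind not in WATCHED:
            return "pass"
        seen = self.history[src_ip]
        seen.append(now)
        while seen and now - seen[0] >= self.window:   # forget requests outside the window
            seen.popleft()
        return "false_response" if len(seen) > self.threshold else "pass"

    def prune(self, now):
        """Drop idle sources so the table does not grow without bound."""
        idle = [s for s, q in self.history.items() if not q or now - q[-1] >= self.window]
        for src in idle:
            del self.history[src]


# Constructed trace of (time in seconds, source IP, request type).
TRACE = (
    [(4.0 * i, "10.0.0.5", "arp") for i in range(10)]             # ordinary workstation
    + [(20.0 + 0.5 * i, "10.0.0.66", "syn") for i in range(12)]   # fast port sweep
    + [(60.0, "10.0.0.66", "icmp")]                               # same host, much later
)


def route(trace, window_seconds=10.0, threshold=5):
    """Replay a trace in time order and return (source, type, decision) per packet."""
    pf = PacketPrefilter(window_seconds, threshold)
    return [(src, kind, pf.classify(src, kind, t)) for t, src, kind in sorted(trace)]


if __name__ == "__main__":
    for src, kind, decision in route(TRACE):
        print(f"{src:10s} {kind:4s} -> {decision}")
```

With these settings the sweep is routed to the false response unit from its sixth packet onward, and the same source is treated as normal again once the window has emptied.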
Second preferred embodiment
The false response system and security system of the second preferred embodiment of the present invention differ from the first preferred embodiment only in that false response information generating unit 13 further includes vulnerability information generation module 25, as shown in Figure 6. Correspondingly, the user configuration information also includes a number of system vulnerability information items for which false responses may be given and the probability with which each vulnerability information item gives a false response. According to these items and probabilities in the user configuration information, vulnerability information generation module 25 randomly generates, for each IP address generated by response IP generation module 21, a number of corresponding vulnerability information items and the probability with which each gives a false response, and stores them in false response information memory cell 12. The false response information built in this embodiment therefore includes vulnerability information in addition to the IP address and the MAC address, ports, and OS type and version corresponding to the IP address, so that the false response packets constructed by the response units further include vulnerability information that confuses attack behaviour more readily. Because most scanning and penetration attacks penetrate and take control of a network by finding the vulnerabilities in the network system, the false response system of this embodiment further improves the quality of the false responses and ensures system security to the greatest extent. In other respects, the structure and working process of the false response system and security system of this embodiment are the same as in the first embodiment and are not described again here. Those skilled in the art may, as required and on the basis of the second embodiment, include still more information in the false response information; this depends on the specific application of the system, but all such variations fall within the technical concept of the present invention.
Third preferred embodiment
The false response system and security system of the third preferred embodiment of the present invention differ from the first or second preferred embodiment only in the way false response information dynamic mapping unit 17 dynamically transforms the false response information. In this embodiment, false response information dynamic mapping unit 17 still comprises false response information modification module 31 and false response conversion repetition enquiry module 32, but the way in which false response information modification module 31 periodically modifies the false response information stored in false response information memory cell 12, at the dynamic transformation time interval set in the user configuration information, differs from the first embodiment. In the third embodiment, the user configuration information includes the interval at which the false response information is dynamically changed and the probability with which each false response information record is modified at each dynamic change. At the dynamic transformation time interval set in the user configuration information, false response information modification module 31 modifies each false response information record according to that record's modification probability; at the same time, false response conversion repetition enquiry module 32 runs a duplicate query on the modified false response information, and duplicate false response information is deleted. In other respects, the structure and working process of the false response system and security system of this embodiment are the same as in the first or second embodiment and are not described again here.
The present invention breaks with the traditional approach of static, passive network defence and proposes a false response system and method based on dynamic mapping. When an attacker scans and probes the network, false responses are given to the scanning and probing packets the attacker sends, so that the attacker cannot obtain the real information about the network topology and the hosts in the network. The false response information comprises a false IP address, a false MAC address, a false OS type and version, and false open ports. The idea of dynamic transformation is also introduced: at set intervals the false response information that has been built is modified. This effectively reduces the determinism, similarity and static nature of the network, especially an intranet, so that the attacker cannot obtain the real information about the intranet topology and the intranet hosts by scanning and probing and cannot accumulate knowledge about the intranet. The attacker's advantage is thereby broken, penetration attacks are blocked at the source, and the security and stability of the network are maintained. The false response system of the present invention is particularly suitable for an intranet (LAN), and has shown very good security protection performance in intranet tests.
The above describes only the preferred embodiments of the present invention, and the technical solution is not limited to them. Any known variation made by those skilled in the art on the basis of the main technical concept of the present invention falls within the technical scope claimed by the present invention; the specific scope of protection of the present invention is defined by the claims.

Claims (10)

1. A false response system based on dynamic mapping, characterized by comprising a false response information configuration unit and a false response unit, the false response information configuration unit being connected to the false response unit, wherein the false response information configuration unit configures dynamically transformed false response information according to user configuration information, the false response information includes at least a false IP address and a false MAC address, and the false response unit constructs false response packets, based on the false response information, for the request packets sent to the false response unit.
2. The false response system according to claim 1, characterized in that the false response information includes a false IP address, a false MAC address corresponding to the false IP address and a false port corresponding to the false IP address, and the request packets include at least one of ARP request packets, ICMP request packets and TCP SYN request packets; for an ARP request packet, the false response unit extracts the target IP address from the ARP request packet and constructs an ARP false response packet from the false response information that includes this target IP address; for an ICMP request packet, the false response unit extracts the target IP address from the ICMP request packet and constructs an ICMP false response packet from the false response information that includes this target IP address; for a TCP SYN request packet, the false response unit extracts the target IP address and target port from the TCP SYN request packet and constructs a TCP SYN+ACK false response packet from the false response information that includes this target IP address and target port.
3. The false response system according to claim 2, characterized in that the false response information configuration unit includes false response information memory cell (12), false response information generating unit (13) and false response information dynamic mapping unit (17); false response information generating unit (13) and false response information dynamic mapping unit (17) are connected to false response information memory cell (12); false response information generating unit (13) generates a number of false response information records according to the user configuration information and stores them in false response information memory cell (12); false response information dynamic mapping unit (17) dynamically transforms the false response information stored in false response information memory cell (12) according to the user configuration information; the false response unit is connected to false response information memory cell (12); and the user configuration information includes the IP address range for which false responses may be given, the MAC address range for which false responses may be given, the port range for which false responses may be given and the probability with which each port gives a false response, the range of OS types and versions for which false responses may be given, and the time interval at which the false response information is dynamically transformed.
4. The false response system according to claim 3, characterized in that false response information generating unit (13) comprises response IP generation module (21), response MAC generation module (22), echo port generation module (23) and response OS type and version generation module (24); response IP generation module (21) randomly selects a portion of the IP addresses in the IP address range set for false responses in the user configuration information and generates the list of IP addresses for which false responses may be given; response MAC generation module (22) randomly generates, according to the MAC address range set for false responses in the user configuration information, a corresponding MAC address for each IP address generated by response IP generation module (21); echo port generation module (23), according to the port range set for false responses in the user configuration information and the probability with which each port gives a false response, randomly generates for each IP address generated by response IP generation module (21) a number of corresponding ports and the probability with which each port gives a false response; and response OS type and version generation module (24) randomly generates, according to the range of OS types and versions set for false responses in the user configuration information, the corresponding OS type and version information for each IP address generated by response IP generation module (21).
5. The false response system according to claim 3 or 4, characterized in that false response information dynamic mapping unit (17) comprises false response information modification module (31) and false response conversion repetition enquiry module (32), both of which are connected to false response information memory cell (12); false response information modification module (31) periodically modifies the false response information stored in false response information memory cell (12) at the time interval set in the user configuration information for dynamically transforming the false response information; false response conversion repetition enquiry module (32) runs a duplicate query on the modified false response information and notifies false response information modification module (31) to delete or modify duplicate false response information; and false response information modification module (31) modifies the false response information in one of the following two ways: first, false response information modification module (31) randomly generates a number of new false response information records according to the user configuration information and at the same time randomly deletes a number of the original false response information records; second, false response information modification module (31) modifies the IP address, MAC address, ports and/or OS type and version in each false response information record according to the modification probability set for each false response information record in the user configuration information.
6. The false response system according to any one of claims 2-5, characterized in that the false response unit includes ARP response unit (14), ICMP response unit (15) and port response unit (16), all of which are connected to the false response information configuration unit; ARP response unit (14) constructs an ARP false response packet as follows: ARP response unit (14) first extracts the target IP address from the ARP request packet and looks it up in the false response information; if it is not found, the ARP request packet is simply discarded; if it is found, the ARP false response packet is constructed by extracting the target IP address and the MAC address corresponding to it in the false response information; ICMP response unit (15) constructs an ICMP false response packet as follows: ICMP response unit (15) first extracts the target IP address from the ICMP request packet and looks it up in the false response information; if it is not found, the ICMP request packet is simply discarded; if it is found, the ICMP false response packet is constructed by extracting the target IP address and the MAC address corresponding to it in the false response information; port response unit (16) constructs a TCP SYN+ACK false response packet as follows: port response unit (16) first extracts the target IP address and target port from the TCP SYN request packet and looks up the target IP address in the false response information; if it is not found, the TCP SYN request packet is simply discarded; if it is found, the unit further checks whether the target port is among the ports of the false response information record found that includes the target IP address; if it is not, the TCP SYN request packet is simply discarded; if it is, the TCP SYN+ACK false response packet is constructed by extracting the target IP address, the target port, the MAC address corresponding to the target IP address in the false response information, and the OS type and version information corresponding to the target IP address in the false response information.
7. The false response system according to any one of claims 2-6, characterized by further comprising log unit (18), which is connected to the false response unit and generates log information from the false response unit's response results for request packets.
8. A false response method based on dynamic variation, characterized in that it comprises the following steps:
(1) Generating a number of pieces of false response information according to a preset range of IP addresses for which false responses can be given, a range of MAC addresses for which false responses can be given, a range of ports for which false responses can be given together with the probability that each port gives a false response, and a range of operating system types and versions for which false responses can be given; each piece of false response information includes a false IP address, the false MAC address corresponding to the false IP address, the false ports corresponding to the false IP address, and the false operating system type and version corresponding to the false IP address; and dynamically modifying the false response information at a preset interval;
(2) Responding to the relevant request packets in the following manner and generating the corresponding false response packets:
(2-1) For an ARP request packet, first extracting the target IP address from the ARP request packet and looking up the target IP address in the false response information generated in step (1); if it is not found, discarding the ARP request packet; if it is found, constructing an ARP false response packet from the false response information that contains this target IP address;
(2-2) For an ICMP request packet, first extracting the target IP address from the ICMP request packet and looking up the target IP address in the false response information generated in step (1); if it is not found, discarding the ICMP request packet; if it is found, constructing an ICMP false response packet from the false response information that contains this target IP address;
(2-3) For a TCP SYN request packet, first extracting the target IP address and target port from the TCP SYN request packet and looking up the target IP address in the false response information generated in step (1); if it is not found, discarding the TCP SYN request packet; if it is found, further checking whether the target port is among the ports of the false response information that contains the target IP address; if it is not, discarding the TCP SYN request packet; if it is, constructing a TCP SYN+ACK false response packet from the false response information that contains this target IP address and target port;
(3) Generating log information according to the response results for each type of request packet.
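The lookup-and-decide logic of claim 8, as an added Python sketch that is not part of the patent text. The class and field names, the `02:00:` locally administered MAC prefix, and returning a symbolic action instead of building a real packet are all assumptions made for illustration.

```python
import random
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class FakeHost:          # one piece of "false response information"
    mac: str
    ports: frozenset
    os: str

class FakeResponseTable:
    def __init__(self, cidr, port_probs, os_choices, seed=None):
        self.cidr, self.port_probs, self.os_choices = cidr, port_probs, os_choices
        self.rng = random.Random(seed)
        self.log = []
        self.regenerate()

    def regenerate(self):
        """Step (1): rebuild every entry; call again at the preset interval."""
        self.hosts = {}
        for addr in ip_network(self.cidr).hosts():
            # Assumption: locally administered unicast MACs (02:...) so that
            # a decoy never collides with a real vendor OUI.
            mac = "02:00:" + ":".join("%02x" % self.rng.randrange(256) for _ in range(4))
            # Each port is opened independently with its configured probability.
            ports = frozenset(p for p, prob in self.port_probs.items()
                              if self.rng.random() < prob)
            self.hosts[str(addr)] = FakeHost(mac, ports, self.rng.choice(self.os_choices))

    def respond(self, kind, dst_ip, dst_port=None):
        """Step (2): decide the reply; step (3): log the outcome."""
        host = self.hosts.get(dst_ip)
        if host is None:
            result = ("DROP", None)                  # target IP not in the table
        elif kind == "ARP":
            result = ("ARP_REPLY", host.mac)         # (2-1)
        elif kind == "ICMP":
            result = ("ICMP_REPLY", host.os)         # (2-2)
        elif kind == "TCP_SYN" and dst_port in host.ports:
            result = ("TCP_SYN_ACK", dst_port)       # (2-3), port is listed
        else:
            result = ("DROP", None)                  # (2-3), port not listed
        self.log.append((kind, dst_ip, dst_port, result[0]))
        return result
```

Calling `regenerate()` from a timer gives the dynamic variation: a scan result collected before the interval expires no longer matches the table afterwards.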
9. A network security system, characterized in that it comprises a packet preprocessing unit (19) and the false response system according to any one of claims 1-7; the packet preprocessing unit (19) is connected to the input of the false response unit in the false response system, and is used to determine whether a request packet is suspicious and to supply suspicious request packets to the false response unit for false response.
10. A network security defense method, characterized in that it comprises the following steps:
(1) Judging whether each request packet accessing the network is suspicious: if the number of request packets with the same source IP address sent within a certain time period exceeds a certain threshold, the request packet is judged to be a suspicious request packet; otherwise it is judged to be a normal request packet;
(2) For request packets judged in step (1) to be suspicious, applying the false response method according to claim 8, giving the suspicious request packets a false response by generating false response packets, and generating log information;
(3) For request packets judged in step (1) to be normal, letting them pass directly.
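The suspicion test of claim 10, step (1), as an added Python sketch that is not part of the patent text. The claim fixes neither the window type nor the values; the per-source sliding window, the class name, the verdict labels and the constructed trace (documentation-range addresses) are assumptions.

```python
from collections import defaultdict, deque

class SuspicionGate:
    """Counts request packets per source IP inside a sliding time window."""
    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self.seen = defaultdict(deque)   # source IP -> timestamps inside the window

    def classify(self, src_ip, now):
        q = self.seen[src_ip]
        q.append(now)
        # Forget packets that have aged out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        # "Exceeds the threshold" means suspicious: hand the packet to the
        # false response method. Otherwise let it through unchanged.
        return "FALSE_RESPONSE" if len(q) > self.threshold else "PASS"

# Constructed trace: (timestamp in seconds, source IP). One source probes
# quickly, the other sends a single request.
TRACE = [
    (0.0, "198.51.100.7"), (0.1, "198.51.100.7"), (0.2, "198.51.100.7"),
    (0.3, "198.51.100.7"), (0.4, "198.51.100.7"), (0.5, "192.0.2.10"),
    (10.0, "198.51.100.7"),
]

def run(trace, threshold=3, window_seconds=2.0):
    gate = SuspicionGate(threshold, window_seconds)
    return [(ip, gate.classify(ip, ts)) for ts, ip in trace]

if __name__ == "__main__":
    for ip, verdict in run(TRACE):
        print(ip, verdict)
```

A source that stays just under the threshold is never diverted, so the threshold and window have to be tuned against the slowest scan rate that needs to be caught.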
CN201610042150.8A 2016-01-22 2016-01-22 Based on dynamic mapping false response system, method and network safety system and method Active CN105721442B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610042150.8A CN105721442B (en) 2016-01-22 2016-01-22 Based on dynamic mapping false response system, method and network safety system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610042150.8A CN105721442B (en) 2016-01-22 2016-01-22 Based on dynamic mapping false response system, method and network safety system and method

Publications (2)

Publication Number Publication Date
CN105721442A true CN105721442A (en) 2016-06-29
CN105721442B CN105721442B (en) 2019-03-22

Family

ID=56155003

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610042150.8A Active CN105721442B (en) 2016-01-22 2016-01-22 Based on dynamic mapping false response system, method and network safety system and method

Country Status (1)

Country Link
CN (1) CN105721442B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101669347A (en) * 2007-04-23 2010-03-10 国际商业机器公司 Method and apparatus for detecting port scans with fake source address
CN104519068A (en) * 2014-12-26 2015-04-15 赵卫伟 Moving target protection method based on operating system fingerprint jumping
CN104883410A (en) * 2015-05-21 2015-09-02 深圳颐和网络科技有限公司 Network transmission method and network transmission device
CN104869120A (en) * 2015-05-22 2015-08-26 中国人民解放军信息工程大学 Active hiding method of router identity characteristic information

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106657053B (en) * 2016-12-19 2019-11-08 中国人民解放军国防信息学院 A kind of network security defence method based on end state transition
CN106657053A (en) * 2016-12-19 2017-05-10 中国人民解放军国防信息学院 Network security defense method based on side state migration
CN107343011A (en) * 2017-09-04 2017-11-10 北京经纬信安科技有限公司 A kind of endogenous intimidation defense equipment based on dynamic object defence
US11570212B2 (en) 2018-03-19 2023-01-31 Huawei Technologies Co., Ltd. Method and apparatus for defending against network attack
WO2019179375A1 (en) * 2018-03-19 2019-09-26 华为技术有限公司 Method and device for defending network attack
CN109347794A (en) * 2018-09-06 2019-02-15 国家电网有限公司 A kind of Web server safety defense method
CN109347881A (en) * 2018-11-30 2019-02-15 东软集团股份有限公司 Network protection method, apparatus, equipment and storage medium based on network cheating
CN109347881B (en) * 2018-11-30 2021-11-23 东软集团股份有限公司 Network protection method, device, equipment and storage medium based on network spoofing
CN109582830A (en) * 2018-12-20 2019-04-05 郑州云海信息技术有限公司 A kind of generation method and device of port list
CN111385236A (en) * 2018-12-27 2020-07-07 北京卫达信息技术有限公司 Dynamic defense system based on network spoofing
CN109995750A (en) * 2019-01-17 2019-07-09 上海谋乐网络科技有限公司 The defence method and electronic equipment of network attack
CN109995750B (en) * 2019-01-17 2021-07-23 上海谋乐网络科技有限公司 Network attack defense method and electronic equipment
CN111835694B (en) * 2019-04-23 2023-04-07 张长河 Network security vulnerability defense system based on dynamic camouflage
CN111835694A (en) * 2019-04-23 2020-10-27 张长河 Network security vulnerability defense system based on dynamic camouflage
CN109951368A (en) * 2019-05-07 2019-06-28 百度在线网络技术(北京)有限公司 Anti-scanning method, device, equipment and the storage medium of controller LAN
CN109951368B (en) * 2019-05-07 2021-07-30 百度在线网络技术(北京)有限公司 Anti-scanning method, device, equipment and storage medium for controller local area network
CN112087413B (en) * 2019-06-14 2023-01-31 张长河 Network attack intelligent dynamic protection and trapping system and method based on active detection
CN112087413A (en) * 2019-06-14 2020-12-15 张长河 Network attack intelligent dynamic protection and trapping system and method based on active detection
CN112688900A (en) * 2019-10-18 2021-04-20 张长河 Local area network safety protection system and method for preventing ARP spoofing and network scanning
CN112688900B (en) * 2019-10-18 2022-10-11 张长河 Local area network safety protection system and method for preventing ARP spoofing and network scanning
CN111131169A (en) * 2019-11-30 2020-05-08 中国人民解放军战略支援部队信息工程大学 Switching network-oriented dynamic ID hiding method
CN111786940A (en) * 2020-05-07 2020-10-16 宁波小遛共享信息科技有限公司 Data processing method and device
CN114244543A (en) * 2020-09-08 2022-03-25 中国移动通信集团河北有限公司 Network security defense method and device, computing equipment and computer storage medium
CN113141347B (en) * 2021-03-16 2022-06-10 中国科学院信息工程研究所 Social work information protection method and device, electronic equipment and storage medium
CN113141347A (en) * 2021-03-16 2021-07-20 中国科学院信息工程研究所 Social work information protection method and device, electronic equipment and storage medium
CN114465795A (en) * 2022-01-27 2022-05-10 杭州默安科技有限公司 Method and system for interfering network scanner
CN114465795B (en) * 2022-01-27 2024-03-29 杭州默安科技有限公司 Method and system for interfering network scanner
CN114500118A (en) * 2022-04-15 2022-05-13 远江盛邦(北京)网络安全科技股份有限公司 Method and device for hiding satellite network topology
CN115314466A (en) * 2022-05-06 2022-11-08 保升(中国)科技实业有限公司 Operation and maintenance perception technology based on IP/E1 network
CN114666300A (en) * 2022-05-20 2022-06-24 杭州海康威视数字技术股份有限公司 Multitask-based bidirectional connection blocking method and device and electronic equipment
CN114666300B (en) * 2022-05-20 2022-09-02 杭州海康威视数字技术股份有限公司 Multitask-based bidirectional connection blocking method and device and electronic equipment

Also Published As

Publication number Publication date
CN105721442B (en) 2019-03-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20170320

Address after: Chaoyang District City, Jiuxianqiao, 100016 Beijing Road No. 14 Building 5 floor room 98112

Applicant after: Beijing Weida Information Technology Co., Ltd.

Address before: 710065 Shaanxi Province, Xi'an Yanta District Jinye road green waters B building room 1902

Applicant before: Geng Tongtong

GR01 Patent grant