CN106899612A - A kind of method of automatic detection personation host A RP deceptions - Google Patents
A kind of method of automatic detection personation host A RP deceptions Download PDFInfo
- Publication number
- CN106899612A CN106899612A CN201710213100.6A CN201710213100A CN106899612A CN 106899612 A CN106899612 A CN 106899612A CN 201710213100 A CN201710213100 A CN 201710213100A CN 106899612 A CN106899612 A CN 106899612A
- Authority
- CN
- China
- Prior art keywords
- arp
- mac address
- address
- record
- mac
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
Abstract
The embodiment of the invention discloses a kind of method of automatic detection personation host A RP deceptions,Including collecting method and ARP cheat detecting methods,Data acquisition program obtains the ARP table of three-layer equipment and is saved in database using snmp protocol self-timing,Detection method includes preliminary screening and is analyzed to identify two stages,Preliminary screening obtains record of the corresponding different IP addresses number of MAC Address more than certain threshold value in database,Then each MAC Address to results of preliminary screening is analyzed confirmation,By white list,Analyze the value of ipNetToMediaType,The technological means such as the distribution and tense Changing Pattern of analyzing IP address,Exclude the network equipment MAC Address such as router in itself,One computer just confirms that it is ARP deceptions after running the special circumstances such as multiple virtual machines.
Description
Technical field
The present invention relates to network communication technology field, more particularly to the method that a kind of automatic detection personation host A RP is cheated.
Background technology
ARP is the abbreviation of Address Resolution Protocol, both address resolution protocol, and the function of ARP is in IP
(Internet Protocol)Dynamic mapping is provided between address and MAC (Media Access Control) address.ARP is assisted
The main frame and packet discussed in the original intention hypothesis network of design are all believable, but the fact is far from this way, ARP deceptions are to network
Safety causes huge potential safety hazard, and many local network LANs (Local Area Network) are all deeply hurt, some ARP deceptions
Virus is caused, and also some are the network attacks of artificial well-designed illegal monitoring and malice personation.
Many methods are taken in order to tackle ARP deception people:It is included in computer and ARP fire walls is installed, in computer
Binding MAC-IP address two-way with gateway, network manager detects that ARP is cheated by network packet capturing, is operated after finding ARP deceptions
Interchanger closes its port, and DHCP Snooping are enabled in the network equipment(DHCP is monitored)IP Source Guard(IP sources ground
Protect location)And DAI(Dynamic ARP checks Dynamic ARP Inspection), analyze the ARP table detection ARP deceptions of router
Deng.But the above method has some shortcomings:ARP fire walls are installed on the user computer to be difficult to manage concentratedly, ARP fire walls
The not anti-people of the root of fangji, in addition some ARP fire walls with attack come to attack resistance so that bringing harm to whole network;Two-way binding
The maintenance workload of MAC-IP is huge, and does not adapt to increasing notebook computer and WiFi environment;By network
Packet capturing is only able to detect current occurent ARP deceptions, and the different network segments are monitored in exchange network needs frequent switching end
Mouth configures different Port Mirroring, and packet capturing analysis workload is very big and has comparing technology high to want to network manager
Ask;Enabling DHCP Snooping, IP Source Guard and DAI has comparing high whole network environment and switch device
Requirement, the interchanger of many low and middle-ends(Such as Cisco2960)Do not support, static IP and DHCP are set simultaneously artificial in addition
IP Source Guard still need static binding MAC-IP in the network environment deposited;Also have in addition to DAI many other
The method for taking precautions against ARP deceptions also all has " invasive ", it is necessary to change procotol, it is necessary to change existing to existing network
The network equipment, even if these methods are very perfect in theory to be still difficult to promote in reality;Now with some " Noninvasives "
The ARP table by analyzing router detect the method that personation host A RP is cheated, but some do not preserve road in these methods
By the ARP table of device to database, other methods are saved in the optimal strategy of database due to not finding MAC-IP and cause
Lose historical record or cause systematic function to decline because saving a large amount of repeated datas, and existing method is not due to having
Exclude the special circumstances such as MAC Address, the computer of operation multi-dummy machine, the laptop carrying office of gateway and can cause to miss
Sentence.
The content of the invention
Embodiment of the present invention technical problem to be solved is, there is provided a kind of automatic detection personation host A RP deceptions
Method.The present invention is adaptable to various network environments and the network equipment and will not judge by accident.
In order to solve the above-mentioned technical problem, a kind of automatic detection personation host A RP deceptions be the embodiment of the invention provides
Method, including collecting method and ARP cheat detecting methods, the collecting method include each for collecting
MAC-IP is recorded, and newest timestamp or inquiry that MAC Address in the original record of database is equal to the MAC Address are inquired about first
MAC Address is equal to the maximum self-propagation field number of the MAC Address, then inquires about MAC Address in original record and is equal to the MAC
The value of record or inquiry self-propagation field that address and timestamp are equal to newest timestamp is equal to the maximum for inquiring just now
The record of self-propagation field number, original note is updated if the record is present and its IP address is equal to the IP address for collecting
The timestamp of record is current time, otherwise inserts a new record;The ARP cheat detecting methods are included to MAC Address correspondence
Different IP addresses number detected, doubtful ARP deception list is added when it exceedes setting threshold values.
Further, the ARP cheat detecting methods also include being carried out for each doubtful ARP deception of preliminary screening
It is analyzed to identify, confirmation process uses exclusive method, by white list, the analysis value of ipNetToMediaType, analyzing IP address
At least one mode in the regularity of distribution and tense Changing Pattern, exclude the network equipment such as router MAC Address in itself, one
Situations such as computer operation multiple virtual machine, whether ARP is cheated finally to confirm it.
Further, the threshold values span is 2-10, and default value is 3.
Implement the embodiment of the present invention, have the advantages that:The present invention can adapt in various network environments and network
Equipment, does not have " invasive " to existing network, can process various complex situations, and avoids producing erroneous judgement, in database both
The state-of-the-art record for preserving MAC-IP addresses retains historical variations again, can either meet follow-up preliminary screening, be analyzed to identify inquiry
Demand, and because without substantial amounts of repetition record is preserved, the property retention of system is good, and a common server can just be propped up
Hold by the thousands of network equipments(Interchanger and router), hundreds thousand of computers composition catenet personation main frame
The automatic detection of ARP deceptions.
Brief description of the drawings
Fig. 1 is the structure chart of automatic detection personation host A RP deceptions;
Fig. 2 is the schematic diagram of the partial data dictionary of database;
Fig. 3 is data acquisition program collection ARP table and is saved in the flow chart of database;
Fig. 4 is the flow chart that detection personation host A RP cheats algorithm.
Specific embodiment
To make the object, technical solutions and advantages of the present invention clearer, the present invention is made further below in conjunction with accompanying drawing
Describe in detail.
The present invention implements to disclose a kind of method of automatic detection personation host A RP deceptions, topology diagram such as Fig. 1 institutes
Show, including collecting method and ARP cheat detecting method two parts, detection method is including preliminary screening and is analyzed to identify.
1. data acquisition program
Data acquisition program obtains three-layer equipment using snmp protocol self-timing(Router, three-tier switch, fire wall etc.
It is operated in the equipment of ICP/IP protocol third layer)ARP table and be saved in database, frequency acquisition is less than device A RP tables
Expired time(Generally acquiescence is 20 minutes), data may be otherwise lost, it is 10 minutes generally to set sample frequency.
The ARP table of the programmed acquisition network equipment mainly has two ways:SNMP(Simple Network Management
Protocol)Agreement and CLI(Command Line Interface)Order line.CLI command row is originally used for man-machine interaction
Journey, has many shortcomings for gathering ARP table, and command line mode first is poor to the adaptability of equipment, and the equipment of different manufacturers refers to
Make type entirely different, even same equipment needs the command sequence of input to be also not quite similar when software merit rating is different,
In addition program command line mode obtains ARP table and needs to perform many steps, including is connected to interchanger(TELNET/SSH), it is defeated
Enter account, input password, into configuration mode, the order show ip arp of ARP are checked in execution(The equipment of Cisco)Or
Result etc. that disp arp (Huawei's equipment), parsing are returned, needs very multiple turning over particularly when arp entry is more
Page operations, flow is complicated and performance is low.
Present invention gathered data by the way of SNMP, the current network equipment all supports snmp protocol, due to collection ARP
Table is not related to Proprietary MIB(Management Information Base), the ARP table of the network equipment is gathered by snmp protocol
Manufacturer's model and software merit rating with equipment is completely irrelevant.SNMPv2 provides Get-Bulk primitive, can be with the side of batch
Formula obtains data, greatly reduces the interaction times of application program and the network equipment, improves performance and simplifies programming.According to
The corresponding MIB of original standard RFC1213 ARP tables is ipNetToMediaTable and new standard RFC4293 is
IpNetToPhysicalTable, the present invention is illustrated with currently widely used ipNetToMediaTable, one
IpNetToMediaTable can include multiple ipNetToMediaEntry( OID:1.3.6.1.2.1.4.22.1), it is each
Individual ipNetToMediaEntry includes data below:
1.3.6.1.2.1.4.22.1.1 - ipNetToMediaIfIndex
1.3.6.1.2.1.4.22.1.2 - ipNetToMediaPhysAddress
1.3.6.1.2.1.4.22.1.3 - ipNetToMediaNetAddress
1.3.6.1.2.1.4.22.1.4 –ipNetToMediaType
2. database design
The core of database data dictionary as shown in Fig. 2 equipment Basic Information Table preserve the network equipment Connecting quantity and
Unit type, the field such as including IP address, SNMP port numbers, SNMP Community String, the field name of ARP table and
Type simply additionally increases the fields such as network appliance IP, timestamp with reference to the title and type of MIB respective items.
3. data acquisition program preserves the algorithm of database
If each the MAC-IP entry write into Databasce for collecting every time, data volume is too big, is with University Of Shantou
Example, probably takes out more than 10,000 bar MAC-IP records, it is assumed that sample frequency is ten minutes, and the data volume of a day is just from router every time
More than million, but it is all to repeat that these data are most, and use is had no for detection ARP deceptions, can be had a strong impact on the contrary
Performance.If only retaining the last ARP data for collecting, although greatly reduce data volume, and may also detect that
One situation of MAC correspondence multiples IP of current time, but because not preserving the historical variations rule of MAC-IP, it is difficult to tackle
ARP deceptions off and on, cannot also judge certain MAC Address normal IP for using before ARP deceptions are initiated, particularly subsequently
Detection algorithm cannot distinguish that a computer runs the complex situations such as multi-dummy machine by the tense Changing Pattern of MAC-IP.
For problem above, way of the invention is that data acquisition program calls database store process, in storing process
In realize the service logic that MAC-IP is saved in database:Each MAC-IP entry is judged, data are inquired about first
MAC Address is equal to the newest timestamp of the MAC Address in the original record in storehouse(Or inquiry MAC Address is equal to the MAC Address most
Big self-propagation field number), then inquire about in original record that MAC is equal to the MAC Address and timestamp is equal to the newest time
The record of stamp(Or the value of inquiry self-propagation field is equal to the record of the maximum self-propagation field number for inquiring just now)If,
The record is present and its IP address is current time equal to the timestamp that the IP address for collecting then updates original record, otherwise
One new record of insertion.The record of a large amount of MAC-IP for repeating neither is preserved so in database, can be preserved again newest
MAC-IP entries, and the historical variations situation of MAC-IP entries can be preserved.Algorithm flow chart is as shown in Figure 3.
Preserve MAC-IP to the service logic of database have such the characteristics of:Input, the data volume for exporting are few, but in
Between process have an operation flow and the data that are related to are relatively more, for such scene, can be big using storing process
The big interaction times and interaction data amount for reducing program and database, realize service logic than in client in storing process
Or realize that performance is much better in the application server.
4. the method that detection personation host A RP is cheated
Cleaning Principle is when the ARP for occurring personation main frame in network is cheated, in three-layer equipment(Typically router)ARP
Cache table occurs a MAC Address(The MAC Address of ARP trickers)Correspondence multiple IP address(One is the normal IP for using,
Other are the IP for palming off other main frame)Situation, but not all MAC correspondences multiple IP is ARP deceptions, is also wanted
Exclude various complex situations.Detection method disclosed by the invention includes preliminary screening and is analyzed to identify, shown in flow chart 4.
MAC Address is solidificated on network interface card in theory(Although operating system can also be changed), and ARP deceptions
MAC Address will not typically be changed because ARP deception purpose be in order to intercept with it is counterfeit, frequently change MAC Address it is not intentional
Justice, even if there is the ARP deceptions for changing MAC and IP simultaneously in theory(Be there's almost no in reality), it is also possible to connect by limitation
The MAC Address number for entering switch ports themselves is easily prevented, so the ARP of detection personation main frame is cheated from a MAC ground
Location correspondence multiple IP address is started with rather than opposite.
Because the ARP table of router is saved in database by data acquisition program, as long as a SQL statement(Utilize
Group by and having clause)A situation for MAC Address correspondence multiple different IP addresses can just be filtered out.Here
Need to set a threshold value(Between 2-10, default value takes 3 to threshold value value), when the corresponding IP numbers of MAC Address are more than this
Individual threshold value just carries out next step judgement, and the feelings such as notebook computer and the normal switching of IP address are used this eliminates cross-network segment
Condition, then each MAC Address to preliminary screening be analyzed confirmation.
The network equipment such as router MAC Address in itself first occurs during for multiple IP address, these IP ground
Location is exactly gateway address, because a MAC Address of router needs to carry out multiple network segments(Or subnet)Between number
According to forwarding.There are various processing methods for the MAC Address of the network equipments such as router:The first is manually to be listed in white name
Single, second is automatic identification.Automatic identification has two methods:Value and analyzing IP address according to ipNetToMediaType
The regularity of distribution and tense Changing Pattern.The router MAC-IP of its own is static, is not by ARP protocol dynamic learning
, it is 4 that ipNetToMediaType values are shown as in MIB, if not carrying out static MAC-IP bindings in router, according to
The value of ipNetToMediaType is it may determine that go out router MAC-IP in itself.Even if having carried out static MAC- in router
IP binds, it is impossible to go out the MAC Address of router by ipNetToMediaType automatic decisions, it is also possible to by analyzing IP address
The regularity of distribution and tense Changing Pattern, the MAC and ARP of router deception are distinguished.One MAC Address pair of router
The behavior pattern and general ARP deceptions for answering multiple IP address have dramatically different, because ARP deceptions are unable to cross-network segment, if these
It is ARP deceptions that IP adheres to the different network segments separately and can just exclude, and automatic distinguishing is difficult to not for the network environment of some subnet divisions
Same subnet, can be judged according to the tense Changing Pattern of IP address, and determination methods and following judgements run multi-dummy machine
Computer it is the same.
If certain computer is mounted with software virtual machine(Such as VMware, Hyper-V etc.), virtual network operates in bridge
Pattern is connect, and runs multiple virtual machines and a situation of MAC Address correspondence multiple IP just occurs, reason is software virtual machine
Multiple Microsoft Loopback Adapters are simulated, these Microsoft Loopback Adapters also will read and write data from physical network card, thus be not fee from multiple IP
, with a physics MAC, with the popularization of virtualization, such case can be more and more, it is necessary to distinguished for correspondence.
In general a common computer only runs one or two virtual machine, and this feelings have been eliminated by setting threshold value
Condition, for only a few extreme case, can be distinguished by by the tense Changing Pattern of analyzing IP address.Operation multi-dummy machine
Although one MAC of computer can correspond to multiple IP, corresponding relation is very regular, when some moment MAC correspondence
Multiple difference IP, next moment often still corresponds to these IP, the right of multiple MAC-IP is shown as in the ARP table of database
Should be related to that circulation occurs.The MAC-IP of multi-dummy machine is changed over time slowly, when only increasing, deleting virtual machine, shutdown
Between just occur more than arp aging time, and real ARP deceptions, not only MAC correspondences IP numbers are very more(More than 10), and
MAC-IP tense change be it is frequent and rambling, just can be with significant difference by the tense Changing Pattern of IP address.
The invention has the advantages that:
1st, can adapt to, in various network environments and the network equipment, there is no existing network " invasive ".
Technological means:Using snmp protocol timing acquiring router ARP table and be saved in database, by analyzing MAC-
The corresponding relation of IP address palms off the ARP deceptions of main frame to detect.
2nd, the state-of-the-art record of MAC-IP addresses had not only been preserved in database but also had retained historical variations, can either met follow-up
Preliminary screening, be analyzed to identify query demand, and database do not preserve it is substantial amounts of repeat to record, the performance of system very well, one
The common server of platform can be just supported by the thousands of network equipments(Interchanger and router), hundreds thousand of computers compositions
The automatic detection of the personation host A RP deceptions of catenet.
Technological means:Data acquisition program calls database store process, storing process to realize MAC-IP and be saved in number
According to the service logic in storehouse:Each MAC-IP entry is judged, MAC Address in the original record of database is inquired about first and is equal to
The newest timestamp of the MAC Address(Or inquiry MAC Address is equal to the maximum self-propagation field number of the MAC Address), so
The record that MAC in original record is equal to newest timestamp equal to the MAC Address and timestamp is inquired about afterwards(Or inquiry self-propagation
The value of field is equal to the record of the maximum self-propagation field number for inquiring just now)If the record is present and its IP address
It is current time equal to the timestamp that the IP address for collecting then updates original record, otherwise inserts a new record.
3rd, various complex situations can be processed, erroneous judgement will not be produced
Technological means:The ARP deceptions of detection personation main frame are divided into preliminary screening and are analyzed to identify two steps, preliminary screening assay
The corresponding different IP addresses number of one MAC Address eliminates notebook computer more than the record of certain threshold value by setting threshold value
The normal conditions such as cross-network segment is used, IP address switching.Step is analyzed to identify to pass through white list, analyze ipNetToMediaType's
The modes such as value, the regularity of distribution of analyzing IP address and tense Changing Pattern, exclude the network equipments such as router MAC ground in itself
Location, a computer run the complex situations such as multiple virtual machines.
Above disclosed is only a kind of preferred embodiment of the invention, can not limit the power of the present invention with this certainly
Sharp scope, therefore the equivalent variations made according to the claims in the present invention, still belong to the scope that the present invention is covered.
Claims (3)
1. a kind of method that automatic detection personation host A RP is cheated, it is characterised in that cheated including collecting method and ARP
Detection method, the collecting method includes each MAC-IP records for collecting, and database is inquired about first original
In record MAC Address be equal to the MAC Address newest timestamp or inquiry MAC Address be equal to the MAC Address it is maximum from
Increase field number, then inquire about that MAC Address in original record is equal to the MAC Address and timestamp is equal to newest timestamp
The value of record or inquiry self-propagation field is equal to the record of the maximum self-propagation field number for inquiring just now, if the record
In the presence of and its IP address be equal to the IP address that collects then to update the timestamp of original record be current time, otherwise insert one
Bar new record;The ARP cheat detecting methods include detecting the corresponding different IP addresses number of each MAC Address, when it
Doubtful ARP deceptions list is added during more than setting threshold values.
2. the method that automatic detection personation host A RP according to claim 1 is cheated, it is characterised in that the ARP deceptions
Detection method also includes being analyzed confirmation for each doubtful ARP deception of preliminary screening, and confirmation process uses exclusive method,
By in white list, the analysis value of ipNetToMediaType, the regularity of distribution of analyzing IP address and tense Changing Pattern extremely
A kind of few mode, it is final to confirm situations such as exclude the network equipment MAC Address in itself, computer operation multiple virtual machines
Whether ARP is cheated for it.
3. the method that automatic detection personation host A RP according to claim 2 is cheated, it is characterised in that the threshold values takes
Value scope is 2-10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710213100.6A CN106899612B (en) | 2017-04-01 | 2017-04-01 | Method for automatically detecting ARP spoofing of fake host |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710213100.6A CN106899612B (en) | 2017-04-01 | 2017-04-01 | Method for automatically detecting ARP spoofing of fake host |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106899612A true CN106899612A (en) | 2017-06-27 |
CN106899612B CN106899612B (en) | 2020-01-24 |
Family
ID=59192723
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710213100.6A Active CN106899612B (en) | 2017-04-01 | 2017-04-01 | Method for automatically detecting ARP spoofing of fake host |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106899612B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107294989A (en) * | 2017-07-04 | 2017-10-24 | 杭州迪普科技股份有限公司 | A kind of method and device of anti-ARP gateways deception |
CN110380975A (en) * | 2019-07-08 | 2019-10-25 | 重庆城市管理职业学院 | A kind of router based on wireless security strategy |
CN110661799A (en) * | 2019-09-24 | 2020-01-07 | 北京安信天行科技有限公司 | ARP (Address resolution protocol) deception behavior detection method and system |
CN110912928A (en) * | 2019-12-11 | 2020-03-24 | 百度在线网络技术(北京)有限公司 | Firewall implementation method and device and electronic equipment |
CN112491888A (en) * | 2020-11-27 | 2021-03-12 | 深圳万物安全科技有限公司 | Method and system for preventing equipment from being falsely used |
CN113132385A (en) * | 2021-04-20 | 2021-07-16 | 广州锦行网络科技有限公司 | Method and device for preventing gateway ARP spoofing |
CN116880319A (en) * | 2023-08-04 | 2023-10-13 | 浙江齐安信息科技有限公司 | Method, system, terminal and medium for identifying upper computer in industrial control system |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101282244A (en) * | 2008-05-09 | 2008-10-08 | 浙江大学 | Method for detecting instruction based on SPM |
CN101494562A (en) * | 2009-03-18 | 2009-07-29 | 杭州华三通信技术有限公司 | Maintenance method for terminal list item of network equipment and network equipment |
CN103051597A (en) * | 2011-10-14 | 2013-04-17 | 国家纳米技术与工程研究院 | Method for realizing address resolution protocol (ARP) deception detection on switch |
CN103856435A (en) * | 2012-11-28 | 2014-06-11 | 中兴通讯股份有限公司 | Address resolution protocol cache and caching method |
CN103957171A (en) * | 2014-05-20 | 2014-07-30 | 刘建兵 | Access control method and system based on physical interface and MAC addresses of intelligent exchanger |
US20150326526A1 (en) * | 2013-01-24 | 2015-11-12 | Hangzhou H3C Technologies Co., Ltd. | Keeping a terminal access location record alive |
US20160248727A1 (en) * | 2015-02-23 | 2016-08-25 | Renesas Electronics Corporation | Delivery control device, data delivery system, delivery control method, and non-transitory computer readable medium storing delivery control program |
CN105939332A (en) * | 2016-03-03 | 2016-09-14 | 杭州迪普科技有限公司 | Method and device for preventing ARP attack message |
CN106027491A (en) * | 2016-04-29 | 2016-10-12 | 天津赞普科技股份有限公司 | Independent link type communication processing method and system based on isolated IP (Internet Protocol) address |
CN106209837A (en) * | 2016-07-08 | 2016-12-07 | 珠海市魅族科技有限公司 | ARP cheat detecting method and system |
-
2017
- 2017-04-01 CN CN201710213100.6A patent/CN106899612B/en active Active
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101282244A (en) * | 2008-05-09 | 2008-10-08 | 浙江大学 | Method for detecting instruction based on SPM |
CN101494562A (en) * | 2009-03-18 | 2009-07-29 | 杭州华三通信技术有限公司 | Maintenance method for terminal list item of network equipment and network equipment |
CN103051597A (en) * | 2011-10-14 | 2013-04-17 | 国家纳米技术与工程研究院 | Method for realizing address resolution protocol (ARP) deception detection on switch |
CN103856435A (en) * | 2012-11-28 | 2014-06-11 | 中兴通讯股份有限公司 | Address resolution protocol cache and caching method |
US20150326526A1 (en) * | 2013-01-24 | 2015-11-12 | Hangzhou H3C Technologies Co., Ltd. | Keeping a terminal access location record alive |
CN103957171A (en) * | 2014-05-20 | 2014-07-30 | 刘建兵 | Access control method and system based on physical interface and MAC addresses of intelligent exchanger |
US20160248727A1 (en) * | 2015-02-23 | 2016-08-25 | Renesas Electronics Corporation | Delivery control device, data delivery system, delivery control method, and non-transitory computer readable medium storing delivery control program |
CN105939332A (en) * | 2016-03-03 | 2016-09-14 | 杭州迪普科技有限公司 | Method and device for preventing ARP attack message |
CN106027491A (en) * | 2016-04-29 | 2016-10-12 | 天津赞普科技股份有限公司 | Independent link type communication processing method and system based on isolated IP (Internet Protocol) address |
CN106209837A (en) * | 2016-07-08 | 2016-12-07 | 珠海市魅族科技有限公司 | ARP cheat detecting method and system |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107294989A (en) * | 2017-07-04 | 2017-10-24 | 杭州迪普科技股份有限公司 | A kind of method and device of anti-ARP gateways deception |
CN107294989B (en) * | 2017-07-04 | 2020-02-11 | 杭州迪普科技股份有限公司 | Method and device for preventing ARP gateway spoofing |
CN110380975A (en) * | 2019-07-08 | 2019-10-25 | 重庆城市管理职业学院 | A kind of router based on wireless security strategy |
CN110661799A (en) * | 2019-09-24 | 2020-01-07 | 北京安信天行科技有限公司 | ARP (Address resolution protocol) deception behavior detection method and system |
CN110912928A (en) * | 2019-12-11 | 2020-03-24 | 百度在线网络技术(北京)有限公司 | Firewall implementation method and device and electronic equipment |
CN110912928B (en) * | 2019-12-11 | 2022-01-28 | 百度在线网络技术(北京)有限公司 | Firewall implementation method and device and electronic equipment |
CN112491888A (en) * | 2020-11-27 | 2021-03-12 | 深圳万物安全科技有限公司 | Method and system for preventing equipment from being falsely used |
CN113132385A (en) * | 2021-04-20 | 2021-07-16 | 广州锦行网络科技有限公司 | Method and device for preventing gateway ARP spoofing |
CN116880319A (en) * | 2023-08-04 | 2023-10-13 | 浙江齐安信息科技有限公司 | Method, system, terminal and medium for identifying upper computer in industrial control system |
CN116880319B (en) * | 2023-08-04 | 2024-04-09 | 浙江齐安信息科技有限公司 | Method, system, terminal and medium for identifying upper computer in industrial control system |
Also Published As
Publication number | Publication date |
---|---|
CN106899612B (en) | 2020-01-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106899612A (en) | A kind of method of automatic detection personation host A RP deceptions | |
CN110168499B (en) | Executing context-rich attribute-based services on a host | |
US9137118B2 (en) | Management server and management method | |
US7051369B1 (en) | System for monitoring network for cracker attack | |
US8200798B2 (en) | Address security in a routed access network | |
US7710898B2 (en) | Method and apparatus for automatic verification of a zone configuration of a plurality of network switches | |
US8144618B2 (en) | Method and apparatus for automatic verification of a zone configuration and network access control construct for a plurality of network switches | |
US8595339B2 (en) | Network management apparatus and method | |
US8799466B2 (en) | Method and apparatus for automatic verification of a network access control construct for a network switch | |
EP3905622A1 (en) | Botnet detection method and system, and storage medium | |
US20080196103A1 (en) | Method for analyzing abnormal network behaviors and isolating computer virus attacks | |
CN108206792B (en) | Topological structure discovery method and device of switch | |
CN107222462A (en) | A kind of LAN internals attack being automatically positioned of source, partition method | |
JP5613237B2 (en) | Identification of idle network devices | |
WO2020118377A1 (en) | Apparatus and process for monitoring network behaviour of internet-of-things (iot) devices | |
US7409445B2 (en) | Method for facilitating monitoring and simultaneously analyzing of network events of multiple hosts via a single network interface | |
AU2016262640A1 (en) | Node de-duplication in a network monitoring system | |
CN103957171B (en) | Connection control method and system based on intelligent exchange physical port and MAC Address | |
CN108540387A (en) | Method for network access control and device | |
US7733800B2 (en) | Method and mechanism for identifying an unmanaged switch in a network | |
KR100825257B1 (en) | Detail processing method of abnormal traffic data | |
CN110995738B (en) | Violent cracking behavior identification method and device, electronic equipment and readable storage medium | |
CN107295020A (en) | A kind of processing method and processing device of attack of address resolution protocol | |
CN112448847B (en) | Method and device for determining network asset location information | |
CN106657087B (en) | Method for realizing industrial firewall dynamically tracked by Ethernet/Ip protocol |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |