CN106899612A - A kind of method of automatic detection personation host A RP deceptions - Google Patents

A kind of method of automatic detection personation host A RP deceptions Download PDF

Info

Publication number
CN106899612A
CN106899612A CN201710213100.6A CN201710213100A CN106899612A CN 106899612 A CN106899612 A CN 106899612A CN 201710213100 A CN201710213100 A CN 201710213100A CN 106899612 A CN106899612 A CN 106899612A
Authority
CN
China
Prior art keywords
arp
mac address
address
record
mac
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710213100.6A
Other languages
Chinese (zh)
Other versions
CN106899612B (en
Inventor
吉杰
蔡伟鸿
翁楚强
姚佑川
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shantou University
Original Assignee
Shantou University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shantou University filed Critical Shantou University
Priority to CN201710213100.6A priority Critical patent/CN106899612B/en
Publication of CN106899612A publication Critical patent/CN106899612A/en
Application granted granted Critical
Publication of CN106899612B publication Critical patent/CN106899612B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/10Mapping addresses of different types
    • H04L61/103Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Abstract

The embodiment of the invention discloses a kind of method of automatic detection personation host A RP deceptions,Including collecting method and ARP cheat detecting methods,Data acquisition program obtains the ARP table of three-layer equipment and is saved in database using snmp protocol self-timing,Detection method includes preliminary screening and is analyzed to identify two stages,Preliminary screening obtains record of the corresponding different IP addresses number of MAC Address more than certain threshold value in database,Then each MAC Address to results of preliminary screening is analyzed confirmation,By white list,Analyze the value of ipNetToMediaType,The technological means such as the distribution and tense Changing Pattern of analyzing IP address,Exclude the network equipment MAC Address such as router in itself,One computer just confirms that it is ARP deceptions after running the special circumstances such as multiple virtual machines.

Description

A kind of method of automatic detection personation host A RP deceptions
Technical field
The present invention relates to network communication technology field, more particularly to the method that a kind of automatic detection personation host A RP is cheated.
Background technology
ARP is the abbreviation of Address Resolution Protocol, both address resolution protocol, and the function of ARP is in IP (Internet Protocol)Dynamic mapping is provided between address and MAC (Media Access Control) address.ARP is assisted The main frame and packet discussed in the original intention hypothesis network of design are all believable, but the fact is far from this way, ARP deceptions are to network Safety causes huge potential safety hazard, and many local network LANs (Local Area Network) are all deeply hurt, some ARP deceptions Virus is caused, and also some are the network attacks of artificial well-designed illegal monitoring and malice personation.
Many methods are taken in order to tackle ARP deception people:It is included in computer and ARP fire walls is installed, in computer Binding MAC-IP address two-way with gateway, network manager detects that ARP is cheated by network packet capturing, is operated after finding ARP deceptions Interchanger closes its port, and DHCP Snooping are enabled in the network equipment(DHCP is monitored)IP Source Guard(IP sources ground Protect location)And DAI(Dynamic ARP checks Dynamic ARP Inspection), analyze the ARP table detection ARP deceptions of router Deng.But the above method has some shortcomings:ARP fire walls are installed on the user computer to be difficult to manage concentratedly, ARP fire walls The not anti-people of the root of fangji, in addition some ARP fire walls with attack come to attack resistance so that bringing harm to whole network;Two-way binding The maintenance workload of MAC-IP is huge, and does not adapt to increasing notebook computer and WiFi environment;By network Packet capturing is only able to detect current occurent ARP deceptions, and the different network segments are monitored in exchange network needs frequent switching end Mouth configures different Port Mirroring, and packet capturing analysis workload is very big and has comparing technology high to want to network manager Ask;Enabling DHCP Snooping, IP Source Guard and DAI has comparing high whole network environment and switch device Requirement, the interchanger of many low and middle-ends(Such as Cisco2960)Do not support, static IP and DHCP are set simultaneously artificial in addition IP Source Guard still need static binding MAC-IP in the network environment deposited;Also have in addition to DAI many other The method for taking precautions against ARP deceptions also all has " invasive ", it is necessary to change procotol, it is necessary to change existing to existing network The network equipment, even if these methods are very perfect in theory to be still difficult to promote in reality;Now with some " Noninvasives " The ARP table by analyzing router detect the method that personation host A RP is cheated, but some do not preserve road in these methods By the ARP table of device to database, other methods are saved in the optimal strategy of database due to not finding MAC-IP and cause Lose historical record or cause systematic function to decline because saving a large amount of repeated datas, and existing method is not due to having Exclude the special circumstances such as MAC Address, the computer of operation multi-dummy machine, the laptop carrying office of gateway and can cause to miss Sentence.
The content of the invention
Embodiment of the present invention technical problem to be solved is, there is provided a kind of automatic detection personation host A RP deceptions Method.The present invention is adaptable to various network environments and the network equipment and will not judge by accident.
In order to solve the above-mentioned technical problem, a kind of automatic detection personation host A RP deceptions be the embodiment of the invention provides Method, including collecting method and ARP cheat detecting methods, the collecting method include each for collecting MAC-IP is recorded, and newest timestamp or inquiry that MAC Address in the original record of database is equal to the MAC Address are inquired about first MAC Address is equal to the maximum self-propagation field number of the MAC Address, then inquires about MAC Address in original record and is equal to the MAC The value of record or inquiry self-propagation field that address and timestamp are equal to newest timestamp is equal to the maximum for inquiring just now The record of self-propagation field number, original note is updated if the record is present and its IP address is equal to the IP address for collecting The timestamp of record is current time, otherwise inserts a new record;The ARP cheat detecting methods are included to MAC Address correspondence Different IP addresses number detected, doubtful ARP deception list is added when it exceedes setting threshold values.
Further, the ARP cheat detecting methods also include being carried out for each doubtful ARP deception of preliminary screening It is analyzed to identify, confirmation process uses exclusive method, by white list, the analysis value of ipNetToMediaType, analyzing IP address At least one mode in the regularity of distribution and tense Changing Pattern, exclude the network equipment such as router MAC Address in itself, one Situations such as computer operation multiple virtual machine, whether ARP is cheated finally to confirm it.
Further, the threshold values span is 2-10, and default value is 3.
Implement the embodiment of the present invention, have the advantages that:The present invention can adapt in various network environments and network Equipment, does not have " invasive " to existing network, can process various complex situations, and avoids producing erroneous judgement, in database both The state-of-the-art record for preserving MAC-IP addresses retains historical variations again, can either meet follow-up preliminary screening, be analyzed to identify inquiry Demand, and because without substantial amounts of repetition record is preserved, the property retention of system is good, and a common server can just be propped up Hold by the thousands of network equipments(Interchanger and router), hundreds thousand of computers composition catenet personation main frame The automatic detection of ARP deceptions.
Brief description of the drawings
Fig. 1 is the structure chart of automatic detection personation host A RP deceptions;
Fig. 2 is the schematic diagram of the partial data dictionary of database;
Fig. 3 is data acquisition program collection ARP table and is saved in the flow chart of database;
Fig. 4 is the flow chart that detection personation host A RP cheats algorithm.
Specific embodiment
To make the object, technical solutions and advantages of the present invention clearer, the present invention is made further below in conjunction with accompanying drawing Describe in detail.
The present invention implements to disclose a kind of method of automatic detection personation host A RP deceptions, topology diagram such as Fig. 1 institutes Show, including collecting method and ARP cheat detecting method two parts, detection method is including preliminary screening and is analyzed to identify.
1. data acquisition program
Data acquisition program obtains three-layer equipment using snmp protocol self-timing(Router, three-tier switch, fire wall etc. It is operated in the equipment of ICP/IP protocol third layer)ARP table and be saved in database, frequency acquisition is less than device A RP tables Expired time(Generally acquiescence is 20 minutes), data may be otherwise lost, it is 10 minutes generally to set sample frequency.
The ARP table of the programmed acquisition network equipment mainly has two ways:SNMP(Simple Network Management Protocol)Agreement and CLI(Command Line Interface)Order line.CLI command row is originally used for man-machine interaction Journey, has many shortcomings for gathering ARP table, and command line mode first is poor to the adaptability of equipment, and the equipment of different manufacturers refers to Make type entirely different, even same equipment needs the command sequence of input to be also not quite similar when software merit rating is different, In addition program command line mode obtains ARP table and needs to perform many steps, including is connected to interchanger(TELNET/SSH), it is defeated Enter account, input password, into configuration mode, the order show ip arp of ARP are checked in execution(The equipment of Cisco)Or Result etc. that disp arp (Huawei's equipment), parsing are returned, needs very multiple turning over particularly when arp entry is more Page operations, flow is complicated and performance is low.
Present invention gathered data by the way of SNMP, the current network equipment all supports snmp protocol, due to collection ARP Table is not related to Proprietary MIB(Management Information Base), the ARP table of the network equipment is gathered by snmp protocol Manufacturer's model and software merit rating with equipment is completely irrelevant.SNMPv2 provides Get-Bulk primitive, can be with the side of batch Formula obtains data, greatly reduces the interaction times of application program and the network equipment, improves performance and simplifies programming.According to The corresponding MIB of original standard RFC1213 ARP tables is ipNetToMediaTable and new standard RFC4293 is IpNetToPhysicalTable, the present invention is illustrated with currently widely used ipNetToMediaTable, one IpNetToMediaTable can include multiple ipNetToMediaEntry( OID:1.3.6.1.2.1.4.22.1), it is each Individual ipNetToMediaEntry includes data below:
1.3.6.1.2.1.4.22.1.1 - ipNetToMediaIfIndex
1.3.6.1.2.1.4.22.1.2 - ipNetToMediaPhysAddress
1.3.6.1.2.1.4.22.1.3 - ipNetToMediaNetAddress
1.3.6.1.2.1.4.22.1.4 –ipNetToMediaType
2. database design
The core of database data dictionary as shown in Fig. 2 equipment Basic Information Table preserve the network equipment Connecting quantity and Unit type, the field such as including IP address, SNMP port numbers, SNMP Community String, the field name of ARP table and Type simply additionally increases the fields such as network appliance IP, timestamp with reference to the title and type of MIB respective items.
3. data acquisition program preserves the algorithm of database
If each the MAC-IP entry write into Databasce for collecting every time, data volume is too big, is with University Of Shantou Example, probably takes out more than 10,000 bar MAC-IP records, it is assumed that sample frequency is ten minutes, and the data volume of a day is just from router every time More than million, but it is all to repeat that these data are most, and use is had no for detection ARP deceptions, can be had a strong impact on the contrary Performance.If only retaining the last ARP data for collecting, although greatly reduce data volume, and may also detect that One situation of MAC correspondence multiples IP of current time, but because not preserving the historical variations rule of MAC-IP, it is difficult to tackle ARP deceptions off and on, cannot also judge certain MAC Address normal IP for using before ARP deceptions are initiated, particularly subsequently Detection algorithm cannot distinguish that a computer runs the complex situations such as multi-dummy machine by the tense Changing Pattern of MAC-IP.
For problem above, way of the invention is that data acquisition program calls database store process, in storing process In realize the service logic that MAC-IP is saved in database:Each MAC-IP entry is judged, data are inquired about first MAC Address is equal to the newest timestamp of the MAC Address in the original record in storehouse(Or inquiry MAC Address is equal to the MAC Address most Big self-propagation field number), then inquire about in original record that MAC is equal to the MAC Address and timestamp is equal to the newest time The record of stamp(Or the value of inquiry self-propagation field is equal to the record of the maximum self-propagation field number for inquiring just now)If, The record is present and its IP address is current time equal to the timestamp that the IP address for collecting then updates original record, otherwise One new record of insertion.The record of a large amount of MAC-IP for repeating neither is preserved so in database, can be preserved again newest MAC-IP entries, and the historical variations situation of MAC-IP entries can be preserved.Algorithm flow chart is as shown in Figure 3.
Preserve MAC-IP to the service logic of database have such the characteristics of:Input, the data volume for exporting are few, but in Between process have an operation flow and the data that are related to are relatively more, for such scene, can be big using storing process The big interaction times and interaction data amount for reducing program and database, realize service logic than in client in storing process Or realize that performance is much better in the application server.
4. the method that detection personation host A RP is cheated
Cleaning Principle is when the ARP for occurring personation main frame in network is cheated, in three-layer equipment(Typically router)ARP Cache table occurs a MAC Address(The MAC Address of ARP trickers)Correspondence multiple IP address(One is the normal IP for using, Other are the IP for palming off other main frame)Situation, but not all MAC correspondences multiple IP is ARP deceptions, is also wanted Exclude various complex situations.Detection method disclosed by the invention includes preliminary screening and is analyzed to identify, shown in flow chart 4.
MAC Address is solidificated on network interface card in theory(Although operating system can also be changed), and ARP deceptions MAC Address will not typically be changed because ARP deception purpose be in order to intercept with it is counterfeit, frequently change MAC Address it is not intentional Justice, even if there is the ARP deceptions for changing MAC and IP simultaneously in theory(Be there's almost no in reality), it is also possible to connect by limitation The MAC Address number for entering switch ports themselves is easily prevented, so the ARP of detection personation main frame is cheated from a MAC ground Location correspondence multiple IP address is started with rather than opposite.
Because the ARP table of router is saved in database by data acquisition program, as long as a SQL statement(Utilize Group by and having clause)A situation for MAC Address correspondence multiple different IP addresses can just be filtered out.Here Need to set a threshold value(Between 2-10, default value takes 3 to threshold value value), when the corresponding IP numbers of MAC Address are more than this Individual threshold value just carries out next step judgement, and the feelings such as notebook computer and the normal switching of IP address are used this eliminates cross-network segment Condition, then each MAC Address to preliminary screening be analyzed confirmation.
The network equipment such as router MAC Address in itself first occurs during for multiple IP address, these IP ground Location is exactly gateway address, because a MAC Address of router needs to carry out multiple network segments(Or subnet)Between number According to forwarding.There are various processing methods for the MAC Address of the network equipments such as router:The first is manually to be listed in white name Single, second is automatic identification.Automatic identification has two methods:Value and analyzing IP address according to ipNetToMediaType The regularity of distribution and tense Changing Pattern.The router MAC-IP of its own is static, is not by ARP protocol dynamic learning , it is 4 that ipNetToMediaType values are shown as in MIB, if not carrying out static MAC-IP bindings in router, according to The value of ipNetToMediaType is it may determine that go out router MAC-IP in itself.Even if having carried out static MAC- in router IP binds, it is impossible to go out the MAC Address of router by ipNetToMediaType automatic decisions, it is also possible to by analyzing IP address The regularity of distribution and tense Changing Pattern, the MAC and ARP of router deception are distinguished.One MAC Address pair of router The behavior pattern and general ARP deceptions for answering multiple IP address have dramatically different, because ARP deceptions are unable to cross-network segment, if these It is ARP deceptions that IP adheres to the different network segments separately and can just exclude, and automatic distinguishing is difficult to not for the network environment of some subnet divisions Same subnet, can be judged according to the tense Changing Pattern of IP address, and determination methods and following judgements run multi-dummy machine Computer it is the same.
If certain computer is mounted with software virtual machine(Such as VMware, Hyper-V etc.), virtual network operates in bridge Pattern is connect, and runs multiple virtual machines and a situation of MAC Address correspondence multiple IP just occurs, reason is software virtual machine Multiple Microsoft Loopback Adapters are simulated, these Microsoft Loopback Adapters also will read and write data from physical network card, thus be not fee from multiple IP , with a physics MAC, with the popularization of virtualization, such case can be more and more, it is necessary to distinguished for correspondence.
In general a common computer only runs one or two virtual machine, and this feelings have been eliminated by setting threshold value Condition, for only a few extreme case, can be distinguished by by the tense Changing Pattern of analyzing IP address.Operation multi-dummy machine Although one MAC of computer can correspond to multiple IP, corresponding relation is very regular, when some moment MAC correspondence Multiple difference IP, next moment often still corresponds to these IP, the right of multiple MAC-IP is shown as in the ARP table of database Should be related to that circulation occurs.The MAC-IP of multi-dummy machine is changed over time slowly, when only increasing, deleting virtual machine, shutdown Between just occur more than arp aging time, and real ARP deceptions, not only MAC correspondences IP numbers are very more(More than 10), and MAC-IP tense change be it is frequent and rambling, just can be with significant difference by the tense Changing Pattern of IP address.
The invention has the advantages that:
1st, can adapt to, in various network environments and the network equipment, there is no existing network " invasive ".
Technological means:Using snmp protocol timing acquiring router ARP table and be saved in database, by analyzing MAC- The corresponding relation of IP address palms off the ARP deceptions of main frame to detect.
2nd, the state-of-the-art record of MAC-IP addresses had not only been preserved in database but also had retained historical variations, can either met follow-up Preliminary screening, be analyzed to identify query demand, and database do not preserve it is substantial amounts of repeat to record, the performance of system very well, one The common server of platform can be just supported by the thousands of network equipments(Interchanger and router), hundreds thousand of computers compositions The automatic detection of the personation host A RP deceptions of catenet.
Technological means:Data acquisition program calls database store process, storing process to realize MAC-IP and be saved in number According to the service logic in storehouse:Each MAC-IP entry is judged, MAC Address in the original record of database is inquired about first and is equal to The newest timestamp of the MAC Address(Or inquiry MAC Address is equal to the maximum self-propagation field number of the MAC Address), so The record that MAC in original record is equal to newest timestamp equal to the MAC Address and timestamp is inquired about afterwards(Or inquiry self-propagation The value of field is equal to the record of the maximum self-propagation field number for inquiring just now)If the record is present and its IP address It is current time equal to the timestamp that the IP address for collecting then updates original record, otherwise inserts a new record.
3rd, various complex situations can be processed, erroneous judgement will not be produced
Technological means:The ARP deceptions of detection personation main frame are divided into preliminary screening and are analyzed to identify two steps, preliminary screening assay The corresponding different IP addresses number of one MAC Address eliminates notebook computer more than the record of certain threshold value by setting threshold value The normal conditions such as cross-network segment is used, IP address switching.Step is analyzed to identify to pass through white list, analyze ipNetToMediaType's The modes such as value, the regularity of distribution of analyzing IP address and tense Changing Pattern, exclude the network equipments such as router MAC ground in itself Location, a computer run the complex situations such as multiple virtual machines.
Above disclosed is only a kind of preferred embodiment of the invention, can not limit the power of the present invention with this certainly Sharp scope, therefore the equivalent variations made according to the claims in the present invention, still belong to the scope that the present invention is covered.

Claims (3)

1. a kind of method that automatic detection personation host A RP is cheated, it is characterised in that cheated including collecting method and ARP Detection method, the collecting method includes each MAC-IP records for collecting, and database is inquired about first original In record MAC Address be equal to the MAC Address newest timestamp or inquiry MAC Address be equal to the MAC Address it is maximum from Increase field number, then inquire about that MAC Address in original record is equal to the MAC Address and timestamp is equal to newest timestamp The value of record or inquiry self-propagation field is equal to the record of the maximum self-propagation field number for inquiring just now, if the record In the presence of and its IP address be equal to the IP address that collects then to update the timestamp of original record be current time, otherwise insert one Bar new record;The ARP cheat detecting methods include detecting the corresponding different IP addresses number of each MAC Address, when it Doubtful ARP deceptions list is added during more than setting threshold values.
2. the method that automatic detection personation host A RP according to claim 1 is cheated, it is characterised in that the ARP deceptions Detection method also includes being analyzed confirmation for each doubtful ARP deception of preliminary screening, and confirmation process uses exclusive method, By in white list, the analysis value of ipNetToMediaType, the regularity of distribution of analyzing IP address and tense Changing Pattern extremely A kind of few mode, it is final to confirm situations such as exclude the network equipment MAC Address in itself, computer operation multiple virtual machines Whether ARP is cheated for it.
3. the method that automatic detection personation host A RP according to claim 2 is cheated, it is characterised in that the threshold values takes Value scope is 2-10.
CN201710213100.6A 2017-04-01 2017-04-01 Method for automatically detecting ARP spoofing of fake host Active CN106899612B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710213100.6A CN106899612B (en) 2017-04-01 2017-04-01 Method for automatically detecting ARP spoofing of fake host

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710213100.6A CN106899612B (en) 2017-04-01 2017-04-01 Method for automatically detecting ARP spoofing of fake host

Publications (2)

Publication Number Publication Date
CN106899612A true CN106899612A (en) 2017-06-27
CN106899612B CN106899612B (en) 2020-01-24

Family

ID=59192723

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710213100.6A Active CN106899612B (en) 2017-04-01 2017-04-01 Method for automatically detecting ARP spoofing of fake host

Country Status (1)

Country Link
CN (1) CN106899612B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107294989A (en) * 2017-07-04 2017-10-24 杭州迪普科技股份有限公司 A kind of method and device of anti-ARP gateways deception
CN110380975A (en) * 2019-07-08 2019-10-25 重庆城市管理职业学院 A kind of router based on wireless security strategy
CN110661799A (en) * 2019-09-24 2020-01-07 北京安信天行科技有限公司 ARP (Address resolution protocol) deception behavior detection method and system
CN110912928A (en) * 2019-12-11 2020-03-24 百度在线网络技术(北京)有限公司 Firewall implementation method and device and electronic equipment
CN112491888A (en) * 2020-11-27 2021-03-12 深圳万物安全科技有限公司 Method and system for preventing equipment from being falsely used
CN113132385A (en) * 2021-04-20 2021-07-16 广州锦行网络科技有限公司 Method and device for preventing gateway ARP spoofing
CN116880319A (en) * 2023-08-04 2023-10-13 浙江齐安信息科技有限公司 Method, system, terminal and medium for identifying upper computer in industrial control system

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101282244A (en) * 2008-05-09 2008-10-08 浙江大学 Method for detecting instruction based on SPM
CN101494562A (en) * 2009-03-18 2009-07-29 杭州华三通信技术有限公司 Maintenance method for terminal list item of network equipment and network equipment
CN103051597A (en) * 2011-10-14 2013-04-17 国家纳米技术与工程研究院 Method for realizing address resolution protocol (ARP) deception detection on switch
CN103856435A (en) * 2012-11-28 2014-06-11 中兴通讯股份有限公司 Address resolution protocol cache and caching method
CN103957171A (en) * 2014-05-20 2014-07-30 刘建兵 Access control method and system based on physical interface and MAC addresses of intelligent exchanger
US20150326526A1 (en) * 2013-01-24 2015-11-12 Hangzhou H3C Technologies Co., Ltd. Keeping a terminal access location record alive
US20160248727A1 (en) * 2015-02-23 2016-08-25 Renesas Electronics Corporation Delivery control device, data delivery system, delivery control method, and non-transitory computer readable medium storing delivery control program
CN105939332A (en) * 2016-03-03 2016-09-14 杭州迪普科技有限公司 Method and device for preventing ARP attack message
CN106027491A (en) * 2016-04-29 2016-10-12 天津赞普科技股份有限公司 Independent link type communication processing method and system based on isolated IP (Internet Protocol) address
CN106209837A (en) * 2016-07-08 2016-12-07 珠海市魅族科技有限公司 ARP cheat detecting method and system

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101282244A (en) * 2008-05-09 2008-10-08 浙江大学 Method for detecting instruction based on SPM
CN101494562A (en) * 2009-03-18 2009-07-29 杭州华三通信技术有限公司 Maintenance method for terminal list item of network equipment and network equipment
CN103051597A (en) * 2011-10-14 2013-04-17 国家纳米技术与工程研究院 Method for realizing address resolution protocol (ARP) deception detection on switch
CN103856435A (en) * 2012-11-28 2014-06-11 中兴通讯股份有限公司 Address resolution protocol cache and caching method
US20150326526A1 (en) * 2013-01-24 2015-11-12 Hangzhou H3C Technologies Co., Ltd. Keeping a terminal access location record alive
CN103957171A (en) * 2014-05-20 2014-07-30 刘建兵 Access control method and system based on physical interface and MAC addresses of intelligent exchanger
US20160248727A1 (en) * 2015-02-23 2016-08-25 Renesas Electronics Corporation Delivery control device, data delivery system, delivery control method, and non-transitory computer readable medium storing delivery control program
CN105939332A (en) * 2016-03-03 2016-09-14 杭州迪普科技有限公司 Method and device for preventing ARP attack message
CN106027491A (en) * 2016-04-29 2016-10-12 天津赞普科技股份有限公司 Independent link type communication processing method and system based on isolated IP (Internet Protocol) address
CN106209837A (en) * 2016-07-08 2016-12-07 珠海市魅族科技有限公司 ARP cheat detecting method and system

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107294989A (en) * 2017-07-04 2017-10-24 杭州迪普科技股份有限公司 A kind of method and device of anti-ARP gateways deception
CN107294989B (en) * 2017-07-04 2020-02-11 杭州迪普科技股份有限公司 Method and device for preventing ARP gateway spoofing
CN110380975A (en) * 2019-07-08 2019-10-25 重庆城市管理职业学院 A kind of router based on wireless security strategy
CN110661799A (en) * 2019-09-24 2020-01-07 北京安信天行科技有限公司 ARP (Address resolution protocol) deception behavior detection method and system
CN110912928A (en) * 2019-12-11 2020-03-24 百度在线网络技术(北京)有限公司 Firewall implementation method and device and electronic equipment
CN110912928B (en) * 2019-12-11 2022-01-28 百度在线网络技术(北京)有限公司 Firewall implementation method and device and electronic equipment
CN112491888A (en) * 2020-11-27 2021-03-12 深圳万物安全科技有限公司 Method and system for preventing equipment from being falsely used
CN113132385A (en) * 2021-04-20 2021-07-16 广州锦行网络科技有限公司 Method and device for preventing gateway ARP spoofing
CN116880319A (en) * 2023-08-04 2023-10-13 浙江齐安信息科技有限公司 Method, system, terminal and medium for identifying upper computer in industrial control system
CN116880319B (en) * 2023-08-04 2024-04-09 浙江齐安信息科技有限公司 Method, system, terminal and medium for identifying upper computer in industrial control system

Also Published As

Publication number Publication date
CN106899612B (en) 2020-01-24

Similar Documents

Publication Publication Date Title
CN106899612A (en) A kind of method of automatic detection personation host A RP deceptions
CN110168499B (en) Executing context-rich attribute-based services on a host
US9137118B2 (en) Management server and management method
US7051369B1 (en) System for monitoring network for cracker attack
US8200798B2 (en) Address security in a routed access network
US7710898B2 (en) Method and apparatus for automatic verification of a zone configuration of a plurality of network switches
US8144618B2 (en) Method and apparatus for automatic verification of a zone configuration and network access control construct for a plurality of network switches
US8595339B2 (en) Network management apparatus and method
US8799466B2 (en) Method and apparatus for automatic verification of a network access control construct for a network switch
EP3905622A1 (en) Botnet detection method and system, and storage medium
US20080196103A1 (en) Method for analyzing abnormal network behaviors and isolating computer virus attacks
CN108206792B (en) Topological structure discovery method and device of switch
CN107222462A (en) A kind of LAN internals attack being automatically positioned of source, partition method
JP5613237B2 (en) Identification of idle network devices
WO2020118377A1 (en) Apparatus and process for monitoring network behaviour of internet-of-things (iot) devices
US7409445B2 (en) Method for facilitating monitoring and simultaneously analyzing of network events of multiple hosts via a single network interface
AU2016262640A1 (en) Node de-duplication in a network monitoring system
CN103957171B (en) Connection control method and system based on intelligent exchange physical port and MAC Address
CN108540387A (en) Method for network access control and device
US7733800B2 (en) Method and mechanism for identifying an unmanaged switch in a network
KR100825257B1 (en) Detail processing method of abnormal traffic data
CN110995738B (en) Violent cracking behavior identification method and device, electronic equipment and readable storage medium
CN107295020A (en) A kind of processing method and processing device of attack of address resolution protocol
CN112448847B (en) Method and device for determining network asset location information
CN106657087B (en) Method for realizing industrial firewall dynamically tracked by Ethernet/Ip protocol

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant