CN106899612B - Method for automatically detecting ARP spoofing of fake host - Google Patents

Publication number: CN106899612B
Authority: CN (China)
Application number: CN201710213100.6A
Other languages: Chinese (zh)
Other versions: CN106899612A (en)
Inventors: 吉杰, 蔡伟鸿, 翁楚强, 姚佑川
Current assignee: Shantou University
Original assignee: Shantou University
Legal status: Active
Prior art keywords: arp, arp spoofing, mac, address, record

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Abstract

The embodiment of the invention discloses a method for automatically detecting ARP spoofing by a fake host. It comprises a data acquisition method and an ARP spoofing detection method. A data acquisition program uses SNMP to collect the ARP tables of layer-3 devices automatically at regular intervals and stores them in a database. Detection has two stages: primary screening, and analysis and confirmation. Primary screening selects the records in the database in which the number of different IP addresses corresponding to one MAC address is greater than a certain threshold. Each MAC address in the screening result is then analyzed and confirmed: special cases such as the MAC addresses of network devices like routers, and one computer running several virtual machines, are excluded by means of a white list, analysis of the ipNetToMediaType value, and analysis of the distribution range and temporal change pattern of the IP addresses, after which ARP spoofing is confirmed.

Description

Method for automatically detecting ARP spoofing of fake host
Technical Field
The invention relates to the technical field of network communication, in particular to a method for automatically detecting ARP spoofing of a fake host.
Background
ARP is short for Address Resolution Protocol; its function is to provide dynamic mapping between IP (Internet Protocol) addresses and MAC (Media Access Control) addresses. The original design of ARP assumes that the hosts and packets on the network are trusted, which is far from true. ARP spoofing poses a huge risk to network security and many local area networks (LANs) suffer badly from it; some ARP spoofing is caused by viruses, and some is deliberately designed network attack for illegal interception and malicious impersonation.
Many approaches have been taken to combat ARP spoofing: installing an ARP firewall on each computer; binding MAC-IP addresses bidirectionally on the computer and the gateway; having a network administrator detect ARP spoofing by capturing network packets and then shutting the offending switch port; enabling DHCP Snooping, IP Source Guard (IP source address protection) and DAI (Dynamic ARP Inspection) on network devices; and analyzing the router's ARP table to detect ARP spoofing. All of these have drawbacks. ARP firewalls are installed on user computers and are hard to manage centrally; each one works in isolation, and some even answer attacks with attacks of their own, which harms the whole network. Bidirectional MAC-IP binding carries a huge maintenance workload and cannot adapt to the growing number of notebook computers and WiFi environments. Packet capture detects only ARP spoofing that is happening at that moment; in a switched network, monitoring different segments means frequently moving between ports or configuring different port mirrors, the analysis workload is large, and it places high technical demands on the network administrator. DHCP Snooping, IP Source Guard and DAI place high requirements on the whole network environment and on the switches: many mid-range and low-end switches (such as Cisco 2960) do not support DHCP Snooping, and in a network where manually set static IPs coexist with DHCP, IP Source Guard still needs static MAC-IP bindings. Like DAI, many other methods for preventing ARP spoofing are "intrusive" to the existing network: they require changing network protocols or existing network devices, so even a theoretically perfect method is hard to roll out in practice. Some "non-invasive" methods that detect fake-host ARP spoofing by analyzing router ARP tables already exist, but some of them do not store the router ARP tables in a database; others, lacking a good strategy for storing MAC-IP records in the database, either lose the history or degrade system performance by storing a large amount of repeated data; and the existing methods misjudge because they do not exclude special cases such as gateway MAC addresses, computers running multiple virtual machines, and notebook computers used for mobile working.
Disclosure of Invention
The technical problem to be solved by the embodiments of the present invention is to provide a method for automatically detecting ARP spoofing by a fake host. The invention adapts to various network environments and network devices without misjudgment.
To solve the above technical problem, an embodiment of the invention provides a method for automatically detecting fake-host ARP spoofing, comprising a data acquisition method and an ARP spoofing detection method. For each acquired MAC-IP record, the data acquisition method first queries the existing database records for the latest timestamp among records with the same MAC address (or for the largest auto-increment field number among records with that MAC address). It then fetches the existing record with that MAC address and that latest timestamp (or the record whose auto-increment field equals the number just found). If that record exists and its IP address equals the acquired IP address, the record's timestamp is updated to the current time; otherwise a new record is inserted. The ARP spoofing detection method counts the different IP addresses corresponding to each MAC address and adds the MAC address to a suspected ARP spoofing list when the count exceeds a set threshold.
Further, the ARP spoofing detection method also comprises analyzing and confirming each suspected ARP spoofing found by the primary screening. Confirmation works by elimination: the MAC addresses of network devices such as routers, one computer running several virtual machines, and similar cases are excluded by at least one of a white list, analysis of the ipNetToMediaType value, analysis of the IP address distribution pattern, and analysis of the temporal change pattern, to finally confirm whether ARP spoofing is present.
Furthermore, the threshold ranges from 2 to 10, and the default value is 3.
The embodiment of the invention has the following beneficial effects: the invention suits various network environments and network devices, does not intrude on the existing network, and can handle various complex cases without misjudgment. The database keeps both the latest record of each MAC-IP address and its historical changes, which meets the later needs of primary screening, analysis, confirmation and query. Because a large number of repeated records is not stored, the system keeps good performance, and one ordinary server can support automatic detection of ARP spoofing for a large network consisting of thousands of network devices (switches and routers) and hundreds of thousands of computers.
Drawings
FIG. 1 is a block diagram of automatic detection of spoofed host ARP spoofing;
FIG. 2 is a schematic diagram of a partial data dictionary of a database;
FIG. 3 is a flow chart of a data collection program collecting ARP tables and saving them to a database;
FIG. 4 is a flow chart of an algorithm for detecting spoofed host ARP spoofing.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings.
The embodiment of the invention discloses a method for automatically detecting ARP spoofing of a fake host, a topological structure diagram is shown in figure 1, the method comprises a data acquisition method and an ARP spoofing detection method, and the detection method comprises primary screening and analysis and confirmation.
1. Data acquisition program
The data acquisition program uses SNMP to collect, automatically and at regular intervals, the ARP table of layer-3 devices (devices working at the third layer of the TCP/IP protocol, such as routers, layer-3 switches and firewalls) and stores it in a database. The collection interval must be shorter than the expiration time of the device's ARP table (usually 20 minutes by default), otherwise data may be lost; the sampling interval is usually set to 10 minutes.
A program can collect the ARP table of a network device in two main ways: SNMP (Simple Network Management Protocol) and the CLI (Command Line Interface). The CLI was designed for human-machine interaction and has many drawbacks for collecting ARP tables. First, it adapts poorly across devices: the command sets of different manufacturers are completely different, and even the same device needs a different command sequence when its software configuration differs. In addition, obtaining the ARP table through the command line takes many steps: connecting to the switch (TELNET/SSH), entering the account, entering the password, entering configuration mode, executing the command show ip arp (Cisco devices) or disp arp, parsing the returned result, and so on. When there are many ARP entries, the output must be paged through many times, so the flow is complex and performance is low.
The invention collects data through SNMP. Current network devices support SNMP, and because collecting the ARP table involves no private MIB (Management Information Base), collection is completely independent of the device's manufacturer, model and software configuration. SNMPv2 provides the Get-Bulk primitive, which retrieves data in batches, greatly reducing the number of interactions between the application and the network device, improving performance and simplifying programming. The MIB object corresponding to the ARP table is ipNetToMediaTable in the original standard RFC 1213 and ipNetToPhysicalTable in the newer standard RFC 4293; the invention is explained using the currently common ipNetToMediaTable. One ipNetToMediaTable can contain multiple ipNetToMediaEntry rows (OID: 1.3.6.1.2.1.4.22.1), each of which includes the following data items:
1.3.6.1.2.1.4.22.1.1 - ipNetToMediaIfIndex
1.3.6.1.2.1.4.22.1.2 - ipNetToMediaPhysAddress
1.3.6.1.2.1.4.22.1.3 - ipNetToMediaNetAddress
1.3.6.1.2.1.4.22.1.4 - ipNetToMediaType
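An added example, not part of the patent: turning a walk of the four ipNetToMediaEntry columns into MAC-IP records ready for storage. The sample lines are constructed and assumed to follow net-snmp's numeric output style; the function names are hypothetical.

```python
import re
from collections import defaultdict

ENTRY_OID = "1.3.6.1.2.1.4.22.1"  # ipNetToMediaEntry, as listed above
TYPE_NAMES = {1: "other", 2: "invalid", 3: "dynamic", 4: "static"}  # RFC 1213

# Constructed sample (assumption: net-snmp numeric output style).
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.22.1.1.3.10.0.1.1 = INTEGER: 3
.1.3.6.1.2.1.4.22.1.1.3.10.0.1.23 = INTEGER: 3
.1.3.6.1.2.1.4.22.1.2.3.10.0.1.1 = Hex-STRING: 00 1B 54 AA 00 01
.1.3.6.1.2.1.4.22.1.2.3.10.0.1.23 = Hex-STRING: 3C 97 0E 12 34 56
.1.3.6.1.2.1.4.22.1.2.3.10.0.1.77 = Hex-STRING: 3C 97 0E 00 00 77
.1.3.6.1.2.1.4.22.1.2.7.10.0.2.9 = Hex-STRING: 3C 97 0E 12 34
.1.3.6.1.2.1.4.22.1.3.3.10.0.1.1 = IpAddress: 10.0.1.1
.1.3.6.1.2.1.4.22.1.3.3.10.0.1.23 = IpAddress: 10.0.1.23
.1.3.6.1.2.1.4.22.1.4.3.10.0.1.1 = INTEGER: static(4)
.1.3.6.1.2.1.4.22.1.4.3.10.0.1.23 = INTEGER: 3
.1.3.6.1.2.1.4.22.1.4.3.10.0.1.77 = INTEGER: invalid(2)
"""

# Each instance is <entry>.<column>.<ifIndex>.<a.b.c.d>: the table is indexed
# by ipNetToMediaIfIndex and ipNetToMediaNetAddress, so the interface index
# and the IP address can be read from the OID itself.
LINE_RE = re.compile(
    r"^\.?" + re.escape(ENTRY_OID)
    + r"\.(\d+)\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\s*=\s*[\w-]+:\s*(.*)$"
)


def parse_mac(value):
    """Return aa:bb:cc:dd:ee:ff, or None if the value is not six hex octets."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return None
    return ":".join(f"{b:02x}" for b in raw) if len(raw) == 6 else None


def parse_walk(text):
    """Group varbinds by (ifIndex, IP) and return one dict per usable ARP entry."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        column, key, value = int(m[1]), (int(m[2]), m[3]), m[4].strip()
        if column == 2:                      # ipNetToMediaPhysAddress
            mac = parse_mac(value)
            if mac:
                rows[key]["mac"] = mac
        elif column == 4:                    # ipNetToMediaType, "3" or "dynamic(3)"
            num = re.search(r"\d+", value)
            if num:
                rows[key]["type"] = int(num.group())
    records = []
    for (if_index, ip), row in rows.items():
        # Skip entries without a usable MAC and entries marked invalid(2).
        if "mac" not in row or row.get("type") == 2:
            continue
        records.append({"if_index": if_index, "ip": ip,
                        "mac": row["mac"], "type": row.get("type")})
    return records


if __name__ == "__main__":
    for rec in parse_walk(SAMPLE_WALK):
        print(rec["mac"], rec["ip"], TYPE_NAMES.get(rec["type"], "unknown"))
```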
2. Database design
As shown in FIG. 2, the core part of the database data dictionary includes a basic information table, which stores the connection parameters and device model of each network device, with fields such as IP address, SNMP port number and SNMP community string, and an ARP table, whose field names and types follow the names and types of the corresponding items in the MIB, with additional fields such as the network device's IP and a timestamp.
3. Data acquisition program database saving algorithm
If every acquired MAC-IP entry were written into the database, the data volume would be too large. Taking Shantou University as an example, more than ten thousand MAC-IP records are read from the router each time; with a sampling interval of ten minutes, the data volume in one day runs into the millions. Most of this data is repeated, so it is of no use for detecting ARP spoofing and can seriously affect performance. If only the most recently collected ARP data were kept, the data volume would be greatly reduced and the case of one MAC corresponding to several IPs at the current moment could still be detected. However, because the historical changes of MAC-IP are not stored, that approach copes poorly with intermittent ARP spoofing, cannot determine which IP a MAC address normally used before it started ARP spoofing, and in particular leaves the later detection algorithm unable to use the temporal change pattern of MAC-IP to distinguish complex cases such as one computer running several virtual machines.
To address these problems, in the method of the invention the data acquisition program calls a database stored procedure, and the stored procedure implements the business logic of saving MAC-IP to the database. For each MAC-IP entry, it first queries the existing database records for the latest timestamp among records with the same MAC address (or for the largest auto-increment field number of that MAC address). It then fetches the existing record with that MAC address and that latest timestamp (or the record whose auto-increment field equals the number just found). If that record exists and its IP address equals the acquired IP address, the record's timestamp is updated to the current time; otherwise a new record is inserted. In this way the database avoids storing a large number of repeated MAC-IP records while still keeping the latest MAC-IP entries and their historical changes. The algorithm flow chart is shown in FIG. 3.
The business logic of saving MAC-IP to the database has the following characteristics: the input and output data volumes are very small, but the intermediate process has a business flow and touches more data. For such a scenario, a stored procedure greatly reduces the number of interactions and the volume of data exchanged between the program and the database, and implementing the business logic in a stored procedure is much better than implementing it in the client or the application server.
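An added example, not the patent's stored procedure: the same save rule written in Python against an in-memory SQLite database, using the auto-increment variant. The table layout, function names and sample polls are assumptions constructed for illustration.

```python
import sqlite3

# Assumed layout: MIB-like columns plus the collecting device's IP and a timestamp.
SCHEMA = """
CREATE TABLE arp (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,  -- auto-increment field
    device_ip TEXT    NOT NULL,                   -- layer-3 device polled
    mac       TEXT    NOT NULL,
    ip        TEXT    NOT NULL,
    type      INTEGER NOT NULL,                   -- ipNetToMediaType
    ts        INTEGER NOT NULL                    -- last time this pair was seen
);
CREATE INDEX arp_mac_id ON arp (mac, id);
"""

HOST = "3c:97:0e:12:34:56"      # constructed: ordinary host that changes IP once
VM_HOST = "00:50:56:aa:bb:cc"   # constructed: one MAC holding two IPs at once


def save_entry(db, device_ip, mac, ip, mtype, now):
    """Apply the save rule to one collected entry; return 'updated' or 'inserted'."""
    # Latest record for this MAC. MAX(id) is used rather than MAX(ts) because
    # two rows written in the same poll share a timestamp but never an id.
    latest = db.execute(
        "SELECT id, ip FROM arp WHERE id = (SELECT MAX(id) FROM arp WHERE mac = ?)",
        (mac,),
    ).fetchone()
    if latest is not None and latest[1] == ip:
        db.execute("UPDATE arp SET ts = ? WHERE id = ?", (now, latest[0]))
        return "updated"
    db.execute(
        "INSERT INTO arp (device_ip, mac, ip, type, ts) VALUES (?, ?, ?, ?, ?)",
        (device_ip, mac, ip, mtype, now),
    )
    return "inserted"


def save_poll(db, device_ip, entries, now):
    """Store one collected ARP table in a single transaction and count outcomes."""
    counts = {"inserted": 0, "updated": 0}
    with db:
        for mac, ip, mtype in entries:
            counts[save_entry(db, device_ip, mac, ip, mtype, now)] += 1
    return counts


def demo():
    """Three polls ten minutes apart; returns per-poll counts and the stored history."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    vms = [(VM_HOST, "10.0.1.40", 3), (VM_HOST, "10.0.1.41", 3)]
    polls = [
        (600, [(HOST, "10.0.1.23", 3)] + vms),
        (1200, [(HOST, "10.0.1.23", 3)] + vms),   # HOST unchanged: timestamp update
        (1800, [(HOST, "10.0.1.99", 3)] + vms),   # HOST changed IP: new history row
    ]
    counts = [save_poll(db, "10.0.0.254", entries, now) for now, entries in polls]
    history = db.execute("SELECT mac, ip, ts FROM arp ORDER BY id").fetchall()
    return counts, history


if __name__ == "__main__":
    counts, history = demo()
    print(counts)
    for row in history:
        print(row)
```

A MAC that holds several IPs at once never matches its own latest record, so it adds rows on every poll; those repeating rows are the cyclic pattern that the confirmation stage examines.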
4. Method for detecting fake host ARP spoofing
The detection principle is that when fake-host ARP spoofing occurs in a network, the ARP cache table of a layer-3 device (usually a router) shows one MAC address (the MAC address of the ARP spoofer) corresponding to multiple IP addresses (one is the IP it normally uses, the others are the IPs of other hosts that it impersonates). However, not every case of one MAC corresponding to multiple IPs is ARP spoofing, and various complex cases need to be excluded. The detection method of the invention comprises primary screening and analysis and confirmation; the flow chart is shown in FIG. 4.
In theory the MAC address is fixed on the network card (although it can also be modified through the operating system), and ARP spoofing generally does not change the MAC address: its purpose is interception and impersonation, so changing the MAC address frequently is pointless. Even if ARP spoofing that changes MAC and IP at the same time exists in theory (in reality it almost never occurs), it can easily be prevented by limiting the number of MAC addresses allowed on a switch port. Detection of fake-host ARP spoofing therefore starts from one MAC address corresponding to multiple IP addresses, and not the reverse.
Because the data acquisition program stores the router's ARP table in the database, a single SQL statement (using the GROUP BY and HAVING clauses) can screen out the cases where one MAC address corresponds to several different IP addresses. A threshold must be set (its value is between 2 and 10, and the default is 3); further judgment is carried out only when the number of IPs corresponding to one MAC address is larger than the threshold, which excludes cases such as a notebook computer used across network segments and normal switching of IP addresses. Each MAC address from the primary screening is then analyzed and confirmed.
First, the MAC address of a network device such as a router may itself correspond to several IP addresses, which are gateway addresses, because one MAC address of the router has to forward data between several network segments (or subnets). The MAC addresses of network devices such as routers can be handled in several ways: the first is a manual white list and the second is automatic identification. There are two methods of automatic identification: by the value of ipNetToMediaType, and by analyzing the distribution pattern and temporal change pattern of the IP addresses. The router's own MAC-IP is static rather than learned dynamically through ARP, and its ipNetToMediaType value in the MIB is 4; if no static MAC-IP binding has been configured on the router, the router's own MAC-IP can be identified from the ipNetToMediaType value. Even if static MAC-IP binding has been configured on the router, so that its MAC address cannot be identified automatically through ipNetToMediaType, the router's MAC can still be told apart from ARP spoofing by analyzing the distribution pattern and temporal change pattern of the IP addresses. The behavior of one router MAC address corresponding to several IP addresses is clearly different from ordinary ARP spoofing: ARP spoofing cannot cross network segments, so if the IPs belong to different network segments, ARP spoofing can be excluded. In network environments divided into subnets where the different subnets cannot be distinguished automatically, the judgment can be made from the temporal change pattern of the IP addresses, using the same method as described below for a computer running several virtual machines.
If a computer has virtual machine software installed (such as VMware or Hyper-V), its virtual network operates in bridge mode and it runs several virtual machines, then one MAC address will correspond to several IPs. The virtual machine software simulates several virtual network cards, which must read and write data through the physical network card, so several IPs corresponding to the same physical MAC is unavoidable. With the spread of virtualization this case is increasingly common and must be distinguished.
An ordinary computer generally runs only one or two virtual machines, and this case is excluded by setting the threshold; the few extreme cases can be distinguished by analyzing the temporal change pattern of the IP addresses. Although one MAC of a computer running several virtual machines corresponds to several IPs, the correspondence is very regular: if the MAC corresponds to several different IPs at one moment, it corresponds to the same IPs at the next, and these MAC-IP pairs appear in the ARP table of the database in a repeating cycle. The MAC-IP pairs of the virtual machines change slowly over time, only when a virtual machine is added or deleted or stays shut down for longer than the ARP expiration time. With real ARP spoofing, by contrast, the number of IPs corresponding to the MAC is very large (more than 10) and the temporal change of MAC-IP is frequent and disordered, so the two can be clearly distinguished by the temporal change pattern of the IP addresses.
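An added example, not code from the patent: primary screening with GROUP BY and HAVING, followed by confirmation by elimination. The stored rows are constructed; the /24 segment size, the reading of "regular" as a strictly repeating cycle, and all function and verdict names are assumptions made here.

```python
import ipaddress
import sqlite3

THRESHOLD = 3   # from the text: range 2 to 10, default 3
STATIC = 4      # ipNetToMediaType value of a device's own static entry
PREFIX = 24     # assumption: every network segment is a /24

ROUTER = "00:1b:54:aa:00:01"
LISTED = "00:1b:54:aa:00:02"    # constructed: device on the manual white list
VM_HOST = "00:50:56:aa:bb:cc"
LAPTOP = "3c:97:0e:00:00:10"
NORMAL = "3c:97:0e:00:00:20"
SPOOFER = "3c:97:0e:12:34:56"

# Constructed history per MAC, in stored order: (ip, ipNetToMediaType).
HISTORY = {
    ROUTER: [(f"10.0.{n}.1", 4) for n in (1, 2, 3, 4)],
    LISTED: [(f"10.0.9.{n}", 3) for n in (1, 2, 3, 4)],
    VM_HOST: [(f"10.0.1.{n}", 3) for n in (40, 41, 42, 43)] * 3,
    LAPTOP: [("10.0.1.50", 3), ("10.0.2.77", 3), ("10.0.3.12", 3), ("10.0.4.9", 3)],
    NORMAL: [("10.0.1.30", 3), ("10.0.1.31", 3), ("10.0.1.32", 3)],
    SPOOFER: [(f"10.0.1.{n}", 3) for n in (23, 5, 88, 5, 17, 23, 64, 5)],
}

SCREEN_SQL = """
SELECT mac FROM arp
GROUP BY mac
HAVING COUNT(DISTINCT ip) > ?
ORDER BY mac
"""


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE arp (id INTEGER PRIMARY KEY AUTOINCREMENT,"
               " mac TEXT, ip TEXT, type INTEGER)")
    for mac, seq in HISTORY.items():
        db.executemany("INSERT INTO arp (mac, ip, type) VALUES (?, ?, ?)",
                       [(mac, ip, t) for ip, t in seq])
    return db


def screen(db, threshold=THRESHOLD):
    """Primary screening: MACs with more distinct IPs than the threshold."""
    return [row[0] for row in db.execute(SCREEN_SQL, (threshold,))]


def is_cyclic(ips):
    """True when the stored IP sequence repeats one fixed cycle of its distinct values."""
    period = len(set(ips))
    return len(ips) >= 2 * period and all(
        ips[i] == ips[i - period] for i in range(period, len(ips)))


def confirm(db, mac, whitelist):
    """Eliminate the benign cases in turn; what remains is reported as spoofing."""
    if mac in whitelist:
        return "whitelisted"
    rows = db.execute("SELECT ip, type FROM arp WHERE mac = ? ORDER BY id",
                      (mac,)).fetchall()
    if all(t == STATIC for _, t in rows):
        return "device-static"
    ips = [ip for ip, _ in rows]
    distinct = set(ips)
    segments = {ipaddress.ip_network(f"{ip}/{PREFIX}", strict=False) for ip in distinct}
    if len(segments) == len(distinct):   # every IP sits in a different segment
        return "cross-segment"
    if is_cyclic(ips):
        return "regular-cycle"
    return "arp-spoofing"


def detect(db, whitelist, threshold=THRESHOLD):
    return {mac: confirm(db, mac, whitelist) for mac in screen(db, threshold)}


if __name__ == "__main__":
    for mac, verdict in detect(build_db(), {LISTED}).items():
        print(mac, verdict)
```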
The invention has the following advantages:
1. The method suits various network environments and network devices, and does not intrude on the existing network.
The technical means is as follows: SNMP is used to collect the router's ARP table at regular intervals and store it in a database, and fake-host ARP spoofing is detected by analyzing the correspondence between MAC and IP addresses.
2. The database keeps the latest record of each MAC-IP address and also its historical changes, which meets the later needs of primary screening, analysis, confirmation and query. A large number of repeated records is not stored in the database, so system performance is good, and one ordinary server can support automatic detection of fake-host ARP spoofing for a large network consisting of thousands of network devices (switches and routers) and hundreds of thousands of computers.
The technical means is as follows: the data acquisition program calls a database stored procedure, and the stored procedure implements the business logic of saving MAC-IP to the database. For each MAC-IP entry, it first queries the existing database records for the latest timestamp among records with the same MAC address (or for the largest auto-increment field number of that MAC address). It then fetches the existing record with that MAC address and that latest timestamp (or the record whose auto-increment field equals the number just found). If that record exists and its IP address equals the acquired IP address, the record's timestamp is updated to the current time; otherwise a new record is inserted.
3. It can handle various complex cases without misjudgment.
The technical means is as follows: fake-host ARP spoofing is detected in two steps, primary screening and analysis and confirmation. Primary screening selects the records in which the number of different IP addresses corresponding to one MAC address is larger than a certain threshold; setting the threshold excludes normal cases such as notebook computers used across network segments and switching of IP addresses. In the analysis and confirmation step, complex cases such as the MAC addresses of network devices like routers, and one computer running several virtual machines, are excluded by means of a white list, analysis of the ipNetToMediaType value, and analysis of the IP address distribution pattern and temporal change pattern.
While the invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not to be limited to the disclosed embodiment, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (2)

1. A method for automatically detecting ARP spoofing of a fake host, characterized by comprising a data acquisition method and an ARP spoofing detection method, wherein the data acquisition method comprises, for each acquired MAC-IP record, first querying the existing records of the database for the maximum timestamp or the maximum auto-increment number of that MAC address, then querying the existing records for the record whose MAC address equals that MAC address and whose timestamp equals the latest timestamp, or for the record whose auto-increment field value equals the maximum auto-increment number just queried; if the record exists and its IP address equals the acquired IP address, updating the timestamp of the existing record to the current time, and otherwise inserting a new record; and the ARP spoofing detection method comprises counting the different IP addresses corresponding to each MAC address and adding the MAC address to a suspected ARP spoofing list when the number exceeds a set threshold.
2. The method according to claim 1, wherein the ARP spoofing detection method further comprises analyzing and confirming each suspected ARP spoofing found by the primary screening, the confirmation process adopting an exclusion method in which the MAC addresses of network devices themselves and the case of one computer running a plurality of virtual machines are excluded by at least one of a white list, MAC-IP address mapping type analysis, IP address distribution pattern analysis and temporal change pattern analysis, to finally confirm whether ARP spoofing is present.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710213100.6A CN106899612B (en) 2017-04-01 2017-04-01 Method for automatically detecting ARP spoofing of fake host

Publications (2)

Publication Number Publication Date
CN106899612A (en) 2017-06-27
CN106899612B (en) 2020-01-24

Family

ID=59192723
