CN107465702A - Method for early warning and device based on wireless network invasion - Google Patents


Info

Publication number: CN107465702A
Authority: CN (China)
Prior art keywords: early warning; network; electronic equipment; wireless network; information
Legal status: Granted
Application number: CN201710944307.0A
Other languages: Chinese (zh)
Other versions: CN107465702B (en)
Inventors: 柴坤哲, 曹鸿健, 王永涛, 杨卿
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd
Events: application filed by Beijing Qihoo Technology Co Ltd; priority to CN201710944307.0A; publication of CN107465702A; application granted; publication of CN107465702B; legal status active

Classifications

All codes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication), H04L63/00 (Network architectures or network communication protocols for network security) and H04L63/14 (detecting or protecting against malicious traffic):

    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses an early-warning method and device based on wireless network intrusion. The method includes: obtaining the network traffic information generated by an electronic device that has intruded into the wireless network; analyzing the network traffic information and determining the network access behavior of the electronic device from the analysis result; judging whether the network access behavior of the electronic device meets a preset early-warning rule and, if so, generating an attack early-warning signal for early warning. Thus the invention can decide whether to raise an early warning from the network traffic information generated by the intruding electronic device, achieving targeted protection.

Description

Method for early warning and device based on wireless network invasion
Technical field
The present invention relates to the field of network communication technology, and in particular to an early-warning method and device based on wireless network intrusion.
Background technology
With the continuous development of communication technology, the internet has become part of every aspect of life. However, hacking techniques, as a by-product of internet development, have also become pervasive and threaten network security ever more seriously.
Taking wireless networks as an example: although wireless networks have won more and more users thanks to their convenient access, hacking incidents carried out by intruding into wireless networks are also increasingly frequent. Various defensive measures have therefore appeared to counter intrusion. Traditional defense mechanisms mainly strengthen the security of the wireless network itself, for example by resetting the wireless network password to something hard to crack, or by strengthening the verification of access devices at the network access stage to prevent malicious access by illegitimate devices.
During the realization of the present invention, however, the inventors found that the above prior-art approaches have at least the following problem: existing approaches rely mainly on passive defensive measures taken before the intrusion, i.e. obstacles are set up before an electronic device attempts to access the wireless network so as to block malicious access by illegitimate devices. Once that defense fails, the electronic device that has intruded into the wireless network can carry out malicious acts unchecked, and existing approaches cannot provide effective early warning against it.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide an early-warning method and device based on wireless network intrusion that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, an early-warning method based on wireless network intrusion is provided, including:
obtaining the network traffic information generated by an electronic device that has intruded into the wireless network;
analyzing the network traffic information and determining the network access behavior of the electronic device from the analysis result;
judging whether the network access behavior of the electronic device meets a preset early-warning rule and, if so, generating an attack early-warning signal for early warning.
According to another aspect of the present invention, an early-warning device based on wireless network intrusion is provided, including:
an acquisition module, adapted to obtain the network traffic information generated by an electronic device that has intruded into the wireless network;
an analysis module, adapted to analyze the network traffic information and determine the network access behavior of the electronic device from the analysis result;
a warning module, adapted to judge whether the network access behavior of the electronic device meets a preset early-warning rule and, if so, generate an attack early-warning signal for early warning.
According to a further aspect of the present invention, an electronic device is provided, including a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory stores at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above early-warning method based on wireless network intrusion.
According to a further aspect of the present invention, a computer-readable storage medium is provided, in which at least one executable instruction is stored; the executable instruction causes a processor to perform the operations corresponding to the above early-warning method based on wireless network intrusion.
In the early-warning method and device based on wireless network intrusion provided by the invention, the network traffic information generated by the electronic device that has intruded into the wireless network is obtained first; the network traffic information is then analyzed and the network access behavior of the electronic device is determined from the analysis result; finally, it is judged whether the network access behavior of the electronic device meets a preset early-warning rule and, if so, an attack early-warning signal is generated. Thus the invention can decide whether to raise an early warning from the network traffic information generated by the intruding electronic device, achieving targeted protection.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and practiced according to the content of the specification, and in order that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of the early-warning method based on wireless network intrusion provided by one embodiment of the invention;
Fig. 2 shows a structural diagram of a wireless network intrusion detection system;
Fig. 3 shows a schematic structural diagram of the multilayer loop in the wireless network intrusion detection system;
Fig. 4 shows a structural diagram of the early-warning device based on wireless network intrusion provided by one embodiment of the invention;
Fig. 5 shows a schematic structural diagram of the electronic device provided according to one embodiment of the invention.
Embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention will be understood more thoroughly and so that the scope of the disclosure can be conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of an early-warning method based on wireless network intrusion provided by one embodiment of the invention. As shown in Fig. 1, the method includes the following steps:
Step S110: obtain the network traffic information generated by an electronic device that has intruded into the wireless network.
Specifically, when the wireless network contains multiple preset devices, in order to obtain accurately the network traffic generated between the electronic device and each preset device, this step obtains, after the electronic device has intruded into the wireless network, the point-to-point network traffic information generated for each preset device in the wireless network separately, and supplies that point-to-point traffic information to the corresponding preset device; each preset device accesses the wireless network in bridged mode. The preset devices mentioned in this embodiment may be various kinds of equipment such as intrusion detection modules.
Step S120: analyze the network traffic information and determine the network access behavior of the electronic device from the analysis result.
By analyzing the network traffic information, the network access behavior of the electronic device can be determined, such as which web pages it opened and which network access requests it sent, so that the motive of the electronic device can be inferred. The specific implementation of the traffic analysis may be chosen flexibly by those skilled in the art and is not limited by the present invention. The network access behavior includes, but is not limited to, scanning behavior carried out with scanning tools and the behavior of sending access requests to a preset device.
Step S130: determine the current network security grade and select the early-warning rule that matches the current network security grade.
This step is optional; when there is only one kind of preset early-warning rule, it may be omitted.
For example, in this embodiment the network security grade may be divided into three levels: high, intermediate and low. Accordingly, the network security grade the system is currently in can be determined from information such as the task the system is currently performing or the environment it operates in, and the early-warning rule matching the current network security grade is then selected.
Step S140: judge whether the network access behavior of the electronic device meets the preset early-warning rule and, if so, generate an attack early-warning signal for early warning.
The preset early-warning rule may include at least one of the following rules:
a rule that raises an early warning when scanning behavior carried out with a preset scanning tool is detected;
a rule that raises an early warning when an exploratory connection to a preset device in the wireless network is detected; and
a rule that raises an early warning when a successful connection to a preset device in the wireless network is detected.
These rules may be used alone or in combination, and may correspond to different network security grades. Accordingly, in this step the early-warning rule corresponding to the current network security grade is used to determine whether the network access behavior of the electronic device meets the preset early-warning rule, and if so an attack early-warning signal for early warning is generated.
Further optionally, in order to obtain more information about the electronic device, after the step of obtaining the network traffic information generated by the electronic device that has intruded into the wireless network, the method may further include: according to the network traffic information generated by the electronic device, intercepting a website access request sent by the electronic device and inserting into the intercepted request a preset access script for accessing a preset website; receiving the access result data corresponding to the preset website and determining the device attribute information of the electronic device from that data. Correspondingly, after the step of generating the attack early-warning signal, the method further includes locating the electronic device according to the device attribute information. The preset website may be a preset social network site, in which case the access result data may include the user's social account information and password information.
Thus the invention can decide whether to raise an early warning from the network traffic information generated by the intruding electronic device, achieving targeted protection.
To facilitate understanding of the invention, Fig. 2 shows a schematic structural diagram of a specific wireless network intrusion detection system provided by the invention; the early-warning method based on wireless network intrusion of the invention can be realized on the basis of this system. As shown in Fig. 2, the system includes a radio access module 21, a network transmission module 22, a first intrusion detection module 23 and second intrusion detection modules 24. Fig. 2 shows several second intrusion detection modules 24, but in practice there may be only one; in other embodiments of the invention there may also be several first intrusion detection modules 23.
In this embodiment, the wireless network intrusion detection system is mainly used to lure an attacker into connecting, and to monitor and record the attacker's device information and attack behavior, so that targeted defensive measures can be taken, an alarm can be raised when necessary, and the attacker can be traced. The wireless network intrusion detection system in this embodiment can therefore also be understood as a honeypot system realized with honeypot technology, and this honeypot system can realize several functions. The specific structure and working principle of each module in the system are introduced below:
1. Radio access module
The outermost layer of the system is the radio access module 21. It is adapted to monitor whether an electronic device intrudes into the wireless network through a preset network hole; when the monitoring result is yes, it obtains the device identifier of the electronic device and the device access information corresponding to that identifier; optionally, it may also analyze the device access information and locate the electronic device according to the analysis result. The radio access module 21 thus has two main functions: on the one hand, it actively sets a network hole to lure an attacker into connecting; on the other hand, once an electronic device connecting to the wireless network is found, it records the device identifier and device access information of that device.
First, the specific implementation of setting the network hole is introduced. The radio access module 21 sets the network hole in a preset wireless access device so that an outside electronic device can connect to the wireless network. The wireless access device can be any access point that can be used to join the wireless network, such as a router. The network hole can be set in various ways, for example by opening a wireless network port and/or by lowering the wireless network password. The network hole can also be understood as a trap, mainly used to entice an attacker to connect; the present invention does not limit the specific way in which the network hole is set.
Next, the specific implementation of recording the device identifier and device access information of the electronic device is introduced. The device identifier can be any information that uniquely identifies an electronic device, so that the relevant information of that device can be tracked by identifier in later steps. Device access information means information about the device that can be obtained while the device connects to the wireless network. Accordingly, the radio access module 21 records device access information such as the device name, IP address and MAC address of the device connected to the wireless network, so that the attacker's physical location can be determined and the attacker is in a monitored state from the moment of connecting. Optionally, to make the attacker reveal more information, in this embodiment the radio access module 21, when obtaining the device identifier and the corresponding device access information, may further push a preset web page to the electronic device, obtain the access result produced by the electronic device for that page, and determine the device access information of the electronic device from that result. The preset web page includes a social web page logged into with a social account, or another page that requires personal information to log in; accordingly, the device access information of the electronic device further includes the social account information determined from the access result produced for the social web page, for example microblog account and password information, QQ account and password information, and so on. In addition, while the electronic device accesses the web page, other device access information can be obtained, such as browser version, operating system version, device screen resolution and browser plug-in information. The radio access module 21 stores the device access information of the electronic device in a preset device access table, associated with the device identifier, for later queries.
Thus the radio access module is mainly used to lure an attacker into connecting and to obtain the corresponding device access information, in order to realize functions such as locating and early warning.
2. Network transmission module
The second outermost layer of the system is the network transmission module 22. It is adapted to obtain the network traffic information generated after the electronic device connects to the wireless network and to supply the obtained traffic information to the first intrusion detection module 23 for further analysis. In addition, the network transmission module 22 is further adapted to determine whether the network traffic information generated after the electronic device connects to the wireless network contains traffic triggered by access behavior that meets a preset early-warning rule and, if so, to generate an attack early-warning signal. In practice, the network transmission module 22 obtains the network traffic information generated by the electronic device that has intruded into the wireless network; analyzes that traffic information and determines the network access behavior of the electronic device from the analysis result; and judges whether that network access behavior meets the preset early-warning rule, generating an attack early-warning signal for early warning if so.
The network transmission module mainly obtains the network traffic information after the electronic device connects to the wireless network by means such as packet capture. In realizing the invention, the inventors found that traditional packet capture can only obtain the traffic with which the electronic device accesses external websites through the wireless network, and cannot obtain the traffic between the electronic device and each device inside the wireless network. In this embodiment, for example, the wireless network contains several preset devices such as the first intrusion detection module and several second intrusion detection modules; in order to obtain more accurately the network traffic the electronic device generates towards each intrusion detection module, each first intrusion detection module and second intrusion detection module joins the wireless network in bridged mode. Correspondingly, after the electronic device intrudes into the wireless network, the network transmission module obtains separately the point-to-point network traffic information generated for each preset device in the wireless network (i.e. the first intrusion detection module and the second intrusion detection modules) and supplies that point-to-point traffic information to the corresponding preset device. For example, the portion of the obtained traffic information in which the electronic device accesses the first intrusion detection module is supplied to the first intrusion detection module for further analysis. Thus, by means of bridging, the invention can accurately obtain the point-to-point traffic information between the electronic device and each intrusion detection module, making it easy to determine the network behavior the electronic device carries out towards each intrusion detection module.
By analyzing the obtained network traffic information, the network access behavior of the electronic device can be learned (for example the number of web pages opened and their addresses). Optionally, in this embodiment, the network transmission module can also determine according to the preset early-warning rule whether to trigger an early-warning signal for the network access behavior of the electronic device, thereby realizing the early-warning function. The early-warning rule includes early-warning rules for several network security grades; correspondingly, the network transmission module first determines the current network security grade and then selects the early-warning rule matching that grade. For example, the network security grade may be divided into three levels, high, intermediate and low, with an early-warning rule set for each level. System operators can set the network security grade according to the needs of the current business. Accordingly, the early-warning rule may include at least one of the following three rules:
The first early-warning rule raises an early warning when scanning behavior carried out with a preset scanning tool is detected. The network transmission module may obtain in advance the scanning tools commonly used by hackers and store them in a hacker tool list; once it detects from the network traffic information that the electronic device carries out scanning with a scanning tool in the hacker tool list, it raises an early warning. The scanning tools stored in the hacker tool list may include NMAP, SQLMAP, WVS and so on. The second early-warning rule raises an early warning when an exploratory connection to a preset device in the wireless network is detected. This rule can be applied in a network set to the high security grade: under it, an early warning is raised as soon as any attempt to connect to a preset device such as an intrusion detection module is found. The third early-warning rule raises an early warning when a successful connection to a preset device in the wireless network is detected. This rule can be applied in a network set to the intermediate or low security grade: under it, an early warning is raised only when a successful connection is found, for example when an access request aimed at an intrusion detection module is detected.
Thus the network transmission layer can monitor the network traffic information across the whole network and raise early warnings according to the monitoring result, improving the security of the system. The early-warning rule can be set flexibly by those skilled in the art and is not limited by the present invention.
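The rule evaluation of steps S120 to S140 and the three early-warning rules above, as an added example written for this page (not the patent's or the assignee's code). It assumes simplified flow records already extracted from the point-to-point capture, constructed addresses for the bridged preset devices, and a grade-to-rule mapping in which the first rule applies at every grade while the second applies at the high grade and the third at the intermediate and low grades.

```python
"""Early-warning rule evaluation over point-to-point traffic from an intruding device.

Added example for this page; not the patent's or the assignee's code. Flow records,
device addresses and the grade-to-rule mapping are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Preset devices that join the wireless network in bridged mode (the patent's first and
# second intrusion detection modules). Addresses are constructed for this example.
PRESET_DEVICES: Dict[str, str] = {
    "10.0.0.10": "first intrusion detection module",
    "10.0.0.21": "second intrusion detection module 1",
    "10.0.0.22": "second intrusion detection module 2",
}

# Hacker tool list named in the description; matched as a substring of a tool
# signature that the capture stage is assumed to extract (e.g. a User-Agent).
HACKER_TOOL_LIST: Tuple[str, ...] = ("nmap", "sqlmap", "wvs")

RULE_SCAN = "scan_with_preset_tool"                      # first rule
RULE_PROBE = "exploratory_connection_to_preset_device"   # second rule
RULE_CONNECT = "successful_connection_to_preset_device"  # third rule

# Assumed mapping of security grade to active rules: the description applies the
# second rule at the high grade and the third at the intermediate and low grades;
# applying the first rule at every grade is this example's assumption.
RULES_BY_GRADE: Dict[str, Set[str]] = {
    "high": {RULE_SCAN, RULE_PROBE},
    "intermediate": {RULE_SCAN, RULE_CONNECT},
    "low": {RULE_SCAN, RULE_CONNECT},
}


@dataclass(frozen=True)
class Flow:
    """One point-to-point flow as the network transmission module would hand it over."""
    src: str                  # intruding device
    dst: str                  # peer address inside or outside the wireless network
    dst_port: int
    established: bool         # True once the TCP handshake completed
    tool_signature: str = ""  # tool name seen in the payload, "" if none


Behavior = Tuple[str, str]  # (rule name, detail such as the tool or target address)


def match_tool(signature: str) -> Optional[str]:
    """Return the hacker-tool-list entry found in a signature, or None."""
    sig = signature.lower()
    return next((tool for tool in HACKER_TOOL_LIST if tool in sig), None)


def derive_behaviors(flows: List[Flow]) -> Dict[str, Set[Behavior]]:
    """Step S120: reduce raw flows to the access behaviors of each source device."""
    behaviors: Dict[str, Set[Behavior]] = {}
    for flow in flows:
        device = behaviors.setdefault(flow.src, set())
        tool = match_tool(flow.tool_signature)
        if tool is not None:
            device.add((RULE_SCAN, tool))
        if flow.dst in PRESET_DEVICES:
            # Any flow towards a preset device is at least an exploratory connection;
            # only a completed handshake counts as a successful connection.
            device.add((RULE_PROBE, flow.dst))
            if flow.established:
                device.add((RULE_CONNECT, flow.dst))
    return behaviors


def select_rules(grade: str) -> Set[str]:
    """Step S130: pick the rule set that matches the current network security grade."""
    if grade not in RULES_BY_GRADE:
        raise ValueError(f"unknown network security grade: {grade!r}")
    return RULES_BY_GRADE[grade]


def evaluate(flows: List[Flow], grade: str) -> List[Tuple[str, str, str]]:
    """Steps S120-S140: return (device, rule, detail) early-warning signals, sorted."""
    active = select_rules(grade)
    signals = [
        (src, rule, detail)
        for src, behaviors in derive_behaviors(flows).items()
        for rule, detail in behaviors
        if rule in active
    ]
    return sorted(signals)


# Constructed sample capture: device .77 sends a SQLMAP-signed request that reaches the
# first IDS, a SYN-only probe to a second IDS, and an ordinary request to an outside
# site; device .80 only probes a second IDS without completing the handshake.
SAMPLE_FLOWS: List[Flow] = [
    Flow("192.168.1.77", "10.0.0.10", 80, True, "sqlmap/1.0"),
    Flow("192.168.1.77", "10.0.0.21", 22, False),
    Flow("192.168.1.77", "203.0.113.5", 443, True, "Mozilla/5.0"),
    Flow("192.168.1.80", "10.0.0.22", 80, False),
]

if __name__ == "__main__":
    for grade in ("high", "intermediate", "low"):
        print(grade, evaluate(SAMPLE_FLOWS, grade))
```

At the high grade the SYN-only probes alone produce signals; at the intermediate and low grades only the completed connection to the first intrusion detection module and the SQLMAP signature do.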
Optionally, to obtain more information about the electronic device, in this embodiment the network transmission module can further perform the following operations: according to the network traffic generated by the electronic device, intercept the website access request sent by the electronic device and insert a preset access script for accessing a preset website into the intercepted request; receive the access result data corresponding to the preset website, and determine the device attribute information of the electronic device from that access result data. Correspondingly, the network transmission module can further locate the electronic device according to the device attribute information. In a specific implementation, the type of website access request to be intercepted is configured in advance; for example, access requests to search-type websites such as Baidu can be configured for interception. The preset access script for accessing the preset website is then inserted into the intercepted website access request. The preset access script is generated and maintained by the first intrusion detection module; the network transmission module only needs to invoke it.
The preset access script can be implemented as a JS script or as a URL, and is used to access social websites such as Renren and Weibo. Finally, the access result data corresponding to the preset website is received and the device attribute information of the electronic device is determined from it. The operation of determining the device attribute information can be performed by the first intrusion detection module: the network transmission module forwards the access result data returned by the preset website to the first intrusion detection module, which determines the device attribute information of the electronic device from that data. The network transmission module therefore performs two functions in this process: on the one hand it sends the access request for the preset website to the preset website's server in place of the user; on the other hand it receives the server's access result in place of the user. The network transmission module can thus access the preset website and obtain the access result without the user of the electronic device that intruded into the wireless network noticing, and thereby obtain information about the electronic device. The main difference between device attribute information and device access information is the time at which, and the component by which, each is obtained: device access information is obtained at the access stage by the wireless access module, whereas device attribute information is obtained by the first intrusion detection module once the electronic device has penetrated the wireless network and reached the first intrusion detection module, and reflects the attributes of the device. In practice, the contents of the device access information and the device attribute information may overlap.
3. First intrusion detection module
The first intrusion detection module sits between the network transmission layer and the second intrusion detection module. It analyses the network traffic information provided by the network transmission module and determines the device attribute information of the electronic device from the analysis result. In a specific implementation, the first intrusion detection module can be realised in several ways; for example, it can be implemented as a honeypot on a virtual machine or in a sandbox. Honeypot technology is essentially a deception technique directed at the attacker: hosts, network services or information are deployed as bait to lure the attacker into attacking them, so that the attack can be captured and analysed, the tools and methods used by the attacker understood, and the attacker's intent and motivation inferred. This lets the defender see clearly the security threats it faces and strengthen the protection of the real systems through technical and administrative means. In this embodiment the first intrusion detection module is a Web-type honeypot (i.e. a service-type honeypot), and its interactivity is lower than that of the second intrusion detection module, so the first intrusion detection module can also be called the Web-type low-interaction intrusion detection module. Below, for brevity, the first intrusion detection module is referred to as the Web-type low-interaction honeypot.
The Web-type low-interaction honeypot obtains the network traffic information generated by the electronic device that intruded into the wireless network, analyses that traffic, and determines from the analysis result the device identifier of the electronic device and the device attribute information corresponding to that identifier. Optionally, it can also detect the location information of the electronic device from the device attribute information, in order to locate the electronic device or trace it to its source. The Web-type low-interaction honeypot is thus mainly used to collect further information about the attacker. Specifically, the device attribute information that can be collected includes, but is not limited to: browser version, operating system version, device screen resolution, browser plugin information, social account information, device fingerprint, plugin information, time zone information, GPU information and device language information.
In addition, to facilitate collecting more information, the Web-type low-interaction honeypot is further used to generate in advance the preset access script for accessing the preset website; the preset access script is inserted into the intercepted website access request sent by the electronic device. Correspondingly, when the Web-type low-interaction honeypot determines the device identifier and the corresponding device attribute information from the analysis result, it does so in combination with the access result data obtained for the preset website. The preset website includes social websites that are logged in to with a social account; the preset access script can be implemented as a JS script or a URL, and is used to access preset websites such as Renren and Weibo. Correspondingly, the device attribute information of the electronic device includes the social account information determined from the access result generated for the social website. In other words, the Web-type low-interaction honeypot is responsible for maintaining the preset access script for the network transmission module to invoke, and is further used to analyse the network traffic information and access result data obtained by the network transmission module in order to determine the device attribute information of the electronic device. Through the cooperation of the Web-type low-interaction honeypot and the network transmission module, the preset website can be accessed automatically and the relevant information obtained without the user of the electronic device noticing, which provides more valuable information for subsequent operations such as locating the attacker and tracing the source.
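The interception and script-insertion step described above (the network transmission module intercepting a configured site type, inserting the preset access script, and the honeypot turning the returned access result into device attribute information) is shown below as an added example written for this page; it is not the patent's implementation. The description places the script in the intercepted request; in a transparent proxy the practical place to add it is the HTML response to that request, which is what this code does. The host names, the script URL, the log format and the fields the script posts back are assumptions.

```python
"""Added example (not the patent's code): interception of a configured
site type, insertion of the preset access script into the page the
attacker's browser will render, and extraction of device attributes from
what that script posts back. Hosts, URL and field names are assumptions."""
import json
import re
from urllib.parse import urlsplit

# Site types configured for interception (assumed: search-class sites).
INTERCEPT_HOSTS = {"www.baidu.com", "baidu.com"}

# Preset access script, maintained by the first intrusion detection module
# in the text; the URL is an assumption.
PRESET_SCRIPT_URL = "http://honeypot.example/preset.js"


def should_intercept(request_line: str, host_header: str) -> bool:
    """True when a GET request targets one of the configured hosts."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return False
    host = host_header.split(":")[0].strip().lower()
    if parts[1].lower().startswith("http"):
        host = (urlsplit(parts[1]).hostname or host).lower()
    return host in INTERCEPT_HOSTS


def inject_script(html: str, script_url: str = PRESET_SCRIPT_URL) -> str:
    """Insert the preset access script before </body>, or append it when
    the page has no </body>. Idempotent: an already patched page is
    returned unchanged."""
    tag = f'<script src="{script_url}"></script>'
    if tag in html:
        return html
    m = re.search(r"</body\s*>", html, re.IGNORECASE)
    if m:
        return html[: m.start()] + tag + html[m.start():]
    return html + tag


def fix_content_length(headers: str, body: str) -> str:
    """Rewrite Content-Length after the body grew, so the patched response
    stays well formed. A chunked response would need its chunks re-encoded
    instead (not handled here)."""
    length = str(len(body.encode("utf-8")))
    if re.search(r"(?im)^content-length:", headers):
        return re.sub(r"(?im)^content-length:[^\r\n]*",
                      "Content-Length: " + length, headers)
    return headers.rstrip("\r\n") + "\r\nContent-Length: " + length + "\r\n"


def parse_access_result(posted_json: str) -> dict:
    """Turn the JSON the injected script posts back into device attribute
    information. Field names are assumptions about the script."""
    data = json.loads(posted_json)
    attrs = {
        "site": data.get("site"),
        "user_agent": data.get("ua"),
        "screen": data.get("screen"),
        "timezone": data.get("tz"),
    }
    # Social account information exists only when the browser held a
    # logged-in session on the preset site.
    if data.get("logged_in"):
        attrs["social_account"] = data.get("account")
    return attrs


# Constructed sample of a posted result (not from the patent).
SAMPLE_RESULT = json.dumps({
    "site": "weibo.com", "logged_in": True, "account": "u_12345",
    "ua": "Mozilla/5.0", "screen": "1920x1080", "tz": "UTC+8",
})

if __name__ == "__main__":
    page = "<html><body><p>search</p></body></html>"
    print(inject_script(page))
    print(parse_access_result(SAMPLE_RESULT))
```

Note that the injection only works on plaintext HTTP responses; a site served over HTTPS cannot be patched by an on-path proxy without the browser accepting the proxy's certificate, which is why the text chooses plain search sites as the interception point.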
4. Second intrusion detection module
The second intrusion detection module is located at the innermost layer of the whole system. It obtains the behaviour characteristic information of the electronic device and generates an intrusion alarm signal when it determines that the behaviour characteristic information satisfies a preset alarm rule. In a specific implementation, the second intrusion detection module can likewise be realised in several ways, for example as a honeypot on a virtual machine or in a sandbox. In this embodiment the interactivity of the second intrusion detection module is higher than that of the first, so the second intrusion detection module can also be called the high-interaction intrusion detection module. The second intrusion detection module can be applied both to Windows systems and to Linux systems, so it comes in two kinds: the Windows-type high-interaction honeypot and the Linux-type high-interaction honeypot. This embodiment is described mainly using the Windows-type high-interaction honeypot as an example.
Specifically, the behaviour characteristic information of the electronic device obtained by the Windows-type high-interaction honeypot can be of several kinds, and correspondingly the preset alarm rule can also comprise several rules:
The first rule is: determine whether the behaviour characteristic information matches a malicious command stored in a preset blacklist, and if so generate an intrusion alarm signal (also called a behaviour intrusion alarm signal). Specifically, the Windows-type high-interaction honeypot monitors system activity and every action of the electronic device; if it observes the electronic device executing a malicious command stored in the preset blacklist, it triggers the intrusion alarm signal. The preset blacklist stores the attack commands that hackers are known to use commonly. Tables 1, 2 and 3 show some of the malicious commands stored in the blacklist.
Table 1

Table 2

No.  Command         Execution count  Option
1    dir             903
2    net view        226
3    ping            196
4    net use         193
5    type            118
6    net user        74
7    net localgroup  35
8    net group       19
9    net config      16
10   net share       11
11   dsquery         6
12   csvde           5                /f/q
13   nbtstat         5                -a
14   net session     3
15   nltest          3                /dclist
16   wevtutil        2

Table 3
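The first rule, applied to process-creation records with the blacklist of Table 2, is shown below as an added example written for this page, not the patent's own code. The log format (timestamp|pid|image|command line) and the log lines are constructed; the handling of `cmd /c` wrappers and of `net1.exe` (to which net.exe hands most of its subcommands) is a practitioner's addition so that the rule is not trivially bypassed.

```python
"""Added example (not the patent's code): matching monitored command lines
against the Table 2 blacklist. Log format and sample lines are constructed."""
import re
from dataclasses import dataclass

# Blacklist from Table 2: key is the command (with subcommand for "net"),
# value is the tuple of options of interest the table lists for it.
BLACKLIST = {
    "dir": (), "net view": (), "ping": (), "net use": (), "type": (),
    "net user": (), "net localgroup": (), "net group": (), "net config": (),
    "net share": (), "dsquery": (), "csvde": ("/f", "/q"), "nbtstat": ("-a",),
    "net session": (), "nltest": ("/dclist",), "wevtutil": (),
}


@dataclass
class Alarm:
    pid: int
    rule: str
    options_seen: tuple
    command_line: str


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted paths."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def normalise_image(token: str) -> str:
    """Strip path and .exe; treat net1 (used by net.exe internally) as net."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    name = re.sub(r"\.exe$", "", name)
    return "net" if name == "net1" else name


def match_blacklist(cmdline: str):
    """Return (rule, options_seen) when the command line hits the blacklist,
    otherwise None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    # "cmd /c <command ...>": evaluate the command actually run.
    if normalise_image(tokens[0]) == "cmd":
        for i, t in enumerate(tokens[1:], 1):
            if t.lower() in ("/c", "/k"):
                tokens = tokens[i + 1:]
                break
        else:
            return None
        if not tokens:
            return None
    name = normalise_image(tokens[0])
    args = tokens[1:]
    rule = name
    if name == "net" and args:
        rule = "net " + args[0].lower()
        args = args[1:]
    if rule not in BLACKLIST:
        return None
    # Options compare case-insensitively, by prefix ("/dclist:corp" matches
    # "/dclist"), and "-" and "/" are treated alike.
    norm_args = ["/" + a[1:].lower() if a[:1] in "-/" else a.lower() for a in args]
    seen = tuple(o for o in BLACKLIST[rule]
                 if any(a.startswith("/" + o[1:].lower()) for a in norm_args))
    return rule, seen


def evaluate_log(log_text: str) -> list:
    """Apply the rule to 'timestamp|pid|image|commandline' lines."""
    alarms = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, pid, _, cmdline = line.split("|", 3)
        hit = match_blacklist(cmdline)
        if hit:
            alarms.append(Alarm(int(pid), hit[0], hit[1], cmdline))
    return alarms


# Constructed sample process-creation log (not from the patent).
SAMPLE_LOG = r"""
2017-10-10 08:01:02|4312|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\Users
2017-10-10 08:01:10|4320|C:\Windows\System32\net1.exe|net1 user
2017-10-10 08:01:30|4330|C:\Windows\System32\nbtstat.exe|nbtstat -a 10.0.0.5
2017-10-10 08:01:41|4340|C:\Windows\System32\nltest.exe|nltest /dclist:corp
2017-10-10 08:02:00|4350|C:\Windows\System32\notepad.exe|notepad.exe readme.txt
2017-10-10 08:02:15|4360|C:\Windows\System32\csvde.exe|csvde -f out.csv
"""

if __name__ == "__main__":
    for alarm in evaluate_log(SAMPLE_LOG):
        print(alarm)
```

Commands such as `dir` and `ping` are also run by legitimate users, so in practice the blacklist rule is combined with the other signals the text describes (file tracking, process monitoring) rather than alarming on a single hit.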
The second rule is: record the files operated on by the electronic device in a preset operation file list, record the files that have a preset association relationship with files in the operation file list in a preset suspicious file list, and determine whether to generate an intrusion alarm signal (also called a file intrusion alarm signal) by monitoring the files in the operation file list and the suspicious file list. For example, when a file in the suspicious file list is observed being executed, a file intrusion alarm signal is generated. This rule can be called a taint tracking technique; its main idea is to continuously monitor and track all files related to the electronic device and raise an alarm when a suspicious situation is found.
For example, operations such as the creation, modification and deletion of files can be monitored, and all such files are recorded as files operated on by the electronic device in the preset operation file list. The operation file list thus records all files directly operated on by the electronic device, across several operation types. In addition, the files that have a preset association relationship with the files in the operation file list are determined. Files with a preset association relationship include, but are not limited to, files bundled with a file in the operation file list. For example, if the electronic device creates a file A and at the same time creates a file A' bundled with file A, file A is recorded in the operation file list and file A' is recorded in the suspicious file list. In the subsequent process both the operation file list and the suspicious file list are monitored continuously, and an alarm is raised as soon as a file in the suspicious file list is executed. In other words, the files in the operation file list are those the electronic device operated on directly, while the files in the suspicious file list are those the electronic device has not yet operated on, or has not operated on directly (possibly indirectly or implicitly). The two kinds of file are stored in different lists so that a different monitoring mode and alarm mode can be set for each according to its characteristics. For example, the purpose of an electronic device creating a bundled file is often to evade the monitoring of the operation file list: a bundled file is generally not present in the file system as a real file but exists only in memory, and is therefore well concealed, yet once such a file is executed it can damage the system. In this embodiment, associated files such as bundled files and hidden files are therefore stored separately in the suspicious file list, which makes it easy to apply stricter control and monitoring to this part of the files and to prevent malicious behaviour from actually being carried out.
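The two-list tracking of the second rule is shown below as an added example written for this page, not the patent's own code. The event stream is constructed. The `derived` field, through which the file monitor reports a file created alongside another (the bundled file A' of the text), and the decision to log execution of a directly operated file at notice level rather than alarm on it, are assumptions for illustration.

```python
"""Added example (not the patent's code): the operation file list, the
suspicious file list and the file intrusion alarm derived from them.
Events are constructed; the 'derived' field is an assumption about what
the file monitor reports."""
from dataclasses import dataclass, field

OPERATIONS = ("create", "modify", "delete")


@dataclass
class FileTracker:
    """Holds the two lists of the text and the alarms raised from them."""
    operated: set = field(default_factory=set)     # operation file list
    suspicious: set = field(default_factory=set)   # suspicious file list
    alarms: list = field(default_factory=list)
    notices: list = field(default_factory=list)

    @staticmethod
    def norm(path: str) -> str:
        # Windows paths are case-insensitive; compare a canonical form.
        return path.replace("/", "\\").lower()

    def on_event(self, action: str, path: str, derived: str = None) -> None:
        """action is create/modify/delete/execute. derived names a file with
        a preset association to `path` (bundled, hidden), or None."""
        p = self.norm(path)
        if action in OPERATIONS:
            self.operated.add(p)
            if derived is not None:
                d = self.norm(derived)
                # The associated file was not operated on directly, so it
                # is tracked in the suspicious list, not the operation list.
                if d not in self.operated:
                    self.suspicious.add(d)
        elif action == "execute":
            if p in self.suspicious:
                self.alarms.append(("file_intrusion_alarm", path))
            elif p in self.operated:
                # Assumption for illustration: executing a directly operated
                # file is recorded at notice level rather than alarmed on.
                self.notices.append(("operated_file_executed", path))
        else:
            raise ValueError(f"unknown action {action!r}")


def replay(events) -> FileTracker:
    """Feed a sequence of (action, path, derived) events to a tracker."""
    tracker = FileTracker()
    for action, path, derived in events:
        tracker.on_event(action, path, derived)
    return tracker


# Constructed sample events (not from the patent): A.exe is created
# together with a bundled DLL, a text file is edited, then three files run.
SAMPLE_EVENTS = [
    ("create", r"C:\Users\Public\A.exe", r"C:\Users\Public\A_bundle.dll"),
    ("modify", r"C:\Users\Public\notes.txt", None),
    ("execute", r"C:\Users\Public\A_bundle.dll", None),
    ("execute", r"C:\Users\Public\notes.txt", None),
    ("execute", r"C:\Windows\System32\calc.exe", None),
]

if __name__ == "__main__":
    t = replay(SAMPLE_EVENTS)
    print("alarms:", t.alarms)
    print("notices:", t.notices)
```

A file that enters the suspicious list keeps that status even if the device later touches it directly: the association is what made it suspicious, and the alarm check consults the suspicious list first.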
In addition, the Windows-type high-interaction honeypot can further monitor process creation and inject Monitor.dll (a dynamic link library used for process monitoring) into suspicious processes to track their behaviour. A process blacklist can also be set; for example, all non-system-level processes are placed in the process blacklist, each process in the blacklist is monitored continuously, and an alarm is triggered if the creation of a dangerous process is found. The Windows-type high-interaction honeypot can also monitor registry operations in order to discover dangerous behaviour.
Furthermore, each Windows-type high-interaction honeypot can also process logs and alarm information, and can communicate with the first intrusion detection module or with other Windows-type high-interaction honeypots in order to achieve linkage processing across the whole system. To this end, the wireless access module is further adapted to store the device access information of the electronic device in association with the device identifier of the electronic device; the first intrusion detection module is further adapted to store the device attribute information of the electronic device in association with the device identifier; and the second intrusion detection module is further adapted, when it determines that the behaviour characteristic information satisfies a preset alarm behaviour rule, to obtain and analyse the device access information, device attribute information and so on stored in association with that device identifier. That is, in this system the information each module obtains about the electronic device (including the device access information, device attribute information and behaviour characteristic information) is stored in association with the device identifier of the electronic device, and each module can retrieve all information stored in association with that identifier by means of the device identifier. Each module can therefore obtain not only the information it determined itself but also the information determined by the other modules, so that information is shared. Correspondingly, the first intrusion detection module and/or the second intrusion detection module can be further adapted to determine a user identifier and user characteristic information corresponding to the electronic device from its device access information, device attribute information and/or behaviour characteristic information, in order to trace the source according to the user identifier and user characteristic information.
The first intrusion detection module and/or the second intrusion detection module are thus mainly used to leave a breach for the attacker so that the attacker has the opportunity to log in to the system; the attacker's system activity is then recorded, dangerous behaviour is alarmed on, and the samples corresponding to malicious behaviour are captured for analysis with sandbox technology.
In addition, the system essentially uses multiple rings to achieve overall monitoring of the intruding device; Fig. 3 shows the structure of the multiple rings in the system. As shown in Fig. 3, the system is divided from the outside inwards into three rings: the outermost ring 3 consists mainly of the wireless access module, the middle ring 2 consists mainly of the first intrusion detection module, and the innermost ring 1 consists mainly of the second intrusion detection module. The network transmission module sits between ring 3 and ring 2. Through this multi-ring design the system lures the attacker to penetrate ring by ring and expose more information, and the information collected in each ring can be queried in a linked manner.
In addition, the first intrusion detection module and the second intrusion detection module in the inner rings are virtual machines with a real operating system installed, in order to collect information better. To prevent the intruding electronic device from seeing through the honeypot mechanism, the fingerprint characteristic information of the virtual machine is managed by a preset program plugin running at the system layer; the fingerprint characteristic information includes network card information, registry information and/or key value information. Fingerprint characteristic information is one kind of environment characteristic information. The plugin running at the system layer runs with a privilege higher than that of the other processes on the electronic device, which effectively prevents other processes from accessing the fingerprint characteristic information of the virtual machine.
In a specific implementation, to protect the virtualised environment inside the first intrusion detection module and the second intrusion detection module and prevent the electronic device from seeing through it, the first intrusion detection module and/or the second intrusion detection module can further perform the following operations: when an access request message for accessing the environment characteristic information of the virtualised environment is detected, intercept that access request message; determine the access result data corresponding to the access request message and the data type of that access result data; look up the protection strategy matching the data type of the access result data, and apply protective processing to the access request message according to the protection strategy found.
In particular it is required that the access request message institute for predefining the environmental characteristic information for accessing virtualized environment is right The application programming interfaces (API) answered, hooking function is set for these application programming interfaces;Wherein, hooking function is used to monitor The access request message triggered by application programming interfaces.Wherein, the environmental characteristic information of virtualized environment includes and system ring The related all features in border, it may for example comprise the fingerprint feature information of above-mentioned virtual machine.It is determined that for accessing virtualized environment Environmental characteristic information access request message corresponding to application programming interfaces when, can monitor invasion virtualized environment electricity Sub- equipment is directed to the access behavior that virtualized environment is sent, and the ring for accessing the virtualized environment is determined according to access behavior The access request message of border characteristic information.For example, due to invading the electronic equipment of virtualized environment often consciously Obtain virtualized environment environmental characteristic information, so as to determine current system environments whether be by Honeypot Techniques realize void Planization environment, then can be from once electronic equipment finds that current system environments is the virtualized environment realized by Honeypot Techniques Open current environment.Therefore, by monitoring the access behavior of electronic equipment, it can determine that electronic equipment is usually used in obtaining virtualization ring API corresponding to the access request message of the environmental characteristic information in border, and be monitored for these API.For example, in this implementation In example, find that electronic equipment 
typically passes through following several means when detecting virtual machine by the access behavior for monitoring electronic equipment Realize:Detect the particular CPU instruction in performing environment, the specific registration table information in detection performing environment and configuration information, inspection Survey performing environment in specific process and service, detection performing environment in file system and specific hardware information (MAC Address, Hard disk), detection performing environment in memory features, detect performing environment configuration (hard disk size, memory size, CPU core number Deng).Further, since the intrusion detection module in the present embodiment can also be realized by sandbox, therefore, by monitoring electronic equipment Access behavior find that typically passing through following several means during electronic equipment detection sandbox realizes:Detect performing environment in whether There is specific User Activity (such as mouse movement, access some network address etc.), Sleep is performed again for a period of time, circulation delay is held Capable, detection hook Hook (including:User Hook, kernel Hook etc.), detection network connectivty, detection user's name, only in spy Execution, the detection time of fixing the date, which accelerate, terminates analysis tool performs, detection browser record, operation program, the program installed Deng.Also, electronic equipment would generally realize that the detection of virtual machine and sandbox operates using multimedia combination, therefore, this Embodiment determines access request message corresponding to aforesaid operations and its right by monitoring the aforesaid operations of electronic equipment in advance The API answered, correspondingly, hooking function is set at the API, disappeared to intercept and capture and handle the access request sent by the API Breath.
For an intercepted access request message, the access result data corresponding to the message is determined together with its data type; the protection strategy matching that data type is looked up and the access request message is processed protectively according to it. In this embodiment, the access result data corresponding to access request messages is divided in advance into a first data type and a second data type.
The first data type includes the types of data that exist both in the virtualised environment and in a non-virtualised environment. For example, both a virtualised and a non-virtualised environment have network card information and registry information, so the access result data corresponding to that kind of information is of the first data type. Because data of this type exists in every environment, an access result must be returned to the electronic device, otherwise the user of the electronic device would become suspicious. Accordingly, the protection strategy set in this embodiment to match the first data type includes: for access result data of the first data type, set corresponding pseudo result data in advance; when an access request message for access result data of the first data type is intercepted, return the pseudo result data corresponding to that access result data in response to the message. In other words, for access result data of the first data type it is determined in advance whether the value of the data would reveal characteristics of the virtualised environment; if so, pseudo result data is set for it and the pseudo result data is returned to the electronic device. For example, both a virtualised and a non-virtualised environment have a physical network card, but the characteristics of the card may differ between the two environments; so for the access result data of the network card, corresponding pseudo result data (i.e. data consistent with a non-virtualised environment) is set, and once the electronic device requests the network card data it receives the corresponding pseudo result data, so that it cannot see through the virtualised environment.
The second data type includes the types of data that exist in the virtualised environment but not in a non-virtualised environment. Because data of this type exists only in the virtualised environment, returning the corresponding data to the electronic device would let it see through the virtualised environment. The protection strategy set in this embodiment to match the second data type therefore includes: when an access request message for access result data of the second data type is intercepted, return a null message in response. That is, no response result is returned for access request messages corresponding to the second data type, so that the electronic device cannot obtain data identifying the characteristics of the virtualised environment. The virtualised environment in this embodiment includes a virtualised environment constructed with a virtual machine and/or one constructed with a sandbox; whichever kind it is, protection can be achieved with the two strategies above.
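The two protection strategies, as the decision logic a hook would run for each intercepted query, are shown below as an added example written for this page, not the patent's own code. The query names, the classification of each query into the first or second data type, the marker strings and MAC prefixes used to decide whether a real value betrays the virtual machine, and the pseudo values returned are all assumptions chosen for illustration; the sample of intercepted queries is constructed.

```python
"""Added example (not the patent's code): deciding, per hooked query,
whether to pass the real value through, substitute pseudo result data
(first data type) or answer with nothing (second data type). Query names,
markers, prefixes and pseudo values are assumptions."""
from enum import Enum


class DataType(Enum):
    FIRST = 1   # present in both virtualised and non-virtualised environments
    SECOND = 2  # present only in the virtualised environment


# Which hooked query yields which data type (assumed classification).
QUERY_TYPES = {
    "mac_address": DataType.FIRST,
    "bios_version": DataType.FIRST,
    "cpu_count": DataType.FIRST,
    "registry:HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools": DataType.SECOND,
    "process:vmtoolsd.exe": DataType.SECOND,
    "process:vboxservice.exe": DataType.SECOND,
}

# Substrings and MAC prefixes that betray a virtual machine (assumed list).
VM_MARKERS = ("vmware", "vmw", "virtualbox", "vbox", "qemu", "xen", "hyper-v")
VM_MAC_PREFIXES = ("00:0c:29", "00:50:56", "00:05:69", "08:00:27", "52:54:00")

# Pseudo result data returned for first-type values that would otherwise
# reveal the virtualised environment (assumed values).
PSEUDO_RESULTS = {
    "mac_address": "3c:52:82:1a:2b:3c",
    "bios_version": "ALASKA - 1072009",
    "cpu_count": 4,
}


def reveals_vm(query: str, value) -> bool:
    """Would the real value of a first-type query expose the virtualised
    environment? (Heuristics chosen for the example.)"""
    if query == "mac_address":
        return str(value).lower().startswith(VM_MAC_PREFIXES)
    if query == "cpu_count":
        # A single core is a common, cheap VM configuration; assumed rule.
        return int(value) < 2
    return any(m in str(value).lower() for m in VM_MARKERS)


def protect(query: str, real_value):
    """Decide what the hook hands back to the requesting process.
    Returns (value, action) with action in passthrough / pseudo / null."""
    dtype = QUERY_TYPES.get(query)
    if dtype is None:
        # Not a hooked query: the real API answers.
        return real_value, "passthrough"
    if dtype is DataType.SECOND:
        # Exists only in a VM: answer as though it did not exist.
        return None, "null"
    if reveals_vm(query, real_value):
        return PSEUDO_RESULTS.get(query, real_value), "pseudo"
    return real_value, "passthrough"


def handle_requests(requests: list) -> list:
    """Apply protect() to (query, real_value) pairs; returns
    (query, returned_value, action) triples."""
    return [(q,) + protect(q, v) for q, v in requests]


# Constructed sample of what the hooked APIs really returned inside the VM.
SAMPLE_REQUESTS = [
    ("mac_address", "00:0c:29:4e:12:9f"),
    ("bios_version", "VMW71.00V.0.B64.1505140018"),
    ("cpu_count", 1),
    ("process:vmtoolsd.exe", True),
    ("registry:HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools", "C:\\Program Files\\VMware\\"),
    ("user_name", "admin"),
]

if __name__ == "__main__":
    for query, value, action in handle_requests(SAMPLE_REQUESTS):
        print(f"{action:12} {query} -> {value!r}")
```

The pseudo values must be mutually consistent (for instance, the MAC prefix, the BIOS string and the reported hardware should all describe the same plausible physical machine), since the text notes that a probing device combines several of these checks.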
In addition, the virtualised environment can also be protected in this embodiment in the following ways: (1) using open-source hardware virtualisation software and removing or changing the virtual machine's specific fingerprint information when compiling its source code, so that the malware on the electronic device fails to detect it; (2) changing the sandbox hardware configuration by hooking so that it looks more like a real machine (false configuration information can also be returned selectively); (3) configuring the system normally and installing popular software to increase confusion; (4) simulating normal user operation (mouse clicks, network access) to avoid being seen through by the electronic device; (5) increasing the detection time appropriately; (6) hooking away some abnormal operations (restart, shutdown); (7) countering hook detection accordingly; and (8) configuring the virtual network environment in other ways that can evade detection.
The first and second intrusion detection modules of the system can therefore conceal the virtualised environment so that the honeypot environment is not identified by the electronic device, which improves the availability of the system.
In addition, the system can use the information collected by the modules to build a hacker profile and so locate the attacker. Correspondingly, the system further performs the following operations: when an electronic device intruding into the wireless network is detected, record the device access information of the electronic device (the function realised by the wireless access module described above); obtain the network traffic information generated by the electronic device, and determine from it the device attribute information of the electronic device and the user attribute information corresponding to the electronic device; perform association analysis on the device access information, the device attribute information and the user attribute information corresponding to the electronic device, and determine from the analysis result the attack user information corresponding to the electronic device; the attack user information is used to locate the attacker and/or detect the position of the electronic device. The specific meaning and acquisition methods of the device access information and device attribute information have been described above and are not repeated here. The user attribute information corresponding to the electronic device mainly refers to personal behaviour information related to the attacker; it can be determined both from the device attribute information and from the behaviour characteristic information mentioned above. In this embodiment the user attribute information can include user identity information, for example social account information, attack tool information, the callback address of a remote control Trojan and the login password of a backdoor. That is, in this embodiment the information related to user behaviour can be separated out of the device attribute information described above as user attribute information.
For ease of understanding, several common items of device attribute information are listed below, taking device-fingerprint information as the example: IP address, geographical location, network identity, device fingerprint, operating system, browser, etc. Device attribute information can also be determined with the help of WebRTC (Web Real-Time Communication), the UA (User Agent), Canvas drawing, resolution (including size and colour depth 16/24), plugins, time zone, language, GPU (Graphics Processing Unit), AudioContext and so on. Specifically, the WebRTC protocol can obtain the internal and external IP addresses, even when a VPN (Virtual Private Network) is in use. The browser version and operating system version can be judged from the UA. When drawing a Canvas image, the same Canvas drawing code produces image characteristics that are stable and unique to a given machine and browser; based on this property, the invention only needs to extract the simplest CRC (Cyclic Redundancy Code) value to uniquely identify and track an electronic device and its corresponding user. Obtaining the resolution of the attacker's electronic device as an auxiliary condition allows the uniqueness of the electronic device to be determined more accurately. Obtaining the plugins of the attacker's electronic device to judge the software the attacker has installed, and using this as an auxiliary condition, likewise allows the uniqueness of the electronic device to be determined more accurately. Obtaining the time zone of the attacker's electronic device allows the attacker's country to be judged and serves as an auxiliary condition for determining the uniqueness of the electronic device. Obtaining the GPU model of the attacker's electronic device can also serve as an auxiliary condition for determining the uniqueness of the electronic device. As for the language mentioned above, it is not limited to the language currently used by the browser but includes all languages supported by the system, such as Simplified Chinese, Traditional Chinese and English. The inventors found while realising the invention that the prior art has no ready-made interface for obtaining the system's language information; to solve this, the embodiment takes the following approach: the page asks the electronic device to write two words in each language; if the system supports the language they are rendered normally, and if not, boxes are displayed. The languages supported by the system can be obtained in this way, and they then assist in determining the uniqueness of the electronic device and the identity of its user. In a specific implementation, the preset instructions sent by the electronic device can be intercepted by a hook function, and the operation logic set in the hook function, which writes the words in each language in turn, determines the languages the system supports. The device attribute information in this embodiment can therefore include many kinds of content, and some of it can also assist in determining the user attribute information.
Several common items of user attribute information are described below:
First, user attribute information includes user identity information, for example the user account information obtained in the manner described above. User account information includes the accounts the user has registered on major websites and the corresponding password information. Besides user account information, other kinds of information that can reflect the user's identity can also be included.
Secondly, user attribute information also includes user behaviour information, which is mainly used to determine the attacker's attack tools and attack techniques. Specifically, the attack tools and techniques used by the attacker are captured and features are extracted from the tools, such as URLs, IPs, sample MD5s, the callback address of the remote control Trojan and the backdoor login password; these features are used to determine whether two attackers are the same person, and the attacker's level can also be determined from them. For example, the sample downloaded by the same attacker after each login is the same, so the sample's MD5 is also the same; likewise the callback address of the same attacker's remote control Trojan and the backdoor login password are the same. An attacker can therefore be uniquely determined from the above information.
After above-mentioned equipment access information, device attribute information and customer attribute information is obtained, by above- mentioned information Analysis is associated, the attack user profile corresponding with the electronic equipment is determined according to analysis result.So-called association analysis, it is Finger is analyzed after according to device identification, above-mentioned every terms of information is associated.Because the equipment of same user accesses letter Device identification all same corresponding to breath, device attribute information and customer attribute information, therefore, it can be incited somebody to action by device identification The every terms of information of same user is interrelated, and using the result obtained after association as attack user profile.
Next, after the attack user profile corresponding with electronic equipment is determined according to analysis result, further set Put the attack user corresponding with attack user profile to identify, using attack user profile with attacking user's mark as a data Associated storage is recorded into default attack user list.Here, attack user's mark and the difference of device identification is:Equipment Mark is mainly used in uniquely determining an electronic equipment, and therefore, the hardware characteristics of device identification and electronic equipment are interrelated, For example, the hardware characteristics such as the video card of an electronic equipment, resolution ratio, network interface card are constant, therefore, device identification is mainly used in marking Know an electronic equipment in itself.However, attack user's mark is mainly used in uniquely determining an attacker, it is generally the case that Used electronic equipment is identical during each attack of one attacker, therefore, it is generally the case that device identification is used with attack The effect of family mark can be substituted for each other.But, however not excluded that it is some in particular cases, it is used during each attack of attacker Electronic equipment is different, and now, device identification and the intension of attack user's mark and effect are then completely different.Popular says, attack User's mark is interrelated with the customer attribute information of attacker, for example, the social account information of same attacker is constant , and the attacking wayses of same attacker and attack tool are changeless, therefore, attack user's mark is mainly used in marking Know an attacker in itself.
When it is implemented, can be using equipment access information and device attribute information as one-to-one with device identification Information, one-to-one information is identified using customer attribute information as with attack user.Correspondingly, the side in the present invention is passed through Formula, it can not only uniquely determine an electronic equipment, additionally it is possible to an attacker is uniquely determined, so as to can both realize pair The positioning of electronic equipment, the information to attacker and lookup can also be realized.
Correspondingly, when determining the attack user profile corresponding with electronic equipment according to analysis result, further inquiry Whether the data record to match with analysis result is included in the attack user list;If so, the number is updated according to analysis result According to record.Specifically, respectively for every data record in attack user list, determine in the data record whether comprising with Item of information value identical item of information in analysis result;If so, judge the title and/or quantity of the value identical item of information Whether preset matching rule is met, if so, determining that the data record matches with analysis result.It can be passed through by this kind of mode Attack user list and store the information of each attacker, and positioned and inquired about for attacker, so as to the peace of lifting system Quan Xing.
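The association analysis by device identifier and the matching of a new analysis result against the attack user list, as an added example in Python; this is not the patent's code. The hardware keys hashed into the device identifier, the field names, and the concrete matching rule (an identical device identifier or social account suffices by name; otherwise at least two identical tool features suffice by count) are assumptions, and the four sessions are constructed sample data, not captures.

```python
"""Association analysis by device identifier and matching against the
attack user list.  Added example, not the patent's implementation; the
hashed hardware keys, field names and matching thresholds are assumptions.
"""
import hashlib
import json


def device_id(attr_info: dict) -> str:
    """Device identifier bound to hardware features that stay constant
    across sessions (assumed key set; missing keys hash as empty strings)."""
    keys = ("gpu", "resolution", "mac", "timezone", "languages")
    material = json.dumps({k: attr_info.get(k, "") for k in keys}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def associate(access_info: dict, attr_info: dict, user_info: dict) -> dict:
    """Association analysis: the three information types collected for one
    device share one device identifier, so merging them under it yields the
    attack user information (the analysis result)."""
    return {"device_id": device_id(attr_info), **access_info, **attr_info, **user_info}


# Preset matching rule (assumption).  "Name" part: one of these items with an
# identical value is enough on its own.  "Quantity" part: at least
# MIN_TOOL_MATCHES identical tool features are enough together.
STRONG_ITEMS = {"device_id", "social_account"}
TOOL_ITEMS = {"sample_md5", "c2_address", "backdoor_password"}
MIN_TOOL_MATCHES = 2


def matches(record: dict, result: dict) -> bool:
    """Does a stored data record match the new analysis result?"""
    same = {k for k, v in result.items() if k in record and record[k] == v}
    return bool(same & STRONG_ITEMS) or len(same & TOOL_ITEMS) >= MIN_TOOL_MATCHES


class AttackUserList:
    """Preset attack user list: one data record per attack user identifier."""

    def __init__(self):
        self.records = []

    def upsert(self, result: dict) -> str:
        """Update the matching record, or add a new attacker; return its id."""
        for rec in self.records:
            if matches(rec, result):
                rec.update(result)       # update the record from the result
                return rec["attack_user_id"]
        uid = "AU%04d" % (len(self.records) + 1)
        self.records.append({"attack_user_id": uid, **result})
        return uid


def demo() -> list:
    """Four constructed honeypot sessions (sample data, not real captures)."""
    dev_a = {"gpu": "GeForce GTX 1060", "resolution": "1920x1080",
             "mac": "aa:bb:cc:dd:ee:01", "timezone": "UTC+08:00",
             "languages": ["zh-CN", "zh-TW", "en"]}
    dev_b = {"gpu": "Intel UHD 620", "resolution": "1366x768",
             "mac": "aa:bb:cc:dd:ee:02", "timezone": "UTC+08:00",
             "languages": ["zh-CN", "en"]}
    dev_c = {"gpu": "Radeon RX 560", "resolution": "2560x1440",
             "mac": "aa:bb:cc:dd:ee:03", "timezone": "UTC+03:00",
             "languages": ["ru", "en"]}
    tools = {"sample_md5": "0cc175b9c0f1b6a831c399e269772661",
             "c2_address": "203.0.113.7:4444", "backdoor_password": "p@ss-1"}
    other = {"sample_md5": "92eb5ffee6ae2fec3ad71c777531578f",
             "c2_address": "198.51.100.9:8080", "backdoor_password": "qwe"}
    sessions = [
        ({"ip": "192.168.1.23"}, dev_a, {"social_account": "weibo:u1", **tools}),
        ({"ip": "192.168.1.40"}, dev_a, dict(tools)),   # same device, same attacker
        ({"ip": "192.168.1.77"}, dev_b, dict(tools)),   # new device, same toolkit
        ({"ip": "192.168.1.78"}, dev_c, {"social_account": "weibo:u2", **other}),
    ]
    alist = AttackUserList()
    return [alist.upsert(associate(*s)) for s in sessions]


if __name__ == "__main__":
    print(demo())
```

The third session is the case the text singles out: the device identifier changes, but the toolkit features match, so the record is updated with the new device and the attack user identifier is retained. Once a record has been updated this way, a later session from that second device matches by device identifier alone, which is the "substitute for each other" behaviour the text describes.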
In summary, the system provided by the present invention lures the attacker into the honeypot and exposes the relevant information. The modules of the system collect a large amount of information in a layered, progressive manner, and these items of information can be queried in linked fashion. The system also supports attack alerting by SMS, e-mail and similar means. Emergency handling can moreover be achieved by locating the attacker and blocking the attack. In addition, the system can inspect the attack logs for tracing and forensic analysis.
The second intrusion detection module of the system in this embodiment has been introduced using a Windows-type high-interaction honeypot as the example; in fact, the second intrusion detection module of the system can equally be a Linux-type high-interaction honeypot.
In summary, the early warning method based on wireless network intrusion of the present invention can be implemented by the network transmission module of the above system; of course, the functions implemented by the other modules of that system (such as the wireless access module and the first/second intrusion detection modules) can also be applied in the early warning method based on wireless network intrusion of the present invention. Accordingly, details of the early warning method based on wireless network intrusion of the present invention can be found in the description of the corresponding parts of the above system.
Fig. 4 is a schematic structural diagram of an early warning device based on wireless network intrusion provided by another embodiment of the present invention. As shown in Fig. 4, the device includes:
an acquisition module 41, adapted to obtain the network traffic information generated by an electronic device that has intruded into the wireless network;
an analysis module 42, adapted to analyze the network traffic information and determine the network access behavior of the electronic device from the analysis result;
a warning module 43, adapted to judge whether the network access behavior of the electronic device satisfies a preset early warning rule and, if so, generate an attack early warning signal for early warning.
Optionally, the early warning rules include early warning rules for multiple network security grades, and the warning module is further adapted to:
determine the current network security grade and select the early warning rule matching the current network security grade.
Optionally, the preset early warning rule includes at least one of the following rules:
a rule for raising an alert when scanning behavior carried out with a preset scanning tool is detected;
a rule for raising an alert when a probing connection to a preset device in the wireless network is detected;
a rule for raising an alert when a successful connection to a preset device in the wireless network is detected.
Optionally, the acquisition module is specifically adapted to:
obtain, for each preset device in the wireless network, the point-to-point network traffic information generated after the electronic device has intruded into the wireless network, and supply that point-to-point network traffic information to the corresponding preset device; wherein each preset device accesses the wireless network in bridged mode.
Optionally, the device further includes:
a locating module 44, adapted to intercept, according to the network traffic information generated by the electronic device, a website access request sent by the electronic device and insert into the intercepted website access request a preset access script for accessing a preset website; receive the access result data corresponding to the preset website and determine the device attribute information of the electronic device from the access result data; and locate the electronic device according to the device attribute information.
The device can be implemented by the network transmission module of the above system.
According to an embodiment of the present invention, a non-volatile computer storage medium is provided. The computer storage medium stores at least one executable instruction, and the computer executable instruction can perform the early warning method based on wireless network intrusion of any of the above method embodiments.
Fig. 5 is a schematic structural diagram of an electronic device provided according to an embodiment of the present invention; the specific embodiments of the present invention do not limit the specific implementation of the electronic device.
As shown in Fig. 5, the electronic device may include a processor 502, a communications interface 504, a memory 506 and a communication bus 508.
The processor 502, the communications interface 504 and the memory 506 communicate with one another through the communication bus 508.
The communications interface 504 is used to communicate with network elements of other devices, such as clients or other servers.
The processor 502 is used to execute the program 510 and may specifically perform the relevant steps of the above early warning method embodiments.
Specifically, the program 510 may include program code, and the program code includes computer operation instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the electronic device may be processors of the same type, such as one or more CPUs, or processors of different types, such as one or more CPUs and one or more ASICs.
The memory 506 is used to store the program 510. The memory 506 may include high-speed RAM and may also include non-volatile memory, for example at least one magnetic disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
obtaining the network traffic information generated by an electronic device that has intruded into the wireless network;
analyzing the network traffic information and determining the network access behavior of the electronic device from the analysis result;
judging whether the network access behavior of the electronic device satisfies a preset early warning rule and, if so, generating an attack early warning signal for early warning.
Wherein the early warning rules include early warning rules for multiple network security grades, and the program 510 may specifically cause the processor 502 to perform the following operation: determining the current network security grade and selecting the early warning rule matching the current network security grade.
Wherein the preset early warning rule includes at least one of the following rules:
a rule for raising an alert when scanning behavior carried out with a preset scanning tool is detected;
a rule for raising an alert when a probing connection to a preset device in the wireless network is detected;
a rule for raising an alert when a successful connection to a preset device in the wireless network is detected.
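The rule selection by network security grade and the three preset early warning rules, as listed for the warning module of Fig. 4 and again for program 510 here, as an added example in Python that is not the patent's code. The flow record layout, the preset (decoy) device addresses, the grade-to-rule mapping, the distinct-port threshold and the scanner signature list are assumptions, and the flow records are constructed. The "Nmap Scripting Engine" string is the User-Agent Nmap's HTTP scripts send by default, but a renamed or custom scanner carries no such signature, which is why the example also counts distinct destination ports per source/destination pair.

```python
"""Early-warning rule engine over flow records.  Added example, not the
patent's code: record layout, preset device addresses, grade-to-rule
mapping, port-count threshold and scanner signatures are assumptions."""
from collections import defaultdict

PRESET_DEVICES = {"192.168.1.10": "ip-camera", "192.168.1.20": "nas"}  # assumed decoys

# Assumed mapping: a higher network security grade activates more rules.
GRADE_RULES = {1: {"connected"}, 2: {"connected", "probe"},
               3: {"connected", "probe", "scan"}}

SCAN_PORT_THRESHOLD = 5   # distinct ports on one host (assumed)
# "Nmap Scripting Engine" is the default User-Agent of Nmap's HTTP scripts;
# a renamed scanner carries no signature, hence the port-count rule too.
SCANNER_SIGNATURES = ("Nmap Scripting Engine", "masscan")


def select_rules(grade: int) -> set:
    """Select the early warning rule set matching the current grade."""
    applicable = [g for g in GRADE_RULES if g <= grade]
    return GRADE_RULES[max(applicable)] if applicable else set()


def analyze(flows: list) -> list:
    """Derive network access behaviors from raw flow records:
    ("scan"|"probe"|"connected", src, dst), in order of first occurrence."""
    behaviors = []
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
        if any(sig in f.get("ua", "") for sig in SCANNER_SIGNATURES):
            behaviors.append(("scan", f["src"], f["dst"]))
        if f["dst"] in PRESET_DEVICES:
            kind = "connected" if f["state"] == "established" else "probe"
            behaviors.append((kind, f["src"], f["dst"]))
    for (src, dst), seen in ports.items():
        if len(seen) >= SCAN_PORT_THRESHOLD:
            behaviors.append(("scan", src, dst))
    return list(dict.fromkeys(behaviors))


def early_warning(flows: list, grade: int) -> list:
    """Behaviors that satisfy a rule active at this grade, i.e. the alerts."""
    active = select_rules(grade)
    return [b for b in analyze(flows) if b[0] in active]


# Constructed flow records (not captured traffic): one intruder at .99
# sweeps six ports on the camera, probes SMB on the NAS, logs into its SSH,
# and runs an Nmap HTTP script against the gateway.
SAMPLE_FLOWS = [
    {"src": "192.168.1.99", "dst": "192.168.1.10", "dport": p, "state": "rejected"}
    for p in (21, 22, 23, 80, 443, 8080)
] + [
    {"src": "192.168.1.99", "dst": "192.168.1.20", "dport": 445, "state": "rejected"},
    {"src": "192.168.1.99", "dst": "192.168.1.20", "dport": 22, "state": "established"},
    {"src": "192.168.1.99", "dst": "192.168.1.1", "dport": 80, "state": "established",
     "ua": "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"},
]

if __name__ == "__main__":
    for grade in (1, 2, 3):
        print(grade, early_warning(SAMPLE_FLOWS, grade))
```

At grade 1 only the successful SSH login to the NAS decoy is reported; grade 2 adds the two probing connections; grade 3 adds the scans, one found by the User-Agent signature and one by the port sweep against the camera decoy. Because the traffic to each preset device is collected point-to-point, the port set is keyed per (source, destination) pair rather than per source, so a sweep across many decoys at one port each is not counted as a scan by this rule alone.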
The program 510 may specifically be used to cause the processor 502 to perform the following operation: obtaining, for each preset device in the wireless network, the point-to-point network traffic information generated after the electronic device has intruded into the wireless network, and supplying that point-to-point network traffic information to the corresponding preset device; wherein each preset device accesses the wireless network in bridged mode.
The program 510 may specifically be used to cause the processor 502 to perform the following operations: intercepting, according to the network traffic information generated by the electronic device, a website access request sent by the electronic device, and inserting into the intercepted website access request a preset access script for accessing a preset website;
receiving the access result data corresponding to the preset website and determining the device attribute information of the electronic device from the access result data;
and, after the step of generating the attack early warning signal for early warning, further: locating the electronic device according to the device attribute information.
A network hole is set in a preset wireless access device for an external electronic device to access the wireless network;
wherein the network hole is realized in the following way: opening a wireless network port and/or weakening the wireless network password.
The program 510 may specifically be used to cause the processor 502 to perform the following operation:
pushing a preset webpage to the electronic device, obtaining the access result generated by the electronic device accessing the preset webpage, and determining the device access information of the electronic device from the access result.
Wherein the preset webpage includes a social webpage that is logged into with a social account, and the device access information of the electronic device then includes the social account information determined from the access result generated for the social webpage.
Wherein the device access information includes at least one of the following: device name, IP address, MAC address, browser version, operating system version, device screen resolution and browser plugin information.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages can be used to implement the content of the invention described herein, and the description of a specific language above is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided here. It will be understood, however, that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it will be appreciated that, in order to simplify the disclosure and aid understanding of one or more of the various inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure is not, however, to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into that description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. Modules, units or components of an embodiment can be combined into one module, unit or component, and can furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to fall within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the present invention may be implemented in hardware, as software modules running on one or more processors, or as a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a device according to embodiments of the present invention. The present invention may also be implemented as equipment or a device program (for example a computer program and computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals, which may be downloaded from an internet website, provided on a carrier signal or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
A1. The invention discloses an early warning method based on wireless network intrusion, including:
obtaining the network traffic information generated by an electronic device that has intruded into the wireless network;
analyzing the network traffic information and determining the network access behavior of the electronic device from the analysis result;
judging whether the network access behavior of the electronic device satisfies a preset early warning rule and, if so, generating an attack early warning signal for early warning.
A2. The method according to A1, wherein the early warning rules include early warning rules for multiple network security grades, and before the step of judging whether the network access behavior of the electronic device satisfies the preset early warning rule, the method further includes:
determining the current network security grade and selecting the early warning rule matching the current network security grade.
A3. The method according to A1 or A2, wherein the preset early warning rule includes at least one of the following rules:
a rule for raising an alert when scanning behavior carried out with a preset scanning tool is detected;
a rule for raising an alert when a probing connection to a preset device in the wireless network is detected;
a rule for raising an alert when a successful connection to a preset device in the wireless network is detected.
A4. The method according to any one of A1 to A3, wherein the step of obtaining the network traffic information generated by the electronic device that has intruded into the wireless network specifically includes:
obtaining, for each preset device in the wireless network, the point-to-point network traffic information generated after the electronic device has intruded into the wireless network, and supplying that point-to-point network traffic information to the corresponding preset device; wherein each preset device accesses the wireless network in bridged mode.
A5. The method according to A1, wherein after the step of obtaining the network traffic information generated by the electronic device that has intruded into the wireless network, the method further includes:
intercepting, according to the network traffic information generated by the electronic device, a website access request sent by the electronic device, and inserting into the intercepted website access request a preset access script for accessing a preset website;
receiving the access result data corresponding to the preset website and determining the device attribute information of the electronic device from the access result data;
and, after the step of generating the attack early warning signal for early warning, further: locating the electronic device according to the device attribute information.
B6. An early warning device based on wireless network intrusion, including:
an acquisition module, adapted to obtain the network traffic information generated by an electronic device that has intruded into the wireless network;
an analysis module, adapted to analyze the network traffic information and determine the network access behavior of the electronic device from the analysis result;
a warning module, adapted to judge whether the network access behavior of the electronic device satisfies a preset early warning rule and, if so, generate an attack early warning signal for early warning.
B7. The device according to B6, wherein the early warning rules include early warning rules for multiple network security grades, and the warning module is further adapted to:
determine the current network security grade and select the early warning rule matching the current network security grade.
B8. The device according to B6 or B7, wherein the preset early warning rule includes at least one of the following rules:
a rule for raising an alert when scanning behavior carried out with a preset scanning tool is detected;
a rule for raising an alert when a probing connection to a preset device in the wireless network is detected;
a rule for raising an alert when a successful connection to a preset device in the wireless network is detected.
B9. The device according to any one of B6 to B8, wherein the acquisition module is specifically adapted to:
obtain, for each preset device in the wireless network, the point-to-point network traffic information generated after the electronic device has intruded into the wireless network, and supply that point-to-point network traffic information to the corresponding preset device; wherein each preset device accesses the wireless network in bridged mode.
B10. The device according to B6, wherein the device further includes:
a locating module, adapted to intercept, according to the network traffic information generated by the electronic device, a website access request sent by the electronic device and insert into the intercepted website access request a preset access script for accessing a preset website; receive the access result data corresponding to the preset website and determine the device attribute information of the electronic device from the access result data; and locate the electronic device according to the device attribute information.

Claims (10)

1. An early warning method based on wireless network intrusion, including:
obtaining the network traffic information generated by an electronic device that has intruded into a wireless network;
analyzing the network traffic information and determining the network access behavior of the electronic device from the analysis result;
judging whether the network access behavior of the electronic device satisfies a preset early warning rule and, if so, generating an attack early warning signal for early warning.
2. The method according to claim 1, wherein the early warning rules include early warning rules for multiple network security grades, and before the step of judging whether the network access behavior of the electronic device satisfies the preset early warning rule, the method further includes:
determining the current network security grade and selecting the early warning rule matching the current network security grade.
3. The method according to claim 1 or 2, wherein the preset early warning rule includes at least one of the following rules:
a rule for raising an alert when scanning behavior carried out with a preset scanning tool is detected;
a rule for raising an alert when a probing connection to a preset device in the wireless network is detected;
a rule for raising an alert when a successful connection to a preset device in the wireless network is detected.
4. The method according to any one of claims 1 to 3, wherein the step of obtaining the network traffic information generated by the electronic device that has intruded into the wireless network specifically includes:
obtaining, for each preset device in the wireless network, the point-to-point network traffic information generated after the electronic device has intruded into the wireless network, and supplying that point-to-point network traffic information to the corresponding preset device; wherein each preset device accesses the wireless network in bridged mode.
5. The method according to claim 1, wherein after the step of obtaining the network traffic information generated by the electronic device that has intruded into the wireless network, the method further includes:
intercepting, according to the network traffic information generated by the electronic device, a website access request sent by the electronic device, and inserting into the intercepted website access request a preset access script for accessing a preset website;
receiving the access result data corresponding to the preset website and determining the device attribute information of the electronic device from the access result data;
and, after the step of generating the attack early warning signal for early warning, further: locating the electronic device according to the device attribute information.
6. An early warning device based on wireless network intrusion, including:
an acquisition module, adapted to obtain the network traffic information generated by an electronic device that has intruded into a wireless network;
an analysis module, adapted to analyze the network traffic information and determine the network access behavior of the electronic device from the analysis result;
a warning module, adapted to judge whether the network access behavior of the electronic device satisfies a preset early warning rule and, if so, generate an attack early warning signal for early warning.
7. The device according to claim 6, wherein the early warning rules include early warning rules for multiple network security grades, and the warning module is further adapted to:
determine the current network security grade and select the early warning rule matching the current network security grade.
8. The device according to claim 6 or 7, wherein the preset early warning rule includes at least one of the following rules:
a rule for raising an alert when scanning behavior carried out with a preset scanning tool is detected;
a rule for raising an alert when a probing connection to a preset device in the wireless network is detected;
a rule for raising an alert when a successful connection to a preset device in the wireless network is detected.
9. An electronic device, including a processor, a memory, a communications interface and a communication bus, wherein the processor, the memory and the communications interface communicate with one another through the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the early warning method based on wireless network intrusion according to any one of claims 1 to 5.
10. A computer storage medium, wherein the storage medium stores at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the early warning method based on wireless network intrusion according to any one of claims 1 to 5.
Application CN201710944307.0A, priority date 2017-09-30, filing date 2017-09-30: Early warning method and device based on wireless network intrusion (legal status Active; granted as CN107465702B).

Publications (2)
CN107465702A, published 2017-12-12
CN107465702B, published 2020-11-13

Family

ID=60553298

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710944307.0A Active CN107465702B (en) 2017-09-30 2017-09-30 Early warning method and device based on wireless network intrusion

Country Status (1)

Country Link
CN (1) CN107465702B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108259472A (en) * 2017-12-28 2018-07-06 广州锦行网络科技有限公司 Dynamic joint defence mechanism based on attack analysis realizes system and method
CN110351237A (en) * 2019-05-23 2019-10-18 中国科学院信息工程研究所 Honey jar method and device for numerically-controlled machine tool
CN111818070A (en) * 2020-07-14 2020-10-23 广州锦行网络科技有限公司 Screen recording method under windows system
CN114465789A (en) * 2022-01-21 2022-05-10 成都全景智能科技有限公司 Analysis method, device and equipment for network rubbing equipment and storage medium
CN114844683A (en) * 2022-04-09 2022-08-02 国网山东省电力公司信息通信公司 Internet of things scanning control method and device based on authorization mechanism
CN115277256A (en) * 2022-09-27 2022-11-01 中国民用航空局空中交通管理局航空气象中心 Early warning method and system for data intranet and extranet gateway transmission

Citations (5)

\* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104065539A (en) * | 2014-07-09 | 2014-09-24 | 武汉安问科技发展有限责任公司 | Method for monitoring unauthorized network equipment based on application behaviors |
| CN104468631A (en) * | 2014-12-31 | 2015-03-25 | 国家电网公司 | Network intrusion identification method based on anomaly flow and black-white list library of IP terminal |
| CN104486765A (en) * | 2014-12-22 | 2015-04-01 | 上海斐讯数据通信技术有限公司 | Wireless intrusion detecting system and detecting method |
| EP3110104A1 (en) * | 2015-06-26 | 2016-12-28 | Palantir Technologies, Inc. | Improved network anomaly detection |
| US20170142135A1 (en) * | 2012-12-18 | 2017-05-18 | Department 13, LLC | Cooperative Intrusion Detection |


Non-Patent Citations (1)

\* Cited by examiner, † Cited by third party

| Title |
|---|
| 陈秀英 (Chen Xiuying): 《网络环境下高校图书馆信息安全》 (Information Security of University Libraries in a Network Environment), 31 January 2014, 研究出版社 (Research Press) * |

Cited By (8)

\* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108259472A (en) * | 2017-12-28 | 2018-07-06 | 广州锦行网络科技有限公司 | System and method for implementing a dynamic joint defence mechanism based on attack analysis |
| CN110351237A (en) * | 2019-05-23 | 2019-10-18 | 中国科学院信息工程研究所 | Honeypot method and device for numerical control machine tool |
| CN110351237B (en) * | 2019-05-23 | 2020-07-10 | 中国科学院信息工程研究所 | Honeypot method and device for numerical control machine tool |
| CN111818070A (en) * | 2020-07-14 | 2020-10-23 | 广州锦行网络科技有限公司 | Screen recording method under Windows system |
| CN114465789A (en) * | 2022-01-21 | 2022-05-10 | 成都全景智能科技有限公司 | Analysis method, device and equipment for network rubbing equipment and storage medium |
| CN114844683A (en) * | 2022-04-09 | 2022-08-02 | 国网山东省电力公司信息通信公司 | Internet of things scanning control method and device based on authorization mechanism |
| CN115277256A (en) * | 2022-09-27 | 2022-11-01 | 中国民用航空局空中交通管理局航空气象中心 | Early warning method and system for data intranet and extranet gateway transmission |
| CN115277256B (en) * | 2022-09-27 | 2022-12-16 | 中国民用航空局空中交通管理局航空气象中心 | Early warning method and system for data intranet and extranet gateway transmission |

Also Published As

| Publication number | Publication date |
|---|---|
| CN107465702B (en) | 2020-11-13 |

Similar Documents

| Publication | Title |
|---|---|
| CN107612924A (en) | Attacker localization method and device based on wireless network intrusion |
| CN107579997A (en) | Wireless network intrusion detection system |
| US9773109B2 (en) | Alternate files returned for suspicious processes in a compromised computer network |
| US9509714B2 (en) | Web page and web browser protection against malicious injections |
| US9712560B2 (en) | Web page and web browser protection against malicious injections |
| US9501639B2 (en) | Methods, systems, and media for baiting inside attackers |
| US10454950B1 (en) | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
| Nikiforakis et al. | Privaricator: Deceiving fingerprinters with little white lies |
| CN107465702A (en) | Early warning method and device based on wireless network intrusion |
| US10587647B1 (en) | Technique for malware detection capability comparison of network security devices |
| CN103634306B (en) | Security detection method and security detection server for network data |
| CN105184159B (en) | Method and device for identifying webpage tampering |
| CN103685294B (en) | Method and device for identifying attack sources of denial of service attack |
| US7941854B2 (en) | Method and system for responding to a computer intrusion |
| CN107888607A (en) | Cyberthreat detection method, device and network management device |
| CN107566401A (en) | Protection method and device for a virtualized environment |
| CN105491053A (en) | Web malicious code detection method and system |
| CN105592017B (en) | Defence method and system against cross-site scripting attack |
| CN108768989A (en) | APT attack defence method and system using mimicry technology |
| CN107509200A (en) | Equipment localization method and device based on wireless network intrusion |
| CN107733699B (en) | Internet asset security management method, system, device and readable storage medium |
| CN104378255B (en) | Detection method and device for web malicious users |
| CN108989294A (en) | Method and system for accurately identifying malicious users of website visits |
| Kaur et al. | Browser fingerprinting as user tracking technology |
| CN111464526A (en) | Network intrusion detection method, device, equipment and readable storage medium |

Legal Events

| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |