CN107566320A - Network hijacking detection method, device and network system - Google Patents


Info

Publication number
CN107566320A
Authority
CN
China
Prior art keywords
network
address
source
port
data
Legal status
Granted
Application number
CN201610509488.XA
Other languages
Chinese (zh)
Other versions
CN107566320B (en)
Inventor
王凯
肖耀高
李嵘
杨波
刘洪波
彭滔
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN201610509488.XA
Publication of CN107566320A
Application granted
Publication of CN107566320B
Current legal status: Active

Abstract

The invention discloses a network hijacking detection method, device and network system in the field of communication technology. The method includes: collecting the NetFlow packets sent by routing devices in a target network; obtaining the routing information of the routing devices in the target network; judging from the routing information whether a NetFlow packet is abnormal network data; and, if the NetFlow packet is abnormal network data, determining on the basis of a hijacking judgment rule whether the routing device that sent the abnormal network data is a hijacked device. The method, device and network system use a multi-stage hijacking detection method: the collected NetFlow data is first used for a preliminary detection of abnormal traffic, then the traffic-policy function of the network device is used for real-time traffic statistics, and port mirroring on the network device is used for real-time packet capture and analysis. The hijacking point can be located accurately, detection efficiency and accuracy are improved, computing cost is reduced and user experience is improved.

Description

Network hijacking detection method, device and network system
Technical field
The present invention relates to the field of communication technology, and in particular to a network hijacking detection method, device and network system.
Background technology
Network hijacking usually monitors user requests in the user access network and, when a request matches certain conditions, returns a redirect response to the user before the destination server does, redirecting the user to another web address rather than the one the user meant to visit. The redirected page may be a phishing site or may contain a trojan, pop-up advertisements and so on. As shown in Fig. 1, key routers 11 and 12 are provided in the metropolitan area network; the access requests of user devices 13 and 14 are sent to key routers 11 and 12, and the network response data returned from key routers 11 and 12 is received. A bypass device 15 is deployed beside key router 12; device 15 collects traffic information from an optical splitter and monitors all traffic flowing through key router 12. The optical splitting point of device 15 may be at the egress router of the metropolitan area network or at a key router, collecting the users' Internet traffic information: if it is at the DNS egress, the users' DNS request information is collected; if it is at the RADIUS egress, the users' RADIUS request information is collected.
Device 15 applies special treatment to certain requests according to a rule or policy. When a request sent by user device 14 flows through key router 12, if the protocol is TCP, device 15 generates a packet from the seq and ack numbers of the request, uses it as the response packet, and sends it to user device 14 through key router 12. If the protocol is UDP, device 15 directly generates a packet as the response and sends it to user device 14. Because the response packet generated by device 15 arrives earlier than the normal packet sent by the server that user device 14 is accessing, the real server's data is treated as an erroneous message and is not accepted when it arrives. The forged packet sent by device 15 is typically a 302 redirect instruction that guides the client to jump to a new link, such as an advertisement, which degrades the user's experience and may bring economic loss to the user.
The content of the invention
In view of this, one technical problem solved by the present invention is to provide a network hijacking detection method, device and network system.
According to one aspect of the present invention, a network hijacking detection method is provided, including: collecting the NetFlow packets sent by routing devices in a target network; obtaining the routing information of the routing devices in the target network; judging from the routing information whether a NetFlow packet is abnormal network data; and, if the NetFlow packet is abnormal network data, determining on the basis of a hijacking judgment rule whether the routing device that sent the abnormal network data is a hijacked device.
Optionally, judging from the routing information whether the NetFlow packet is abnormal network data includes: extracting source address information from the NetFlow packet; obtaining the route table entries of the routing device that sent the NetFlow packet; and matching the source address information against the source addresses in the route table entries. If no route table entry with the same source address can be matched, the NetFlow packet is determined to be abnormal network data.
Optionally, extracting source address information from the NetFlow packet includes extracting the source IP address and source port number from the NetFlow packet, and matching the source address information against the routing table includes matching the source IP address or its prefix and the source port number against the source address or source address prefix and source port number in the route table entries.
Optionally, determining on the basis of the hijacking judgment rule whether the routing device that sent the abnormal network data is a hijacked device includes: determining the routing device and the port that sent the abnormal network data; counting the traffic of packets sent from that port that have the same source information as the abnormal network data; and, when the traffic exceeds a preset traffic threshold, determining that the port is a hijacking port of a hijacked device.
Optionally, when the traffic is below the preset traffic threshold, the packets sent from the port that have the same source information as the abnormal network data are captured, and the accessed web address and the target redirect address are obtained from the packets. Whether the target redirect address is a safe redirect address is determined from a redirect record; if not, the port is determined to be a hijacking port of a hijacked device.
Optionally, when the traffic is below the preset traffic threshold, the packets sent from the port that have the same source information as the abnormal network data are captured, and a domain name and an IP address are obtained from the packets. Whether the correspondence between the domain name and the IP address is correct is determined from a domain name correspondence rule; if not, the port is determined to be a hijacking port of a hijacked device.
According to another aspect of the present invention, a network hijacking detection device is provided, including: a data collection module for collecting the NetFlow packets sent by routing devices in a target network; a route acquisition module for obtaining the routing information of the routing devices in the target network; an abnormality determining module for judging from the routing information whether a NetFlow packet is abnormal network data; and a hijack locating module for determining, on the basis of a hijacking judgment rule, whether the routing device that sent the abnormal network data is a hijacked device when the NetFlow packet is abnormal network data.
Optionally, the abnormality determining module includes: a source address extraction unit for extracting source address information from the NetFlow packet; a route table entry determining unit for obtaining the route table entries of the routing device that sent the NetFlow packet; and a route table entry matching unit for matching the source address information against the source addresses in the route table entries and determining the NetFlow packet to be abnormal network data if no route table entry with the same source address can be matched.
Optionally, the source address extraction unit extracts the source IP address and source port number from the NetFlow packet, and the route table entry matching unit matches the source IP address or its prefix and the source port number against the source address or source address prefix and source port number in the route table entries.
Optionally, the hijack locating module includes: a device determining unit for determining the routing device and port that sent the abnormal network data; a traffic statistics unit for counting the traffic of packets sent from that port that have the same source information as the abnormal network data; and a port locating unit for determining that the port is a hijacking port of a hijacked device when the traffic exceeds a preset traffic threshold.
Optionally, the hijack locating module includes: a redirect data capture unit for capturing, when the traffic is below the preset traffic threshold, the packets sent from the port that have the same source information as the abnormal network data and obtaining the accessed web address and the target redirect address from the packets; and a redirect data detection unit for determining from a redirect record whether the target redirect address is a safe redirect address and, if not, determining that the port is a hijacking port of a hijacked device.
Optionally, the hijack locating module includes: a domain name data capture unit for capturing, when the traffic is below the preset traffic threshold, the packets sent from the port that have the same source information as the abnormal network data and obtaining a domain name and an IP address from the packets; and a domain name data detection unit for determining from a domain name correspondence rule whether the correspondence between the domain name and the IP address is correct and, if not, determining that the port is a hijacking port of a hijacked device.
According to yet another aspect of the present invention, a network system is provided that includes the network hijacking detection device described above.
The network hijacking detection method, device and network system of the present invention use a multi-stage hijacking detection method: NetFlow data is collected first to detect whether an abnormality has occurred, then the traffic-policy function of the network device is used for real-time traffic statistics and port mirroring on the network device is used for real-time packet capture and analysis. The hijacking point can be located accurately, and network hijacking can be monitored and prevented.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a network topology diagram of the prior art including a hijacked device;
Fig. 2 is a flow diagram of one embodiment of the network hijacking detection method according to the present invention;
Fig. 3 is a module diagram of one embodiment of the network hijacking detection device according to the present invention;
Fig. 4 is a module diagram of the abnormality determining module in one embodiment of the network hijacking detection device according to the present invention;
Fig. 5 is a module diagram of the hijack locating module in one embodiment of the network hijacking detection device according to the present invention.
Embodiment
The present invention is described more fully below with reference to the drawings, in which exemplary embodiments of the invention are shown. The technical solutions in the embodiments of the present invention are described clearly and completely in conjunction with the drawings; obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention. The technical solution of the present invention is described in various ways below with reference to the figures and embodiments.
Fig. 2 is a flow diagram of one embodiment of the network hijacking detection method according to the present invention. As shown in Fig. 2:
Step 201: collect the NetFlow packets sent by the routing devices in the target network.
NetFlow is a flow export mechanism that provides a session-level view of network traffic, recording information about TCP/IP flows (one record per flow rather than per packet, and, when sampling is enabled, only a fraction of the packets contribute to the records). A NetFlow system consists of probes (exporters) and collectors: the probe monitors network data and the collector gathers the data the probe sends, so the collector can collect the NetFlow packets sent by the routing devices in the target network. The target network may be a metropolitan area network, a provincial network, a national network and so on; the routing devices may be edge routers, core routers and so on.
Step 202: obtain the routing information of the routing devices in the target network.
The routing information in the target network can be configured in advance; it may be the routing tables of the routing devices and so on, and can be obtained from the OSS. IP addresses are usually divided and allocated across the whole network, so the network or region an IP address belongs to can be determined from the address.
Step 203: judge from the routing information whether a NetFlow packet is abnormal network data.
The collected NetFlow packets may be stored in a NetFlow database, with the raw data organized into normalized data by NetFlow preprocessing. The data in the NetFlow database is then judged against the routing information to decide whether it is abnormal network data.
Step 204: if the NetFlow packet is abnormal network data, determine on the basis of a hijacking judgment rule whether the routing device that sent the abnormal network data is a hijacked device.
In the network hijacking detection method of the above embodiment, the NetFlow detection function is enabled on the routers in the network, NetFlow packets are collected and analyzed to judge preliminarily whether a NetFlow packet is abnormal, and the hijacked device is then determined.
For example, NetFlow is enabled and exported to a collection system. On a Cisco GSR router, an example configuration enabling NetFlow on port GigabitEthernet10/0 is as follows:
ip flow-export source Loopback0
ip flow-export destination *.*.*.61 9995
ip flow-sampling-mode packet-interval 100
interface GigabitEthernet10/0
 ip route-cache flow sampled
This configuration sends NetFlow data for traffic entering GigabitEthernet10/0 to the NetFlow collector *.*.*.61 on UDP port 9995, in sampled mode with a sampling ratio of 1:100.
Source address information is extracted from the NetFlow packet, and the route table entries of the routing device that sent the NetFlow packet are obtained. The source address information is matched against the source addresses in the route table entries; if no route table entry with the same source address can be matched, the NetFlow packet is determined to be abnormal network data.
A NetFlow record includes the source IP address, destination IP address, source port, destination port, protocol type, packet count, byte count and so on. The source IP address and source port number are extracted from the NetFlow packet, and the source IP address or its prefix together with the source port number is matched against the source address or source address prefix and source port number in the route table entries.
For example, the NetFlow packets sent by edge router B of province A in the core network are collected, and configuration information such as the routing table and routing links of edge router B is obtained. The source IP address and source port number are extracted from the NetFlow packet, and the prefix of the source IP address and the source port number are matched against the source address prefixes and source port numbers in the routing table of edge router B; when no match is found, the packet is determined to be abnormal network data. For example, if the source IP address extracted from a NetFlow packet sent by edge router B belongs to an IP range allocated to province D, and the source address prefixes in the route table entries of edge router B do not contain the prefix of the province D allocation, the packet is probably a forged packet generated by another device and sent to edge router B.
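The prefix-and-port match of this stage, written out as an added example (Python; not code from the patent). The router name edgeB, the prefixes, the port restriction on the server prefix and the CSV export format are constructed assumptions. It goes slightly beyond the text by also reporting records from an exporter whose route table is not on file, since those cannot be validated either way.

```python
"""Stage 1 of the patent's method: match each NetFlow record's source address
(and, as the claims also do, its source port) against the route table of the
router that exported it, and flag records with no matching entry as abnormal.
Added example; data and router names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class RouteEntry:
    # Prefix the router expects to see as a *source* address on this side, plus
    # an optional restriction on source ports (None = any port).
    prefix: ipaddress.IPv4Network
    src_ports: Optional[Set[int]] = None


@dataclass(frozen=True)
class FlowRecord:
    exporter: str     # router that exported the record (from the export source IP)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int
    octets: int


def parse_flow_line(line: str) -> FlowRecord:
    """Parse one CSV line: exporter,src_ip,src_port,dst_ip,dst_port,proto,packets,octets."""
    f = line.strip().split(",")
    if len(f) != 8:
        raise ValueError(f"bad flow line: {line!r}")
    return FlowRecord(f[0], f[1], int(f[2]), f[3], int(f[4]),
                      int(f[5]), int(f[6]), int(f[7]))


def build_table(entries) -> List[RouteEntry]:
    table = [RouteEntry(ipaddress.ip_network(p, strict=False), ports)
             for p, ports in entries]
    # Longest prefix first so the most specific entry is tried first.
    return sorted(table, key=lambda e: e.prefix.prefixlen, reverse=True)


def matching_entry(rec: FlowRecord, table: List[RouteEntry]) -> Optional[RouteEntry]:
    src = ipaddress.ip_address(rec.src_ip)
    for entry in table:
        if src in entry.prefix and (entry.src_ports is None
                                    or rec.src_port in entry.src_ports):
            return entry
    return None


def find_abnormal(records, tables: Dict[str, List[RouteEntry]]) -> List[FlowRecord]:
    """Records whose source matches no entry of their exporter's table.
    An exporter with no known table is reported too: it cannot be validated."""
    abnormal = []
    for rec in records:
        table = tables.get(rec.exporter)
        if table is None or matching_entry(rec, table) is None:
            abnormal.append(rec)
    return abnormal


# Constructed route table for "edgeB": province A customer prefixes (assumed
# values), plus one server prefix that should only source HTTP/HTTPS.
ROUTE_TABLES = {
    "edgeB": build_table([
        ("10.10.0.0/16", None),
        ("10.11.0.0/16", None),
        ("203.0.113.0/24", {80, 443}),
    ]),
}

# Constructed NetFlow records as exported by edgeB. 10.20.0.0/16 stands for a
# province D allocation that edgeB has no route entry for.
SAMPLE_FLOW_LINES = [
    "edgeB,10.10.5.7,51234,198.51.100.9,80,6,12,1480",
    "edgeB,10.11.200.1,443,10.10.5.8,51234,6,9,6100",
    "edgeB,10.20.1.1,80,10.10.5.7,51234,6,1,320",       # forged 302, wrong prefix
    "edgeB,203.0.113.5,8080,10.10.5.7,40000,6,1,140",   # known prefix, unexpected port
    "coreX,10.10.5.9,53,198.51.100.53,53,17,1,96",      # exporter with no table
]


def abnormal_sources(lines=SAMPLE_FLOW_LINES, tables=ROUTE_TABLES) -> List[str]:
    records = [parse_flow_line(line) for line in lines]
    return [f"{r.exporter}:{r.src_ip}:{r.src_port}"
            for r in find_abnormal(records, tables)]


if __name__ == "__main__":
    for item in abnormal_sources():
        print("abnormal", item)
```

This is source-address validation done at the collector rather than on the forwarding path, so it costs the router nothing. One caveat follows from the sampled export shown above: at 1:100 packet sampling a single forged 302 response is unlikely to appear in any record, so a hijacking box usually becomes visible here only after it has forged many responses, which is why the traffic-statistics stage that follows is needed for confirmation.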
When abnormal network data is determined to exist, real-time traffic statistics can be enabled on the routing device for further confirmation; the statistics policy must be removed after the statistics are taken. The routing device and port that sent the abnormal network data are determined, the traffic of packets sent from that port that have the same source information as the abnormal network data is counted, and when the traffic exceeds the preset traffic threshold the port is determined to be a hijacking port of a hijacked device.
For example, edge router B is determined to have received forged network data whose source address is an IP address allocated to province D. The traffic of packets sent from each port of edge router B whose source information is the province D address is counted. When the traffic on port C of edge router B exceeds the preset traffic threshold, port C is determined to be the hijacking port of a hijacked device, i.e. another device is sending forged packets through port C of edge router B; edge router B is then the hijacked device and port C is its hijacking port.
When the traffic exceeds the preset traffic threshold, the port can be determined directly to be a hijacking port of a hijacked device. When the traffic is below the preset traffic threshold, further determination is needed: packet capture through port mirroring on the routing device is used to locate the hijacking point accurately and to monitor and prevent network hijacking.
For forged network data, DNS addresses and main sites such as www.baidu.com, www.qq.com and www.163.com can be monitored. When the traffic is below the preset traffic threshold, the packets sent from the port that have the same source information as the abnormal network data are captured, and the accessed web address and the target redirect address are obtained from the packets. Whether the target redirect address is a safe redirect address is determined from a redirect record; if not, the port is determined to be a hijacking port of a hijacked device.
For example, the currently accessed web address and the target redirect address are obtained from the current web access instruction, and the safe redirect address for the accessed web address is determined from the redirect record. The redirect record may be configured by the operator or built by statistics over historical access data; it holds the safe redirect address corresponding to each accessed web address, or a whitelist of redirect addresses. The safe redirect address is determined from the redirect record, and the target redirect address is then judged against it to decide whether it has been hijacked, so hijacking can be found immediately.
In one embodiment, when the traffic is below the preset traffic threshold, the packets sent from the port that have the same source information as the abnormal network data are captured, and a domain name and an IP address are obtained from the packets. Whether the correspondence between the domain name and the IP address is correct is determined from a domain name correspondence rule; if not, the port is determined to be a hijacking port of a hijacked device.
For example, abc.com is a registered domain under the top-level domain com, and further labels can be added beneath it, such as news.abc.com. DNS (Domain Name System) consists of resolvers and name servers; a name server stores the domain names of the hosts in its zone together with their IP addresses and converts domain names to IP addresses. DNS lets people access the Internet more conveniently, without having to remember the numeric IP address strings that machines read directly.
The domain name correspondence rule holds the correct correspondence between domain names and IP addresses. The correct correspondence may be obtained by statistics over historical data or configured by the operator. The domain name and IP address are obtained from the packet and checked for whether their correspondence appears in the domain name correspondence rule; if not, it can be concluded that the user's web access has suffered DNS hijacking, i.e. another device has imitated the DNS server and returned a wrong resolution result, the domain name resolution is abnormal, and the user is directed to another web page.
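The traffic-threshold stage and the two packet-capture checks above (redirect target against the redirect record, and domain name against the domain name correspondence rule), as one added example in Python that is not the patent's own code. The port names, addresses, threshold, safe-redirect record and domain rule are constructed; in a deployment the packets would come from a port-mirror capture and the per-port totals from the router's traffic-policy counters. Treating a name with no rule as "not judged" is an assumption, taken from the text's use of a fixed list of monitored sites.

```python
"""Stages 2 and 3 of the patent's method, run over packets captured from a
suspect router's ports: per-port traffic statistics against a threshold, and
for ports under the threshold a packet-level check of HTTP redirect targets
against a safe-redirect record and of DNS answers against a domain/IP rule.
Added example; packets, ports, thresholds and rules are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass(frozen=True)
class Packet:
    port: str                           # router port the packet was sent from
    src_ip: str
    dst_ip: str
    octets: int
    http_host: Optional[str] = None     # Host of the request this response answers
    http_status: Optional[int] = None
    location: Optional[str] = None      # Location header of a redirect response
    dns_qname: Optional[str] = None     # question name of a DNS response
    dns_answer: Optional[str] = None    # A record returned in that response


def same_source(pkt: Packet, abnormal_sources: List[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(pkt.src_ip)
    return any(ip in net for net in abnormal_sources)


def bytes_per_port(packets: Iterable[Packet], abnormal_sources) -> Dict[str, int]:
    """Stage 2: bytes sent from each port with the abnormal source information."""
    totals: Dict[str, int] = defaultdict(int)
    for p in packets:
        if same_source(p, abnormal_sources):
            totals[p.port] += p.octets
    return dict(totals)


def redirect_is_safe(pkt: Packet, safe_redirects: Dict[str, Set[str]]) -> bool:
    """Stage 3a: a redirect is safe if it stays on the accessed host or goes to
    a host listed for that accessed host in the safe-redirect record."""
    if pkt.http_status not in REDIRECT_STATUSES or not pkt.location:
        return True
    target = urlsplit(pkt.location).hostname
    if target is None:                  # relative Location: same host
        return True
    return target == pkt.http_host or target in safe_redirects.get(pkt.http_host, set())


def dns_is_correct(pkt: Packet, dns_rules: Dict[str, Set[str]]) -> bool:
    """Stage 3b: the answer must be one of the IPs the rule lists for the name.
    Names with no rule are not judged (assumption: the rule covers only the
    monitored sites)."""
    if pkt.dns_qname is None or pkt.dns_answer is None:
        return True
    expected = dns_rules.get(pkt.dns_qname.lower())
    return expected is None or pkt.dns_answer in expected


def locate_hijack_ports(packets: List[Packet], abnormal_sources, threshold: int,
                        safe_redirects, dns_rules) -> Dict[str, str]:
    """Map each port found to be a hijacking port to the rule that caught it."""
    verdict: Dict[str, str] = {}
    for port, total in bytes_per_port(packets, abnormal_sources).items():
        if total > threshold:
            verdict[port] = "flow-threshold"
            continue
        for p in packets:                # under threshold: inspect the capture
            if p.port != port or not same_source(p, abnormal_sources):
                continue
            if not redirect_is_safe(p, safe_redirects):
                verdict[port] = "unsafe-redirect"
                break
            if not dns_is_correct(p, dns_rules):
                verdict[port] = "dns-mismatch"
                break
    return verdict


# Constructed inputs. 10.20.0.0/16 is the "province D" source seen in stage 1;
# the threshold and all addresses are assumed values.
ABNORMAL_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]
THRESHOLD = 1_000_000
SAFE_REDIRECTS = {"www.baidu.com": {"m.baidu.com"}}
DNS_RULES = {"www.qq.com": {"203.0.113.10", "203.0.113.11"}}
SAMPLE_PACKETS = [
    Packet("Gi10/0", "10.20.1.1", "10.10.5.7", 700_000),
    Packet("Gi10/0", "10.20.1.1", "10.10.5.8", 600_000),
    Packet("Gi10/1", "10.20.1.2", "10.10.5.7", 400, http_host="www.baidu.com",
           http_status=302, location="http://ads.example/landing"),
    Packet("Gi10/2", "10.20.1.3", "10.10.5.9", 120, dns_qname="www.qq.com",
           dns_answer="10.20.9.9"),
    Packet("Gi10/3", "10.20.1.4", "10.10.5.7", 300, http_host="www.163.com",
           http_status=302, location="/login"),
    Packet("Gi10/3", "10.10.5.5", "198.51.100.9", 5_000_000),   # normal source, ignored
]


def hijack_ports(packets=SAMPLE_PACKETS) -> Dict[str, str]:
    return locate_hijack_ports(packets, ABNORMAL_SOURCES, THRESHOLD,
                               SAFE_REDIRECTS, DNS_RULES)


if __name__ == "__main__":
    for port, reason in sorted(hijack_ports().items()):
        print(port, reason)
```

Only packets carrying the abnormal source information count towards a port's total, so the large normal flow on Gi10/3 does not push it over the threshold, and a relative Location on that port is accepted because it stays on the host the user asked for.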
The network hijacking detection method of the above embodiment enables NetFlow to judge preliminarily whether an abnormality has occurred, then uses the traffic-policy function of the network device and packet-capture analysis through a port mirror to locate the hijacking point. The hijacking point can be located accurately, network hijacking can be monitored and prevented, and detection efficiency and accuracy are improved.
As shown in Fig. 3, the present invention provides a network hijacking detection device 30 that includes a data collection module 31, a route acquisition module 32, an abnormality determining module 33 and a hijack locating module 34. The data collection module 31 collects the NetFlow packets sent by the routing devices in the target network. The route acquisition module 32 obtains the routing information of the routing devices in the target network. The abnormality determining module 33 judges from the routing information whether a NetFlow packet is abnormal network data. If the NetFlow packet is abnormal network data, the hijack locating module 34 determines on the basis of a hijacking judgment rule whether the routing device that sent the abnormal network data is a hijacked device.
As shown in Fig. 4, the abnormality determining module 33 includes a source address extraction unit 331, a route table entry determining unit 332 and a route table entry matching unit 333. The source address extraction unit 331 extracts source address information from the NetFlow packet. The route table entry determining unit 332 obtains the route table entries of the routing device that sent the NetFlow packet, and the route table entry matching unit 333 matches the source address information against the source addresses in the route table entries; if no route table entry with the same source address can be matched, the NetFlow packet is determined to be abnormal network data.
The source address extraction unit 331 extracts the source IP address and source port number from the NetFlow packet. The route table entry matching unit 333 matches the source IP address or its prefix and the source port number against the source address or source address prefix and source port number in the route table entries.
As shown in Fig. 5, the hijack locating module 34 includes a device determining unit 341, a traffic statistics unit 342, a port locating unit 343, a redirect data capture unit 344, a redirect data detection unit 345, a domain name data capture unit 346 and a domain name data detection unit 347.
The device determining unit 341 determines the routing device and port that sent the abnormal network data. The traffic statistics unit 342 counts the traffic of packets sent from the port that have the same source information as the abnormal network data. The port locating unit 343 determines that the port is a hijacking port of a hijacked device when the traffic exceeds the preset traffic threshold.
The redirect data capture unit 344 captures, when the traffic is below the preset traffic threshold, the packets sent from the port that have the same source information as the abnormal network data, and obtains the accessed web address and the target redirect address from the packets. The redirect data detection unit 345 determines from the redirect record whether the target redirect address is a safe redirect address and, if not, determines that the port is a hijacking port of a hijacked device.
The domain name data capture unit 346 captures, when the traffic is below the preset traffic threshold, the packets sent from the port that have the same source information as the abnormal network data, and obtains a domain name and an IP address from the packets. The domain name data detection unit 347 determines from the domain name correspondence rule whether the correspondence between the domain name and the IP address is correct and, if not, determines that the port is a hijacking port of a hijacked device.
In one embodiment, the present invention provides a network system including the network hijacking detection device described above.
The network hijacking detection method, device and network system provided in the above embodiments use a multi-stage hijacking detection method: NetFlow data is collected first to detect whether abnormal network traffic has occurred and to identify forged data preliminarily, then the traffic-policy function of the network device is used for real-time traffic statistics and port mirroring on the network device is used for real-time packet capture and analysis. The hijacking point can be located accurately, network hijacking can be monitored and prevented, detection efficiency and accuracy are improved, computing cost is reduced and user experience is improved.
The method and system of the present invention may be implemented in many ways, for example by software, hardware, firmware or any combination of software, hardware and firmware. The order of the steps of the method given above is for illustration only; the steps of the method of the present invention are not limited to the order described above unless otherwise specified. In addition, in some embodiments the present invention may be embodied as a program recorded on a recording medium, the program including machine-readable instructions for implementing the method according to the present invention. The present invention therefore also covers a recording medium storing a program for executing the method according to the present invention.
The description of the present invention is given for the purposes of example and description and is not exhaustive or limited to the disclosed form. Many modifications and variations are obvious to a person of ordinary skill in the art. The embodiments were selected and described to better explain the principles and practical application of the invention and to enable a person of ordinary skill in the art to understand the invention and to design various embodiments with various modifications suited to particular uses.

Claims (13)

1. A network hijacking detection method, characterized by comprising:
collecting NetFlow data packets sent by routing devices in a target network;
obtaining the routing information of the routing devices in the target network;
judging, according to the routing information, whether the NetFlow data packet is abnormal network data;
if the NetFlow data packet is abnormal network data, determining, based on a hijacking judgment rule, whether the routing device sending the abnormal network data is a hijacked device.
2. The method according to claim 1, characterized in that judging, according to the routing information, whether the NetFlow data packet is abnormal network data comprises:
extracting source address information from the NetFlow data packet;
obtaining the route table entries of the routing device that sent the NetFlow data packet;
matching the source address information against the source addresses in the route table entries, and, if no route table entry with an identical source address can be matched, determining that the NetFlow data packet is abnormal network data.
3. The method according to claim 2, characterized in that extracting source address information from the NetFlow data packet comprises:
extracting a source IP address and a source port number from the NetFlow data packet;
and matching the source address information against the routing table comprises:
matching the source IP address or the prefix of the source IP address, together with the source port number, against the source address or source address prefix and the source port number in the routing table.
4. The method according to claim 2 or 3, characterized in that determining, based on the hijacking judgment rule, whether the routing device sending the abnormal network data is a hijacked device comprises:
determining the routing device and the port that send the abnormal network data;
counting the traffic of the data packets sent by the port that have the same source information as the abnormal network data;
when the traffic is greater than a preset traffic threshold, determining that the port is a hijacking port of a hijacked device.
5. The method according to claim 4, characterized by comprising:
when the traffic is less than the preset traffic threshold, capturing the data packets sent by the port that have the same source information as the abnormal network data, and obtaining the accessed URL and the target redirect URL from the data packets;
determining, according to a URL redirect record, whether the target redirect URL is a safe redirect URL, and if not, determining that the port is a hijacking port of a hijacked device.
6. The method according to claim 4, characterized by comprising:
when the traffic is less than the preset traffic threshold, capturing the data packets sent by the port that have the same source information as the abnormal network data, and obtaining the domain name and the IP address from the data packets;
determining, according to a domain name correspondence rule, whether the correspondence between the domain name and the IP address is correct, and if not, determining that the port is a hijacking port of a hijacked device.
7. A network hijacking detection device, characterized by comprising:
a data acquisition module, for collecting NetFlow data packets sent by routing devices in a target network;
a route acquisition module, for obtaining the routing information of the routing devices in the target network;
an anomaly determining module, for judging, according to the routing information, whether the NetFlow data packet is abnormal network data;
a hijack locating module, for determining, based on a hijacking judgment rule, whether the routing device sending the abnormal network data is a hijacked device if the NetFlow data packet is abnormal network data.
8. The device according to claim 7, characterized in that:
the anomaly determining module comprises:
a source address extraction unit, for extracting source address information from the NetFlow data packet;
a route table entry determining unit, for obtaining the route table entries of the routing device that sent the NetFlow data packet;
a route table entry matching unit, for matching the source address information against the source addresses in the route table entries and, if no route table entry with an identical source address can be matched, determining that the NetFlow data packet is abnormal network data.
9. The device according to claim 8, characterized in that:
the source address extraction unit is for extracting a source IP address and a source port number from the NetFlow data packet;
the route table entry matching unit is for matching the source IP address or the prefix of the source IP address, together with the source port number, against the source address or source address prefix and the source port number in the route table entries.
10. The device according to claim 8 or 9, characterized in that:
the hijack locating module comprises:
a device determining unit, for determining the routing device and the port that send the abnormal network data;
a traffic statistics unit, for counting the traffic of the data packets sent by the port that have the same source information as the abnormal network data;
a port locating unit, for determining that the port is a hijacking port of a hijacked device when the traffic is greater than a preset traffic threshold.
11. The method according to claim 10, characterized in that:
the hijack locating module comprises:
a redirect data capture unit, for capturing, when the traffic is less than the preset traffic threshold, the data packets sent by the port that have the same source information as the abnormal network data, and obtaining the accessed URL and the target redirect URL from the data packets;
a redirect data detection unit, for determining, according to a URL redirect record, whether the target redirect URL is a safe redirect URL, and if not, determining that the port is a hijacking port of a hijacked device.
12. The device according to claim 11, characterized in that:
the hijack locating module comprises:
a domain name data capture unit, for capturing, when the traffic is less than the preset traffic threshold, the data packets sent by the port that have the same source information as the abnormal network data, and obtaining the domain name and the IP address from the data packets;
a domain name data detection unit, for determining, according to a domain name correspondence rule, whether the correspondence between the domain name and the IP address is correct, and if not, determining that the port is a hijacking port of a hijacked device.
13. A network system, characterized in that:
it comprises the network hijacking detection device according to any one of claims 7 to 12.

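The three-stage procedure of claims 1 to 6 (route-table match on source prefix and port, per-port traffic statistics against a threshold, then packet-level redirect and domain checks below the threshold) carried through on sample data, as an added example in Python. This is not code from the patent or from China Telecom: the route tables, NetFlow-style records, captured packets, safe-redirect record, domain correspondence table, threshold and all function names are constructed for illustration.

```python
"""Multi-stage hijack detection modelled on claims 1 to 6 (added example).

Stage 1 (claims 2-3): a NetFlow record is abnormal when the exporting device
has no route table entry whose source prefix and source port both match.
Stage 2 (claim 4): abnormal records are summed per device port and source;
above a preset traffic threshold the port is declared a hijacking port.
Stage 3 (claims 5-6): below the threshold, packets captured on that port are
checked against a safe-redirect record and a domain-to-IP correspondence rule.
Every table and record below is constructed sample data, not from the patent.
"""
import ipaddress
from collections import defaultdict

# Constructed routing information: device -> [(source prefix, allowed source ports)]
ROUTE_TABLES = {
    "R1": [("10.1.0.0/16", {80, 443}), ("10.2.0.0/16", {53, 80, 443})],
    "R2": [("192.168.0.0/24", {80, 443})],
}

# Constructed NetFlow-style records: (device, port, src_ip, src_port, bytes)
NETFLOW_RECORDS = [
    ("R1", "Gi0/1", "10.1.5.7", 443, 1_200),      # matches a route entry
    ("R1", "Gi0/1", "10.2.5.8", 53, 900),         # matches a route entry
    ("R1", "Gi0/2", "172.16.9.1", 80, 600_000),   # source in no prefix
    ("R1", "Gi0/2", "172.16.9.1", 80, 700_000),   # same source, heavy
    ("R2", "Gi0/3", "203.0.113.5", 80, 4_000),    # source in no prefix, light
    ("R2", "Gi0/3", "192.168.0.9", 53, 300),      # prefix ok, port not allowed
]

# Constructed stage-3 reference data (claims 5 and 6)
SAFE_REDIRECTS = {("http://shop.example/", "https://shop.example/")}
DOMAIN_TO_IPS = {"shop.example": {"192.0.2.10"}}

# Constructed packet captures per (device, port); consulted only below threshold
CAPTURES = {
    ("R2", "Gi0/3"): [
        {"access_url": "http://shop.example/",
         "redirect_url": "http://third-party.example/landing"},
        {"domain": "shop.example", "ip": "198.51.100.77"},
    ],
}

FLOW_THRESHOLD = 1_000_000  # bytes per (port, source) in the statistics window


def is_abnormal(device, src_ip, src_port):
    """Claims 2-3: abnormal unless one entry matches both prefix and port."""
    addr = ipaddress.ip_address(src_ip)
    for prefix, ports in ROUTE_TABLES.get(device, []):
        if addr in ipaddress.ip_network(prefix) and src_port in ports:
            return False
    return True


def abnormal_flows(records):
    """Stage 1: keep only records whose source fails the route table match."""
    return [r for r in records if is_abnormal(r[0], r[2], r[3])]


def traffic_per_source(records):
    """Claim 4: sum bytes per (device, port, src_ip, src_port)."""
    totals = defaultdict(int)
    for device, port, src_ip, src_port, nbytes in records:
        totals[(device, port, src_ip, src_port)] += nbytes
    return dict(totals)


def inspect_capture(packet):
    """Claims 5-6: return a reason string if the capture indicates hijacking."""
    if "redirect_url" in packet:
        if (packet["access_url"], packet["redirect_url"]) not in SAFE_REDIRECTS:
            return "redirect to non-safe URL %s" % packet["redirect_url"]
    if "domain" in packet:
        if packet["ip"] not in DOMAIN_TO_IPS.get(packet["domain"], set()):
            return "domain %s mapped to unexpected IP %s" % (packet["domain"], packet["ip"])
    return None


def detect_hijack_ports(records, captures, threshold=FLOW_THRESHOLD):
    """Full pipeline: returns {(device, port): reason} for hijacking ports."""
    verdicts = {}
    totals = traffic_per_source(abnormal_flows(records))
    for (device, port, src_ip, src_port), nbytes in totals.items():
        key = (device, port)
        if key in verdicts:
            continue
        if nbytes > threshold:  # claim 4: heavy abnormal traffic alone decides
            verdicts[key] = "abnormal traffic from %s:%d exceeds threshold (%d bytes)" % (
                src_ip, src_port, nbytes)
            continue
        for packet in captures.get(key, []):  # claims 5-6: packet-level checks
            reason = inspect_capture(packet)
            if reason:
                verdicts[key] = reason
                break
    return verdicts


if __name__ == "__main__":
    for (device, port), reason in sorted(detect_hijack_ports(NETFLOW_RECORDS, CAPTURES).items()):
        print("%s %s: %s" % (device, port, reason))
```

On the sample data, port Gi0/2 of R1 is flagged by stage 2 alone (1.3 MB from an off-table source), while port Gi0/3 of R2 carries too little abnormal traffic and is flagged only after the captured redirect is found outside the safe-redirect record. The claims leave the case of traffic exactly equal to the threshold unspecified; this example treats it as below.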
CN201610509488.XA 2016-06-30 2016-06-30 Network hijacking detection method, device and network system Active CN107566320B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610509488.XA CN107566320B (en) 2016-06-30 2016-06-30 Network hijacking detection method, device and network system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610509488.XA CN107566320B (en) 2016-06-30 2016-06-30 Network hijacking detection method, device and network system

Publications (2)

Publication Number Publication Date
CN107566320A true CN107566320A (en) 2018-01-09
CN107566320B CN107566320B (en) 2020-05-26

Family

ID=60968832

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610509488.XA Active CN107566320B (en) 2016-06-30 2016-06-30 Network hijacking detection method, device and network system

Country Status (1)

Country Link
CN (1) CN107566320B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1897541A (en) * 2005-07-15 2007-01-17 华为技术有限公司 Method for realizing network sampling
CN101562534A (en) * 2009-05-26 2009-10-21 中山大学 Network behavior analytic system
CN101848160A (en) * 2010-05-26 2010-09-29 钱叶魁 Method for detecting and classifying all-network flow abnormity on line
CN102130800A (en) * 2011-04-01 2011-07-20 苏州赛特斯网络科技有限公司 Device and method for detecting network access abnormality based on data stream behavior analysis
CN105100061A (en) * 2015-06-19 2015-11-25 小米科技有限责任公司 Method and device for detecting hijacking of website
CN105429975A (en) * 2015-11-11 2016-03-23 上海斐讯数据通信技术有限公司 Data safety defense system and method based on cloud terminal, and cloud terminal safety system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
WUSOFTIGER: "Using NetFlow to analyze abnormal network traffic", 《百度文库》 (Baidu Wenku) *
杨波, 王凯: "A method for locating and handling optical-splitter hijacking interference", 《信息安全与技术》 (Information Security and Technology) *
蒋琰: "Research and implementation of a NetFlow-based network traffic analysis and anomaly detection system", 《中国优秀博硕士学位论文全文数据库 (硕士) 信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology) *

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019136954A1 (en) * 2018-01-15 2019-07-18 深圳市联软科技股份有限公司 Method for detecting network compliance, apparatus, device and medium
CN108920589A (en) * 2018-06-26 2018-11-30 百度在线网络技术(北京)有限公司 Browsing hijacking recognition method, device, server and storage medium
CN109639793A (en) * 2018-12-10 2019-04-16 广东浪潮大数据研究有限公司 Cluster NAS system monitoring method, device, equipment and medium
CN112287252A (en) * 2020-10-26 2021-01-29 平安科技(深圳)有限公司 Website domain name hijacking detection method, device, equipment and storage medium
CN112287252B (en) * 2020-10-26 2023-07-21 平安科技(深圳)有限公司 Method, device, equipment and storage medium for detecting website domain name hijacking
CN112398699B (en) * 2020-12-01 2022-11-25 杭州迪普科技股份有限公司 Network traffic packet capturing method, device and equipment
CN112398699A (en) * 2020-12-01 2021-02-23 杭州迪普科技股份有限公司 Network traffic packet capturing method, device and equipment
CN114006803A (en) * 2021-09-29 2022-02-01 中盈优创资讯科技有限公司 Burst alarm method of netflow based on AS and prefix
CN114006803B (en) * 2021-09-29 2024-01-05 中盈优创资讯科技有限公司 Burst alarm method of netflow flow based on AS and prefix
CN114124464A (en) * 2021-10-27 2022-03-01 中盈优创资讯科技有限公司 Automatic unsealing method and device for hijacked route
CN114124464B (en) * 2021-10-27 2023-08-08 中盈优创资讯科技有限公司 Automatic unpacking method and device for hijacked route
CN115021984A (en) * 2022-05-23 2022-09-06 绿盟科技集团股份有限公司 Network security detection method and device, electronic equipment and storage medium
CN115021984B (en) * 2022-05-23 2024-02-13 绿盟科技集团股份有限公司 Network security detection method and device, electronic equipment and storage medium
CN115664833A (en) * 2022-11-03 2023-01-31 天津大学 Network hijacking detection method based on local area network security equipment
CN115664833B (en) * 2022-11-03 2024-04-02 天津大学 Network hijacking detection method based on local area network safety equipment
CN116346774A (en) * 2023-02-16 2023-06-27 北京有元科技有限公司 Network flow data query system based on DNS (Domain name System) route

Also Published As

Publication number Publication date
CN107566320B (en) 2020-05-26

Similar Documents

Publication Publication Date Title
CN107566320A (en) Network hijacking detection method, device and network system
CN101924757B (en) Method and system for reviewing Botnet
KR101010302B1 (en) Security management system and method of irc and http botnet
CN103442008B (en) Routing security detection system and detection method
US8307441B2 (en) Log-based traceback system and method using centroid decomposition technique
CN108063765B (en) SDN system suitable for solving network security
JP4556981B2 (en) Network monitoring apparatus and network monitoring method
CN101247217B (en) Method, unit and system for preventing address resolution protocol flux attack
CN108429761B (en) DDoS attack detection and defense method for resource adaptation analysis server in intelligent cooperative network
CN108701187A (en) Mixed hardware software distribution threat analysis
US20140047543A1 (en) Apparatus and method for detecting http botnet based on densities of web transactions
CN109951459A (en) ARP spoofing attack detection method based on local area network
CN107888605A (en) Internet of Things cloud platform traffic security analysis method and system
CN107948199A (en) Method and device for quickly detecting shared terminal access
CN110225062A (en) Method and apparatus for monitoring network attacks
CN102984003A (en) Network access detection system and network access detection method
CN106790073B (en) Blocking method and device for malicious attack of Web server and firewall
CN104486320A (en) Intranet sensitive information disclosure evidence collection system and method based on honeynet technology
CN105812324B (en) Method, apparatus and system for IDC information security management
CN101159636A (en) System and method for detecting illegal access
KR102211503B1 (en) Harmful ip determining method
KR20030057269A (en) IP Public ownership flag detection system and the method
WO2017070965A1 (en) Data processing method based on software defined network and related device
CN102957581A (en) Network access detection system and network access detection method
CN109040137A (en) Method, apparatus and electronic device for detecting man-in-the-middle attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant