CN107566320B - Network hijacking detection method, device and network system - Google Patents


Info

Publication number: CN107566320B
Authority: CN (China)
Prior art keywords: port, data, network, routing, netflow
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201610509488.XA
Other languages: Chinese (zh)
Other versions: CN107566320A
Inventors: 王凯, 肖耀高, 李嵘, 杨波, 刘洪波, 彭滔
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Events: application filed by China Telecom Corp Ltd; priority to CN201610509488.XA; publication of CN107566320A; application granted; publication of CN107566320B

Abstract

The invention discloses a network hijacking detection method, a detection device and a network system in the field of communications. The method comprises: collecting NetFlow packets exported by routing devices in a target network; obtaining the routing information of those routing devices; judging from the routing information whether a NetFlow packet is abnormal network data; and, if it is, determining according to a hijacking judgment rule whether the routing device that exported the abnormal data is a hijacked device. The method, device and system use a multi-stage detection process: NetFlow data is first collected to detect whether abnormal traffic has occurred, the traffic-policy function of the network device is then used for real-time traffic statistics, and the port-mirroring function of the network device is used for real-time packet capture and analysis. This locates the hijacking point accurately, improves detection efficiency and accuracy, reduces computational cost and improves the user experience.

Description

Network hijacking detection method, device and network system
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, and a network system for detecting network hijacking.
Background
Network hijacking usually works by monitoring a user's requests as the user accesses the network; when a request matches certain conditions, a redirect response is returned to the user before the genuine response from the target server arrives, so that the user is sent to a site other than the one requested. The page the user lands on may be a phishing site or may carry trojans, pop-up advertisements and the like. As shown in Fig. 1, the metropolitan area network contains backbone routers 11 and 12; access requests from user devices 13 and 14 pass through backbone routers 11 and 12, and the returned responses are received from them. A bypass device 15 is deployed beside backbone router 12; it receives a copy of the traffic through an optical splitter and monitors all traffic flowing through backbone router 12. The splitter may be placed at the egress router of a metropolitan area network or at a backbone router, and it collects user Internet traffic: at a DNS egress the collected data is the users' DNS requests, and at a RADIUS egress it is the users' RADIUS requests.
Device 15 applies special handling to certain requests according to a rule or policy. When a request from user device 14 passes through backbone router 12 and the request is TCP, device 15 forges a response packet from the seq and ack numbers of the request and sends it to user device 14 through backbone router 12. For UDP, device 15 directly forges a response packet and sends it to user device 14. Because the forged response reaches user device 14 before the genuine response from the server it accessed, the genuine server data is treated as erroneous and discarded when it arrives. The forged packet sent by device 15 is usually an HTTP 302 redirect that directs the client to a new link, such as an advertisement, degrading the user experience and possibly causing economic loss to the user.
Disclosure of Invention
In view of the above, the technical problem addressed by the present invention is to provide a method, an apparatus and a network system for detecting network hijacking.
According to one aspect of the present invention, a network hijacking detection method is provided, comprising: collecting a NetFlow packet exported by a routing device in a target network; obtaining the routing information of the routing device in the target network; judging from the routing information whether the NetFlow packet is abnormal network data; and, if the NetFlow packet is abnormal network data, determining according to a hijacking judgment rule whether the routing device that sent the abnormal network data is a hijacked device.
Optionally, judging from the routing information whether the NetFlow packet is abnormal network data comprises: extracting source address information from the NetFlow packet; obtaining the routing table entries of the routing device that sent the NetFlow packet; and matching the source address information against the source addresses in those routing table entries; if no routing table entry with the same source address can be matched, the NetFlow packet is determined to be abnormal network data.
Optionally, extracting source address information from the NetFlow packet comprises extracting a source IP address and a source port number from the NetFlow packet, and matching the source address information against the routing table comprises matching the source IP address, or the prefix of the source IP address, together with the source port number against the source address, or source address prefix, and port number in the routing table entry.
Optionally, determining according to a hijacking judgment rule whether the routing device that sent the abnormal network data is a hijacked device comprises: determining the routing device and the port that sent the abnormal network data; counting the traffic of packets sent by that port whose source address information is the same as that of the abnormal network data; and, when the traffic exceeds a preset traffic threshold, determining that the port is a hijacking port of the hijacked device.
Optionally, when the traffic is below the preset traffic threshold, packets sent by the port with the same source address information as the abnormal network data are captured, and the accessed website and the redirect target website are obtained from them; whether the redirect target is a safe redirect target is then determined from the website redirect record, and if it is not, the port is determined to be a hijacking port of the hijacked device.
Optionally, when the traffic is below the preset traffic threshold, packets sent by the port with the same source address information as the abnormal network data are captured, and a domain name and an IP address are obtained from them; whether the correspondence between the domain name and the IP address is correct is then determined according to a domain name correspondence rule, and if it is not, the port is determined to be a hijacking port of the hijacked device.
According to another aspect of the present invention, a network hijacking detection apparatus is provided, comprising: a data acquisition module for collecting NetFlow packets exported by routing devices in a target network; a route acquisition module for obtaining the routing information of the routing devices in the target network; an anomaly determination module for judging from the routing information whether a NetFlow packet is abnormal network data; and a hijacking location module for determining, according to a hijacking judgment rule, whether the routing device that sent the abnormal network data is a hijacked device if the NetFlow packet is abnormal network data.
Optionally, the anomaly determination module comprises: a source address extraction unit for extracting source address information from the NetFlow packet; and a routing table entry matching unit for matching the source address information against the source addresses in the routing table entries and, if no routing table entry with the same source address can be matched, determining that the NetFlow packet is abnormal network data.
Optionally, the source address extraction unit extracts a source IP address and a source port number from the NetFlow packet, and the routing table entry matching unit matches the source IP address, or its prefix, together with the source port number against the source address, or source address prefix, and port number in the routing table entry.
Optionally, the hijacking location module comprises: a device determination unit for determining the routing device and the port that sent the abnormal network data; a traffic statistics unit for counting the traffic of packets sent by that port with the same source address information as the abnormal network data; and a port location unit for determining, when the traffic exceeds a preset traffic threshold, that the port is a hijacking port of the hijacked device.
Optionally, the hijacking location module comprises: a redirect data capture unit for capturing, when the traffic is below the preset traffic threshold, packets sent by the port with the same source address information as the abnormal network data and obtaining the accessed website and the redirect target website from them; and a redirect data detection unit for determining from the website redirect record whether the redirect target is a safe redirect target and, if not, determining that the port is a hijacking port of the hijacked device.
Optionally, the hijacking location module comprises: a domain name data capture unit for capturing, when the traffic is below the preset traffic threshold, packets sent by the port with the same source address information as the abnormal network data and obtaining a domain name and an IP address from them; and a domain name data detection unit for determining according to the domain name correspondence rule whether the correspondence between the domain name and the IP address is correct and, if not, determining that the port is a hijacking port of the hijacked device.
According to yet another aspect of the present invention, a network system is provided that comprises the network hijacking detection apparatus described above.
The network hijacking detection method, device and network system of the present invention use a multi-stage detection process: NetFlow data is first collected to detect whether an anomaly has occurred, the traffic-policy function of the network device is then used for real-time traffic statistics, and the port-mirroring function of the network device is used for real-time packet capture and analysis. This locates the hijacking point accurately and allows network hijacking to be monitored and prevented.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a prior art network topology diagram including a hijacked device;
FIG. 2 is a flowchart illustrating a network hijacking detection method according to an embodiment of the present invention;
FIG. 3 is a block diagram of an embodiment of a network hijacking detection device according to the present invention;
FIG. 4 is a block diagram of an anomaly determination module in an embodiment of a network hijacking detection device according to the present invention;
FIG. 5 is a block diagram of a hijacking location module in an embodiment of the network hijacking detection device according to the present invention.
Detailed Description
The present invention now will be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. The technical solution of the present invention is described in various aspects below with reference to various figures and embodiments.
Fig. 2 is a flowchart of an embodiment of the network hijacking detection method according to the present invention. As shown in Fig. 2:
Step 201: collect the NetFlow packets exported by the routing devices in the target network.
NetFlow is a flow-export protocol that provides a session-level view of network traffic by recording, for each flow, the addresses, ports, protocol and volume involved. A NetFlow system consists of an exporter (probe), which monitors the network traffic, and a collector, which receives the records the exporter sends; the NetFlow packets exported by the routing devices in the target network are gathered at the collector. The target network may be a metropolitan area network, a provincial network, a national network and so on, and the routing devices may be edge routers, core routers and so on.
Step 202: obtain the routing information of the routing devices in the target network.
The routing information of the target network may be configured in advance; it may be the routing table or similar data held on the routing device, and it may be obtained from the operations support system. IP addresses across the whole network are usually partitioned and assigned by region, so it is possible to determine which network or area an IP address belongs to.
Step 203: judge from the routing information whether a NetFlow packet is abnormal network data.
The collected NetFlow packets may be stored in a NetFlow database, with the raw data normalized by a NetFlow preprocessing step. The data in the NetFlow database is then judged against the routing information to decide whether it is abnormal network data.
Step 204: if the NetFlow packet is abnormal network data, determine according to a hijacking judgment rule whether the routing device that sent the abnormal network data is a hijacked device.
In the network hijacking detection method of this embodiment, the NetFlow function is enabled on the routers in the network, the exported NetFlow packets are collected and analysed, a preliminary judgment is made as to whether they are abnormal, and the hijacked device is then identified.
For example, to enable NetFlow and export it to the collection system, the configuration commands that enable sampled NetFlow on port GigabitEthernet10/0 of a Cisco GSR router are as follows:
! export records from the Loopback0 address to the collector at *.*.*.61, UDP port 9995
ip flow-export source Loopback0
ip flow-export destination *.*.*.61 9995
! sample one packet in every 100
ip flow-sampling-mode packet-interval 100
! enable sampled NetFlow on the ingress interface
interface GigabitEthernet10/0
 ip route-cache flow sampled
With this configuration, the traffic entering GigabitEthernet10/0 is exported in sampled mode, at a sampling rate of 1:100, to the NetFlow collector at *.*.*.61 on UDP port 9995.
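On the collector side, the datagrams this configuration exports have to be decoded before a record's source address and port can be matched against routing data. The following is an added example, not code from the patent or from China Telecom: a parser for NetFlow version 5, the format that classic `ip route-cache flow` exports on IOS (that version, and the sample datagram built inline, are assumptions for the example). It also reads the sampling interval from the export header so that byte and packet counts can be scaled back by the 1:100 rate before any threshold is applied to them.

```python
"""Decode a NetFlow v5 export datagram into normalized flow records.

Added example, not code from the patent or from China Telecom. It assumes the
exporter configured above sends NetFlow version 5, the format classic
'ip route-cache flow' exports on IOS; the datagram is constructed inline."""
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")            # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes


def parse_netflow_v5(datagram: bytes) -> dict:
    """Return {"sampling_interval": n, "sampling_mode": m, "records": [...]}.

    Each record is normalized to the fields the detection stages use: source
    and destination IP and port, protocol, byte/packet counts and the input and
    output SNMP interface indexes (the router "ports") of the exporter.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records but datagram is short")
    records = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _sas, _das,
         src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src_ip": str(ipaddress.IPv4Address(src)),
            "dst_ip": str(ipaddress.IPv4Address(dst)),
            "src_port": sport, "dst_port": dport, "proto": proto,
            "tcp_flags": tcp_flags, "in_if": in_if, "out_if": out_if,
            "packets": pkts, "octets": octets, "src_mask": src_mask,
        })
    # Low 14 bits of the last header field carry the sampling interval; the
    # top 2 bits the sampling mode (1 = packet interval, as configured above).
    return {"sampling_interval": sampling & 0x3FFF,
            "sampling_mode": sampling >> 14, "records": records}


def scale_counts(record: dict, sampling_interval: int) -> dict:
    """Estimate true packet/byte counts from a 1:N sampled record."""
    return {**record, "packets": record["packets"] * sampling_interval,
            "octets": record["octets"] * sampling_interval}


def build_sample_datagram() -> bytes:
    """Constructed v5 datagram with two flows: a client request and the
    reply it received, as an exporter with 1:100 sampling would report them."""
    def rec(src, dst, in_if, out_if, pkts, octets, sport, dport, flags, proto):
        return V5_RECORD.pack(int(ipaddress.IPv4Address(src)),
                              int(ipaddress.IPv4Address(dst)), 0, in_if, out_if,
                              pkts, octets, 1000, 2000, sport, dport, 0, flags,
                              proto, 0, 0, 0, 24, 24, 0)
    records = [
        rec("10.1.2.3", "203.0.113.10", 1, 3, 12, 6400, 51000, 80, 0x18, 6),
        rec("203.0.113.10", "10.1.2.3", 7, 1, 3, 900, 80, 51000, 0x18, 6),
    ]
    header = V5_HEADER.pack(5, len(records), 123456, 1700000000, 0, 42, 0, 0,
                            (1 << 14) | 100)          # mode 1, interval 100
    return header + b"".join(records)


if __name__ == "__main__":
    parsed = parse_netflow_v5(build_sample_datagram())
    print(f"sampling mode {parsed['sampling_mode']}, 1:{parsed['sampling_interval']}")
    for r in parsed["records"]:
        print(scale_counts(r, parsed["sampling_interval"]))
```

Because the exporter samples 1:100, an injector that sends only a handful of forged responses may not appear in the flow records at all, which is one reason the method does not stop at NetFlow but escalates to per-port counting and mirror capture on the device itself.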
Source address information is extracted from the NetFlow packet, and the routing table entries of the routing device that sent the NetFlow packet are obtained. The source address information is matched against the source addresses in the routing table entries; if no routing table entry with the same source address can be matched, the NetFlow packet is determined to be abnormal network data.
A NetFlow record includes the source IP address, destination IP address, source port, destination port, protocol type, packet count, byte count and so on. The source IP address and source port number are extracted from the NetFlow packet, and the source IP address, or its prefix, together with the source port number is matched against the source address, or source address prefix, and port number in the routing table entry.
For example, a NetFlow packet sent by edge router B in the core network of province A is collected, and configuration information such as the routing table and routing links of edge router B is obtained. The source IP address and source port number are extracted from the NetFlow packet, the source IP prefix and source port number are matched against the source address prefixes and port numbers in the routing table of edge router B, and if no match succeeds the data is determined to be abnormal network data. For instance, if the source IP address extracted from the NetFlow packet sent by edge router B is an address allocated to province D, and none of the source address prefixes in edge router B's routing table entries covers the addresses allocated to province D, the packet may be a forged packet generated by another device and injected through edge router B.
Once abnormal network data has been determined, real-time traffic statistics can be enabled on the routing device for further confirmation; the statistics policy must be removed once counting is finished. The routing device and port that sent the abnormal network data are determined, the traffic of packets sent by that port with the same source address information as the abnormal data is counted, and when the traffic exceeds a preset traffic threshold the port is determined to be a hijacking port of the hijacked device.
For example, edge router B is found to have received forged network data whose source address is an IP address allocated to province D; the traffic of packets with that source address sent through each port of edge router B is then counted. When the traffic on port C of edge router B exceeds the preset threshold, port C is determined to be the hijacking port: another device is sending forged packets through port C of edge router B, so edge router B is the hijacked device and port C is its hijacking port.
When the traffic exceeds the preset threshold, the port can be determined directly to be the hijacking port of the hijacked device. When the traffic is below the threshold, further confirmation is needed: packets are captured from a mirror of the routing device's port, so that the hijacking point is located accurately and network hijacking can be monitored and prevented.
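The two stages just described, as an added example that is not part of the patent or of China Telecom's implementation. Router names, prefixes, interface indexes, the /24 grouping and the byte threshold are assumptions; the NetFlow records are constructed inline and are taken to be the normalized output of the collector, with a record's "port" read as the SNMP input interface index that NetFlow reports. Beyond the patent's criterion (no routing entry covers the source address), the example also flags a source that is routed but arrived on a different interface from the one its prefix is reached through, which is the check uRPF performs on the router itself; that extension is the example's, not the patent's.

```python
"""Stage 1 and stage 2 of the detection flow: flag NetFlow records whose source
address is not in the exporting router's routing table, then total the flagged
traffic per router port against a threshold.

Added example, not code from the patent or from China Telecom. Router names,
prefixes, interface indexes and the threshold are assumptions; the records are
constructed inline. "Port" means the NetFlow input interface index."""
import ipaddress
from collections import defaultdict

# Assumed routing table of edge router B: prefix -> interface it is reached on.
ROUTING_TABLE_B = {
    "10.1.0.0/16": 1,      # province A user pool, behind interface 1
    "10.2.0.0/16": 2,      # province A second pool, interface 2
    "203.0.113.0/24": 3,   # upstream / Internet side, interface 3
}


def build_rib(table: dict) -> list:
    return [(ipaddress.ip_network(p), intf) for p, intf in table.items()]


def longest_match(rib: list, addr: str):
    """(network, interface) of the most specific route covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, intf in rib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best


def classify(record: dict, rib: list, reverse_path: bool = True):
    """Stage 1. None for a normal record, otherwise a reason string.

    The patent's criterion is "no routing table entry covers the source
    address". With reverse_path=True this example also flags a source that is
    routed, but via a different interface from the one it arrived on (the
    same test uRPF applies on the router).
    """
    match = longest_match(rib, record["src_ip"])
    if match is None:
        return "source not in routing table"
    if reverse_path and match[1] != record["in_if"]:
        return f"source routed via if{match[1]} but arrived on if{record['in_if']}"
    return None


def locate_hijack_ports(records: list, rib: list, threshold_octets: int):
    """Stage 2. Sum octets of abnormal records per (source /24, input port).

    Returns two dicts keyed by (prefix, port): the ports over the threshold
    (the patent's "hijacking port") and those under it, which are the
    candidates for port-mirror packet capture in the next stage.
    """
    volume = defaultdict(int)
    for rec in records:
        if classify(rec, rib) is None:
            continue
        # Group by the /24 of the forged source rather than the exact address.
        prefix = str(ipaddress.ip_network(rec["src_ip"] + "/24", strict=False))
        volume[(prefix, rec["in_if"])] += rec["octets"]
    over = {k: v for k, v in volume.items() if v > threshold_octets}
    under = {k: v for k, v in volume.items() if v <= threshold_octets}
    return over, under


# Constructed, normalized NetFlow records as exported by edge router B.
SAMPLE_RECORDS = [
    {"src_ip": "10.1.2.3", "in_if": 1, "octets": 6400},       # normal user flow
    {"src_ip": "203.0.113.10", "in_if": 3, "octets": 90000},  # normal server reply
    {"src_ip": "172.16.9.9", "in_if": 7, "octets": 50000},    # "province D" source, unrouted
    {"src_ip": "172.16.9.10", "in_if": 7, "octets": 40000},   # same prefix, same port
    {"src_ip": "172.16.20.1", "in_if": 5, "octets": 900},     # unrouted, low volume
    {"src_ip": "10.2.5.5", "in_if": 1, "octets": 700},        # routed via if2, arrived on if1
]

if __name__ == "__main__":
    rib = build_rib(ROUTING_TABLE_B)
    for r in SAMPLE_RECORDS:
        print(r["src_ip"], "if%d" % r["in_if"], "->", classify(r, rib) or "ok")
    over, under = locate_hijack_ports(SAMPLE_RECORDS, rib, threshold_octets=50000)
    print("hijack ports:", over)
    print("escalate to mirror capture:", under)
```

In the sample data, interface 7 of edge router B carries 90000 octets from the unrouted 172.16.9.0/24 prefix and is reported as the hijacking port, while the two low-volume anomalies are handed on for mirror capture rather than being declared hijacks on volume alone.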
Forged network data can be monitored for DNS addresses and major websites such as www.baidu.com, www.qq.com and www.163.com. When the traffic is below the preset threshold, packets sent by the port with the same source address information as the abnormal network data are captured, and the accessed website and the redirect target website are obtained from them. Whether the redirect target is a safe redirect target is determined from the website redirect record; if it is not, the port is determined to be a hijacking port of the hijacked device.
For example, the currently accessed website and the redirect target website are obtained from the current website access exchange, and the safe redirect targets for that website are looked up in the website redirect record. The redirect record may be configured by the operator or derived statistically from historical access data; it holds the safe redirect targets, or a whitelist of redirect targets, for each accessed website. Comparing the redirect target with the safe targets in the record shows immediately whether the redirect is a hijack.
In one embodiment, when the traffic is below the preset threshold, packets sent by the port with the same source address information as the abnormal network data are captured, and a domain name and an IP address are obtained from them. Whether the correspondence between the domain name and the IP address is correct is determined from the domain name correspondence rule; if it is not, the port is determined to be a hijacking port of the hijacked device.
.com is a top-level domain, under which a second-level domain and a third-level domain may follow, for example news. The Domain Name System (DNS) consists of resolvers and domain name servers; a domain name server stores the domain names and corresponding IP addresses of the hosts in the network and translates domain names into IP addresses. Through DNS, people can use the Internet without having to remember the numeric IP address strings that machines read directly.
The domain name correspondence rule holds the correct correspondence between domain names and IP addresses, which may be derived statistically from historical data or set by the operator. The domain name and IP address obtained from the packet are checked against the rule; if the pair does not appear there, the user's web access is judged to have suffered DNS hijacking, that is, another device impersonating a DNS server has returned an incorrect resolution result, so that domain resolution is abnormal and the user is directed to a different web page.
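The redirect check and the DNS correspondence check described in the preceding paragraphs, as one added example that is not code from the patent or from China Telecom. The safe-redirect whitelist, the domain/IP rule and the captured payloads are constructed for the example; it parses an HTTP 302 response for its Location host and a raw DNS response (including compressed names) for its A records, and compares each against the rules as the text describes.

```python
"""Stage 3: inspect packets captured from a mirrored router port for the two
hijack signatures described above: an HTTP 302 whose Location is not a safe
redirect target for the requested site, and a DNS answer whose A record is
not one the domain/IP rule allows for that name.

Added example, not code from the patent or China Telecom. SAFE_REDIRECTS,
DOMAIN_RULE and the captured payloads are constructed for the example."""
import struct
from urllib.parse import urlparse

SAFE_REDIRECTS = {"www.example.com": {"www.example.com", "m.example.com"}}  # assumed
DOMAIN_RULE = {"www.example.com": {"203.0.113.10", "203.0.113.11"}}        # assumed


def parse_http_redirect(payload: bytes):
    """Return (status, location_host) for a 3xx response with Location, else None."""
    head = payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    parts = head[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    status, location = int(parts[1]), None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    if not 300 <= status < 400 or location is None:
        return None
    return status, urlparse(location).hostname


def check_redirect(requested_host: str, payload: bytes):
    """True if the response redirects to a host not whitelisted for
    requested_host, False if the target is safe, None if not a redirect."""
    parsed = parse_http_redirect(payload)
    if parsed is None:
        return None
    return parsed[1] not in SAFE_REDIRECTS.get(requested_host, {requested_host})


def _read_name(msg: bytes, off: int):
    """Decode a DNS name at off, following compression pointers.
    Returns (name, offset just past the name as it appears at off)."""
    labels, end = [], None
    for _ in range(128):                        # bound loops from hostile pointers
        length = msg[off]
        if length & 0xC0 == 0xC0:               # 2-byte compression pointer
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_dns_a_answers(msg: bytes) -> dict:
    """Return {name: set(ipv4 strings)} for the A records in a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    off = 12
    for _ in range(qd):                         # skip the question section
        off = _read_name(msg, off)[1] + 4       # name + QTYPE + QCLASS
    answers = {}
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            answers.setdefault(name, set()).add(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return answers


def check_dns(msg: bytes) -> list:
    """Names in the answer whose addresses are not all allowed by DOMAIN_RULE."""
    return [name for name, ips in parse_dns_a_answers(msg).items()
            if name in DOMAIN_RULE and not ips <= DOMAIN_RULE[name]]


def _dns_response(name: str, ip: str) -> bytes:
    """Build a constructed one-answer DNS response (answer name compressed)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return header + qname + struct.pack("!HH", 1, 1) + answer


# Constructed captures for www.example.com: forged and genuine variants.
FORGED_302 = b"HTTP/1.1 302 Found\r\nLocation: http://ads.example.net/x?u=1\r\nContent-Length: 0\r\n\r\n"
GENUINE_302 = b"HTTP/1.1 302 Found\r\nLocation: https://m.example.com/\r\n\r\n"
FORGED_DNS = _dns_response("www.example.com", "198.51.100.7")
GENUINE_DNS = _dns_response("www.example.com", "203.0.113.10")

if __name__ == "__main__":
    print("forged 302 hijacked:", check_redirect("www.example.com", FORGED_302))
    print("genuine 302 hijacked:", check_redirect("www.example.com", GENUINE_302))
    print("forged DNS mismatches:", check_dns(FORGED_DNS))
    print("genuine DNS mismatches:", check_dns(GENUINE_DNS))
```

The DNS check is deliberately a set comparison rather than an exact match, since a legitimate name commonly resolves to several addresses; a name absent from the rule is not judged at all, matching the text's point that the rule is built from operator configuration or history rather than guessed.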
In the network hijacking detection method of this embodiment, the NetFlow function is enabled to make a preliminary judgment as to whether an anomaly has occurred, and the traffic-policy and port-mirroring packet-capture functions of the network device are then used to locate the hijacking point. This locates the hijacking point accurately, monitors and prevents network hijacking, and improves detection efficiency and accuracy.
As shown in Fig. 3, the present invention provides a network hijacking detection device 30 comprising a data acquisition module 31, a route acquisition module 32, an anomaly determination module 33 and a hijacking location module 34. The data acquisition module 31 collects the NetFlow packets exported by the routing devices in the target network. The route acquisition module 32 obtains the routing information of the routing devices in the target network. The anomaly determination module 33 judges from the routing information whether a NetFlow packet is abnormal network data. If it is, the hijacking location module 34 determines according to the hijacking judgment rule whether the routing device that sent the abnormal network data is a hijacked device.
As shown in Fig. 4, the anomaly determination module 33 comprises a source address extraction unit 331, a routing table entry determination unit 332 and a routing table entry matching unit 333. The source address extraction unit 331 extracts source address information from the NetFlow packet. The routing table entry determination unit 332 obtains the routing table entries of the routing device that sent the NetFlow packet, and the routing table entry matching unit 333 matches the source address information against the source addresses in those entries; if no entry with the same source address can be matched, the NetFlow packet is determined to be abnormal network data.
The source address extraction unit 331 extracts the source IP address and source port number from the NetFlow packet. The routing table entry matching unit 333 matches the source IP address, or its prefix, together with the source port number against the source address, or source address prefix, and port number in the routing table entry.
As shown in Fig. 5, the hijacking location module 34 comprises a device determination unit 341, a traffic statistics unit 342, a port location unit 343, a redirect data capture unit 344, a redirect data detection unit 345, a domain name data capture unit 346 and a domain name data detection unit 347.
The device determination unit 341 determines the routing device and port that sent the abnormal network data. The traffic statistics unit 342 counts the traffic of packets sent by that port with the same source address information as the abnormal network data. When the traffic exceeds the preset traffic threshold, the port location unit 343 determines that the port is a hijacking port of the hijacked device.
When the traffic is below the preset threshold, the redirect data capture unit 344 captures packets sent by the port with the same source address information as the abnormal network data and obtains the accessed website and the redirect target website from them. The redirect data detection unit 345 determines from the website redirect record whether the redirect target is a safe redirect target and, if not, determines that the port is a hijacking port of the hijacked device.
When the traffic is below the preset threshold, the domain name data capture unit 346 captures packets sent by the port with the same source address information as the abnormal network data and obtains a domain name and an IP address from them. The domain name data detection unit 347 determines according to the domain name correspondence rule whether the correspondence between the domain name and the IP address is correct and, if not, determines that the port is a hijacking port of the hijacked device.
In one embodiment, the invention provides a network system comprising the network hijacking detection device described above.
The network hijacking detection method, device and network system of these embodiments use a multi-stage detection process: NetFlow data is first collected to detect whether abnormal traffic has occurred and to identify forged data preliminarily, the traffic-policy function of the network device is then used for real-time traffic statistics, and the port-mirroring function of the network device is used for real-time packet capture and analysis. This locates the hijacking point accurately, monitors and prevents network hijacking, improves detection efficiency and accuracy, reduces computational overhead and improves the user experience.
The method and system of the present invention may be implemented in a number of ways. For example, the methods and systems of the present invention may be implemented in software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustrative purposes only, and the steps of the method of the present invention are not limited to the order specifically described above unless specifically indicated otherwise. Furthermore, in some embodiments, the present invention may also be embodied as a program recorded in a recording medium, the program including machine-readable instructions for implementing a method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Claims (7)

1. A network hijacking detection method, characterized in that it comprises the following steps:
collecting a NetFlow packet sent by a routing device in a target network;
obtaining the routing information of the routing device in the target network;
judging from the routing information whether the NetFlow packet is abnormal network data;
extracting source address information from the NetFlow packet; obtaining the routing table entries of the routing device that sent the NetFlow packet; matching the source address information against the source addresses in the routing table entries, and, if no routing table entry with the same source address can be matched, determining that the NetFlow packet is abnormal network data;
if the NetFlow packet is abnormal network data, determining according to a hijacking judgment rule whether the routing device that sent the abnormal network data is a hijacked device;
determining the routing device and the port that sent the abnormal network data; counting the traffic of packets sent by the port with the same source address information as the abnormal network data; when the traffic exceeds a preset traffic threshold, determining that the port is a hijacking port of the hijacked device; when the traffic is below the preset traffic threshold, capturing packets sent by the port with the same source address information as the abnormal network data, and obtaining a domain name and an IP address from the packets; and determining according to a domain name correspondence rule whether the correspondence between the domain name and the IP address is correct, and, if not, determining that the port is a hijacking port of the hijacked device.
2. The method of claim 1, wherein the extracting source address information from the NetFlow packet comprises:
extracting a source IP address and a source port number from the NetFlow packet;
said matching the source address information with the routing table comprises:
and matching the source IP address or the prefix and the source port number of the source IP address with the source address or the source address prefix and the source port number in the routing table entry.
3. The method of claim 2, comprising:
when the flow is smaller than a preset flow threshold value, capturing a data packet which is sent by the port and has the same source address information with the abnormal network data, and acquiring an access website and a target jump website from the data packet;
and determining whether the target jump website is a safe jump website according to the website jump record, and if not, determining that the port is a hijack port of the hijacked device.
4. A network hijacking detection device, comprising:
the data acquisition module is used for acquiring a NetFlow data packet sent by the routing equipment in the target network;
a route obtaining module, configured to obtain route information of a routing device in the target network;
an anomaly determination module, configured to determine whether the NetFlow packet is abnormal network data according to the routing information;
wherein the anomaly determination module comprises:
a source address extracting unit, configured to extract source address information from the NetFlow packet;
a routing table entry determining unit, configured to obtain a routing table entry of a routing device that sends the NetFlow packet,
a routing table item matching unit, configured to match the source address information with a source address in the routing table item, and if a routing table item with the same source address cannot be matched, determine that the NetFlow packet is abnormal network data;
the hijacking positioning module is used for determining whether the routing equipment sending the abnormal network data is the hijacked equipment or not based on a hijacking judgment rule if the NetFlow data packet is the abnormal network data;
wherein, the hijack positioning module comprises:
the device determining unit is used for determining the routing device and the port for sending the abnormal network data;
the flow statistic unit is used for counting the flow of a data packet which is sent by the port and has the same source address information with the abnormal network data;
the port positioning unit is used for determining that the port is a hijack port of the hijacked equipment when the flow is greater than a preset flow threshold;
the domain name data capturing unit is used for capturing a data packet which is sent by the port and has the same source address information with the abnormal network data when the flow is smaller than a preset flow threshold value, and acquiring a domain name and an IP address from the data packet;
and the domain name data detection unit is used for determining whether the corresponding relation between the domain name and the IP address is correct or not according to a domain name corresponding rule, and if not, determining that the port is a hijacking port of the hijacked equipment.
5. The apparatus of claim 4, wherein:
the source address extracting unit is used for extracting a source IP address and a source port number from the NetFlow data packet;
the routing table matching unit is configured to match the source IP address or the prefix and the source port number of the source IP address with the source address or the source address prefix and the source port number in the routing table.
6. The apparatus of claim 5, wherein:
the hijack positioning module comprises:
the skip data capturing unit is used for capturing a data packet which is sent by the port and has the same source address information with the abnormal network data when the flow is smaller than a preset flow threshold value, and acquiring an access website and a target skip website from the data packet;
and the jump data detection unit is used for determining whether the target jump website is a safe jump website according to the website jump record, and if not, determining that the port is a hijacking port of the hijacked equipment.
7. A network system, characterized by:
comprising a network hijacking detection device as claimed in any one of claims 4 to 6.
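The three-stage procedure of claims 1 to 3 can be read as a small pipeline: a NetFlow record is checked against the exporting router's routing table (source prefix plus ingress port), records that match no entry are treated as abnormal, and the port they arrived on is then classified either by traffic volume or, below the threshold, by checking captured domain-name answers against an expected domain-to-IP mapping. The following is an added illustration written for this page, not code from the patent or its assignee; the record and routing-entry data classes, the per-router routing tables keyed by name, the byte threshold and every address, domain and answer below are constructed assumptions, and the captured answers stand in for what a port mirror and packet capture would provide.

```python
"""Multi-stage hijack-port detection in the shape of claims 1 to 3.

Stage 1: NetFlow record vs. routing table (source prefix + ingress port).
Stage 2: traffic statistics for the abnormal source on that port.
Stage 3: captured domain-name answers vs. a domain correspondence rule.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NetFlowRecord:          # assumed minimal NetFlow v5/v9-style fields
    router: str               # exporting router
    in_port: int              # ingress interface (ifIndex) the flow arrived on
    src_ip: str
    dst_ip: str
    bytes: int


@dataclass(frozen=True)
class RouteEntry:             # assumed shape of a routing table entry
    prefix: str               # source prefix expected to arrive on `port`
    port: int


# Constructed routing tables, keyed by router name (assumption, not real data).
ROUTING_TABLES = {
    "r1": [RouteEntry("10.1.0.0/16", 1), RouteEntry("192.0.2.0/24", 2)],
}


def find_route(table, src_ip, port):
    """Longest-prefix match that also requires the port to agree (claim 2)."""
    addr = ip_address(src_ip)
    best = None
    for entry in table:
        net = ip_network(entry.prefix)
        if addr in net and entry.port == port:
            if best is None or net.prefixlen > ip_network(best.prefix).prefixlen:
                best = entry
    return best


def is_abnormal(record, tables=ROUTING_TABLES):
    """Stage 1: no routing entry with the same source on this port -> abnormal."""
    table = tables.get(record.router, [])
    return find_route(table, record.src_ip, record.in_port) is None


def classify_ports(records, threshold_bytes, captured_answers, domain_rules,
                   tables=ROUTING_TABLES):
    """Return a verdict per (router, port) that carried abnormal traffic.

    captured_answers: {(router, port): [(domain, answered_ip), ...]}
    domain_rules:     {domain: {expected_ip, ...}}  (domain correspondence rule)
    """
    # (router, port) -> source IP -> bytes seen from that source on that port
    abnormal = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if is_abnormal(rec, tables):
            abnormal[(rec.router, rec.in_port)][rec.src_ip] += rec.bytes

    verdicts = {}
    for key, per_src in abnormal.items():
        # Stage 2: traffic from the abnormal source above the threshold.
        if max(per_src.values()) > threshold_bytes:
            verdicts[key] = "hijack-port:volume"
            continue
        # Stage 3: below the threshold, inspect captured domain/IP pairs.
        bad_answers = [(d, ip) for d, ip in captured_answers.get(key, [])
                       if ip not in domain_rules.get(d, set())]
        verdicts[key] = "hijack-port:dns" if bad_answers else "no-hijack"
    return verdicts


def demo():
    """Run the pipeline over constructed sample data and return the verdicts."""
    records = [
        NetFlowRecord("r1", 1, "10.1.2.3", "192.0.2.99", 300),      # normal
        NetFlowRecord("r1", 2, "10.1.5.5", "192.0.2.99", 500),      # wrong port
        NetFlowRecord("r1", 2, "10.1.5.5", "192.0.2.99", 400),      # wrong port
        NetFlowRecord("r1", 3, "203.0.113.9", "192.0.2.99", 100),   # unknown src
        NetFlowRecord("r1", 4, "198.51.100.20", "192.0.2.99", 50),  # unknown src
    ]
    captured = {  # constructed stand-in for mirrored-port packet capture
        ("r1", 3): [("example.com", "198.51.100.7")],   # answer not in rule
        ("r1", 4): [("example.org", "203.0.113.20")],   # answer matches rule
    }
    rules = {"example.com": {"203.0.113.10"}, "example.org": {"203.0.113.20"}}
    return classify_ports(records, threshold_bytes=800,
                          captured_answers=captured, domain_rules=rules)


if __name__ == "__main__":
    for (router, port), verdict in sorted(demo().items()):
        print(f"{router} port {port}: {verdict}")
```

Port 2 is flagged on volume alone (900 bytes from a source that belongs on port 1), port 3 is flagged because the captured answer for example.com does not match the rule, and port 4 carries an unknown source but passes both checks, so it is reported as no hijack. In a deployment the threshold and the domain rule would come from the flow policy and a maintained whitelist rather than from literals.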

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610509488.XA CN107566320B (en) 2016-06-30 2016-06-30 Network hijacking detection method, device and network system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610509488.XA CN107566320B (en) 2016-06-30 2016-06-30 Network hijacking detection method, device and network system

Publications (2)

Publication Number Publication Date
CN107566320A CN107566320A (en) 2018-01-09
CN107566320B true CN107566320B (en) 2020-05-26

Family

ID=60968832

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610509488.XA Active CN107566320B (en) 2016-06-30 2016-06-30 Network hijacking detection method, device and network system

Country Status (1)

Country Link
CN (1) CN107566320B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108322452A (en) * 2018-01-15 2018-07-24 深圳市联软科技股份有限公司 Network closes rule detection method, device, equipment and medium
CN108920589B (en) * 2018-06-26 2021-08-10 百度在线网络技术(北京)有限公司 Browsing hijacking identification method, device, server and storage medium
CN109639793A (en) * 2018-12-10 2019-04-16 广东浪潮大数据研究有限公司 A kind of cluster NAS system monitoring method, device, equipment and medium
CN112287252B (en) * 2020-10-26 2023-07-21 平安科技(深圳)有限公司 Method, device, equipment and storage medium for detecting website domain name hijacking
CN112398699B (en) * 2020-12-01 2022-11-25 杭州迪普科技股份有限公司 Network traffic packet capturing method, device and equipment
CN114006803B (en) * 2021-09-29 2024-01-05 中盈优创资讯科技有限公司 Burst alarm method of netflow flow based on AS and prefix
CN114124464B (en) * 2021-10-27 2023-08-08 中盈优创资讯科技有限公司 Automatic unpacking method and device for hijacked route
CN115021984B (en) * 2022-05-23 2024-02-13 绿盟科技集团股份有限公司 Network security detection method and device, electronic equipment and storage medium
CN115664833B (en) * 2022-11-03 2024-04-02 天津大学 Network hijacking detection method based on local area network safety equipment
CN116346774A (en) * 2023-02-16 2023-06-27 北京有元科技有限公司 Network flow data query system based on DNS (Domain name System) route

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1897541A (en) * 2005-07-15 2007-01-17 华为技术有限公司 Method for realizing network sampling
CN101562534A (en) * 2009-05-26 2009-10-21 中山大学 Network behavior analytic system
CN101848160A (en) * 2010-05-26 2010-09-29 钱叶魁 Method for detecting and classifying all-network flow abnormity on line
CN102130800A (en) * 2011-04-01 2011-07-20 苏州赛特斯网络科技有限公司 Device and method for detecting network access abnormality based on data stream behavior analysis
CN105100061A (en) * 2015-06-19 2015-11-25 小米科技有限责任公司 Method and device for detecting hijacking of website
CN105429975A (en) * 2015-11-11 2016-03-23 上海斐讯数据通信技术有限公司 Data safety defense system and method based on cloud terminal, and cloud terminal safety system


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
A localization and handling method for optical-splitting hijacking interference; 杨波, 王凯; 《信息安全与技术》; 2015-12-31; Section 2 of the main text *
Using NetFlow to analyze abnormal network traffic; wusoftiger; 《百度文库》; 2010-12-14; full text *
Research and implementation of a NetFlow-based network traffic analysis and anomaly detection system; 蒋琰; 《中国优秀博硕士学位论文全文数据库 (硕士) 信息科技辑》; 2006-08-15; Sections 4.2, 4.3, 5.2 and 5.3 and Figures 4.3 and 5.1 of the main text *

Also Published As

Publication number Publication date
CN107566320A (en) 2018-01-09

Similar Documents

Publication Publication Date Title
CN107566320B (en) Network hijacking detection method, device and network system
CN109962903B (en) Home gateway security monitoring method, device, system and medium
US8635697B2 (en) Method and system for operating system identification in a network based security monitoring solution
CN106657001B (en) Botnet detection method based on Netflow and DNS log
KR101424490B1 (en) Reverse access detecting system and method based on latency
US8422386B2 (en) Abnormal traffic detection apparatus, abnormal traffic detection method and abnormal traffic detection program
US8904524B1 (en) Detection of fast flux networks
EP2403187A1 (en) Method, apparatus and system for botnet host detection
US20090282478A1 (en) Method and apparatus for processing network attack
KR20140088340A (en) APPARATUS AND METHOD FOR PROCESSING DDoS IN A OPENFLOW SWITCH
CN110166480B (en) Data packet analysis method and device
CN107770132A (en) A kind of method and device detected to algorithm generation domain name
US20170118129A1 (en) Identifying ip traffic from multiple hosts behind a network address translation device
CN110750785B (en) Detection method and device for scanning behavior of host port
CN105577669B (en) A kind of method and device of the false source attack of identification
EP3242240B1 (en) Malicious communication pattern extraction device, malicious communication pattern extraction system, malicious communication pattern extraction method and malicious communication pattern extraction program
CN106790073B (en) Blocking method and device for malicious attack of Web server and firewall
JP2012038213A (en) Determination device, determination method, and computer program
US20170353486A1 (en) Method and System For Augmenting Network Traffic Flow Reports
CN107018116B (en) Method, device and server for monitoring network traffic
CN113765912A (en) Distributed firewall device and detection method thereof
CN111131180B (en) Distributed deployed HTTP POST (hyper text transport protocol) interception method in large-scale cloud environment
JP3892322B2 (en) Unauthorized access route analysis system and unauthorized access route analysis method
KR101292887B1 (en) Apparatus and method of monitoring packet stream in router using checking packet identity
KR101603692B1 (en) Method of identifying terminals and system thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant