CN107579997A - Wireless network intrusion detection system - Google Patents
Publication number: CN107579997A (application CN201710945013.XA)
Authority: CN (China)
Prior art keywords: information; electronic equipment; intrusion detection; detection module; access
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention discloses a wireless network intrusion detection system comprising: a wireless access module adapted, when an electronic device is detected accessing the wireless network through a preset network vulnerability, to record the device identifier and the device access information of that electronic device; a network transmission module adapted to acquire the network traffic information generated after the electronic device accesses the wireless network and to supply the acquired network traffic information to a first intrusion detection module; the first intrusion detection module, adapted to analyze the network traffic information supplied by the network transmission module and to determine the device attribute information of the electronic device from the analysis result; and a second intrusion detection module adapted to acquire the behavior characteristic information of the electronic device and to generate an intrusion alarm signal when the behavior characteristic information is determined to satisfy a preset alarm rule. The system can protect against an electronic device after it has intruded, and can also obtain information about the intruding device in order to locate the attacker, analyze the attack technique and implement targeted protection.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to a wireless network intrusion detection system.
Background technology
With the continuous development of communication technology, the Internet has become part of every aspect of life. However, hacking techniques, as a by-product of Internet development, have also become pervasive and threaten network security ever more seriously.
Taking wireless networks as an example: although wireless networks have won more and more users through the convenience of their access, hacking incidents carried out by intruding into wireless networks are also occurring increasingly often. Various defensive measures have therefore appeared to counter hacker intrusion. Traditional defense mechanisms achieve defense mainly by strengthening the security of the wireless network itself, for example by resetting the wireless network password to something that is not easy to crack, or by strengthening the verification of accessing devices at the network access stage so as to prevent malicious access by illegitimate devices.
However, in the course of realizing the present invention the inventors found that the above prior-art approach has at least the following problem: the existing approach relies mainly on passive defensive measures taken before the intrusion, that is, obstacles are raised before an electronic device attempts to access the wireless network in order to block malicious access by an illegitimate electronic device. Once that defense fails, the electronic device that has intruded into the wireless network can carry out malicious behavior at will, and the existing approach cannot defend against an electronic device after it has intruded into the wireless network.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a wireless network intrusion detection system that overcomes, or at least partly solves, the above problem.
According to one aspect of the present invention, a wireless network intrusion detection system is provided, comprising a wireless access module, a network transmission module, a first intrusion detection module and a second intrusion detection module, wherein:
the wireless access module is adapted, when an electronic device that accesses the wireless network through a preset network vulnerability is detected, to record the device identifier and the device access information of that electronic device;
the network transmission module is adapted to acquire the network traffic information generated after the electronic device accesses the wireless network, and to supply the acquired network traffic information to the first intrusion detection module;
the first intrusion detection module is adapted to analyze the network traffic information supplied by the network transmission module and to determine the device attribute information of the electronic device according to the analysis result;
the second intrusion detection module is adapted to acquire the behavior characteristic information of the electronic device and, when it is determined that the behavior characteristic information satisfies a preset alarm rule, to generate an intrusion alarm signal.
Optionally, the wireless access module is further adapted to store the device access information of the electronic device in association with the device identifier of the electronic device;
the first intrusion detection module is further adapted to store the device attribute information of the electronic device in association with the device identifier of the electronic device;
and the second intrusion detection module is further adapted, when it is determined that the behavior characteristic information satisfies the preset alarm behavior rule, to retrieve and analyze the device access information and device attribute information stored in association with the device identifier of the electronic device.
Optionally, there are a plurality of first intrusion detection modules and/or second intrusion detection modules, each of which is connected to the network transmission module in bridge mode; the network transmission module is then further adapted to acquire, and analyze separately, the point-to-point network traffic information generated after the electronic device accesses the wireless network towards each first intrusion detection module and/or second intrusion detection module.
Optionally, the wireless access module is further adapted to push a preset web page to the electronic device, obtain the access result produced by the electronic device accessing the preset web page, and obtain and record the device identifier and device access information of the electronic device according to that access result.
Optionally, the network transmission module is further adapted to:
intercept, according to the network traffic information generated after the electronic device accesses the wireless network, a website access request sent by the electronic device;
insert into the intercepted website access request a preset access script for accessing a preset website;
receive the access result data returned by the preset website and supply it to the first intrusion detection module, so that the first intrusion detection module determines the device attribute information of the electronic device with reference to that access result data.
Optionally, the network transmission module is further adapted to determine whether the network traffic information generated after the electronic device accesses the wireless network includes network traffic triggered by access behavior that satisfies a preset early warning rule and, if so, to generate an attack early warning signal;
wherein the preset early warning rule includes early warning rules for a plurality of security levels.
Optionally, the first intrusion detection module and/or the second intrusion detection module is further adapted to determine, according to the device access information, device attribute information and/or behavior characteristic information of the electronic device, the user identifier and user characteristic information corresponding to the electronic device, in order to trace the source according to that user identifier and user characteristic information.
Optionally, the second intrusion detection module is further adapted to:
determine whether the behavior characteristic information matches a malicious command stored in a preset blacklist and, if so, generate the intrusion alarm signal; and/or
record the files operated on by the electronic device in a preset operation file list, record the files that have a preset association relationship with files in the operation file list in a preset suspicious file list, and determine whether to generate the intrusion alarm signal by monitoring the files in the operation file list and the suspicious file list.
Optionally, the first intrusion detection module and/or the second intrusion detection module is a virtual machine provided with a real operating system, and the fingerprint characteristic information of the virtual machine is managed by a preset program plug-in running at the system layer; wherein the fingerprint characteristic information includes network interface card information, registry information and/or key-value information.
Optionally, the first intrusion detection module includes a low-interaction Web-type intrusion detection module, and the second intrusion detection module includes a high-interaction Windows-type intrusion detection module and/or a high-interaction Linux-type intrusion detection module.
In the wireless network intrusion detection system provided by the invention, first, the network vulnerability reserved by the wireless access module lures the attacker into accessing the network, the device access information of the electronic device is recorded, and the network transmission module acquires the network traffic information generated after the electronic device accesses the network; then, the first intrusion detection module determines the device attribute information of the electronic device by analyzing the network traffic information; finally, the second intrusion detection module acquires the behavior characteristic information of the electronic device and determines from it whether to raise an alarm. The modules of the system can thus obtain, in turn, the device access information, device attribute information and behavior characteristic information of the intruding device, so as to detect and record the relevant information of the intruding device and to raise an alarm for protection when necessary. This approach not only protects effectively against an electronic device after it has intruded, but also obtains information about the intruding device in order to locate the attacker, analyze the attack technique and implement targeted protection.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and practiced according to the content of the specification, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art by reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a structural diagram of a wireless network intrusion detection system provided by embodiment one of the present invention;
Fig. 2 shows a structural diagram of a wireless network intrusion detection system provided by embodiment two of the present invention;
Fig. 3 shows a schematic diagram of the multilayer loop structure in the wireless network intrusion detection system.
Embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention will be understood more thoroughly and so that the scope of the disclosure can be conveyed completely to those skilled in the art.
The embodiments of the invention provide a wireless network intrusion detection system that at least solves the technical problem that traditional network defense approaches cannot protect against an electronic device after it has intruded.
Embodiment one
Fig. 1 shows a structural diagram of a wireless network intrusion detection system provided by embodiment one of the present invention. As shown in Fig. 1, the system includes a wireless access module 11, a network transmission module 12, a first intrusion detection module 13 and a second intrusion detection module 14.
The wireless access module 11 is adapted, when an electronic device that accesses the wireless network through a preset network vulnerability is detected, to record the device identifier and device access information of that electronic device. Specifically, the wireless access module is mainly used to lure the attacker into accessing the network and to record the attacker's device access information. Device access information means information about the device that can be obtained while the device is accessing the wireless network, for example the device name, IP address, MAC address, browser version, operating system version, device screen resolution and browser plug-in information.
The network transmission module 12 is adapted to acquire the network traffic information generated after the electronic device accesses the wireless network and to supply the acquired network traffic information to the first intrusion detection module. The network transmission module mainly obtains the network traffic information after the electronic device accesses the wireless network by means such as network packet capture. From the network traffic information, the network access behavior of the electronic device (for example, the number of web pages opened and their addresses) can be learned. Optionally, the network transmission module can also determine, according to the network access behavior, whether to trigger an early warning signal, thereby providing an early warning function.
The first intrusion detection module 13 is adapted to analyze the network traffic information supplied by the network transmission module and to determine the device attribute information of the electronic device according to the analysis result. The first intrusion detection module may be a virtual machine, sandbox or the like implemented using honeypot technology, as long as it achieves the purpose of detecting the device attribute information of the intruding device. Device attribute information mainly means information about the device that can be derived by analyzing the device's network traffic information, for example device fingerprint, plug-in information, time-zone information, GPU information and device language information.
The second intrusion detection module 14 is adapted to acquire the behavior characteristic information of the electronic device and to generate an intrusion alarm signal when it is determined that the behavior characteristic information satisfies a preset alarm rule. The second intrusion detection module may likewise be a virtual machine, sandbox or the like implemented using honeypot technology, as long as it achieves the purpose of detecting the behavior characteristic information of the intruding device. The specific meaning of the behavior characteristic information and the way the preset alarm rule is formulated can be set flexibly by those skilled in the art. For example, a blacklist of commands commonly used by hackers can be preset in order to detect whether the electronic device carries out hacker behavior; or, by monitoring the files the electronic device operates on directly or indirectly, it can be determined whether the electronic device carries out malicious operations such as tampering with system files or injecting malicious files.
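As an added illustration of the blacklist and file-monitoring rules just described (and of the associated storage by device identifier that the summary says the second module consults when it raises an alarm), the following Python sketch is not code from the patent. The session record shape, the blacklist contents, the interpretation of the "preset association relation" and all sample values are assumptions.

```python
"""Behavior rules of the second intrusion detection module and the lookup it
makes by device identifier when an alarm fires.

Added illustration, not the patent's code. Assumptions: a honeypot session is
summarised as the commands run plus file operations; the blacklist contents;
the "preset association relation" is taken to be "created, modified or run by
a program that is itself in the operation file list"; an alarm is raised for a
write to a monitored system file (tampering) or execution of a file from the
suspicious list (injected file). Records, paths and values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Preset blacklist of commands commonly used by intruders (assumed contents).
COMMAND_BLACKLIST = ("net user", "reg add", "wevtutil cl", "schtasks /create")

# Which paths count as "system files" is an assumption.
SYSTEM_FILE_PREFIXES = (r"C:\Windows\System32", "/etc", "/usr/bin")


@dataclass
class FileEvent:
    """One file operation seen in the honeypot (constructed record shape)."""
    path: str
    action: str                  # "write", "exec" or "delete"
    actor: Optional[str] = None  # program performing it; None = attacker's shell


@dataclass
class Session:
    device_id: str
    commands: List[str]
    file_events: List[FileEvent]


@dataclass
class DeviceRecord:
    """Associated storage keyed by device identifier: access information from
    the wireless access module, attribute information from the first module."""
    access_info: Dict[str, str] = field(default_factory=dict)
    attribute_info: Dict[str, str] = field(default_factory=dict)


def check_commands(commands: List[str]) -> List[str]:
    """Blacklist rule: a command containing a blacklisted string is an alarm."""
    return [f"blacklisted command: {cmd}"
            for cmd in commands if any(bad in cmd for bad in COMMAND_BLACKLIST)]


def track_files(events: List[FileEvent]) -> Tuple[Set[str], Set[str]]:
    """Build the operation file list (files the device acted on directly) and
    the suspicious file list (files reached through the association relation)."""
    operated: Set[str] = set()
    suspicious: Set[str] = set()
    for ev in events:
        if ev.actor is None:
            operated.add(ev.path)
        elif ev.actor in operated or ev.actor in suspicious:
            suspicious.add(ev.path)
    return operated, suspicious


def check_files(events: List[FileEvent]) -> List[str]:
    """File-monitoring rule applied to the files in both lists."""
    operated, suspicious = track_files(events)
    alarms: List[str] = []
    for ev in events:
        if ev.path not in operated and ev.path not in suspicious:
            continue  # not a monitored file
        if ev.action in ("write", "delete") and ev.path.startswith(SYSTEM_FILE_PREFIXES):
            alarms.append(f"system file tampered: {ev.path}")
        if ev.action == "exec" and ev.path in suspicious:
            alarms.append(f"injected file executed: {ev.path}")
    return alarms


def analyze_session(session: Session, records: Dict[str, DeviceRecord]) -> Optional[dict]:
    """Return the intrusion alarm together with the information stored under
    the device identifier, or None when no alarm rule matched."""
    alarms = check_commands(session.commands) + check_files(session.file_events)
    if not alarms:
        return None
    rec = records.get(session.device_id, DeviceRecord())
    return {"device_id": session.device_id, "alarms": alarms,
            "access_info": rec.access_info, "attribute_info": rec.attribute_info}


# Constructed sample data.
DEVICE_RECORDS = {"dev-0001": DeviceRecord(
    access_info={"ip": "192.168.1.50", "mac": "00:11:22:33:44:55"},
    attribute_info={"timezone": "UTC+8", "language": "zh-CN"})}
DROPPER = r"C:\Users\Public\dl.exe"
SAMPLE_SESSION = Session(
    "dev-0001",
    commands=["whoami", "net user tmp Pass123 /add"],
    file_events=[
        FileEvent(DROPPER, "write"),  # dropped directly by the attacker's shell
        FileEvent(DROPPER, "exec"),
        FileEvent(r"C:\Windows\System32\drivers\etc\hosts", "write", DROPPER),
        FileEvent(r"C:\Users\Public\stage2.dll", "write", DROPPER),
        FileEvent(r"C:\Users\Public\stage2.dll", "exec", DROPPER),
    ])

if __name__ == "__main__":
    print(analyze_session(SAMPLE_SESSION, DEVICE_RECORDS))
```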
The modules of the system can thus obtain, in turn, the device access information, device attribute information and behavior characteristic information of the intruding device, so as to detect and record the relevant information of the intruding device and to raise an alarm for protection when necessary. This approach not only protects effectively against an electronic device after it has intruded, but also obtains information about the intruding device in order to locate the attacker, analyze the attack technique and implement targeted protection.
Embodiment two
Fig. 2 shows a schematic structural diagram of a specific wireless network intrusion detection system provided by embodiment two of the present invention. As shown in Fig. 2, the system includes a wireless access module 21, a network transmission module 22, a first intrusion detection module 23 and second intrusion detection modules 24. Fig. 2 shows a plurality of second intrusion detection modules 24; in practice there may also be only one. Likewise, in other embodiments of the present invention there may be a plurality of first intrusion detection modules 23.
In this embodiment, the wireless network intrusion detection system is mainly used to lure the attacker into accessing the network, and to monitor and record the attacker's device information and attack behavior; accordingly, targeted defensive measures can be implemented, an alarm can be raised when necessary, and the attacker can be traced. The wireless network intrusion detection system of this embodiment can therefore also be understood as a honeypot system implemented using honeypot technology, and this honeypot system can perform multiple functions. The specific structure and operating principle of each module in the system are introduced separately below:
1. Wireless access module
The outermost layer of the system is the wireless access module 21. The wireless access module 21 is adapted to monitor whether there is an electronic device intruding into the wireless network through the preset network vulnerability; when the monitoring result is yes, it obtains the device identifier of that electronic device and the device access information corresponding to that device identifier; optionally, it can also analyze the device access information and locate the electronic device according to the analysis result. The wireless access module 21 therefore has two main functions: on the one hand, it actively sets up the network vulnerability to lure the attacker into accessing the network; on the other hand, once an electronic device accessing the wireless network is found, it records the device identifier and device access information of that electronic device.
First, the specific way the network vulnerability is set up is introduced. Specifically, the wireless access module 21 sets up the network vulnerability in a preset wireless access device through which external electronic devices access the wireless network. The wireless access device may be any kind of access point usable for accessing the wireless network, such as a router. Specifically, the network vulnerability can be set up in various ways, such as opening a wireless network port and/or weakening the wireless network password. The network vulnerability can also be understood as a trap, used mainly to entice the attacker to access the network. The present invention does not limit the specific way the network vulnerability is set up.
Next, the specific way the device identifier and device access information of the electronic device are recorded is introduced. The device identifier may be any information capable of uniquely identifying one electronic device, so that the relevant information of that electronic device can be tracked by device identifier in subsequent processing. Device access information means information about the device that can be obtained while the device is accessing the wireless network. Accordingly, the wireless access module 21 records device access information such as the device name, IP address and MAC address of the device connecting to the wireless network, so that the physical location of the attacker can be determined and the attacker is in a monitored state from the moment the wireless network is accessed. Optionally, in order to force the attacker to reveal more information, in this embodiment the wireless access module 21, when obtaining the device identifier of the electronic device and the corresponding device access information, can further push a preset web page to the electronic device, obtain the access result produced by the electronic device accessing the preset web page, and determine the device access information of the electronic device according to that access result. The preset web page includes a social web page logged into with a social account, or another page that requires personal information to log in; accordingly, the device access information of the electronic device further includes the social account information determined from the access result produced for the social web page, for example a microblog account and password or a QQ account and password. In addition, while the electronic device accesses the web page, other device access information can also be obtained, for example browser version, operating system version, device screen resolution and browser plug-in information. The wireless access module 21 stores the device access information of the electronic device in association with the device identifier of the electronic device in a preset device access table for later query.
The wireless access module is thus mainly used to lure the attacker into accessing the network and to obtain the corresponding device access information, in order to realize functions such as locating the attacker or early warning.
2. Network transmission module
The next outer layer of the system is the network transmission module 22. The network transmission module 22 is adapted to acquire the network traffic information generated after the electronic device accesses the wireless network and to supply the acquired network traffic information to the first intrusion detection module 23 for subsequent analysis. In addition, the network transmission module 22 is further adapted to determine whether the network traffic information generated after the electronic device accesses the wireless network includes network traffic triggered by access behavior that satisfies a preset early warning rule and, if so, to generate an attack early warning signal. In a specific implementation, the network transmission module 22 acquires the network traffic information generated by the electronic device that has intruded into the wireless network, analyzes it, determines the network access behavior of the electronic device from the analysis result, and judges whether that network access behavior satisfies the preset early warning rule; if so, it generates an attack early warning signal for early warning.
The network transmission module mainly obtains the network traffic information after the electronic device accesses the wireless network by means such as network packet capture. In addition, the inventors found in the course of realizing the present invention that a traditional packet capture approach can only obtain the traffic with which the electronic device accesses external websites through the wireless network, and cannot obtain the traffic between the electronic device and the individual devices inside the wireless network. For example, in this embodiment the wireless network contains a plurality of preset devices, such as the first intrusion detection module and the plurality of second intrusion detection modules. In order to obtain more accurately the network traffic information generated by the electronic device towards each intrusion detection module, in this embodiment each first intrusion detection module and second intrusion detection module is connected to the wireless network in bridge mode; accordingly, after the electronic device intrudes into the wireless network, the network transmission module separately obtains the point-to-point network traffic information generated towards each preset device in the wireless network (that is, the first intrusion detection module and the second intrusion detection modules) and supplies that point-to-point network traffic information to the corresponding preset device. For example, the network traffic information obtained for the electronic device accessing the first intrusion detection module is supplied to the first intrusion detection module for subsequent analysis. The bridge mode thus lets the present invention obtain accurately the point-to-point traffic information between the electronic device and each intrusion detection module, which makes it easy to determine separately the network behavior the electronic device carries out towards each intrusion detection module.
By analyzing the network traffic information obtained as above, the network access behavior of the electronic device (for example, the number of web pages opened and their addresses) can be learned. Optionally, in this embodiment the network transmission module can also determine, according to a preset early warning rule, whether to trigger an early warning signal for the network access behavior of the electronic device, thereby providing an early warning function. The early warning rule includes early warning rules for a plurality of network security levels; accordingly, the network transmission module first determines the current network security level and then selects the early warning rule matching that level. For example, the network security level can be divided into three levels, high, medium and low, and a corresponding early warning rule is set for each level. The system operator can set the network security level according to the needs of the current business. Accordingly, the early warning rule can include at least one of the following three rules:
The first early warning rule is a rule that issues an early warning when a scanning behavior carried out with a preset scanning tool is detected. The network transmission module can obtain in advance the scanning tools commonly used by hackers and store them in a hacker tool list; once it detects from the network traffic information that the electronic device is scanning with a scanning tool in the hacker tool list, it issues an early warning. The scanning tools stored in the hacker tool list can include NMAP, SQLMAP, WVS and the like. The second early warning rule is a rule that issues an early warning when a tentative connection to a preset device in the wireless network is detected. This rule can be applied in a high-security-level network setting: under this rule, any attempt to connect to a preset device such as an intrusion detection module triggers an early warning. The third early warning rule is a rule that issues an early warning when a successful connection to a preset device in the wireless network is detected. This rule can be applied in a medium- or low-security-level network setting: under this rule, an early warning is issued only when a successful connection is found, for example when an access request directed at an intrusion detection module is detected.
The network transmission layer can thus monitor the network traffic information across the whole network and issue early warnings according to the monitoring result, raising the security of the system. The early warning rules can be set flexibly by those skilled in the art and are not limited by the present invention.
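As an added illustration (not code from the patent), the following Python sketch applies the three early warning rules and the security-level selection described above to captured flow records. The flow record shape, the honeypot addresses, the tool signatures looked for in the User-Agent header and the exact rule-to-level mapping are assumptions.

```python
"""Early warning rule selection for the network transmission module.

Added illustration, not the patent's code. Assumptions: flows are summarised
as records with source, destination, port, handshake state and HTTP
User-Agent; a scanning tool is recognised by a substring of the User-Agent;
the scan-tool rule applies at every security level, the high level adds the
"attempted connection" rule, and the medium/low levels add the "successful
connection" rule.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hacker tool list: the patent names NMAP, SQLMAP and WVS; the signature
# strings used to recognise them in traffic are assumptions.
HACKER_TOOL_LIST: Dict[str, str] = {"NMAP": "nmap", "SQLMAP": "sqlmap", "WVS": "wvs"}

# Preset devices inside the wireless network (the intrusion detection
# modules reached in bridge mode). Constructed addresses.
PRESET_DEVICES = {"10.0.0.13", "10.0.0.14"}


@dataclass
class Flow:
    """One captured flow between the intruding device and some destination."""
    src: str
    dst: str
    dport: int
    completed: bool       # True if the TCP handshake finished
    user_agent: str = ""  # HTTP User-Agent if the flow carried HTTP


def rule_scan_tool(flow: Flow) -> Optional[str]:
    """First rule: scanning carried out with a tool from the hacker tool list."""
    ua = flow.user_agent.lower()
    for name, signature in HACKER_TOOL_LIST.items():
        if signature in ua:
            return f"scan with {name} from {flow.src} to {flow.dst}"
    return None


def rule_attempted_connection(flow: Flow) -> Optional[str]:
    """Second rule (high level): any connection attempt to a preset device."""
    if flow.dst in PRESET_DEVICES:
        return f"connection attempt {flow.src} -> {flow.dst}:{flow.dport}"
    return None


def rule_successful_connection(flow: Flow) -> Optional[str]:
    """Third rule (medium/low level): only a completed connection to a preset device."""
    if flow.dst in PRESET_DEVICES and flow.completed:
        return f"successful connection {flow.src} -> {flow.dst}:{flow.dport}"
    return None


Rule = Callable[[Flow], Optional[str]]
RULES_BY_LEVEL: Dict[str, List[Rule]] = {
    "high": [rule_scan_tool, rule_attempted_connection],
    "medium": [rule_scan_tool, rule_successful_connection],
    "low": [rule_scan_tool, rule_successful_connection],
}


def early_warning(flows: List[Flow], security_level: str) -> List[str]:
    """Apply the rule set chosen by the current security level and return the
    attack early warning signals (one string per rule hit)."""
    signals: List[str] = []
    for flow in flows:
        for rule in RULES_BY_LEVEL[security_level]:
            hit = rule(flow)
            if hit is not None:
                signals.append(hit)
    return signals


# Constructed sample capture from one intruding device (192.168.1.50).
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "10.0.0.13", 80, completed=False),     # probe only
    Flow("192.168.1.50", "10.0.0.14", 22, completed=True),      # completed connection
    Flow("192.168.1.50", "10.0.0.13", 80, completed=True,
         user_agent="Mozilla/5.0 (compatible; Nmap Scripting Engine)"),
    Flow("192.168.1.50", "203.0.113.10", 443, completed=True),  # external website
]

if __name__ == "__main__":
    for level in ("high", "medium", "low"):
        print(level, early_warning(SAMPLE_FLOWS, level))
```

Traffic to the external website raises nothing at any level; only flows towards the preset devices, or flows carrying a listed tool's signature, produce signals.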
Optionally, in order to obtain more information about the electronic device, in this embodiment the network transmission module can further perform the following operations: according to the network traffic information generated by the electronic device, intercept the website access request sent by the electronic device and insert into the intercepted website access request a preset access script for accessing a preset website; receive the access result data corresponding to the preset website and determine the device attribute information of the electronic device according to that access result data. Accordingly, the network transmission module can further locate the electronic device according to the device attribute information. In a specific implementation, first, the type of website access request to be intercepted is preset; for example, it can be set to intercept access requests for search websites such as Baidu. Then, the preset access script for accessing the preset website is inserted into the intercepted website access request. This preset access script is generated and maintained by the first intrusion detection module; the network transmission module only needs to call it. The preset access script can be realized as a JS script or as a URL, and is used to access websites of social types such as Renren and microblog sites. Finally, the access result data corresponding to the preset website is received and the device attribute information of the electronic device is determined from it; the operation of determining the device attribute information can be performed by the first intrusion detection module, in which case the network transmission module sends the access result data returned by the preset website to the first intrusion detection module, which determines the device attribute information of the electronic device with reference to that access result data. In the above process the network transmission module therefore mainly performs two functions: on the one hand, it sends the access request for the preset website to the preset website's server in place of the user; on the other hand, it receives the returned access result in place of the user. The network transmission module can thus access the preset website and obtain the access result without the user of the electronic device that intruded into the wireless network being aware of it, and thereby obtain the relevant information of the electronic device. The main difference between device attribute information and device access information lies in the time at which, and the module by which, each is obtained: device access information is obtained at the access stage by the wireless access module, whereas device attribute information is obtained by the first intrusion detection module when the electronic device has penetrated the wireless network and accesses the first intrusion detection module, and reflects the attributes of the device. In practice the contents of the device access information and the device attribute information may overlap.
3rd, the first intrusion detection module
The first intrusion detection module sits between the network transport layer and the second intrusion detection module; it analyzes the network traffic information provided by the network transmission module and determines the device attribute information of the electronic device from the analysis result. In a specific implementation, the first intrusion detection module may be realized in various ways, for example using honeypot technology on a virtual machine or in a sandbox. Honeypot technology is essentially a technique for deceiving the attacker: hosts, network services or information are deployed as bait to lure the attacker into attacking them, so that the attack can be captured and analyzed, the tools and methods used by the attacker understood, and the attack intent and motivation inferred. This lets the defender clearly understand the security threats it faces and strengthen the protection of the real system through technical and management means. In the present embodiment the first intrusion detection module is a web-type honeypot (i.e. a service-type honeypot), and its interactivity is lower than that of the second intrusion detection module, so it may also be called a web-type low-interaction intrusion detection module. For convenience, it is referred to below as the web-type low-interaction honeypot.
The web-type low-interaction honeypot obtains the network traffic information generated by the electronic device that has intruded into the wireless network, analyzes it, and from the analysis result determines the device identifier of the electronic device and the device attribute information corresponding to that identifier. Optionally, it can also detect the position information of the electronic device from the device attribute information, so as to locate the electronic device or trace its source. The web-type low-interaction honeypot is thus mainly used to collect further information about the attacker. Specifically, the device attribute information that can be collected includes, but is not limited to: browser version, operating system version, device screen resolution, browser plug-in information, social account information, device fingerprint, plug-in information, time zone information, GPU information and device language information.
In addition, to collect more information, the web-type low-interaction honeypot is further used to generate in advance the preset access script for accessing the preset website; the preset access script is inserted into the intercepted website access request sent by the electronic device. Correspondingly, when the web-type low-interaction honeypot determines the device identifier of the electronic device and the corresponding device attribute information from the analysis result, it does so with reference to the obtained access result data corresponding to the preset website. The preset website includes social networking sites that are logged into with a social account, and the preset access script may be implemented as a JS script or a URL for accessing preset websites such as Renren and Weibo. Correspondingly, the device attribute information of the electronic device includes the social account information determined from the access result produced for the social networking site. In other words, the web-type low-interaction honeypot is responsible for maintaining the preset access script for the network transmission module to invoke, and is further used to analyze the network traffic information and access result data obtained by the network transmission module in order to determine the device attribute information of the electronic device. Through the cooperation of the web-type low-interaction honeypot and the network transmission module, the preset website can be accessed automatically and related information obtained without the user of the electronic device noticing, which provides more valuable information for subsequent operations such as locating the attacker and tracing the source.
4th, the second intrusion detection module
The second intrusion detection module is located at the innermost layer of the whole system; it obtains the behavior characteristic information of the electronic device and generates an intrusion alarm signal when it determines that the behavior characteristic information matches a preset alarm rule. In a specific implementation, the second intrusion detection module may also be realized in various ways, for example using honeypot technology on a virtual machine or in a sandbox. In the present embodiment the interactivity of the second intrusion detection module is higher than that of the first, so the second intrusion detection module may also be called a high-interaction intrusion detection module. The second intrusion detection module can be applied both to Windows systems and to Linux systems; correspondingly, it comes in two kinds, a Windows-type high-interaction honeypot and a Linux-type high-interaction honeypot. The present embodiment is described mainly using the Windows-type high-interaction honeypot as an example.
Specifically, the behavior characteristic information of the electronic device obtained by the Windows-type high-interaction honeypot can be of several kinds, and correspondingly the preset alarm rules can include several rules:
The first rule is: determine whether the behavior characteristic information matches a malicious command stored in a preset blacklist, and if so, generate an intrusion alarm signal (also called a behavior intrusion alarm signal). Specifically, the Windows-type high-interaction honeypot monitors system activity and every action of the electronic device; if it observes the electronic device executing a malicious command stored in the preset blacklist, an intrusion alarm signal is triggered. The preset blacklist stores the attack commands that hackers are known to use commonly. Tables 1, 2 and 3 show some of the malicious commands stored in the blacklist.
Table 1
No. | Command | Execution count | Options |
1 | tasklist | 119 | /s /v |
2 | ver | 92 | |
3 | ipconfig | 58 | /all |
4 | Net time | 30 | |
5 | systeminfo | 24 | |
6 | netstat | 22 | -ano |
7 | qprocess | 15 | |
8 | query | 14 | user |
9 | whoami | 14 | /all |
10 | Net start | 10 | |
11 | nslookup | 4 | |
12 | fsutil | 3 | fsinfo drives |
13 | time | 2 | /t |
14 | set | 1 | |
Table 2
No. | Command | Execution count | Options |
1 | dir | 903 | |
2 | Net view | 226 | |
3 | ping | 196 | |
4 | Net use | 193 | |
5 | type | 118 | |
6 | Net user | 74 | |
7 | Net localgroup | 35 | |
8 | Net group | 19 | |
9 | Net config | 16 | |
10 | Net share | 11 | |
11 | dsquery | 6 | |
12 | csvde | 5 | /f /q |
13 | nbtstat | 5 | -a |
14 | Net session | 3 | |
15 | nltest | 3 | /dclist |
16 | wevtutil | 2 | |
Table 3
No. | Command | Execution count | Options |
1 | at | 98 | |
2 | reg | 29 | add, export, query |
3 | wmic | 24 | |
4 | Netsh advfirewall | 4 | |
5 | sc | 4 | qc, query |
6 | wusa | 2 | |
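The following is an added example, not code from the patent, of how the first rule can be applied to a constructed command log: each observed command line is matched against a subset of the blacklisted commands from Tables 1 to 3 and a behavior intrusion alarm record is produced. The log-line format, the device identifier and the `scan` and `match_blacklist` functions are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed subset of the blacklist from Tables 1-3. Each key is the command
# (with its sub-command for "net") and the value is the set of options the table
# records for it, so the alarm can report which of them the invocation used.
COMMAND_BLACKLIST = {
    ("tasklist",): {"/s", "/v"},
    ("ver",): set(),
    ("ipconfig",): {"/all"},
    ("systeminfo",): set(),
    ("netstat",): {"-ano"},
    ("whoami",): {"/all"},
    ("net", "view"): set(),
    ("net", "use"): set(),
    ("net", "user"): set(),
    ("net", "localgroup"): set(),
    ("nbtstat",): {"-a"},
    ("nltest",): {"/dclist"},
    ("reg",): {"add", "export", "query"},
    ("sc",): {"qc", "query"},
    ("wmic",): set(),
    ("at",): set(),
}

# Constructed log-line shape: "<YYYY-MM-DD HH:MM:SS> <device-id> <command line>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dev>\S+) (?P<cmd>.+)$"
)


@dataclass(frozen=True)
class BehaviorAlarm:
    device_id: str
    timestamp: str
    command: str      # blacklist entry that matched, e.g. "net view"
    options: tuple    # options from the table seen in this invocation, in order
    raw: str          # the command line as observed


def match_blacklist(cmdline):
    """Return (entry, options) if the command line starts with a blacklisted
    command, else None. Matching is case-insensitive, as Windows commands are."""
    lowered = cmdline.split()
    lowered = [t.lower() for t in lowered]
    for entry, known_opts in COMMAND_BLACKLIST.items():
        n = len(entry)
        if lowered[:n] == list(entry):
            seen = tuple(t for t in lowered[n:] if t in known_opts)
            return " ".join(entry), seen
    return None


def parse_log_line(line):
    """Split one constructed log line into (timestamp, device_id, command line);
    lines that do not have the expected shape are skipped rather than guessed at."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("dev"), m.group("cmd")


def scan(lines):
    """Apply the first rule to every log line and collect the alarms raised."""
    alarms = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, dev, cmd = parsed
        hit = match_blacklist(cmd)
        if hit is not None:
            alarms.append(BehaviorAlarm(dev, ts, hit[0], hit[1], cmd))
    return alarms


# Constructed sample log: five blacklisted commands, two benign ones, one malformed line.
SAMPLE_LOG = """\
2017-10-11 10:02:13 dev-7f3a ver
2017-10-11 10:02:20 dev-7f3a echo hello
2017-10-11 10:02:31 dev-7f3a Tasklist /S /V
2017-10-11 10:02:45 dev-7f3a net view
2017-10-11 10:03:02 dev-7f3a ipconfig
2017-10-11 10:03:10 dev-7f3a NETSTAT -ano
2017-10-11 10:03:22 dev-7f3a notepad readme.txt
malformed line without the expected fields
""".splitlines()

if __name__ == "__main__":
    for alarm in scan(SAMPLE_LOG):
        print(f"{alarm.timestamp} {alarm.device_id}: blacklisted '{alarm.command}' "
              f"options={alarm.options} raw='{alarm.raw}'")
```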
The second rule is: record the files operated on by the electronic device into a preset operation file list, record the files that have a preset association with the files in the operation file list into a preset suspicious file list, and monitor the files in the operation file list and the suspicious file list to decide whether to generate an intrusion alarm signal (also called a file intrusion alarm signal). For example, when a file in the suspicious file list is observed being executed, a file intrusion alarm signal is generated. This rule may be called taint tracing; its main idea is to continuously monitor and track all files related to the electronic device and raise an alarm when a suspicious situation is found.
For example, operations such as the creation, modification and deletion of files can be monitored, and all of these files are recorded into the preset operation file list as files operated on by the electronic device. The operation file list thus records all files directly operated on by the electronic device, and the operation types include many kinds. In addition, the files that have a preset association with the files in the operation file list are further determined. Files with a preset association include, but are not limited to, files that are bundled with a file in the operation file list. For example, if the electronic device creates a bundled file A' while creating file A, then file A is recorded in the operation file list and file A' in the suspicious file list. Subsequently, both the operation file list and the suspicious file list are monitored continuously; once a file in the suspicious file list is observed being executed, an alarm is raised immediately. That is, the files in the operation file list are those the electronic device operated on directly, whereas the files in the suspicious file list are those it has not yet operated on, or has not operated on directly (possibly indirectly or implicitly). The two kinds of file are stored in different lists so that different monitoring modes and alarm types can be set for each according to its characteristics. For example, the reason an electronic device creates a bundled file is often to evade the monitoring of the operation file list: usually the bundled file does not exist on the file system as a real file but only in memory, so it is well concealed, yet once such a file is executed the system can be damaged. Therefore, in the present embodiment, associated files such as bundled files and hidden files are stored separately in the suspicious file list, which makes it easy to apply stronger control and monitoring to this portion of files and to prevent malicious behavior from actually being carried out.
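As an added illustration of the taint-tracing rule (not the patent's own code), the following replays constructed file events: directly operated files go to the operation file list, files bundled with them go to the suspicious file list, and executing a file from the suspicious list raises a file intrusion alarm. The event shape, the `FileTracer` class and the decision that a file stays in the suspicious list once recorded there are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FileEvent:
    device_id: str
    action: str              # "create", "modify", "delete" or "execute"
    path: str
    associated: tuple = ()   # files with a preset association, e.g. bundled with path


@dataclass
class FileTracer:
    """Keeps the two lists of the second rule and raises file intrusion alarms."""
    operation_files: set = field(default_factory=set)
    suspicious_files: set = field(default_factory=set)
    alarms: list = field(default_factory=list)

    @staticmethod
    def _key(path):
        # Windows paths are case-insensitive; normalise so TOOL.EXE and tool.exe match.
        return path.replace("/", "\\").lower()

    def handle(self, event):
        """Process one event; returns the alarm raised, or None."""
        key = self._key(event.path)
        if event.action in ("create", "modify", "delete"):
            # A directly operated file is recorded in the operation file list.
            self.operation_files.add(key)
            for assoc in event.associated:
                akey = self._key(assoc)
                # Associated files the device has not operated on directly go to the
                # suspicious list. They are not moved out again later (assumption of
                # this example), so a later "touch" cannot launder them.
                if akey not in self.operation_files:
                    self.suspicious_files.add(akey)
            return None
        if event.action == "execute":
            if key in self.suspicious_files:
                alarm = {"type": "file_intrusion",
                         "device_id": event.device_id,
                         "path": event.path}
                self.alarms.append(alarm)
                return alarm
            # Executing a directly operated (or untracked) file is not, by itself,
            # an alarm condition under this rule.
            return None
        raise ValueError(f"unknown file action {event.action!r}")


def replay(events):
    """Feed a sequence of events through a fresh tracer; return it and the alarms."""
    tracer = FileTracer()
    raised = [a for a in (tracer.handle(ev) for ev in events) if a is not None]
    return tracer, raised


# Constructed sample: file A (tool.exe) is created together with a bundled file A'
# (tool_bundle.bin); only running the bundled file should raise an alarm.
SAMPLE_EVENTS = [
    FileEvent("dev-7f3a", "create", r"C:\Users\guest\tool.exe",
              associated=(r"C:\Users\guest\tool_bundle.bin",)),
    FileEvent("dev-7f3a", "modify", r"C:\Users\guest\tool.exe"),
    FileEvent("dev-7f3a", "execute", r"C:\Users\guest\TOOL.EXE"),
    FileEvent("dev-7f3a", "execute", r"C:\Users\guest\tool_bundle.bin"),
    FileEvent("dev-7f3a", "delete", r"C:\Users\guest\tool.exe"),
]

if __name__ == "__main__":
    tracer, raised = replay(SAMPLE_EVENTS)
    print("operation files:", sorted(tracer.operation_files))
    print("suspicious files:", sorted(tracer.suspicious_files))
    print("alarms:", raised)
```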
In addition, the Windows-type high-interaction honeypot can further monitor process creation and inject Monitor.dll (a dynamic link library used for monitoring processes) into suspicious processes in order to track process behavior. A process blacklist can also be set; for example, all non-system-level processes are included in the process blacklist, each process in the list is monitored continuously, and an alarm is triggered if a dangerous process creation operation is found. The Windows-type high-interaction honeypot can also monitor registry operations in order to discover dangerous behavior.
In addition, each Windows-type high-interaction honeypot can also handle logging and alarm messages, and can communicate with the first intrusion detection module or with other Windows-type high-interaction honeypots to achieve linked processing across the whole system. Therefore, the wireless access module is further adapted to store the device access information of the electronic device in association with the device identifier of the electronic device; the first intrusion detection module is further adapted to store the device attribute information of the electronic device in association with the device identifier; and the second intrusion detection module is further adapted to, when it determines that the behavior characteristic information matches a preset alarm behavior rule, obtain and analyze the device access information, device attribute information and other data stored in association with the device identifier of that electronic device. That is, in the present system, all the information each module obtains about an electronic device (including device access information, device attribute information and behavior characteristic information) is stored in association with the device identifier of that electronic device, so that any module can obtain all the information stored under a device identifier by means of that identifier. In other words, each module can obtain not only the information it determined itself but also the information determined by other modules, which achieves sharing of information. Correspondingly, the first intrusion detection module and/or the second intrusion detection module may further be adapted to determine, from the device access information, device attribute information and/or behavior characteristic information of the electronic device, a user identifier and user characteristic information corresponding to the electronic device, so that the source can be traced according to the user identifier and user characteristic information.
It can be seen that the first intrusion detection module and/or the second intrusion detection module are mainly used to leave a breach for the attacker so that the attacker has an opportunity to log into the system; the attacker's system activity is then recorded, dangerous behavior is alarmed, and the samples corresponding to malicious behavior are captured for analysis using sandbox technology.
In addition, the system essentially uses multiple rings to achieve overall monitoring of the intruding device; Fig. 3 shows the structure of the multiple rings in the system. As shown in Fig. 3, the system is divided into three rings from the outside in: the outermost ring 3 consists mainly of the wireless access module, the middle ring 2 consists mainly of the first intrusion detection module, and the innermost ring 1 consists mainly of the second intrusion detection module. The network transmission module lies between ring 3 and ring 2. Through this multi-ring design the system lures the attacker into penetrating ring by ring and revealing more information, and the information collected in each ring can be queried in a linked manner.
In addition, the first intrusion detection module and the second intrusion detection module in ring 2 and ring 3 are virtual machines with a real operating system installed, so as to collect information better. To prevent the intruding electronic device from seeing through the honeypot mechanism, the fingerprint feature information of the virtual machine is managed by a preset program plug-in running at the system layer, where the fingerprint feature information includes network card information, registry information and/or key-value information. Fingerprint feature information is one kind of environmental characteristic information. Because the plug-in runs at the system layer, its run-time privilege is higher than that of other processes on the electronic device, so other processes can be effectively prevented from accessing the fingerprint feature information of the virtual machine.
In a specific implementation, to protect the virtualized environment inside the first intrusion detection module and the second intrusion detection module and prevent the electronic device from seeing through it, the first intrusion detection module and/or the second intrusion detection module may further perform the following operations: when an access request message for accessing the environmental characteristic information of the virtualized environment is observed, intercept that access request message; determine the access result data corresponding to the access request message and determine the data type of that access result data; look up the protection strategy that matches the data type of the access result data, and apply protective processing to the access request message according to the protection strategy found.
Specifically, the application programming interfaces (APIs) corresponding to access request messages for the environmental characteristic information of the virtualized environment are determined in advance, and hook functions are installed on those APIs; a hook function is used to monitor the access request messages triggered through its API. The environmental characteristic information of the virtualized environment includes all features related to the system environment, for example the fingerprint feature information of the virtual machine described above. To determine the APIs corresponding to such access request messages, the access behavior that an electronic device intruding into the virtualized environment directs at the virtualized environment can be monitored, and the access request messages for the environmental characteristic information of the virtualized environment identified from that behavior. For example, an electronic device that has intruded into a virtualized environment will often deliberately obtain the environmental characteristic information in order to determine whether the current system environment is a virtualized environment realized by honeypot technology, and will leave the current environment once it finds that it is. Therefore, by monitoring the access behavior of the electronic device, the APIs corresponding to the access request messages commonly used to obtain the environmental characteristic information of the virtualized environment can be identified and monitored. For example, in the present embodiment, monitoring the access behavior of electronic devices shows that a virtual machine is typically detected by the following means: detecting particular CPU instructions in the execution environment; detecting specific registry information and configuration information; detecting specific processes and services; detecting the file system and specific hardware information (MAC address, hard disk); detecting memory features; and detecting the configuration of the execution environment (hard disk size, memory size, number of CPU cores, etc.). Furthermore, since the intrusion detection modules in the present embodiment may also be realized by a sandbox, monitoring the access behavior of electronic devices shows that a sandbox is typically detected by the following means: detecting whether there is specific user activity in the execution environment (such as mouse movement or visiting certain URLs); sleeping for a period before executing again; executing with loop delays; detecting hooks (user hooks, kernel hooks, etc.); detecting network connectivity; detecting the user name; executing only on a specific date; detecting time acceleration; terminating analysis tools; and detecting browser history, running programs and installed programs. Since an electronic device usually combines several of these means to detect a virtual machine or sandbox, the present embodiment monitors the above operations of the electronic device in advance, determines the access request messages corresponding to those operations and their corresponding APIs, and installs hook functions at those APIs to intercept and handle the access request messages sent through them.
For an intercepted access request message, the access result data corresponding to the message is determined, the data type of the access result data is determined, the protection strategy matching that data type is looked up, and protective processing is applied to the access request message according to the strategy found. In the present embodiment, the access result data corresponding to access request messages is divided in advance into a first data type and a second data type.
The first data type is the type of data that exists both in the virtualized environment and in a non-virtualized environment. For example, both a virtualized and a non-virtualized environment need to have network card information and registry information, so the access result data corresponding to this kind of information is assigned to the first data type. Because data of this type exists in every environment, an access result must be returned to the electronic device; otherwise the user of the electronic device would become suspicious. Accordingly, the protection strategy set in the present embodiment to match the first data type is: set pseudo result data in advance for the access result data of the first data type, and when an access request message for access result data of the first data type is intercepted, return for that message the pseudo result data corresponding to that access result data. That is, for access result data of the first data type, it is determined in advance whether the value of the data would reveal a feature of the virtualized environment; if so, pseudo result data is set for that data and returned to the electronic device. For example, both a virtualized and a non-virtualized environment have a physical network card, but the characteristics of the card may differ between the two environments, so pseudo result data (i.e. data consistent with a non-virtualized environment) is set for the network card access result data; once the electronic device requests the network card data, it receives the corresponding pseudo result data and so cannot see through the virtualized environment.
The second data type is the type of data that exists in the virtualized environment but not in a non-virtualized environment. Because data of this type exists only in the virtualized environment, returning it to the electronic device would let the electronic device see through the virtualized environment. Therefore, the protection strategy set in the present embodiment to match the second data type is: when an access request message for access result data of the second data type is intercepted, return an empty message for it. That is, no response result is returned for an access request message corresponding to the second data type, so that the electronic device cannot obtain data that identifies a feature of the virtualized environment. The virtualized environment in the present embodiment includes a virtualized environment built with a virtual machine and/or one built with a sandbox; whichever kind it is, it can be protected by the two strategies described above.
In addition, the virtualized environment can also be protected in the present embodiment in the following ways: (1) using open-source hardware virtualization software and compiling it from source to remove or change the particular fingerprint information of the virtual machine, so that malware on the electronic device fails to detect it; (2) changing the sandbox hardware configuration by hooking so that it looks more like a real machine (optionally also returning false configuration information); (3) configuring the system normally and installing popular software to make it more convincing; (4) simulating normal user operations (mouse clicks, network access) to prevent the electronic device from seeing through it; (5) appropriately increasing the detection time; (6) hooking out certain abnormal operations (restart, shutdown); (7) countering hook detection; and (8) configuring the virtual network environment in other ways that evade detection.
It can be seen that the first intrusion detection module and the second intrusion detection module in the system can conceal the virtualized environment to prevent the honeypot environment from being identified by the electronic device, thereby improving the usability of the system.
In addition, the system can also realize a hacker profiling function from the information collected by each module, so as to locate the attacker. Correspondingly, the system further performs the following operations: when an electronic device intruding into the wireless network is detected, record the device access information of that electronic device (i.e. the function performed by the wireless access module described above); obtain the network traffic information generated by the electronic device and determine from it the device attribute information of the electronic device and the user attribute information corresponding to the electronic device; perform a correlation analysis on the device access information of the electronic device, the device attribute information of the electronic device and the user attribute information corresponding to the electronic device, and determine the attack user information corresponding to the electronic device from the analysis result, where the attack user information is used to locate the attacker and/or detect the position of the electronic device. The specific meaning and acquisition methods of device access information and device attribute information have been described above and are not repeated here. The user attribute information corresponding to the electronic device mainly refers to personal behavior information related to the attacker; this information can be determined both from the device attribute information and from the behavior characteristic information mentioned above. In the present embodiment, the user attribute information can include user identity information, for example social account information, attack tool information, the check-in address information of a remote control Trojan, and backdoor login password information. That is, in the present embodiment, the information related to user behavior can be separated out of the device attribute information mentioned above as user attribute information.
To aid understanding, taking device-fingerprint-type information as an example, several common kinds of device attribute information are listed below, including: IP address, geographical position, network identity, device fingerprint, operating system, browser, etc. In addition, device attribute information can be determined with the help of WebRTC (Web Real-Time Communication), the UA (User Agent), Canvas drawing, screen resolution (including size and 16/24-bit color), plug-ins, time zone, language, GPU (Graphics Processing Unit) and AudioContext. Specifically, the WebRTC protocol can be used to obtain both the intranet and extranet IP addresses, even when a VPN (Virtual Private Network) is in use. The browser version and operating system version can be judged from the UA. When drawing a Canvas image, the same Canvas drawing code produces image features that are consistent and unique for a given machine and browser; based on this characteristic, the present invention only needs to extract a simple CRC (Cyclic Redundancy Code) value to uniquely identify and track an electronic device and its corresponding user. Obtaining the screen resolution of the attacker's electronic device as an auxiliary condition allows the uniqueness of the electronic device to be determined more accurately. Obtaining the plug-ins of the attacker's electronic device allows the software installed by the attacker to be judged and, as an auxiliary condition, the uniqueness of the electronic device to be determined more accurately. Obtaining the time zone of the attacker's electronic device allows the attacker's country to be judged, and it also serves as an auxiliary condition for determining the uniqueness of the electronic device. Obtaining the GPU model of the attacker's electronic device can likewise serve as an auxiliary condition for determining the uniqueness of the electronic device. In addition, the language mentioned above is not limited to the language used by the current browser but includes all languages supported by the system, such as simplified Chinese, traditional Chinese and English. The inventor found while realizing the present invention that the prior art has no ready-made calling interface for obtaining the language information of a system; to solve this problem, the present embodiment takes the following approach: the page asks the user of the electronic device to write two characters in every language; if the system supports that language, they are written out normally, and if not, what is displayed is a box. In this way the languages supported by the system can be obtained, and they in turn help determine the uniqueness of the electronic device and the identity information of its user. In a specific implementation, the preset instruction sent by the electronic device can be intercepted by a hook function, and the writing operation logic set in the hook function, which writes in each language in turn, determines the languages supported by the system. It can be seen that the device attribute information in the present embodiment can include many kinds of content, and part of it can also help determine the user attribute information.
Several common kinds of user attribute information are described below:
First, user attribute information includes user identity information, for example the user account information obtained in the manner described above. Here, user account information comprises the accounts that the user has registered with major websites and the corresponding password information. Besides user account information, other kinds of information that can reflect the user's identity may also be included.
Second, user attribute information also includes user behaviour information, which is mainly used to determine the attacker's attack tools and attack techniques. Specifically, the attack tools and attack techniques used by the attacker are captured and the features in the tools are extracted, such as URLs, IP addresses, the MD5 of a sample, the check-in address of a remote-control Trojan (the address to which it reports online), the login password of a backdoor, and so on; from these features it is determined whether two attackers are the same person, and the attacker's level can also be rated. For example, the sample downloaded by the same attacker after each login is identical, so the MD5 of the sample is necessarily identical too; likewise, the check-in address of the same attacker's remote-control Trojan and the login password of the backdoor are necessarily identical. Accordingly, one attacker can be uniquely determined from the above information.
After the above device access information, device attribute information and user attribute information have been obtained, association analysis is performed on them, and the attack user profile corresponding to the electronic device is determined from the analysis result. Association analysis means that the above items of information are first associated by device identifier and then analysed. Because the device access information, device attribute information and user attribute information of the same user all carry the same device identifier, the items of information belonging to the same user can be linked to one another through the device identifier, and the result obtained after association serves as the attack user profile.
Next, after the attack user profile corresponding to the electronic device has been determined from the analysis result, an attack user identifier corresponding to the attack user profile is further set, and the attack user profile and the attack user identifier are stored in association as one data record in a preset attack user list. The difference between the attack user identifier and the device identifier is as follows. The device identifier is mainly used to uniquely determine one electronic device, so it is tied to the hardware features of the electronic device; for example, hardware features of an electronic device such as its graphics card, resolution and network card are constant, and the device identifier therefore mainly identifies the electronic device itself. The attack user identifier, by contrast, is mainly used to uniquely determine one attacker. Usually an attacker uses the same electronic device in every attack, so under normal circumstances the device identifier and the attack user identifier can substitute for one another. In some special cases, however, the attacker uses a different electronic device in each attack, and then the meaning and function of the device identifier and of the attack user identifier are entirely different. Put simply, the attack user identifier is tied to the user attribute information of the attacker: the social account information of the same attacker is constant, and the attack techniques and attack tools of the same attacker are fixed, so the attack user identifier mainly identifies the attacker himself.
In a specific implementation, the device access information and device attribute information can be treated as information in one-to-one correspondence with the device identifier, and the user attribute information as information in one-to-one correspondence with the attack user identifier. Accordingly, the approach of the present invention can uniquely determine not only an electronic device but also an attacker, so that both the locating of the electronic device and the profiling and lookup of the attacker can be achieved.
Correspondingly, when the attack user profile corresponding to the electronic device is determined from the analysis result, the attack user list is further queried for a data record that matches the analysis result; if one exists, that data record is updated according to the analysis result. Specifically, for each data record in the attack user list, it is determined whether the data record contains information items whose values are identical to those in the analysis result; if so, it is judged whether the names and/or the number of the value-identical information items satisfy a preset matching rule, and if so, the data record is determined to match the analysis result. In this way the information of each attacker can be stored through the attack user list and the attacker can be located and queried, which improves the security of the system.
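The procedure of the preceding paragraphs (a device identifier derived from the device attributes with the Canvas CRC as primary key, association of the three information sets by that identifier, and matching of the result against the attack user list under a preset matching rule) as an added Python example; it is not the patent's own code, and the field names, the strong/weak item sets, the match threshold and the observations are all constructed assumptions.

```python
"""Added example (not the patent's code): device identifier, association analysis
and attack-user-list matching for the honeypot observations described above.
Field names, the strong/weak item sets and the threshold are assumptions."""
import zlib
from dataclasses import dataclass, field

# Items the description calls stable for one attacker across devices: sample MD5,
# the Trojan's check-in address, the backdoor password, social/account information.
STRONG_ITEMS = {"sample_md5", "c2_address", "backdoor_password", "social_account"}
# Items that only corroborate; the count threshold is the constructed "preset rule".
WEAK_ITEMS = {"ip", "user_agent", "attack_url", "timezone"}
MIN_WEAK_MATCHES = 2


def device_identifier(canvas_png: bytes, resolution: str, plugins: list,
                      timezone: str, gpu: str, languages: list) -> str:
    """Primary key is the CRC of the Canvas rendering; resolution, plug-ins, time
    zone, GPU model and supported languages are the auxiliary conditions."""
    primary = zlib.crc32(canvas_png) & 0xFFFFFFFF
    aux = "|".join([resolution, ",".join(sorted(plugins)), timezone, gpu,
                    ",".join(sorted(languages))])
    return f"{primary:08x}-{zlib.crc32(aux.encode()) & 0xFFFFFFFF:08x}"


@dataclass
class AttackUserRecord:
    """One data record of the attack user list: identifier plus profile items."""
    attack_user_id: str
    devices: set = field(default_factory=set)      # device identifiers seen
    items: dict = field(default_factory=dict)      # item name -> latest value


def associate(device_id: str, access_info: dict, device_attrs: dict,
              user_attrs: dict) -> dict:
    """Association analysis: all three information sets carry the same device
    identifier, so they merge into one attack user profile keyed by it."""
    profile = {"device_id": device_id}
    for part in (access_info, device_attrs, user_attrs):
        profile.update(part)
    return profile


def matches(record: AttackUserRecord, profile: dict) -> bool:
    """Preset matching rule (assumption): same device, or one identical strong
    item, or at least MIN_WEAK_MATCHES identical weak items."""
    if profile["device_id"] in record.devices:
        return True
    identical = {k for k, v in profile.items()
                 if k != "device_id" and record.items.get(k) == v}
    if identical & STRONG_ITEMS:
        return True
    return len(identical & WEAK_ITEMS) >= MIN_WEAK_MATCHES


def upsert(attack_list: list, profile: dict) -> AttackUserRecord:
    """Query the attack user list; update the matching record or append a new one
    with a fresh attack user identifier."""
    items = {k: v for k, v in profile.items() if k != "device_id"}
    for record in attack_list:
        if matches(record, profile):
            record.devices.add(profile["device_id"])
            record.items.update(items)
            return record
    record = AttackUserRecord(f"ATK-{len(attack_list) + 1:04d}",
                              {profile["device_id"]}, items)
    attack_list.append(record)
    return record


def demo() -> list:
    """Constructed scenario: one attacker seen from two devices, then a second
    attacker who shares only the time zone with the first."""
    attack_list = []
    dev_a = device_identifier(b"canvas-bytes-A", "1920x1080", ["flash", "pdf"],
                              "UTC+8", "GPU-X", ["zh-CN", "en"])
    dev_b = device_identifier(b"canvas-bytes-B", "1366x768", ["pdf"],
                              "UTC+8", "GPU-Y", ["zh-CN"])
    dev_c = device_identifier(b"canvas-bytes-C", "1440x900", [],
                              "UTC+8", "GPU-Z", ["en"])
    upsert(attack_list, associate(
        dev_a, {"ip": "10.0.0.5", "user_agent": "UA-1"},
        {"timezone": "UTC+8", "gpu": "GPU-X"},
        {"sample_md5": "md5-of-sample-1", "c2_address": "c2.example.invalid:4444",
         "backdoor_password": "pw-1"}))
    upsert(attack_list, associate(           # new device, same C2 and backdoor
        dev_b, {"ip": "10.0.0.9", "user_agent": "UA-2"},
        {"timezone": "UTC+8", "gpu": "GPU-Y"},
        {"c2_address": "c2.example.invalid:4444", "backdoor_password": "pw-1"}))
    upsert(attack_list, associate(           # only the time zone coincides
        dev_c, {"ip": "10.0.0.77", "user_agent": "UA-3"},
        {"timezone": "UTC+8", "gpu": "GPU-Z"},
        {"sample_md5": "md5-of-sample-2"}))
    return attack_list
```

Running `demo()` yields two records: the first attack user identifier accumulates both devices, the third observation gets a new identifier because a single weak match does not satisfy the rule.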
In summary, the system provided by the invention can lure an attacker into the honeypot and expose the relevant information. The modules of the system collect a great deal of information in a progressive, layered manner, and this information can be queried in a linked fashion. The system also supports attack alarms by means such as SMS or e-mail. Emergency handling can also be carried out by locating the attacker and blocking the attack. In addition, by examining the attack logs the system serves the purposes of tracing and forensic analysis.
In addition, the second intrusion detection module of the system in the present embodiment has been introduced taking a Windows-type high-interaction honeypot as an example; in practice, the second intrusion detection module in the system can also be a Linux-type high-interaction honeypot.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. As described above, the structure required to construct such systems is obvious. Nor is the present invention directed to any particular programming language. It should be understood that the content of the invention described herein can be realised with various programming languages, and the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided here. It should be appreciated, however, that embodiments of the present invention can be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to simplify the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. The method of the disclosure, however, is not to be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can moreover be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments, but not other features, combinations of the features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention can be realised in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) can be used in practice to realise some or all of the functions of some or all of the components in the device according to the embodiments of the present invention. The present invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program realising the present invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be realised by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words can be interpreted as names.
Claims (10)
1. A wireless network intrusion detection system, comprising: a wireless access module, a network transmission module, a first intrusion detection module and a second intrusion detection module; wherein
the wireless access module is adapted to record a device identifier and device access information of an electronic device when it is detected that the electronic device has accessed the wireless network through a preset network vulnerability;
the network transmission module is adapted to obtain the network traffic information generated after the electronic device accesses the wireless network and to supply the obtained network traffic information to the first intrusion detection module;
the first intrusion detection module is adapted to analyse the network traffic information supplied by the network transmission module and to determine device attribute information of the electronic device according to the analysis result;
the second intrusion detection module is adapted to obtain behaviour characteristic information of the electronic device and to generate an intrusion alarm signal when it is determined that the behaviour characteristic information satisfies a preset alarm rule.
2. The system according to claim 1, wherein the wireless access module is particularly adapted to store the device access information of the electronic device in association with the device identifier of the electronic device;
the first intrusion detection module is particularly adapted to store the device attribute information of the electronic device in association with the device identifier of the electronic device;
and the second intrusion detection module is further adapted to obtain and analyse the device access information and the device attribute information stored in association with the device identifier of the electronic device when it is determined that the behaviour characteristic information satisfies the preset alarm behaviour rule.
3. The system according to claim 1 or 2, wherein there are a plurality of first intrusion detection modules and/or second intrusion detection modules, each first intrusion detection module and/or second intrusion detection module being connected to the network transmission module in a bridged manner;
and the network transmission module is particularly adapted to obtain and analyse, after the electronic device accesses the wireless network, the point-to-point network traffic information generated for each respective first intrusion detection module and/or second intrusion detection module.
4. The system according to any one of claims 1 to 3, wherein the wireless access module is particularly adapted to push a preset web page to the electronic device, obtain the access result generated by the electronic device for the preset web page, and obtain and record the device identifier and the device access information of the electronic device according to the access result.
5. The system according to any one of claims 1 to 4, wherein the network transmission module is further adapted to:
intercept, according to the network traffic information generated after the electronic device accesses the wireless network, a website access request sent by the electronic device;
insert into the intercepted website access request sent by the electronic device a preset access script for accessing a preset website;
receive the access result data fed back by the preset website and supply the access result data fed back by the preset website to the first intrusion detection module, so that the first intrusion detection module determines the device attribute information of the electronic device with reference to the access result data.
6. The system according to any one of claims 1 to 5, wherein the network transmission module is further adapted to determine whether the network traffic information generated after the electronic device accesses the wireless network contains network traffic triggered by access behaviour that satisfies a preset early-warning rule, and if so, to generate an attack early-warning signal;
wherein the preset early-warning rule comprises early-warning rules of a plurality of security levels.
7. The system according to any one of claims 1 to 6, wherein the first intrusion detection module and/or the second intrusion detection module is further adapted to:
determine, according to the device access information, the device attribute information and/or the behaviour characteristic information of the electronic device, a user identifier and user characteristic information corresponding to the electronic device, so as to perform tracing according to the user identifier and the user characteristic information.
8. The system according to any one of claims 1 to 7, wherein the second intrusion detection module is particularly adapted to:
determine whether the behaviour characteristic information matches malicious commands stored in a preset blacklist, and if so, generate the intrusion alarm signal; and/or
record the files operated on by the electronic device in a preset operated-file list, record in a preset suspicious-file list the files having a preset association with the files in the operated-file list, and determine whether to generate the intrusion alarm signal by monitoring the files in the operated-file list and the suspicious-file list.
9. The system according to any one of claims 1 to 8, wherein the first intrusion detection module and/or the second intrusion detection module is a virtual machine in which a real system is installed, and the fingerprint characteristic information of the virtual machine is managed by a preset program plug-in at the operating system layer; wherein the fingerprint characteristic information comprises network card information, registry information and/or key value information.
10. The system according to any one of claims 1 to 9, wherein the first intrusion detection module comprises a Web-type low-interaction intrusion detection module, and the second intrusion detection module comprises a Windows-type high-interaction intrusion detection module and/or a Linux-type high-interaction intrusion detection module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710945013.XA CN107579997A (en) | 2017-09-30 | 2017-09-30 | Wireless network intrusion detection system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107579997A true CN107579997A (en) | 2018-01-12 |
Family
ID=61036583
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710945013.XA Pending CN107579997A (en) | 2017-09-30 | 2017-09-30 | Wireless network intrusion detection system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107579997A (en) |
Events
- 2017-09-30 CN CN201710945013.XA patent/CN107579997A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080104700A1 (en) * | 2006-10-31 | 2008-05-01 | Peter Fagone | Method and apparatus for providing automatic generation of webpages |
CN102790778A (en) * | 2012-08-22 | 2012-11-21 | 常州大学 | DDos (distributed denial of service) attack defensive system based on network trap |
CN102833268A (en) * | 2012-09-17 | 2012-12-19 | 福建星网锐捷网络有限公司 | Method, equipment and system for resisting wireless network flooding attack |
CN104486765A (en) * | 2014-12-22 | 2015-04-01 | 上海斐讯数据通信技术有限公司 | Wireless intrusion detecting system and detecting method |
Non-Patent Citations (1)
Title |
---|
朱参世等: "基于蜜罐的入侵检测系统模型研究", 《微计算机信息》 * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109784945A (en) * | 2018-12-27 | 2019-05-21 | 广州安食通信息科技有限公司 | Foodstuff traceability method, system and storage medium based on big data and block chain |
CN110198300A (en) * | 2019-03-13 | 2019-09-03 | 腾讯科技(深圳)有限公司 | A kind of honey jar operation system fingerprint concealment method and device |
CN110198300B (en) * | 2019-03-13 | 2022-01-14 | 腾讯科技(深圳)有限公司 | Honeypot operating system fingerprint hiding method and device |
CN111314276A (en) * | 2019-11-09 | 2020-06-19 | 北京长亭未来科技有限公司 | Method, device and system for detecting multiple attack behaviors |
CN111083159A (en) * | 2019-12-27 | 2020-04-28 | 北京安天网络安全技术有限公司 | Intrusion detection method and device, electronic equipment and storage medium |
CN111130948A (en) * | 2019-12-30 | 2020-05-08 | 迈普通信技术股份有限公司 | Network quality detection method and device |
CN111540183A (en) * | 2020-05-11 | 2020-08-14 | 苏州求臻智能科技有限公司 | Patrol robot safety region intrusion early warning method based on wireless signal analysis |
CN111885007A (en) * | 2020-06-30 | 2020-11-03 | 北京长亭未来科技有限公司 | Information tracing method, device, system and storage medium |
WO2022082870A1 (en) * | 2020-10-23 | 2022-04-28 | 苏州聚慧邦信息科技有限公司 | Information security detection method and apparatus based on office device, and computer device |
CN114629970A (en) * | 2022-01-14 | 2022-06-14 | 华信咨询设计研究院有限公司 | TCP/IP flow reduction method |
CN114465789A (en) * | 2022-01-21 | 2022-05-10 | 成都全景智能科技有限公司 | Analysis method, device and equipment for network rubbing equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107612924A (en) | Attacker's localization method and device based on wireless network invasion | |
CN107579997A (en) | Wireless network intrusion detection system | |
US9509714B2 (en) | Web page and web browser protection against malicious injections | |
US9712560B2 (en) | Web page and web browser protection against malicious injections | |
US9773109B2 (en) | Alternate files returned for suspicious processes in a compromised computer network | |
US10454950B1 (en) | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks | |
Nikiforakis et al. | Privaricator: Deceiving fingerprinters with little white lies | |
US10587647B1 (en) | Technique for malware detection capability comparison of network security devices | |
US9501639B2 (en) | Methods, systems, and media for baiting inside attackers | |
CN103634306B (en) | The safety detection method and safety detection server of network data | |
CN107465702A (en) | Method for early warning and device based on wireless network invasion | |
CN101820419B (en) | Method for automatically positioning webpage Trojan mount point in Trojan linked webpage | |
CN107566401A (en) | The means of defence and device of virtualized environment | |
CN107888607A (en) | A kind of Cyberthreat detection method, device and network management device | |
US7941854B2 (en) | Method and system for responding to a computer intrusion | |
CN103279710B (en) | Method and system for detecting malicious codes of Internet information system | |
CN105491053A (en) | Web malicious code detection method and system | |
CN108768989A (en) | It is a kind of using the APT attack defense methods of mimicry technology, system | |
CN107509200A (en) | Equipment localization method and device based on wireless network invasion | |
CN104378255B (en) | The detection method and device of web malicious users | |
CN107733699B (en) | Internet asset security management method, system, device and readable storage medium | |
CN108989294A (en) | A kind of method and system for the malicious user accurately identifying website visiting | |
CN104967628A (en) | Deceiving method of protecting web application safety | |
CN111625821A (en) | Application attack detection system based on cloud platform | |
CN116340943A (en) | Application program protection method, device, equipment, storage medium and program product |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20180112