CN108881211A - Illegal external connection detection method and device - Google Patents

Illegal external connection detection method and device

Info

Publication number: CN108881211A
Authority: CN (China)
Prior art keywords: external connection, address, illegal external, equipment, page
Legal status: Granted (active)
Application number: CN201810596544.7A
Other languages: Chinese (zh)
Other versions: CN108881211B (en)
Inventors: 罗治华, 白彦芳, 张克彬
Current assignee: HANGZHOU INFOGO TECH CO LTD
Original assignee: HANGZHOU INFOGO TECH CO LTD
Events: application filed by HANGZHOU INFOGO TECH CO LTD; priority to CN201810596544.7A; publication of CN108881211A; application granted; publication of CN108881211B.
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The application provides an illegal external connection detection method and device. The method includes: obtaining a packet, which is either a packet to be sent by this device or a packet received by this device; checking whether the packet's source IP address or destination IP address hits a pre-configured whitelist, the whitelist recording the IP addresses that may be accessed; if it misses, obtaining the page title of the page requested at a pre-configured URL and checking whether the obtained page title is consistent with the pre-configured page title corresponding to that URL; and if consistent, determining that this device has made an illegal external connection. The method can detect illegal external connections by terminal devices.

Description

Illegal external connection detection method and device
Technical field
This application relates to the field of computer communication, and in particular to an illegal external connection detection method and device.
Background art
An illegal external connection means that a terminal device has accessed a network address it is not allowed to access. For example, the terminal devices of an enterprise's employees may be allowed to work only in the intranet environment and not to access the external network. If an employee's terminal device accesses the external network, that terminal device has made an illegal external connection.
When a terminal device on a company intranet makes an illegal external connection, an attacker on the external network may illegally steal the company intranet's sensitive data, exposing the intranet to material risk. How to detect whether a terminal device has made an illegal external connection has therefore become an urgent problem.
Summary of the invention
In view of this, the application provides an illegal external connection detection method and device, to detect illegal external connections by intranet terminal devices.
Specifically, the application is realized by the following technical solution:
According to a first aspect of the application, an illegal external connection detection method is provided. The method is applied to a terminal device and includes:
obtaining a packet; the obtained packet is a packet to be sent by this device or a packet received by this device;
checking whether the source IP address or destination IP address of the packet hits a pre-configured whitelist; the whitelist records the IP addresses that may be accessed;
if it misses, obtaining the page title of the page requested at a pre-configured URL, and checking whether the obtained page title is consistent with the pre-configured page title corresponding to that URL;
if consistent, determining that this device has made an illegal external connection.
Optionally, obtaining the page title of the page requested at the pre-configured URL includes:
sending a page access request corresponding to the pre-configured URL;
receiving the page data returned for the page access request, and obtaining the page title from the page data.
Optionally, after determining that this terminal device has made an illegal external connection, the method further includes at least one of the following:
generating an illegal external connection event and uploading it to a management server; the illegal external connection event includes at least the packet's source IP address, destination IP address, source port and destination port, the path of the offending process that handled the packet, the user identifier corresponding to this device, and the time at which the illegal external connection occurred;
performing illegal external connection handling; the handling includes at least one or a combination of the following: showing an illegal external connection prompt to the user; disconnecting the link over which the illegal external connection occurred; terminating the process that made the illegal external connection; restarting this device.
Optionally, the method further includes:
periodically checking whether this device accesses network resources through a proxy server;
if so, performing one or a combination of the following operations:
sending an illegal proxy event to the management server; the illegal proxy event includes at least the local IP address, the proxy IP address and port, the user identifier corresponding to this device, and the time at which the illegal proxying occurred;
performing illegal proxy handling; the handling includes at least one or a combination of the following: showing a prompt to the user indicating that this terminal device has enabled a proxy; cutting off the terminal device's network connection; restarting this device.
Optionally, the method further includes:
when an ICMP packet whose destination address is an IP address not included in the whitelist is obtained, discarding that ICMP packet.
According to a second aspect of the application, an illegal external connection detection device is provided. The device is applied to a terminal device and includes:
an acquiring unit, for obtaining a packet; the obtained packet is a packet to be sent by this device or a packet received by this device;
a first detection unit, for checking whether the source IP address or destination IP address of the packet hits a pre-configured whitelist; the whitelist records the IP addresses that may be accessed;
a second detection unit, for, on a miss, obtaining the page title of the page requested at a pre-configured URL and checking whether the obtained page title is consistent with the pre-configured page title corresponding to that URL;
a determination unit, for determining, if consistent, that this device has made an illegal external connection.
Optionally, when obtaining the page title of the page requested at the pre-configured URL, the second detection unit is specifically for sending a page access request corresponding to the pre-configured URL, receiving the page data returned for the page access request, and obtaining the page title from the page data.
Optionally, the device further includes:
a processing unit, for performing at least one of the following:
generating an illegal external connection event and uploading it to a management server; the illegal external connection event includes at least the packet's source IP address, destination IP address, source port and destination port, the path of the offending process that handled the packet, the user identifier corresponding to this device, and the time at which the illegal external connection occurred;
performing illegal external connection handling; the handling includes at least one or a combination of the following: showing an illegal external connection prompt to the user; disconnecting the link over which the illegal external connection occurred; terminating the process that made the illegal external connection; restarting this device.
Optionally, the device further includes:
an inspection unit, for periodically checking whether this device accesses network resources through a proxy server, and if so, performing one or a combination of the following operations:
sending an illegal proxy event to the management server; the illegal proxy event includes at least the local IP address, the proxy IP address and port, the user identifier corresponding to this device, and the time at which the illegal proxying occurred;
performing illegal proxy handling; the handling includes at least one or a combination of the following: showing a prompt to the user indicating that this terminal device has enabled a proxy; cutting off the terminal device's network connection; restarting this device.
Optionally, the device further includes:
a discarding unit, for discarding an obtained ICMP packet whose destination address is an IP address not included in the whitelist.
The application provides an illegal external connection detection method in which a client installed on the terminal device obtains packets; checks whether the source IP address or destination IP address of a packet hits a pre-configured whitelist that records the IP addresses that may be accessed; on a miss, obtains the page title of the page requested at a pre-configured URL and checks whether the obtained page title is consistent with the pre-configured page title corresponding to that URL; and if consistent, determines that this device has made an illegal external connection.
By adding the page-title check on top of the whitelist check, the method detects illegal external connections while also effectively preventing false positives, which greatly improves the accuracy of illegal external connection detection.
Brief description of the drawings
Fig. 1 is a network architecture diagram of a related illegal external connection detection technique, shown in an exemplary embodiment of the application;
Fig. 2 is a network architecture diagram of an illegal external connection detection method shown in an exemplary embodiment of the application;
Fig. 3 is a flowchart of an illegal external connection detection method shown in an exemplary embodiment of the application;
Fig. 4 is a hardware structure diagram of a terminal device shown in an exemplary embodiment of the application;
Fig. 5 is a block diagram of an illegal external connection detection device shown in an exemplary embodiment of the application.
Detailed description of the embodiments
Exemplary embodiments are described in detail here, and examples are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; rather, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in the application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon", or "in response to determining".
Referring to Fig. 1, Fig. 1 is a network architecture diagram of a related illegal external connection detection technique.
In the related technique for detecting illegal external connections, an intranet monitoring server is configured on the intranet and an external-network monitoring server is configured on the external network.
When an intranet terminal accesses a business website on the intranet, the intranet monitoring server injects pre-configured JS code into the access data returned to the terminal. After the terminal receives the access data, the JS code is downloaded onto the terminal. The JS (JavaScript, an interpreted scripting language) code then attempts to access the external-network monitoring server. If the JS code can reach the external-network monitoring server, it is determined that the intranet terminal has made an illegal external connection.
However, in the above method, on the one hand an intranet monitoring server and an external-network monitoring server must be deployed on the intranet and the external network respectively, which greatly increases the implementation cost of the scheme; on the other hand, when there are many intranet terminals, this places considerable load on the intranet and external-network monitoring servers.
The application performs illegal external connection detection on the basis of a C/S (Client/Server) architecture. In the application, a client is installed on the intranet terminal devices and a management server is deployed. A network administrator configures the illegal external connection policy on the management server; the client downloads the illegal external connection policy and performs illegal external connection detection on the intranet terminal.
Referring to Fig. 2, Fig. 2 is a network architecture diagram of an illegal external connection detection method shown in an exemplary embodiment of the application.
The architecture includes at least one terminal device, a management server, an intranet server, and a forwarding device between the terminal device and the intranet server.
A client is installed on each terminal device. The client receives the illegal external connection policy issued by the management server and inspects the packets received or sent by the terminal device, to determine whether the terminal device has accessed network resources it is not allowed to access.
The network administrator configures the illegal external connection policy on the management server, and after configuration is complete the management server distributes the policy to the clients.
The management server can be deployed on the intranet; it can of course also be deployed on the external network, and this is not specifically limited here.
The architecture may further include a forwarding device between the terminal device and the intranet server, through which the terminal device sends access requests for the intranet server and receives the data returned by the intranet server.
Referring to Fig. 3, Fig. 3 is a flowchart of an illegal external connection detection method shown in an exemplary embodiment of the application.
Before introducing the illegal external connection detection method of the application, the configuration of the illegal external connection policy is introduced first.
The network administrator can log in to the management server remotely to configure the illegal external connection policy. For example, the administrator can log in to the management server through a browser and then configure a whitelist, which records at least one IP address that may be accessed.
It should be noted that the whitelist can record a single IP address or multiple IP addresses, and multiple recorded addresses may be contiguous (for example an IP address range) or non-contiguous. This is only an illustration of the IP addresses recorded in the whitelist, not a limitation.
In addition, the network administrator can configure on the management server the measures to take when a terminal device makes an illegal external connection. For example, the administrator can configure that after a terminal device makes an illegal external connection, the terminal device sends alarm information to the management server, performs illegal external connection handling, and so on.
The application provides three functions for the client: an anti-false-positive function for illegal external connection detection, a function for detecting whether network resources are accessed through a proxy server, and a function for prohibiting ping (Packet Internet Groper) of network resources outside the whitelist. The network administrator can configure on the management server whether each of these three functions is enabled.
After the illegal external connection policy has been configured, the management server distributes it to the client installed on each terminal device. After receiving the policy, the client records it; for example, the client can update the policy into the client driver. If the function prohibiting ping of network resources outside the whitelist is enabled, the policy is also updated into the WFP (Windows Filtering Platform, the set of APIs and system services that provide a platform for network filtering applications) or PF (Packet Filter) firewall driver.
Having introduced the configuration of the illegal external connection policy, the illegal external connection detection method is now described in detail.
The client installed on the terminal device can perform illegal external connection detection by executing the following steps 301 to 304.
Step 301: obtain a packet.
It should be noted that the client on the terminal device can obtain packets sent out by this device as well as packets received from other devices.
Step 302: check whether the source IP address or destination IP address of the packet hits the pre-configured whitelist; the whitelist records the IP addresses that may be accessed.
Step 302 can be performed by the client driver of the client.
In implementation, when the packet obtained by the client driver is a packet sent out by this device, the client driver checks whether the packet's destination IP address is recorded in the whitelist. If the destination IP address is not recorded in the whitelist, it is determined that the packet's destination IP address misses the whitelist; if it is recorded, it is determined that the destination IP address hits the whitelist.
When the packet obtained by the client driver is a packet from another device, the client driver checks whether the packet's source IP address is recorded in the whitelist. If the source IP address is not recorded in the whitelist, it is determined that the packet's source IP address misses the whitelist; if it is recorded, it is determined that the source IP address hits the whitelist.
Step 303: if it misses, obtain the page title of the page requested at the pre-configured URL (Uniform Resource Locator), and check whether the obtained page title is consistent with the pre-configured page title corresponding to that URL;
Step 304: if consistent, determine that this device has made an illegal external connection.
Steps 303 and 304 can be performed by the client process of the client.
In addition, a correspondence between a URL and a page title is provided in the client.
Here the page title refers to the characters in a predetermined region of the page. For example, when the page is the Baidu home page, the page title is "百度一下，你就知道" (the title of Baidu's home page).
The correspondence can be the correspondence between www.baidu.com and "百度一下，你就知道".
For convenience of description, the URL in the configured correspondence between URL and page title is called the pre-configured URL, and the page title in that correspondence is called the pre-configured page title.
In the embodiment of the application, after the client driver determines that the source IP address or destination IP address of an obtained packet misses the pre-configured whitelist, the client driver can send a notification message to the client process. The notification message can carry the offending process that handled the packet, the packet's source IP address or destination IP address, and the ports on which the packet was sent or received.
After receiving the notification message, the client process obtains the page title of the page requested at the pre-configured URL.
Specifically, the client process reads the pre-configured URL and then sends a page access request corresponding to the pre-configured URL.
After the client process receives the page corresponding to the page access request, it obtains the page title of that page. The client process then checks whether the obtained page title is consistent with the pre-configured page title corresponding to the pre-configured URL. If consistent, this device has made an illegal external connection, that is, it has accessed an external-network resource in violation of the policy. At that point, the packet whose source IP address or destination IP address missed the whitelist can be marked as an illegal external connection packet.
When the client process does not receive the page corresponding to the page access request, or when the obtained page title is inconsistent with the page title corresponding to the pre-configured URL, this device has not made an illegal external connection.
For example, assume that the pre-configured correspondence between URL and page title is the correspondence between www.baidu.com and "百度一下，你就知道". When the client driver detects that the source IP address or destination IP address of a packet misses the whitelist, the client driver sends a notification message to the client process.
After the client process receives the notification message, it reads the pre-configured URL, i.e. www.baidu.com, and then sends a page access request corresponding to www.baidu.com.
After the client process receives the page returned for the page access request, it obtains the page title of the page. Assume that the obtained page title is "百度一下，你就知道".
The client process checks whether the obtained page title is consistent with the pre-configured page title corresponding to www.baidu.com. In this example both are "百度一下，你就知道", so the client process determines that this terminal device has made an illegal external connection.
It should be noted that determining whether this device has made an illegal external connection using only the whitelist sometimes produces false positives.
For example, assume that the terminal device accesses an intranet device whose IP address is not configured in the whitelist. If illegal external connections were judged by the whitelist alone, the terminal device would be considered to have accessed an external-network resource, when in fact it has not, which is a false positive.
To solve this problem, the application performs an anti-false-positive operation in step 303 on top of the whitelist check. The role of step 303 is, after the IP address of a packet received or sent by this terminal device has been determined to miss the whitelist, to further check whether this terminal device can really reach external-network resources, in other words whether this terminal device is really connected to the external network. Step 303 therefore effectively prevents false positives and considerably increases the accuracy of illegal external connection detection.
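The detection loop of steps 301 to 304, the anti-false-positive case just described, the optional discard of ICMP packets to hosts outside the whitelist, and the event record that is uploaded after a step-304 verdict, as an added Python example. This is not the patent's code or the patentee's client: the `Packet` type, the `Whitelist` class, the whitelist entries, the probe HTML and the injectable `fetch` callable are assumptions made for the demonstration. The real client splits the work between a kernel driver and a user-space process; here everything runs in one process, and the fetcher is swapped for a stub so the example runs offline.

```python
"""Steps 301-304 on the endpoint: whitelist lookup, then a page-title probe to
confirm the host really reaches the external network. Added example, not the
patentee's client; the types, whitelist entries, probe HTML and the injectable
`fetch` are constructed for the demonstration."""
import ipaddress
import re
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timezone
from html import unescape
from typing import Callable, Iterable, Optional

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str            # "tcp", "udp" or "icmp"
    outbound: bool           # True for packets this device sends
    process_path: str = ""   # process that handled the packet, as reported by the driver

class Whitelist:
    """Pre-configured addresses: single IPs, CIDR blocks or 'first-last' ranges."""

    def __init__(self, entries: Iterable[str]):
        self.nets = []
        for entry in entries:
            if "-" in entry:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                self.nets.extend(ipaddress.summarize_address_range(lo, hi))
            else:
                self.nets.append(ipaddress.ip_network(entry.strip(), strict=False))

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)

_TITLE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)

def page_title(html: str) -> Optional[str]:
    """Text of the first <title> element, or None when the page has none."""
    m = _TITLE.search(html)
    return unescape(m.group(1)).strip() if m else None

def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Real fetcher: returns the page body, or None when it cannot be reached."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    except Exception:
        return None

class Detector:
    def __init__(self, whitelist: Whitelist, probe_url: str, expected_title: str,
                 fetch: Callable[[str], Optional[str]] = http_fetch):
        self.whitelist, self.probe_url = whitelist, probe_url
        self.expected_title, self.fetch = expected_title, fetch

    def classify(self, pkt: Packet) -> str:
        # Step 302: the peer is the destination of an outbound packet, the source of an inbound one.
        peer = pkt.dst_ip if pkt.outbound else pkt.src_ip
        if self.whitelist.contains(peer):
            return "hit"
        # Optional policy: ping to a host outside the whitelist is discarded outright.
        if pkt.protocol == "icmp" and pkt.outbound:
            return "drop_icmp"
        # Step 303: probe a known external page. The probe host itself must be
        # whitelisted (or the probe's traffic otherwise exempted from the hook),
        # or the probe would be reported as a miss of its own.
        html = self.fetch(self.probe_url)
        if html is None or page_title(html) != self.expected_title:
            return "miss_no_external"   # e.g. an intranet host missing from the whitelist
        return "violation"              # Step 304

def violation_event(pkt: Packet, user_id: str, when: Optional[datetime] = None) -> dict:
    """The record uploaded to the management server after a step-304 verdict."""
    when = when or datetime.now(timezone.utc)
    return {"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip, "src_port": pkt.src_port,
            "dst_port": pkt.dst_port, "process_path": pkt.process_path,
            "user_id": user_id, "time": when.isoformat()}

# Constructed data: a whitelist, the probe page as it would come back when the
# external network is reachable, and two detectors whose fetchers stand in for
# http_fetch so the example runs offline.
WHITELIST = Whitelist(["10.0.0.0/8", "192.168.1.10-192.168.1.20", "203.0.113.7"])
PROBE_URL = "http://www.baidu.com/"
EXPECTED_TITLE = "百度一下，你就知道"
PROBE_HTML = "<html><head><title> 百度一下，你就知道 </title></head><body></body></html>"
reachable = Detector(WHITELIST, PROBE_URL, EXPECTED_TITLE, fetch=lambda url: PROBE_HTML)
isolated = Detector(WHITELIST, PROBE_URL, EXPECTED_TITLE, fetch=lambda url: None)
```

With `reachable`, a TCP packet to 8.8.8.8 classifies as `"violation"`; with `isolated`, the same packet, and a packet to an intranet host such as 172.16.5.5 that was left out of the whitelist, classify as `"miss_no_external"`, which is exactly the false positive step 303 is there to suppress. Note that the probe is itself an outbound request: in a deployment the probe host has to be exempted from the driver hook, and the page title is compared as an exact string, so a changed title on the probe page turns every real violation into a miss until the policy is updated.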
In addition, in the embodiment of the application, after the client determines that this terminal device has made an illegal external connection, the client can perform one or a combination of the following operations according to the illegal external connection policy:
The client can generate an illegal external connection event and upload it to the management server. The event includes at least the source IP address, destination IP address, source port and destination port of the illegal external connection packet, the path of the offending process that handled the packet, the user identifier corresponding to this device, and the time at which the illegal external connection occurred.
The management server records illegal external connection events to build an illegal external connection database. After the network administrator logs in to the management server, the management server shows the administrator the illegal external connection events the administrator wants to query.
In addition, the client can perform the corresponding illegal external connection handling according to the illegal external connection policy issued by the management server.
Illegal external connection handling includes at least one or a combination of the following:
1) showing a prompt to the user, for example popping up a prompt box on the terminal device's screen to inform the user that this terminal device has accessed an external-network resource in violation of the policy;
2) disconnecting the link over which the illegal external connection occurred;
3) terminating the process that made the illegal external connection;
4) restarting this device;
5) cutting off this device's network.
Of course, the above is only an exemplary illustration of illegal external connection handling; other handling measures can also be included, and illegal external connection handling is not specifically limited here.
In addition, in the embodiment of the present application, when client opens the function of forbidding enabling proxy access Internet resources.Visitor Family end, which can periodically check this terminal device and whether pass through proxy server, accesses Internet resources.
Wherein, so-called to refer to that terminal device be sent to the visit of destination server by proxy server access Internet resources It asks that request is sent to proxy server, destination server is sent to by proxy server.
For example, terminal device wants access to Baidu's server, user can enable agent functionality on the terminal device, input The address of proxy server.When terminal device will access Baidu's server, message first can be sent to agency by terminal device The message is sent to Baidu's server by proxy server by server.
But when the IP address of the proxy server is in above-mentioned white list, client, which just will be considered that, is sent to agency service The normal message when message of device.But when user accesses outer net resource by proxy server, client thinks the access report Text is normal message, to can not detect that illegal external connection occurs for terminal device.
In the embodiment of the present application forbid enabling when client opens to improve the accuracy of illegal external connection detection The function of proxy access Internet resources.Client, which can periodically check this terminal device and whether pass through proxy access network, to be provided Source.
The check can include at least one of the following, or a combination of them:
1) Check the system registry of this terminal device to see whether the proxy switch is turned on. If the proxy switch is on, this terminal device has enabled a proxy to access network resources; if it is not on, the terminal device has not enabled a proxy.
2) Check whether the configuration files of a specified browser contain a proxy configuration file. If one exists, this terminal device accesses network resources through a proxy; if not, this terminal device has not enabled a proxy. The specified browser can be any browser in which a proxy can be configured, such as Firefox.
3) Capture the HTTP (HyperText Transfer Protocol) messages sent out by this terminal device with a packet capture tool and detect whether the HTTP messages carry a proxy marker. If they do, this terminal accesses network resources through a proxy server; if they do not, it does not.
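The three checks above can be expressed in code. The following is an added example written for this page, not code from the patent or its assignee: it reads the Windows per-user proxy switch from the registry (check 1, only on Windows), parses Firefox's prefs.js proxy preferences (check 2) and looks for proxy markers in an outgoing HTTP request (check 3). The function names and the sample prefs.js and HTTP requests are assumptions constructed for illustration; the registry value names and the Firefox preference keys are the real ones.

```python
"""Three client-side checks for proxy use: the registry proxy switch,
a browser's proxy preferences, and proxy markers in outgoing HTTP.

Added example, not the patent holder's code.  Registry value names are
the standard Windows Internet Settings names; the prefs.js keys are
Firefox's; the sample inputs below are constructed.
"""
import re
import sys
from typing import Dict, Optional, Tuple

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def registry_proxy_enabled() -> Optional[Tuple[bool, str]]:
    """Check 1: read the per-user proxy switch from the Windows registry.
    Returns (enabled, proxy_server), or None when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows only
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        enabled, _ = winreg.QueryValueEx(key, "ProxyEnable")
        try:
            server, _ = winreg.QueryValueEx(key, "ProxyServer")
        except FileNotFoundError:
            server = ""
    return bool(enabled), server


def parse_prefs(prefs_js: str) -> Dict[str, str]:
    """Parse user_pref(...) lines from a Firefox prefs.js file."""
    return {k: v.strip().strip('"') for k, v in PREF_RE.findall(prefs_js)}


def firefox_proxy_configured(prefs_js: str) -> bool:
    """Check 2: network.proxy.type 1 = manual proxy, 2 = PAC script.
    0 (direct), 4 (WPAD auto-detect) and 5 (system settings, covered by
    check 1) are not flagged here."""
    prefs = parse_prefs(prefs_js)
    ptype = prefs.get("network.proxy.type", "5")
    if ptype == "1":
        return bool(prefs.get("network.proxy.http") or prefs.get("network.proxy.ssl"))
    if ptype == "2":
        return bool(prefs.get("network.proxy.autoconfig_url"))
    return False


def http_request_uses_proxy(raw_request: str) -> bool:
    """Check 3: a request sent to a forward proxy carries an absolute URI in
    the request line (RFC 7230 section 5.3.2), tunnels HTTPS with CONNECT,
    and often carries Proxy-* headers as well."""
    lines = raw_request.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) >= 2 and re.match(r"^https?://", request_line[1], re.I):
        return True
    if request_line[0].upper() == "CONNECT":
        return True
    headers = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
    return bool(headers & {"proxy-connection", "proxy-authorization"})


# ---- constructed sample inputs -----------------------------------------
SAMPLE_PREFS = '''user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "10.1.2.3");
user_pref("network.proxy.http_port", 8080);
'''
DIRECT_REQUEST = "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
PROXIED_REQUEST = ("GET http://www.example.org/ HTTP/1.1\r\nHost: www.example.org\r\n"
                   "Proxy-Connection: keep-alive\r\n\r\n")
TUNNEL_REQUEST = "CONNECT www.example.org:443 HTTP/1.1\r\nHost: www.example.org:443\r\n\r\n"

if __name__ == "__main__":
    print(registry_proxy_enabled())                    # None outside Windows
    print(firefox_proxy_configured(SAMPLE_PREFS))      # True
    print(http_request_uses_proxy(DIRECT_REQUEST))     # False
    print(http_request_uses_proxy(PROXIED_REQUEST))    # True
    print(http_request_uses_proxy(TUNNEL_REQUEST))     # True
```

A proxy marker in HTTP is not a single header: a request handed to a forward proxy uses an absolute URI in the request line, and HTTPS is tunnelled with CONNECT, so a capture check that only looks for a Proxy-Connection header would miss most proxied traffic. Check 2 deliberately leaves Firefox's type 5 (use system settings) to check 1, so the two checks should be run together.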
When the client determines that this terminal device accesses network resources through a proxy server, the client can perform one of the following operations or a combination of them:
1) Send an illegal external connection proxy event to the management server. The illegal proxy event can carry at least the IP address of this terminal device and the user identifier corresponding to this terminal device.
The management server can record the IP address of this terminal device carried in the illegal external connection proxy event, the IP address and port of the proxy server, the user identifier corresponding to this terminal device, and so on. After a network administrator logs in to the management server, the management server can display to the administrator the illegal external connection proxy events the administrator wants to query.
2) Perform illegal proxy handling. The illegal proxy handling includes at least one of the following, or a combination of them:
Display a prompt to the user indicating that this terminal device has enabled a proxy;
Cut off the network connection of this terminal device;
Restart this terminal device.
Of course, the above is only an exemplary description of illegal proxy handling; other illegal proxy handling measures, such as shutting down this terminal device, are also possible. The illegal proxy handling is not specifically limited here.
Of course, in the embodiment of this application the time at which the illegal external connection policy described above takes effect can also be limited, for example taking effect only in a specified time period, or taking effect or not taking effect when the connection to the server is lost.
Further, because the client driver cannot judge whether ICMP (Internet Control Message Protocol) messages hit the whitelist, some attackers could attack the intranet with ICMP messages. This application therefore adds a function that forbids pinging the external network, so as to prevent such attacks.
In the embodiment of this application, after the client enables the function that forbids pinging IP addresses not included in the whitelist, if this device obtains an ICMP message whose destination address or source address is an IP address not included in the whitelist, it discards that ICMP message.
In the embodiment of this application, when the user uninstalls the client on the terminal device, or the network administrator deletes the illegal external connection policy on the management server, the terminal device automatically turns off the illegal external connection function. If the illegal external connection policy configures the terminal device not to take effect offline, then when the network connection between the terminal device and the management server is interrupted, the terminal device automatically turns off the illegal external connection function.
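How the discard rule can be applied at packet level, as an added example rather than the patent's own driver code: it parses the IPv4 header to find ICMP packets and drops those whose source or destination address lies outside the whitelist. The whitelist, the sample packets and the function names are constructed assumptions.

```python
"""Drop ICMP packets whose source or destination is outside the whitelist.

Added example, not the patent's code.  A client driver sees packets at the
IP layer, so the check is done on the raw IPv4 header with the same
whitelist used for the ordinary address check.  Sample packets below are
constructed.
"""
import ipaddress
import socket
import struct
from typing import Tuple

# Constructed whitelist; it must include the host's own subnet (see note).
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]


def parse_ipv4_header(packet: bytes) -> Tuple[int, str, str]:
    """Return (protocol, src, dst) from a raw IPv4 packet.
    Raises ValueError if the packet is truncated or not IPv4."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return proto, src, dst


def in_whitelist(ip: str, whitelist=WHITELIST) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in whitelist)


def should_drop_icmp(packet: bytes, whitelist=WHITELIST) -> bool:
    """True when the packet is ICMP and either endpoint is not whitelisted.
    Non-ICMP packets are never dropped here; they take the normal path."""
    proto, src, dst = parse_ipv4_header(packet)
    if proto != socket.IPPROTO_ICMP:
        return False
    return not (in_whitelist(src, whitelist) and in_whitelist(dst, whitelist))


# ---- constructed sample packets ----------------------------------------
def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (no options, zero checksum) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # ICMP type 8, code 0
PING_INSIDE = build_ipv4(socket.IPPROTO_ICMP, "192.168.1.20", "10.0.0.1", ECHO_REQUEST)
PING_OUTSIDE = build_ipv4(socket.IPPROTO_ICMP, "192.168.1.20", "203.0.113.9", ECHO_REQUEST)
TCP_OUTSIDE = build_ipv4(socket.IPPROTO_TCP, "192.168.1.20", "203.0.113.9")

if __name__ == "__main__":
    print(should_drop_icmp(PING_INSIDE))    # False: both ends whitelisted
    print(should_drop_icmp(PING_OUTSIDE))   # True: 203.0.113.9 not whitelisted
    print(should_drop_icmp(TCP_OUTSIDE))    # False: not ICMP, left to the normal check
```

Because the rule tests both addresses, the host's own address or subnet must itself be in the whitelist, otherwise every ICMP packet the host sends or receives is dropped; the constructed whitelist includes 192.168.1.0/24 for that reason. Non-ICMP traffic is passed through untouched here, as the text leaves it to the ordinary whitelist check.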
This application provides a method for detecting illegal external connections. The client installed on the terminal device obtains a message; it detects whether the source IP address or destination IP address of the message hits a pre-configured whitelist, which records the IP addresses that may be accessed; if there is no hit, it obtains the page title of the page requested at a pre-configured URL address and detects whether the obtained page title is consistent with the pre-configured page title corresponding to that URL address; if consistent, it determines that this device has made an illegal external connection.
On the one hand, adding the further judgement on the page title to the whitelist judgement achieves illegal external connection detection while also effectively preventing misjudgement, which greatly improves the accuracy of illegal external connection detection.
On the other hand, after determining that this terminal device has made an illegal external connection, illegal external connection handling can be performed automatically, reducing the harm of the illegal external connection behaviour. At the same time, the generated illegal external connection event can be uploaded to the management server so that administrators can query it there, which makes management easier for network administrators.
Third, this application can monitor proxy behaviour in real time and forbid access to external network resources through a proxy server, improving the accuracy of illegal external connection detection.
Fourth, this application also enables the function that forbids pinging IP addresses not included in the whitelist, preventing external network devices from attacking the company intranet with ICMP messages.
Fifth, this application uses a C/S (client/server) architecture: the network administrator only needs to configure the illegal external connection policy on the management server, and the client on each terminal device automatically performs illegal external connection detection and handling. This achieves one-click deployment and shortens the delay from deployment to execution of illegal external connection detection.
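The two-stage decision described in this summary (and restated in claims 1 and 2 below), as an added example in Python; this is not the patent holder's code. The whitelist, probe URL, expected title and the stand-in fetch functions are constructed assumptions; in a real client the fetch function would issue the HTTP request to the pre-configured URL address.

```python
"""Two-stage illegal external connection check: whitelist, then page title.

Added example, not code from the patent or its assignee.  Function names,
the fetcher interface and all sample values are assumptions made for
illustration.
"""
import ipaddress
import re
from typing import Callable, Optional

# Pre-configured whitelist of reachable peer addresses (constructed values).
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]

# Pre-configured probe URL and the title expected when the external
# network is really reachable (constructed values).
PROBE_URL = "http://probe.example.invalid/"
EXPECTED_TITLE = "Example Probe Page"

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def hits_whitelist(src_ip: str, dst_ip: str, whitelist=WHITELIST) -> bool:
    """Stage 1: True when the source or destination address is whitelisted."""
    return any(ipaddress.ip_address(ip) in net
               for ip in (src_ip, dst_ip) for net in whitelist)


def page_title(html: str) -> Optional[str]:
    """Extract the <title> of a page with whitespace normalised, or None."""
    m = TITLE_RE.search(html)
    return " ".join(m.group(1).split()) if m else None


def is_illegal_external_connection(
    src_ip: str,
    dst_ip: str,
    fetch: Callable[[str], Optional[str]],
    *,
    whitelist=WHITELIST,
    probe_url: str = PROBE_URL,
    expected_title: str = EXPECTED_TITLE,
) -> bool:
    """Whitelist hit -> normal.  Otherwise fetch the probe URL and compare
    its title: only a matching title proves the external network is
    reachable, so a failed fetch or a captive-portal/block page (whose
    title differs) does not produce a false positive."""
    if hits_whitelist(src_ip, dst_ip, whitelist):
        return False
    html = fetch(probe_url)          # None models a failed page access request
    if html is None:
        return False
    return page_title(html) == expected_title


# ---- constructed stand-ins for the real page access request -------------
def fetch_internet_ok(url: str) -> Optional[str]:
    return "<html><head><title>Example\n   Probe Page</title></head></html>"


def fetch_captive_portal(url: str) -> Optional[str]:
    return "<html><head><title>Guest Wi-Fi Login</title></head></html>"


def fetch_unreachable(url: str) -> Optional[str]:
    return None


if __name__ == "__main__":
    host = "172.16.5.5"   # constructed local address, outside the whitelist
    print(is_illegal_external_connection(host, "10.0.0.5", fetch_internet_ok))        # False
    print(is_illegal_external_connection(host, "203.0.113.9", fetch_internet_ok))     # True
    print(is_illegal_external_connection(host, "203.0.113.9", fetch_captive_portal))  # False
    print(is_illegal_external_connection(host, "203.0.113.9", fetch_unreachable))     # False
```

The second stage is what keeps a whitelist miss from being an alert on its own: a packet to an unlisted address may belong to a connection that never reaches the Internet, so only a probe page that comes back with the expected title counts as evidence that the external network is actually reachable. Comparing the title rather than the HTTP status code fits the text's aim of avoiding misjudgement, since captive portals and block pages commonly answer with status 200 and a different page.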
Referring to Fig. 4, this application also provides a hardware architecture diagram of a terminal device. The terminal device includes a communication interface 401, a processor 402, a machine-readable storage medium 403 and a bus 404; the communication interface 401, the processor 402 and the machine-readable storage medium 403 communicate with each other through the bus 404. By reading and executing the machine-executable instructions in the machine-readable storage medium 403 that correspond to the illegal external connection detection control logic, the processor 402 can perform the illegal external connection detection method described above.
The machine-readable storage medium 403 referred to here can be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium can be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard disk drive), a solid-state disk, any type of storage disc (such as a CD or DVD) or a similar storage medium, or a combination of them.
Referring to Fig. 5, which is a block diagram of an illegal external connection detection device shown in an exemplary embodiment of this application. The device can be applied to a terminal device and may include the following units.
Acquiring unit 501, for obtaining a message; the obtained message is a message this device is about to send or a message this device has received;
First detection unit 502, for detecting whether the source IP address or destination IP address of the message hits a pre-configured whitelist; the whitelist records the IP addresses that may be accessed;
Second detection unit 503, for obtaining, if there is no hit, the page title of the page requested at a pre-configured URL address and detecting whether the obtained page title is consistent with the pre-configured page title corresponding to that URL address;
Determination unit 504, for determining, if consistent, that this device has made an illegal external connection.
Optionally, when obtaining the page title of the page requested at the pre-configured URL address, the second detection unit 503 is specifically configured to send a page access request corresponding to the pre-configured URL address, receive the page data returned for the page access request, and obtain the page title of the page data.
Optionally, the device further includes:
Processing unit 505 (not shown in Fig. 5), for performing at least one of the following:
generating an illegal external connection event and uploading it to the management server; the illegal external connection event includes at least the source IP address, destination IP address, source port and destination port of the message, the path of the offending process that handled the message, the user identifier corresponding to this device and the time at which the illegal external connection occurred;
performing illegal external connection handling; the illegal external connection handling includes at least one of the following, or a combination of them: displaying an illegal external connection prompt to the user; disconnecting the link of the illegal external connection; closing the process that made the illegal external connection; restarting this device.
Optionally, the device further includes:
Inspection unit 506 (not shown in Fig. 5), for periodically checking whether this device accesses network resources through a proxy server and, if so, performing one of the following operations or a combination of them:
issuing an illegal external connection proxy event to the management server; the illegal proxy event includes at least the local IP address, the proxy server IP address and port, the user identifier corresponding to this device and the time at which the illegal proxy use occurred;
performing illegal proxy handling; the illegal proxy handling includes at least one of the following, or a combination of them: displaying a prompt to the user indicating that this terminal device has enabled a proxy; cutting off the network connection of the terminal device; restarting this device.
Optionally, the device further includes:
Discarding unit 507 (not shown in Fig. 5), for discarding an ICMP message when the obtained ICMP message has a destination address that is an IP address not included in the whitelist.
For the implementation of the functions and effects of each unit in the device, see the implementation of the corresponding steps in the method described above; they are not repeated here.
Since the device embodiment basically corresponds to the method embodiment, the relevant parts can refer to the description of the method embodiment. The device embodiments described above are merely exemplary: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this application. Those of ordinary skill in the art can understand and implement it without creative effort.
The above is only the preferred embodiment of this application and is not intended to limit it. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of this application shall be included within the scope of protection of this application.

Claims (10)

1. An illegal external connection detection method, characterised in that the method is applied to a terminal device and the method includes:
obtaining a message; the obtained message is a message this device is about to send or a message this device has received;
detecting whether the source IP address or destination IP address of the message hits a pre-configured whitelist; the whitelist records the IP addresses that may be accessed;
if there is no hit, obtaining the page title of the page requested at a pre-configured URL address and detecting whether the obtained page title is consistent with the pre-configured page title corresponding to the URL address;
if consistent, determining that this device has made an illegal external connection.
2. The method according to claim 1, characterised in that obtaining the page title of the page requested at the pre-configured URL address includes:
sending a page access request corresponding to the pre-configured URL address;
receiving the page data returned for the page access request and obtaining the page title of the page data.
3. The method according to claim 1, characterised in that, after determining that this terminal device has made an illegal external connection, the method further includes at least one of the following:
generating an illegal external connection event and uploading it to the management server; the illegal external connection event includes at least the source IP address, destination IP address, source port and destination port of the message, the path of the offending process that handled the message, the user identifier corresponding to this device and the time at which the illegal external connection occurred;
performing illegal external connection handling; the illegal external connection handling includes at least one of the following, or a combination of them: displaying an illegal external connection prompt to the user; cutting off the network of this device; disconnecting the link of the illegal external connection; closing the process that made the illegal external connection; restarting this device.
4. The method according to claim 1, characterised in that the method further includes:
periodically checking whether this device accesses network resources through a proxy server;
if so, performing one of the following operations or a combination of them:
issuing an illegal external connection proxy event to the management server; the illegal proxy event includes at least the local IP address, the proxy server IP address and port, the user identifier corresponding to this device and the time at which the illegal proxy use occurred;
performing illegal proxy handling; the illegal proxy handling includes at least one of the following, or a combination of them: displaying a prompt to the user indicating that this terminal device has enabled a proxy; cutting off the network connection of the terminal device; restarting this device.
5. The method according to claim 1, characterised in that the method further includes:
when the obtained ICMP message has a destination address or source address that is an IP address not included in the whitelist, discarding the ICMP message.
6. An illegal external connection detection device, characterised in that the device is applied to a terminal device and the device includes:
an acquiring unit, for obtaining a message; the obtained message is a message this device is about to send or a message this device has received;
a first detection unit, for detecting whether the source IP address or destination IP address of the message hits a pre-configured whitelist; the whitelist records the IP addresses that may be accessed;
a second detection unit, for obtaining, if there is no hit, the page title of the page requested at a pre-configured URL address and detecting whether the obtained page title is consistent with the pre-configured page title corresponding to the URL address;
a determination unit, for determining, if consistent, that this device has made an illegal external connection.
7. The device according to claim 6, characterised in that, when obtaining the page title of the page requested at the pre-configured URL address, the second detection unit is specifically configured to send a page access request corresponding to the pre-configured URL address, receive the page data returned for the page access request, and obtain the page title of the page data.
8. The device according to claim 6, characterised in that the device further includes:
a processing unit, for performing at least one of the following:
generating an illegal external connection event and uploading it to the management server; the illegal external connection event includes at least the source IP address, destination IP address, source port and destination port of the message, the path of the offending process that handled the message, the user identifier corresponding to this device and the time at which the illegal external connection occurred;
performing illegal external connection handling; the illegal external connection handling includes at least one of the following, or a combination of them: displaying an illegal external connection prompt to the user; disconnecting the link of the illegal external connection; closing the process that made the illegal external connection; restarting this device.
9. The device according to claim 6, characterised in that the device further includes:
an inspection unit, for periodically checking whether this device accesses network resources through a proxy server and, if so, performing one of the following operations or a combination of them:
issuing an illegal external connection proxy event to the management server; the illegal proxy event includes at least the local IP address, the proxy server IP address and port, the user identifier corresponding to this device and the time at which the illegal proxy use occurred;
performing illegal proxy handling; the illegal proxy handling includes at least one of the following, or a combination of them: displaying a prompt to the user indicating that this terminal device has enabled a proxy; cutting off the network connection of the terminal device; restarting this device.
10. The device according to claim 6, characterised in that the device further includes:
a discarding unit, for discarding an ICMP message when the obtained ICMP message has a destination address that is an IP address not included in the whitelist.
CN201810596544.7A 2018-06-11 2018-06-11 Illegal external connection detection method and device Active CN108881211B (en)

Publications (2)

Publication Number Publication Date
CN108881211A true CN108881211A (en) 2018-11-23
CN108881211B CN108881211B (en) 2021-10-08

Family

ID=64338663

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant