CN108881211A - A kind of illegal external connection detection method and device - Google Patents
Publication number: CN108881211A (application CN201810596544.7A)
Authority: CN (China)
Legal status: Granted
Classifications
- H04L63/1408 - Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The application provides an illegal external connection detection method and device, including: obtaining a message, the obtained message being a message this device is about to send or a message this device has received; detecting whether the source IP address or destination IP address of the message hits a pre-configured whitelist, the whitelist recording the IP addresses that may be accessed; if it misses, obtaining the page title of the page requested by a pre-configured URL address, and detecting whether the obtained page title is consistent with the pre-configured page title corresponding to that URL address; and if consistent, determining that an illegal external connection has occurred on this device. The method provided by the application can implement illegal external connection detection for terminal devices.
Description
Technical field
This application relates to the field of computer communication, and in particular to an illegal external connection detection method and device.
Background technique
Illegal external connection means that a terminal device has accessed a network address it is not allowed to access. For example, the terminal devices of an enterprise's employees may only be allowed to work in the intranet environment and not allowed to access the external network. If an employee's terminal device accesses the external network, an illegal external connection has occurred on that terminal device.
When an illegal external connection occurs on a terminal device of the company intranet, an attacker from the external network may illegally steal sensitive data of the company intranet, which creates a material risk for the company intranet. Therefore, how to detect whether an illegal external connection has occurred on a terminal device has become an urgent problem to be solved.
Summary of the invention
In view of this, the application provides an illegal external connection detection method and device, so as to realize illegal external connection detection for intranet terminal devices.
Specifically, the application is achieved by the following technical solution:
According to a first aspect of the application, an illegal external connection detection method is provided. The method is applied to a terminal device and includes:
obtaining a message, the obtained message being a message this device is about to send or a message this device has received;
detecting whether the source IP address or destination IP address of the message hits a pre-configured whitelist, the whitelist recording the IP addresses that may be accessed;
if it misses, obtaining the page title of the page requested by a pre-configured URL address, and detecting whether the obtained page title is consistent with the pre-configured page title corresponding to that URL address;
if consistent, determining that an illegal external connection has occurred on this device.
Optionally, obtaining the page title of the page requested by the pre-configured URL address includes:
sending a page access request corresponding to the pre-configured URL address;
receiving the page data returned for the page access request, and obtaining the page title from the page data.
Optionally, after determining that an illegal external connection has occurred on this terminal device, the method further includes at least one of:
generating an illegal external connection event and uploading it to the management server, the illegal external connection event including at least the source IP address, destination IP address, source port and destination port of the message, the path of the offending process that handled the message, the user identifier corresponding to this device, and the time at which the illegal external connection occurred;
carrying out illegal external connection processing, which includes at least one or a combination of the following: showing an illegal external connection prompt to the user; disconnecting the link of the illegal external connection; closing the process that caused the illegal external connection; restarting this device.
Optionally, the method further includes:
periodically checking whether this device accesses network resources through a proxy server;
if so, executing one or a combination of the following operations:
issuing a violation proxy event to the management server, the violation proxy event including at least the local IP address, the proxy IP address and port, the user identifier corresponding to this device, and the time at which the violation proxy occurred;
carrying out violation proxy processing, which includes at least one or a combination of the following: showing a prompt to the user that this terminal device has enabled a proxy; cutting off the network connection of the terminal device; restarting this device.
Optionally, the method further includes:
when an ICMP message is obtained whose destination address is an IP address not included in the whitelist, discarding the ICMP message.
According to a second aspect of the application, an illegal external connection detection device is provided. The device is applied to a terminal device and includes:
an acquiring unit for obtaining a message, the obtained message being a message this device is about to send or a message this device has received;
a first detection unit for detecting whether the source IP address or destination IP address of the message hits a pre-configured whitelist, the whitelist recording the IP addresses that may be accessed;
a second detection unit for, if it misses, obtaining the page title of the page requested by a pre-configured URL address, and detecting whether the obtained page title is consistent with the pre-configured page title corresponding to that URL address;
a determination unit for, if consistent, determining that an illegal external connection has occurred on this device.
Optionally, when obtaining the page title of the page requested by the pre-configured URL address, the second detection unit is specifically configured to send a page access request corresponding to the pre-configured URL address, receive the page data returned for the page access request, and obtain the page title from the page data.
Optionally, the device further includes:
a processing unit for executing at least one of:
generating an illegal external connection event and uploading it to the management server, the illegal external connection event including at least the source IP address, destination IP address, source port and destination port of the message, the path of the offending process that handled the message, the user identifier corresponding to this device, and the time at which the illegal external connection occurred;
carrying out illegal external connection processing, which includes at least one or a combination of the following: showing an illegal external connection prompt to the user; disconnecting the link of the illegal external connection; closing the process that caused the illegal external connection; restarting this device.
Optionally, the device further includes:
an inspection unit for periodically checking whether this device accesses network resources through a proxy server and, if so, executing one or a combination of the following operations:
issuing a violation proxy event to the management server, the violation proxy event including at least the local IP address, the proxy IP address and port, the user identifier corresponding to this device, and the time at which the violation proxy occurred;
carrying out violation proxy processing, which includes at least one or a combination of the following: showing a prompt to the user that this terminal device has enabled a proxy; cutting off the network connection of the terminal device; restarting this device.
Optionally, the device further includes:
a discarding unit for, when an ICMP message is obtained whose destination address is an IP address not included in the whitelist, discarding the ICMP message.
The application provides an illegal external connection detection method in which the client installed on the terminal device can obtain a message; detect whether the source IP address or destination IP address of the message hits a pre-configured whitelist, the whitelist recording the IP addresses that may be accessed; if it misses, obtain the page title of the page requested by a pre-configured URL address and detect whether the obtained page title is consistent with the pre-configured page title corresponding to that URL address; and if consistent, determine that an illegal external connection has occurred on this device.
By making a further judgement on the page title on top of the whitelist judgement, the method not only realizes illegal external connection detection but also effectively prevents misjudgements, substantially increasing the accuracy of illegal external connection detection.
Brief description of the drawings
Fig. 1 is a networking architecture diagram of a related illegal external connection detection technique shown in an exemplary embodiment of the application;
Fig. 2 is a network architecture diagram of an illegal external connection detection method shown in an exemplary embodiment of the application;
Fig. 3 is a flow chart of an illegal external connection detection method shown in an exemplary embodiment of the application;
Fig. 4 is a hardware structure diagram of a terminal device shown in an exemplary embodiment of the application;
Fig. 5 is a block diagram of an illegal external connection detection device shown in an exemplary embodiment of the application.
Specific embodiment
Exemplary embodiments will be described in detail here, and examples are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application; on the contrary, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the application, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be construed as "when" or "upon" or "in response to determining".
Referring to Fig. 1, Fig. 1 is a networking architecture diagram of a related illegal external connection detection technique.
In the related technique for detecting illegal external connections, an intranet monitoring server is deployed in the intranet and an external network monitoring server is deployed in the external network.
When an intranet terminal accesses a business website of the intranet, the intranet monitoring server injects pre-configured JS code into the access data returned to the terminal. After the terminal receives the access data, the JS (JavaScript, an interpreted scripting language) code is downloaded to the terminal and attempts to access the external network monitoring server. If the JS code can access the external network monitoring server, it is determined that an illegal external connection has occurred on that intranet terminal.
However, in the above method of detecting illegal external connections, on the one hand, an intranet monitoring server and an external network monitoring server have to be deployed in the intranet and the external network respectively, which greatly increases the implementation cost of the scheme; on the other hand, when there are many intranet terminals, the performance of the intranet monitoring server and the external network monitoring server comes under considerable pressure.
The application performs illegal external connection detection based on a C/S (Client/Server) architecture. In the application, a client needs to be installed on the intranet terminal devices, and a management server also needs to be deployed. Network management personnel can configure the illegal external connection policy on the management server, and the client can download the illegal external connection policy and perform illegal external connection detection on the intranet terminal.
Referring to Fig. 2, Fig. 2 is a network architecture diagram of an illegal external connection detection method shown in an exemplary embodiment of the application.
The networking architecture includes at least one terminal device, a management server, an intranet server, and a forwarding device between the terminal device and the intranet server.
A client is installed on each terminal device. The client can receive the illegal external connection policy issued by the management server and inspect the messages received or sent by the terminal device, so as to determine whether the terminal device has accessed network resources it is not allowed to access.
Network management personnel can configure the illegal external connection policy on the management server; after the configuration is complete, the management server can distribute the illegal external connection policy to the clients.
The management server can be deployed in the intranet; of course, the management server can also be deployed in the external network, and no specific limitation is made here.
The network architecture can also include a forwarding device between the terminal device and the intranet server. The terminal device can send access requests for the intranet server, etc., to the intranet server through the forwarding device, and receive the data, etc., returned by the intranet server through the forwarding device.
Referring to Fig. 3, Fig. 3 is a flow chart of an illegal external connection detection method shown in an exemplary embodiment of the application.
Before introducing the illegal external connection detection method of the application, the configuration of the illegal external connection policy is introduced first.
Network management personnel can log in to the management server remotely to configure the illegal external connection policy. For example, network management personnel can log in to the management server through a browser and then configure the whitelist, which records at least one IP address that may be accessed.
It should be noted that the address recorded in the whitelist can be a single IP address or multiple IP addresses, and the multiple recorded IP addresses can be continuous (such as an IP address range) or discontinuous. This is only an illustrative description of the IP addresses recorded in the whitelist, and no specific limitation is made.
In addition, network management personnel can also configure on the management server the measures to take when an illegal external connection occurs on a terminal device. For example, network management personnel can configure that, after an illegal external connection occurs on a terminal device, the terminal device sends alarm information to the management server and carries out illegal external connection processing, etc.
The application provides three functions for the client: the anti-misjudgement function for illegal external connection, the function of detecting whether network resources are accessed through a proxy server, and the function of forbidding ping (Packet Internet Groper) of network resources outside the whitelist. Network management personnel can configure on the management server whether each of the three functions is enabled.
After the configuration of the illegal external connection policy is complete, the management server can distribute the illegal external connection policy to the client installed on each terminal device. After receiving the illegal external connection policy, the client can record it; for example, the client can update the illegal external connection policy into the client driver. If the function of forbidding ping of network resources outside the whitelist is enabled, the illegal external connection policy is updated into the WFP (Windows Filtering Platform, a set of APIs and system services that provide a platform for network filtering applications) or PF (Packet Filter) firewall driver.
Having introduced the configuration of the illegal external connection policy, the illegal external connection detection method is explained in detail below.
The client installed on the terminal device can execute the following steps 301 to 304 to carry out illegal external connection detection.
Step 301: obtain a message.
It should be noted that the client on the terminal device can obtain the messages that this device sends externally, and the client can also obtain the messages coming from other devices.
Step 302: detect whether the source IP address or destination IP address of the message hits the pre-configured whitelist, the whitelist recording the IP addresses that may be accessed.
Step 302 can be completed by the client driver in the client.
In implementation, when the message obtained by the client driver is a message sent externally by this device, the client driver can detect whether the destination IP address of the message is recorded in the whitelist. If the destination IP address of the message is not recorded in the whitelist, it is determined that the destination IP address of the message misses the whitelist; if it is recorded in the whitelist, it is determined that the destination IP address of the message hits the whitelist.
When the message obtained by the client driver is a message coming from another device, the client driver can detect whether the source IP address of the message is recorded in the whitelist. If the source IP address of the message is not recorded in the whitelist, it is determined that the source IP address of the message misses the whitelist; if it is recorded in the whitelist, it is determined that the source IP address of the message hits the whitelist.
Step 303: if it misses, obtain the page title of the page requested by the pre-configured URL (Uniform Resource Locator) address, and detect whether the obtained page title is consistent with the pre-configured page title corresponding to that URL address.
Step 304: if consistent, determine that an illegal external connection has occurred on this device.
Step 303 and step 304 can be completed by the client process in the client.
In addition, a correspondence between URL addresses and page titles is provided in the client.
Here, the page title refers to the characters in a preset area of the page. For example, when the page is the Baidu homepage, the page title is "using Baidu.com, you are known that".
The correspondence can be the correspondence between www.baidu.com and "using Baidu.com, you are known that".
For convenience of description, the URL address in the configured correspondence between URL addresses and page titles is referred to as the pre-configured URL address, and the page title in the correspondence is referred to as the pre-configured page title.
In the embodiment of the application, after the client driver determines that the source IP address or destination IP address of the received message misses the pre-configured whitelist, the client driver can send a notification message to the client process. The notification message can carry the offending process that handled the message, the source IP address or destination IP address of the message, the port used to send or receive the message, etc.
After receiving the notification message, the client process can obtain the page title of the page requested by the pre-configured URL address.
Specifically, the client process can read the pre-configured URL address and then send a page access request corresponding to the pre-configured URL address.
After the client process receives the page corresponding to the page access request, it can obtain the page title of the page. The client process can then detect whether the obtained page title is consistent with the pre-configured page title corresponding to the pre-configured URL. If consistent, this shows that an illegal external connection has occurred on this device, that is, external network resources have been accessed in violation of the rules. At this point, the message whose source IP address or destination IP address missed the whitelist can be designated as the illegal external connection message.
When the client process does not receive the page corresponding to the page access request, or the obtained page title is inconsistent with the page title corresponding to the pre-configured URL, this shows that no illegal external connection has occurred on this device.
For example, assume the pre-configured correspondence between URL and page title is the correspondence between www.baidu.com and "using Baidu.com, you are known that". After the client driver detects that the source IP address or destination IP address of a certain message misses the whitelist, the client driver can send a notification message to the client process.
After the client process receives the notification message, it can read the pre-configured URL, namely www.baidu.com. Then the client process can send a page access request corresponding to www.baidu.com.
After the client process receives the page for that page access request, it can obtain the page title of the page. Assume the obtained page title is "using Baidu.com, you are known that".
The client process can detect whether the obtained page title is consistent with the pre-configured page title corresponding to www.baidu.com. In this example, the obtained page title is "using Baidu.com, you are known that" and the pre-configured page title is "using Baidu.com, you are known that"; since the obtained page title is consistent with the pre-configured page title corresponding to www.baidu.com, the client process can determine that an illegal external connection has occurred on this terminal device.
It should be noted that determining whether an illegal external connection has occurred on this device using only the whitelist sometimes leads to misjudgement.
For example, assume a terminal device accesses an intranet device whose IP address is not configured in the whitelist. If the illegal external connection judgement is made using the whitelist alone, the terminal device would be considered to have accessed external network resources, whereas in reality the terminal device did not access any external network resource; this results in a misjudgement.
To solve this problem, the application, on the basis of whitelist detection, further carries out an anti-misjudgement operation through step 303. The effect of step 303 is that, after it is determined that the IP address of a message received or sent by this terminal device misses the whitelist, it is further checked whether this access by the terminal device really reached an external network resource; in other words, whether this terminal device is really connected to the external network. Using step 303 can therefore effectively prevent misjudgements and considerably increases the accuracy of illegal external connection detection.
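The following Python, added here as an illustration and not code from the patent or its applicant, implements steps 301 to 304 together with the optional ICMP discard rule: a whitelist of single addresses and ranges, the direction-dependent address check of step 302, the page-title probe of step 303, and the event fields listed for the management server. The whitelist entries, packet records, fetch functions and probe page are constructed sample data; the probe title string is the one used in the text.

```python
import ipaddress
import re
from dataclasses import dataclass
from html import unescape
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "out": sent by this device; "in": received by this device
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp", "udp" or "icmp"
    process_path: str   # process handling the message (reported in the event)


class Whitelist:
    """Pre-configured allowed addresses: single IPs or continuous ranges (CIDR)."""

    def __init__(self, entries):
        self._nets = [ipaddress.ip_network(e, strict=False) for e in entries]

    def hits(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._nets)


def peer_address(pkt: Packet) -> str:
    # Step 302: an outgoing message is judged by its destination IP,
    # an incoming message by its source IP.
    return pkt.dst_ip if pkt.direction == "out" else pkt.src_ip


_TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def page_title(html: str) -> Optional[str]:
    """Extract the <title> text of a returned page (the 'page title' of step 303)."""
    m = _TITLE_RE.search(html)
    return unescape(m.group(1)).strip() if m else None


@dataclass
class Verdict:
    illegal: bool
    reason: str
    drop: bool = False   # True when the message should be discarded (ICMP rule)


Fetcher = Callable[[str], Optional[str]]   # returns page HTML, or None if unreachable


def detect(pkt: Packet, wl: Whitelist, probe_url: str, expected_title: str,
           fetch: Fetcher) -> Verdict:
    ip = peer_address(pkt)
    if wl.hits(ip):
        return Verdict(False, f"{ip} hits the whitelist")
    if pkt.proto == "icmp":
        # "Forbid ping outside the whitelist": ICMP to or from a non-whitelisted
        # address is discarded instead of being judged.
        return Verdict(False, f"ICMP with non-whitelisted address {ip} discarded", drop=True)
    # Step 303: the whitelist missed, so probe the pre-configured external page.
    html = fetch(probe_url)
    if html is None:
        return Verdict(False, "probe page unreachable: no external connectivity")
    title = page_title(html)
    if title != expected_title:
        return Verdict(False, f"probe title {title!r} differs from the pre-configured one")
    # Step 304: whitelist miss plus a matching probe title = illegal external connection.
    return Verdict(True, f"{ip} missed the whitelist and probe page {probe_url} is reachable")


def build_event(pkt: Packet, user_id: str, occurred_at: str) -> Dict[str, object]:
    """Illegal external connection event uploaded to the management server."""
    return {"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip, "src_port": pkt.src_port,
            "dst_port": pkt.dst_port, "process_path": pkt.process_path,
            "user_id": user_id, "time": occurred_at}


# --- constructed sample data (not taken from any real deployment) ---
WHITELIST = Whitelist(["10.0.0.0/8", "192.168.1.20"])
PROBE_URL = "www.baidu.com"                            # pre-configured URL, as in the text
PROBE_TITLE = "using Baidu.com, you are known that"    # pre-configured page title


def fetch_online(url):   # the device really is connected to the external network
    pages = {PROBE_URL: "<html><head><title>using Baidu.com, you are known that"
                        "</title></head></html>"}
    return pages.get(url)


def fetch_offline(url):  # the device can only reach the intranet
    return None


OUT_TO_EXTERNAL = Packet("out", "10.1.2.3", "203.0.113.10", 51000, 80, "tcp", r"C:\tools\curl.exe")
OUT_TO_UNLISTED_INTRANET = Packet("out", "10.1.2.3", "172.16.5.9", 51001, 445, "tcp",
                                  r"C:\Windows\explorer.exe")
PING_EXTERNAL = Packet("out", "10.1.2.3", "203.0.113.10", 0, 0, "icmp",
                       r"C:\Windows\System32\ping.exe")

if __name__ == "__main__":
    for name, pkt, fetch in [("external, online", OUT_TO_EXTERNAL, fetch_online),
                             ("unlisted intranet, offline", OUT_TO_UNLISTED_INTRANET, fetch_offline),
                             ("ping external", PING_EXTERNAL, fetch_online)]:
        v = detect(pkt, WHITELIST, PROBE_URL, PROBE_TITLE, fetch)
        print(f"{name}: illegal={v.illegal} drop={v.drop} ({v.reason})")
        if v.illegal:
            print("  event:", build_event(pkt, "alice", "2018-06-11T09:30:00"))
```

The second sample case is the misjudgement scenario from the text: the intranet peer misses the whitelist, but the probe fails, so no illegal external connection is reported.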
In addition, in the embodiment of the application, after the client determines that an illegal external connection has occurred on this terminal device, the client can execute one or a combination of the following operations according to the illegal external connection policy:
The client can generate an illegal external connection event and upload it to the management server. The illegal external connection event includes at least the source IP address, destination IP address, source port and destination port of the illegal external connection message, the path of the offending process that handled the message, the user identifier corresponding to this device, and the time at which the illegal external connection occurred.
The management server can record the illegal external connection events and generate an illegal external connection database. After network management personnel log in to the management server, the management server can show them the illegal external connection events they query.
In addition, the client can also execute the corresponding illegal external connection processing according to the illegal external connection policy issued by the management server.
Illegal external connection processing includes at least one or a combination of the following:
1) showing a prompt to the user, for example popping up a prompt box on the screen of the terminal device to tell the user that this terminal device has accessed external network resources in violation of the rules;
2) disconnecting the link of the illegal external connection;
3) closing the process that caused the illegal external connection;
4) restarting this device;
5) cutting off the network of this device.
Of course, the above is only an illustrative description of illegal external connection processing, which can certainly also include other illegal external connection processing measures; no specific limitation on illegal external connection processing is made here.
In addition, in the embodiment of the application, when the client enables the function of forbidding proxy access to network resources, the client can periodically check whether this terminal device accesses network resources through a proxy server.
Here, accessing network resources through a proxy server means that the terminal device sends the access request intended for the destination server to the proxy server, and the proxy server forwards it to the destination server.
For example, if a terminal device wants to access Baidu's server, the user can enable the proxy function on the terminal device and enter the address of the proxy server. When the terminal device accesses Baidu's server, it first sends the message to the proxy server, and the proxy server forwards the message to Baidu's server.
However, when the IP address of the proxy server is in the above whitelist, the client considers messages sent to the proxy server to be normal messages. So when the user accesses external network resources through the proxy server, the client takes the access message for a normal message and cannot detect that an illegal external connection has occurred on the terminal device.
To improve the accuracy of illegal external connection detection, in the embodiment of the application, when the client enables the function of forbidding proxy access to network resources, the client can periodically check whether this terminal device accesses network resources through a proxy.
The checking method can include at least one or a combination of the following:
1) Check the system registry of this terminal device to see whether the proxy switch is turned on. If the proxy switch is turned on, this shows that this terminal device has enabled a proxy to access network resources; if the proxy switch is not turned on, this shows that the terminal device has not enabled a proxy.
2) Check whether a proxy configuration file exists among the configuration files of a specified browser. If it exists, determine that this terminal device accesses network resources through a proxy; if it does not exist, determine that this terminal device has not enabled a proxy. The specified browser can be the Firefox browser or another browser in which a proxy can be configured.
3) Capture the HTTP (HyperText Transfer Protocol) messages sent out by this terminal device with a packet capture tool and detect whether the HTTP messages carry a proxy marker. If they do, determine that this terminal accesses network resources through a proxy server; if not, determine that this terminal does not access network resources through a proxy server.
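As an added example, not code from the patent or its applicant, the following Python implements checks 2) and 3) above on constructed input: it looks for proxy markers in a captured outbound HTTP request (an absolute-form or CONNECT request line, and Proxy-Authorization or Proxy-Connection headers) and parses the proxy settings Firefox stores in its prefs.js, then assembles the violation proxy event fields named in the text. Check 1) reads the Windows registry and is not reproduced; the request bytes, prefs.js content, addresses and user identifier are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProxyFinding:
    method: str     # which check produced it: "http-capture" or "browser-config"
    evidence: str


# Check 3: a client talking to a forward proxy sends its request target in
# absolute form ("GET http://host/path HTTP/1.1") or uses CONNECT for TLS,
# and may add Proxy-Authorization / Proxy-Connection headers. These are the
# proxy markers looked for in captured outbound HTTP messages.
_ABSOLUTE_FORM = re.compile(r"^[A-Z]+ https?://\S+ HTTP/1\.[01]$")
_CONNECT_FORM = re.compile(r"^CONNECT [^\s/]+:\d+ HTTP/1\.[01]$")
_PROXY_HEADERS = {"proxy-authorization", "proxy-connection"}


def http_proxy_markers(raw: bytes) -> List[ProxyFinding]:
    """Inspect one captured outbound HTTP request for proxy markers."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    findings: List[ProxyFinding] = []
    if _ABSOLUTE_FORM.match(lines[0]) or _CONNECT_FORM.match(lines[0]):
        findings.append(ProxyFinding("http-capture", f"proxy-style request line: {lines[0]}"))
    for header in lines[1:]:
        name = header.split(":", 1)[0].strip().lower()
        if name in _PROXY_HEADERS:
            findings.append(ProxyFinding("http-capture", f"proxy header: {header}"))
    return findings


# Check 2: Firefox keeps its proxy settings in prefs.js as user_pref() lines.
# network.proxy.type: 0 = no proxy, 1 = manual, 2 = PAC URL, 4 = auto-detect,
# 5 = use the system settings (which then have to be confirmed via check 1).
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def firefox_proxy_markers(prefs_js: str) -> List[ProxyFinding]:
    """Report a proxy configured in a Firefox prefs.js, if any."""
    prefs: Dict[str, str] = {k: v.strip('"') for k, v in _PREF_RE.findall(prefs_js)}
    ptype = prefs.get("network.proxy.type", "0")
    if ptype == "0":
        return []
    evidence = f"network.proxy.type={ptype}"
    if ptype == "5":
        evidence += " (system proxy settings; confirm with the registry check)"
    host, port = prefs.get("network.proxy.http"), prefs.get("network.proxy.http_port")
    if host:
        evidence += f", http proxy {host}:{port}"
    return [ProxyFinding("browser-config", evidence)]


def violation_proxy_event(local_ip: str, user_id: str, occurred_at: str,
                          findings: List[ProxyFinding]) -> Dict[str, object]:
    """Event issued to the management server when any check finds a proxy."""
    return {"local_ip": local_ip, "user_id": user_id, "time": occurred_at,
            "evidence": [f"{f.method}: {f.evidence}" for f in findings]}


# --- constructed sample inputs (not captured from a real system) ---
PROXIED_REQUEST = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n"
                   b"Proxy-Connection: keep-alive\r\n\r\n")
DIRECT_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: intranet.example\r\n\r\n")
TLS_VIA_PROXY = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                 b"Host: www.example.com:443\r\n\r\n")
FIREFOX_PREFS = ('user_pref("network.proxy.type", 1);\n'
                 'user_pref("network.proxy.http", "10.0.0.8");\n'
                 'user_pref("network.proxy.http_port", 3128);\n')

if __name__ == "__main__":
    found = http_proxy_markers(PROXIED_REQUEST) + firefox_proxy_markers(FIREFOX_PREFS)
    print(violation_proxy_event("10.1.2.3", "alice", "2018-06-11T09:30:00", found))
```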
When the client determines that this terminal device accesses network resources through a proxy server, the client can execute one or a combination of the following operations:
1) Send a violation proxy event to the management server. The violation proxy event can carry at least the IP address of this terminal device, the user identifier corresponding to this terminal device, etc.
The management server can record the IP address of this terminal device, the IP address and port of the proxy server, the user identifier corresponding to this terminal device, etc., carried in the violation proxy event. After network management personnel log in to the management server, the management server can show them the violation proxy events they query.
2) Carry out violation proxy processing, which includes at least one or a combination of the following:
showing a prompt to the user that this terminal device has enabled a proxy;
cutting off the network connection of this terminal device;
restarting this terminal device.
Of course, the above is only an illustrative description of violation proxy processing, which can certainly also include other violation proxy processing measures, such as shutting down this terminal device; no specific limitation on violation proxy processing is made here.
Of course, in the embodiment of the application, the effective time of the above illegal external connection policy can also be limited, for example taking effect within a specified time period, or taking effect or not taking effect when disconnected from the server, etc.
Further, because the client driver does not apply the whitelist check to ICMP (Internet Control Message Protocol) messages, some attackers could use ICMP messages to attack the intranet. This application therefore adds a function that forbids pinging the external network, so as to prevent such attacks.
In the embodiment of the present application, after the client enables the function that forbids pinging IP addresses not included in the whitelist, if this device obtains an ICMP message whose destination address or source address is an IP address not included in the whitelist, the device discards that ICMP message.
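The ICMP discard rule just described, as an added Python example that is not the patent's own code. It parses the IPv4 header of a raw packet, applies the rule only to protocol 1 (ICMP), and drops the packet when either the source or the destination address is outside the whitelist. The whitelist, the packet builder and the packets themselves are constructed for the demonstration; a real client would take the whitelist from the management server and see packets through its driver rather than build them.

```python
"""Added example (not the patent's code): discard ICMP packets whose
source or destination address is not in the whitelist (constructed data)."""
import ipaddress
import struct
from typing import List, Tuple

# Constructed whitelist of "accessible" networks for the demonstration.
CONSTRUCTED_WHITELIST = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]
IPPROTO_ICMP = 1


def in_whitelist(addr: ipaddress.IPv4Address, whitelist) -> bool:
    """True when the address falls inside any whitelisted network."""
    return any(addr in net for net in whitelist)


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options, zero checksum)
    so the filter can be exercised without raw sockets."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return header + payload


# ICMP echo request header: type 8, code 0, checksum 0, id 1, seq 1.
ICMP_ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 1, 1)


def should_drop(packet: bytes, whitelist=CONSTRUCTED_WHITELIST) -> bool:
    """Drop an ICMP packet when its source or destination is outside the
    whitelist. Non-ICMP and malformed packets are left to the other rules."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return False
    if packet[9] != IPPROTO_ICMP:
        return False
    src = ipaddress.ip_address(packet[12:16])  # packed bytes -> IPv4Address
    dst = ipaddress.ip_address(packet[16:20])
    return not (in_whitelist(src, whitelist) and in_whitelist(dst, whitelist))


def filter_packets(packets: List[bytes],
                   whitelist=CONSTRUCTED_WHITELIST) -> Tuple[List[bytes], int]:
    """Return the packets that pass plus the number discarded."""
    passed = [p for p in packets if not should_drop(p, whitelist)]
    return passed, len(packets) - len(passed)
```

Because the rule looks at both addresses, it blocks echo requests the terminal sends to the external network and echo requests (or any other ICMP) arriving from outside the whitelist, which is the case the description is concerned with; non-ICMP traffic to the same addresses is left to the whitelist and page-title logic.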
In the embodiment of the present application, when the user has uninstalled the client on the terminal device, or the network administrator has deleted the illegal external connection policy on the management server, the terminal device may automatically turn off the illegal external connection function. If the illegal external connection policy configures the terminal device not to take effect offline, then when the network connection between the terminal device and the management server is interrupted, the terminal device may automatically turn off the illegal external connection function.
The present application provides a method for detecting illegal external connections. The client installed on a terminal device may obtain a message; detect whether the source IP address or destination IP address of the message hits a pre-configured whitelist, the whitelist recording the IP addresses that may be accessed; if there is no hit, obtain the page title of the page requested at a pre-configured URL address and detect whether the obtained page title is consistent with the pre-configured page title corresponding to that URL address; and, if they are consistent, determine that an illegal external connection has occurred on this device.
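The detection method summarized above, as an added Python example that is not the patent's own code, with the event record of claim 3 attached to a confirmed detection. The example reads "source or destination address hits the whitelist" as a check on the remote peer of the message (the destination for a message to be sent, the source for a received one), which is an interpretation, not wording from the patent. The whitelist, probe URL, expected title, captured message and the two fake page fetchers are constructed so that the code runs offline; a real client would send the page access request over the network.

```python
"""Added example (not the patent's code): whitelist miss -> page-title
probe -> event. Whitelist, URL, title, message and fetchers are constructed."""
import ipaddress
import re
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

CONSTRUCTED_WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]
PROBE_URL = "http://probe.example.test/alive"      # assumed admin-configured URL
EXPECTED_TITLE = "Corp external-connection probe"  # assumed configured title
Fetcher = Callable[[str], Optional[bytes]]         # returns page data or None

_TITLE_RE = re.compile(rb"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def peer_hits_whitelist(msg: Dict, whitelist) -> bool:
    """Check the remote peer: destination when sending, source when receiving."""
    peer = msg["dst_ip"] if msg["direction"] == "send" else msg["src_ip"]
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in whitelist)


def page_title(html: Optional[bytes]) -> Optional[str]:
    """Extract the <title> text from returned page data, or None."""
    if not html:
        return None
    m = _TITLE_RE.search(html)
    return m.group(1).strip().decode("utf-8", "replace") if m else None


def detect_illegal_external_connection(msg: Dict, fetch: Fetcher,
                                       whitelist=CONSTRUCTED_WHITELIST,
                                       probe_url: str = PROBE_URL,
                                       expected_title: str = EXPECTED_TITLE,
                                       user_id: str = "user@corp.test",
                                       now: Optional[datetime] = None) -> Optional[Dict]:
    """Return an illegal external connection event, or None when nothing is
    confirmed. Only a whitelist miss triggers the probe, and only a title
    match confirms it, so a captive portal answering the probe with its own
    page is not mistaken for Internet reachability."""
    if peer_hits_whitelist(msg, whitelist):
        return None
    title = page_title(fetch(probe_url))
    if title is None or title != expected_title:
        return None
    return {
        "src_ip": msg["src_ip"], "dst_ip": msg["dst_ip"],
        "src_port": msg["src_port"], "dst_port": msg["dst_port"],
        "process_path": msg["process_path"],
        "user_id": user_id,
        "time": (now or datetime.now(timezone.utc)).isoformat(),
    }


def choose_actions(event: Optional[Dict], policy: Dict[str, bool]) -> List[str]:
    """Map a confirmed event to the processing steps enabled by the
    administrator's policy (the options listed in claim 3), in escalation order."""
    if event is None:
        return []
    order = ["prompt_user", "disconnect_link", "kill_process", "cut_network", "reboot"]
    return [a for a in order if policy.get(a)]


# Constructed stand-ins: one captured outbound message and two fake fetchers.
CONSTRUCTED_MSG = {
    "direction": "send", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7",
    "src_port": 51234, "dst_port": 443, "process_path": r"C:\Tools\sync.exe",
}


def fetch_internet_reachable(url: str) -> Optional[bytes]:
    """Fake fetcher: the probe page comes back with the configured title."""
    return b"<html><head><title>Corp external-connection probe</title></head></html>"


def fetch_captive_portal(url: str) -> Optional[bytes]:
    """Fake fetcher: a login portal intercepts the request with its own page."""
    return b"<html><head><title>Hotel Wi-Fi login</title></head></html>"
```

The title comparison is what turns a bare "something answered the probe" into "the probe page itself was reached": a portal, a DNS redirect or a blocked-page notice all return a page, but not the configured title, so they do not produce an event. The probe is only issued on a whitelist miss, which keeps the client from fetching the URL for every intranet message.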
In a first aspect, on the basis of the whitelist judgement, the further judgement on the page title not only achieves illegal external connection detection but also effectively prevents erroneous judgements, which greatly improves the accuracy of illegal external connection detection.
In a second aspect, after it is determined that an illegal external connection has occurred on this terminal device, illegal external connection processing can be performed automatically, reducing the damage caused by the illegal external connection. At the same time, the generated illegal external connection event can be uploaded to the management server, so that administrators can query the event on the management server, which facilitates management by network administrators.
In a third aspect, the application can monitor proxy behaviour in real time and forbid access to external network resources through a proxy server, which improves the accuracy of illegal external connection detection.
In a fourth aspect, the application also enables the function that forbids pinging IP addresses not included in the whitelist, preventing external devices from attacking the company intranet through ICMP messages.
In a fifth aspect, the application uses a C/S (client/server) architecture: a network administrator only needs to configure the illegal external connection policy on the management server, and the client on each terminal device automatically performs the illegal external connection detection and processing. This achieves one-key deployment and shortens the delay from deployment to execution of illegal external connection detection.
Referring to Fig. 4, the application also provides a hardware architecture diagram of a terminal device. The terminal device includes a communication interface 401, a processor 402, a machine-readable storage medium 403 and a bus 404; the communication interface 401, the processor 402 and the machine-readable storage medium 403 communicate with one another through the bus 404. By reading and executing the machine-executable instructions in the machine-readable storage medium 403 that correspond to the illegal external connection detection control logic, the processor 402 can perform the illegal external connection detection method described above.
The machine-readable storage medium 403 mentioned herein may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard disk drive), a solid state disk, any type of storage disc (such as a CD or DVD), a similar storage medium, or a combination of them.
Referring to Fig. 5, the figure is a block diagram of an illegal external connection detection apparatus shown in an exemplary embodiment of the application. The apparatus may be applied to a terminal device and may include the following units.
An acquiring unit 501, configured to obtain a message; the obtained message is a message to be sent by this device or a message received by this device.
A first detection unit 502, configured to detect whether the source IP address or destination IP address of the message hits a pre-configured whitelist; the whitelist records the IP addresses that may be accessed.
A second detection unit 503, configured to, if there is no hit, obtain the page title of the page requested at a pre-configured URL address and detect whether the obtained page title is consistent with the pre-configured page title corresponding to that URL address.
A determination unit 504, configured to determine, if they are consistent, that an illegal external connection has occurred on this device.
Optionally, when obtaining the page title of the page requested at the pre-configured URL address, the second detection unit 503 is specifically configured to send a page access request corresponding to the pre-configured URL address, receive the page data returned for the page access request, and obtain the page title from the page data.
Optionally, the apparatus further includes:
A processing unit 505 (not shown in Fig. 5), configured to perform at least one of the following:
generating an illegal external connection event and uploading it to the management server, the illegal external connection event including at least the source IP address, destination IP address, source port and destination port of the message, the path of the offending process that handles the message, the user identifier corresponding to this device, and the time at which the illegal external connection occurred;
performing illegal external connection processing, the illegal external connection processing including at least one of the following, or a combination of them: displaying illegal external connection prompt information to the user; disconnecting the link on which the illegal external connection occurred; closing the process that caused the illegal external connection; restarting this device.
Optionally, the apparatus further includes:
An inspection unit 506 (not shown in Fig. 5), configured to periodically check whether this device accesses network resources through a proxy server and, if so, to perform one or a combination of the following operations:
sending an illegal proxy event to the management server, the illegal proxy event including at least the local IP address, the proxy IP address and port, the user identifier corresponding to this device, and the time at which the illegal proxy occurred;
performing illegal proxy processing, the illegal proxy processing including at least one of the following, or a combination of them: displaying prompt information to the user to indicate that this terminal device has a proxy enabled; cutting off the network connection of the terminal device; restarting this device.
Optionally, the apparatus further includes:
A discarding unit 507 (not shown in Fig. 5), configured to discard an ICMP message when the obtained message is an ICMP message whose destination address is an IP address not included in the whitelist.
The implementation process of the functions and effects of each unit in the above apparatus is described in detail in the implementation process of the corresponding steps of the above method and is not repeated here.
Since the apparatus embodiments essentially correspond to the method embodiments, reference may be made to the relevant description of the method embodiments. The apparatus embodiments described above are merely exemplary: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. Persons of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely a preferred embodiment of the application and is not intended to limit the application. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the application shall be included in the scope of protection of the application.
Claims (10)
1. An illegal external connection detection method, characterized in that the method is applied to a terminal device and comprises:
obtaining a message, the obtained message being a message to be sent by this device or a message received by this device;
detecting whether the source IP address or destination IP address of the message hits a pre-configured whitelist, the whitelist recording the IP addresses that may be accessed;
if there is no hit, obtaining the page title of the page requested at a pre-configured URL address, and detecting whether the obtained page title is consistent with the pre-configured page title corresponding to the URL address;
if they are consistent, determining that an illegal external connection has occurred on this device.
2. The method according to claim 1, characterized in that obtaining the page title of the page requested at the pre-configured URL address comprises:
sending a page access request corresponding to the pre-configured URL address;
receiving the page data returned for the page access request, and obtaining the page title of the page data.
3. The method according to claim 1, characterized in that, after it is determined that an illegal external connection has occurred on this terminal device, the method further comprises at least one of the following:
generating an illegal external connection event and uploading it to a management server, the illegal external connection event comprising at least the source IP address, destination IP address, source port and destination port of the message, the path of the offending process that handles the message, the user identifier corresponding to this device, and the time at which the illegal external connection occurred;
performing illegal external connection processing, the illegal external connection processing comprising at least one of the following, or a combination of them: displaying illegal external connection prompt information to the user; cutting off the network of this device; disconnecting the link on which the illegal external connection occurred; closing the process that caused the illegal external connection; restarting this device.
4. The method according to claim 1, characterized in that the method further comprises:
periodically checking whether this device accesses network resources through a proxy server;
if so, performing one or a combination of the following operations:
sending an illegal proxy event to the management server, the illegal proxy event comprising at least the local IP address, the proxy server IP address and port, the user identifier corresponding to this device, and the time at which the illegal proxy occurred;
performing illegal proxy processing, the illegal proxy processing comprising at least one of the following, or a combination of them: displaying prompt information to the user to indicate that this terminal device has a proxy enabled; cutting off the network connection of the terminal device; restarting this device.
5. The method according to claim 1, characterized in that the method further comprises:
when the obtained message is an ICMP message whose destination address or source address is an IP address not included in the whitelist, discarding the ICMP message.
6. An illegal external connection detection apparatus, characterized in that the apparatus is applied to a terminal device and comprises:
an acquiring unit, configured to obtain a message, the obtained message being a message to be sent by this device or a message received by this device;
a first detection unit, configured to detect whether the source IP address or destination IP address of the message hits a pre-configured whitelist, the whitelist recording the IP addresses that may be accessed;
a second detection unit, configured to, if there is no hit, obtain the page title of the page requested at a pre-configured URL address, and detect whether the obtained page title is consistent with the pre-configured page title corresponding to the URL address;
a determination unit, configured to determine, if they are consistent, that an illegal external connection has occurred on this device.
7. The apparatus according to claim 6, characterized in that, when obtaining the page title of the page requested at the pre-configured URL address, the second detection unit is specifically configured to send a page access request corresponding to the pre-configured URL address, receive the page data returned for the page access request, and obtain the page title of the page data.
8. The apparatus according to claim 6, characterized in that the apparatus further comprises:
a processing unit, configured to perform at least one of the following:
generating an illegal external connection event and uploading it to a management server, the illegal external connection event comprising at least the source IP address, destination IP address, source port and destination port of the message, the path of the offending process that handles the message, the user identifier corresponding to this device, and the time at which the illegal external connection occurred;
performing illegal external connection processing, the illegal external connection processing comprising at least one of the following, or a combination of them: displaying illegal external connection prompt information to the user; disconnecting the link on which the illegal external connection occurred; closing the process that caused the illegal external connection; restarting this device.
9. The apparatus according to claim 6, characterized in that the apparatus further comprises:
an inspection unit, configured to periodically check whether this device accesses network resources through a proxy server and, if so, to perform one or a combination of the following operations:
sending an illegal proxy event to the management server, the illegal proxy event comprising at least the local IP address, the proxy server IP address and port, the user identifier corresponding to this device, and the time at which the illegal proxy occurred;
performing illegal proxy processing, the illegal proxy processing comprising at least one of the following, or a combination of them: displaying prompt information to the user to indicate that this terminal device has a proxy enabled; cutting off the network connection of the terminal device; restarting this device.
10. The apparatus according to claim 6, characterized in that the apparatus further comprises:
a discarding unit, configured to discard an ICMP message when the obtained message is an ICMP message whose destination address is an IP address not included in the whitelist.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810596544.7A CN108881211B (en) | 2018-06-11 | 2018-06-11 | Illegal external connection detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108881211A true CN108881211A (en) | 2018-11-23 |
CN108881211B CN108881211B (en) | 2021-10-08 |
Family
ID=64338663
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810596544.7A Active CN108881211B (en) | 2018-06-11 | 2018-06-11 | Illegal external connection detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108881211B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090248840A1 (en) * | 2008-03-28 | 2009-10-01 | Microsoft Corporation | Network topology detection using a server |
CN103441864A (en) * | 2013-08-12 | 2013-12-11 | 江苏华大天益电力科技有限公司 | Method for monitoring illegal external connection of terminal equipment |
CN107426208A (en) * | 2017-07-24 | 2017-12-01 | 郑州云海信息技术有限公司 | A kind of method for monitoring network illegal external connection |
CN107566334A (en) * | 2017-07-17 | 2018-01-09 | 全球能源互联网研究院有限公司 | A kind of distribution terminal safety monitoring method and device realized based on agency |
CN107733706A (en) * | 2017-09-30 | 2018-02-23 | 北京北信源软件股份有限公司 | The illegal external connection monitoring method and system of a kind of no agency |
US20180146001A1 (en) * | 2016-11-22 | 2018-05-24 | Daniel Chien | Network security based on device identifiers and network addresses |
CN108092936A (en) * | 2016-11-22 | 2018-05-29 | 北京计算机技术及应用研究所 | A kind of Host Supervision System based on plug-in architecture |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109587175A (en) * | 2019-01-11 | 2019-04-05 | 杭州迪普科技股份有限公司 | A kind of illegal external connection processing method and system |
CN111917703B (en) * | 2019-05-10 | 2023-05-09 | 阿自倍尔株式会社 | Monitoring device and monitoring method |
CN111917703A (en) * | 2019-05-10 | 2020-11-10 | 阿自倍尔株式会社 | Monitoring device and monitoring method |
CN110365793A (en) * | 2019-07-30 | 2019-10-22 | 北京华赛在线科技有限公司 | Illegal external connection monitoring method, device, system and storage medium |
CN110417821A (en) * | 2019-09-09 | 2019-11-05 | 北京华赛在线科技有限公司 | A kind of networking detection method and system |
CN110417821B (en) * | 2019-09-09 | 2021-11-02 | 北京华赛在线科技有限公司 | Networking detection method and system |
CN110768999A (en) * | 2019-10-31 | 2020-02-07 | 杭州迪普科技股份有限公司 | Method and device for detecting illegal external connection of equipment |
CN112769739A (en) * | 2019-11-05 | 2021-05-07 | 中国移动通信集团安徽有限公司 | Database operation violation processing method, device and equipment |
CN112769739B (en) * | 2019-11-05 | 2023-08-04 | 中国移动通信集团安徽有限公司 | Database operation violation processing method, device and equipment |
CN111131163A (en) * | 2019-11-26 | 2020-05-08 | 视联动力信息技术股份有限公司 | Data processing method and device based on video network |
CN111131203A (en) * | 2019-12-12 | 2020-05-08 | 杭州迪普科技股份有限公司 | External connection monitoring method and device |
CN111131203B (en) * | 2019-12-12 | 2022-06-28 | 杭州迪普科技股份有限公司 | External connection monitoring method and device |
CN111106983A (en) * | 2019-12-27 | 2020-05-05 | 杭州迪普科技股份有限公司 | Method and device for detecting network connectivity |
CN111917702A (en) * | 2020-03-31 | 2020-11-10 | 北京融汇画方科技有限公司 | Non-client-side mode passive checking off-line illegal external connection technology |
CN112333191A (en) * | 2020-11-06 | 2021-02-05 | 杭州安恒信息技术股份有限公司 | Illegal network asset detection and access blocking method, device, equipment and medium |
CN113542264B (en) * | 2021-07-13 | 2022-08-26 | 杭州安恒信息技术股份有限公司 | File transmission control method, device and equipment and readable storage medium |
CN113542264A (en) * | 2021-07-13 | 2021-10-22 | 杭州安恒信息技术股份有限公司 | File transmission control method, device, equipment and readable storage medium |
CN114257404A (en) * | 2021-11-16 | 2022-03-29 | 广东电网有限责任公司 | Abnormal external connection statistic alarm method and device, computer equipment and storage medium |
CN114257404B (en) * | 2021-11-16 | 2024-04-30 | 广东电网有限责任公司 | Abnormal external connection statistical alarm method, device, computer equipment and storage medium |
CN114268481A (en) * | 2021-12-15 | 2022-04-01 | 南方电网数字电网研究院有限公司 | Method, device, equipment and medium for processing illegal external connection information of intranet terminal |
CN114866318A (en) * | 2022-05-05 | 2022-08-05 | 金祺创(北京)技术有限公司 | Threat intelligence correlation analysis method and system based on user key service network security flow |
CN115051867A (en) * | 2022-06-22 | 2022-09-13 | 深信服科技股份有限公司 | Detection method and device for illegal external connection behaviors, electronic equipment and medium |
CN115051867B (en) * | 2022-06-22 | 2024-04-09 | 深信服科技股份有限公司 | Illegal external connection behavior detection method and device, electronic equipment and medium |
CN116915503A (en) * | 2023-09-08 | 2023-10-20 | 成都卓拙科技有限公司 | Illegal external connection detection method and device, storage medium and electronic equipment |
CN116915503B (en) * | 2023-09-08 | 2023-11-14 | 成都卓拙科技有限公司 | Illegal external connection detection method and device, storage medium and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN108881211B (en) | 2021-10-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108881211A (en) | A kind of illegal external connection detection method and device | |
JP6526895B2 (en) | Automatic mitigation of electronic message based security threats | |
EP1805641B1 (en) | A method and device for questioning a plurality of computerized devices | |
US9325725B2 (en) | Automated deployment of protection agents to devices connected to a distributed computer network | |
JP4373779B2 (en) | Stateful distributed event processing and adaptive maintenance | |
US8549639B2 (en) | Method and apparatus for diagnosing and mitigating malicious events in a communication network | |
US20170093917A1 (en) | Centralized management and enforcement of online behavioral tracking policies | |
CN101588247B (en) | For detecting the system and method for the leak of server | |
CN103078835B (en) | For being restricted to the system and method in the path of harmful main frame in computer network | |
CN105659245A (en) | Context-aware network forensics | |
CN105100092B (en) | Client is controlled to access detection method, the device and system of network | |
CN102687480A (en) | Cloud-based firewall system and service | |
US8146146B1 (en) | Method and apparatus for integrated network security alert information retrieval | |
JP2007183773A (en) | Server monitoring program, server monitoring device, server monitoring method | |
US20140075553A1 (en) | Domain name system rebinding attack protection | |
KR101522139B1 (en) | Method for blocking selectively in dns server and change the dns address using proxy | |
JP2011090429A (en) | Integrated monitoring system | |
Ahmed et al. | An automated user transparent approach to log web URLs for forensic analysis | |
TWI761122B (en) | Cyber security protection system and related proactive suspicious domain alert system | |
JP2005057522A (en) | System, method, and program for analyzing influence concerned with network attack | |
CN115827153A (en) | Method, device, equipment and medium for detecting brute force cracking of SSH (secure Shell) service in container | |
Mukhopadhyay et al. | HawkEye solutions: a network intrusion detection system | |
CN116684110A (en) | Domain name server security detection method and device, electronic equipment and storage medium | |
CN116318740A (en) | Method and device for determining malicious domain name | |
Brohi | Managing Vulnerabilities in a Networked System |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||