CN108881211B - Illegal external connection detection method and device - Google Patents


Info

Publication number: CN108881211B
Authority: CN (China)
Prior art keywords: external connection, address, message, equipment, illegal
Legal status: Active
Application number: CN201810596544.7A
Other languages: Chinese (zh)
Other versions: CN108881211A (en)
Inventors: 罗治华, 白彦芳, 张克彬
Current Assignee: Hangzhou Infogo Tech Co ltd
Original Assignee: Hangzhou Infogo Tech Co ltd
Application filed by Hangzhou Infogo Tech Co ltd; priority to CN201810596544.7A; published as CN108881211A; application granted and published as CN108881211B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The application provides an illegal external connection detection method and device, comprising the following steps: acquiring a message, where the acquired message is a message to be sent by the device or a message received by the device; detecting whether the source IP address or destination IP address of the message hits a pre-configured white list, where the white list records accessible IP addresses; if not, acquiring the page title of the page requested by a pre-configured URL address, and detecting whether the acquired page title is consistent with the pre-configured page title corresponding to that URL address; and if so, determining that an illegal external connection has occurred on the device. The method provided by the application can be used to detect illegal external connections of terminal devices.

Description

Illegal external connection detection method and device
Technical Field
The present application relates to the field of computer communications, and in particular, to a method and an apparatus for detecting an illegal external connection.
Background
An illegal external connection means that a terminal device accesses a network address it is not allowed to access. For example, the terminal devices of a company's employees may only be allowed to work in the intranet environment and not to connect to the extranet. If an employee's terminal device accesses the extranet, an illegal external connection has occurred on that terminal device.
When a terminal device in the company intranet has an illegal external connection, an attacker on the external network can steal sensitive data from the company intranet, which exposes the intranet to great risk. Therefore, how to detect whether a terminal device has an illegal external connection has become an urgent problem to be solved.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for detecting an illegal external connection, so as to implement detection of an illegal external connection of an intranet terminal device.
Specifically, the method is realized through the following technical scheme:
according to a first aspect of the present application, there is provided an illegal external connection detection method, which is applied to a terminal device, and includes:
acquiring a message; the obtained message is a message to be sent by the equipment or a message received by the equipment;
detecting whether a source IP address or a destination IP address of the message hits a pre-configured white list; the white list records accessible IP addresses;
if not, acquiring a page title of a page requested by the pre-configured URL address, and detecting whether the acquired page title is consistent with the pre-configured page title corresponding to the URL address;
and if so, determining that the illegal external connection occurs in the equipment.
Optionally, the obtaining a page title of a page requested by the preconfigured URL address includes:
sending a page acquisition request corresponding to the pre-configured URL address;
and receiving the page data returned for the page acquisition request, and acquiring the page title from the page data.
Optionally, after it is determined that the terminal device has an illegal external connection, the method further includes at least one of the following steps:
generating an illegal external connection event and uploading the illegal external connection event to a management server; the illegal external connection event at least comprises a source IP address, a destination IP address, a source port and a destination port of the message, an illegal process path of the message, a user identification corresponding to the equipment and the time of the illegal external connection;
carrying out illegal external connection processing; the illegal external connection processing comprises at least one or a combination of the following steps: displaying illegal external connection prompt information to the user; disconnecting the link of the illegal external connection; closing the process of the illegal external connection; and restarting the device.
Optionally, the method further includes:
periodically checking whether the equipment accesses network resources through a proxy server;
if so, one or a combination of the following operations is performed:
sending an illegal proxy event to the management server; the illegal proxy event includes at least: the local IP address, the IP address and port of the proxy server, the user identification corresponding to the device and the time of the illegal proxy use;
carrying out illegal proxy processing; the illegal proxy processing comprises at least one or a combination of the following steps: displaying prompt information to the user to indicate that the terminal device has enabled a proxy; cutting off the network connection of the terminal device; and restarting the device.
Optionally, the method further includes:
when an ICMP message whose destination address is an IP address not contained in the white list is acquired, discarding the ICMP message.
According to a second aspect of the present application, there is provided an illegal external connection detection device, which is applied to a terminal device, and includes:
an obtaining unit, configured to obtain a message; the obtained message is a message to be sent by the equipment or a message received by the equipment;
the first detection unit is used for detecting whether the source IP address or the destination IP address of the message hits a pre-configured white list or not; the white list records accessible IP addresses;
a second detection unit, configured to acquire, if the white list is not hit, the page title of the page requested by the pre-configured URL address, and to detect whether the acquired page title is consistent with the pre-configured page title corresponding to the URL address;
and a determining unit, configured to determine, if they are consistent, that an illegal external connection has occurred on the device.
Optionally, the second detection unit is specifically configured, when acquiring the page title of the page requested by the pre-configured URL address, to send a page acquisition request corresponding to the pre-configured URL address, receive the page data returned for the page acquisition request, and acquire the page title from the page data.
Optionally, the apparatus further comprises:
a processing unit to perform at least one of:
generating an illegal external connection event and uploading the illegal external connection event to a management server; the illegal external connection event at least comprises a source IP address, a destination IP address, a source port and a destination port of the message, an illegal process path of the message, a user identification corresponding to the equipment and the time of the illegal external connection;
carrying out illegal external connection processing; the illegal external connection processing comprises at least one or a combination of the following steps: displaying illegal external connection prompt information to the user; disconnecting the link of the illegal external connection; closing the process of the illegal external connection; and restarting the device.
Optionally, the apparatus further comprises:
a checking unit, for periodically checking whether the device accesses the network resource through the proxy server; if so, one or a combination of the following operations is performed:
sending an illegal proxy event to the management server; the illegal proxy event includes at least: the local IP address, the IP address and port of the proxy server, the user identification corresponding to the device and the time of the illegal proxy use;
carrying out illegal proxy processing; the illegal proxy processing comprises at least one or a combination of the following steps: displaying prompt information to the user to indicate that the terminal device has enabled a proxy; cutting off the network connection of the terminal device; and restarting the device.
Optionally, the apparatus further comprises:
and a discarding unit, configured to discard an ICMP message when an ICMP message whose destination address is an IP address not included in the white list is acquired.
The application provides a detection method for illegal external connection, wherein a client installed on a terminal device can acquire a message; detecting whether a source IP address or a destination IP address of the message hits a pre-configured white list; the white list records accessible IP addresses; if not, acquiring a page title of a page requested by the pre-configured URL address, and detecting whether the acquired page title is consistent with the pre-configured page title corresponding to the URL address; and if so, determining that the illegal external connection occurs in the equipment.
On the basis of the white list judgment, the page title is further judged, so that illegal external connection detection is realized while misjudgment is effectively prevented, and the accuracy of illegal external connection detection is greatly improved.
Drawings
FIG. 1 is a networking architecture diagram of a related illegal external connection detection technique according to an exemplary embodiment of the present application;
fig. 2 is a networking architecture diagram illustrating an illegal external connection detection method according to an exemplary embodiment of the present application;
FIG. 3 is a flow chart illustrating an illegal external connection detection method according to an exemplary embodiment of the present application;
fig. 4 is a hardware configuration diagram of a terminal device according to an exemplary embodiment of the present application;
fig. 5 is a block diagram of an illegal external connection detection device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Referring to fig. 1, fig. 1 is a networking architecture diagram of a related illegal external connection detection technique.
In the related technology for detecting illegal external connections, an intranet monitoring server is deployed in the intranet, and an extranet monitoring server is deployed in the extranet.
When an intranet terminal accesses a service website of the intranet, the intranet monitoring server may inject pre-configured JS (JavaScript) code into the access data returned to the terminal. When the terminal receives the access data, the JS code is downloaded to the terminal. The JS code then attempts to access the extranet monitoring server. When the JS code can reach the extranet monitoring server, it is determined that the intranet terminal has an illegal external connection.
However, in the method for detecting the illegal external connection, on one hand, the intranet monitoring server and the extranet monitoring server need to be respectively deployed in the intranet and the extranet, so that the implementation cost of the illegal external connection scheme is greatly increased; on the other hand, when the number of the intranet terminals is large, a large pressure is applied to the performance of the intranet monitoring server and the performance of the extranet monitoring server.
The method is based on a C/S (Client/Server) architecture to detect the illegal external connection, and in the method, a Client needs to be installed on terminal equipment of an intranet, and a management Server needs to be deployed. A network administrator may configure a policy for violating an external connection on a management server. The client can download the illegal external connection strategy and carry out illegal external connection detection on the internal network terminal.
Referring to fig. 2, fig. 2 is a network architecture diagram illustrating an illegal external connection detection method according to an exemplary embodiment of the present application.
The networking architecture comprises at least one terminal device, a management server, an intranet server and forwarding equipment between the terminal device and the intranet server.
Each terminal device is provided with a client, and the client can receive the illegal external connection strategy issued by the management server and detect the message received or sent by the terminal device to determine whether the terminal device accesses the network resource which is not allowed to be accessed.
The network manager can configure the illegal external connection policy on the management server, and the management server can issue the illegal external connection policy to the client after the configuration is completed.
The management server may be deployed in an intranet, and certainly, the management server may also be deployed in an extranet, which is not specifically limited herein.
The network architecture may further include an intranet server, and a forwarding device between the terminal device and the intranet server, where the terminal device may send an access request for accessing the intranet server to the intranet server through the forwarding device, and receive data and the like returned by the intranet server through the forwarding device.
Referring to fig. 3, fig. 3 is a flowchart illustrating an illegal external connection detection method according to an exemplary embodiment of the present application.
Before introducing the illegal external connection detection method, firstly, the configuration of the illegal external connection strategy is introduced.
The network management personnel can remotely log in the management server to configure the illegal external connection strategy. For example, a network administrator may log into the management server via a browser and then configure a white list in which at least one accessible IP address is recorded.
It should be noted that the address recorded in the white list may be one IP address, or may be multiple IP addresses, and the multiple recorded IP addresses may be continuous (for example, IP address range) or discontinuous IP addresses. Here, the IP addresses of the white list records are only exemplarily described, and are not particularly limited.
In addition, the network administrator can also configure on the management server the measures to take when a terminal device has an illegal external connection. For example, a network administrator may configure that, after a terminal device has an illegal external connection, the terminal device sends alarm information to the management server, processes the illegal external connection, and so on.
The method provides three functions for the client, namely an anti-misjudgment function for illegal external connections, a function for detecting whether a proxy server is used to access network resources, and a function for forbidding ping (Packet Internet Groper) of external network resources outside the white list. The network administrator can configure on the management server whether to enable each of the three functions.
After the configuration of the illegal external connection policy is completed, the management server may issue the policy to the client installed on each terminal device. After receiving the policy, the client may record it; for example, the client may update the illegal external connection policy into the client driver. If the function of forbidding ping of external network resources outside the white list is enabled, the policy is also updated into the firewall driver of WFP (Windows Filtering Platform, a set of APIs and system services that provide a platform for network filtering applications) or PF (Packet Filter).
After the configuration of the above-mentioned violation external connection policy is introduced, a detailed description is given below of a detection method of violation external connection.
The client installed on the terminal device may perform the following steps 301 to 304 to perform detection of an illegal external connection.
Step 301: acquiring a message.
It should be noted that the client on the terminal device may acquire messages sent by the device to the outside, and the client may also acquire messages received from other devices.
Step 302: detecting whether a source IP address or a destination IP address of the message hits a pre-configured white list; the white list records the accessible IP addresses.
Step 302 may be performed by a client driver in the client.
When the message acquired by the client driver is a message sent by the device to the outside, the client driver can detect whether the destination IP address of the message is recorded in the white list. And if the destination IP address of the message is not recorded in the white list, determining that the destination IP address of the message does not hit the white list. And if the destination IP address of the message is recorded in the white list, determining that the destination IP address of the message hits the white list.
When the message acquired by the client driver is a message from another device, the client driver may detect whether the source IP address of the message is recorded in the white list. And if the source IP address of the message is not recorded in the white list, determining that the source IP address of the message does not hit the white list. And if the source IP address of the message is recorded in the white list, determining that the source IP address of the message hits the white list.
Step 303: if not, acquiring a page title of a page requested by a pre-configured URL (Uniform Resource Locator) address, and detecting whether the acquired page title is consistent with the pre-configured page title corresponding to the URL address;
step 304: and if so, determining that the illegal external connection occurs in the equipment.
Steps 303 and 304 may be performed by a client process in the client.
In addition, the corresponding relation between the URL address and the page title is configured on the client.
The page title refers to the characters in a preset area of a page. For example, when the page is the Baidu home page, the page title is "Baidu it, and you'll know".
The correspondence may be www.baidu.com to "Baidu it, and you'll know".
For convenience of description, a URL address in a correspondence relationship between a configured URL address and a page title is referred to as a preconfigured URL address, and a page title in the correspondence relationship is referred to as a preconfigured page title.
In this embodiment of the present application, after the client driver determines that the source IP address or the destination IP address of the received packet does not hit the preconfigured white list, the client driver may send a notification message to the client process. The notification message may carry an illegal process for processing the packet, a source IP address or a destination IP address of the packet, a port for transceiving the packet, and the like.
The client process, upon receiving the notification message, may obtain a page title of the page requested by the preconfigured URL address.
Specifically, the client process may read a preconfigured URL address and then send a page fetch request corresponding to the preconfigured URL address.
After the client process receives the page corresponding to the page acquisition request, the client process may acquire the page title of that page. The client process may then detect whether the acquired page title is consistent with the pre-configured page title corresponding to the pre-configured URL. If the two are consistent, it is proved that the device has an illegal external connection, that is, it has illegally accessed external network resources. At this time, the message whose source IP address or destination IP address missed the white list may be recorded as an illegal external connection message.
When the client process does not receive the page corresponding to the page acquisition request, or the acquired page title is inconsistent with the page title corresponding to the pre-configured URL, this indicates that the device does not have an illegal external connection.
For example, assume that the correspondence between the pre-configured URL and the page title is www.baidu.com corresponding to "Baidu it, and you'll know". When the client driver detects that the source IP address or the destination IP address of a certain packet misses the white list, the client driver may send a notification message to the client process.
When the client process receives the notification message, the client process may read the pre-configured URL, www.baidu.com. The client process may then send a page acquisition request corresponding to www.baidu.com.
When the client process receives the page for the page acquisition request, it can acquire the page title of that page. Suppose the acquired page title is "Baidu it, and you'll know".
The client process may detect whether the acquired page title is consistent with the pre-configured page title corresponding to www.baidu.com. In this example, the acquired page title is "Baidu it, and you'll know" and the pre-configured page title is also "Baidu it, and you'll know"; since the acquired page title is consistent with the pre-configured page title corresponding to www.baidu.com, the client process can determine that the terminal device has an illegal external connection.
It should be noted that, if only the white list is used to determine whether the device has an illegal external connection, misjudgment may occur.
For example, assume that the terminal device accesses an intranet device, but the IP address of that intranet device is not configured in the white list. If the illegal external connection judgment is performed using the white list alone, the terminal device is considered to have accessed an external network resource even though it has not, which causes an erroneous judgment.
In order to solve this problem, the method further performs the anti-misjudgment operation of step 303 on the basis of the white list detection. Step 303 is used, after it is determined that the IP address of a message received or sent by the terminal device does not hit the white list, to further check whether the access of the terminal device is really an access to an external network resource, in other words, whether the terminal device is really connected to the external network. Therefore, step 303 can effectively prevent misjudgment and greatly increase the accuracy of illegal external connection detection.
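As an added example, not code from the patent or its assignee, the following shows the decision logic of steps 301 to 304 together with the ping-forbid drop rule described in the policy section: a white list that accepts single addresses, CIDR blocks and first-last ranges, the direction-dependent address choice of step 302, a title extractor for step 303, and the comparison of step 304. The page fetch is passed in as a callable so that the three situations the text discusses (a reachable extranet, an un-whitelisted intranet host with no extranet path, and a page that comes back with a different title) run offline against constructed responses; the probe URL is the page's www.baidu.com example, the expected title is the page's rendering of that site's title, and the white-list entries and IP addresses are constructed.

```python
import ipaddress
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, Optional


class WhiteList:
    """Accessible addresses from the policy: single IPs, CIDR blocks or
    'first-last' ranges (the page allows continuous or discontinuous entries)."""

    def __init__(self, entries: Iterable[str]):
        self._networks, self._ranges = [], []
        for entry in entries:
            if "-" in entry:                        # e.g. 192.168.10.1-192.168.10.50
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                self._ranges.append((lo, hi))
            else:                                   # single address or CIDR block
                self._networks.append(ipaddress.ip_network(entry.strip(), strict=False))

    def hit(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._networks) or any(
            lo.version == addr.version and lo <= addr <= hi for lo, hi in self._ranges)


class _TitleParser(HTMLParser):
    """Collects the text of the first <title> element."""

    def __init__(self):
        super().__init__()
        self.title: Optional[str] = None
        self._in_title, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "title" and self.title is None:
            self._in_title = True

    def handle_data(self, data):
        if self._in_title:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "title" and self._in_title:
            self._in_title = False
            self.title = " ".join("".join(self._buf).split())   # collapse whitespace


def page_title(html: str) -> Optional[str]:
    parser = _TitleParser()
    parser.feed(html)
    parser.close()
    return parser.title


def is_illegal_external_connection(whitelist: WhiteList, src_ip: str, dst_ip: str,
                                   outbound: bool, probe_url: str, expected_title: str,
                                   fetch: Callable[[str], Optional[str]]) -> bool:
    """Steps 301-304 of the page. `fetch(url)` returns the page body, or None when
    the request fails (no route to the extranet)."""
    # Step 302: outbound messages are judged by destination IP, received ones by source IP.
    if whitelist.hit(dst_ip if outbound else src_ip):
        return False                                # white list hit: normal message
    body = fetch(probe_url)                         # Step 303: request the pre-configured URL
    if body is None:
        return False                                # no page came back: no external path
    return page_title(body) == expected_title       # Step 304: matching title proves it


def drop_icmp(whitelist: WhiteList, dst_ip: str, protocol: str) -> bool:
    """Ping-forbid function: ICMP to a destination outside the white list is dropped."""
    return protocol.lower() == "icmp" and not whitelist.hit(dst_ip)


# --- constructed demo data (not from the page or any real capture) ---
POLICY_WHITELIST = WhiteList(["10.0.0.0/8", "192.168.10.1-192.168.10.50"])
PROBE_URL = "http://www.baidu.com/"                 # the page's example probe URL
EXPECTED_TITLE = "Baidu it, and you'll know"        # the page's rendering of that site's title
_PROBE_PAGE = "<html><head><title> Baidu it,\n and you'll know </title></head><body/></html>"
_PORTAL_PAGE = "<html><head><title>Guest Wi-Fi Login</title></head><body/></html>"

def fetch_reachable(url: str) -> Optional[str]:     # extranet reachable: the probe page returns
    return _PROBE_PAGE if url == PROBE_URL else None

def fetch_captive(url: str) -> Optional[str]:       # captive portal answers every URL
    return _PORTAL_PAGE

def fetch_unreachable(url: str) -> Optional[str]:   # intranet-only host: no page ever returns
    return None


def demo() -> Dict[str, bool]:
    """Verdicts for the situations the page discusses, using one outbound message."""
    base = dict(src_ip="10.1.2.3", dst_ip="172.16.5.9", outbound=True,
                probe_url=PROBE_URL, expected_title=EXPECTED_TITLE)
    return {
        "external_host": is_illegal_external_connection(POLICY_WHITELIST, fetch=fetch_reachable, **base),
        "intranet_miss": is_illegal_external_connection(POLICY_WHITELIST, fetch=fetch_unreachable, **base),
        "captive_portal": is_illegal_external_connection(POLICY_WHITELIST, fetch=fetch_captive, **base),
        "whitelisted": is_illegal_external_connection(
            POLICY_WHITELIST, fetch=fetch_reachable, **{**base, "dst_ip": "192.168.10.20"}),
    }
```

Only the "external_host" case yields a verdict of illegal; the un-whitelisted intranet host and the captive portal are the misjudgments that step 303 is meant to prevent.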
In addition, in the embodiment of the present application, after the client determines that the terminal device has an illegal external connection, the client may perform one or a combination of several of the following operations according to an illegal external connection policy:
the client can generate an illegal external connection event and upload the illegal external connection event to the management server. The illegal external connection event at least comprises a source IP address, a destination IP address, a source port and a destination port of the illegal external connection message, an illegal process path of the message, a user identification corresponding to the equipment and the time of the illegal external connection.
The management server can record the illegal external connection event and generate an illegal external connection database. After the network manager logs in the management server, the management server can display the illegal external connection event to be inquired by the network manager.
In addition, the client can also execute the illegal external connection policy issued by the management server and carry out the corresponding illegal external connection processing.
The illegal external connection processing comprises at least one or a combination of the following steps:
1) displaying prompt information to the user, for example, popping up a prompt box on the screen of the terminal device to inform the user that the terminal device has illegally accessed extranet resources;
2) disconnecting the link of the illegal external connection;
3) closing the process of the illegal external connection;
4) restarting the device;
5) cutting off the network of the device.
Of course, the above is only an exemplary illustration of the illegal external connection processing; other processing measures may also be included, and the processing is not specifically limited herein.
In addition, in the embodiment of the application, when the client has enabled the function of forbidding proxy access to network resources, the client can periodically check whether the terminal device accesses network resources through a proxy server.
Here, accessing a network resource through a proxy server means that the terminal device sends an access request intended for the target server to the proxy server, and the proxy server forwards the access request to the target server.
For example, if the terminal device wants to access the Baidu server, the user may enable the proxy function on the terminal device and enter the address of the proxy server. When the terminal device then wants to access the Baidu server, it first sends the message to the proxy server, and the proxy server sends the message on to the Baidu server.
When the IP address of the proxy server is in the white list, the client considers a message addressed to the proxy server to be a normal message. Consequently, when the user accesses extranet resources through the proxy server, the client still considers the access messages normal, so the illegal external connection of the terminal device cannot be detected.
In order to improve the accuracy of illegal external connection detection, in the embodiment of the application, when the client has enabled the function of forbidding proxy access to network resources, the client periodically checks whether the terminal device accesses network resources through a proxy.
The check may use one or a combination of the following methods:
1) Check the system registry of the terminal device to see whether the proxy switch is turned on. If the proxy switch is on, the terminal device has enabled a proxy to access network resources; if it is off, the terminal device has not enabled a proxy.
2) Check whether a proxy configuration file exists among the configuration files of a specified browser. If it exists, the terminal device is determined to access network resources through a proxy; if not, the terminal device is determined not to have enabled a proxy. The specified browser may be a browser that can be configured with its own proxy, such as the Firefox browser.
3) Capture the HTTP (Hypertext Transfer Protocol) messages sent out by the terminal device with a packet capturing tool and check whether an HTTP message carries a proxy label. If it does, the terminal is determined to access network resources through a proxy server; if not, the terminal is determined not to access network resources through a proxy server.
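As an added example (not the patent's or the applicant's code), a Python check for method 3 above run over constructed captures; it assumes the "proxy label" means the marks a forward-proxy request visibly carries (an absolute-form request target, a CONNECT request, or Proxy-* headers), which the patent itself does not define.

```python
# Added example, not the patent's own code. ASSUMPTION: the "proxy label" of
# checking method 3 is what a forward-proxy request visibly carries: an
# absolute-form request target, a CONNECT tunnel request, or Proxy-* headers.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

PROXY_HEADERS = {"proxy-authorization", "proxy-connection"}


@dataclass
class ProxyVerdict:
    via_proxy: bool
    reason: str
    proxy_endpoint: Optional[str]   # "ip:port" the request was addressed to


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_http_for_proxy(raw: bytes, dst_ip: str, dst_port: int) -> ProxyVerdict:
    """Decide whether a captured outbound request is being sent to a proxy."""
    method, target, headers = parse_request(raw)
    endpoint = "%s:%d" % (dst_ip, dst_port)
    if method.upper() == "CONNECT":
        return ProxyVerdict(True, "CONNECT tunnel request", endpoint)
    if target.lower().startswith(("http://", "https://")):
        # An origin server receives "/path"; only a proxy receives the full URL.
        return ProxyVerdict(True, "absolute-form request target", endpoint)
    found = PROXY_HEADERS.intersection(headers)
    if found:
        return ProxyVerdict(True, "proxy header: " + ", ".join(sorted(found)), endpoint)
    return ProxyVerdict(False, "origin-form request, no proxy headers", None)


def build_proxy_event(local_ip: str, user_id: str, verdict: ProxyVerdict) -> dict:
    """The illegal proxy event the client reports to the management server
    (field names are an assumption; the patent only lists the contents)."""
    return {"local_ip": local_ip, "proxy": verdict.proxy_endpoint,
            "user_id": user_id, "reason": verdict.reason,
            "time": datetime.now(timezone.utc).isoformat()}


# Constructed sample captures (not from the patent).
VIA_PROXY = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
             b"Host: www.example.com\r\nProxy-Connection: keep-alive\r\n\r\n")
TUNNEL = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
DIRECT = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    v = check_http_for_proxy(VIA_PROXY, "10.0.0.8", 3128)
    print(v, build_proxy_event("172.16.4.9", "alice", v))
```

Note that a proxy on the white list makes the destination check alone pass, which is exactly why this inspection of the request itself is needed.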
When the client determines that the terminal device accesses network resources through a proxy server, the client may perform one or a combination of the following operations:
1) Send an illegal external connection proxy event to the management server. The illegal proxy event carries at least the IP address of the terminal device, the user identifier corresponding to the terminal device, and the like.
The management server records the IP address of the terminal device, the IP address and port of the proxy server, the user identifier corresponding to the terminal device, and the other fields carried in the illegal external connection proxy event. After the network manager logs in to the management server, the management server can display the illegal external connection proxy events the network manager wishes to query.
2) Perform illegal proxy processing, which comprises at least one or a combination of the following steps:
displaying prompt information to the user indicating that the terminal device has enabled a proxy;
cutting off the network connection of the terminal device;
restarting the terminal device.
Of course, the above is only an exemplary illustration of illegal proxy processing; other measures may also be included, such as shutting down the terminal device, and the illegal proxy processing is not specifically limited here.
In the embodiment of the present application, the validity time of the above-mentioned illegal external connection policy may also be defined, such as taking effect only in a specified time period, or taking effect or not taking effect when the connection to the server is broken.
In addition, because the client driver cannot judge whether an ICMP (Internet Control Message Protocol) message hits the white list, some hackers attack the intranet through ICMP messages. Therefore, the application adds a function of forbidding pings to the external network in order to prevent such attacks.
In this embodiment of the present application, after the client enables the function of prohibiting pings to IP addresses not included in the white list, if the device obtains an ICMP message whose destination address or source address is an IP address not included in the white list, the ICMP message is discarded.
In the embodiment of the application, when the user uninstalls the client on the terminal device, or the network manager deletes the illegal external connection policy on the management server, the terminal device automatically turns off the illegal external connection function. If the illegal external connection policy is configured not to take effect while the terminal device is offline, the terminal device also automatically turns off the illegal external connection function when the network connection between the terminal device and the management server is broken.
The application provides a method for detecting illegal external connections, in which a client installed on a terminal device obtains a message; detects whether the source IP address or destination IP address of the message hits a pre-configured white list, the white list recording accessible IP addresses; if not hit, obtains the page title of the page requested by a pre-configured URL address and detects whether the obtained page title is consistent with the pre-configured page title corresponding to that URL address; and if consistent, determines that an illegal external connection has occurred on the device.
On the one hand, the page title is judged in addition to the white-list judgment, so that illegal external connection detection is achieved while misjudgment is effectively prevented, greatly improving the accuracy of illegal external connection detection.
On the other hand, once the terminal device is determined to have an illegal external connection, illegal external connection processing can be carried out automatically, reducing the damage of the illegal external connection behavior. Meanwhile, the generated illegal external connection event can be uploaded to the management server, so that the manager can query the illegal external connection event on the management server, which makes management convenient for the network manager.
In a third aspect, the method and device can also monitor proxy behavior in real time and forbid access to extranet resources through a proxy server, improving the accuracy of illegal external connection detection.
In a fourth aspect, the application also enables a function of forbidding pings to IP addresses not included in the white list, preventing external network devices from attacking the company intranet through ICMP messages.
In a fifth aspect, a C/S architecture is adopted: network management personnel only need to configure the illegal external connection policy on the management server, and the client on each terminal device automatically performs the illegal external connection detection and processing, achieving one-key deployment and shortening the delay from deployment to execution of illegal external connection detection.
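The pipeline summarized above as an added Python example (not the patent's or the applicant's code): the white-list check, the page-title probe and the ICMP drop rule, with the probe fetch injected as `probe` so it runs offline on constructed data; the CIDR white list, the verdict names and the event field names are assumptions.

```python
# Added example, not the patent's own code: white-list check on source and
# destination IP, then the page-title probe, plus the ICMP drop rule. `probe`
# is injected so it runs offline; CIDR white list and field names are assumed.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import Callable, Optional

@dataclass
class Policy:
    whitelist: list          # ip_network objects: the "accessible IP addresses"
    probe_url: str           # pre-configured URL address
    expected_title: str      # pre-configured page title for that URL

    def permits(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

class _TitleParser(HTMLParser):
    """Collects the text of the first <title> element of the probed page."""
    title, _open = None, False

    def handle_starttag(self, tag, attrs):
        self._open = tag == "title" and self.title is None

    def handle_endtag(self, tag):
        self._open = False

    def handle_data(self, data):
        if self._open:
            self.title = (self.title or "") + data

def extract_title(page_data: bytes) -> Optional[str]:
    p = _TitleParser()
    p.feed(page_data.decode("utf-8", errors="replace"))
    return p.title.strip() if p.title is not None else None

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str               # "tcp", "udp" or "icmp"
    process_path: str        # process sending or receiving the message

def check_packet(pkt: Packet, policy: Policy,
                 probe: Callable[[str], bytes], user_id: str):
    """Return (verdict, event); event is filled only for a violation."""
    if pkt.proto == "icmp":
        # The driver cannot evaluate the white list for ICMP, so the rule is
        # blunt: either address outside the white list -> discard the message.
        if policy.permits(pkt.src_ip) and policy.permits(pkt.dst_ip):
            return "whitelisted", None
        return "icmp_dropped", None
    if policy.permits(pkt.src_ip) or policy.permits(pkt.dst_ip):
        return "whitelisted", None
    # Not on the white list: confirm the host really reaches the outside by
    # fetching the probe URL and comparing its title. A captive portal or an
    # intercepting device answers with a different page, so no false alarm.
    try:
        title = extract_title(probe(policy.probe_url))
    except OSError:
        return "no_external_connectivity", None
    if title != policy.expected_title:
        return "no_external_connectivity", None
    event = {"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip,
             "src_port": pkt.src_port, "dst_port": pkt.dst_port,
             "process_path": pkt.process_path, "user_id": user_id,
             "time": datetime.now(timezone.utc).isoformat()}
    return "violation", event

# Constructed sample data (not from the patent): documentation-range addresses.
SAMPLE_POLICY = Policy([ipaddress.ip_network("10.0.0.0/8")],
                       "http://probe.example.invalid/check", "Connectivity check")
REAL_PAGE = b"<html><head><title> Connectivity check </title></head></html>"
PORTAL_PAGE = b"<html><head><title>Guest Wi-Fi login</title></head></html>"

def demo():
    tcp = Packet("172.16.4.9", "203.0.113.10", 51000, 443, "tcp", "/usr/bin/curl")
    icmp = Packet("172.16.4.9", "198.51.100.1", 0, 0, "icmp", "/bin/ping")
    return [check_packet(tcp, SAMPLE_POLICY, lambda u: REAL_PAGE, "alice")[0],
            check_packet(tcp, SAMPLE_POLICY, lambda u: PORTAL_PAGE, "alice")[0],
            check_packet(icmp, SAMPLE_POLICY, lambda u: REAL_PAGE, "alice")[0]]
```

`demo()` returns the three verdicts in order: a real external connection, a captive-portal answer that is not counted, and an ICMP message outside the white list that is dropped.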
Referring to fig. 4, the present application also provides a hardware architecture diagram of a terminal device, where the terminal device includes: a communication interface 401, a processor 402, a machine-readable storage medium 403, and a bus 404; the communication interface 401, the processor 402 and the machine-readable storage medium 403 communicate with each other via the bus 404. The processor 402 performs the illegal external connection detection methods described above by reading and executing the machine-executable instructions in the machine-readable storage medium 403 that correspond to the illegal external connection detection control logic.
The machine-readable storage medium 403 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or a similar storage medium, or a combination thereof.
Referring to fig. 5, a block diagram of an illegal external connection detection device according to an exemplary embodiment of the present application is shown. The device can be applied to a terminal device and can comprise the following units.
An obtaining unit 501, configured to obtain a message; the obtained message is a message to be sent by the device or a message received by the device;
a first detecting unit 502, configured to detect whether the source IP address or destination IP address of the message hits a preconfigured white list; the white list records accessible IP addresses;
a second detecting unit 503, configured to obtain the page title of the page requested by a preconfigured URL address if the white list is not hit, and to detect whether the obtained page title is consistent with the preconfigured page title corresponding to the URL address;
and a determining unit 504, configured to determine that the device has an illegal external connection if the two page titles are consistent.
Optionally, the second detecting unit 503 is specifically configured, when obtaining the page title of the page requested by the preconfigured URL address, to send a page obtaining request corresponding to the preconfigured URL address, receive the page data returned for the page obtaining request, and obtain the page title from the page data.
Optionally, the apparatus further comprises:
a processing unit 505 (not shown in fig. 5), configured to perform at least one of:
generating an illegal external connection event and uploading it to the management server; the illegal external connection event comprises at least the source IP address, destination IP address, source port and destination port of the message, the path of the process responsible for the illegal message, the user identifier corresponding to the device, and the time of the illegal external connection;
carrying out illegal external connection processing; the illegal external connection processing comprises at least one or a combination of the following steps: displaying illegal external connection prompt information to the user; disconnecting the illegal external connection link; closing the process of the illegal external connection; and restarting the device.
Optionally, the apparatus further comprises:
a checking unit 506 (not shown in fig. 5), configured to periodically check whether the device accesses network resources through a proxy server and, if so, perform one or a combination of the following operations:
sending an illegal external connection proxy event to the management server; the illegal proxy event comprises at least the local IP address, the IP address and port of the proxy server, the user identifier corresponding to the device, and the time of the illegal proxy;
carrying out illegal proxy processing; the illegal proxy processing comprises at least one or a combination of the following steps: displaying prompt information to the user indicating that the terminal device has enabled a proxy; cutting off the network connection of the terminal device; and restarting the device.
Optionally, the apparatus further comprises:
a discarding unit 507 (not shown in fig. 5), configured to discard an ICMP message when an ICMP message whose destination address is an IP address not included in the white list is obtained.
The implementation process of the functions and actions of each unit in the above device is described in detail in the implementation process of the corresponding step in the above method, and is not repeated here.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (8)

1. An illegal external connection detection method, applied to a client on a terminal device, comprising the following steps:
obtaining a message; the obtained message is a message to be sent by the device or a message received by the device;
detecting whether the source IP address or destination IP address of the message hits a pre-configured white list; the white list records accessible IP addresses;
if not hit, obtaining the page title of the page requested by a pre-configured URL address, and detecting whether the obtained page title is consistent with the pre-configured page title corresponding to the URL address;
if consistent, determining that the device has an illegal external connection;
wherein the client does not support detecting whether an ICMP message hits the white list, and the method further comprises:
when an ICMP message whose destination address or source address is an IP address not contained in the white list is obtained, discarding the ICMP message.
2. The method of claim 1, wherein obtaining the page title of the page requested by the pre-configured URL address comprises:
sending a page obtaining request corresponding to the pre-configured URL address;
and receiving the page data returned for the page obtaining request, and obtaining the page title from the page data.
3. The method according to claim 1, wherein when it is determined that the terminal device has an illegal external connection, the method further comprises at least one of the following steps:
generating an illegal external connection event and uploading it to the management server; the illegal external connection event comprises at least the source IP address, destination IP address, source port and destination port of the message, the path of the process responsible for the illegal message, the user identifier corresponding to the device, and the time of the illegal external connection;
carrying out illegal external connection processing; the illegal external connection processing comprises at least one or a combination of the following steps: displaying illegal external connection prompt information to the user; cutting off the network of the device; disconnecting the illegal external connection link; closing the process of the illegal external connection; and restarting the device.
4. The method of claim 1, further comprising:
periodically checking whether the device accesses network resources through a proxy server;
if so, performing one or a combination of the following operations:
sending an illegal external connection proxy event to the management server; the illegal proxy event comprises at least the local IP address, the IP address and port of the proxy server, the user identifier corresponding to the device, and the time of the illegal proxy;
carrying out illegal proxy processing; the illegal proxy processing comprises at least one or a combination of the following steps: displaying prompt information to the user indicating that the terminal device has enabled a proxy; cutting off the network connection of the terminal device; and restarting the device.
5. An illegal external connection detection device, applied to a client on a terminal device, comprising:
an obtaining unit, configured to obtain a message; the obtained message is a message to be sent by the device or a message received by the device;
a first detecting unit, configured to detect whether the source IP address or destination IP address of the message hits a pre-configured white list; the white list records accessible IP addresses;
a second detecting unit, configured to obtain the page title of the page requested by a pre-configured URL address if the white list is not hit, and to detect whether the obtained page title is consistent with the pre-configured page title corresponding to the URL address;
a determining unit, configured to determine that an illegal external connection has occurred on the device if the page titles are consistent;
wherein the client does not support detecting whether an ICMP message hits the white list, and the device further comprises:
a discarding unit, configured to discard an ICMP message when an ICMP message whose destination address or source address is an IP address not contained in the white list is obtained.
6. The device according to claim 5, wherein the second detecting unit, when obtaining the page title of the page requested by the pre-configured URL address, is specifically configured to send a page obtaining request corresponding to the pre-configured URL address, receive the page data returned for the page obtaining request, and obtain the page title from the page data.
7. The device of claim 5, further comprising:
a processing unit, configured to perform at least one of:
generating an illegal external connection event and uploading it to the management server; the illegal external connection event comprises at least the source IP address, destination IP address, source port and destination port of the message, the path of the process responsible for the illegal message, the user identifier corresponding to the device, and the time of the illegal external connection;
carrying out illegal external connection processing; the illegal external connection processing comprises at least one or a combination of the following steps: displaying illegal external connection prompt information to the user; disconnecting the illegal external connection link; closing the process of the illegal external connection; and restarting the device.
8. The device of claim 5, further comprising:
a checking unit, configured to periodically check whether the device accesses network resources through a proxy server and, if so, perform one or a combination of the following operations:
sending an illegal external connection proxy event to the management server; the illegal proxy event comprises at least the local IP address, the IP address and port of the proxy server, the user identifier corresponding to the device, and the time of the illegal proxy;
carrying out illegal proxy processing; the illegal proxy processing comprises at least one or a combination of the following steps: displaying prompt information to the user indicating that the terminal device has enabled a proxy; cutting off the network connection of the terminal device; and restarting the device.
CN201810596544.7A 2018-06-11 2018-06-11 Illegal external connection detection method and device Active CN108881211B (en)


Publications (2)

Publication Number Publication Date
CN108881211A CN108881211A (en) 2018-11-23
CN108881211B true CN108881211B (en) 2021-10-08

Family

ID=64338663


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant