CN109688161A - Network tracing method, apparatus, system, device and storage medium - Google Patents


Publication number
CN109688161A
Authority
CN
China
Prior art keywords
network
attack
partition
watermark
flow
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910115002.8A
Other languages
Chinese (zh)
Inventor
李建华
陈璐艺
伍军
李高勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SHANGHAI PENGYUE JINGHONG INFORMATION TECHNOLOGY DEVELOPMENT Co Ltd
Original Assignee
SHANGHAI PENGYUE JINGHONG INFORMATION TECHNOLOGY DEVELOPMENT Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks


Abstract

The present invention relates to the technical field of computer network security, and discloses a network tracing method, apparatus, system, device and storage medium. The steps are as follows: when a first partition network is under attack, a first network flow watermark is embedded in a first network traffic signal flowing through the input of a boundary node between the first partition network and a second partition network; a second network traffic signal at the input of the attacked object is extracted, and a second network flow watermark in the second network traffic signal is determined; the second network flow watermark is compared with the first network flow watermark, and if the two meet a preset similarity condition, it is confirmed that the second partition took part in the network attack. By using network flow watermark embedding to establish network attack tracing between the partitions of a partitioned network, the network tracing method of the invention can complete collaborative intrusion tracing efficiently and in real time, and simplifies the management of network tracing.

Description

Network tracing method, apparatus, system, device and storage medium
Technical Field
The present invention relates to the technical field of computer network security, and in particular to a network tracing method, apparatus, system, device and storage medium.
Background
With the continuous development of informatization and networking, network attacks are becoming increasingly severe. For a partitioned network in particular, the complexity of its own network structure makes it difficult to analyze the complete attack chain when it is under attack, and therefore difficult to trace the network attack.
At present, the most commonly used approach to attack traceback in partitioned networks is to use network traffic analysis to discover the network nodes related to the attack and thereby trace it. Its main characteristic is that all network behavior on the interconnected network terminals must be analyzed and correlated. Although it does not alter the original network traffic and is highly covert, it usually involves combining several techniques, such as the fingerprint technique, the time marking technique and the difference marking technique.
It can be seen that, in the prior art, network tracing for partitioned networks relies mainly on the traditional technique of comprehensively analyzing the network: a large amount of data must be obtained before a network attack can be traced accurately, so memory consumption is high, efficiency is low and real-time performance is poor; moreover, many techniques must be combined, which makes implementation cumbersome.
Summary of the Invention
In view of the above problems, it is necessary to provide a network tracing method, apparatus, system, device and storage medium.
In Embodiment one, the present invention provides a network tracing method, applied to network attack tracing between partition networks, comprising the following steps:
When a first partition network is under attack, embedding a first network flow watermark in a first network traffic signal flowing through the input of a boundary node between the first partition network and a second partition network, the first network traffic signal flowing from the second partition network to the first partition network;
Extracting a second network traffic signal at the input of the attacked object, and extracting a second network flow watermark from the second network traffic signal;
Comparing the second network flow watermark with the first network flow watermark, and if the second network flow watermark and the first network flow watermark meet a preset similarity condition, confirming that the second partition took part in the network attack.
In Embodiment two, the present invention provides a network tracing method, applied to network attack tracing inside a partition network, comprising the following steps:
When the partition network is under attack, determining from the attacked object the attack-initiating object that launched the direct attack, and embedding a third network flow watermark in a third network traffic signal at the output of a network node connected to the input of the attack-initiating object;
Extracting a fourth network traffic signal at the output of the attack-initiating object, and determining a fourth network flow watermark in the fourth network traffic signal;
Comparing the fourth network flow watermark with the third network flow watermark, and if the fourth network flow watermark and the third network flow watermark meet a preset similarity condition, confirming that the network node connected to the input of the attack-initiating object took part in the network attack, so as to trace the network attack within the partition network.
In Embodiment three, the present invention provides a network tracing apparatus, applied to network attack tracing between partition networks, comprising:
A first flow watermark embedding module, configured to, when a first partition network is under attack, embed a first network flow watermark in a first network traffic signal flowing through the input of a boundary node between the first partition network and a second partition network, the first network traffic signal flowing from the second partition network to the first partition network;
A first flow watermark extracting module, configured to extract a second network traffic signal at the input of the attacked object, and to extract a second network flow watermark from the second network traffic signal;
A first attack judgment module, configured to compare the second network flow watermark with the first network flow watermark, and if the second network flow watermark and the first network flow watermark meet a preset similarity condition, to confirm that the second partition took part in the network attack.
In Embodiment four, the present invention provides a network tracing apparatus, applied to network attack tracing inside a partition network, characterized in that it comprises:
A second flow watermark embedding module, configured to, when the partition network is under attack, determine from the attacked object the attack-initiating object that launched the direct attack, and to embed a third network flow watermark in a third network traffic signal at the output of a network node connected to the input of the attack-initiating object;
A second flow watermark extracting module, configured to extract a fourth network traffic signal at the output of the attack-initiating object, and to determine a fourth network flow watermark in the fourth network traffic signal;
A second attack judgment module, configured to compare the fourth network flow watermark with the third network flow watermark, and if the fourth network flow watermark and the third network flow watermark meet a preset similarity condition, to confirm that the network node connected to the input of the attack-initiating object took part in the network attack, so as to trace the network attack within the partition network.
In Embodiment five, the present invention also provides a network tracing system, comprising:
A first partition network and a second partition network, between which network traffic signals are exchanged;
A first network tracing apparatus, configured to execute the network tracing method of Embodiment one when the first partition network is subjected to a network attack, so as to trace the network attack between the first partition network and the second partition network;
A second network tracing apparatus, configured to perform network tracing separately on the first partition network and/or the second partition network, executing the network tracing method of Embodiment two when the first partition network and/or the second partition network is subjected to a network attack, so as to trace the network attack within the first partition network and/or the second partition network separately.
In one of the embodiments, the present invention also provides a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of the partition network tracing method described above.
In one of the embodiments, the present invention also provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, it causes the processor to perform the steps of the network tracing method described above.
The network tracing method, apparatus, system, device and storage medium of the embodiments of the present invention use network flow watermark embedding to establish network attack tracing between the partitions of a partitioned network, while internal network attack tracing can also be performed inside each partition, so that collaborative intrusion tracing can be completed efficiently and in real time. At the same time, tracing inside each partition is independent, with no need to know the topology of adjacent partitions, which simplifies the management of network tracing.
Brief Description of the Drawings
Fig. 1 is a diagram of the application environment of the network tracing method provided in one embodiment;
Fig. 2 is a flow chart of the network tracing method provided in one embodiment;
Fig. 3 is a flow chart of embedding the first network flow watermark in one embodiment;
Fig. 4 is a flow chart of judging whether a partition network took part in the attack in one embodiment;
Fig. 5 is a flow chart of another network tracing method provided in one embodiment;
Fig. 6 is a schematic diagram of a specific example of tracing within a partition in one embodiment;
Fig. 7 is a structural block diagram of the network tracing apparatus provided in one embodiment;
Fig. 8 is a structural block diagram of the first flow watermark embedding module provided in one embodiment;
Fig. 9 is a structural block diagram of the first attack judgment module provided in one embodiment;
Fig. 10 is a structural block diagram of another network tracing apparatus provided in one embodiment;
Fig. 11 is a structural block diagram of the network tracing system provided in one embodiment;
Fig. 12 is a block diagram of the internal structure of the computer device in one embodiment.
Detailed Description of the Embodiments
Specific embodiment
In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and are not intended to limit it.
It will be understood that the terms "first", "second" and so on used in this application may be used to describe various elements, but unless otherwise stated these elements are not limited by these terms. The terms are only used to distinguish one element from another. For example, without departing from the scope of this application, a first xx unit may be called a second xx unit, and similarly a second xx unit may be called a first xx unit.
Fig. 1 is a diagram of the application environment of the network tracing method provided in one embodiment. As shown in Fig. 1, the application environment includes a partition network 110 and a network tracing system 120.
Partition network 110: to reduce the size of the network architecture, a network is divided into different sub-networks that are managed separately, and each such sub-network is a partition network. Partition networks are widely used. Taking the national power grid as an example, under the power network security protection requirements issued by the State Electricity Regulatory Commission, the power network must be divided into four zones: Zone 1 is the production real-time control zone, Zone 2 is the production non-real-time control zone, Zone 3 is the production management zone, and Zone 4 mainly hosts management information systems, the company ERP system and the like. Zones 1 and 2 are called the production control zone, and Zones 3 and 4 are called the management information zone. The application of the present invention to other partition networks is not illustrated one by one here.
Network tracing system 120: on the basis of network flow watermarking, it coordinates the different partition networks to complete tracing of network intrusions inside and outside the partition networks.
Embodiment one
As shown in Fig. 2, one embodiment proposes a network tracing method applied to attack tracing between partition networks. This embodiment is mainly illustrated by applying the method to the network tracing system 120 in Fig. 1 above, and may specifically include the following steps:
Step S201: when the first partition network is under attack, embed a first network flow watermark in a first network traffic signal flowing through the input of the boundary node between the first partition network and the second partition network, the first network traffic signal flowing from the second partition network to the first partition network;
Step S202: extract a second network traffic signal at the input of the attacked object, and determine a second network flow watermark in the second network traffic signal;
Step S203: compare the second network flow watermark with the first network flow watermark, and if the second network flow watermark and the first network flow watermark meet a preset similarity condition, confirm that the second partition took part in the network attack.
In the embodiments of the present invention, the network characteristic parameters of the attacked object are extracted, and nodes in the first partition network that have all or some of the same network characteristic parameters are treated as possible attacked objects. The network characteristic parameters may be information such as the IP of the attacked node or device, the network protocol it uses, or keywords contained in the node's network traffic packets.
In the embodiments of the present invention, a network flow watermark is also called a flow marker. Its principle is mainly to embed a watermark by changing or modulating information such as the payload of the sender's packets, time intervals, interval arrival delays, interval centroids or the flow rate; the receiving end identifies the watermark, thereby associating the sender with the receiver.
In the embodiments of the present invention, step S201, embedding the first network flow watermark in the first network traffic signal flowing through the input of the boundary node between the first partition network and the second partition network, specifically includes:
Step S301: generate a random pseudo-noise code and the first network flow watermark;
Step S302: spread the first network flow watermark with the random pseudo-noise code;
Step S303: embed the first network flow watermark in the first network traffic signal flowing through the input of the boundary node between the first partition network and the second partition network.
Specifically, spreading the first network flow watermark with the random pseudo-noise code can be formulated as:
Wherein, $W_P$ is the matrix representation of the first network flow watermark after spreading, $W$ is the matrix representation of the first network flow watermark, and $P$ is the matrix representation of the random pseudo-noise code. The random pseudo-noise code can be expressed as $P = (p_1, p_2, \ldots, p_n)$, $p_j \in \{-1, 1\}$ $(j = 1, 2, \ldots, n)$, and the first network flow watermark can be expressed as $W = (w_1, w_2, \ldots, w_m)^T$, $w_i \in \{-1, 1\}$ $(i = 1, 2, \ldots, m)$.
Specifically, embedding the first network flow watermark in the first network traffic signal flowing through the input of the boundary node between the first partition network and the second partition network can be formulated as:
$S = f + \alpha \times w_i \times p_j$
Wherein, $S$ is the flow rate of the first network traffic signal after the first network flow watermark is embedded, $f$ is the flow rate of the first network traffic signal before the first network flow watermark is embedded, $\alpha$ is a constant coefficient, $w_i$ is a component of the matrix representation of the first network flow watermark, and $p_j$ is a component of the matrix representation of the random pseudo-noise code.
In the embodiments of the present invention, determining the second network flow watermark in the second network traffic signal is specifically:
The second network traffic signal is filtered and denoised to determine the second network flow watermark.
Specifically, in combination with the above formula, since noise $N$ is introduced during transmission, the flow rate of the second network traffic signal received at the receiving end is $R = f + \alpha \times w_i \times p_j + N$. After $f$ is filtered out with a high-pass filter, $R' = \alpha \times w_i \times p_j + N$ is obtained; $R'$ is then multiplied by $P$ to obtain $S' = \alpha \times w_i \times p_j \times P + NP$, and after the noise $NP$ is filtered out, the first network flow watermark signal $W$ is obtained.
In the embodiments of the present invention, comparing the second network flow watermark with the first network flow watermark, and confirming that the second partition took part in the network attack if the second network flow watermark and the first network flow watermark meet a preset similarity condition, specifically includes:
Step S401: calculate the similarity between the second network flow watermark and the first network flow watermark, and compare the similarity with a preset threshold;
Step S402: if the similarity is greater than the preset threshold, the second network flow watermark is associated with the first network flow watermark, and it is determined that the network node in the second partition connected to the input of the boundary node took part in the network attack;
Step S403: if the similarity is less than or equal to the preset threshold, the second network flow watermark is not associated with the first network flow watermark, and it is determined that the second partition did not take part in the network attack.
Specifically, in the embodiments of the present invention, calculating the similarity between the second network flow watermark and the first network flow watermark can be formulated as:
Wherein, $W$ is the matrix representation of the first network flow watermark, $W'$ is the matrix representation of the second network flow watermark, $w_i$ is a component of the matrix representation of the first network flow watermark, and $p_j$ is a component of the matrix representation of the random pseudo-noise code.
The network tracing method of this embodiment of the present invention uses network flow watermark embedding to establish network attack tracing between the partitions of a partitioned network, can complete collaborative intrusion tracing efficiently and in real time, and simplifies the management of network tracing.
Embodiment two
As shown in Fig. 5, the present invention provides a network tracing method, applied to network attack tracing inside a partition network, comprising the following steps:
Step S501: when the partition network is under attack, determine from the attacked object the attack-initiating object that launched the direct attack, and embed a third network flow watermark in a third network traffic signal at the output of a network node connected to the input of the attack-initiating object;
Step S502: extract a fourth network traffic signal at the output of the attack-initiating object, and determine a fourth network flow watermark in the fourth network traffic signal;
Step S503: compare the fourth network flow watermark with the third network flow watermark, and if the fourth network flow watermark and the third network flow watermark meet a preset similarity condition, confirm that the network node connected to the input of the attack-initiating object took part in the network attack, so as to trace the network attack within the partition network.
Specifically, after it is determined that the network node connected to the input of the attack-initiating object took part in the network attack, that network node is in turn taken as the new attack-initiating object, and network flow watermark embedding is repeated (or the first embedded network flow watermark is used directly), followed by extraction and network flow watermark similarity verification, so as to determine the complete network attack route.
In a specific embodiment, as shown in Fig. 6, the partition network contains three network nodes A, B and C. It is known that A is attacked by B; this can be learned directly from the network logs. It must now be determined whether the attack actually originates from C. A watermark is therefore embedded in the network traffic from C to B, and the watermark is detected in the network traffic from B to A. If the two meet the preset similarity condition, the attack actually originates from C.
In the embodiments of the present invention, the manner of embedding the third network flow watermark in the third network traffic signal at the input of the attacked object is the same as the manner of embedding the network flow watermark in Embodiment one; the step of determining the fourth network flow watermark in the fourth network traffic signal is the same as the step of determining the second network flow watermark in Embodiment one; and the step of comparing the fourth network flow watermark with the third network flow watermark is the same as the step of comparing the second network flow watermark with the first network flow watermark in Embodiment one.
The network tracing method of this embodiment of the present invention uses network flow watermark embedding to establish network attack tracing within a partition network. Internal network attack tracing can be performed inside a partition, collaborative intrusion tracing can be completed efficiently and in real time, and there is no need to know the topology of adjacent partitions, which simplifies the management of network tracing.
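The embed, extract and compare steps of Embodiments one and two, run on the Fig. 6 case (watermark embedded on the C-to-B link, detection on the B-to-A link), as an added Python example that is not part of the patent. The row-major chip order, block-mean subtraction standing in for the high-pass filter, the normalised-correlation similarity, the 0.8 threshold and all parameter values are assumptions of this example, and the flow rates are constructed sample data.

```python
import math
import random


def pn_code(n, rng):
    """Random pseudo-noise code P = (p_1, ..., p_n) with p_j in {-1, +1}."""
    return [rng.choice((-1, 1)) for _ in range(n)]


def spread(w, p):
    """Spread each watermark bit w_i over the whole code: chip (i, j) = w_i * p_j.
    Emitting the chips row by row (bit after bit) is an assumption of this example."""
    return [wi * pj for wi in w for pj in p]


def embed(base_rates, w, p, alpha):
    """S = f + alpha * w_i * p_j, with one flow-rate sample per chip."""
    chips = spread(w, p)
    if len(base_rates) != len(chips):
        raise ValueError("need exactly len(w) * len(p) flow-rate samples")
    return [f + alpha * c for f, c in zip(base_rates, chips)]


def extract(rates, p):
    """Recover W' from observed rates R = f + alpha * w_i * p_j + N."""
    n = len(p)
    if len(rates) % n:
        raise ValueError("observation length must be a multiple of len(p)")
    bits = []
    for start in range(0, len(rates), n):
        block = rates[start:start + n]
        # Assumed stand-in for the high-pass filter: subtract the block mean
        # to drop the slowly varying carrier f, leaving R'.
        mean = sum(block) / n
        # Multiply R' by P and sum: the watermark term adds up coherently,
        # while the noise term N*P averages out over the n chips.
        corr = sum((r - mean) * pj for r, pj in zip(block, p))
        bits.append(1 if corr >= 0 else -1)
    return bits


def similarity(w, w_prime):
    """Normalised correlation in [-1, 1]; an assumed metric for this example."""
    return sum(a * b for a, b in zip(w, w_prime)) / len(w)


def is_associated(w, w_prime, threshold=0.8):
    """S402/S403: associated only when similarity is strictly above the threshold."""
    return similarity(w, w_prime) > threshold


def demo(seed=7):
    """Fig. 6 case with constructed traffic: returns (relayed hit, unrelated hit)."""
    rng = random.Random(seed)
    m, n, alpha, sigma = 32, 64, 2.0, 2.0   # assumed parameters
    w = pn_code(m, rng)                     # watermark bits, also in {-1, +1}
    p = pn_code(n, rng)
    total = m * n
    # Constructed carrier: about 100 units with a slow drift.
    base = [100 + 5 * math.sin(2 * math.pi * t / total) for t in range(total)]
    marked = embed(base, w, p, alpha)       # watermark embedded on the C -> B link
    # B -> A traffic when B forwards C's traffic: same rate pattern plus noise N.
    relayed = [s + rng.gauss(0, sigma) for s in marked]
    # B -> A traffic that does not derive from C: no watermark present.
    unrelated = [f + rng.gauss(0, sigma) for f in base]
    return (is_associated(w, extract(relayed, p)),
            is_associated(w, extract(unrelated, p)))


if __name__ == "__main__":
    print(demo())
```
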
Embodiment three
As shown in Fig. 7, one embodiment provides a network tracing apparatus applied to attack tracing between partition networks. The network tracing apparatus may be integrated in the network tracing system 120 described above, and may specifically include:
A first flow watermark embedding module 701, configured to, when the first partition network is under attack, embed a first network flow watermark in a first network traffic signal flowing through the input of the boundary node between the first partition network and the second partition network, the first network traffic signal flowing from the second partition network to the first partition network;
A first flow watermark extracting module 702, configured to extract a second network traffic signal at the input of the attacked object, and to extract a second network flow watermark from the second network traffic signal;
A first attack judgment module 703, configured to compare the second network flow watermark with the first network flow watermark, and if the second network flow watermark and the first network flow watermark meet a preset similarity condition, to confirm that the second partition took part in the network attack.
In the embodiments of the present invention, the network characteristic parameters of the attacked object are extracted, and nodes in the first partition network that have all or some of the same network characteristic parameters are treated as possible attacked objects. The network characteristic parameters may be information such as the IP of the attacked node or device, the network protocol it uses, or keywords contained in the node's network traffic packets.
In the embodiments of the present invention, a network flow watermark is also called a flow marker. Its principle is mainly to embed a watermark by changing or modulating information such as the payload of the sender's packets, time intervals, interval arrival delays, interval centroids or the flow rate; the receiving end identifies the watermark, thereby associating the sender with the receiver.
In the embodiments of the present invention, the first flow watermark embedding module 701 includes:
A pseudo-noise code and signal generation unit 801, configured to generate a random pseudo-noise code and the first network flow watermark;
A signal spreading unit 802, configured to spread the first network flow watermark with the random pseudo-noise code;
A signal embedding unit 803, configured to embed the first network flow watermark in the first network traffic signal flowing through the input of the boundary node between the first partition network and the second partition network.
Specifically, the spreading of the first network flow watermark with the random pseudo-noise code by the signal spreading unit 802 can be formulated as:
Wherein, $W_P$ is the matrix representation of the first network flow watermark after spreading, $W$ is the matrix representation of the first network flow watermark, and $P$ is the matrix representation of the random pseudo-noise code. The random pseudo-noise code can be expressed as $P = (p_1, p_2, \ldots, p_n)$, $p_j \in \{-1, 1\}$ $(j = 1, 2, \ldots, n)$, and the first network flow watermark can be expressed as $W = (w_1, w_2, \ldots, w_m)^T$, $w_i \in \{-1, 1\}$ $(i = 1, 2, \ldots, m)$.
Specifically, the embedding by the signal embedding unit 803 of the first network flow watermark in the first network traffic signal flowing through the input of the boundary node between the first partition network and the second partition network can be formulated as:
$S = f + \alpha \times w_i \times p_j$
Wherein, $S$ is the flow rate of the first network traffic signal after the first network flow watermark is embedded, $f$ is the flow rate of the first network traffic signal before the first network flow watermark is embedded, $\alpha$ is a constant coefficient, $w_i$ is a component of the matrix representation of the first network flow watermark, and $p_j$ is a component of the matrix representation of the random pseudo-noise code.
In the embodiments of the present invention, determining the second network flow watermark in the second network traffic signal is specifically:
The second network traffic signal is filtered and denoised to determine the second network flow watermark.
Specifically, in combination with the above formula, since noise $N$ is introduced during transmission, the flow rate of the second network traffic signal received at the receiving end is $R = f + \alpha \times w_i \times p_j + N$. After $f$ is filtered out with a high-pass filter, $R' = \alpha \times w_i \times p_j + N$ is obtained; $R'$ is then multiplied by $P$ to obtain $S' = \alpha \times w_i \times p_j \times P + NP$, and after the noise $NP$ is filtered out, the first network flow watermark signal $W$ is obtained.
In embodiments of the present invention, the first attack judgment module 703 specifically includes:
Similarity calculated 901, for calculating the similarity of the second network flow watermark and first network flowing water print, and will Similarity is compared with preset threshold;
Determination unit 902 is attacked, if being greater than preset threshold, the second network flow watermark and first network stream for similarity Watermark is associated, it is determined that the network node being connected in the second subregion with boundary node input terminal takes part in network attack;If phase It is less than or equal to preset threshold like degree, then the second network flow watermark is not associated with first network flowing water print, determines the second subregion not Participate in network attack.
Specifically, in this embodiment of the present invention, the calculation of the similarity between the second network flow watermark and the first network flow watermark can be expressed by the formula:
where $W$ is the matrix representation of the first network flow watermark, $W'$ is the matrix representation of the second network flow watermark, $w_i$ is a component of the matrix representation of the first network flow watermark, and $p_j$ is a component of the matrix representation of the random pseudo-noise code.
The network tracing device of this embodiment of the present invention establishes network attack tracing in the partition network by embedding network flow watermarks. Internal network attack tracing can be performed inside a partition, and cooperative intrusion tracing can be completed efficiently and in real time without regard to the topology of adjacent partitions, which simplifies the management of network tracing.
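The embedding formula $S = f + \alpha \times w_i \times p_j$, the high-pass and despreading steps, and the threshold decision described above can be simulated end to end; the following is an added example, not code from the patent. Assumptions: the function names, the parameter values, Gaussian channel noise, a moving-average high-pass filter, and a normalised-correlation similarity metric (the patent's own similarity formula is not reproduced on this page).

```python
import math
import random

def make_codes(m, n, rng):
    """Watermark W = (w_1..w_m)^T and PN code P = (p_1..p_n), entries in {-1, 1}."""
    W = [rng.choice((-1, 1)) for _ in range(m)]
    P = [rng.choice((-1, 1)) for _ in range(n)]
    return W, P

def base_flow(length):
    """Constructed carrier flow rate f: 100 units with a slow drift."""
    return [100.0 + 10.0 * math.sin(2 * math.pi * t / length) for t in range(length)]

def embed(f, W, P, alpha):
    """S = f + alpha * w_i * p_j: one chip per sample, n chips per watermark bit."""
    n = len(P)
    return [f[i * n + j] + alpha * W[i] * P[j]
            for i in range(len(W)) for j in range(n)]

def channel(S, sigma, rng):
    """R = S + N, with N modelled as Gaussian noise (assumption)."""
    return [s + rng.gauss(0.0, sigma) for s in S]

def high_pass(R, window):
    """Remove the slowly varying f by subtracting a centred moving average."""
    half = window // 2
    out = []
    for t in range(len(R)):
        lo, hi = max(0, t - half), min(len(R), t + half + 1)
        out.append(R[t] - sum(R[lo:hi]) / (hi - lo))
    return out

def extract(R, P, m):
    """R' = high_pass(R); multiply by P and average per bit to suppress N*P."""
    n = len(P)
    Rp = high_pass(R, n + 1)
    bits = []
    for i in range(m):
        corr = sum(Rp[i * n + j] * P[j] for j in range(n)) / n
        bits.append(1 if corr >= 0 else -1)
    return bits

def similarity(W, W2):
    """Assumed metric: normalised correlation of the two bit vectors, in [-1, 1]."""
    return sum(a * b for a, b in zip(W, W2)) / len(W)

def trace(R, W, P, threshold):
    """Return (similarity, participated?) for a received traffic signal R."""
    W2 = extract(R, P, len(W))
    sim = similarity(W, W2)
    return sim, sim > threshold

def demo(seed=7):
    rng = random.Random(seed)
    m, n, alpha, sigma, threshold = 32, 64, 2.0, 2.0, 0.8  # constructed values
    W, P = make_codes(m, n, rng)
    f = base_flow(m * n)
    marked = channel(embed(f, W, P, alpha), sigma, rng)   # flow that crossed the boundary node
    unmarked = channel(f, sigma, rng)                      # unrelated flow, no watermark
    return trace(marked, W, P, threshold), trace(unmarked, W, P, threshold)

if __name__ == "__main__":
    print(demo())
```

With 64 chips per bit the despreading gain lifts a watermark whose amplitude equals the noise level well above the decision boundary, while the unwatermarked flow despreads to random bits and stays below the threshold.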
Embodiment four
As shown in Figure 10, the present invention provides a network tracing device, applied to network attack tracing inside a partition network, comprising:
A second watermark embedding module 1001, configured to, when the partition network is attacked, determine from the attacked object the attack-initiating object that launched the direct attack, and embed a third network flow watermark in the third network traffic signal at the output end of the network node connected to the input end of the attack-initiating object;
A second watermark extraction module 1002, configured to extract the fourth network traffic signal at the output end of the attack-initiating object and determine the fourth network flow watermark in the fourth network traffic signal;
A second attack judgment module 1003, configured to compare the fourth network flow watermark with the third network flow watermark and, if the fourth network flow watermark and the third network flow watermark meet a preset similarity condition, confirm that the network node connected to the input end of the attack-initiating object participated in the network attack, so as to trace the network attack within the partition network.
Specifically, after it is confirmed that the network node connected to the input end of the attack-initiating object participated in the network attack, that network node is taken as the new attack-initiating object, and the network flow watermark embedding is repeated (or the network flow watermark embedded the first time is used directly), followed by extraction and similarity verification of the network flow watermark, so as to determine the complete network attack route.
In this embodiment of the present invention, the third network flow watermark is embedded in the third network traffic signal at the input end of the attacked object in the same way as the network flow watermark is embedded in embodiment one; the step of determining the fourth network flow watermark in the fourth network traffic signal is the same as the step of determining the second network flow watermark in embodiment one; and the step of comparing the fourth network flow watermark with the third network flow watermark is the same as the step of comparing the second network flow watermark with the first network flow watermark in embodiment one.
The network tracing device of this embodiment of the present invention establishes network attack tracing in the partition network by embedding network flow watermarks. Internal network attack tracing can be performed inside a partition, and cooperative intrusion tracing can be completed efficiently and in real time without regard to the topology of adjacent partitions, which simplifies the management of network tracing.
Embodiment five
As shown in Figure 11, in one embodiment, a network tracing system is provided, comprising:
A first partition network 1101 and a second partition network 1102, with network traffic signals exchanged between the first partition network 1101 and the second partition network 1102;
A first network tracing device 1103, configured to execute the network tracing method described in embodiment one when the first partition network 1101 is subjected to a network attack, so as to trace the network attack between the first partition network 1101 and the second partition network 1102;
A second network tracing device 1104, configured to carry out network tracing separately on the first partition network and/or the second partition network: when the first partition network 1101 and/or the second partition network 1102 is subjected to a network attack, it executes the network tracing method described in embodiment two to trace the network attack within the first partition network 1101 and/or the second partition network 1102 separately.
In this embodiment of the present invention, when the first partition network is attacked, the attacked object is determined and the first network tracing device 1103 executes the network tracing method described in embodiment one to judge whether the second partition network participated in the network attack. If the network node in the second partition connected to the input end of the boundary node participated in the network attack, the network tracing method of embodiment two is executed with that network node as the attacked object. Meanwhile, the second network tracing device 1104 inside the first partition network executes the network tracing method described in embodiment two to trace the network attack within the first partition network 1101. In this way, network tracing can be carried out between partitions while independent network tracing is carried out inside each partition at the same time.
The network tracing system of this embodiment of the present invention establishes network attack tracing between partitions of the partition network by embedding network flow watermarks, while internal network attack tracing can also be performed inside each partition, so that cooperative intrusion tracing can be completed efficiently and in real time. Tracing inside each partition is also mutually independent, with no need to consider the topology of adjacent partitions, which simplifies the management of network tracing.
Embodiment six
Figure 12 is a structural block diagram of a computer device provided by an embodiment of the present invention. The computer device includes a memory 1201, a processor 1202, a communication module 1203 and a user interface 1204.
The memory 1201 stores an operating system 1205, used to handle various basic system services and programs for performing hardware-related tasks; it also stores application software 1206, used to implement each step of the network tracing method in the embodiments of the present invention.
In this embodiment of the present invention, the memory 1201 may be high-speed random access memory, such as DRAM, SRAM, DDR, RAM or other random-access solid-state storage devices, or non-volatile memory, such as one or more hard disk storage devices, optical disc storage devices, memory devices, etc.
In this embodiment of the present invention, the processor 1202 can send and receive data through the communication module 1203 to implement network communication or local communication.
The user interface 1204 may include one or more input devices 1207, such as a keyboard, a mouse or a touch-screen display, and may also include one or more output devices 1208, such as a display or a loudspeaker.
Embodiment seven
In addition, an embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it causes the processor to execute the steps of the above network tracing method.
It should be understood that although the steps in the flowcharts of the embodiments of the present invention are shown in sequence as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless expressly stated otherwise herein, there is no strict ordering restriction on the execution of these steps, and they may be executed in other orders. Moreover, at least some of the steps in each embodiment may include multiple sub-steps or stages. These sub-steps or stages are not necessarily completed at the same moment but may be executed at different times, and they are not necessarily executed one after another but may be executed in turn or alternately with other steps, or with at least part of the sub-steps or stages of other steps.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the embodiments described above can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features involves no contradiction, it should be considered within the scope of this specification.
The embodiments described above express only several implementations of the present invention, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. Therefore, the protection scope of this patent shall be subject to the appended claims.

Claims (13)

1. A network tracing method, applied to attack tracing between partition networks, characterized by comprising the following steps:
When a first partition network is attacked, embedding a first network flow watermark in a first network traffic signal flowing through the input end of the boundary node between the first partition network and a second partition network, the first network traffic signal flowing from the second partition network to the first partition network;
Extracting a second network traffic signal at the input end of the attacked object, and determining a second network flow watermark in the second network traffic signal;
Comparing the second network flow watermark with the first network flow watermark, and, if the second network flow watermark and the first network flow watermark meet a preset similarity condition, confirming that the second partition participated in the network attack.
2. The network tracing method according to claim 1, characterized in that embedding the first network flow watermark in the first network traffic signal flowing through the input end of the boundary node between the first partition network and the second partition network specifically comprises:
Generating a random pseudo-noise code and the first network flow watermark;
Spreading the first network flow watermark with the random pseudo-noise code;
Embedding the first network flow watermark in the first network traffic signal flowing through the input end of the boundary node between the first partition network and the second partition network.
3. The network tracing method according to claim 2, characterized in that spreading the first network flow watermark with the random pseudo-noise code can be expressed by the formula:
where $W_P$ is the matrix representation of the first network flow watermark after spreading, $W$ is the matrix representation of the first network flow watermark, and $P$ is the matrix representation of the random pseudo-noise code; the random pseudo-noise code can be expressed as $P = (p_1, p_2, \ldots, p_n)$, $p_j \in \{-1, 1\}$ $(j = 1, 2, \ldots, n)$, and the first network flow watermark can be expressed as $W = (w_1, w_2, \ldots, w_m)^T$, $w_i \in \{-1, 1\}$ $(i = 1, 2, \ldots, m)$.
4. The network tracing method according to claim 2, characterized in that embedding the first network flow watermark in the first network traffic signal flowing through the input end of the boundary node between the first partition network and the second partition network can be expressed by the formula:
$S = f + \alpha \times w_i \times p_j$
where $S$ is the flow rate of the first network traffic signal after the first network flow watermark is embedded, $f$ is the flow rate of the first network traffic signal before the first network flow watermark is embedded, $\alpha$ is a constant coefficient, $w_i$ is a component of the matrix representation of the first network flow watermark, and $p_j$ is a component of the matrix representation of the random pseudo-noise code.
5. The network tracing method according to claim 1, characterized in that determining the second network flow watermark in the second network traffic signal specifically comprises:
Filtering and denoising the second network traffic signal to determine the second network flow watermark.
6. The network tracing method according to claim 1, characterized in that comparing the second network flow watermark with the first network flow watermark and, if the second network flow watermark and the first network flow watermark meet a preset similarity condition, confirming that the second partition participated in the network attack specifically comprises:
Calculating the similarity between the second network flow watermark and the first network flow watermark, and comparing the similarity with a preset threshold;
If the similarity is greater than the preset threshold, the second network flow watermark is associated with the first network flow watermark, and it is determined that the network node in the second partition connected to the input end of the boundary node participated in the network attack;
If the similarity is less than or equal to the preset threshold, the second network flow watermark is not associated with the first network flow watermark, and it is determined that the second partition did not participate in the network attack.
7. The network tracing method according to claim 6, characterized in that calculating the similarity between the second network flow watermark and the first network flow watermark can be expressed by the formula:
where $W$ is the matrix representation of the first network flow watermark, $W'$ is the matrix representation of the second network flow watermark, $w_i$ is a component of the matrix representation of the first network flow watermark, and $p_j$ is a component of the matrix representation of the random pseudo-noise code.
8. A network tracing method, characterized in that it is applied to attack tracing inside a partition network and comprises the following steps:
When the partition network is attacked, determining from the attacked object the attack-initiating object that launched the direct attack, and embedding a third network flow watermark in a third network traffic signal at the output end of the network node connected to the input end of the attack-initiating object;
Extracting a fourth network traffic signal at the output end of the attack-initiating object, and determining a fourth network flow watermark in the fourth network traffic signal;
Comparing the fourth network flow watermark with the third network flow watermark, and, if the fourth network flow watermark and the third network flow watermark meet a preset similarity condition, confirming that the network node connected to the input end of the attack-initiating object participated in the network attack, so as to trace the network attack within the partition network.
9. A network tracing device, applied to attack tracing between partition networks, characterized by comprising:
A first watermark embedding module, configured to, when a first partition network is attacked, embed a first network flow watermark in a first network traffic signal flowing through the input end of the boundary node between the first partition network and a second partition network, the first network traffic signal flowing from the second partition network to the first partition network;
A first watermark extraction module, configured to extract a second network traffic signal at the input end of the attacked object, and to extract a second network flow watermark from the second network traffic signal;
A first attack judgment module, configured to compare the second network flow watermark with the first network flow watermark and, if the second network flow watermark and the first network flow watermark meet a preset similarity condition, confirm that the second partition participated in the network attack.
10. A network tracing device, applied to attack tracing inside a partition network, characterized by comprising:
A second watermark embedding module, configured to, when the partition network is attacked, determine from the attacked object the attack-initiating object that launched the direct attack, and embed a third network flow watermark in a third network traffic signal at the output end of the network node connected to the input end of the attack-initiating object;
A second watermark extraction module, configured to extract a fourth network traffic signal at the output end of the attack-initiating object and determine a fourth network flow watermark in the fourth network traffic signal;
A second attack judgment module, configured to compare the fourth network flow watermark with the third network flow watermark and, if the fourth network flow watermark and the third network flow watermark meet a preset similarity condition, confirm that the network node connected to the input end of the attack-initiating object participated in the network attack, so as to trace the network attack within the partition network.
11. A network tracing system, characterized by comprising:
A first partition network and a second partition network, with network traffic signals exchanged between the first partition network and the second partition network;
A first network tracing device, configured to execute the network tracing method of any one of claims 1 to 7 when the first partition network is subjected to a network attack, so as to trace the network attack between the first partition network and the second partition network;
A second network tracing device, configured to carry out network tracing separately on the first partition network and/or the second partition network: when the first partition network and/or the second partition network is subjected to a network attack, it executes the network tracing method of claim 8 to trace the network attack within the first partition network and/or the second partition network separately.
12. A computer device, characterized by comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to execute the steps of the network tracing method of any one of claims 1 to 8.
13. A storage medium, characterized in that a computer program is stored on the storage medium, and when the computer program is executed by a processor, it causes the processor to execute the steps of the network tracing method of any one of claims 1 to 8.
CN201910115002.8A 2019-02-14 2019-02-14 A kind of network trace method, apparatus, system, equipment and storage medium Pending CN109688161A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910115002.8A CN109688161A (en) 2019-02-14 2019-02-14 A kind of network trace method, apparatus, system, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN109688161A true CN109688161A (en) 2019-04-26



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

RJ01 Rejection of invention patent application after publication