CN110417821B - Networking detection method and system - Google Patents



Publication number
CN110417821B
Authority
CN
China
Prior art keywords
user side
request
detection
current user
target server
Legal status
Active
Application number
CN201910849414.4A
Other languages
Chinese (zh)
Other versions
CN110417821A (en)
Inventor
蔡忠杰
陆立业
陈燕斌
杨然
刘一兵
Current Assignee
Beijing Huasai Online Technology Co ltd
Original Assignee
Beijing Huasai Online Technology Co ltd
Application filed by Beijing Huasai Online Technology Co ltd
Priority to CN201910849414.4A
Publication of CN110417821A
Application granted
Publication of CN110417821B
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a networking detection method in the technical field of network security detection. The method comprises the following steps: receiving a first JS request sent by the current user side to a target server; judging whether the accumulated number of JS requests sent by the current user side to the target server has reached a preset threshold; if it has, splicing the target server's reply content for all of the JS requests together with a JS detection message to generate new reply content, where the JS detection message, when executed, causes the executing client to send a detection request to a cloud detection platform; when a second JS request sent by the current user side to the target server is received, sending the new reply content to the current user side; and the current user side executing the new reply content and sending a detection request to the cloud detection platform, so that the cloud detection platform records the external connection information of the current user side. This achieves zero intrusion into the internal network service system and enhances the stability of the external connection detection function.

Description

Networking detection method and system
Technical Field
The invention relates to the technical field of network security detection, in particular to a networking detection method and a networking detection system.
Background
With the development and wide application of internet technology, the office and business systems of government departments, military units, enterprises and public institutions have been networked and digitised, and large amounts of confidential information are stored in these important information systems. Once such information is attacked over the network or leaked, it can seriously harm the security of the organisation and even of the country. Network security and informatisation complement each other: security is the precondition for development, development is the guarantee of security, and the two must be advanced together. To improve the security of important information systems, units with higher information security requirements use physical or logical isolation to prohibit the internal network from being connected to external networks such as public information networks and the internet, thereby reducing security threats from outside.
In practice, however, because some users have weak security awareness, the internal network in which the important information system is deployed is frequently connected to the external network in violation of policy, whether intentionally or unintentionally. In essence this behaviour builds a covert bridge for transmitting information from inside to outside and connects the internal network directly to the internet, so that the connection escapes the monitoring of the security measures at the network boundary. This seriously threatens the security of the internal network, easily leads to security incidents such as hacker intrusion and data loss, and makes it very convenient for insiders conspiring to steal confidential data to transmit information to an internet host.
A violating external connection amounts to establishing a new channel between network security zones and between the internal and external networks, so that the information security defence line formed by protective equipment such as firewalls and security isolation gateways becomes a Maginot Line. External hackers and viruses can bypass protective barriers such as firewalls and gateways, compromise the illegally connected computer, steal sensitive data, and even use that computer as a stepping stone to penetrate further into important intranet servers, exposing the entire internal network to the risk of being taken over.
At present, the technical core of HTTP-traffic-based detection of violating external connections lies in the injection of detection messages and the initiation of external connection detection requests. There are two main approaches. The first integrates the JS detection message into the intranet service system, such as an OA or ERP system, and initiates the external connection detection request through execution of that JS. Its main disadvantages are that it is intrusive to the business system, requires modifying the original business system, and creates a large amount of extra work: if there are N service systems to be covered in the intranet, full coverage requires N times the extra work, which greatly complicates deployment. The second approach detects an HTTP request and redirects it to an external connection detection request. Its main disadvantage is that the original HTTP request is affected, which may cause the user's page to display abnormally or appear blank, so the user has to refresh the page manually before it can be used normally, giving a poor user experience. Moreover, the browser uses a cache when loading a web page: once certain resources have been cached, the browser reads them locally on subsequent loads without issuing a request to the HTTP server, so there is no HTTP traffic to detect and the external connection detection function fails.
Disclosure of Invention
To address the defects in the prior art, the invention provides a networking detection method comprising the following steps:
receiving a first JS request sent by the current user side to a target server;
judging whether the accumulated number of JS requests sent by the current user side to the target server has reached a preset threshold;
if the accumulated number has reached the preset threshold, splicing the target server's reply content for all of the JS requests together with a JS detection message to generate new reply content, where the JS detection message, when executed, causes the executing client to send a detection request to a cloud detection platform;
when a second JS request sent by the current user side to the target server is received, sending the new reply content to the current user side;
and the current user side executing the new reply content and sending a detection request to the cloud detection platform, so that the cloud detection platform records the external connection information of the current user side.
In some embodiments, the method further comprises:
if the accumulated number has not reached the preset threshold, continuing to receive JS requests sent by the current user side to the target server and accumulating their number.
In some embodiments, the method further comprises:
caching key information of the target server's reply content for the first JS request, the key information comprising the packet length and checksum of the reply content.
In some embodiments, the method further comprises:
judging whether the currently cached reply content has changed;
and the step of splicing the target server's reply content for all of the JS requests together with the JS detection message to generate new reply content when the accumulated number reaches the preset threshold comprises:
splicing the target server's reply content for all of the JS requests together with the JS detection message to generate new reply content only if the accumulated number has reached the preset threshold and the currently cached reply content has not changed.
In some embodiments, after the new reply content is sent to the current user side upon receipt of the second JS request sent by the current user side to the target server, the method further comprises:
sending a reset message to the target server so that the target server resets the communication connection between the current user side and the target server.
In some embodiments, the step in which the current user side executes the new reply content and sends a detection request to the cloud detection platform comprises:
the current user side executing the new reply content, creating and running a timer, and sending a detection request to the cloud detection platform; when the detection request is executed, the cloud detection platform records the intranet IP of the current user side and the extranet egress IP of the target server.
In some embodiments, the method further comprises:
while the timer is running on the current user side, if a communication connection with the cloud detection platform has not been established, sending the detection request to the cloud detection platform again after a preset time period.
In some embodiments, the method further comprises:
destroying the timer after the current user side receives the reply from the cloud detection platform.
To address the defects in the prior art, the invention also provides a networking detection system comprising a probe and a cloud detection platform, where the probe is deployed on the user side and mirrors the user side's traffic, and the cloud detection platform is deployed in the internet;
the system comprises the probe, the cloud detection platform and a client side, where the probe is used to receive a first JS request sent by the current user side to a target server, judge whether the accumulated number of JS requests sent by the current user side to the target server has reached a preset threshold, and, if so, splice the target server's reply content for all of the JS requests together with a JS detection message to generate new reply content;
and the cloud detection platform is used to record the external connection information of the current user side.
In some embodiments, the probe is further used to:
cache key information of the target server's reply content for the first JS request, the key information comprising the packet length and checksum of the reply content, and judge whether the currently cached reply content has changed;
and, if the accumulated number has reached the preset threshold and the currently cached reply content has not changed, splice the target server's reply content for all of the JS requests together with the JS detection message to generate new reply content.
The beneficial effects of the invention are as follows:
The detection message is injected by splicing the JS detection message into the original reply content, which achieves zero intrusion into the intranet service system: no code or configuration needs to be added to or changed in the intranet service system. No request is redirected, the loading order of the original requests is unchanged, the functioning of the internal network service system is unaffected, and violating external connection behaviour is detected without the user perceiving it. Because the JS detection message is combined with the original reply content, the stability of the external connection detection function is enhanced and the detection function is prevented from failing under conditions such as browser caching.
Drawings
In order to more clearly illustrate the detailed description of the invention or the technical solutions in the prior art, the drawings that are needed in the detailed description of the invention or the prior art will be briefly described below. Throughout the drawings, like elements or portions are generally identified by like reference numerals. In the drawings, elements or portions are not necessarily drawn to scale.
Fig. 1 is a flowchart of a networking detection method according to a first embodiment of the present application;
Fig. 2 is a flowchart of a networking detection method according to a second embodiment of the present application;
Fig. 3 is a block flow diagram of a networking detection method according to a third embodiment of the present application;
Fig. 4 is a timing chart of a networking detection method according to a fourth embodiment of the present application;
Fig. 5 is a schematic structural diagram of a networking detection system according to a fifth embodiment of the present application;
Fig. 6 is a network diagram of a networking detection system according to a sixth embodiment of the present application.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and therefore are only examples, and the protection scope of the present invention is not limited thereby.
It is to be noted that, unless otherwise specified, technical or scientific terms used herein shall have the ordinary meaning as understood by those skilled in the art to which the invention pertains.
Fig. 1 is a flowchart of a networking detection method according to a first embodiment of the present application. As shown in fig. 1, the networking detection method of the present embodiment may include the following steps:
s101: and receiving a first JS request sent by the current user side to the target server.
The method of the embodiment can be applied to information systems in enterprises or department units, and is used for monitoring the behavior of illegally connecting an internal network with an external network in the information systems, so that the threats to the safety of the internal network, and the occurrence of security events such as hacker intrusion, data loss and the like are avoided. Specifically, the method of this embodiment may deploy a probe on the core device side of the enterprise network, where the probe is used to mirror the core device traffic, that is, by setting a port mirror on a core layer or convergence layer switch of the network, the outbound traffic of an uplink port on the switch is copied to an Openet BSMP front-end processor, and then the requests of all users for accessing the network can be acquired. At present, most of middle-high-end switches support a port mirroring function and are used for flow detection and analysis. The method comprises the steps that a cloud detection platform is deployed in the Internet, and the cloud detection platform is used for receiving an illegal external connection request of enterprise network core equipment, detecting the connectivity of the enterprise network and the Internet, and recording relevant information. When the method of the embodiment of the application is used for performing networking detection on the enterprise network core devices (i.e. the user side), for one of the network core devices in the enterprise (i.e. the current user side), the probe deployed on the current user side receives a first JS request sent by the current user side to the target server. The JS request here refers to a JavaScript request, which is a script language that can be executed on a browser, and can enhance functions of HTML (hypertext markup language), such as initiating a web request, changing a page display structure, and the like. 
The sending of the first JS request to the target server by the current user side may be a click operation for browsing a shopping website through the current user side and introducing a commodity, or a click operation for accessing a video website through the current user side and introducing a video stream, such as opening a video, pausing, fast forwarding, fast rewinding or closing the video, and the like. That is, when a user side in an information system in an enterprise or a department unit accesses an external network, a probe deployed on the current user side receives a first JS request sent by the current user side to a target server.
S102: and judging whether the accumulated request times of the JS requests sent to the target server by the current user side reaches a preset threshold value.
In this embodiment, after the probe receives the first JS request sent by the current client to the target server, it is determined whether the accumulated request times of the JS requests sent by the current client to the target server reaches a preset threshold. Specifically, after receiving a JS request sent by the current user side to the target server, the probe accumulates the request times of the sent JS request, and may preset a preset threshold to determine whether the number of times that the current user side sends the JS request to the target server reaches the preset threshold. The current user end to the number of times of the JS request that the target server sent can be right through the target server the reply of the JS request that the current user end sent is confirmed, namely the probe can confirm the current user end to the accumulative request number of times of the JS request that the target server sent through checking the reply content that the JS request that the current user end sent corresponds to the target server.
S103: and if the accumulated request times reach a preset threshold value, splicing the reply content of all JS requests and the JS detection messages by the target server to generate new reply content, wherein when the JS detection messages are executed, the executed user side sends a detection request to the cloud detection platform.
In this embodiment, when the cumulative request number of JS requests sent by the current client to the target server reaches a preset threshold, the probe splices the reply content and the JS detection messages of all the JS requests that are received cumulatively by the target server, and generates new reply content. After the new reply content is generated, caching the generated new reply content, waiting for a new JS request sent by the current user side to the target server, and after receiving the new JS request sent by the current user side to the target server, sending the generated new reply content to the previous user side. In this embodiment, the JS detection message may be generated by the probe, or may be a detection message pre-stored in the probe, and when the JS detection message is executed, the executed user side sends a detection request to the cloud detection platform.
S104: and when the second JS request sent to the target server by the current user side is received again, the new reply content is sent to the current user side.
In this embodiment, after the probe receives the reply content of the second JS request sent by the target server to the current user side, the cached new reply content is sent to the current user side.
S105: and the current user side executes the new reply content and sends a detection request to the cloud detection platform so as to enable the cloud detection platform to record the external connection information of the current user side.
After receiving the new reply content sent by the probe, the current user side executes the received new reply content, in the process of executing the new reply content, on one hand, the reply content of the JS request sent by the target server is obtained, on the other hand, the detection message in the new reply content is executed, the detection request is sent to the cloud detection platform, and after the cloud detection platform receives the detection request sent by the current user side, the cloud detection platform records the event that the current user side accesses the target server.
According to the networking detection method, the JS detection messages are spliced into the original reply content to be injected into the detection messages, zero invasion to the intranet service system is achieved, the intranet service system does not need to be added, and any code and configuration are changed. In the scheme, any request is not redirected, the loading sequence of the original request is not changed, the function use of an internal network service system is not influenced, and the illegal external connection behavior is detected under the condition that a user does not perceive the behavior. According to the scheme, the JS detection message and the original reply content are combined together, the stability of the external connection detection function is enhanced, and the detection function is prevented from being invalid under the conditions of browser caching and the like.
Fig. 2 is a flowchart of a networking detection method according to a second embodiment of the present application. As can be seen from fig. 2, the networking detection method of the present embodiment may include the following steps:
s201: and receiving a first JS request sent by the current user side to the target server.
S202: and judging whether the accumulated request times of the JS requests sent to the target server by the current user side reaches a preset threshold value. When the cumulative request number of JS requests sent by the current client to the target server reaches a preset threshold, the process proceeds to step S204, and when the cumulative request number of JS requests sent by the current client to the target server does not reach the preset threshold, the process proceeds to step S203. The preset threshold in this embodiment may be set according to actual needs, or may be determined according to an empirical value, which is not described in detail here.
S203: and continuously receiving and accumulating the number of times of JS requests sent to the target server by the current user side. In this embodiment, each time the probe receives a JS request sent by the current user side to the target server, the number of times of the received JS request is accumulated on the original basis, the accumulated data is updated, and whether the updated accumulated data reaches a preset threshold value is determined. And if the updated accumulated data does not reach the preset threshold value, continuously receiving and accumulating the number of times of JS requests sent to the target server by the current user side. In this embodiment, the number of JS requests sent by the current client to the target server may be received and accumulated within a preset time period, and when the accumulated data does not reach a preset threshold within the preset time period, the accumulated data may be cleared.
S204: and if the accumulated request times reach a preset threshold value, splicing the reply content of all JS requests and the JS detection messages by the target server to generate new reply content, wherein when the JS detection messages are executed, the executed user side sends a detection request to the cloud detection platform.
S205: and caching key information of the reply content of the first JS request by the target server, wherein the key information comprises the packet length and the checksum of the reply content.
In this embodiment, when the cumulative request number of JS requests sent by the current client to the target server reaches a preset threshold, the probe splices the reply content and the JS detection messages of all the JS requests that are received cumulatively by the target server, and generates new reply content. After the new reply content is generated, caching the generated new reply content, waiting for a new JS request sent by the current user side to the target server, and after receiving the new JS request sent by the current user side to the target server, sending the generated new reply content to the previous user side. In this embodiment, the JS detection message may be generated by the probe, or may be a detection message pre-stored in the probe, and when the JS detection message is executed, the executed user side sends a detection request to the cloud detection platform.
S206: and when the second JS request sent to the target server by the current user side is received again, the new reply content is sent to the current user side.
S207: and the current user side executes the new reply content and sends a detection request to the cloud detection platform so as to enable the cloud detection platform to record the external connection information of the current user side.
After receiving the new reply content sent by the probe, the current user side executes the received new reply content, in the process of executing the new reply content, on one hand, the reply content of the JS request sent by the target server is obtained, on the other hand, the detection message in the new reply content is executed, the detection request is sent to the cloud detection platform, and after the cloud detection platform receives the detection request sent by the current user side, the cloud detection platform records the event that the current user side accesses the target server.
S208: and the cloud detection platform records the intranet IP where the current user side is located and the extranet outlet IP of the target server.
After the current user side is in communication connection with the cloud detection platform, the cloud detection platform records the intranet IP where the current user side is located and the extranet outlet IP of the target server accessed by the current user side.
S209: and sending a reset message to the target server to enable the target server to reset the communication connection between the current user side and the target server.
In this embodiment, after the cloud detection platform completes detection of the current user side, the probe sends a reset message to the target server, so that the target server resets communication connection between the current user side and the target server, thereby completing one-time networking detection for the current user side.
According to the networking detection method, the JS detection messages are spliced into the original reply content to be injected into the detection messages, zero invasion to the intranet service system is achieved, the intranet service system does not need to be added, and any code and configuration are changed. In the scheme, any request is not redirected, the loading sequence of the original request is not changed, the function use of an internal network service system is not influenced, and the illegal external connection behavior is detected under the condition that a user does not perceive the behavior. According to the scheme, the JS detection message and the original reply content are combined together, the stability of the external connection detection function is enhanced, and the detection function is prevented from being invalid under the conditions of browser caching and the like.
In addition, as an optional embodiment of the present application, on the basis of the foregoing embodiment, when the cumulative number of requests of the JS requests sent by the current client to the target server reaches a preset threshold, the method further includes:
and judging whether the reply content cached currently changes, if the accumulated request times reaches a preset threshold value and the reply content cached currently does not change, splicing the reply content of all JS requests and the JS detection messages by the target server to generate new reply content.
In addition, as an optional embodiment of the present application, the step "the current user side executes the new reply content and sends a detection request to the cloud detection platform" in the foregoing embodiment may specifically include:
and the current user side executes the new reply content, newly establishes a timer and executes the timer, and sends a detection request to the cloud detection platform, and when the detection request is executed, the cloud detection platform records the intranet IP where the current user side is located and the extranet outlet IP of the target server. And when the current user side executes the timer, if the communication connection with the cloud detection platform is not established, the detection request is sent to the cloud detection platform again after a preset time period. And destroying the timer after the current user side receives the reply information of the cloud detection platform.
The networking detection method of the embodiment injects the detection message by splicing the JS detection message into the original reply content, so that zero invasion to the intranet service system is achieved, the intranet service system does not need to be added, and any code and configuration are changed. In the scheme, any request is not redirected, the loading sequence of the original request is not changed, the function use of an internal network service system is not influenced, and the illegal external connection behavior is detected under the condition that a user does not perceive the behavior. According to the scheme, the JS detection message and the original reply content are combined together, the stability of the external connection detection function is enhanced, and the detection function is prevented from being invalid under the conditions of browser caching and the like.
Fig. 3 is a block flow diagram of a networking detection method according to a third embodiment of the present application. As a specific embodiment of the present application, when detecting a communication connection between a client and an external network server in an internal network by using the networking detection method of the present embodiment, a probe first determines whether the client uses a browser cache, if the client does not use the browser cache, after detecting a JS request sent from the client to the external network server, the probe determines whether a cache corresponding to a current JS request exists in the probe, that is, a cache of the JS request sent from the client to the external network server before the current JS request exists, if such a cache exists, a reply content of the JS request initiated by the client by the external network server and a detection message are spliced into a new reply content and sent to the client (i.e., client), and after the new reply content is received by the client, the browser of the client executes the new reply content, the method comprises the steps that reply content aiming at a JS request is displayed, a detection message is executed, the detection request is sent to a cloud detection platform, so that the cloud detection platform records the external connection information of a user side, meanwhile, a timer is established at the user side, if the user side is successfully connected with the cloud detection platform by sending the detection request to the cloud detection platform, the cloud detection platform records the external connection information of the user side and replies the information of successful connection to the user side, and the user side clears the established timing after receiving the reply information of the cloud detection platform. 
If the user side fails to connect to the cloud detection platform after the timer is created, the timer causes the user side to repeatedly re-send the connection request to the cloud detection platform until the connection succeeds.
If no cache corresponding to the current JS request exists in the probe, the number of times the user side has sent the JS request to the extranet server is accumulated; the principle by which the probe obtains and accumulates this count has already been described in the above embodiment and is not repeated here. After accumulating the count of the user side's JS requests to the extranet server, the probe monitors the reply flow of the current JS request, obtains the key information of the reply content, and judges whether the accumulated request count and the key information meet the standard: whether the accumulated request count has reached the preset threshold, and whether the key information of the reply content has changed. The key information of the reply content comprises the packet length and the checksum, so the judgement is whether the packet length and checksum of the reply content have changed over a period of time. If the accumulated request count has reached the preset threshold and the key information of the reply content has not changed, the cached reply content and the JS detection message are spliced into new reply content, the new reply content is cached in the probe, and the method returns to the step of judging whether the user side uses the browser cache.
If the user side uses the browser cache, then after receiving the reply content of the server, the user side sends a detection request to the cloud detection platform so that the platform records the external connection information of the user side; at the same time the user side creates a timer. If the user side connects successfully to the cloud detection platform by sending the detection request, the cloud detection platform records the external connection information of the user side and replies to the user side that the connection succeeded; on receiving that reply, the user side clears the timer it created. If the user side fails to connect to the cloud detection platform after the timer is created, the timer causes the user side to repeatedly re-send the connection request to the cloud detection platform until the connection succeeds.
Fig. 4 is a timing chart of a networking detection method according to a fourth embodiment of the present application. When the networking detection method of this embodiment is executed, the client (i.e., the user side) sends a JS request to the extranet server. The probe detects the reply content of the first JS request returned by the extranet server to the client and continues to detect the reply content of subsequent JS requests, accumulating the number of JS requests the client has sent, until the number of JS requests sent by the client (i.e., the user side) to the extranet server reaches the preset threshold N. When the reply content returned by the extranet server for the client's JS request is stable and unchanged (i.e., its packet length and checksum have not changed), the reply content and the JS detection message are spliced to generate new reply content, which is cached. After the reply content for the (N+1)-th JS request returned by the extranet server to the client is received, the probe sends the new reply content to the user side and resets the current connection with the extranet server. After receiving the new reply content, the user side executes the detection message contained in it and sends a detection request to the cloud detection platform, so that the cloud detection platform records the external connection information of the current user side.
After the user side receives the new reply content sent by the probe, it executes it. In the course of executing the new reply content, on the one hand the user side obtains the reply content the extranet server returned for its JS request, and on the other hand it executes the detection message contained in the new reply content, which sends a detection request to the cloud detection platform; at the same time the user side creates a timer. If the user side connects successfully to the cloud detection platform by sending the detection request, the cloud detection platform records the external connection information of the user side and replies to the user side that the connection succeeded; on receiving that reply, the user side clears the timer it created. If the user side fails to connect to the cloud detection platform after the timer is created, the timer causes the user side to repeatedly re-send the connection request until the connection succeeds. After the cloud detection platform receives the detection request sent by the user side, it records the event that the user side accessed the extranet server and notifies the user side that the connection succeeded; after receiving this notice, the user side destroys the timer and stops the timed connection attempts to the cloud detection platform.
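The timer-and-retry behaviour of the detection message described here (and in claims 5 to 7 below) is modelled in the following JavaScript. This is an added example, not the patent's or the applicant's code. The platform URL, the `fetch()`-based sender, the injected timer functions, the retry period and the optional attempt cap are assumptions; the patent only specifies that a timer is created, that the detection request is re-sent after a preset period while no connection has been established, and that the timer is destroyed once the platform replies.

```javascript
// Added example (not from the patent): what the spliced-in JS detection message does once
// the browser executes the new reply content. Timer and sender are injected so the same
// logic runs in a browser (window.setTimeout/clearTimeout plus a fetch()-based sender)
// and in the deterministic simulation below.

const PLATFORM_URL = 'https://cloud-detection.example/probe'; // placeholder, not from the patent

function createDetectionBeacon({ sendProbe, setTimer, clearTimer, retryMs, maxAttempts = 0 }) {
  const state = { attempts: 0, timerId: null, acknowledged: false, timerDestroyed: false };

  // Destroy the timer and stop the timed connection attempts (claim 7).
  function stop() {
    if (state.timerId !== null) {
      clearTimer(state.timerId);
      state.timerId = null;
    }
    state.timerDestroyed = true;
  }

  // Reply from the cloud detection platform, or failure to reach it.
  function onReply(ok) {
    if (ok) {
      state.acknowledged = true; // the platform has recorded the external connection event
      stop();
      return;
    }
    // Optional cap (assumption, not in the patent): bounds the retry loop if the platform
    // stays unreachable, instead of generating outbound attempts indefinitely.
    if (maxAttempts > 0 && state.attempts >= maxAttempts) {
      stop();
      return;
    }
    // No connection established: re-send after the preset period (claim 6).
    state.timerId = setTimer(attempt, retryMs);
  }

  function attempt() {
    state.timerId = null;
    state.attempts += 1;
    sendProbe(onReply);
  }

  attempt(); // the first detection request goes out immediately
  return state;
}

// Browser sender (assumed shape): resolves on any reachable response, fails on network error.
function makeFetchSender(fetchFn, url) {
  return (cb) => fetchFn(url, { mode: 'no-cors', cache: 'no-store' })
    .then(() => cb(true), () => cb(false));
}

// Deterministic scheduler for simulation: timers fire in creation order when run() is called.
function makeFakeScheduler() {
  const pending = new Map();
  let nextId = 1;
  return {
    setTimer(fn) { const id = nextId++; pending.set(id, fn); return id; },
    clearTimer(id) { pending.delete(id); },
    run(maxTicks) {
      let ticks = 0;
      while (pending.size > 0 && ticks < maxTicks) {
        const [id, fn] = pending.entries().next().value;
        pending.delete(id);
        fn();
        ticks += 1;
      }
      return ticks;
    },
    pendingCount() { return pending.size; },
  };
}

// Simulation with constructed input: the platform is unreachable for the first
// `failures` attempts and then acknowledges. Returns the beacon's final state.
function simulateBeacon(failures, retryMs, maxAttempts = 0) {
  const sched = makeFakeScheduler();
  let calls = 0;
  const sendProbe = (cb) => { calls += 1; cb(calls > failures); };
  const state = createDetectionBeacon({
    sendProbe, setTimer: sched.setTimer, clearTimer: sched.clearTimer, retryMs, maxAttempts,
  });
  sched.run(100);
  return {
    attempts: state.attempts,
    acknowledged: state.acknowledged,
    timerDestroyed: state.timerDestroyed,
    pendingTimers: sched.pendingCount(),
  };
}
```

In a browser the call would be `createDetectionBeacon({ sendProbe: makeFetchSender(window.fetch.bind(window), PLATFORM_URL), setTimer: window.setTimeout, clearTimer: window.clearTimeout, retryMs: 5000 })`. From a defender's side, the retry loop is also what makes this traffic recognisable: a host that repeatedly attempts the same outbound request at a fixed period after loading a script is exactly the pattern the cloud detection platform expects to log.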
The networking detection method of this embodiment injects the detection message by splicing the JS detection message into the original reply content, achieving zero intrusion into the intranet service system: no code or configuration has to be added to or changed in the intranet service system. The scheme redirects no request and does not alter the loading order of the original requests, so the use of the intranet service system's functions is unaffected, and illegal external connection behaviour is detected without the user perceiving it. Because the JS detection message is combined with the original reply content, the stability of the external connection detection is improved and the detection does not fail in situations such as browser caching.
Fig. 5 is a schematic structural diagram of a networked detection system according to a fifth embodiment of the present application. The networked detection system of the embodiment includes a probe 501 and a cloud detection platform 503, where the probe 501 is deployed at a user side 502 to mirror traffic of the user side 502, and the cloud detection platform 503 is deployed in the internet;
The probe 501 is used to receive a first JS request sent by the current user side 502 to a target server and to judge whether the accumulated number of JS requests sent by the current user side 502 to the target server has reached a preset threshold. If the accumulated request count has reached the preset threshold, the target server's reply content for all the JS requests is spliced with the JS detection message to generate new reply content; when the JS detection message is executed, the user side executing it sends a detection request to the cloud detection platform. When a second JS request sent by the current user side 502 to the target server is received again, the new reply content is sent to the current user side 502, which executes the new reply content and sends a detection request to the cloud detection platform 503.
Specifically, the method of this embodiment may be applied to an information system in an enterprise or departmental unit to monitor behaviour in which the intranet is illegally connected to an external network, thereby avoiding threats to intranet security and security events such as hacker intrusion and data loss. The method of this embodiment may deploy a probe on the core device side of the enterprise network, where the probe mirrors the core device traffic: a port mirror is configured on a core-layer or aggregation-layer switch of the network so that the outbound traffic of the switch's uplink port is copied to an Openet BSMP front-end processor, from which all users' requests to access the network can be obtained. At present most mid- to high-end switches support port mirroring for traffic detection and analysis. A cloud detection platform is deployed in the Internet; it receives the illegal external connection requests of enterprise network core devices, detects connectivity between the enterprise network and the Internet, and records the relevant information. When the method of this embodiment is used to perform networking detection on the enterprise network core devices (i.e., the user sides), then for one of the network core devices in the enterprise (i.e., the current user side), the probe deployed at the current user side receives a first JS request sent by the current user side to the target server. A JS request here means a JavaScript request; JavaScript is a scripting language that executes in the browser and extends HTML (HyperText Markup Language) with functions such as initiating web requests and changing the display structure of a page.
The first JS request sent by the current user side to the target server may result from a click operation such as browsing a shopping website and opening a product page, or accessing a video website and operating on a video stream, for example opening, pausing, fast-forwarding, rewinding or closing a video. That is, when a user side within the information system of an enterprise or departmental unit accesses an external network, the probe deployed at the current user side receives the first JS request sent by the current user side to the target server.
After the probe receives the first JS request sent by the current user side to the target server, it judges whether the accumulated number of JS requests sent by the current user side to the target server has reached a preset threshold. Specifically, after receiving a JS request sent by the current user side to the target server, the probe increments the count of JS requests sent, and a preset threshold may be configured in advance to determine whether that count has reached it. The number of JS requests the current user side has sent to the target server can be confirmed through the target server's replies to those JS requests: the probe confirms the accumulated request count by inspecting the reply content that the target server returns for each JS request sent by the current user side.
When the accumulated number of JS requests sent by the current user side to the target server reaches the preset threshold, the probe splices the target server's reply content for all the JS requests it has received so far with the JS detection message to generate new reply content. After the new reply content is generated, it is cached while the probe waits for a new JS request from the current user side to the target server; after receiving that new JS request, the probe sends the generated new reply content to the current user side. In this embodiment, the JS detection message may be generated by the probe or may be a detection message pre-stored in the probe; when the JS detection message is executed, the user side executing it sends a detection request to the cloud detection platform.
After the probe receives the target server's reply content for the second JS request of the current user side, it sends the cached new reply content to the current user side.
After receiving the new reply content sent by the probe, the current user side executes it. In the course of executing the new reply content, on the one hand the user side obtains the target server's reply content for its JS request, and on the other hand it executes the detection message contained in the new reply content and sends a detection request to the cloud detection platform. After the cloud detection platform receives the detection request sent by the current user side, it records the event that the current user side accessed the target server.
Furthermore, in this embodiment the probe is also configured to cache the key information of the target server's reply content for the first JS request, where the key information comprises the packet length and the checksum of the reply content, and to judge whether the currently cached reply content has changed; if the accumulated request count has reached the preset threshold and the currently cached reply content has not changed, the target server's reply content for all the JS requests is spliced with the JS detection message to generate new reply content.
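The probe-side procedure described in the Fig. 3 flow, the Fig. 4 timing chart and the probe 501 description above (accumulate the JS request count per client/target flow, record the key information of the first reply, splice and cache the new reply content once the threshold is reached with unchanged key information, and deliver it on the following request together with a reset of the server connection) can be written as the following JavaScript state machine. This is an added example, not the patent's or the applicant's code. Assumptions: a flow is keyed by client, target and request path; Adler-32 stands in for the unspecified checksum; a reply whose key information changes re-baselines the count and discards any cached spliced reply, which the patent does not specify but which keeps stale content from being injected; the sample client, target, path, body and script are constructed placeholders.

```javascript
// Added example (not from the patent): probe-side state machine for one mirrored flow.
// Assumptions: flows are keyed by (client, target, path); Adler-32 stands in for the
// unspecified checksum; a changed reply re-baselines the count and drops any cached
// spliced reply so stale content is never injected.

// Adler-32 over the reply body (assumed checksum; the patent only says "checksum").
function adler32(str) {
  let a = 1;
  let b = 0;
  for (let i = 0; i < str.length; i++) {
    a = (a + str.charCodeAt(i)) % 65521;
    b = (b + a) % 65521;
  }
  return ((b << 16) | a) >>> 0;
}

// Key information of a reply: packet length and checksum, as the patent describes.
function keyInfo(body) {
  return { length: body.length, checksum: adler32(body) };
}

function sameKey(x, y) {
  return x !== null && y !== null && x.length === y.length && x.checksum === y.checksum;
}

class Probe {
  constructor({ threshold, detectionScript }) {
    this.threshold = threshold;             // preset threshold N
    this.detectionScript = detectionScript; // the JS detection message to splice in
    this.flows = new Map();                 // per (client, target, path) state
  }

  flow(client, target, path) {
    const key = `${client}|${target}|${path}`;
    if (!this.flows.has(key)) {
      this.flows.set(key, { count: 0, baseline: null, spliced: null });
    }
    return this.flows.get(key);
  }

  // Mirrored JS request from client to target: accumulate the request count.
  onJsRequest(client, target, path) {
    const f = this.flow(client, target, path);
    f.count += 1;
    return { action: 'pass', count: f.count };
  }

  // Mirrored reply from the target for that request: pass, cache a spliced reply,
  // or (once a spliced reply is cached) deliver it and reset the server connection.
  onJsReply(client, target, path, body) {
    const f = this.flow(client, target, path);
    const info = keyInfo(body);

    if (f.baseline === null) {
      f.baseline = info; // first reply: record its key information
    } else if (!sameKey(f.baseline, info)) {
      // Packet length or checksum changed: start over from this reply (assumption).
      f.baseline = info;
      f.count = 1;
      f.spliced = null;
      return { action: 'pass', count: f.count, rebaselined: true };
    }

    if (f.spliced !== null) {
      // (N+1)-th request with an unchanged reply: send the cached new reply content
      // to the user side and reset the connection to the target server (Fig. 4).
      return { action: 'inject', body: f.spliced, resetServer: true, count: f.count };
    }

    if (f.count >= this.threshold) {
      // Threshold reached and key information unchanged: splice and cache.
      // The original reply comes first so its loading order is preserved.
      f.spliced = body + '\n' + this.detectionScript;
      return { action: 'cached', count: f.count };
    }
    return { action: 'pass', count: f.count };
  }
}

// Runs n request/reply rounds of one flow with a fixed reply body (constructed input)
// and returns the probe's decision for each round.
function simulateFlow(probe, n, body, client = '10.0.0.5',
                      target = '203.0.113.10', path = '/static/app.js') {
  const actions = [];
  for (let i = 0; i < n; i++) {
    probe.onJsRequest(client, target, path);
    actions.push(probe.onJsReply(client, target, path, body).action);
  }
  return actions;
}
```

With a threshold of 3 the flow yields `pass, pass, cached, inject, inject, ...`: the spliced reply is built on the third stable reply and delivered from the fourth request on. The key-information check doubles as a safety filter: a script whose body changes on every request (dynamic or personalised content) never reaches a stable baseline and is never spliced, and the re-baseline branch makes sure a cached copy built from an older version of the script is dropped as soon as the server changes it. Because the probe only sees a mirror of the traffic, delivering the spliced reply is a race against the real reply, which is why the patent resets the connection to the target server at that point.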
The networking detection system of the embodiment can obtain the similar technical effects to those of the networking detection method, and such details are not repeated.
Fig. 6 is a network diagram of a networking detection system according to a sixth embodiment of the present application. The networking detection system of this embodiment comprises a client (i.e., the user side above), a probe, a Web server, a core routing switch, and a cloud detection platform. There may be several clients; only one is shown in the figure to simplify the description of the principle of this embodiment's networking detection system, and there may likewise be several core routing switches, whose number is not discussed here. The probe is arranged on the core routing switch side; the client accesses the Web server through the core routing switch and establishes its connection with the cloud detection platform through the core routing switch. After the client initiates an access request to the Web server, the probe can detect the current JS request initiated by the client. At this point the probe judges whether a cache corresponding to the current JS request exists, that is, a cache built from the JS requests the client sent to the Web server before the current one; if it exists, the Web server's reply content for the client's JS request and the detection message are spliced into new reply content, which is sent to the client. After receiving the detection request sent by the client, the cloud detection platform records the event that the current client accessed the Web server, completing the record of the client's access to the extranet Web server.
The networking detection system of the present embodiment can obtain similar technical effects to those of the networking detection method described above, and such details are not repeated.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims (8)

1. A method for detecting a network connection, comprising:
receiving a first JS request sent by a current user side to a target server;
judging whether the accumulated number of JS requests sent by the current user side to the target server has reached a preset threshold;
if the accumulated request count has reached the preset threshold and the currently cached reply content has not changed, splicing the target server's reply content for all the JS requests with a JS detection message to generate new reply content, wherein, when the JS detection message is executed, the user side executing it sends a detection request to a cloud detection platform;
when a second JS request sent by the current user side to the target server is received again, sending the new reply content to the current user side; and
the current user side executing the new reply content and sending a detection request to the cloud detection platform, so that the cloud detection platform records the external connection information of the current user side.
2. The networked detection method of claim 1, further comprising:
and if the accumulated request count has not reached the preset threshold, continuing to receive JS requests sent by the current user side to the target server and to accumulate their number.
3. The networked detection method of claim 1, further comprising:
and caching key information of the target server's reply content for the first JS request, wherein the key information comprises the packet length and the checksum of the reply content.
4. The networking detection method according to claim 1, wherein, after sending the new reply content to the current user side when the second JS request sent by the current user side to the target server is received again, the method further comprises:
sending a reset message to the target server so that the target server resets the communication connection between the current user side and the target server.
5. The networking detection method of claim 4, wherein the current user side executing the new reply content and sending a detection request to the cloud detection platform comprises:
the current user side executing the new reply content, creating a new timer and running it, and sending a detection request to the cloud detection platform, wherein, when the detection request is executed, the cloud detection platform records the intranet IP at which the current user side is located and the extranet egress IP of the target server.
6. The networked detection method of claim 5, further comprising:
and, while the current user side is running the timer, if no communication connection with the cloud detection platform has been established, sending the detection request to the cloud detection platform again after a preset time period.
7. The networked detection method of claim 6, further comprising:
and destroying the timer after the current user side receives the reply information of the cloud detection platform.
8. A networking detection system, comprising a probe and a cloud detection platform, wherein the probe is deployed at a user side and mirrors the traffic of the user side, and the cloud detection platform is deployed in the Internet;
the probe is configured to receive a first JS request sent by a current user side to a target server; to judge whether the accumulated number of JS requests sent by the current user side to the target server has reached a preset threshold; if the accumulated request count has reached the preset threshold and the currently cached reply content has not changed, to splice the target server's reply content for all the JS requests with a JS detection message to generate new reply content, wherein, when the JS detection message is executed, the user side executing it sends a detection request to the cloud detection platform; and, when a second JS request sent by the current user side to the target server is received again, to send the new reply content to the current user side, which executes the new reply content and sends a detection request to the cloud detection platform; and
the cloud detection platform is configured to record the external connection information of the current user side.
CN201910849414.4A 2019-09-09 2019-09-09 Networking detection method and system Active CN110417821B (en)

Publications (2)

Publication Number Publication Date
CN110417821A CN110417821A (en) 2019-11-05
CN110417821B true CN110417821B (en) 2021-11-02
