CN110661799A - ARP (Address resolution protocol) deception behavior detection method and system - Google Patents


Info

Publication number
CN110661799A
Authority
CN
China
Prior art keywords
arp
detected
standard
character string
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910903498.5A
Other languages
Chinese (zh)
Other versions
CN110661799B (en)
Inventor
翟建军
孙国福
陈青民
崔志超
张宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing An Xin Tian Xing Technology Co Ltd
Original Assignee
Beijing An Xin Tian Xing Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing An Xin Tian Xing Technology Co Ltd
Priority to CN201910903498.5A
Publication of CN110661799A
Application granted
Publication of CN110661799B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a system for detecting ARP deception behavior. The invention provides a method and a system for detecting ARP deception behavior, which can obtain the IP address and the MAC address of a sender by analyzing an ARP data packet to be detected; and then, carrying out field combination on the IP address and the MAC address of the sender to obtain the character string to be detected. On the basis, whether a standard character string matched with the character string to be detected exists in the white list database is further judged, if yes, the fact that ARP spoofing does not exist in the host corresponding to the ARP data packet to be detected is determined; otherwise, determining that the host corresponding to the ARP data packet to be detected has ARP spoofing behavior. Therefore, the detection method and the detection system provided by the invention can quickly and efficiently detect the ARP deception behavior without manual intervention. Moreover, the detection mode provided by the invention belongs to real-time detection, so that ARP deception behavior can be effectively identified in time.

Description

ARP (Address resolution protocol) deception behavior detection method and system
Technical Field
The invention relates to the technical field of Ethernet security, in particular to a method and a system for detecting ARP deception behavior.
Background
In the Ethernet environment of an enterprise, that is, in what is commonly called a local area network, there are many behaviors that threaten network security, such as ARP (Address Resolution Protocol) attacks, DHCP attacks, DDoS attacks and penetration attacks. Among these security threats, ARP spoofing is the most fundamental and important, since all communication activities begin with ARP. In the prior art, ARP spoofing behaviors are mostly collected, compared and identified manually. Current enterprise Ethernet networks are generally large in scale, the number of terminals is large, and the spread of 802.11 wireless has greatly extended the reach of the traditional network; manually identifying ARP spoofing behavior therefore involves a heavy workload and low efficiency.
Currently, there are also some methods for automatically detecting ARP spoofing behavior through the Simple Network Management Protocol (SNMP). However, because SNMP reads the ARP entries of a device by polling, an entry can only store the most recent update, and polling is performed at intervals; when an attack occurs between two polls, the method cannot discover or identify it at all, so ARP spoofing cannot be discovered comprehensively, in time and effectively.
Disclosure of Invention
The invention aims to provide a method and a system for detecting ARP deception, which can detect the ARP deception in time, quickly and efficiently.
In order to achieve the purpose, the invention provides the following scheme:
a method of detecting ARP spoofing, the method comprising:
acquiring a white list database and an ARP (address resolution protocol) data packet to be detected, wherein the white list database comprises a plurality of standard character strings, and each standard character string represents the mapping relation between a group of standard IP addresses and corresponding standard MAC addresses;
analyzing the ARP data packet to be tested to obtain the IP address and the MAC address of the sender;
combining fields of the IP address and the MAC address of the sender to obtain a character string to be detected;
judging whether a standard character string matched with the character string to be detected exists in the white list database or not;
if so, determining that the host corresponding to the ARP data packet to be detected does not have ARP spoofing behavior;
and if not, determining that the host corresponding to the ARP data packet to be tested has ARP spoofing behavior.
Optionally, each standard character string in the white list database is obtained by performing hash encryption processing on the standard IP address and the corresponding standard MAC address.
Optionally, before the determining whether the white list database has the standard character string matched with the character string to be detected, the method further includes:
and carrying out the Hash encryption processing on the character string to be detected to obtain the encrypted character string to be detected.
Optionally, the standard character string includes an update timestamp field, and the update timestamp field represents an update time of a mapping relationship between the standard IP address and the standard MAC address.
Optionally, after determining that the host corresponding to the ARP packet to be detected has ARP spoofing, the method further includes:
and storing the character string to be detected into an early warning database.
A detection system for ARP spoofing, the detection system comprising:
the data acquisition module is used for acquiring a white list database and an ARP (address resolution protocol) data packet to be detected, wherein the white list database comprises a plurality of standard character strings, and each standard character string represents the mapping relation between a group of standard IP addresses and corresponding standard MAC addresses;
the analysis module is used for analyzing the ARP data packet to be tested to obtain the IP address and the MAC address of the sender;
the field merging module is used for carrying out field merging on the IP address and the MAC address of the sender to obtain a character string to be detected;
the judging module is used for judging whether a standard character string matched with the character string to be detected exists in the white list database or not to obtain a judging result;
the processing module is used for determining that the host corresponding to the ARP data packet to be detected does not have ARP spoofing behavior when the judgment result is yes;
and for determining that the host corresponding to the ARP data packet to be detected has ARP spoofing behavior when the judgment result is no.
Optionally, each standard character string in the white list database is obtained by performing hash encryption processing on the standard IP address and the corresponding standard MAC address.
Optionally, the detection system further includes a hash encryption module, where the hash encryption module is configured to perform hash encryption processing on the to-be-detected character string to obtain an encrypted to-be-detected character string.
Optionally, the standard character string includes an update timestamp field, and the update timestamp field represents an update time of a mapping relationship between the standard IP address and the standard MAC address.
Optionally, the detection system further includes:
and the storage module is used for storing the character string to be detected into an early warning database after the ARP spoofing action of the host corresponding to the ARP data packet to be detected is determined.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
the invention provides a method and a system for detecting ARP deception, which are characterized in that an IP address and an MAC address of a sender are obtained by analyzing an ARP data packet to be detected; and then, carrying out field combination on the IP address and the MAC address of the sender to obtain the character string to be detected. On the basis, whether a standard character string matched with the character string to be detected exists in the white list database is further judged, if yes, the fact that ARP spoofing does not exist in the host corresponding to the ARP data packet to be detected is determined; otherwise, determining that the host corresponding to the ARP data packet to be detected has ARP spoofing behavior. Therefore, the detection method and the detection system provided by the invention can quickly and efficiently detect the ARP deception behavior without manual intervention. Moreover, the detection mode provided by the invention belongs to real-time detection, so that ARP deception behavior can be effectively identified in time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without inventive exercise.
Fig. 1 is a flowchart of a method for detecting ARP spoofing according to an embodiment of the present invention;
fig. 2 is a block diagram of a system for detecting ARP spoofing according to an embodiment of the present invention;
FIG. 3 is a white list data format provided by an embodiment of the present invention;
FIG. 4 is a white list table structure according to an embodiment of the present invention;
fig. 5 is a structure of an ARP table according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide a method and a system for detecting ARP deception, which can detect the ARP deception in time, quickly and efficiently.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Fig. 1 is a method for detecting ARP spoofing according to an embodiment of the present invention. As shown in fig. 1, the detection method includes:
step 101: the method comprises the steps of obtaining a white list database and an ARP data packet to be detected, wherein the white list database comprises a plurality of standard character strings, and each standard character string represents the mapping relation between a group of standard IP addresses and corresponding standard MAC (media Access control) addresses.
Step 102: and analyzing the ARP data packet to be tested to obtain the IP address and the MAC address of the sender.
Step 103: and combining fields of the IP address and the MAC address of the sender to obtain the character string to be detected.
Step 104: and judging whether the white list database has a standard character string matched with the character string to be detected.
If yes, go to step 105; if not, go to step 106.
Step 105: and determining that the host corresponding to the ARP data packet to be detected does not have ARP spoofing behavior.
Step 106: and determining that the host corresponding to the ARP data packet to be tested has ARP deception behavior.
In order to improve security, in this embodiment each standard character string in the white list database is obtained by performing hash encryption processing on the standard IP address and the corresponding standard MAC address. Accordingly, before step 104 (judging whether the white list database has a standard character string matching the character string to be detected) is executed, the method further comprises the following step:
and carrying out the Hash encryption processing on the character string to be detected to obtain the encrypted character string to be detected.
Further, the standard character string in this embodiment includes an update time stamp field, where the update time stamp field represents an update time of the mapping relationship between the standard IP address and the standard MAC address.
Furthermore, after step 106 (determining that the host corresponding to the ARP packet to be detected has ARP spoofing behavior), this embodiment further includes:
and storing the character string to be detected into an early warning database.
Fig. 2 is a block diagram of a system for detecting ARP spoofing according to an embodiment of the present invention. As shown in fig. 2, the detection system includes:
the data obtaining module 201 is configured to obtain a white list database and an ARP data packet to be detected, where the white list database includes a plurality of standard character strings, and each standard character string represents a mapping relationship between a group of standard IP addresses and corresponding standard MAC addresses.
And the analyzing module 202 is configured to analyze the ARP data packet to be detected to obtain an IP address and an MAC address of the sender.
And the field merging module 203 is configured to perform field merging on the IP address and the MAC address of the sender to obtain a character string to be tested.
The judging module 204 is configured to judge whether a standard character string matching the character string to be detected exists in the white list database, and obtain a judgment result.
A processing module 205, configured to determine that ARP spoofing behavior does not exist in the host corresponding to the ARP packet to be detected when the judgment result is yes;
and to determine that the host corresponding to the ARP packet to be detected has ARP spoofing behavior when the judgment result is no.
As a preferable mode, each standard character string in the white list database is obtained by performing hash encryption processing on the standard IP address and the corresponding standard MAC address. Therefore, the detection system further comprises a hash encryption module, wherein the hash encryption module is used for carrying out hash encryption processing on the character string to be detected to obtain the encrypted character string to be detected.
Further, the standard character string includes an update timestamp field, and the update timestamp field represents an update time of the mapping relationship between the standard IP address and the standard MAC address.
In this embodiment, the detection system further includes:
and the storage module is used for storing the character string to be detected into an early warning database after the ARP spoofing action of the host corresponding to the ARP data packet to be detected is determined.
The specific implementation flow of the ARP deception detection method provided by the invention is as follows:
(1) Creation/update of the white list database.
Creating the white list database consists of initializing the mapping relation between each valid IP address and its MAC (Media Access Control) address for every network segment, together with an update timestamp. In accordance with the enterprise's unified information security management specification, the IP address and MAC address are combined into an encrypted character string that can be used for detection and comparison and stored in the database; a hash algorithm is used for this encryption so as to protect the data. Updating the white list must likewise follow the unified specification, meet the various security management needs, and allow the list content to be refreshed in real time as required, so that every change to or new application for a terminal IP address resource passes through the corresponding resource allocation control mechanism and finally produces the IP/MAC white list data; the data format is shown in figure 3.
Considering that real-time screening of ARP packets and detection of abnormal ARP packets require frequent database reads and writes, that the database lookup logic should be kept simple, and that the database traffic is very high, the invention selects the non-relational database Elasticsearch to improve read and write performance. The white list table structure is shown in fig. 4: the index name of the table is ipAndMacDictionary; the field ipAndMacInfo holds the encrypted string formed by joining the host IP and MAC strings with "-", for example "%3Deggefggf"; and the field stampTime holds the timestamp of the white list update. The structure of the abnormal ARP table is shown in fig. 5: the index name of the table is arpList, the field IP is the end host IP, the field MAC is the end host MAC, and the field timeStamp is the timestamp at which the record was stored.
For information security, the white list is hash-encrypted before it is stored in the database. The steps for storing the white list in the database are as follows:
The invention uses an Elasticsearch database, whose data must be submitted in JSON format, so the white list data is processed in JavaScript (Node.js). The white list data is read through Node's fs module and arranged into a JSON array of the form tempArr = [{ ip: "192.168.222.1", mac: "ff:ff:ff:ff:ff:ff", stampTime: 1567130468 }, { ip: "192.168.222.2", mac: "ff:ff:ff:ff:ff:ff", stampTime: 1567130469 }, …].
By looping over the JSON array tempArr, the IP address and MAC address of each white list entry are combined into a single field ipAndMacInfo, joined by "-": for example IP 192.168.222.1 and MAC ff:ff:ff:ff:ff:ff are merged into "192.168.222.1-ff:ff:ff:ff:ff:ff". The combined field ipAndMacInfo then has to be hash-encrypted: the charCodeAt() method converts the string ipAndMacInfo into its corresponding Unicode code units, a number is added to each code unit, and a String.
body = [{ ipAndMacInfo: "%3Deggggefgg", stampTime: 1567130469 }, { ipAndMacInfo: "%3Degsfggefgg", stampTime: 1567130468 }, …]
For storage, the invention uses the RESTful JavaScript client that Elasticsearch provides for Node.js: client.create({ index: "ipAndMacDictionary", type: "ipAndMac", id: new Date(), body: body }), where index is the name of the database index and body is the data used to update the white list. Each store operation writes the full white list, the aim being to avoid comparing and merging with the existing data at storage time.
The database format required for creating/updating the white list is shown in fig. 4: the ipAndMacInfo field holds the hash-encrypted string formed from the host IP and MAC strings (for example "192.168.222.1-ff:ff:ff:ff:ff:ff" corresponds to "%3Deggggefgff"), and stampTime is the timestamp of the update. Finally, the application program completes the white list update.
(2) Collecting the ARP data packet to be tested.
To collect ARP packets, monitoring agents are deployed in every network segment of the enterprise and data is captured in bypass (port mirroring) mode so that the business systems are not affected. To improve capture performance, collection is based on libpcap or on a tool such as pf_ring/DPDK that wraps the libpcap interface, and a BPF filter is applied so that only ARP data is passed through, by calling the pcap_setfilter interface provided by libpcap. The specific implementation is as follows:
struct bpf_program fcode;
std::string strFilter = "arp";                                   /* BPF expression: keep only ARP frames */
pcap_compile(m_pHandel, &fcode, strFilter.c_str(), 1, m_nNetmask); /* optimize = 1 */
pcap_setfilter(m_pHandel, &fcode);
(3) ARP spoofing identification.
The ARP packet is parsed to obtain a combined character string in the format IP address + MAC address, which after hash encryption is compared and verified against the white list in the white list database. When the compared contents match, the corresponding host is determined not to have ARP spoofing behavior; otherwise the host is determined to have ARP spoofing behavior, the corresponding ARP packet is decrypted to obtain the host's IP address and MAC address, these are stored in the early warning database, and an early warning is raised for the corresponding host IP.
Because the packets are collected in bypass mirroring mode, VLAN information may be present in the packet. First, the layer-2 header is parsed to check the EtherType value: if the EtherType is 0x8100 the frame is VLAN-tagged, the packet pointer is advanced by 4 bytes, and only then is the ARP information parsed.
The type of the current ARP packet is judged from the opcode field of the ARP header. Opcode 1 is a request packet, and senderMac and senderIp are parsed at an offset of 8 bytes from the start of the ARP data. Opcode 2 is a reply packet, and targetMac and targetIp are parsed at an offset of 18 bytes from the start of the ARP data.
The parsed IP address and MAC address are converted into the format "xxx.xxx.xxx.xxx-aa:bb:cc:dd:ee:ff", assigned to a variable ipAndMacInfoTemp, and hash-encrypted with the same method used for the white list entries. The white list information is queried from the database, loaded into memory and stored as a binary tree so as to speed up comparison lookups. The ipAndMacInfo field in the white list is then compared with ipAndMacInfoTemp: if they differ, the MAC address bound to the IP of the terminal's packet has changed, the packet is regarded as abnormal, the IP and MAC are recovered through the reverse decryption method corresponding to the encryption method, and the terminal is identified as exhibiting ARP spoofing behavior.
Finally, the application program stores the IP, MAC and timeStamp variables corresponding to the abnormal ARP packet into the abnormal ARP table arpList of the database for use by upper-layer applications.
The method and system for detecting ARP spoofing behavior are suitable for any Ethernet environment, are independent of factors such as the complexity, layering depth and defence-in-depth of the enterprise's internal network, and can actively identify spoofing sources and raise effective alarms without manual intervention. Moreover, the invention can detect and identify ARP spoofing behavior in real time, thereby shortening the time needed to handle faults, improving network quality and utilization, and effectively improving the security of the Ethernet.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the above, the present disclosure should not be construed as limiting the invention.

Claims (10)

1. A method for detecting ARP spoofing, the method comprising:
acquiring a white list database and an ARP (address resolution protocol) data packet to be detected, wherein the white list database comprises a plurality of standard character strings, and each standard character string represents the mapping relation between a group of standard IP addresses and corresponding standard MAC addresses;
analyzing the ARP data packet to be tested to obtain the IP address and the MAC address of the sender;
combining fields of the IP address and the MAC address of the sender to obtain a character string to be detected;
judging whether a standard character string matched with the character string to be detected exists in the white list database or not;
if so, determining that the host corresponding to the ARP data packet to be detected does not have ARP spoofing behavior;
and if not, determining that the host corresponding to the ARP data packet to be tested has ARP spoofing behavior.
2. The detection method according to claim 1, wherein each standard string in the white list database is obtained by performing hash encryption processing on the standard IP address and the corresponding standard MAC address.
3. The detecting method according to claim 2, wherein before determining whether the white list database has the standard character string matching the character string to be detected, further comprising:
and carrying out the Hash encryption processing on the character string to be detected to obtain the encrypted character string to be detected.
4. The detection method according to claim 1, wherein the standard string contains an update time stamp field, and the update time stamp field represents an update time of the mapping relationship between the standard IP address and the standard MAC address.
5. The method according to claim 1, wherein after determining that there is ARP spoofing in the host corresponding to the ARP packet to be detected, the method further comprises:
and storing the character string to be detected into an early warning database.
6. A detection system for ARP spoofing, the detection system comprising:
the data acquisition module is used for acquiring a white list database and an ARP (address resolution protocol) data packet to be detected, wherein the white list database comprises a plurality of standard character strings, and each standard character string represents the mapping relation between a group of standard IP addresses and corresponding standard MAC addresses;
the analysis module is used for analyzing the ARP data packet to be tested to obtain the IP address and the MAC address of the sender;
the field merging module is used for carrying out field merging on the IP address and the MAC address of the sender to obtain a character string to be detected;
the judging module is used for judging whether a standard character string matched with the character string to be detected exists in the white list database or not to obtain a judging result;
the processing module is used for determining that the host corresponding to the ARP data packet to be detected does not have ARP spoofing behavior when the judgment result is yes;
and for determining that the host corresponding to the ARP data packet to be detected has ARP spoofing behavior when the judgment result is no.
7. The detection system according to claim 6, wherein each standard string in the white list database is obtained by performing hash encryption processing on the standard IP address and the corresponding standard MAC address.
8. The detection system according to claim 7, further comprising a hash encryption module, wherein the hash encryption module is configured to perform the hash encryption processing on the to-be-detected character string to obtain an encrypted to-be-detected character string.
9. The detection system according to claim 6, wherein the standard string contains an update time stamp field, and the update time stamp field represents an update time of the mapping relationship between the standard IP address and the standard MAC address.
10. The detection system of claim 6, further comprising:
and the storage module is used for storing the character string to be detected into an early warning database after the ARP spoofing action of the host corresponding to the ARP data packet to be detected is determined.
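Claims 6 to 10 describe one pipeline: parse the sender IP and MAC out of an ARP packet, merge them into a single string, hash it, look the digest up in a whitelist, and record any miss in an early-warning store. The Python below is a worked example added for this page; it is not the patentee's code and the patent discloses no implementation. The Ethernet/IPv4 ARP frame layout is the standard one, but the `ip|mac` separator, SHA-256 as the digest, the module-to-function mapping and the sample LAN addresses are this example's own assumptions. It also makes explicit a caveat the claims leave implicit: a sender binding absent from the whitelist is judged spoofing whether it belongs to an attacker impersonating the gateway or to an honest host that was never enrolled, so the whitelist must be complete and kept current (claim 9's update timestamp is what lets an operator audit that).

```python
# Added example (not the patent's code): whitelist-based ARP spoofing check
# modelled on claims 6-10. Separator, digest choice and sample LAN are assumed.
import hashlib
import struct
from dataclasses import dataclass

ETH_HDR_LEN = 14
ETHERTYPE_ARP = 0x0806
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes for Ethernet/IPv4 ARP


@dataclass(frozen=True)
class ArpPacket:
    opcode: int  # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> ArpPacket:
    """Analysis module (claim 6): extract sender IP/MAC from an Ethernet+ARP frame.
    Requests and replies both carry sender addresses, so both get checked."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return ArpPacket(oper, fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa))


def merge_fields(ip: str, mac: str) -> str:
    """Field merging module (claim 6). Separator and lower-casing are this
    example's choices; they yield one canonical string per (IP, MAC) binding."""
    return f"{ip}|{mac.lower()}"


def digest(s: str) -> str:
    """Hash step of claims 7-8: a one-way digest (SHA-256 assumed), not encryption."""
    return hashlib.sha256(s.encode()).hexdigest()


def build_whitelist(bindings, updated_at: str) -> dict:
    """White list database (claims 6, 7, 9): digest -> update timestamp field."""
    return {digest(merge_fields(ip, mac)): updated_at for ip, mac in bindings}


def check_packet(frame: bytes, whitelist: dict, early_warning: list) -> bool:
    """Judging, processing and storage modules (claims 6, 8, 10). Returns True
    when the sender binding is judged spoofed; the miss is then recorded."""
    pkt = parse_arp(frame)
    candidate = merge_fields(pkt.sender_ip, pkt.sender_mac)
    if digest(candidate) in whitelist:
        return False
    early_warning.append(candidate)
    return True


# --- constructed test traffic (not captured frames) --------------------------
def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    dst = b"\xff" * 6 if opcode == 1 else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def demo():
    # Assumed LAN: a gateway and one client, both bindings constructed for the demo.
    gateway = ("192.168.1.1", "00:11:22:33:44:55")
    client = ("192.168.1.10", "aa:bb:cc:dd:ee:01")
    whitelist = build_whitelist([gateway, client], "2019-09-24T00:00:00Z")
    alerts: list = []
    legit = build_arp_frame(2, gateway[1], gateway[0], client[1], client[0])
    # Attacker answers for the gateway's IP with its own MAC: gateway spoofing.
    spoof = build_arp_frame(2, "de:ad:be:ef:00:01", gateway[0], client[1], client[0])
    # Honest but never-enrolled host: claim 6 treats "no match" as spoofing too.
    unlisted = build_arp_frame(1, "aa:bb:cc:dd:ee:99", "192.168.1.99",
                               "00:00:00:00:00:00", gateway[0])
    verdicts = [check_packet(f, whitelist, alerts) for f in (legit, spoof, unlisted)]
    return verdicts, alerts


if __name__ == "__main__":
    print(demo())  # ([False, True, True], ['192.168.1.1|de:ad:be:ef:00:01', '192.168.1.99|aa:bb:cc:dd:ee:99'])
```

The third frame is the operational cost of this design: the scheme has no notion of "unknown", only "matched" or "spoofing", so DHCP reassignments and newly attached devices become alerts until the whitelist is updated, and a stale entry that is left in place is a binding an attacker can reuse unchallenged.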

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910903498.5A CN110661799B (en) 2019-09-24 2019-09-24 ARP (Address resolution protocol) deception behavior detection method and system

Publications (2)

Publication Number Publication Date
CN110661799A true CN110661799A (en) 2020-01-07
CN110661799B CN110661799B (en) 2020-11-20

Family

ID=69038366

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910903498.5A Active CN110661799B (en) 2019-09-24 2019-09-24 ARP (Address resolution protocol) deception behavior detection method and system

Country Status (1)

Country Link
CN (1) CN110661799B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101179566A (en) * 2007-11-24 2008-05-14 华为技术有限公司 Method and apparatus for preventing ARP packet attack
CN101345643A (en) * 2007-07-09 2009-01-14 珠海金山软件股份有限公司 Method and device for early warning of network appliance
CN101635628A (en) * 2009-08-28 2010-01-27 杭州华三通信技术有限公司 Method and device for preventing ARP attacks
CN102546658A (en) * 2012-02-20 2012-07-04 神州数码网络(北京)有限公司 Method and system for preventing address resolution protocol (ARP) gateway spoofing
US8359376B1 (en) * 2010-04-20 2013-01-22 Hewlett-Packard Development Company, L.P. Proactive sending of an IP-to-MAC address binding for a high fan-in node
CN103581363A (en) * 2013-11-29 2014-02-12 杜跃进 Method and device for controlling malicious domain names and illegal access
CN105262738A (en) * 2015-09-24 2016-01-20 上海斐讯数据通信技术有限公司 Router and method for preventing ARP attacks thereof
CN106899612A (en) * 2017-04-01 2017-06-27 汕头大学 Method for automatically detecting host-impersonation ARP spoofing
US20180049128A1 (en) * 2007-06-26 2018-02-15 Blackberry Limited System and method for conserving power for a wireless device while maintaining a connection to a network
CN107786499A (en) * 2016-08-25 2018-03-09 大连楼兰科技股份有限公司 Early warning method and device for ARP gateway spoofing attacks
CN109951459A (en) * 2019-03-06 2019-06-28 山东信天辰信息安全技术有限公司 ARP spoofing attack detection method based on a local area network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Lin Honggang et al.: "Research on an Algorithm for Actively Detecting and Preventing ARP Attacks", Journal of Sichuan University (Engineering Science Edition) *
Pan Jiafu: "Analysis of ARP Attack Principles and Research on Countermeasures", Software Engineering *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113556364A (en) * 2021-09-18 2021-10-26 浙江大学 DPDK-based DDoS real-time defense system
CN113556364B (en) * 2021-09-18 2021-12-07 浙江大学 DPDK-based DDoS real-time defense system

Also Published As

Publication number Publication date
CN110661799B (en) 2020-11-20

Similar Documents

Publication Publication Date Title
CN110113345B (en) Automatic asset discovery method based on Internet of Things traffic
US10547674B2 (en) Methods and systems for network flow analysis
Rafique et al. Firma: Malware clustering and network signature generation with mixed network behaviors
CN101924757B (en) Method and system for reviewing Botnet
CN109474575B (en) DNS tunnel detection method and device
CN111953673B (en) DNS hidden tunnel detection method and system
CN113794605B (en) Method, system and device for detecting kernel packet loss based on eBPF
CN110808879B (en) Protocol identification method, device, equipment and readable storage medium
CN101854275A (en) Method and device for detecting Trojans by analyzing network behaviors
US20210266333A1 (en) Characterizing unique network flow sessions for network security
US10855549B2 (en) Network data processing driver for a cognitive artificial intelligence system
US10440035B2 (en) Identifying malicious communication channels in network traffic by generating data based on adaptive sampling
CN109842588B (en) Network data detection method and related equipment
CN104639391A (en) Method for generating network flow record and corresponding flow detection equipment
Vaarandi et al. Using security logs for collecting and reporting technical security metrics
CN110868409A (en) Passive operating system identification method and system based on TCP/IP protocol stack fingerprint
US20170295068A1 (en) Logical network topology analyzer
CN108737385A (en) Malicious domain name matching method based on DNS-to-IP mapping
US10348751B2 (en) Device, system and method for extraction of malicious communication pattern to detect traffic caused by malware using traffic logs
CN110661799B (en) ARP (Address resolution protocol) deception behavior detection method and system
US20110016208A1 (en) Apparatus and method for sampling security event based on contents of the security event
CN105207829B (en) Intrusion detection data processing method, device and system
Komárek et al. Passive NAT detection using HTTP access logs
CN113849820A (en) Vulnerability detection method and device
CN112422486B (en) SDK-based security protection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant