CN110784469B - Method and system for identifying abnormal login by identifying forged MAC address - Google Patents
- Publication number: CN110784469B (application CN201911044777.7A)
- Authority
- CN
- China
- Prior art keywords
- mac address
- identifying
- information entropy
- account
- abnormal
- Prior art date
- Legal status
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
Abstract
The invention provides a method for identifying abnormal login by identifying a forged MAC address, which comprises the following steps: 1) acquiring the MAC addresses corresponding to the account to be identified; 2) acquiring the information entropy of each MAC address by using an information entropy algorithm; 3) taking the set of MAC addresses whose information entropy is smaller than a preset threshold value as a first abnormal MAC set. The invention also provides a system for identifying abnormal login by identifying forged MAC addresses. By applying the method and the system, a MAC address with lower information entropy can be judged to be an abnormal MAC address.
Description
Technical Field
The invention relates to a method and a system for identifying abnormal login, in particular to a method and a system for identifying abnormal login by identifying a forged MAC address.
Background
With the continuous development of internet technology, a large number of network platforms are now available on the internet, which makes it convenient for users to meet the needs of daily life and office work. A user may use the same login information on several network platforms, and once information leaks from one platform, a lawbreaker can use the obtained login information to log in to the other platforms the user uses and obtain more sensitive information for unlawful purposes. User accounts, especially those at telecom operators and in the financial industry, are at greater risk and may cause irreparable loss once illegally logged in.
Patent application CN201510728387.7 discloses a method and apparatus for preventing malicious access to a login/registration interface. The method monitors login/registration operations on the login/registration interface of a specified platform and judges, by counting and analysing the monitoring results, whether malicious access to the interface is taking place; if so, it locates the source IP address of the malicious access by analysing the platform's logs and applies a restriction to that source IP address. This scheme provides an effective response to malicious access to a platform's login/registration interface: by restricting the source IP address of the malicious access, the attacker can no longer keep accessing the interface from that address, so malicious access is curbed at its source. Existing abnormal-login detection, however, mostly examines IP addresses and login behaviour; if a lawbreaker collects account information and logs in with a forged MAC address, existing techniques cannot identify that login. The prior art therefore has the technical problem that abnormal-login identification is inaccurate.
Disclosure of Invention
The technical problem solved by the invention is how to provide a method and a system that identify abnormal logins by identifying forged MAC addresses, so as to improve the accuracy of abnormal-login identification.
The invention solves the technical problems through the following technical means:
An embodiment of the invention provides a method for identifying abnormal login by identifying a forged MAC address, which comprises the following steps:
1) acquiring the MAC addresses corresponding to the account to be identified;
2) acquiring the information entropy of each MAC address by using an information entropy algorithm;
3) taking the set of MAC addresses whose information entropy is smaller than a preset threshold value as a first abnormal MAC set.
Optionally, before step 2), the method further includes:
preliminarily screening a second abnormal MAC set out of the MAC addresses corresponding to the account to be identified, according to the MAC address generation rules.
Optionally, before step 2), the method further includes:
deleting invalid characters from the MAC address corresponding to the account to be identified, where the invalid characters comprise one or a combination of spaces, dashes, underscores and punctuation marks.
Optionally, obtaining the information entropy of each MAC address by using an information entropy algorithm includes:
acquiring the information entropy of each MAC address by means of formulas (I) and (II), i.e. $E = -\sum_{i=1}^{n} p_i \log_2 p_i$, where
E is the information entropy corresponding to the MAC address; Σ is the summation function; n is the number of distinct symbols in the MAC address; p_i is the probability of occurrence of the i-th symbol in the MAC address.
Optionally, the method further includes: acquiring the account that logged in from the abnormal MAC address, and freezing the account or sending a prompt about the account to an administrator.
The embodiment of the invention also provides a system for identifying abnormal login by identifying a forged MAC address, which comprises:
the first acquisition module is used for acquiring the MAC address corresponding to the account to be identified;
the second acquisition module is used for acquiring the information entropy of each MAC address by using an information entropy algorithm;
the marking module is used for taking the set of MAC addresses whose information entropy is smaller than the preset threshold value as a first abnormal MAC set.
Optionally, the system further includes:
the screening module is used for preliminarily screening a second abnormal MAC set out of the MAC addresses corresponding to the account to be identified, according to the MAC address generation rules.
Optionally, the system further includes:
the deleting module is used for deleting invalid characters from the MAC address corresponding to the account to be identified, where the invalid characters comprise one or a combination of spaces, dashes, underscores and punctuation marks.
Optionally, the second obtaining module is configured to:
acquire the information entropy of each MAC address by means of formulas (I) and (II), i.e. $E = -\sum_{i=1}^{n} p_i \log_2 p_i$, where
E is the information entropy corresponding to the MAC address; Σ is the summation function; n is the number of distinct symbols in the MAC address; p_i is the probability of occurrence of the i-th symbol in the MAC address.
Optionally, the system further includes a third obtaining module configured to acquire the account that logged in from the abnormal MAC address, and to freeze the account or send a prompt about the account to an administrator.
The invention has the advantages that:
By applying this embodiment of the invention: when lawless persons forge MAC addresses in order to log in through a script, the forged addresses are highly regular and therefore have low information entropy; the embodiment evaluates the information entropy of the MAC address field with an information entropy algorithm and judges a MAC address with lower information entropy to be an abnormal MAC address.
Drawings
Fig. 1 is a schematic flowchart of a method for identifying abnormal login by identifying a forged MAC address according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a system for identifying abnormal login by identifying a forged MAC address according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Fig. 1 is a schematic flowchart of a method for identifying an abnormal login by identifying a forged MAC address according to an embodiment of the present invention, as shown in fig. 1, the method includes:
S101: acquiring the MAC address corresponding to the account to be identified.
In the network protocol, the information a user sends when connecting to the server contains the MAC address; otherwise the server could not identify the corresponding machine. When the user logs in, the network data exchange log records the MAC (Media Access Control) address of the machine the user used, so the MAC addresses used by all logged-in accounts can be obtained from the network data exchange log.
S102: acquiring the information entropy of each MAC address by using an information entropy algorithm.
Specifically, obtaining the information entropy of each MAC address by using an information entropy algorithm comprises:
acquiring the information entropy of each MAC address by means of formulas (I) and (II), i.e. $E = -\sum_{i=1}^{n} p_i \log_2 p_i$, where
E is the information entropy corresponding to the MAC address; Σ is the summation function; n is the number of distinct symbols in the MAC address; p_i is the probability of the i-th symbol in the MAC address; 1 ≤ i ≤ n.
To capture the average uncertainty over all the symbols a MAC address may carry, assume the address uses n distinct symbols U1 … Ui … Un with corresponding probabilities p1 … pi … pn, and that occurrences of the symbols are independent of one another. The average uncertainty of the MAC address, i.e. the statistical average E of -log2 pi, is then the information entropy of the MAC address.
Illustratively, for 00-01-6C-06-A6-29, n is 7 (the distinct symbols 0, 1, 6, C, A, 2 and 9 once the dashes are removed).
Obviously, the less information a MAC address contains, the smaller its information entropy.
S103: taking the set of MAC addresses whose information entropy is smaller than the preset threshold value as a first abnormal MAC set.
Illustratively, a normal MAC address is generally recorded in a format such as 00-01-6C-06-A6-29, 00:01:6C:06:A6:29 or 080009A04AB1. The MAC address uniquely identifies the machine's hardware, and the MAC address of a user who logs in through the normal path is necessarily well-formed. Some lawbreakers who wish to bypass security measures forge the MAC address when logging in through a script. If the forged MAC address can be identified at that moment, it helps prevent lawbreakers from stealing user information and intruding into the network platform. However, a lawbreaker forging a MAC address cannot know all existing MAC addresses, so the more common forging approach is to generate a string of hexadecimal characters, such as A5DE8DE5EF7E or 000000000000, which either violates the rules or shows strong regularity.
Therefore, this embodiment of the invention exploits the high complexity of normal MAC addresses: a MAC address whose information entropy, calculated in step S102, is smaller than the preset threshold value is taken as an abnormal MAC address, and the login account is judged abnormal on that basis.
Further, the distribution range of the information entropy of legitimate MAC addresses can be calculated by the method of step S102. The minimum value of that distribution range is then taken as the preset threshold value; alternatively, a value larger than the minimum and smaller than the average value may be set as the preset threshold value.
By applying this embodiment of the invention: when lawless persons forge MAC addresses in order to log in through a script, the forged addresses are highly regular and therefore have low information entropy; the embodiment evaluates the information entropy of the MAC address field with an information entropy algorithm and judges a MAC address with lower information entropy to be an abnormal MAC address.
Example 2
Embodiment 2 of the invention adds the following step on the basis of Embodiment 1:
preliminarily screening a second abnormal MAC set out of the MAC addresses corresponding to the account to be identified, according to the MAC address generation rules.
Illustratively, a normal MAC address is typically recorded in a format such as 00-01-6C-06-A6-29, 00:01:6C:06:A6:29 or 080009A04AB1, but it also follows rules of its own: for example, the lowest-order bit of the first byte is the multicast flag, which must be 0, so the leading bytes 00 and 08 above are both even numbers, and so on.
Whether a MAC address meets these basic rules can therefore be judged, for example whether the multicast flag is correct and whether the address is a broadcast or multicast address; the forged MAC addresses are marked in advance to obtain a second abnormal MAC set, avoiding calculation on invalid data.
In practical applications, the union of the second abnormal MAC set and the first abnormal MAC set may be taken as the abnormal MAC addresses.
By applying the embodiment of the invention, partial forged MAC addresses can be screened out in advance, the calculation amount of subsequent information entropy calculation is reduced, and the identification efficiency is improved.
Example 3
Embodiment 3 of the invention adds the following step on the basis of Embodiment 1:
deleting invalid characters from the MAC address corresponding to the account to be identified, where the invalid characters comprise one or a combination of spaces, dashes, underscores and punctuation marks.
For example, systems with different requirements may record user MAC addresses in different formats; unifying the MAC address format and eliminating the invalid characters facilitates the later calculation and comparison of information entropy.
It is understood that the invalid character refers to a character that only plays a role of separation and does not affect the identification role of the MAC address, including but not limited to the above characters.
By applying the embodiment of the invention, the number of characters in the MAC address is reduced, the calculation amount of subsequent information entropy calculation is reduced, and the identification efficiency is improved.
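The three steps of Example 1 together with the rule-based pre-screen of Example 2 and the separator stripping of Example 3, as an added Python example that is not the patent's own code. The login records, the known-legitimate address population used to set the threshold, the upper-casing of hex digits and the exact generation-rule checks are assumptions made here.

```python
"""Entropy-based screening of login MAC addresses, after Examples 1 to 3.

Added example, not code from the patent. The login records, the population of
known-legitimate addresses, the upper-casing of hex digits and the exact
generation-rule checks are assumptions made here for illustration.
"""
import math
import string
from collections import Counter

# Constructed "network data exchange log" records: (account, MAC as recorded).
SAMPLE_LOGINS = [
    ("alice", "00-01-6C-06-A6-29"),  # normal, dash-separated
    ("bob", "08:00:09:A0:4A:B1"),    # normal, colon-separated
    ("carol", "000000000000"),       # forged: carries no information at all
    ("dave", "12 12 12 12 12 12"),   # forged: strongly regular pattern
    ("erin", "A5DE8DE5EF7E"),        # forged: first octet A5 has its I/G bit set
]

# Constructed population of addresses seen on legitimate logins; used only to
# derive the preset threshold as described in Example 1.
KNOWN_LEGITIMATE = ["00-01-6C-06-A6-29", "08:00:09:A0:4A:B1", "3C-5A-B4-1F-9E-D2"]


def normalize_mac(raw: str) -> str:
    """Example 3: drop separators (spaces, dashes, underscores, punctuation).
    Upper-casing is an assumption made here so that 'a6' and 'A6' count alike."""
    return "".join(ch for ch in raw if not (ch.isspace() or ch in string.punctuation)).upper()


def information_entropy(symbols: str) -> float:
    """E = -sum_{i=1}^{n} p_i * log2(p_i), where p_i is the relative frequency
    of the i-th of the n distinct symbols (Example 1, step S102)."""
    if not symbols:
        return 0.0
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in Counter(symbols).values())


def passes_generation_rules(mac: str) -> bool:
    """Example 2: structural checks on a normalized address. A device's own MAC
    is 12 hex digits, the I/G (multicast) bit of its first octet is 0, and it
    is not the broadcast address FFFFFFFFFFFF."""
    if len(mac) != 12 or any(ch not in string.hexdigits for ch in mac):
        return False
    if int(mac[:2], 16) & 0x01:  # lowest-order bit of the first byte set: group address
        return False
    return mac != "FFFFFFFFFFFF"


def choose_threshold(legitimate_macs) -> float:
    """Smallest entropy observed over the known-legitimate population (the
    patent also allows any value between this minimum and the mean)."""
    return min(information_entropy(normalize_mac(m)) for m in legitimate_macs)


def screen_logins(records, threshold: float) -> dict:
    """Run the steps over (account, raw MAC) records: rule pre-screen first
    (second abnormal set), entropy threshold next (first abnormal set), and
    collect the accounts that logged in from either, as Example 4 uses them."""
    first_abnormal, second_abnormal, flagged = set(), set(), set()
    for account, raw in records:
        mac = normalize_mac(raw)
        if not passes_generation_rules(mac):  # skip the entropy work for these
            second_abnormal.add(mac)
        elif information_entropy(mac) < threshold:
            first_abnormal.add(mac)
        else:
            continue
        flagged.add(account)
    return {"first_abnormal": first_abnormal, "second_abnormal": second_abnormal,
            "flagged_accounts": flagged}


if __name__ == "__main__":
    t = choose_threshold(KNOWN_LEGITIMATE)
    print(f"preset threshold = {t:.3f} bits")
    for name, value in screen_logins(SAMPLE_LOGINS, t).items():
        print(f"{name}: {sorted(value)}")
```

Derive the threshold from your own population of legitimate addresses: a genuine MAC with unusually repetitive digits will fall below it, so membership in an abnormal set is a signal to combine with the IP and behaviour checks mentioned in the Background, not proof of forgery on its own.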
Example 4
Embodiment 4 of the invention adds the following step on the basis of Embodiment 1:
acquiring the account that logged in from the abnormal MAC address, and freezing the account or sending a prompt about the account to an administrator.
For example, the login account corresponding to a MAC address marked as abnormal may be output so that a reminder or freezing operation can be performed.
By applying the embodiment of the invention, the abnormal account corresponding to the abnormal MAC address can be processed.
Example 5
Fig. 2 is a schematic structural diagram of a system for identifying abnormal login by identifying a forged MAC address according to an embodiment of the present invention, as shown in fig. 2, the system includes:
a first obtaining module 201, configured to obtain the MAC address corresponding to an account to be identified;
a second obtaining module 202, configured to obtain the information entropy of each MAC address by using an information entropy algorithm;
a marking module 203, configured to take the set of MAC addresses whose information entropy is smaller than a preset threshold value as a first abnormal MAC set.
By applying this embodiment of the invention: when lawless persons forge MAC addresses in order to log in through a script, the forged addresses are highly regular and therefore have low information entropy; the embodiment evaluates the information entropy of the MAC address field with an information entropy algorithm and judges a MAC address with lower information entropy to be an abnormal MAC address.
In a specific implementation manner of the embodiment of the present invention, the system further includes:
the screening module is used for preliminarily screening a second abnormal MAC set out of the MAC addresses corresponding to the account to be identified, according to the MAC address generation rules.
In a specific implementation manner of the embodiment of the present invention, the system further includes:
the deleting module is used for deleting invalid characters from the MAC address corresponding to the account to be identified, where the invalid characters comprise one or a combination of spaces, dashes, underscores and punctuation marks.
In a specific implementation manner of the embodiment of the present invention, the second obtaining module 202 is configured to:
acquire the information entropy of each MAC address by means of formulas (I) and (II), i.e. $E = -\sum_{i=1}^{n} p_i \log_2 p_i$, where
E is the information entropy corresponding to the MAC address; Σ is the summation function; n is the number of distinct symbols in the MAC address; p_i is the probability of occurrence of the i-th symbol in the MAC address.
In a specific implementation manner of the embodiment of the present invention, the system further includes a third obtaining module configured to acquire the account that logged in from the abnormal MAC address, and to freeze the account or send a prompt about the account to an administrator.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (8)
1. A method for identifying an abnormal login by identifying a forged MAC address, the method comprising:
1) acquiring an MAC address corresponding to the account to be identified;
2) acquiring the information entropy of each MAC address by using an information entropy algorithm;
3) taking a set of MAC addresses corresponding to the information entropy with the value smaller than the preset threshold value as a first abnormal MAC set; prior to step 2), the method further comprises:
deleting invalid characters in an MAC address corresponding to an account to be identified, wherein the invalid characters comprise: one or a combination of spaces, dashes, underlines, and punctuation marks.
2. A method for identifying abnormal login by identifying forged MAC address as claimed in claim 1, wherein before step 2), the method further comprises:
and preliminarily screening a second abnormal MAC set from the MAC address corresponding to the account to be identified according to the MAC address generation rule.
3. The method for identifying abnormal login by identifying forged MAC address as claimed in claim 1, wherein the obtaining the information entropy of each MAC address by using the information entropy algorithm comprises:
acquiring the information entropy of each MAC address by means of formulas (I) and (II), i.e. $E = -\sum_{i=1}^{n} p_i \log_2 p_i$, where
E is the information entropy corresponding to the MAC address; Σ is the summation function; n is the number of distinct symbols in the MAC address; p_i is the probability of occurrence of the i-th symbol in the MAC address.
4. The method of claim 1, further comprising: and acquiring the account logged in the abnormal MAC address, freezing the account or sending a prompt aiming at the account to an administrator.
5. A system for identifying abnormal logins by identifying forged MAC addresses, the system comprising:
the first acquisition module is used for acquiring the MAC address corresponding to the account to be identified;
the second acquisition module is used for acquiring the information entropy of each MAC address by using an information entropy algorithm;
the marking module is used for taking a set of MAC addresses corresponding to the information entropy with the value smaller than the preset threshold value as a first abnormal MAC set; the system further comprises:
the deleting module is used for deleting invalid characters in the MAC address corresponding to the account to be identified, wherein the invalid characters comprise: one or a combination of spaces, dashes, underlines, and punctuation marks.
6. The system for identifying abnormal login by identifying forged MAC address as claimed in claim 5, further comprising:
and the screening module is used for preliminarily screening a second abnormal MAC set from the MAC address corresponding to the account to be identified according to the generation rule of the MAC address.
7. The system for identifying abnormal login by identifying forged MAC address as claimed in claim 5, wherein the second obtaining module is used for:
acquiring the information entropy of each MAC address by means of formulas (I) and (II), i.e. $E = -\sum_{i=1}^{n} p_i \log_2 p_i$, where
E is the information entropy corresponding to the MAC address; Σ is the summation function; n is the number of distinct symbols in the MAC address; p_i is the probability of occurrence of the i-th symbol in the MAC address.
8. The system for identifying abnormal login by identifying forged MAC address as claimed in claim 5, further comprising: a third obtaining module configured to: and acquiring the account logged in the abnormal MAC address, freezing the account or sending a prompt aiming at the account to an administrator.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911044777.7A CN110784469B (en) | 2019-10-30 | 2019-10-30 | Method and system for identifying abnormal login by identifying forged MAC address |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110784469A CN110784469A (en) | 2020-02-11 |
CN110784469B true CN110784469B (en) | 2021-09-03 |
Family
ID=69387709
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110784469B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112566043B (en) * | 2021-02-22 | 2021-05-14 | Tencent Technology (Shenzhen) Co., Ltd. | MAC address identification method and device, storage medium and electronic equipment |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103181131A (en) * | 2010-10-29 | 2013-06-26 | Ericsson (Sweden) Co., Ltd. | Load balancing in shortest-path-bridging networks |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10353638B2 (en) * | 2014-11-18 | 2019-07-16 | Microsemi SoC Corporation | Security method and apparatus to prevent replay of external memory data to integrated circuits having only one-time programmable non-volatile memory |
Non-Patent Citations (1)
Title |
---|
《基于SDN的网络安全技术研究》 ("Research on SDN-based Network Security Technology"); Jiang Yajie; Wanfang; 2018-01-19; full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||