CN110784469B - Method and system for identifying abnormal login by identifying forged MAC address - Google Patents


Info

Publication number
CN110784469B
CN110784469B
Authority
CN
China
Prior art keywords
mac address
identifying
information entropy
account
abnormal
Prior art date
Legal status
Active
Application number
CN201911044777.7A
Other languages
Chinese (zh)
Other versions
CN110784469A (en)
Inventor
余贤喆
梁淑云
刘胜
马影
陶景龙
王启凡
魏国富
徐�明
殷钱安
周晓勇
Current Assignee
Information and Data Security Solutions Co Ltd
Original Assignee
Information and Data Security Solutions Co Ltd
Priority date
Filing date
Publication date
Application filed by Information and Data Security Solutions Co Ltd
Priority to CN201911044777.7A
Publication of CN110784469A
Application granted
Publication of CN110784469B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Abstract

The invention provides a method for identifying abnormal login by identifying a forged MAC address, which comprises the following steps: 1) acquiring the MAC address corresponding to the account to be identified; 2) acquiring the information entropy of each MAC address by using an information entropy algorithm; 3) taking the set of MAC addresses whose information entropy is smaller than a preset threshold value as a first abnormal MAC set. The invention also provides a system for identifying abnormal login by identifying forged MAC addresses. By applying the method and the system, a MAC address with low information entropy can be judged to be an abnormal MAC address.

Description

Method and system for identifying abnormal login by identifying forged MAC address
Technical Field
The invention relates to a method and a system for identifying abnormal login, in particular to a method and a system for identifying abnormal login by identifying a forged MAC address.
Background
With the continuous development of internet technology, a large number of network platforms are available on the internet at present, which is convenient for users to meet the needs of life and office work. The user may use the same login information on a plurality of network platforms, and once information leakage occurs on one platform, a lawbreaker may log in other platforms used by the user through the obtained login information of the user so as to obtain more sensitive information for a lawbreaking purpose. User accounts, especially those of operators and financial industry operators, are more dangerous and may cause irreparable loss once illegally logged in.
The invention patent with application number CN201510728387.7 discloses a method and apparatus for preventing malicious access to a login/registration interface. The method comprises: monitoring login/registration operations on the login/registration interface of a specified platform, and judging, by counting and analysing the monitoring results, whether malicious access to the login/registration interface is taking place; if so, locating the source IP address of the malicious access by analysing the logs of the specified platform; and applying a restriction to that source IP address. This scheme effectively handles malicious access to the platform's login/registration interface: by restricting the source IP address of the malicious behaviour, the attacker can no longer reach the login/registration interface from that address, so malicious access is suppressed at its source. Existing abnormal-login detection, however, mostly examines IP addresses and login behaviour; if a lawbreaker collects account information and logs in using forged MAC addresses, the existing technology cannot recognise those logins. The prior art therefore suffers from inaccurate identification of abnormal logins.
Disclosure of Invention
The technical problem to be solved by the invention is how to provide a method and a system for identifying abnormal login by identifying a forged MAC address so as to improve the accuracy rate of abnormal login identification.
The invention solves the technical problems through the following technical means:
the embodiment of the invention provides a method for identifying abnormal login by identifying a forged MAC address, which comprises the following steps:
1) acquiring the MAC address corresponding to the account to be identified;
2) acquiring the information entropy of each MAC address by using an information entropy algorithm;
3) taking the set of MAC addresses whose information entropy is smaller than a preset threshold value as a first abnormal MAC set.
Optionally, before step 2), the method further includes:
and preliminarily screening a second abnormal MAC set from the MAC address corresponding to the account to be identified according to the MAC address generation rule.
Optionally, before step 2), the method further includes:
deleting invalid characters in the MAC address corresponding to the account to be identified, wherein the invalid characters comprise one or a combination of spaces, dashes, underscores, and punctuation marks.
Optionally, the obtaining the information entropy of each MAC address by using an information entropy algorithm includes:
by means of formula (I),
$E = -\sum_{i=1}^{n} p_i \log_2 p_i$    (I)
the information entropy of each MAC address is acquired, where
E is the information entropy corresponding to the MAC address; $\sum$ is the summation function; n is the number of distinct symbols in the MAC address; $p_i$ is the probability that the i-th symbol occurs in the MAC address.
Optionally, the method further includes: and acquiring the account logged in the abnormal MAC address, freezing the account or sending a prompt aiming at the account to an administrator.
The embodiment of the invention also provides a system for identifying abnormal login by identifying a forged MAC address, which comprises:
the first acquisition module is used for acquiring the MAC address corresponding to the account to be identified;
the second acquisition module is used for acquiring the information entropy of each MAC address by using an information entropy algorithm;
and the marking module is used for taking the set of the MAC addresses corresponding to the information entropy with the value smaller than the preset threshold value as a first abnormal MAC set.
Optionally, the system further includes:
and the screening module is used for preliminarily screening a second abnormal MAC set from the MAC address corresponding to the account to be identified according to the generation rule of the MAC address.
Optionally, the system further includes:
the deleting module is used for deleting invalid characters in the MAC address corresponding to the account to be identified, wherein the invalid characters comprise one or a combination of spaces, dashes, underscores, and punctuation marks.
Optionally, the second obtaining module is configured to:
by means of formula (I),
$E = -\sum_{i=1}^{n} p_i \log_2 p_i$    (I)
acquire the information entropy of each MAC address, where
E is the information entropy corresponding to the MAC address; $\sum$ is the summation function; n is the number of distinct symbols in the MAC address; $p_i$ is the probability that the i-th symbol occurs in the MAC address.
Optionally, the system further includes: a third obtaining module configured to: and acquiring the account logged in the abnormal MAC address, freezing the account or sending a prompt aiming at the account to an administrator.
The invention has the advantages that:
by applying the embodiment of the invention, when a lawbreaker forges MAC addresses in a scripted login, the forged addresses are highly regular and therefore have low information entropy; the embodiment of the invention evaluates the information entropy of the MAC address field with an information entropy algorithm and judges a MAC address with low information entropy to be an abnormal MAC address.
Drawings
Fig. 1 is a schematic flowchart of a method for identifying abnormal login by identifying a forged MAC address according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a system for identifying abnormal login by identifying a forged MAC address according to an embodiment of the present invention;
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Fig. 1 is a schematic flowchart of a method for identifying an abnormal login by identifying a forged MAC address according to an embodiment of the present invention, as shown in fig. 1, the method includes:
s101: and acquiring the MAC address corresponding to the account to be identified.
In the network protocol, the information sent by the user when connecting to the server contains the MAC address; otherwise the server cannot identify the corresponding machine. When the user logs in, the network data exchange log records the MAC (Media Access Control) address of the machine used by the user, so the MAC addresses used by all logged-in accounts can be obtained from the network data exchange log.
S102: acquiring the information entropy of each MAC address by using an information entropy algorithm;
Specifically, obtaining the information entropy of each MAC address by using an information entropy algorithm comprises:
by means of formula (I),
$E = -\sum_{i=1}^{n} p_i \log_2 p_i$    (I)
acquiring the information entropy of each MAC address, where
E is the information entropy corresponding to the MAC address; $\sum$ is the summation function; n is the number of distinct symbols in the MAC address; $p_i$ is the probability that the i-th symbol occurs in the MAC address; $1 \le i \le n$.
To capture the average uncertainty over all possible symbols in a MAC address, assume the address is drawn from n symbol values $U_1 \ldots U_i \ldots U_n$ with corresponding probabilities $p_1 \ldots p_i \ldots p_n$, and that the occurrences of the symbols are independent of each other. The average uncertainty of the MAC address, i.e. the statistical average (E) of $-\log_2 p_i$, is then called the information entropy of the MAC address.
Illustratively, for 00-01-6C-06-a6-29 the address has 12 symbols once separators are removed, of which n = 7 are distinct: 0 occurs 4 times, 6 occurs 3 times, and 1, C, a, 2 and 9 occur once each, so
$E = -\left(\tfrac{4}{12}\log_2\tfrac{4}{12} + \tfrac{3}{12}\log_2\tfrac{3}{12} + 5 \cdot \tfrac{1}{12}\log_2\tfrac{1}{12}\right) \approx 2.52$
Obviously, the less information a MAC address contains, the smaller its information entropy value.
S103: and taking the set of MAC addresses corresponding to the information entropy with the value smaller than the preset threshold value as a first abnormal MAC set.
Illustratively, a normal MAC address is generally recorded in a format such as 00-01-6C-06-A6-29, 00:01:6C:06:A6:29 or 080009A04AB1. The MAC address is a unique identifier of the machine hardware, and the MAC address of a user who logs in through the normal path is necessarily compliant. Some lawbreakers wishing to bypass security measures will forge MAC addresses when logging in via a script. If the forged MAC address can be identified at that moment, it helps prevent lawbreakers from stealing user information and intruding on the network platform. However, when faking a MAC address, a lawbreaker cannot know all existing MAC addresses, so the more common forgeries are generated strings such as A5DE8DE5EF7E or 000000000000, which either do not meet the generation rules or are highly regular.
Therefore, the embodiment of the present invention uses the characteristic of high complexity of the normal MAC address, and uses the MAC address with the information entropy value smaller than the preset threshold value, which is calculated in step S102, as the abnormal MAC address, to determine whether the login account is abnormal.
Further, the distribution range of the information entropy of legitimate MAC addresses can be calculated by the method of step S102. The minimum value of that distribution range is then taken as the preset threshold value; alternatively, a value larger than the minimum and smaller than the average of the range may be set as the preset threshold value.
By applying the embodiment of the invention, when a lawbreaker forges MAC addresses in a scripted login, the forged addresses are highly regular and therefore have low information entropy; the embodiment of the invention evaluates the information entropy of the MAC address field with an information entropy algorithm and judges a MAC address with low information entropy to be an abnormal MAC address.
Example 2
Embodiment 2 of the invention adds the following step to embodiment 1:
and preliminarily screening a second abnormal MAC set from the MAC address corresponding to the account to be identified according to the MAC address generation rule.
Illustratively, a normal MAC address is typically recorded in a format such as 00-01-6C-06-A6-29, 00:01:6C:06:A6:29 or 080009A04AB1, and it follows rules of its own: for example, the lowest-order bit of the first byte is the multicast flag, which must be 0 for a station address, so leading bytes such as 00 and 08 are both even numbers, and so on.
Whether an address satisfies the basic MAC address rules can therefore be checked, for example whether the multicast flag is correct and whether the address is a broadcast or multicast address; forged MAC addresses are marked in advance to obtain a second abnormal MAC set, avoiding computation on invalid data.
In practical applications, the second abnormal MAC set may be combined with the first abnormal MAC set, and their union treated as the set of abnormal MAC addresses.
By applying the embodiment of the invention, partial forged MAC addresses can be screened out in advance, the calculation amount of subsequent information entropy calculation is reduced, and the identification efficiency is improved.
Example 3
Embodiment 3 of the invention adds the following step to embodiment 1:
deleting invalid characters in the MAC address corresponding to the account to be identified, wherein the invalid characters comprise one or a combination of spaces, dashes, underscores, and punctuation marks.
For example, systems with different requirements may record user MAC addresses in different formats; unifying the MAC address format and removing invalid characters facilitates the later calculation and comparison of information entropy.
It is understood that the invalid character refers to a character that only plays a role of separation and does not affect the identification role of the MAC address, including but not limited to the above characters.
By applying the embodiment of the invention, the number of characters in the MAC address is reduced, the calculation amount of subsequent information entropy calculation is reduced, and the identification efficiency is improved.
Example 4
Embodiment 4 of the invention adds the following step to embodiment 1:
acquiring the account logged in from the abnormal MAC address, and freezing the account or sending a prompt about the account to an administrator.
For example, the login account corresponding to a MAC address marked as abnormal may be output so that a reminder or freezing operation can be performed.
By applying the embodiment of the invention, the abnormal account corresponding to the abnormal MAC address can be processed.
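The pipeline of steps S101 to S103 together with the pre-screening of embodiment 2, the separator removal of embodiment 3 and the account lookup of embodiment 4, as an added worked example; this is illustrative code written for this page, not an implementation from the patent, and the login records, the known-good address list and all function names are constructed assumptions.

```python
import math
import re
from collections import Counter

# Embodiment 3: characters that only separate octets and carry no identity
# (spaces, dashes, underscores, colons, dots) are stripped before analysis.
_SEPARATORS = re.compile(r"[\s\-_:.]")


def normalize_mac(raw):
    """Remove separator characters and fold case, so that 00-01-6C-06-a6-29,
    00:01:6C:06:A6:29 and 00016C06A629 all become the same 12-symbol string."""
    return _SEPARATORS.sub("", raw).upper()


def mac_entropy(raw):
    """Formula (I): E = -sum_{i=1}^{n} p_i * log2(p_i) over the n distinct
    symbols of the normalised address, p_i being the frequency of symbol i."""
    mac = normalize_mac(raw)
    if not mac:
        return 0.0
    total = len(mac)
    counts = Counter(mac)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def violates_generation_rule(raw):
    """Embodiment 2: pre-screen addresses that cannot be a station's hardware
    address: wrong length or non-hex symbols, or the I/G bit (lowest-order bit
    of the first octet) set, which marks a multicast address; the all-ones
    broadcast address FF:FF:FF:FF:FF:FF has that bit set and is caught too."""
    mac = normalize_mac(raw)
    if len(mac) != 12 or any(ch not in "0123456789ABCDEF" for ch in mac):
        return True
    first_octet = int(mac[:2], 16)
    return bool(first_octet & 0x01)


def calibrate_threshold(known_good):
    """Preset threshold as the description suggests: the minimum entropy
    observed over a sample of legitimate addresses."""
    return min(mac_entropy(m) for m in known_good)


def classify_logins(logins, threshold):
    """logins: iterable of (account, MAC-as-logged). Returns the first abnormal
    set (low entropy), the second abnormal set (rule violations, skipped before
    any entropy work) and the accounts seen on each abnormal address, which is
    what embodiment 4 forwards for freezing or an administrator prompt."""
    first_abnormal, second_abnormal, accounts = set(), set(), {}
    for account, raw in logins:
        mac = normalize_mac(raw)
        if violates_generation_rule(raw):
            second_abnormal.add(mac)
            accounts.setdefault(mac, set()).add(account)
            continue
        if mac_entropy(raw) < threshold:
            first_abnormal.add(mac)
            accounts.setdefault(mac, set()).add(account)
    return first_abnormal, second_abnormal, accounts


# Constructed sample records (account, MAC as written to the exchange log);
# the first two addresses are the formats quoted in the description.
SAMPLE_LOGINS = [
    ("alice", "00-01-6C-06-a6-29"),
    ("bob", "08:00:09:A0:4A:B1"),
    ("carol", "3C 52 82 1F 9D 4E"),
    ("mallory", "000000000000"),
    ("mallory", "A5DE8DE5EF7E"),
    ("trent", "01:00:5E:00:00:FB"),
]

# Constructed sample of addresses known to come from legitimate logins.
KNOWN_GOOD = ["00-01-6C-06-a6-29", "08:00:09:A0:4A:B1", "3C:52:82:1F:9D:4E"]

if __name__ == "__main__":
    threshold = calibrate_threshold(KNOWN_GOOD)
    first, second, hits = classify_logins(SAMPLE_LOGINS, threshold)
    print(f"threshold = {threshold:.4f}")
    print("first abnormal set (low entropy):", sorted(first))
    print("second abnormal set (rule violations):", sorted(second))
    for mac in sorted(hits):
        print(f"  {mac}: accounts {sorted(hits[mac])}")
```

Note that the page's own forged example A5DE8DE5EF7E has a higher entropy (about 2.58) than the normal address 00-01-6C-06-a6-29 (about 2.52), so it is the generation-rule pre-screen (its first octet A5 has the I/G bit set), not the entropy threshold, that flags it. The threshold therefore needs calibrating on the deployment's own legitimate addresses, and the two sets should be used together as the description suggests.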
Example 5
Fig. 2 is a schematic structural diagram of a system for identifying abnormal login by identifying a forged MAC address according to an embodiment of the present invention, as shown in fig. 2, the system includes:
a first obtaining module 201, configured to obtain the MAC address corresponding to the account to be identified;
a second obtaining module 202, configured to obtain an information entropy of each MAC address by using an information entropy algorithm;
and the marking module 203 is configured to use a set of MAC addresses corresponding to the information entropy with a value smaller than a preset threshold as a first abnormal MAC set.
By applying the embodiment of the invention, when a lawbreaker forges MAC addresses in a scripted login, the forged addresses are highly regular and therefore have low information entropy; the embodiment of the invention evaluates the information entropy of the MAC address field with an information entropy algorithm and judges a MAC address with low information entropy to be an abnormal MAC address.
In a specific implementation manner of the embodiment of the present invention, the system further includes:
and the screening module is used for preliminarily screening a second abnormal MAC set from the MAC address corresponding to the account to be identified according to the generation rule of the MAC address.
In a specific implementation manner of the embodiment of the present invention, the system further includes:
the deleting module is used for deleting invalid characters in the MAC address corresponding to the account to be identified, wherein the invalid characters comprise one or a combination of spaces, dashes, underscores, and punctuation marks.
In a specific implementation manner of the embodiment of the present invention, the second obtaining module 202 is configured to:
by means of formula (I),
$E = -\sum_{i=1}^{n} p_i \log_2 p_i$    (I)
acquire the information entropy of each MAC address, where
E is the information entropy corresponding to the MAC address; $\sum$ is the summation function; n is the number of distinct symbols in the MAC address; $p_i$ is the probability that the i-th symbol occurs in the MAC address.
In a specific implementation manner of the embodiment of the present invention, the system further includes: a third obtaining module configured to: and acquiring the account logged in the abnormal MAC address, freezing the account or sending a prompt aiming at the account to an administrator.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for identifying an abnormal login by identifying a forged MAC address, the method comprising:
1) acquiring the MAC address corresponding to the account to be identified;
2) acquiring the information entropy of each MAC address by using an information entropy algorithm;
3) taking a set of MAC addresses whose information entropy is smaller than the preset threshold value as a first abnormal MAC set; prior to step 2), the method further comprises:
deleting invalid characters in the MAC address corresponding to the account to be identified, wherein the invalid characters comprise one or a combination of spaces, dashes, underscores, and punctuation marks.
2. A method for identifying abnormal login by identifying forged MAC address as claimed in claim 1, wherein before step 2), the method further comprises:
and preliminarily screening a second abnormal MAC set from the MAC address corresponding to the account to be identified according to the MAC address generation rule.
3. The method for identifying abnormal login by identifying forged MAC address as claimed in claim 1, wherein the obtaining the information entropy of each MAC address by using the information entropy algorithm comprises:
by means of formula (I),
$E = -\sum_{i=1}^{n} p_i \log_2 p_i$    (I)
acquiring the information entropy of each MAC address, where
E is the information entropy corresponding to the MAC address; $\sum$ is the summation function; n is the number of distinct symbols in the MAC address; $p_i$ is the probability that the i-th symbol occurs in the MAC address.
4. The method of claim 1, further comprising: and acquiring the account logged in the abnormal MAC address, freezing the account or sending a prompt aiming at the account to an administrator.
5. A system for identifying abnormal logins by identifying forged MAC addresses, the system comprising:
the first acquisition module is used for acquiring the MAC address corresponding to the account to be identified;
the second acquisition module is used for acquiring the information entropy of each MAC address by using an information entropy algorithm;
the marking module is used for taking a set of MAC addresses corresponding to the information entropy with the value smaller than the preset threshold value as a first abnormal MAC set; the system further comprises:
the deleting module is used for deleting invalid characters in the MAC address corresponding to the account to be identified, wherein the invalid characters comprise one or a combination of spaces, dashes, underscores, and punctuation marks.
6. The system for identifying abnormal login by identifying forged MAC address as claimed in claim 5, further comprising:
and the screening module is used for preliminarily screening a second abnormal MAC set from the MAC address corresponding to the account to be identified according to the generation rule of the MAC address.
7. The system for identifying abnormal login by identifying forged MAC address as claimed in claim 5, wherein the second obtaining module is used for:
by means of formula (I),
$E = -\sum_{i=1}^{n} p_i \log_2 p_i$    (I)
acquiring the information entropy of each MAC address, where
E is the information entropy corresponding to the MAC address; $\sum$ is the summation function; n is the number of distinct symbols in the MAC address; $p_i$ is the probability that the i-th symbol occurs in the MAC address.
8. The system for identifying abnormal login by identifying forged MAC address as claimed in claim 5, further comprising: a third obtaining module configured to: and acquiring the account logged in the abnormal MAC address, freezing the account or sending a prompt aiming at the account to an administrator.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911044777.7A CN110784469B (en) 2019-10-30 2019-10-30 Method and system for identifying abnormal login by identifying forged MAC address

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911044777.7A CN110784469B (en) 2019-10-30 2019-10-30 Method and system for identifying abnormal login by identifying forged MAC address

Publications (2)

Publication Number Publication Date
CN110784469A CN110784469A (en) 2020-02-11
CN110784469B true CN110784469B (en) 2021-09-03

Family

ID=69387709

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911044777.7A Active CN110784469B (en) 2019-10-30 2019-10-30 Method and system for identifying abnormal login by identifying forged MAC address

Country Status (1)

Country Link
CN (1) CN110784469B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112566043B (en) * 2021-02-22 2021-05-14 腾讯科技(深圳)有限公司 MAC address identification method and device, storage medium and electronic equipment

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103181131A (en) * 2010-10-29 2013-06-26 瑞典爱立信有限公司 Load balancing in shortest-path-bridging networks

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10353638B2 (en) * 2014-11-18 2019-07-16 Microsemi SoC Corporation Security method and apparatus to prevent replay of external memory data to integrated circuits having only one-time programmable non-volatile memory

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103181131A (en) * 2010-10-29 2013-06-26 瑞典爱立信有限公司 Load balancing in shortest-path-bridging networks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Research on SDN-based Network Security Technology" (基于SDN的网络安全技术研究); Jiang Yajie (蒋亚杰); Wanfang (万方); 2018-01-19; full text *

Also Published As

Publication number Publication date
CN110784469A (en) 2020-02-11

Similar Documents

Publication Publication Date Title
CN109525558B (en) Data leakage detection method, system, device and storage medium
US9369479B2 (en) Detection of malware beaconing activities
US10721245B2 (en) Method and device for automatically verifying security event
CN109194680B (en) Network attack identification method, device and equipment
US7526806B2 (en) Method and system for addressing intrusion attacks on a computer system
US10915629B2 (en) Systems and methods for detecting data exfiltration
CN104239758A (en) Man-machine identification method and system
CN111641658A (en) Request intercepting method, device, equipment and readable storage medium
CN101529862A (en) Methods and apparatus for detecting unwanted traffic in one or more packet networks utilizing string analysis
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
EP3660719A1 (en) Method for detecting intrusions in an audit log
CN110879889A (en) Method and system for detecting malicious software of Windows platform
CN110611635A (en) Detection method based on multi-dimensional lost account
US11652833B2 (en) Detection of anomalous count of new entities
JP6386593B2 (en) Malignant communication pattern extraction apparatus, malignant communication pattern extraction system, malignant communication pattern extraction method, and malignant communication pattern extraction program
CN110784469B (en) Method and system for identifying abnormal login by identifying forged MAC address
CN112738107B (en) Network security evaluation method, device, equipment and storage medium
Shen et al. A novel comprehensive steganalysis of transmission control protocol/Internet protocol covert channels based on protocol behaviors and support vector machine
CN112583763B (en) Intrusion detection device and intrusion detection method
CN109474593B (en) Method for identifying C & C periodic loop back connection behaviors
CN109729084B (en) Network security event detection method based on block chain technology
WO2021018440A1 (en) METHODS FOR DETECTING A CYBERATTACK ON AN ELECTRONIC DEVICE, METHOD FOR OBTAINING A SUPERVISED RANDOM FOREST MODEL FOR DETECTING A DDoS ATTACK OR A BRUTE FORCE ATTACK, AND ELECTRONIC DEVICE CONFIGURED TO DETECT A CYBERATTACK ON ITSELF
CN109756483B (en) Safety protection method aiming at MELASEC protocol
CN108650274B (en) Network intrusion detection method and system
CN115296904B (en) Domain name reflection attack detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant