CN111917701A - Passive checking online violation external connection technology based on non-client mode - Google Patents
- Publication number: CN111917701A
- Application number: CN202010240487.6A
- Authority: CN (China)
- Prior art keywords
- external connection
- illegal external
- illegal
- public network
- intranet
- Prior art date: 2020-03-31
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
  - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    - H04L41/06—Management of faults, events, alarms or notifications
      - H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a passive, non-client (agentless) technique for checking online illegal external connections, that is, unauthorized connections from an isolated intranet to the public Internet. It is realized as follows: the traffic of a business application system is mirrored to an intranet illegal-external-connection detection server, and the illegal-external-connection sniffing function is enabled; when an intranet terminal accesses the business application system, the sniffing module injects code into the portal page served to that terminal; the injected code communicates with an external public-network forensics platform over a private communication protocol; if that communication succeeds, the platform records the terminal's attribute information and generates an illegal-external-connection alarm; at the same time the sniffing module returns the terminal attribute information to the intranet illegal-external-connection detection server, which immediately generates an illegal-external-connection alarm. The invention can thus detect illegal external connections on terminal hosts on which no client is installed.
Description
Technical Field
The invention belongs to the field of information security and relates to a technique for passively checking online illegal external connections in a non-client (agentless) mode.
Background
With the rapid development of information technology and the lack of effective security mechanisms in networks in recent years, the threat that internal weaknesses pose to important resources is far greater than that of intrusions from the Internet through the firewall, and traditional protection technologies such as firewalls and IDS cannot prevent it effectively.
Most domestic organizations physically isolate the office intranet from the Internet, so that the untrusted Internet is kept away from important internal business data. To stop employees from privately connecting to the Internet, more and more organizations deploy desktop terminal management software to prevent illegal external connections. Over long-term use, however, terminals that do not have, or cannot have, the desktop management software installed appear in the intranet; for them the protection against illegal external connections is weak and detection gaps exist. At the same time, most organizations' headquarters cannot comprehensively and effectively supervise how strongly their subordinate units protect against illegal external connections, supervisory means are lacking, and a security incident caused by an illegal external connection is only perceived after the fact.
At present, detection of illegal external connection behavior is mainly based on a server/client architecture and depends heavily on a client program: a client is installed on each terminal device within the monitored network, a detection and management server for illegal external connection behavior is deployed in the network, and the detection and discovery function is realized through a configured policy. In a real network environment, however, terminal types are varied, and if a special-purpose terminal cannot have the client installed, a management gap appears and the protection strategy against illegal external connections exists in name only.
Therefore the invention provides a passive detection technique for online illegal external connections based on a non-client mode: no client needs to be deployed on the terminal host, yet illegal external connection behavior can still be detected.
Disclosure of Invention
The invention mainly studies a technique for passively checking online illegal external connection behavior in an intranet in non-client mode. Taking into account factors such as the actual state of informatization, the state of the network and users' habits, it seeks the non-client illegal-external-connection detection technique that best suits the existing network environment, conforms to existing usage habits and does not affect the network.
The invention provides a non-client-mode technique for passively checking online illegal external connections, implemented in the following steps:
Step 1: deploy an illegal-external-connection detection server in the intranet environment, and deploy a forensics platform on the external public network.
Step 2: mirror the traffic of the intranet business application system to the intranet illegal-external-connection detection server, define an illegal-external-connection detection policy for the business application system, and enable the sniffing function.
Step 3: when an intranet terminal accesses the monitored business application system, the sniffing module injects code into the portal page served to it, without modifying the code of the existing business application system.
Step 4: the injected sniffing code attempts to reach the public-network forensics platform server from the internal terminal.
Step 5: if the public-network forensics platform server receives no detection data from the sniffing module, the terminal host has no illegal external connection channel and no illegal external connection behavior.
Step 6: if the public-network forensics platform server does receive detection data from the sniffing module, it generates an illegal-external-connection alarm within seconds, returns the detection result to the intranet detection server, and records the terminal host's IP/MAC, device ID and other information on the forensics platform.
Step 7: the intranet illegal-external-connection detection server receives the detection result passed on by the sniffing module and immediately generates an illegal-external-connection alarm.
THE ADVANTAGES OF THE PRESENT INVENTION
The invention achieves online illegal-external-connection inspection in a non-client environment and avoids over-dependence on a client. In addition, the intranet illegal-external-connection server assigns a unique ID to each terminal in the current intranet environment, and the message that the public-network forensics platform receives from the sniffing module carries that terminal ID, so the identity of the offending terminal is confirmed unambiguously and repudiation is prevented.
Alternatives
In the alternative scheme, an intranet illegal-external-connection detection proxy server and an extranet forensics platform are deployed. The browser of every intranet terminal host is configured to use a proxy whose address points to the intranet illegal-external-connection proxy server; the proxy server is configured with the illegal-external-connection detection policy and works together with the extranet forensics platform, so that online illegal external connection behavior is passively detected in non-client mode. The concrete steps are as follows:
Step 7: the intranet illegal-external-connection detection server receives the detection result passed on by the sniffing module and immediately generates an illegal-external-connection alarm.
Key point and protection point of the invention
The key points and protection points of the invention are as follows:
1) Using traffic mirroring, the traffic of the intranet business application system is directed to the intranet illegal-external-connection detection server, an illegal-external-connection detection policy is defined for the business application system, and the sniffing function is enabled;
2) The illegal-external-connection sniffing module defines a private communication protocol and exchanges information with the external public-network illegal-external-connection detection platform, which is what gives the detection its accuracy.
Drawings
FIG. 1 is the application deployment diagram of the non-client-mode passive online illegal-external-connection checking system according to the invention;
FIG. 2 is the flow chart of non-client-mode passive online illegal-external-connection monitoring according to the invention;
FIG. 3 is the schematic structural diagram of the non-client-mode passive online illegal-external-connection detection system according to the invention.
Claims (6)
1. A non-client-mode technique for passively checking online illegal external connections, comprising the following implementation steps:
step 1, deploying an illegal-external-connection detection server in the intranet environment and a forensics platform on the external public network;
step 2, mirroring the traffic of the intranet business application system to the intranet illegal-external-connection detection server, defining an illegal-external-connection detection policy for the business application system, and enabling the illegal-external-connection sniffing function;
step 3, when an intranet terminal accesses the monitored business application system, the illegal-external-connection sniffing module injecting code into the portal page served to it, without modifying the code of the existing business application system;
step 4, the injected sniffing code attempting to reach the public-network forensics platform server from the internal terminal;
step 5, when the public-network forensics platform server receives no detection data from the sniffing module, the terminal host having no illegal external connection channel and no illegal external connection behavior;
step 6, when the public-network forensics platform server receives detection data from the sniffing module, generating an illegal-external-connection alarm within seconds, returning the detection result to the intranet illegal-external-connection detection server, and recording the terminal host's IP/MAC, device ID and other information on the public-network forensics platform;
step 7, the intranet illegal-external-connection detection server receiving the detection result passed on by the sniffing module and immediately generating an illegal-external-connection alarm.
2. The non-client-mode passive online illegal-external-connection checking technique of claim 1, characterized in that an illegal-external-connection detection server is deployed in the intranet environment, a forensics platform is deployed on the external public network, the illegal-external-connection sniffing function is enabled, and the sniffing module performs portal page guidance and code injection without modifying the code of the existing business application system.
3. A non-client-mode passive online illegal-external-connection checking technique, realized by an intranet illegal-external-connection detection module, an external public-network forensics platform and an illegal-external-connection sniffing module, characterized in that:
the intranet illegal-external-connection detection module: deployed in the intranet environment; defines the illegal-external-connection detection policy, enables the sniffing function, passively checks illegal external connection behavior within the intranet and generates an alarm;
the external public-network forensics platform: deployed in the external public-network environment; receives communication requests from the sniffing module in real time and records attribute information of the offending terminal host such as its IP/MAC, user and terminal device ID;
the illegal-external-connection sniffing module: injected into the portal page along with the terminal's business access request; used to detect whether the intranet terminal has a hidden communication channel to the external public network that constitutes an illegal external connection.
4. The non-client-mode passive online illegal-external-connection checking technique of claim 3, wherein when an intranet terminal host accesses the monitored business system, the sniffing module appends its code, and when the business system's reply to the access request, carrying the appended sniffing code, is loaded on the terminal host, the illegal-external-connection detection code is executed immediately.
5. The non-client-mode passive online illegal-external-connection checking technique of claim 3, wherein after the sniffing module receives the special-protocol reply returned by the external public-network forensics platform, it sends the illegal-external-connection attribute data to the intranet illegal-external-connection detection server.
6. The non-client-mode passive online illegal-external-connection checking technique of claim 3 or 5, characterized in that the illegal-external-connection alarm information comprises an intranet alarm and a public-network platform alarm, and the alarm information comprises the terminal host's IP address, MAC address, device ID, the public egress IP of the illegal external connection and the time of the illegal external connection.
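The exchange of claims 1 to 6 (steps 1 to 7 of the description) carried through as an added example; this is not code from the patent and not an implementation of any vendor's product. It models the three components of claim 3 in Python: the intranet detection server assigns a terminal ID and injects the sniffing script into the portal page, the public-network forensics platform treats an arriving beacon as proof of an Internet path, and the detection server verifies the platform's reply and raises an alarm carrying the attribute fields of claim 6. Everything the patent leaves unspecified is assumed here: the JSON beacon format, an HMAC tag over a shared secret standing in for the "private communication protocol", the forensics URL, all class and function names, and that the terminal's IP/MAC/device ID have already been learned from the mirrored traffic.

```python
# Added example, not the patent's own code. Assumed (the patent does not say):
# the JSON beacon format, the HMAC "private protocol", FORENSICS_URL, all names,
# and that IP/MAC/device ID were already learned from the mirrored traffic.
import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from typing import Optional

# Secret shared by the intranet detection server and the public forensics
# platform (assumption). It makes beacons and replies unforgeable.
SHARED_SECRET = b"example-shared-secret-change-me"
FORENSICS_URL = "https://forensics.example.invalid/beacon"  # hypothetical


@dataclass(frozen=True)
class Terminal:  # attributes of an intranet host, as seen in mirrored traffic
    ip: str
    mac: str
    device_id: str


def _mac(*parts: object) -> str:
    """HMAC tag over the given fields (the assumed 'private protocol')."""
    data = "|".join(str(p) for p in parts).encode()
    return hmac.new(SHARED_SECRET, data, hashlib.sha256).hexdigest()


class IntranetDetector:
    """Intranet illegal-external-connection detection server (steps 1-3, 7)."""

    def __init__(self) -> None:
        self.terminals: dict[str, Terminal] = {}  # terminal ID -> attributes
        self.alerts: list[dict] = []

    def register(self, t: Terminal) -> str:
        """Assign the unique terminal ID mentioned under 'Advantages'."""
        tid = hashlib.sha256(f"{t.ip}|{t.mac}|{t.device_id}".encode()).hexdigest()[:16]
        self.terminals[tid] = t
        return tid

    def make_beacon(self, tid: str) -> str:
        """Payload the injected script posts to the forensics platform."""
        return json.dumps({"tid": tid, "tok": _mac("beacon", tid)})

    def inject_beacon(self, html: str, tid: str) -> str:
        """Step 3: add the sniffing script to the portal page on the fly,
        leaving the business application's own code untouched."""
        script = (
            '<script>fetch("' + FORENSICS_URL + '",{method:"POST",body:\''
            + self.make_beacon(tid) + '\'}).then(r=>r.json())'
            '.then(j=>fetch("/ext-report",{method:"POST",body:JSON.stringify(j)}))'
            '</script>'
        )
        return re.sub(r"</body>", lambda m: script + m.group(0), html, count=1, flags=re.I)

    def receive_report(self, reply: dict) -> Optional[dict]:
        """Step 7: the terminal forwards the platform's reply; verify it and
        raise an alarm carrying the claim-6 attribute fields."""
        tid = str(reply.get("tid", ""))
        egress, ts = reply.get("egress_ip"), reply.get("ts")
        if tid not in self.terminals or not hmac.compare_digest(
            _mac("reply", tid, egress, ts), str(reply.get("sig", ""))
        ):
            return None  # unknown terminal or forged reply: no alarm
        t = self.terminals[tid]
        alert = {"source": "intranet", "ip": t.ip, "mac": t.mac,
                 "device_id": t.device_id, "egress_public_ip": egress, "time": ts}
        self.alerts.append(alert)
        return alert


class ForensicsPlatform:
    """Public-network forensics platform (steps 1, 5, 6)."""

    def __init__(self) -> None:
        self.alerts: list[dict] = []

    def handle_beacon(self, body: str, src_public_ip: str, ts: int) -> Optional[dict]:
        """A beacon arriving here is itself the proof of an Internet path."""
        msg = json.loads(body)
        tid = str(msg.get("tid", ""))
        if not hmac.compare_digest(_mac("beacon", tid), str(msg.get("tok", ""))):
            return None  # not one of our beacons: ignore
        reply = {"tid": tid, "egress_ip": src_public_ip, "ts": ts,
                 "sig": _mac("reply", tid, src_public_ip, ts)}
        self.alerts.append({"source": "public", **reply})  # step 6 record
        return reply


def simulate(det: IntranetDetector, plat: ForensicsPlatform, t: Terminal,
             egress_public_ip: Optional[str], ts: int = 1700000000) -> Optional[dict]:
    """One full exchange; egress_public_ip=None models an isolated host
    whose beacon never reaches the platform (step 5)."""
    tid = det.register(t)
    page = det.inject_beacon("<html><body><h1>Portal</h1></body></html>", tid)
    assert "<script>" in page
    if egress_public_ip is None:
        return None  # beacon dropped at the boundary: no alarm anywhere
    reply = plat.handle_beacon(det.make_beacon(tid), egress_public_ip, ts)
    return det.receive_report(reply) if reply else None
```

simulate() returns the intranet alarm for a host whose beacon reaches the platform and None for an isolated host. Two caveats the claims do not spell out: the injected script only exists in responses the detector can rewrite or race, i.e. cleartext HTTP; for a TLS-protected business system the proxy variant under "Alternatives" is needed, with a certificate the terminals trust. And a browser script cannot read the host's MAC address, so the public platform only ever learns the assigned terminal ID and the egress public IP; mapping the ID back to IP/MAC/device ID is the intranet server's job, which register() models. The HMAC tag is what stops a third party from manufacturing an alarm by posting a forged beacon or a forged reply.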
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010240487.6A CN111917701A (en) | 2020-03-31 | 2020-03-31 | Passive checking online violation external connection technology based on non-client mode |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111917701A true CN111917701A (en) | 2020-11-10 |
Family
ID=73237373
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010240487.6A Withdrawn CN111917701A (en) | 2020-03-31 | 2020-03-31 | Passive checking online violation external connection technology based on non-client mode |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111917701A (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112738095A (en) * | 2020-12-29 | 2021-04-30 | 杭州迪普科技股份有限公司 | Method, device, system, storage medium and equipment for detecting illegal external connection |
CN114900377A (en) * | 2022-07-15 | 2022-08-12 | 广州世安信息技术股份有限公司 | Induction data packet-based illegal external connection monitoring method and system |
CN114900377B (en) * | 2022-07-15 | 2022-09-30 | 广州世安信息技术股份有限公司 | Induction data packet-based illegal external connection monitoring method and system |
CN115189964A (en) * | 2022-08-15 | 2022-10-14 | 杭州安恒信息技术股份有限公司 | Illegal external connection detection method, device, equipment and storage medium |
CN115987675A (en) * | 2022-12-30 | 2023-04-18 | 北京明朝万达科技股份有限公司 | Illegal external connection detection method and device, mobile terminal and storage medium |
CN115987675B (en) * | 2022-12-30 | 2024-03-19 | 北京明朝万达科技股份有限公司 | Illegal external connection detection method and device, mobile terminal and storage medium |
CN117319088A (en) * | 2023-11-28 | 2023-12-29 | 北京天防安全科技有限公司 | Method, device, equipment and medium for blocking illegal external connection equipment |
CN117319088B (en) * | 2023-11-28 | 2024-02-23 | 北京天防安全科技有限公司 | Method, device, equipment and medium for blocking illegal external connection equipment |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103441864A (en) * | 2013-08-12 | 2013-12-11 | 江苏华大天益电力科技有限公司 | Method for monitoring illegal external connection of terminal equipment |
CN103391216B (en) * | 2013-07-15 | 2016-08-10 | 中国科学院信息工程研究所 | Illegal external connection alarm and blocking method |
CN106302501A (en) * | 2016-08-27 | 2017-01-04 | 浙江远望信息股份有限公司 | Method for real-time discovery of inter-network communication behavior |
CN107733706A (en) * | 2017-09-30 | 2018-02-23 | 北京北信源软件股份有限公司 | Agentless illegal external connection monitoring method and system |
CN110191102A (en) * | 2019-05-09 | 2019-08-30 | 黄志英 | Comprehensive illegal external connection monitoring system and method |
CN110417821A (en) * | 2019-09-09 | 2019-11-05 | 北京华赛在线科技有限公司 | Networking detection method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2020-11-10 | PB01 | Publication | Application publication date: 20201110 |
 | SE01 | Entry into force of request for substantive examination | |
 | WW01 | Invention patent application withdrawn after publication | |