CN111917701A - Passive checking online violation external connection technology based on non-client mode - Google Patents

Info

Publication number
CN111917701A
Authority
CN
China
Prior art keywords
external connection
illegal external
illegal
public network
intranet
Prior art date
2020-03-31
Legal status
Withdrawn
Application number
CN202010240487.6A
Other languages
Chinese (zh)
Inventor
刘正海
刘超
及晨鸣
及晨明
李京飞
李强
王献奎
Current Assignee
Beijing Ronghui Huafang Technology Co ltd
Original Assignee
Beijing Ronghui Huafang Technology Co ltd
Priority date
2020-03-31
Filing date
2020-03-31
Publication date
2020-11-10

Classifications

    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network security > H04L 63/14 Detecting or protecting against malicious traffic)
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis (H Electricity > H04 Electric communication technique > H04L Transmission of digital information > H04L 41/00 Arrangements for maintenance, administration or management of data switching networks > H04L 41/06 Management of faults, events, alarms or notifications)
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general (H Electricity > H04 Electric communication technique > H04L Transmission of digital information > H04L 63/00 Network security)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a passive, non-client-mode online check for illegal external connections, realized by the following steps: the traffic of the business application system is directed to an intranet illegal external connection server by traffic mirroring, and the illegal external connection sniffing function is started; when an intranet terminal accesses the business application system, the sniffing module is injected into the portal page; the sniffing module communicates with an external public network forensics platform through a private communication protocol; if the communication succeeds, the terminal attribute information is recorded and an illegal external connection alarm is generated; at the same time, the sniffing module returns the terminal attribute information to the intranet illegal external connection detection server, which immediately generates an illegal external connection alarm. The invention can detect illegal external connections on terminal hosts that have no client installed.

Description

Passive checking online violation external connection technology based on non-client mode
Technical Field
The invention belongs to the field of information security and relates to a technology for passively checking online illegal external connections in a non-client mode.
Background
With the rapid development of information technology in recent years and the lack of effective security mechanisms in networks, the threat that internal vulnerabilities pose to important resources is far greater than intrusions from the internet that pass through the firewall, and traditional protection technologies such as firewalls and IDS cannot effectively prevent them.
Most domestic units physically isolate the office intranet from the internet, so that the threats inherent to the internet are kept away from important internal business data. To stop internal employees from privately connecting to the internet, more and more units deploy desktop terminal management software to prevent illegal external connections. However, after long-term use, terminals on which the desktop terminal management software is not or cannot be installed exist in the intranet, so protection against illegal external connections is incomplete and detection gaps exist. At the same time, most unit headquarters cannot comprehensively and effectively supervise how strongly subordinate units protect against illegal external connections; supervision means are lacking, and security incidents caused by illegal external connections are only perceived after the fact.
At present, the detection of illegal external connection behavior is mainly based on a server/client architecture and depends strongly on a client program: a client is installed on every terminal device within the network monitoring range, a detection and management server for illegal external connection behavior is deployed in the network, and the detection and discovery of illegal external connection behavior is realized through a configured policy. In a real network environment, however, terminal types are diverse, and if a special terminal cannot install the client, a management gap appears, so that the illegal external connection defense policy exists in name only.
Therefore, the invention provides a passive detection technology for online illegal external connections based on a non-client mode: no client needs to be deployed on the terminal host, and detection of illegal external connection behavior is still realized.
Disclosure of Invention
The invention mainly studies a technology for passively checking online illegal external connection behavior in the intranet in a non-client mode. Taking into account factors such as the actual state of informatization, the current network situation and existing usage habits, it studies a non-client illegal external connection detection technology that best fits the existing network environment, conforms to existing usage habits and does not affect the network.
The invention provides a non-client-mode passive online illegal external connection detection technology, which comprises the following specific implementation steps:
step 1, deploying an illegal external connection detection server in the intranet environment and deploying a forensics platform in the external public network;
step 2, directing the traffic of the intranet business application system to the intranet illegal external connection detection server by traffic mirroring, formulating an illegal external connection detection policy for the business application system, and starting the illegal external connection sniffing function;
step 3, when an intranet terminal accesses the monitored business application system, the illegal external connection sniffing module is returned to the accessing host's browser along with the requested page;
step 4, the illegal external connection sniffing module, running on the internal terminal, attempts to access the public network forensics platform server;
step 5, when the public network forensics platform server does not receive a private-protocol communication request from the illegal external connection sniffing module, this indicates that the terminal host has no illegal external connection channel and no illegal external connection behavior has occurred;
step 6, when the public network forensics platform server receives the private-protocol communication request from the illegal external connection sniffing module, an illegal external connection alarm is generated within seconds, the detection result is fed back to the intranet illegal external connection detection server, and information such as the terminal host's IP/MAC (Internet Protocol / media access control) address and device ID is recorded on the public network forensics platform;
step 7, the intranet illegal external connection detection server receives the detection result transmitted by the illegal external connection sniffing module and immediately generates an illegal external connection alarm.
Advantages of the present invention
The invention realizes online illegal external connection inspection in a non-client environment and avoids excessive dependence on a client. In addition, the intranet illegal external connection server assigns a unique ID to each terminal in the current intranet environment, and the message that the public network forensics platform receives from the illegal external connection sniffing module carries this terminal ID, so the identity of the illegally connected terminal is confirmed unambiguously and denial is prevented.
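The following is an added example, not code from the patent or its applicant, that walks through steps 1 to 7 and the terminal-ID argument above as a simulated exchange between the three parties: the intranet detection server issues a per-terminal ID and the beacon payload the injected page code would send, the public forensics platform records the beacon together with the egress address it sees, and the intranet server turns the report into an alarm with the fields listed in claim 6. Everything about the "private protocol" is assumed here (a JSON beacon tagged with an HMAC under a key the two servers share), as are the constructed IP/MAC values; traffic mirroring and page injection are not modelled.

```python
"""Added example: simulated non-client external-connection check.

Assumptions (not from the patent): the two servers share SHARED_KEY out of
band, and the private protocol is a JSON beacon carrying the terminal ID
plus an HMAC tag so the platform can reject beacons it did not issue.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

SHARED_KEY = b"constructed-demo-key"  # assumption: provisioned in step 1


@dataclass
class IntranetDetectionServer:
    """Intranet side (steps 1-3 and 7): issues terminal IDs, builds the
    sniffer beacon embedded in the portal page, raises alarms on reports."""
    key: bytes
    terminals: dict = field(default_factory=dict)  # terminal_id -> (ip, mac)
    alarms: list = field(default_factory=list)

    def issue_terminal_id(self, ip: str, mac: str) -> str:
        # Unique ID derived from IP/MAC so a later report maps to one host
        tid = hashlib.sha256(f"{ip}|{mac}".encode()).hexdigest()[:16]
        self.terminals[tid] = (ip, mac)
        return tid

    def sniffer_payload(self, tid: str) -> dict:
        # Beacon the injected page code would send. The HMAC tag ties the
        # beacon to an ID this server issued (the non-repudiation point).
        tag = hmac.new(self.key, tid.encode(), "sha256").hexdigest()
        return {"proto": "ext-check/1", "terminal_id": tid, "tag": tag}

    def on_platform_report(self, report: dict) -> dict:
        # Step 7: a report means a path to the public network exists
        ip, mac = self.terminals[report["terminal_id"]]
        alarm = {
            "host_ip": ip,
            "mac": mac,
            "device_id": report["terminal_id"],
            "egress_public_ip": report["egress_public_ip"],
            "time": report["time"],
        }
        self.alarms.append(alarm)
        return alarm


@dataclass
class PublicForensicsPlatform:
    """Public-network side (steps 4-6): receives beacons, records evidence."""
    key: bytes
    records: list = field(default_factory=list)

    def receive_beacon(self, raw: bytes, egress_ip: str) -> Optional[dict]:
        beacon = json.loads(raw)
        expected = hmac.new(self.key, str(beacon.get("terminal_id", "")).encode(),
                            "sha256").hexdigest()
        if beacon.get("proto") != "ext-check/1" or not hmac.compare_digest(
                expected, str(beacon.get("tag", ""))):
            return None  # forged or malformed beacon: no evidence record
        record = {
            "terminal_id": beacon["terminal_id"],
            "egress_public_ip": egress_ip,  # source address seen by the platform
            "time": datetime.now(timezone.utc).isoformat(),
        }
        self.records.append(record)
        return record


def run_check(ip: str, mac: str, has_internet_path: bool,
              egress_ip: str = "203.0.113.7") -> Optional[dict]:
    """Simulate one terminal visiting the monitored portal.

    Returns the intranet alarm, or None when no beacon reached the platform.
    Addresses are constructed sample values."""
    intranet = IntranetDetectionServer(SHARED_KEY)
    platform = PublicForensicsPlatform(SHARED_KEY)
    tid = intranet.issue_terminal_id(ip, mac)
    beacon = json.dumps(intranet.sniffer_payload(tid)).encode()
    if not has_internet_path:
        return None  # step 5: the beacon never arrives, so no alarm
    record = platform.receive_beacon(beacon, egress_ip)  # step 6
    return intranet.on_platform_report(record) if record else None


if __name__ == "__main__":
    print(run_check("10.0.0.5", "aa:bb:cc:dd:ee:01", True))
    print(run_check("10.0.0.6", "aa:bb:cc:dd:ee:02", False))
```

The check that matters for a defender is the HMAC verification in `receive_beacon`: without it, any party on the internet could send a beacon naming an arbitrary terminal ID and trigger a false alarm against that host, which would undermine the non-repudiation property the patent relies on.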
Alternatives
In the alternative scheme, an intranet illegal external connection detection proxy server and an extranet forensics platform are deployed; a proxy server is configured in the browser of each intranet terminal host, with the server address pointing to the intranet illegal external connection proxy server; the proxy server is configured with the illegal external connection detection policy and works together with the extranet forensics platform, so that online illegal external connection behavior is passively detected in a non-client mode. The concrete steps are as follows:
step 1, deploying an intranet illegal external connection detection proxy server and an extranet forensics platform;
step 2, pointing the proxy setting of the intranet browsers to the IP address of the intranet illegal external connection detection proxy server;
step 3, when an intranet terminal accesses the business application system through the browser via the illegal external connection proxy server, detecting in real time whether illegal external connection behavior exists;
step 4, the illegal external connection detection policy causes the internal terminal to attempt to access the public network forensics platform server;
step 5, when the public network forensics platform does not receive the data packet produced by the illegal external connection detection policy, this indicates that the terminal host has no illegal external connection channel and no illegal external connection behavior has occurred;
step 6, when the public network forensics platform receives the data packet produced by the illegal external connection detection policy, an illegal external connection alarm is generated within seconds, the detection result is fed back to the intranet illegal external connection detection server, and information such as the terminal host's IP/MAC address and device ID is recorded on the public network forensics platform;
step 7, the intranet illegal external connection detection server receives the detection result transmitted by the illegal external connection sniffing module and immediately generates an illegal external connection alarm.
Key point and protection point of the invention
The key points and protection points of the invention are as follows:
1) by traffic mirroring, the traffic of the intranet business application system is directed to the intranet illegal external connection detection server, an illegal external connection detection policy is formulated for the business application system, and the illegal external connection sniffing function is started;
2) the illegal external connection sniffing module defines a private communication protocol and exchanges information with the external public network illegal external connection detection platform, which is what makes the illegal external connection detection accurate.
Drawings
FIG. 1 is an application deployment diagram of the non-client-mode passive online illegal external connection inspection system according to the present invention;
FIG. 2 is a flow chart of non-client-mode passive online illegal external connection monitoring according to the present invention;
FIG. 3 is a schematic structural diagram of the non-client-mode passive online illegal external connection detection system according to the present invention.

Claims (6)

1. The invention provides a non-client-mode passive online illegal external connection detection technology, comprising the following implementation steps:
step 1, deploying an illegal external connection detection server in the intranet environment and deploying a forensics platform in the external public network;
step 2, directing the traffic of the intranet business application system to the intranet illegal external connection detection server by traffic mirroring, formulating an illegal external connection detection policy for the business application system, and starting the illegal external connection sniffing function;
step 3, when an intranet terminal accesses the monitored business application system, the illegal external connection sniffing module injects its code through the portal page without modifying the code of the existing business application system;
step 4, the illegal external connection sniffing module, running on the internal terminal, attempts to access the public network forensics platform server;
step 5, when the public network forensics platform server does not receive detection data from the illegal external connection sniffing module, this indicates that the terminal host has no illegal external connection channel and no illegal external connection behavior;
step 6, when the public network forensics platform server receives detection data from the illegal external connection sniffing module, an illegal external connection alarm is generated within seconds, the detection result is returned to the intranet illegal external connection detection server, and information such as the terminal host's IP/MAC address and device ID is recorded on the public network forensics platform;
step 7, the intranet illegal external connection detection server receives the detection result transmitted by the illegal external connection sniffing module and immediately generates an illegal external connection alarm.
2. The non-client-mode passive online illegal external connection detection technology as claimed in claim 1, characterized in that an illegal external connection detection server is deployed in the intranet environment, a forensics platform is deployed in the external public network, the illegal external connection sniffing function is enabled, and the illegal external connection sniffing module realizes portal page guidance and code injection without modifying the code of the existing business application system.
3. A non-client-mode passive online illegal external connection detection technology realized by an intranet illegal external connection detection module, an external public network forensics platform and an illegal external connection sniffing module, characterized in that:
the intranet illegal external connection detection module is deployed in the intranet environment, formulates the illegal external connection detection policy, starts the illegal external connection sniffing function, passively checks illegal external connection behavior in the intranet and generates alarms;
the external public network forensics platform is deployed in the external public network environment, acquires the communication requests of the illegal external connection sniffing module in real time, and records attribute information such as the IP/MAC (Internet Protocol / media access control) address, user and terminal device ID of the illegally connected terminal host;
the illegal external connection sniffing module is injected through the portal page along with the terminal system's service access request and is used to detect whether the intranet terminal has a hidden communication channel illegally connected to the external public network.
4. The non-client-mode passive online illegal external connection technology as claimed in claim 3, wherein when the intranet terminal host accesses the monitored service system, the illegal external connection sniffing module injects its code, and when the terminal system's service replies to the access request and the injected sniffing module code is loaded on the terminal host, the illegal external connection detection module is executed immediately.
5. The non-client-mode passive online illegal external connection technology as claimed in claim 3, wherein the illegal external connection sniffing module receives the private-protocol reply returned by the external public network forensics platform and then sends the illegal external connection attribute data to the intranet illegal external connection detection server.
6. The non-client-mode passive online illegal external connection technology according to claim 3 or 5, characterized in that the illegal external connection alarm information comprises an intranet illegal external connection alarm and an external public network platform illegal external connection alarm, and the alarm information comprises the terminal host IP address, MAC address, device ID, the public IP address of the illegal external connection egress and the illegal external connection time.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010240487.6A CN111917701A (en) 2020-03-31 2020-03-31 Passive checking online violation external connection technology based on non-client mode

Publications (1)

Publication Number Publication Date
CN111917701A true CN111917701A (en) 2020-11-10

Family

ID=73237373

Country Status (1)

Country Link
CN (1) CN111917701A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103391216B (en) * 2013-07-15 2016-08-10 中国科学院信息工程研究所 An illegal external connection alarm and blocking method
CN103441864A (en) * 2013-08-12 2013-12-11 江苏华大天益电力科技有限公司 Method for monitoring illegal external connection of terminal equipment
CN106302501A (en) * 2016-08-27 2017-01-04 浙江远望信息股份有限公司 A method for real-time discovery of inter-network communication behavior
CN107733706A (en) * 2017-09-30 2018-02-23 北京北信源软件股份有限公司 An agentless illegal external connection monitoring method and system
CN110191102A (en) * 2019-05-09 2019-08-30 黄志英 An illegal external connection comprehensive monitoring system and method
CN110417821A (en) * 2019-09-09 2019-11-05 北京华赛在线科技有限公司 A networking detection method and system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112738095A (en) * 2020-12-29 2021-04-30 杭州迪普科技股份有限公司 Method, device, system, storage medium and equipment for detecting illegal external connection
CN114900377A (en) * 2022-07-15 2022-08-12 广州世安信息技术股份有限公司 Induction data packet-based illegal external connection monitoring method and system
CN114900377B (en) * 2022-07-15 2022-09-30 广州世安信息技术股份有限公司 Induction data packet-based illegal external connection monitoring method and system
CN115189964A (en) * 2022-08-15 2022-10-14 杭州安恒信息技术股份有限公司 Illegal external connection detection method, device, equipment and storage medium
CN115987675A (en) * 2022-12-30 2023-04-18 北京明朝万达科技股份有限公司 Illegal external connection detection method and device, mobile terminal and storage medium
CN115987675B (en) * 2022-12-30 2024-03-19 北京明朝万达科技股份有限公司 Illegal external connection detection method and device, mobile terminal and storage medium
CN117319088A (en) * 2023-11-28 2023-12-29 北京天防安全科技有限公司 Method, device, equipment and medium for blocking illegal external connection equipment
CN117319088B (en) * 2023-11-28 2024-02-23 北京天防安全科技有限公司 Method, device, equipment and medium for blocking illegal external connection equipment

Similar Documents

Publication Publication Date Title
CN111917701A (en) Passive checking online violation external connection technology based on non-client mode
Kruegel et al. Alert verification determining the success of intrusion attempts
US9282114B1 (en) Generation of alerts in an event management system based upon risk
US7028338B1 (en) System, computer program, and method of cooperative response to threat to domain security
KR20090065267A (en) Method and apparaus for analyzing web server log by intrusion detection method
CN111651757A (en) Attack behavior monitoring method, device, equipment and storage medium
CN111786964B (en) Network security detection method, terminal and network security equipment
US9059987B1 (en) Methods and systems of using single sign-on for identification for a web server not integrated with an enterprise network
JP6524789B2 (en) Network monitoring method, network monitoring program and network monitoring device
CN112131577A (en) Vulnerability detection method, device and equipment and computer readable storage medium
US20220103584A1 (en) Information Security Using Blockchain Technology
US20210409446A1 (en) Leveraging network security scanning to obtain enhanced information regarding an attack chain involving a decoy file
CN106209907B (en) Method and device for detecting malicious attack
CN110879889A (en) Method and system for detecting malicious software of Windows platform
KR102414334B1 (en) Method and apparatus for detecting threats of cooperative-intelligent transport road infrastructure
CN113411295A (en) Role-based access control situation awareness defense method and system
CN113411297A (en) Situation awareness defense method and system based on attribute access control
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
CN112231679B (en) Terminal equipment verification method and device and storage medium
CN111314370B (en) Method and device for detecting service vulnerability attack behavior
CN110086812B (en) Safe and controllable internal network safety patrol system and method
CN113922975A (en) Security control method, server, terminal, system and storage medium
CN115883574A (en) Access equipment identification method and device in industrial control network
CN114301796B (en) Verification method, device and system for prediction situation awareness
CN107294994B (en) CSRF protection method and system based on cloud platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20201110