CN112073371A - A malicious behavior detection method for weakly supervised routing devices - Google Patents


Info

Publication number: CN112073371A
Authority: CN (China)
Prior art keywords: routing, detection, malicious behavior, monitoring, routing device
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010749267.6A
Other languages: Chinese (zh)
Inventors: 尹小康, 蔡瑞杰, 刘秉楠, 李鹏宇, 杨启超, 陆炫廷, 刘胜利
Current assignee: PLA Information Engineering University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: PLA Information Engineering University
Priority application: CN202010749267.6A (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)


Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic › H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L45/00 Routing or path finding of packets in data switching networks › H04L45/60 Router architectures
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic › H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of malicious behavior detection for routing devices, and specifically provides a malicious behavior detection method for weakly supervised routing devices. The method detects and raises alarms for malicious behavior against routing devices and, by loading a lightweight detection system, protects network devices that traditional security measures cannot cover. The detection system uses the default calling interface of the routing device's operating system and relies on that operating system to monitor both the routing device and its data traffic. The method has low cost, high availability and high extensibility, and can be developed further to deal with subsequent attack threats against routing devices in weakly supervised environments.

Description

A malicious behavior detection method for weakly supervised routing devices

Technical field

The invention belongs to the technical field of malicious behavior detection for routing devices, and specifically relates to a malicious behavior detection method for weakly supervised routing devices.

Background

According to the 2019 Industrial Internet White Paper, the number of routing devices on the Internet is estimated to be at least in the tens of millions. Widely deployed routing devices have become an important target for attackers, and attacks against them appear continuously. By the attack process, an attack can be divided into the following stages: probing and scanning, password guessing, vulnerability exploitation, device backdoors, and covert configuration tampering. Attacks against Russian routing devices in recent years show that a large share of attack threats has shifted from traditional PCs and mobile terminals to routing devices.

Through vulnerability analysis of routing devices, Jaspal Kumar et al. found that routing devices can be controlled through routing protocol vulnerabilities and that the services configured on them can be tampered with. According to the 2019 Q1 DDoS Attack Report, from 2018 to 2019 large numbers of Mikrotik and Huawei routers were attacked by the Mirai virus, and large numbers of Cisco devices were implanted with Embedded Event Manager (EEM) backdoors.

Compared with terminals and mobile devices, routing devices are widely deployed across very different geographical locations, and their operation, maintenance and security measures are uneven. Apart from core node devices, which have certain security measures, a considerable share of routing devices sit in a weakly supervised environment: they are easily implanted with backdoors, their vulnerabilities cannot be patched in time, and they face the threat of malicious attacks from the network. In response to these problems, scholars such as M. I. Mazdadi proposed a security protection mechanism based mainly on honeypot intrusion detection, providing technical support for installing intrusion detection systems on routing devices. However, for routing devices deployed in special locations it is difficult to deploy honeypot devices or supervision servers, and the rate of missed attacks (false negatives) is high.

J. M. Ceron carried out research on digital forensics and honeypot technology for routing devices, tracked routing-device log management systems over a long period, and studied and analyzed in detail the principles of routing-log management engines and management software such as kiwi syslog, bnare backlog and spectorosoft.

Scholars such as C. Marrison conducted forensic analysis on multiple models of routing devices, including Cisco, TP-link, H3C, Huawei and Mikrotik. Most research on routing devices mainly extracts physical fingerprint information and device attribute information, and also analyzes the log records of some routing devices. M. Niemierz and J. Schwenk tested and evaluated routing devices from four different manufacturers and showed how these devices were subjected to network attacks.

M. Antonakakis et al. compiled statistics and analysis of attack methods and their effects on routing devices through long-term observation and experiments. Comparing the experimental results of the relevant researchers shows that, whatever attack method is used, the attack eventually affects the control plane of the network device, and on the control plane the attacker usually tampers with the target device's configuration to fit their needs and implants a control backdoor to facilitate long-term control.

Security researchers can obtain detailed information about attacks on core node routing devices through mature techniques such as physical honeypots and directly connected devices, investigate the security of routing devices, provide protection strategies, and study deployment and sound configuration methods for routing devices to avoid possible attacks, but little research has been done on weakly supervised routing devices deployed in remote locations. Compared with core routing devices, these devices lack effective security monitoring, deploying honeypots and supervision servers for them is costly, and attacks on them cannot be identified promptly.

Accordingly, the present invention designs a lightweight detection system which, by capturing changes in the device's internal configuration and combining them with packet capture and analysis of network traffic, can effectively identify suspicious behavior against routing devices and capture the characteristics of attack behavior.

Summary of the invention

Aiming at the defects and problems of existing equipment, the present invention makes up for the deficiencies of traditional honeypot systems in deployment and operation when targeting weakly supervised routing devices, and provides a lightweight malicious behavior detection method based on the routing device itself. The method is lightweight, easy to use and convenient to deploy, and has high detection accuracy and low resource usage.

The scheme adopted by the present invention to solve its technical problem is a malicious behavior detection method for weakly supervised routing devices, characterized in that: malicious behavior against the routing device is detected and alarmed, and network devices that traditional security measures cannot cover are protected by loading a lightweight detection system. The detection system uses the default calling interface of the routing device's operating system and relies on that operating system to monitor the routing device and its data traffic. The detection system comprises a device configuration information monitoring module and a device traffic capture module. The device configuration information monitoring module mainly monitors the configuration information of the routing device: using the monitor function interface provided by the routing device, a program is written that hooks the state at the moment the configuration information changes and, together with the malicious behavior determination rules, determines whether the configuration information has been tampered with. The device traffic capture module uses the capture function of the router's IOS system; taking IP address, port and protocol as parameters, it sets traffic filtering rules to screen the device's transit traffic and captures traffic periodically.

The detection system comprises the following steps:

(1) During the detection period, continuously capture the routing device's data traffic and periodically send the data back to the local analysis side at fixed intervals;

(2) At the same time, monitor the routing device's configuration information; when the configuration information changes, identify and handle malicious attack behavior according to the preset determination rules, send the router's data traffic from the time of the configuration change back to the local side, and analyze that data traffic;

(3) When malicious behavior is determined to have occurred, feed the alarm information back to the CLI interface and record the time at which the malicious behavior occurred; analyze locally the packets from the time period of the malicious behavior, identify the attack method, and take countermeasures against the malicious behavior.

Further, the method for continuously capturing the routing device's data traffic comprises the following steps: (1) first connect a traffic monitoring tool to the routing device to capture its data traffic, the traffic monitoring tool being implemented in the TCL language by calling the API provided by the routing device; (2) open a ring buffer in the routing device's memory; (3) capture data traffic in 5-minute cycles and save it to the buffer; (4) then dump each cycle's data traffic to PCAP format and send it back to the local side; (5) finally decide whether to end detection: if detection continues, clear the buffer and go back to step (3); if detection ends, close the buffer and detection is finished.

Further, monitoring the routing device's configuration information comprises configuration monitoring and service monitoring. Configuration monitoring covers the addition and removal of accounts, event planning, task execution and network interfaces while the routing device is running; service monitoring covers the state of open ports, the state of enabled services, and inbound and outbound traffic.

Further, the determination rules comprise the following: 1) whether an illegitimate account is used to modify the routing device's configuration; 2) whether the system log is disabled during the configuration modification; 3) whether the time of the configuration modification falls within the administrator's normal working hours; 4) whether the source IP address of the command data satisfies the restrictions of the ACL (access control list) during the configuration modification; 5) whether the communication channel used during the configuration modification uses an unconventional network protocol or an uncommon port.

Further, the detection system uses the TCL industrial control language and the routing device's default function interfaces, and connects to the routing device in one of the following two ways: the first uploads the detection system program to the router's flash file directory by FTP, TFTP or similar; the second transfers the detection program directly into the routing device's memory for immediate execution, so the program file is not stored on the experimental router.

Further, the countermeasures specifically comprise: 1) for the attack source address, set an ACL prevention and control policy based on IP address, port and network protocol; 2) for illegitimately opened accounts, immediately notify the administrator to access the device over the serial console line and clean them up; 3) for tampered routing device configuration information, roll back immediately to the image saved by the administrator; 4) where conditions permit, upgrade the device firmware immediately.

Beneficial effects of the invention: compared with traditional detection methods based on honeypots and directly connected supervision servers, the present invention has three advantages:

1) The detection system is written against the routing device API, and most routing devices provide automated management interfaces, so it has good generality;

2) The detection system is convenient to deploy and easy to use, and for routing devices deployed in remote locations it can greatly reduce operating costs;

3) It is highly flexible: in operation and maintenance it can be updated and maintained in real time, respond quickly to emerging security threats, and effectively detect intrusions against routing devices.

The above detection method for weakly supervised routing devices can fully report the device's status while ensuring its stable operation. By loading and executing a lightweight detection system it monitors routing devices and raises alarms effectively, and its ability to continuously capture attack behavior and suspicious data makes up for the deficiencies of traditional honeypot systems in deployment and operation, making it more adaptable than other security detection means.

The detection method uses the default calling interface of the routing device's operating system, whose interface standard is developed on a Linux core, so the method applies to the vast majority of brands and models of routing devices and avoids affecting the normal operation of the device and its data. It strengthens the routing device's ability to respond to attack behavior and shows good flexibility and generality. It has been experimentally verified against the mainstream router attack methods, and the accuracy rate and success rate of the detection method of the present invention remain stable under many types of malicious attack.

To avoid the impact of a long-running program on the device's forwarding performance, the present invention also adds a function that computes the memory space available for running on the network device, so that, while the network device's normal use is guaranteed, the load the detection program places on it is reduced as far as possible.

Description of the drawings

Figure 1 is a schematic diagram of the overall framework of the detection method.

Figure 2 is a schematic diagram of traffic capture on the routing device.

Figure 3 is a schematic diagram of the principle of the detection system.

Detailed description

The present invention is further described below with reference to the drawings and embodiments.

Embodiment 1: the present invention analyzes the characteristics of malicious behavior against routing devices from the perspective of device state and of device data processing and forwarding, extracts the characteristic attributes that distinguish it from normal behavior, summarizes several mainstream malicious attack methods, formulates detection rules from their characteristics, and finally designs an intrusion behavior detection system.

The flow of the malicious behavior detection system for weakly supervised routing devices is shown in Figure 3. Malicious behavior against the routing device is detected and alarmed, and network devices that traditional security measures cannot cover are protected by loading a lightweight detection system. The detection system uses the default calling interface of the routing device's operating system and relies on that operating system to monitor the routing device and its data traffic.

The detection system comprises a device configuration information monitoring module and a device traffic capture module. The device configuration information monitoring module mainly monitors the routing device's configuration information: using the monitor function interface provided by the routing device, a program is written that hooks the state at the moment the configuration information changes and, together with the malicious behavior determination rules, determines whether the configuration information has been tampered with.

The device traffic capture module uses the capture function of the router's IOS system; taking IP address, port and protocol as parameters, it sets traffic filtering rules to screen the device's transit traffic and captures traffic periodically.

In a specific implementation, the detection system comprises the following steps:

(1) During the detection period, continuously capture the routing device's data traffic and periodically send the data back to the local analysis side at fixed intervals;

(2) At the same time, monitor the routing device's configuration information; when the configuration information changes, identify and handle malicious attack behavior according to the preset determination rules, send the router's data traffic from the time of the configuration change back to the local side, and analyze that data traffic;

(3) When malicious behavior is determined to have occurred, feed the alarm information back to the CLI interface and record the time at which the malicious behavior occurred; analyze locally the packets from the time period of the malicious behavior, identify the attack method, and take countermeasures against the malicious behavior.

The method for continuously capturing the routing device's data traffic in this embodiment comprises the following steps: (1) first connect a traffic monitoring tool to the routing device to capture its data traffic, the traffic monitoring tool being implemented in the TCL language by calling the API provided by the routing device; (2) open a ring buffer in the routing device's memory; (3) capture data traffic in 5-minute cycles and save it to the buffer; (4) then dump each cycle's data traffic to PCAP format and send it back to the local side; (5) finally decide whether to end detection: if detection continues, clear the buffer and go back to step (3); if detection ends, close the buffer and detection is finished.
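The capture loop described in the summary and again in this embodiment (ring buffer in device memory, 5-minute cycles, a PCAP dump per cycle, buffer cleared, buffer closed at the end) can be made concrete without a router. The following is an added example written for this page, not the patent's TCL program: the packet stream is synthetic, the "capture" is a plain function call, the buffer size and the 300-second period are assumptions, and the PCAP writer produces the classic libpcap layout (24-byte global header, 16-byte record header per frame) so the per-cycle output can be opened with ordinary tools.

```python
"""Ring-buffer capture loop with one PCAP export per 5-minute cycle.
Constructed example for illustration, not the patent's own code."""
import struct
from collections import deque
from typing import Deque, List, Tuple

CYCLE_SECONDS = 300          # the 5-minute capture period from the method
PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535

Packet = Tuple[float, bytes]  # (capture timestamp in seconds, raw frame)


class RingBuffer:
    """Fixed-size buffer in device memory: when full, the oldest frame is
    dropped instead of the buffer growing (the memory concern in the text)."""

    def __init__(self, max_bytes: int) -> None:
        self.max_bytes = max_bytes
        self.used = 0
        self.frames: Deque[Packet] = deque()
        self.dropped = 0

    def push(self, pkt: Packet) -> None:
        ts, frame = pkt
        frame = frame[:SNAPLEN]
        while self.frames and self.used + len(frame) > self.max_bytes:
            _, old = self.frames.popleft()
            self.used -= len(old)
            self.dropped += 1
        self.frames.append((ts, frame))
        self.used += len(frame)

    def drain(self) -> List[Packet]:
        """Return everything captured so far and clear the buffer (step 5)."""
        out = list(self.frames)
        self.frames.clear()
        self.used = 0
        return out


def pcap_bytes(packets: List[Packet]) -> bytes:
    """Serialise frames as a libpcap file: global header, then per-record
    header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)
    body = bytearray()
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        body += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return hdr + bytes(body)


def pcap_record_count(data: bytes) -> int:
    """Walk a pcap blob and count its records (checks what was exported)."""
    assert struct.unpack("<I", data[:4])[0] == PCAP_MAGIC
    off, n = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        off += 16 + incl_len
        n += 1
    return n


def run_capture(stream: List[Packet], buf_bytes: int) -> List[bytes]:
    """Feed a time-ordered packet stream through the ring buffer. Each time a
    CYCLE_SECONDS boundary is crossed, dump the buffer to PCAP (step 4) and
    clear it; at the end of detection the remaining frames are dumped too.
    Returns the per-cycle PCAP blobs that would be sent back to the analyst."""
    buf = RingBuffer(buf_bytes)
    exports: List[bytes] = []
    cycle_start = stream[0][0] if stream else 0.0
    for ts, frame in stream:
        if ts - cycle_start >= CYCLE_SECONDS:
            exports.append(pcap_bytes(buf.drain()))
            cycle_start += CYCLE_SECONDS * int((ts - cycle_start) // CYCLE_SECONDS)
        buf.push((ts, frame))
    if buf.frames:
        exports.append(pcap_bytes(buf.drain()))
    return exports


def synthetic_stream() -> List[Packet]:
    """Constructed input: twelve 36-byte frames, one every 60 seconds."""
    header = bytes.fromhex("ffffffffffff00112233445508004500")  # 16 bytes, made up
    return [(1_700_000_000.0 + 60.0 * i, header + bytes([i]) * 20) for i in range(12)]


if __name__ == "__main__":
    for n, blob in enumerate(run_capture(synthetic_stream(), 10_000), 1):
        print(f"cycle {n}: {pcap_record_count(blob)} frames, {len(blob)} bytes")
```

With a buffer large enough for the whole cycle the three exports hold 5, 5 and 2 frames; with a buffer that fits only three frames the oldest frames of each cycle are overwritten and the exports hold 3, 3 and 2, which is the trade-off a small device buffer imposes.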

The detection system monitors the routing device's configuration information. While running, the detection program monitors changes to each of the device's configuration items in real time; when the configuration changes, the device operation that caused it is screened against the malicious behavior determination rules to decide whether the operation constitutes an attack.

The main attack behaviors are the following:

1) Brute-force cracking

Brute-force cracking is a common way of attempting to break into a routing device's system: the attacker tries a dictionary attack, attempting to log in with common username and password combinations. This type of attack is very common and is by no means limited to weakly supervised routing devices; commonly used dictionaries currently reach a size on the order of 28G. By recording the network device's transit traffic, one can determine whether an attacker is guessing the routing device's account passwords.

2) Illegitimate hidden accounts

Setting up a hidden account is a common control behavior for deep hijacking of a routing device. It works by using the routing system's Embedded Event Manager (EEM) function to hijack the triggering of routing operation commands and redirect the output of their execution, filtering out and hiding the added user information, thereby achieving a hidden account on the router system.

3) Covert configuration tampering

Covert configuration tampering means that after an attacker has taken control of a routing device, in order to make full use of the device's capabilities for further attacks, the target device is customized and modified to achieve the attack's purpose. Covert configuration tampering mainly uses the device's CRON function: by configuring a suitable CRON string, the routing device is set to execute specific commands at a specific time or during a specific period, and configuration information such as the routing device's ports, network interfaces and IP addresses is scheduled and changed, making it convenient for the attacker to carry out the attack within a specific time window.

4) Backdoor installation

To control the routing device more stably, the attacker usually installs a backdoor after obtaining control of the router. For generality, most are backdoor programs based on TCL/TBC (a TBC file is a TCL script encrypted into machine intermediate code). The method in fact exploits the executability of TCL on the routing device: a malicious script is loaded via an illegitimately hidden backdoor user and opens a special port to listen on, and the attacker can then access and operate the routing device directly through that special port, with the backdoor user's privileges, using commands such as telnet/ssh.

At the same time, combining the traffic captured by the detection system in real time, the packets from the period in which the configuration changed are analyzed; through comprehensive comparison, the specific operating details of the routing device at the time of the configuration change are worked out. If, during detection, an operation is determined by the detection rules to be a malicious attack, the attack's operation flow and the changed configuration attribute information are recorded. Based on the time attribute, the packets within that time period are analyzed to examine in detail how the data traffic changed when the routing device's operating state changed, and the device administrators are alerted.
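The step just described, pulling the packets from the time window around a rule-triggered configuration change out of the returned capture and reading the attack type off them, is shown below as an added example for this page, not code from the patent. It works on constructed per-connection flow records rather than raw frames (the PCAP from the device would first be reduced to such records), and the window width, the management ports and the "password guessing" threshold are assumptions; the brute-force and backdoor-port patterns it looks for are the two the text names.

```python
"""Window extraction and summary of traffic around a configuration change.
Added example; flow records and thresholds are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

MANAGEMENT_PORTS = {22: "ssh", 23: "telnet"}   # assumed expected management channels
GUESS_THRESHOLD = 20   # assumed: more sessions than this to one port from one host


@dataclass(frozen=True)
class Flow:
    """One client connection to the router, reduced from the capture."""
    ts: float       # seconds
    src: str
    dst: str
    dport: int
    bytes_in: int   # client-to-router payload bytes


def window(flows: List[Flow], change_ts: float,
           before: float = 300.0, after: float = 60.0) -> List[Flow]:
    """Flows whose timestamp lies in [change_ts - before, change_ts + after]:
    the period the text says is analysed once a rule fires."""
    return [f for f in flows if change_ts - before <= f.ts <= change_ts + after]


def summarise(flows: List[Flow]) -> List[Dict]:
    """Per (source, management port) session counts with a coarse label.
    Many short sessions from one host is the password-guessing signature."""
    counts = Counter((f.src, f.dport) for f in flows if f.dport in MANAGEMENT_PORTS)
    findings = []
    for (src, port), n in sorted(counts.items()):
        label = "password guessing suspected" if n > GUESS_THRESHOLD else "management session"
        findings.append({"src": src, "port": port, "service": MANAGEMENT_PORTS[port],
                         "sessions": n, "label": label})
    return findings


def unexpected_ports(flows: List[Flow], expected: Set[int] = frozenset(MANAGEMENT_PORTS)) -> Set[int]:
    """Router ports contacted that are not expected management services:
    a listener opened by a backdoor script shows up here."""
    return {f.dport for f in flows if f.dport not in expected}


def constructed_flows() -> List[Flow]:
    """Constructed sample: one outside host hammers ssh every 5 s for 200 s,
    gets one longer session, then contacts an unusual port; the
    administrator has one normal session in between."""
    router = "192.0.2.1"
    flows = [Flow(100.0, "198.51.100.23", router, 22, 120)]        # long before the window
    flows += [Flow(700.0 + 5 * i, "198.51.100.23", router, 22, 96) for i in range(40)]
    flows.append(Flow(800.0, "10.114.5.7", router, 22, 4096))       # the administrator
    flows.append(Flow(950.0, "198.51.100.23", router, 22, 2048))    # a longer session
    flows.append(Flow(1010.0, "198.51.100.23", router, 2323, 300))  # contact to an unusual port
    return flows


if __name__ == "__main__":
    change_time = 1000.0    # constructed: when the monitor hook saw the config change
    w = window(constructed_flows(), change_time)
    for finding in summarise(w):
        print(finding)
    print("unexpected ports contacted:", unexpected_ports(w))
```

Run against the constructed data, the summary attributes 41 ssh sessions in the window to the outside host and labels them as suspected password guessing, the administrator's single session is reported as normal, and port 2323 is flagged as an unexpected listener that was contacted right after the change.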

Embodiment 2: this embodiment is basically the same as Embodiment 1, except that it further specifies the configuration information and the detection rules.

Monitoring the routing device's configuration information comprises configuration monitoring and service monitoring. Configuration monitoring covers the addition and removal of accounts, event planning, task execution and network interfaces while the routing device is running; service monitoring covers the state of open ports, the state of enabled services, and inbound and outbound traffic.
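The configuration and service items listed here, and in the corresponding paragraph of the summary, can be watched by comparing two snapshots of the running configuration and turning every difference into a change event. The code below is an added example for this page, not the patent's TCL monitor hook: the two IOS-style snapshots are constructed (the password hashes are placeholders), and the grammar covers only the statement types the text names, namely accounts (`username`), event planning (`event manager applet`), task scheduling (`kron`), interfaces, logging and the management services (`line vty`, `ip http`, `ip ssh`).

```python
"""Snapshot diff of an IOS-style running configuration into change events.
Added example; snapshots and classifier table are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str]   # (category, name)

# Top-level statements the monitor cares about; "no ..." forms share the key
# with their positive form so that toggling a setting shows as "changed".
CLASSIFIERS = [
    ("account",   re.compile(r"^username (\S+)")),
    ("eem",       re.compile(r"^event manager applet (\S+)")),
    ("cron",      re.compile(r"^kron (?:occurrence|policy-list) (\S+)")),
    ("interface", re.compile(r"^interface (\S+)")),
    ("logging",   re.compile(r"^(?:no )?(logging .*)$")),
    ("service",   re.compile(r"^(?:no )?(ip http server|ip http secure-server|ip ssh .*|line vty .*)$")),
]


def classify(line: str) -> Key:
    for category, pattern in CLASSIFIERS:
        m = pattern.match(line)
        if m:
            return category, m.group(1)
    return "other", line


def parse_config(text: str) -> Dict[Key, str]:
    """Map each top-level statement (with its indented sub-lines) to a key."""
    items: Dict[Key, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                   # blank or comment line
        if raw.startswith(" ") and current is not None:
            items[current].append(raw.strip())         # belongs to the open block
            continue
        line = raw.strip()
        current = classify(line)
        items[current] = [line]
    return {k: "\n".join(v) for k, v in items.items()}


@dataclass
class ChangeEvent:
    category: str
    name: str
    kind: str       # "added", "removed" or "changed"
    before: str
    after: str


def diff_configs(old_text: str, new_text: str) -> List[ChangeEvent]:
    """Every key added, removed or altered between the two snapshots."""
    old, new = parse_config(old_text), parse_config(new_text)
    events: List[ChangeEvent] = []
    for key in sorted(set(old) | set(new)):
        cat, name = key
        if key not in old:
            events.append(ChangeEvent(cat, name, "added", "", new[key]))
        elif key not in new:
            events.append(ChangeEvent(cat, name, "removed", old[key], ""))
        elif old[key] != new[key]:
            events.append(ChangeEvent(cat, name, "changed", old[key], new[key]))
    return events


# Constructed snapshots. PLACEHOLDER_HASH stands in for a real secret hash.
BEFORE = """\
hostname edge-router
username admin privilege 15 secret 5 PLACEHOLDER_HASH
logging on
logging host 10.0.0.5
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
line vty 0 4
 transport input ssh
"""

AFTER = """\
hostname edge-router
username admin privilege 15 secret 5 PLACEHOLDER_HASH
username svc_backup privilege 15 secret 5 PLACEHOLDER_HASH
no logging on
logging host 10.0.0.5
event manager applet watchdog
 event timer watchdog time 60
 action 1.0 syslog msg "tick"
kron occurrence nightly at 3:00 recurring
 policy-list fetch
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for ev in diff_configs(BEFORE, AFTER):
        print(f"{ev.category:10} {ev.name:22} {ev.kind}")
```

On the constructed pair the diff reports a new account, a new kron occurrence, a new EEM applet, logging switched off and a changed vty transport, which are exactly the five kinds of item (accounts, task execution, event planning, logging and service state) the monitoring module is supposed to notice; the events can then be fed to the determination rules.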

The determination rules comprise the following: 1) whether an illegitimate account is used to modify the routing device's configuration; 2) whether the system log is disabled during the configuration modification; 3) whether the time of the configuration modification falls within the administrator's normal working hours; 4) whether the source IP address of the command data satisfies the restrictions of the ACL (access control list) during the configuration modification; 5) whether the communication channel used during the configuration modification uses an unconventional network protocol or an uncommon port.
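The five determination rules, stated here and in the summary, are a checklist applied to a single configuration change together with the session that made it. The following is an added example for this page, not the patent's code: the event fields, the policy values (allowed accounts, office hours, management ACL, expected channel) and the two sample events are constructed assumptions, and any violated rule raises the alarm, which is the conservative reading of the text.

```python
"""The five determination rules applied to one configuration-change event.
Added example; policy values and events are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass
class Policy:
    """What the administrator considers normal for this router (assumed)."""
    allowed_accounts: Set[str]
    work_start: time = time(8, 0)
    work_end: time = time(18, 0)
    work_days: Set[int] = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon-Fri
    management_acl: Tuple[str, ...] = ("10.114.0.0/16",)      # hypothetical ACL
    expected_channels: Set[Tuple[str, int]] = field(
        default_factory=lambda: {("ssh", 22)})                 # (protocol, port)


@dataclass
class ConfigChange:
    """One hooked configuration change and the session that made it."""
    account: str
    when: datetime
    source_ip: str
    protocol: str
    dst_port: int
    syslog_disabled: bool     # did the session turn system logging off?
    description: str = ""


def evaluate(change: ConfigChange, policy: Policy) -> List[int]:
    """Return the numbers (1..5) of the determination rules the change violates."""
    hits: List[int] = []
    # Rule 1: modification by an account the administrator did not create
    if change.account not in policy.allowed_accounts:
        hits.append(1)
    # Rule 2: system logging switched off during the modification
    if change.syslog_disabled:
        hits.append(2)
    # Rule 3: outside the administrator's normal working hours
    t = change.when.time()
    in_hours = policy.work_start <= t <= policy.work_end
    if change.when.weekday() not in policy.work_days or not in_hours:
        hits.append(3)
    # Rule 4: command source address not permitted by the management ACL
    src = ip_address(change.source_ip)
    if not any(src in ip_network(net) for net in policy.management_acl):
        hits.append(4)
    # Rule 5: unconventional protocol or uncommon port for the channel
    if (change.protocol, change.dst_port) not in policy.expected_channels:
        hits.append(5)
    return hits


def is_malicious(change: ConfigChange, policy: Policy) -> bool:
    """Any violated rule marks the change as malicious behaviour to alarm on."""
    return bool(evaluate(change, policy))


POLICY = Policy(allowed_accounts={"admin", "netops"})

# Constructed events: a routine change by the administrator during office
# hours, and a night-time change by an unknown account over telnet on an
# odd port from outside the management network with logging turned off.
BENIGN = ConfigChange("admin", datetime(2020, 7, 29, 10, 30), "10.114.5.7",
                      "ssh", 22, False, "interface description update")
SUSPECT = ConfigChange("svc_backup", datetime(2020, 7, 29, 2, 15), "198.51.100.23",
                       "telnet", 2323, True, "kron policy added")

if __name__ == "__main__":
    for ev in (BENIGN, SUSPECT):
        verdict = "ALARM" if is_malicious(ev, POLICY) else "ok"
        print(f"{ev.account:12} rules violated: {evaluate(ev, POLICY)} -> {verdict}")
```

The benign change violates no rule; the suspect change trips all five, and the list of violated rule numbers is what the alarm written to the CLI should carry, since it tells the administrator which countermeasure (ACL entry, account clean-up, configuration rollback) applies.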

Embodiment 3: this embodiment is basically the same as Embodiment 1, except that it describes the detection system further.

The routing device's operating system provides users with convenient and practical management function interfaces. The lightweight detection program designed in the present invention uses the TCL industrial control language and the routing device's default function interfaces, and relies on the routing device's operating system to capture the device's attribute state and transit traffic.

The detection system runs as follows:

1) Upload and deploy the detection system

There are two main ways to run the detection system on the experimental router. The first is to upload the detection system program to the router's flash file directory via FTP, TFTP or a similar method, and then execute it from the command line:

Router(2900)# copy tftp://10.114.xxx.xxx/detect.tcl flash:

Router(2900)# tclsh detect.tcl

The second is to transfer the detection program directly into the routing device's memory and execute it there, so that the program file is never stored on the experimental router:

Router(2900)# tclsh tftp://10.114.xxx.xxx/detect.tcl

2) Monitor the device state and return the detection results

The detection system sets aside storage space on the experimental router for its processing results and, using its return-transfer function, sends malicious configuration tampering and unauthorised CRON and EEM changes back to the local side, where they await further analysis.

By analysing the device traffic and detection results captured by the detection system, the attacker's intent can be determined. In addition, for these particular attack types, the trends or characteristics of the different kinds of attack suffered by routing devices in a weakly supervised environment can be identified.

3) Analyse the detection results and the attack methods

Changes in the routing device's state information mainly concern the device's attribute information, for example ports, IP addresses, the EEM service, Cron task scheduling and account passwords. After the rules have been applied, the detection system's specific records are examined to decide whether an unauthorised intrusion has taken place.

Based on the specific time at which the intrusion occurred, the data traffic captured by the detection system for the corresponding period is analysed; a detailed analysis of that traffic yields the attacker's specific actions on the device at the time of the malicious behaviour, and the administrator is notified to carry out security maintenance on the device in light of the actual situation.

The invention can effectively compensate for the shortcomings in security protection of routing devices deployed in small, scattered, remote and edge environments, and provides a simple, easy-to-use intrusion detection scheme for protecting core nodes and large equipment.

Compared with existing malicious behaviour detection methods, the lightweight routing-device-based detection approach supports effective security protection for small and medium-sized routing devices that are deployed in a dispersed manner and have weak security protection.

Embodiment 4: This embodiment adds a function for calculating the memory space available to the network device.

To avoid the detection program's long-running operation affecting the device's forwarding performance, the present invention also adds a function for calculating the memory space available on the network device, so that the load the detection program places on the device is reduced as far as possible while normal use of the network device is guaranteed.

The specific method is as follows:

[Figure: the memory-space calculation, given in the original only as an image]

In summary, the invention has the advantages of low cost, high availability and high extensibility, and can be developed further to address subsequent attack threats against routing devices in weakly supervised environments.

Claims (6)

1. A malicious behavior detection method for weakly supervised routing devices, characterized in that: malicious behavior suffered by a routing device is detected and alarmed, and network devices that traditional security measures cannot cover are protected by loading a lightweight detection system; the detection system uses the default calling interface of the routing device's operating system and relies on that operating system to monitor the routing device and its data traffic; the detection system comprises a device configuration information monitoring module and a device traffic capture module; the device information monitoring module mainly monitors the routing device's configuration information, using the monitor function interface provided by the routing device to write a program that hooks the state at the moment the configuration information changes, and, together with the malicious behavior judgement rules, determines whether the configuration information has been tampered with; the device traffic capture module uses the capture function of the router's IOS system, sets traffic filtering rules with IP address, port and protocol as parameters to screen the device's transit traffic, and captures traffic periodically; the detection system comprises the following steps: (1) during the detection period, continuously capture the routing device's data traffic and return the data to the local side at regular intervals; (2) at the same time, monitor the routing device's configuration information and, according to the preset judgement rules, identify and handle malicious attack behavior when the configuration information changes, returning the router's data traffic at the time of the change to the local side for traffic analysis; (3) once malicious behavior is judged to have occurred, feed the alarm information back to the CLI interface, record the time at which the malicious behavior occurred, analyse the packets from that period locally to identify the attack method, and take countermeasures against the malicious behavior.

2. The malicious behavior detection method for weakly supervised routing devices according to claim 1, characterized in that the method for continuously capturing the routing device's data traffic comprises the following steps: (1) first connect a traffic monitoring tool to the routing device to capture its data traffic, the traffic monitoring tool being implemented in the TCL language by calling the API interface provided by the routing device; (2) open a ring buffer in the routing device's memory; (3) capture data traffic in cycles of 5 minutes and save it to the buffer; (4) then dump each cycle's data traffic in PCAP format and transfer it back to the local side; (5) finally decide whether to end detection: if detection continues, clear the buffer and return to step (3); if detection ends, close the buffer and the detection is finished.

3. The malicious behavior detection method for weakly supervised routing devices according to claim 1, characterized in that monitoring the routing device's configuration information comprises configuration monitoring and service monitoring; the configuration monitoring comprises account additions and removals, event scheduling, task execution and network interface monitoring while the routing device is running; the service monitoring comprises monitoring of open ports, enabled services and incoming and outgoing traffic.

4. The malicious behavior detection method for weakly supervised routing devices according to claim 3, characterized in that the judgement rules comprise: 1) whether an unauthorised account is used to modify the routing device's configuration; 2) whether the system log is disabled during a routing device configuration modification; 3) whether the time of a routing device configuration modification falls within the administrator's normal working hours; 4) whether the source IP address of the command data in a routing device configuration modification satisfies the restrictions of the ACL access control list; 5) whether the communication channel used during a routing device configuration modification employs an unconventional network protocol or an uncommon port.

5. The malicious behavior detection method for weakly supervised routing devices according to claim 1, characterized in that the detection system is written in the TCL industrial control language, uses the routing device's default function interface, and connects to the routing device in either of two ways: the first is to upload the detection system program to the router's flash file directory via FTP, TFTP or a similar method; the second is to transfer the detection program directly into the routing device's memory for execution, without storing the program file on the experimental router.

6. The malicious behavior detection method for weakly supervised routing devices according to claim 1, characterized in that the countermeasures specifically comprise: 1) for the attack source address, setting an ACL prevention and control policy based on IP address, port and network protocol; 2) for unauthorised accounts that have been created, immediately notifying the administrator to access the device over the serial console and clean them up; 3) for tampered routing device configuration information, immediately rolling back to the image saved by the administrator; 4) where conditions permit, upgrading the device firmware at the first opportunity.
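The five-step capture loop of claim 2 (ring buffer in memory, 5-minute cycles, PCAP dump of each cycle, clear and continue until detection ends), as an added example in Python rather than the patent's Tcl program; the frame source, the buffer capacity and the temporary output directory are constructed assumptions:

```python
"""Periodic capture loop of claim 2: frames go into a bounded ring buffer,
each cycle is dumped to a PCAP file and the buffer is cleared. Added example
in Python, not the patent's Tcl program; frames and cycle length constructed."""
import os
import struct
import tempfile
from collections import deque
from typing import Iterable, Tuple

CYCLE_SECONDS = 300             # claim 2: one capture cycle is 5 minutes
PCAP_MAGIC = 0xA1B2C3D4         # libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
Packet = Tuple[float, bytes]    # (capture timestamp, raw frame)

def write_pcap(path: str, packets: Iterable[Packet]) -> Tuple[int, int]:
    """Write frames in libpcap format; return (frame count, bytes written)."""
    count = 0
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                             LINKTYPE_ETHERNET))       # 24-byte global header
        for ts, frame in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            fh.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
            fh.write(frame)
            count += 1
        return count, fh.tell()

def run_capture(packets: Iterable[Packet], out_dir: str,
                capacity: int) -> Tuple[list, int]:
    """Step 2: ring buffer of `capacity` frames; steps 3-4: one PCAP per
    CYCLE_SECONDS window; step 5: clear and continue until input ends."""
    ring = deque(maxlen=capacity)
    written, dropped, cycle_start = [], 0, None

    def dump() -> None:
        path = os.path.join(out_dir, f"cycle_{int(cycle_start)}.pcap")
        written.append((path,) + write_pcap(path, list(ring)))
        ring.clear()

    for ts, frame in packets:
        if cycle_start is None:
            cycle_start = ts
        elif ts - cycle_start >= CYCLE_SECONDS:
            dump()
            cycle_start = ts
        if len(ring) == capacity:
            dropped += 1            # buffer full: the oldest frame is lost
        ring.append((ts, frame))
    if cycle_start is not None:
        dump()                      # final partial cycle when detection ends
    return written, dropped

SAMPLE_PACKETS = [  # constructed: (timestamp, 60-byte placeholder frame)
    (1596067200.0, bytes(60)), (1596067210.5, bytes(60)),
    (1596067499.0, bytes(60)), (1596067500.0, bytes(60)),
    (1596067510.0, bytes(60)),
]

def demo(capacity: int = 4) -> Tuple[list, int]:
    """Run the constructed frames through one session in a temp directory."""
    out_dir = tempfile.mkdtemp(prefix="capture_")
    return run_capture(SAMPLE_PACKETS, out_dir, capacity)
```

The returned drop counter shows the cost of an undersized ring buffer: frames overwritten before the cycle is dumped never reach the local side, which is why the capacity must be matched to the device's available memory (the concern of Embodiment 4).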
CN202010749267.6A 2020-07-30 2020-07-30 A malicious behavior detection method for weakly supervised routing devices Pending CN112073371A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010749267.6A CN112073371A (en) 2020-07-30 2020-07-30 A malicious behavior detection method for weakly supervised routing devices

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010749267.6A CN112073371A (en) 2020-07-30 2020-07-30 A malicious behavior detection method for weakly supervised routing devices

Publications (1)

Publication Number Publication Date
CN112073371A true CN112073371A (en) 2020-12-11

Family

ID=73656669

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010749267.6A Pending CN112073371A (en) 2020-07-30 2020-07-30 A malicious behavior detection method for weakly supervised routing devices

Country Status (1)

Country Link
CN (1) CN112073371A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113868643A (en) * 2021-09-22 2021-12-31 苏州浪潮智能科技有限公司 Safety detection method, device, electronic device and storage medium for operating resources
CN115134098A (en) * 2021-03-12 2022-09-30 北京沃东天骏信息技术有限公司 Hacker information acquisition method and device, electronic equipment and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1363444A2 (en) * 2002-05-17 2003-11-19 Alcatel Presence-aware private branch exchange (PBX)
JP2005094476A (en) * 2003-09-18 2005-04-07 Canon Inc Communication device
CN1921486A (en) * 2006-09-15 2007-02-28 北京天地互连信息技术有限公司 IPv6 remote monitoring device and method
CN101764752A (en) * 2009-12-25 2010-06-30 杭州华三通信技术有限公司 Method and system for managing remote concentrated image
CN101977160A (en) * 2010-11-30 2011-02-16 中国人民解放军信息工程大学 Reconfigurable method for routing protocol software components in reconfigurable route switching platform
CN102025572A (en) * 2011-01-10 2011-04-20 中国科学院软件研究所 Method for preventing and monitoring Internet loop
CN102685016A (en) * 2012-06-06 2012-09-19 济南大学 Internet flow distinguishing method
CN102694733A (en) * 2012-06-06 2012-09-26 济南大学 Method for acquiring network flow data set with accurate application type identification
US10079725B1 (en) * 2015-04-01 2018-09-18 Cisco Technology, Inc. Route map policies for network switches

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘秉楠: "A malicious behavior detection method for weakly supervised routing devices", Journal of Information Engineering University, vol. 21, no. 3, 15 June 2020 (2020-06-15), pages 362-368 *
曾宇: "A virtual machine-based invasion detection system for the virtual computing environment", High Technology Letters (English edition), no. 04, 30 December 2006 (2006-12-30) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115134098A (en) * 2021-03-12 2022-09-30 北京沃东天骏信息技术有限公司 Hacker information acquisition method and device, electronic equipment and storage medium
CN115134098B (en) * 2021-03-12 2024-03-01 北京沃东天骏信息技术有限公司 Hacker information acquisition method and device, electronic equipment and storage medium
CN113868643A (en) * 2021-09-22 2021-12-31 苏州浪潮智能科技有限公司 Safety detection method, device, electronic device and storage medium for operating resources
CN113868643B (en) * 2021-09-22 2023-11-03 苏州浪潮智能科技有限公司 Security detection methods, devices, electronic equipment and storage media for operating resources

Similar Documents

Publication Publication Date Title
Premaratne et al. An intrusion detection system for IEC61850 automated substations
Gu et al. Bothunter: Detecting malware infection through ids-driven dialog correlation.
US7770223B2 (en) Method and apparatus for security management via vicarious network devices
WO2020103454A1 (en) Defense method for configuring weak password vulnerabilities of internal and external network cameras
US20080098476A1 (en) Method and Apparatus for Defending Against Zero-Day Worm-Based Attacks
US20150047032A1 (en) System and method for computer security
CN111385236A (en) Dynamic defense system based on network spoofing
KR101156005B1 (en) System and method for network attack detection and analysis
Kumar et al. A survey on intrusion detection systems for cloud computing environment
CN112398844A (en) Implementation method of traffic analysis based on real-time drainage data of internal and external networks
CN100557545C (en) A Method to Distinguish Unwanted Program Behavior
Song et al. Cooperation of intelligent honeypots to detect unknown malicious codes
Li et al. The research and design of honeypot system applied in the LAN security
CN117319019A (en) A dynamic defense system for power networks based on intelligent decision-making
Sayyed et al. Intrusion Detection System
CN112073371A (en) A malicious behavior detection method for weakly supervised routing devices
Gao et al. Research on the main threat and prevention technology of computer network security
Mudgal et al. Spark-based network security honeypot system: detailed performance analysis
Singh Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) For Network Security: A Critical Analysis
Li-Juan Honeypot-based defense system research and design
Gao et al. Software-defined firewall: Enabling malware traffic detection and programmable security control
Czekster et al. Requirements for designing mobile and flexible applications for online invasion detection and remote control
CN118075035B (en) A method and device for generating honey spots of network cameras based on active defense
Гарасимчук et al. Analysis of principles and systems for detecting remote attacks through the internet
McMillan et al. Efficient dynamic simulation of multiple manipulator systems with singularities

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201211