CN112073371A - Malicious behavior detection method for weak supervision routing equipment - Google Patents
Classifications
- H04L63/1441: Countermeasures against malicious traffic (H04L63/14, network security for detecting or protecting against malicious traffic)
- H04L45/60: Router architectures (H04L45/00, routing or path finding of packets in data switching networks)
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
Abstract
The invention relates to the technical field of malicious behavior detection for routing equipment, and in particular provides a malicious behavior detection method for weakly supervised routing equipment. The method detects and alarms on malicious behaviors suffered by routing equipment and protects network equipment not covered by traditional security measures by loading a lightweight detection system. The detection system uses the default calling interface of the routing equipment operating system and relies on that operating system to monitor the routing equipment and its data flow. The method has low cost, high availability and high extensibility, and can be developed continuously to address subsequent attack threats against routing equipment in weakly supervised environments.
Description
Technical Field
The invention belongs to the technical field of malicious behavior detection of routing equipment, and particularly relates to a malicious behavior detection method for weakly supervised routing equipment.
Background
According to the 2019 industry white paper of the internet, the number of routing devices in the internet is estimated to be at least on the order of ten million. Widely deployed routing devices have become an important attack target for hackers; across the many attack surfaces of routing devices, attacks can be divided into the following stages according to the attack flow: detection scanning, password guessing, vulnerability exploitation, device backdoors, and hidden tampering of configuration. Recent attacks on Russian routing devices have shown that many attack threats have shifted from the traditional PC side and mobile side to routing devices.
Jaspal Kumar et al., through vulnerability analysis of routing equipment, found that an attacker can control routing equipment through a routing protocol vulnerability and tamper with the configuration services of the routing equipment. According to the DDoS attack report for the first quarter of 2019, many MikroTik and Huawei routers were attacked by the Mirai virus, and from 2018 to 2019 many Cisco devices were implanted with Embedded Event Manager (EEM) backdoors.
Compared with PC terminals and mobile terminals, routing equipment is widely deployed, in geographically very different locations, with different operation-and-maintenance measures and security measures. Apart from the core node equipment, which is given certain security measures, a considerable part of routing equipment is in a weakly supervised environment: it is easily implanted with backdoors, and vulnerabilities in the equipment cannot be repaired in time, so the routing equipment faces the threat of malicious attack in the network environment. To address these problems, scholars such as M.I. Mazdadi have proposed a security protection mechanism with honeypot-based intrusion detection as the main means, providing technical support for installing an intrusion detection system for routing equipment. However, for routing equipment deployed in special locations, deploying honeypot equipment or a supervision server is difficult, and a high false negative rate exists.
J.M. Ceron carried out research on digital evidence collection and honeypot technology on routing equipment, tracked the log management systems of routing equipment over a long period, and studied in detail the principles of routing log management engines and management software such as Kiwi Syslog, Snare BackLog, and SpectorSoft.
C. Marrison et al. performed forensic analysis on multiple models of routing devices, including Cisco, TP-Link, H3C, Huawei and MikroTik. Most research on routing equipment mainly extracts physical fingerprint information and device attribute information, and also analyzes the log records of some routing equipment. Niemietz and J. Schwenk performed test evaluations on routing devices from four different manufacturers and demonstrated how these devices are subjected to cyber attacks.
M. Antonakakis et al. carried out statistics and analysis of the attack modes and attack effects on routing equipment through long-term observation of and experiments on routing equipment. Comparing the experimental results of these researchers shows that, whatever attack means the attacker uses, the control level of the network device is ultimately affected: the target device is generally subjected to customized configuration tampering at the control level according to the attacker's needs, and a control backdoor is implanted so that the attacker can conveniently maintain long-term control.
Security researchers can obtain detailed information about attacks on core node routing equipment through physical honeypots, directly connected equipment and other mature technical means, investigate the security of routing equipment, propose protection strategies, and research methods for deploying and scientifically configuring routing equipment to avoid possible attacks, but less research work addresses weakly supervised routing equipment deployed in remote locations. Compared with core routing devices, these routing devices lack effective security monitoring, deploying honeypots and supervision servers for them is costly, and attacks on them cannot be screened at the first opportunity.
Therefore, the invention designs a lightweight detection system that can effectively identify suspicious behaviors against routing equipment and capture attack behavior characteristics by capturing changes in the internal configuration of the equipment combined with packet capture and analysis of the network data flow.
Disclosure of Invention
In view of the defects and problems of existing equipment, the invention makes up for the shortcomings of traditional honeypot systems in deployment and operation for weakly supervised routing equipment, and provides a lightweight malicious behavior detection method based on the routing equipment.
The technical scheme adopted by the invention to solve the technical problems is as follows. A malicious behavior detection method for weakly supervised routing equipment is characterized by comprising the following steps: detecting and alarming on malicious behaviors suffered by the routing equipment, and protecting network equipment not covered by traditional security means by loading a lightweight detection system. The detection system uses the default calling interface of the routing equipment operating system and relies on that operating system to monitor the routing equipment and its data flow. The detection system comprises a device configuration information monitoring module and a device traffic capturing module. The device configuration information monitoring module monitors the configuration information of the routing equipment: using the monitor function interface provided by the routing equipment, it programs a hook on the state at the moment the configuration information changes, and determines whether the configuration information has been tampered with by matching against malicious behavior judgment rules. The device traffic capturing module screens the transit traffic of the device using the capture function of the router IOS system, setting a traffic filtering rule with IP (Internet Protocol) address, port and protocol as parameters, and periodically captures the traffic;
the detection system comprises the following steps:
(1) during the detection period, continuously capture the data traffic of the routing equipment and periodically return the data to the local side at regular times;
(2) monitor the configuration information of the routing equipment; when the configuration information changes, identify and handle malicious attack behaviors according to preset judgment rules, return the router's data traffic from the time of the configuration change to the local side, and analyze it;
(3) after determining that a malicious behavior has occurred, feed the alarm information back to the CLI interface, record the time at which the malicious behavior occurred, locally analyze the data packets of the time period of the malicious behavior, identify the attack mode, and take countermeasures against the malicious behavior.
Further, the method for continuously capturing the data traffic of the routing device comprises the following steps: (1) first, a traffic monitoring tool is connected to the routing device to capture its data flow, the tool being implemented by calling the API (application programming interface) provided by the routing device through Tcl (Tool Command Language); (2) a ring buffer is opened in the memory of the routing equipment; (3) data flow captured with a period of 5 minutes is stored in the buffer; (4) the data flow of each period is then converted to PCAP format and returned to the local side; (5) finally, whether the detection is finished is judged: if detection continues, the buffer is emptied and step (3) is executed again; if detection is finished, the buffer is closed and the detection ends.
Further, monitoring the configuration information of the routing equipment comprises configuration monitoring and service monitoring. Configuration monitoring covers account addition and removal, event planning, task execution and network interface monitoring of the routing equipment in the running state; service monitoring covers the port opening state, the service opening state and the inbound and outbound traffic.
Further, the judgment rules include the following: 1) whether the routing device configuration is modified using an illegal account; 2) whether a configuration modification operation on the routing equipment is accompanied by disabling the system log; 3) whether the time of a configuration modification operation falls within the normal working hours of the administrator; 4) whether the source IP address of the instruction data for a configuration modification operation satisfies the restrictions of the ACL (access control list); 5) whether the communication channel of a configuration modification operation uses an unconventional network protocol or an unconventional port.
Furthermore, the detection system is written in the Tcl language, uses the default function interface of the routing equipment, and establishes a connection with the routing equipment in either of two ways: the first uploads the detection system program to the router flash file directory via FTP, TFTP or similar means; the second transmits the detection program directly into the memory of the routing equipment for direct execution, without storing the program file on the experimental router.
Further, the countermeasures specifically include: 1) setting an ACL (access control list) prevention and control policy based on IP address, port and network protocol against the attack source address; 2) for an illegally opened account, immediately notifying the administrator to remove the account by accessing the device through the serial console line; 3) immediately rolling back the tampered routing equipment configuration information and restoring it to the image stored by the administrator; 4) upgrading the device firmware at the first opportunity, if conditions permit.
The beneficial effects of the invention are as follows. Compared with the traditional detection methods of honeypots and directly connected supervision servers, the method has advantages in three aspects:
1) the detection system is written against the API of the routing equipment, and most routing equipment provides an automated management interface, so the detection system has good universality;
2) the detection system is easy to deploy and highly usable, and can greatly reduce the operating cost of routing equipment deployed at remote locations;
3) the method is highly flexible, can be updated and maintained in real time from the operation-and-maintenance side, responds quickly to emerging security threats, and effectively detects intrusion behaviors against routing equipment.
The detection method for weakly supervised routing equipment ensures stable operation of the equipment while fully feeding back the equipment state. The lightweight detection system is loaded and executed to monitor and alarm on the routing equipment effectively; its continuous capture of attack behaviors and suspicious data makes up for the shortcomings of traditional honeypot systems in deployment and operation, and the method is more adaptable than other security detection means.
The detection method uses the default calling interface of the routing equipment operating system, and since that interface standard is developed on the Linux core, the method is suitable for most brands and models of routing equipment. It avoids affecting the normal operation of the equipment and its data, enhances the reaction capability of the routing equipment to attack behaviors, shows good flexibility and universality, covers the mainstream router attack methods, and has been verified experimentally: the accuracy and success rate of the detection method remain stable under various types of malicious attacks.
To avoid the long-running program affecting the forwarding performance of the equipment, the invention also adds a function for calculating the memory space available for running on the network device, and reduces the load of the detection program on the network device as much as possible while ensuring the normal use of the network device.
Drawings
FIG. 1 is a schematic diagram of the overall framework of the detection method.
Fig. 2 is a schematic diagram of traffic capture on a routing device.
FIG. 3 is a schematic diagram of a detection system.
Detailed Description
The invention is further illustrated with reference to the following figures and examples.
Example 1: the invention analyzes the characteristics of malicious behavior against routing equipment from the viewpoint of the routing equipment's state and of the equipment's data processing and forwarding, extracts the characteristic attributes that differ from normal behavior, summarizes several main malicious attack modes, formulates detection rules from the characteristics of these attack modes, and finally designs an ingress and egress intrusion behavior detection system.
As shown in Fig. 3, the malicious behavior detection system flow for weakly supervised routing equipment detects and alarms on malicious behaviors suffered by the routing equipment and protects network equipment not covered by traditional security measures by loading a lightweight detection system; the detection system uses the default call interface of the routing equipment operating system and relies on that operating system to monitor the routing equipment and its data traffic.
The detection system comprises a device configuration information monitoring module and a device traffic capturing module. The device configuration information monitoring module monitors the configuration information of the routing equipment: using the monitor function interface provided by the routing equipment, it programs a hook on the state at the moment the configuration information changes, and determines whether the configuration information has been tampered with by matching against the malicious behavior judgment rules.
The device traffic capturing module screens the transit traffic of the device using the capture function of the router IOS system, setting traffic filtering rules with IP address, port and protocol as parameters, and periodically captures the traffic.
In a specific implementation, the detection system comprises the following steps:
(1) during the detection period, continuously capture the data traffic of the routing equipment and periodically return the data to the local side at regular times;
(2) monitor the configuration information of the routing equipment; when the configuration information changes, identify and handle malicious attack behaviors according to preset judgment rules, return the router's data traffic from the time of the configuration change to the local side, and analyze it;
(3) after determining that a malicious behavior has occurred, feed the alarm information back to the CLI interface, record the time at which the malicious behavior occurred, locally analyze the data packets of the time period of the malicious behavior, identify the attack mode, and take countermeasures against the malicious behavior.
The method for continuously capturing the data traffic of the routing device in this embodiment comprises the following steps: (1) first, a traffic monitoring tool is connected to the routing device to capture its data flow, the tool being implemented by calling the API (application programming interface) provided by the routing device through Tcl (Tool Command Language); (2) a ring buffer is opened in the memory of the routing equipment; (3) data flow captured with a period of 5 minutes is stored in the buffer; (4) the data flow of each period is then converted to PCAP format and returned to the local side; (5) finally, whether the detection is finished is judged: if detection continues, the buffer is emptied and step (3) is executed again; if detection is finished, the buffer is closed and the detection ends.
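The capture loop of steps (2) to (5) above (and the same steps in the Disclosure), modelled as an added example that is not the patent's Tcl program: packets from an assumed capture source go into a bounded ring buffer, and each 5-minute period is converted to PCAP bytes and emptied; the ring size, the packets and the timestamps are constructed.

```python
"""Added example, not the patent's Tcl program: the capture loop of steps (2)
to (5) modelled in Python. Packets arrive from an assumed capture source as
(timestamp, bytes) pairs, are held in a bounded ring buffer, and at the end of
each 5-minute period the buffer is serialised as a PCAP blob (global header plus
one record per packet) and emptied. The sample packets below are constructed."""
import struct
from collections import deque

PERIOD_SECONDS = 300        # the 5-minute capture period from the text
RING_CAPACITY = 3           # assumed ring size in packets (tiny so overwrite is visible)
PCAP_MAGIC = 0xA1B2C3D4     # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def pcap_global_header(snaplen=65535):
    """24-byte pcap file header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(ts, data):
    """16-byte record header (sec, usec, captured len, original len) followed by the bytes."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(data), len(data)) + data


def to_pcap(items):
    """Step (4): convert one period's buffered packets to PCAP format."""
    return pcap_global_header() + b"".join(pcap_record(ts, d) for ts, d in items)


def parse_pcap(blob):
    """Minimal reader for the local analysis side; returns a list of (timestamp, bytes)."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, out = 24, []
    while off < len(blob):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        out.append((sec + usec / 1_000_000, blob[off:off + incl_len]))
        off += incl_len
    return out


def capture_periods(packets, capacity=RING_CAPACITY, period=PERIOD_SECONDS):
    """Steps (2)-(5). Returns one PCAP blob per elapsed period (the data returned to local).

    The ring keeps only the newest `capacity` packets, so a period busier than the
    buffer loses its oldest packets: size the buffer from the device's free memory.
    """
    ring = deque(maxlen=capacity)                 # step (2): ring buffer in device memory
    exports = []
    period_start = None
    for ts, data in packets:
        if period_start is None:
            period_start = ts
        while ts - period_start >= period:        # a capture period has elapsed
            exports.append(to_pcap(list(ring)))   # step (4): export the period as PCAP
            ring.clear()                          # step (5): detection continues, empty buffer
            period_start += period
        ring.append((ts, data))                   # step (3): store the captured packet
    if ring:                                      # detection finished: flush, then close
        exports.append(to_pcap(list(ring)))
    return exports


# Constructed sample: four packets in the first period (one more than the ring holds),
# then one packet 400 s after the period started, which forces the first export.
SAMPLE_PACKETS = [
    (1000.0, b"A" * 60),
    (1010.5, b"B" * 60),
    (1020.0, b"C" * 60),
    (1030.0, b"D" * 60),
    (1400.0, b"E" * 60),
]

if __name__ == "__main__":
    for i, blob in enumerate(capture_periods(SAMPLE_PACKETS)):
        print(f"period {i}: {len(blob)} bytes, {len(parse_pcap(blob))} packets")
```

Because the ring overwrites its oldest entries, the first exported period holds packets B, C and D but not A; a real deployment sizes the ring from the device's free memory (the function Embodiment 4 adds for that purpose).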
The detection system monitors the configuration information of the routing equipment: while running, the detection program monitors changes to each configuration item of the device in real time; when a configuration changes, the device operation behavior is screened according to the malicious behavior judgment rules, and it is judged whether the operation behavior is an attack behavior.
The main attack behaviors are as follows:
1) Brute-force cracking
Brute-force cracking is a common method of attempting to invade a routing device system: an attacker uses a dictionary attack and tries to enter the system with common username and password combinations. This type of attack is very common and is not usually limited to weakly supervised routing devices; common dictionaries are currently on the order of 28G. By recording the transit traffic of the network device, it can be ascertained whether an attacker is guessing the routing device account password.
2) Illegal hidden account
Setting a hidden account is a common control action for deeply hijacking a routing device. Its working principle is to use the Embedded Event Manager (EEM) function of the routing system to hijack the triggering process of routing operation instructions, redirect the output of their execution results, and filter the added user information out of that output, so that the hidden account remains concealed in the routing system.
3) Covert configuration tampering
Covert configuration tampering occurs after an attacker has taken control of the routing equipment: to make full use of the equipment's performance for further attacks, the target device must be customized and modified for the attacker's purpose. Covert configuration mainly uses the CRON function of the equipment: by configuring a suitable CRON string, the routing equipment is set to execute a specific instruction at a specific time point or time period, scheduling changes to configuration information such as ports, network interfaces and IP addresses, which lets the attacker execute attack behaviors at a specific time.
4) Backdoor setting
To control the routing device more stably, an attacker usually sets a backdoor after obtaining control authority over the router. For versatility, most are TCL/TBC-based backdoor programs (TBC being the file obtained after a TCL script is compiled into intermediate bytecode). This method actually relies on TCL being executable on the routing equipment: an illegal hidden backdoor user loads a malicious script that opens a special port for listening, and the attacker can then directly access and operate the routing equipment through that port with the backdoor user's authority via commands such as telnet/ssh.
Meanwhile, the data packets of the time period in which the configuration changed are analyzed together with the traffic captured in real time by the detection system, and the specific operation details of the routing equipment at the time of the change are studied through comprehensive comparison. If, during detection, an operation behavior judged to be a malicious attack by the detection rules occurs, the attack operation flow and the changed configuration attribute information are recorded. The data packets of the current time period are then analyzed according to their time attributes, the specific change in the data flow when the running state of the routing equipment changed is examined in detail, and an alarm is issued to the equipment management personnel.
Example 2: this example is substantially the same as Example 1, except that the present embodiment further defines the configuration information and the detection rules.
Monitoring the configuration information of the routing equipment comprises configuration monitoring and service monitoring. Configuration monitoring covers account addition and removal, event planning, task execution and network interface monitoring of the routing equipment in the running state; service monitoring covers the port opening state, the service opening state and the inbound and outbound traffic.
The judgment rules include the following: 1) whether the routing device configuration is modified using an illegal account; 2) whether a configuration modification operation on the routing equipment is accompanied by disabling the system log; 3) whether the time of a configuration modification operation falls within the normal working hours of the administrator; 4) whether the source IP address of the instruction data for a configuration modification operation satisfies the restrictions of the ACL (access control list); 5) whether the communication channel of a configuration modification operation uses an unconventional network protocol or an unconventional port.
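The five judgment rules above (also listed in the Disclosure) as a local rule engine over configuration-change events, an added example rather than the patent's own program: the authorized accounts, working hours, management ACL and conventional management channels are assumed administrator policy, and the three events are constructed.

```python
"""Added example, not the patent's program: the five judgment rules applied to
configuration-change events as a local rule engine. The authorized accounts,
working hours, management ACL and conventional management channels are assumed
policy values supplied by the administrator; the events below are constructed."""
from datetime import datetime, time
import ipaddress

# Assumed administrator policy (placeholders, not values from the patent).
AUTHORIZED_ACCOUNTS = {"admin", "netops"}
ADMIN_HOURS = (time(8, 0), time(18, 0))                   # rule 3: normal working hours
MANAGEMENT_ACL = [ipaddress.ip_network("10.114.0.0/16")]  # rule 4: permitted source range
CONVENTIONAL_CHANNELS = {("ssh", 22), ("https", 443)}     # rule 5: expected protocol/port


def rule_illegal_account(ev):
    """Rule 1: configuration modified by an account not in the authorized list."""
    return ev["user"] not in AUTHORIZED_ACCOUNTS


def rule_logging_disabled(ev):
    """Rule 2: the change itself switches off the system log (IOS 'no logging ...')."""
    return any(c.strip().lower().startswith("no logging") for c in ev["commands"])


def rule_outside_admin_hours(ev):
    """Rule 3: change made outside the administrator's normal working time."""
    start, end = ADMIN_HOURS
    return not (start <= ev["when"].time() <= end)


def rule_source_outside_acl(ev):
    """Rule 4: instruction source IP not permitted by the management ACL."""
    src = ipaddress.ip_address(ev["src_ip"])
    return not any(src in net for net in MANAGEMENT_ACL)


def rule_unconventional_channel(ev):
    """Rule 5: management session over an unusual protocol or port."""
    return (ev["proto"].lower(), ev["port"]) not in CONVENTIONAL_CHANNELS


RULES = [
    (1, rule_illegal_account),
    (2, rule_logging_disabled),
    (3, rule_outside_admin_hours),
    (4, rule_source_outside_acl),
    (5, rule_unconventional_channel),
]


def evaluate(ev):
    """Return the numbers of the rules that fire for one configuration-change event."""
    return [num for num, check in RULES if check(ev)]


def alarm(ev):
    """Step (3) of the method: an alarm record carrying the time of the malicious
    behaviour, so the PCAP data of that period can be pulled for local analysis."""
    fired = evaluate(ev)
    if not fired:
        return None
    return {
        "when": ev["when"].isoformat(),
        "user": ev["user"],
        "src": f'{ev["src_ip"]}:{ev["port"]}/{ev["proto"]}',
        "rules": fired,
        "commands": list(ev["commands"]),
    }


# Constructed events (dates and addresses are made up; 203.0.113.0/24 is TEST-NET-3).
BENIGN_CHANGE = {
    "user": "admin", "when": datetime(2020, 7, 30, 10, 15),
    "src_ip": "10.114.3.7", "proto": "ssh", "port": 22,
    "commands": ["interface GigabitEthernet0/1", "description uplink"],
}
OFF_HOURS_CHANGE = dict(BENIGN_CHANGE, when=datetime(2020, 7, 30, 2, 40))
SUSPICIOUS_CHANGE = {
    "user": "sys_hid", "when": datetime(2020, 7, 30, 2, 40),
    "src_ip": "203.0.113.9", "proto": "telnet", "port": 3333,
    "commands": ["no logging on", "username sys_hid privilege 15 secret <redacted>"],
}

if __name__ == "__main__":
    for ev in (BENIGN_CHANGE, OFF_HOURS_CHANGE, SUSPICIOUS_CHANGE):
        print(ev["user"], evaluate(ev), alarm(ev))
```

A single fired rule (the off-hours change by a legitimate administrator) still produces an alarm record, which is the intended behaviour: the rules flag for review, and the recorded time is what selects the capture period to analyze.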
Example 3: this example is substantially the same as Example 1, except that the present embodiment further illustrates the detection system.
The invention captures the attribute state and transit traffic of the routing device by taking advantage of the convenient and practical management function interface that the routing device operating system provides to the user.
The operation process of the detection system is mainly as follows:
1) Upload and deploy the detection system
The first method uploads the detection system program to the router flash file directory via FTP, TFTP or similar means, and executes it from the command line:
Router(2900)#copy tftp://10.114.xxx.xxx/detect.tcl flash:
Router(2900)#tclsh detect.tcl
The second method transmits the detection program directly into the memory of the routing device for direct execution, without storing the program file on the experimental router:
Router(2900)#tclsh tftp://10.114.xxx.xxx/detect.tcl
2) Monitor the equipment state and return the detection results
The detection system opens a storage space on the experimental router to store its processing results, and at the same time uses a return function to transmit the configuration tampering status and the illegal CRON and EEM changes back to the local side for further analysis.
The attacker's intentions are discovered by analyzing the device traffic and the detection results captured by the detection system. Furthermore, for these particular attack types, trends or characteristics of the different types of attacks that routing devices suffer in a weakly supervised environment may be discovered.
3) Analyze the detection results and attack means
Changes to the routing device status information mainly involve the device's attribute information, for example ports, IP addresses, the EEM service, Cron task scheduling and account passwords; after these are judged by the rules, the specific data recorded by the detection system is checked, and whether illegal intrusion behavior exists is judged.
The data traffic of the corresponding time period captured by the detection system is analyzed according to the specific time point at which the intrusion behavior occurred; detailed analysis of this traffic yields the specific operation behavior of the attacker on the equipment at the time of the malicious behavior, and the management is informed to carry out security maintenance of the equipment in light of the actual situation.
The invention can better make up for the shortcomings of security protection for routing equipment deployed in small, scattered, remote and peripheral environments, and provides a simple and easy-to-use intrusion detection scheme for the protection of core nodes and large-scale equipment.
Compared with existing malicious behavior detection methods, the lightweight detection means based on the routing equipment can provide effective security protection for small and medium routing equipment with dispersed deployment and weaker security protection.
Embodiment 4, this embodiment adds a function of a memory space that can be run by the computing network device.
In order to avoid the influence of the long-time running of the program on the forwarding performance of the equipment, the invention also adds the function of calculating the operable memory space of the network equipment, and reduces the load influence of the detection program on the network equipment as much as possible under the condition of ensuring the normal use of the network equipment.
The specific mode is as follows:
in conclusion, the method has the advantages of low cost, high availability and high expansibility, and can be used for continuous development to deal with the subsequent attack threat aiming at the routing equipment in the weak supervision environment.
Claims (6)
1. A malicious behaviour detection method for weakly supervised routing devices, characterised in that: the method detects and raises alarms for malicious behaviour suffered by the routing device, and protects network devices that traditional security and protection measures cannot cover by loading a lightweight detection system; the detection system uses the default call interfaces of the routing device's operating system and relies on that operating system to monitor the routing device and its data traffic; the detection system comprises a device configuration information monitoring module and a device traffic capture module; the device configuration information monitoring module is mainly responsible for monitoring the configuration information of the routing device, uses the monitor function interface provided by the routing device to hook a program into the state change that occurs when the configuration information is modified, and determines, with the aid of malicious behaviour decision rules, whether the configuration information has been tampered with; the device traffic capture module uses the capture function of the router's IOS to filter the transit traffic of the device according to a traffic filtering rule whose parameters are IP address, port and protocol, and captures the traffic periodically;
the detection system performs the following steps:
(1) during the detection period, continuously capturing the data traffic of the routing device and returning the data to the local host at regular intervals;
(2) monitoring the configuration information of the routing device; when the configuration information changes, identifying and handling malicious attack behaviour according to preset decision rules, and returning the router's data traffic from the time of the change to the local host for analysis;
(3) after a malicious behaviour has been identified, feeding the alarm information back to the CLI, recording the time at which the malicious behaviour occurred, analysing locally the packets captured during that time period, identifying the attack pattern, and taking countermeasures against the malicious behaviour.
2. The malicious behaviour detection method for weakly supervised routing devices of claim 1, characterised in that the method for continuously capturing the data traffic of the routing device comprises: (1) first, attaching a traffic monitoring tool to the routing device to capture its data traffic, the traffic monitoring tool being implemented by calling the API provided by the routing device through Tcl (Tool Command Language); (2) opening a ring buffer in the memory of the routing device; (3) storing the data traffic captured in each 5-minute period in the buffer; (4) then converting the data traffic of each period to PCAP format and returning it to the local host; (5) finally, determining whether detection has finished: if detection continues, emptying the buffer and repeating step (3); if detection has finished, closing the buffer and ending detection.
3. The malicious behaviour detection method for weakly supervised routing devices of claim 1, characterised in that monitoring the configuration information of the routing device comprises configuration monitoring and service monitoring, wherein configuration monitoring comprises monitoring, on the routing device in its operating state, the addition and removal of accounts, event scheduling, task execution and the network interfaces; and service monitoring comprises monitoring which ports are open, which services are enabled, and the ingress and egress traffic.
4. The malicious behaviour detection method for weakly supervised routing devices of claim 3, characterised in that the decision rules comprise: 1) whether the configuration of the routing device is modified using an illegal account; 2) whether a configuration modification of the routing device is accompanied by an operation that disables the system log; 3) whether the time of a configuration modification of the routing device falls within the administrator's normal working hours; 4) whether the source IP address of the commands for a configuration modification of the routing device satisfies the restrictions of the ACL (access control list); 5) whether the communication channel used for a configuration modification of the routing device employs an unconventional network protocol or an unconventional port.
5. The malicious behaviour detection method for weakly supervised routing devices of claim 1, characterised in that the detection system uses Tcl (Tool Command Language) together with the default function interfaces of the routing device, and establishes its connection with the routing device in either of two ways: in the first, the detection system program is uploaded to the router's flash file directory by FTP, TFTP or similar means; in the second, the detection program is transferred directly into the memory of the routing device and executed there, without the program file being stored on the test router.
6. The malicious behaviour detection method for weakly supervised routing devices of claim 1, characterised in that the countermeasures specifically comprise: 1) setting an ACL prevention and control policy based on IP address, port and network protocol against the attack source address; 2) for an illegally created account, immediately notifying the administrator to remove the account by accessing the device over the serial console line; 3) immediately rolling back the tampered configuration information of the routing device, restoring it to the mirror copy kept by the administrator; 4) upgrading the device firmware at the first opportunity, if conditions permit.
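The following Python program is an added example of the five decision rules of claim 4 and of the ACL and rollback countermeasures of claim 6; it is not code from the patent or from its authors. The configuration-change events, the authorised-account list, the administrator's working hours, the management ACL networks and the golden configuration are all constructed here. In a deployment the events would come from the configuration-change hook on the router and the golden configuration would be kept off the device. The ACL and rollback lines use Cisco IOS command syntax for illustration only; the patent names no specific commands.

```python
"""Claim-4 decision rules and claim-6 countermeasures over configuration-change events.

Added example; not code from the patent or its authors. Policy values, the
golden configuration and both events are constructed. IOS command syntax is
used only to make the ACL and rollback output concrete.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Policy:
    authorised_users: frozenset      # accounts allowed to change configuration
    admin_hours: tuple               # (start_hour, end_hour) in UTC, end exclusive
    mgmt_networks: tuple             # source networks permitted by the management ACL
    allowed_channels: frozenset      # permitted (protocol, port) pairs for management sessions


@dataclass
class ConfigChange:
    ts: datetime                     # when the configuration-change hook fired
    user: str                        # account that issued the change
    src_ip: str                      # source address of the management session
    protocol: str
    port: int
    commands: list = field(default_factory=list)   # configuration lines the session pushed


def evaluate(change, policy):
    """Return the claim-4 rules the change violates; an empty list means benign."""
    fired = []
    if change.user not in policy.authorised_users:
        fired.append("R1-illegal-account")
    if any(c.strip().startswith("no logging") for c in change.commands):
        fired.append("R2-syslog-disabled")      # logging turned off alongside the change
    start, end = policy.admin_hours
    if not start <= change.ts.astimezone(timezone.utc).hour < end:
        fired.append("R3-outside-admin-hours")
    src = ipaddress.ip_address(change.src_ip)
    if not any(src in ipaddress.ip_network(n) for n in policy.mgmt_networks):
        fired.append("R4-source-not-in-acl")
    if (change.protocol, change.port) not in policy.allowed_channels:
        fired.append("R5-unconventional-channel")
    return fired


def block_source_acl(src_ip, name="BLOCK-ATTACKER"):
    """Claim-6 step 1: extended ACL text denying the attack source (IOS syntax, illustrative)."""
    return "\n".join([f"ip access-list extended {name}",
                      f" deny ip host {src_ip} any",
                      " permit ip any any"])


def negate(line):
    """IOS-style undo of one configuration line: 'no X' becomes 'X', 'X' becomes 'no X'."""
    return line[3:] if line.startswith("no ") else f"no {line}"


def rollback_commands(golden, current):
    """Claim-6 step 3: commands that return `current` to the `golden` mirror.
    Lines the attacker added are negated first, then lines that were removed are re-applied."""
    golden_set, current_set = set(golden), set(current)
    undo = [negate(line) for line in current if line not in golden_set]
    redo = [line for line in golden if line not in current_set]
    return undo + redo


# Constructed policy and golden configuration (assumptions, not from the patent).
POLICY = Policy(
    authorised_users=frozenset({"netadmin"}),
    admin_hours=(8, 18),
    mgmt_networks=("10.0.0.0/24",),
    allowed_channels=frozenset({("ssh", 22)}),
)
GOLDEN = ["hostname edge-r1", "logging host 10.0.0.50", "username netadmin privilege 15"]


def demo():
    """Run two constructed events (one benign, one malicious) through the rules."""
    benign = ConfigChange(datetime(2020, 7, 30, 10, 0, tzinfo=timezone.utc), "netadmin",
                          "10.0.0.5", "ssh", 22, ["interface GigabitEthernet0/1", " description uplink"])
    malicious = ConfigChange(datetime(2020, 7, 30, 3, 0, tzinfo=timezone.utc), "backdoor",
                             "203.0.113.7", "telnet", 23,
                             ["no logging host 10.0.0.50", "username backdoor privilege 15", "ip http server"])
    # The running config as the attacker left it: syslog server removed, two lines added.
    current = [l for l in GOLDEN if l != "logging host 10.0.0.50"] + \
              ["username backdoor privilege 15", "ip http server"]
    return {
        "benign": evaluate(benign, POLICY),
        "malicious": evaluate(malicious, POLICY),
        "acl": block_source_acl(malicious.src_ip),
        "rollback": rollback_commands(GOLDEN, current),
    }
```

The benign change fires no rule; the malicious one fires all five, and the countermeasure output is the ACL that denies 203.0.113.7 plus the three commands that undo the attacker's edits. Rule 3 compares hours in UTC so that a router with a wrong or unset clock does not silently widen the window; rule 4 is evaluated against the management networks rather than against the device's own ACL, because the attacker who can edit the configuration can edit that ACL too, which is also why the golden copy for rollback has to live off the device.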
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010749267.6A CN112073371A (en) | 2020-07-30 | 2020-07-30 | Malicious behavior detection method for weak supervision routing equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010749267.6A CN112073371A (en) | 2020-07-30 | 2020-07-30 | Malicious behavior detection method for weak supervision routing equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112073371A true CN112073371A (en) | 2020-12-11 |
Family
ID=73656669
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010749267.6A Pending CN112073371A (en) | 2020-07-30 | 2020-07-30 | Malicious behavior detection method for weak supervision routing equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112073371A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1363444A2 (en) * | 2002-05-17 | 2003-11-19 | Alcatel | Presence-aware private branch exchange (PBX) |
JP2005094476A (en) * | 2003-09-18 | 2005-04-07 | Canon Inc | Communication device |
CN1921486A (en) * | 2006-09-15 | 2007-02-28 | 北京天地互连信息技术有限公司 | IPv6 remote monitoring device and method |
CN101764752A (en) * | 2009-12-25 | 2010-06-30 | 杭州华三通信技术有限公司 | Method and system for managing remote concentrated image |
CN101977160A (en) * | 2010-11-30 | 2011-02-16 | 中国人民解放军信息工程大学 | Reconfigurable method for routing protocol software components in reconfigurable route switching platform |
CN102025572A (en) * | 2011-01-10 | 2011-04-20 | 中国科学院软件研究所 | Method for preventing and monitoring Internet loop |
CN102685016A (en) * | 2012-06-06 | 2012-09-19 | 济南大学 | Internet flow distinguishing method |
CN102694733A (en) * | 2012-06-06 | 2012-09-26 | 济南大学 | Method for acquiring network flow data set with accurate application type identification |
US10079725B1 (en) * | 2015-04-01 | 2018-09-18 | Cisco Technology, Inc. | Route map policies for network switches |
- 2020-07-30 CN CN202010749267.6A patent/CN112073371A/en active Pending
Non-Patent Citations (2)
Title |
---|
Liu Bingnan (刘秉楠): "A malicious behaviour detection method for weakly supervised routing devices" (《一种针对弱监管路由设备的恶意行为检测方法》), Journal of Information Engineering University (《信息工程大学学报》), vol. 21, no. 3, 15 June 2020 (2020-06-15), pages 362-368 * |
Zeng Yu (曾宇): "A virtual machine-based invasion detection system for the virtual computing environment", High Technology Letters (《高技术通讯(英文版)》), no. 04, 30 December 2006 (2006-12-30) * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115134098A (en) * | 2021-03-12 | 2022-09-30 | 北京沃东天骏信息技术有限公司 | Hacker information acquisition method and device, electronic equipment and storage medium |
CN115134098B (en) * | 2021-03-12 | 2024-03-01 | 北京沃东天骏信息技术有限公司 | Hacker information acquisition method and device, electronic equipment and storage medium |
CN113868643A (en) * | 2021-09-22 | 2021-12-31 | 苏州浪潮智能科技有限公司 | Security detection method and device for running resources, electronic equipment and storage medium |
CN113868643B (en) * | 2021-09-22 | 2023-11-03 | 苏州浪潮智能科技有限公司 | Security detection method and device for running resources, electronic equipment and storage medium |
Similar Documents
Publication | Title |
---|---|
CA2533853C (en) | Method and system for detecting unauthorised use of a communication network |
KR102017810B1 (en) | Preventive Instrusion Device and Method for Mobile Devices |
CN107733878B (en) | Safety protection device of industrial control system |
US20080098476A1 (en) | Method and Apparatus for Defending Against Zero-Day Worm-Based Attacks |
US20030188190A1 (en) | System and method of intrusion detection employing broad-scope monitoring |
KR102222377B1 (en) | Method for Automatically Responding to Threat |
CN111010384A (en) | Self-security defense system and security defense method for terminal of Internet of things |
CN118054973B (en) | Active defense method, system, equipment and medium based on internet access lock |
CN112073371A (en) | Malicious behavior detection method for weak supervision routing equipment |
CN118337540B (en) | Internet of things-based network intrusion attack recognition system and method |
CN115549943B (en) | Four-honey-based integrated network attack detection method |
Singh | Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) For Network Security: A Critical Analysis |
CN111885020A (en) | Network attack behavior real-time capturing and monitoring system with distributed architecture |
JP4159814B2 (en) | Interactive network intrusion detection system and interactive intrusion detection program |
Vokorokos et al. | Network security on the intrusion detection system level |
KR20140078329A (en) | Method and apparatus for defensing local network attacks |
JP4328679B2 (en) | Computer network operation monitoring method, apparatus, and program |
Resmi et al. | Intrusion detection system techniques and tools: A survey |
Sharma et al. | Detecting data exfiltration by integrating information across layers |
Karie et al. | Cybersecurity Incident Response in the Enterprise |
Ranđelović et al. | A test of IDS application open source and commercial source |
CN118523971B (en) | Network security defense method, system, equipment and medium |
KR102450471B1 (en) | System for blocking external intrusion using smart home network pattern analysis based on artificial intelligence and method thereof |
Gheorghe et al. | Attack evaluation and mitigation framework |
Mason et al. | Digital Forensics Process of an Attack Vector in ICS environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20201211 |