CN112437062B - ICMP tunnel detection method, device, storage medium and electronic equipment - Google Patents


Info

Publication number: CN112437062B
Authority: CN (China)
Legal status: Active
Application number: CN202011257029.XA
Other languages: Chinese (zh)
Other versions: CN112437062A (en)
Inventors: 刘盈, 董叶豪
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Events: application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202011257029.XA; publication of CN112437062A; application granted; publication of CN112437062B; legal status active.

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L12/00 Data switching networks
                    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
                        • H04L12/46 Interconnection of networks
                            • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
                • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L41/14 Network analysis or design
                        • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network


Abstract

An embodiment of the application provides a method, a device, a storage medium and an electronic device for detecting an ICMP tunnel, wherein the method comprises the following steps: acquiring an ICMP data packet; extracting a payload field in the ICMP data packet; calculating a string distance according to the payload field, and constructing a feature vector by using the string distance; and detecting the feature vector by using a pre-trained detection model to determine whether an ICMP tunnel exists. According to the embodiment of the application, the payload field in the ICMP data packet is extracted, the string distance is calculated according to the payload field, the string distance is used to construct the feature vector, and the pre-trained detection model is used to determine whether the ICMP tunnel exists, so that detection of a covert channel carried in ICMP messages is realized and network security can be improved.

Description

ICMP tunnel detection method, device, storage medium and electronic equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting an Internet Control Message Protocol (ICMP) tunnel, a storage medium, and an electronic device.
Background
At present, most ICMP traffic can evade detection by network security devices such as firewalls, and an attacker can use the Internet Control Message Protocol to hide data in the payload part of an ICMP message, thereby forming an ICMP covert channel.
For example, in a malicious attack it is common for an attacker who has somehow gained access to a host to obtain files, such as domain hash values and/or password files, which then need to be transmitted back to the attacker's own site for cracking. The firewall blocks requests initiated from the intranet, but the ICMP protocol alone is not blocked; if the attacker can PING (Packet Internet Groper) a remote computer, the attacker can try to establish an ICMP tunnel, which encapsulates the traffic in PING packets so that the firewall's detection is evaded.
Existing ICMP tunnels therefore exploit characteristics of the network protocol to transmit data covertly, which seriously threatens information security, so the detection of ICMP tunnels is becoming more and more important.
Disclosure of Invention
An embodiment of the present application aims to provide a method, an apparatus, a storage medium, and an electronic device for detecting an ICMP tunnel, so as to improve network security.
In a first aspect, an embodiment of the present application provides a method for detecting an ICMP tunnel, where the method includes: acquiring an ICMP data packet; extracting a payload field in the ICMP data packet; calculating a string distance according to the payload field, and constructing a feature vector by using the string distance; and detecting the feature vector by using a pre-trained detection model to determine whether an ICMP tunnel exists.
Therefore, the embodiment of the application realizes the detection of the hidden channel based on the ICMP data message by extracting the payload field in the ICMP data packet, then calculating the character string distance according to the payload field, constructing the characteristic vector by using the character string distance and determining whether the ICMP tunnel exists by using the pre-trained detection model, thereby improving the network security.
In one possible embodiment, the ICMP packet includes a first request packet, a first response packet, a second request packet, and a second response packet, and the second request packet is a packet adjacent to the first response packet after the first response packet; the string distance includes a first type of string distance determined by calculating a string distance between a payload field in the first request packet and a payload field in the first response packet, a second type of string distance determined by calculating a string distance between a payload field in the first request packet and a payload field in the second request packet, and a third type of string distance determined by calculating a string distance between a payload field in the first response packet and a payload field in the second response packet.
Therefore, the embodiment of the application does not need to extract the preset characteristics of the ICMP data packet and judge whether the transmission content is disordered, but directly extracts the payload field in the ICMP data packet, thereby realizing the detection of the hidden channel based on the ICMP data message and improving the network security.
In one possible embodiment, before the feature vectors are detected by using a pre-trained detection model, the detection method includes: training the initial detection model by using a feature matrix sample to obtain the pre-trained detection model, wherein the feature matrix sample is constructed from feature vector samples.
In one possible embodiment, obtaining an ICMP packet comprises: acquiring the ICMP data packet in an offline manner.
In a second aspect, an embodiment of the present application provides a detection apparatus for an ICMP tunnel, where the detection apparatus includes: an acquisition module for acquiring an ICMP data packet; an extraction module for extracting a payload field in the ICMP data packet; a calculation and construction module for calculating string distances according to the payload fields and constructing feature vectors by using the string distances; and a determining module for detecting the feature vectors by using a pre-trained detection model so as to determine whether an ICMP tunnel exists.
In one possible embodiment, the ICMP packet includes a first request packet, a first response packet, a second request packet, and a second response packet, and the second request packet is a packet adjacent to the first response packet after the first response packet; the string distance includes a first type of string distance determined by calculating a string distance between a payload field in the first request packet and a payload field in the first response packet, a second type of string distance determined by calculating a string distance between a payload field in the first request packet and a payload field in the second request packet, and a third type of string distance determined by calculating a string distance between a payload field in the first response packet and a payload field in the second response packet.
In one possible embodiment, the detection apparatus comprises: a training module for training the initial detection model by using a feature matrix sample to obtain the pre-trained detection model, wherein the feature matrix sample is constructed from feature vector samples.
In one possible embodiment, the obtaining module is configured to obtain the ICMP packet in an offline manner.
In a third aspect, an embodiment of the present application provides a storage medium, where a computer program is stored on the storage medium, and when the computer program is executed by a processor, the computer program performs the method described in the first aspect or any optional implementation manner of the first aspect.
In a fourth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the method of the first aspect or any of the alternative implementations of the first aspect.
In a fifth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of the first aspect or any possible implementation manner of the first aspect.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic diagram illustrating an application scenario provided in an embodiment of the present application;
fig. 2 is a flowchart illustrating a method for detecting an ICMP tunnel according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram illustrating interaction between a first device and a second device provided in an embodiment of the present application;
fig. 4 is a block diagram illustrating a structure of a detection apparatus for an ICMP tunnel according to an embodiment of the present disclosure;
fig. 5 shows a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not construed as indicating or implying relative importance.
Currently, existing ICMP tunnel detection methods mainly fall into two categories. The first acquires ICMP data packets, extracts preset features from them, performs feature statistics on the preset features to obtain a target feature vector, and finally applies a detection model to the target feature vector to determine whether an ICMP tunnel exists. The second parses the captured ICMP traffic to obtain a transmission identifier and the transmitted content, and judges whether the transmitted content is scrambled; if it is, it judges whether the request content and the response content corresponding to the target transmission identifier are the same, and if they are not, it determines that covert-channel communication is taking place on that transmission identifier.
However, the first method needs to extract preset features from the ICMP packet, and there is no uniform standard for judging how accurate the extracted preset features are; moreover, while performing feature statistics on the preset features, some features may go uncounted because of the large data volume, which can greatly distort the statistical values. The second scheme, which identifies ICMP-based covert-channel communication by traffic analysis, must decide whether the transmitted content is scrambled, but the threshold for that decision is hard to determine, so normal content may be judged scrambled or abnormal content judged not scrambled, which affects the accuracy of the subsequent determination of whether covert-channel communication exists.
Based on this, an embodiment of the present application provides a detection scheme for an ICMP tunnel, where an ICMP packet is obtained, a payload (payload) field in the ICMP packet is then extracted, a string distance is then calculated according to the payload field, a feature vector is constructed by using the string distance, and finally a pre-trained detection model is used to detect the feature vector to determine whether the ICMP tunnel exists.
Therefore, the embodiment of the application realizes the detection of the hidden channel based on the ICMP data message by extracting the payload field in the ICMP data packet, then calculating the character string distance according to the payload field, constructing the characteristic vector by using the character string distance and determining whether the ICMP tunnel exists by using the pre-trained detection model, thereby improving the network security.
In order to facilitate understanding of the embodiments of the present application, the following description will be given by way of specific examples.
"String distance": the number of characters that must be replaced to convert one string into another.
For example, the string distance between the string "1017101" and the string "1007001" is 2.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating an application scenario provided in an embodiment of the present application. The application scenario as shown in fig. 1 includes a first device, a network security device, and a second device.
It should be understood that the specific apparatus of the first device, the specific apparatus of the network security device, and the specific apparatus of the second device may all be set according to actual requirements, and the embodiment of the present application is not limited thereto.
For example, where the first device is a client, the second device may be a server; in the case where the first device is a server, the second device may be a client.
For another example, the network security device may be a firewall, or may be a router.
In order to facilitate understanding of the embodiments of the present application, the following description will be given by way of specific examples.
Specifically, the network security device may capture an ICMP packet used in an interactive process between the first device and the second device, and since the ICMP packet includes a payload field, the network security device may extract the payload field from the ICMP packet. Then, the network security device may calculate a string distance according to the payload field and construct a feature vector using the string distance. Finally, the network security device may detect the feature vector using a pre-trained detection model to determine whether an ICMP tunnel exists.
It should be noted that the ICMP tunnel detection scheme provided in the embodiment of the present application may be further extended to other suitable implementation scenarios, and is not limited to the application scenario shown in fig. 1.
Referring to fig. 2, fig. 2 is a flowchart illustrating a method for detecting an ICMP tunnel according to an embodiment of the present application. The detection method shown in fig. 2 includes:
step S210, the network security device acquires the ICMP data packet.
It should be understood that the specific process of the network security device acquiring the ICMP packet may be set according to actual requirements, and the embodiment of the present application is not limited thereto.
For example, the network security device may obtain the ICMP packets offline, so that the gateway device can read the ICMP packets directly. That is, the ICMP tunnel detection method in the embodiment of the present application need not be a real-time detection scheme; it may be an offline detection scheme.
It should be further understood that the specific number of ICMP data packets may be set according to actual requirements, as long as it is not less than the number of packets corresponding to two interactions between the first device and the second device. That is, the ICMP data packets at least include a first request packet, a first response packet, a second request packet and a second response packet, where the first response packet is the packet corresponding to the first request packet (for example, when the first request packet is sent by the first device to the second device, the first response packet is the response sent by the second device to the first device for that request), the second request packet is the packet after and adjacent to the first response packet, and the second response packet is the packet corresponding to the second request packet; the embodiment of the present application is not limited in this respect.
For example, the ICMP packet may include packets corresponding to ten interactive processes of the first device and the second device.
It should be noted here that, when the first device and the second device have m interactions, the first request packet and the first response packet may be the packets of the n-th interaction among the first m-1 interactions, and correspondingly the second request packet and the second response packet are the packets of the (n+1)-th interaction. Here m is a positive integer of 2 or more, and n is a positive integer of 1 or more and m-1 or less.
For example, when the first device and the second device have 10 interactions, the first request packet and the first response packet may be, for example, the packets of the 1st interaction, the 5th interaction or the 9th interaction.
It should be further noted that, in this embodiment, an interaction procedure may refer to the first device sending a request packet to the second device, and the second device sending a response packet corresponding to the request packet back to the first device.
Step S220, the network security device extracts the payload field in the ICMP packet.
Specifically, in the case where the number of ICMP packets is plural, the network security device may extract a payload field in each of the plural ICMP packets.
Step S230, the network security device calculates the string distances according to the payload fields and constructs the feature vector by using the string distances.
It should be understood that the manner of obtaining the string distance may be set according to actual requirements, and the embodiment of the present application is not limited thereto.
Optionally, referring to fig. 3, fig. 3 shows a schematic diagram of interaction between a first device and a second device provided in the embodiment of the present application. As shown in fig. 3, the first device first sends a Type 8 (Echo Request) packet to the second device, and the second device sends a Type 0 (Echo Reply) packet back to the first device. By analogy, a request packet sent by the first device to the second device together with the corresponding response packet sent back by the second device constitutes an 8-0 pair; the request packets of two adjacent interactions (that is, two consecutive request packets sent by the first device to the second device) constitute an 8-8 pair; and the response packets of two adjacent interactions (two consecutive response packets sent back by the second device to the first device) constitute a 0-0 pair.
Further, the string distances may include a first type string distance corresponding to 8-0 pairs, a second type string distance corresponding to 8-8 pairs, and a third type string distance corresponding to 0-0 pairs.
That is, in the case where the ICMP packet includes a first request packet, a first response packet, a second request packet, and a second response packet, and the second request packet is a packet adjacent to the first response packet after the first response packet, the first-type string distance is determined by calculating a string distance between a payload field in the first request packet and a payload field in the first response packet; the second type of character string distance is determined by calculating the character string distance between the payload field in the first request data packet and the payload field in the second request data packet; the third type of string distance is determined by calculating the string distance between the payload field in the first response packet and the payload field in the second response packet.
It should be noted here that although there are many ICMP packet types (for example, Type 3 indicates destination unreachable), only Type 8 and Type 0 form matched request/response pairs.
It should be further noted that, in order to clearly illustrate the interaction process between the first device and the second device, the network security device is not shown in fig. 3.
It should be further noted that, although fig. 3 only shows 3 times of interaction processes, it should be understood by those skilled in the art that the number of interactions between the first device and the second device may also be set according to actual requirements, and the embodiment of the present application is not limited thereto.
In order to facilitate understanding of the embodiments of the present application, the following description is given by way of specific examples.
Specifically, in the case where the ICMP packet may include a first request packet, a first response packet, a second request packet, and a second response packet, the network security apparatus may calculate a string distance a between a payload field in the first request packet and a payload field in the first response packet, and the network security apparatus may further calculate a string distance b between a payload field in the first request packet and a payload field in the second request packet, and the network security apparatus may further calculate a string distance c between a payload field in the first response packet and a payload field in the second response packet.
Thus, for two interactive processes of the first device and the second device, the network security device can construct a feature vector [ a, b, c ] by using the character string distance a, the character string distance b and the character string distance c.
Correspondingly, in the case that the ICMP packet further includes other request packets and other response packets, it may sequentially obtain corresponding feature vectors according to the above process.
In order to facilitate understanding of the embodiments of the present application, the following description will be given by way of specific examples.
Optionally, with continued reference to fig. 3, the network security device extracts the payload fields of the two packets in the first 8-0 pair and calculates the string distance a₁ between them.
The network security device then extracts the payload fields of the two packets in the second 8-0 pair. It can then calculate the string distance b₁ between the payload field of the Type 8 packet in the first 8-0 pair and the payload field of the Type 8 packet in the second 8-0 pair, and the string distance c₁ between the payload field of the Type 0 packet in the first 8-0 pair and the payload field of the Type 0 packet in the second 8-0 pair.
Thus, for the first two 8-0 pairs, the network security device can construct a feature vector [a₁, b₁, c₁] from the three string distances.
The network security device can likewise calculate the string distance a₂ between the payload field of the Type 8 packet and the payload field of the Type 0 packet in the second 8-0 pair, the string distance b₂ between the payload field of the Type 8 packet in the second 8-0 pair and the payload field of the Type 8 packet in the third 8-0 pair, and the string distance c₂ between the payload field of the Type 0 packet in the second 8-0 pair and the payload field of the Type 0 packet in the third 8-0 pair.
Thus, for the second and third 8-0 pairs, the network security device can construct a feature vector [a₂, b₂, c₂] from the three string distances.
By analogy, the network security device may take similar actions as described above for the third 8-0 pair, the fourth 8-0 pair, and the fifth 8-0 pair to obtain the remaining feature vectors.
In step S240, the network security device detects the feature vector by using a pre-trained detection model to determine whether an ICMP tunnel exists.
It should be understood that the model structure, the training process, and the like of the detection model may be set according to actual requirements, and the embodiments of the present application are not limited thereto.
Alternatively, a plurality of feature vector samples are obtained, and a feature matrix sample for training the detection model is constructed from them. The initial detection model is then trained with the feature matrix sample to obtain the trained detection model. The process of obtaining the feature vector samples is similar to that of step S230 and is not described again here; refer to the description of step S230.
It should also be understood that the process of constructing feature matrix samples by using multiple feature vector samples may be set according to actual requirements, and the embodiments of the present application are not limited thereto.
For example, when a first, a second and a third feature vector sample are acquired, the network security device may use the first feature vector sample as the top row of the feature matrix sample, the second feature vector sample as the middle row and the third feature vector sample as the bottom row. The first, second and third feature vector samples are ordered according to the interaction sequence of the first device and the second device.
In addition, the output of the trained detection model may be a first probability that an ICMP tunnel exists and a second probability that no ICMP tunnel exists. The network security device may then decide whether an ICMP tunnel is present from the magnitudes of the two probabilities (for example, when the first probability is greater than the second probability and also greater than a preset probability, the network security device determines that an ICMP tunnel exists).
It should also be understood that the specific procedure for determining whether an ICMP tunnel exists may be set according to actual requirements, and the embodiments of the present application are not limited in this respect.
Optionally, when the trained detection model yields a detection result for each of the at least one feature vector, the existence of an ICMP tunnel may be determined directly as soon as at least one of the detection results indicates that an ICMP tunnel exists.
For example, when 10 detection results are obtained and inspection shows that one of them indicates that an ICMP tunnel exists, it can be determined directly that an ICMP tunnel exists.
Optionally, when the trained detection model yields a detection result for each of the at least one feature vector, a first total number of detection results indicating that an ICMP tunnel exists and a second total number of detection results indicating that no ICMP tunnel exists may be counted. If the first total number is greater than or equal to the second total number, it is determined that an ICMP tunnel exists; if the first total number is less than the second total number, it may be determined that no ICMP tunnel exists.
For example, when 10 detection results are obtained and 6 of them indicate that an ICMP tunnel exists, it is determined that an ICMP tunnel exists.
It should be noted that, for a normal ICMP echo exchange, the payload of the response packet echoes the payload of its request packet (an echo reply returns the data received in the echo request), so the two should be the same, whereas for an abnormal ICMP exchange the request packet and its corresponding response packet differ (for example, the request packet is small but the response packet is large). The embodiments of the present application detect whether an ICMP tunnel exists on the basis of this principle.
Therefore, in the embodiments of the present application, the payload field is extracted directly from the ICMP packet, without extracting preset features of the ICMP packet and without judging whether the transmitted content is disordered; a string distance is then calculated from the payload fields, a feature vector is constructed from the string distances, and the feature vector is detected with a pre-trained detection model to determine whether an ICMP tunnel exists. Detection of a covert channel carried in ICMP messages is thereby realized, and network security can be improved.
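The following is an added worked example, not code from the patent or from the applicant. It implements the pipeline described above end to end: payload extraction from ICMP echo packets, the three string distances of the claimed feature vector (request versus its response, request versus the next request, response versus the next response), stacking of the vectors in interaction order, the probability decision rule, and the two aggregation rules (any positive result, or positives at least equal to negatives). Assumptions not fixed by the patent: Levenshtein distance over raw bytes is used as the "string distance"; a threshold function (`stand_in_model`) stands in for the trained detection model; all packets are constructed samples, and the IP header is taken to be already stripped.

```python
"""Added example: feature extraction and decision rules for ICMP tunnel detection.
Assumptions (not from the patent): Levenshtein as the string distance, a threshold
stand-in for the trained model, constructed sample packets with no IP header."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


@dataclass
class Icmp:
    icmp_type: int
    ident: int
    seq: int
    payload: bytes


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed sample: 8-byte echo header (type, code, checksum left 0, id, seq) + data."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


def parse_icmp(raw: bytes) -> Icmp:
    """Extract the payload field: everything after the echo header (IP header already stripped)."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return Icmp(icmp_type, ident, seq, raw[8:])


def levenshtein(a: bytes, b: bytes) -> int:
    """Edit distance over raw bytes (assumed metric; the patent only says 'string distance')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def pair_exchanges(packets: Sequence[Icmp]) -> List[Tuple[Icmp, Icmp]]:
    """Match each echo request with its reply by (identifier, sequence), in arrival order."""
    pending: Dict[Tuple[int, int], Icmp] = {}
    exchanges: List[Tuple[Icmp, Icmp]] = []
    for p in packets:
        key = (p.ident, p.seq)
        if p.icmp_type == ICMP_ECHO_REQUEST:
            pending[key] = p
        elif p.icmp_type == ICMP_ECHO_REPLY and key in pending:
            exchanges.append((pending.pop(key), p))
    return exchanges


def feature_vectors(exchanges: Sequence[Tuple[Icmp, Icmp]]) -> List[Tuple[int, int, int]]:
    """One vector per adjacent exchange pair: (d(req1,resp1), d(req1,req2), d(resp1,resp2)).
    The list, in interaction order, is the row set of the feature matrix."""
    return [(levenshtein(q1.payload, r1.payload),
             levenshtein(q1.payload, q2.payload),
             levenshtein(r1.payload, r2.payload))
            for (q1, r1), (q2, r2) in zip(exchanges, exchanges[1:])]


def stand_in_model(vec: Tuple[int, int, int], scale: int = 8) -> Tuple[float, float]:
    """Placeholder for the trained detection model (assumption: its type is not fixed by the
    patent). Benign echo traffic returns the request data unchanged and repeats nearly the same
    payload, so a distance of `scale` bytes or more is treated as fully tunnel-like.
    Returns (first probability: tunnel exists, second probability: no tunnel)."""
    p_tunnel = min(1.0, max(vec) / scale)
    return p_tunnel, 1.0 - p_tunnel


def tunnel_from_probabilities(p_tunnel: float, p_normal: float, preset: float = 0.6) -> bool:
    """Decision rule of the description: first probability exceeds the second and a preset value."""
    return p_tunnel > p_normal and p_tunnel > preset


def any_positive(results: Sequence[bool]) -> bool:
    """Aggregation rule 1: one positive detection result is enough."""
    return any(results)


def majority(results: Sequence[bool]) -> bool:
    """Aggregation rule 2: tunnel if positives >= negatives; no results means no decision."""
    if not results:
        return False
    pos = sum(results)
    return pos >= len(results) - pos


def detect(raw_packets: Sequence[bytes], aggregate=majority) -> bool:
    vecs = feature_vectors(pair_exchanges([parse_icmp(r) for r in raw_packets]))
    return aggregate([tunnel_from_probabilities(*stand_in_model(v)) for v in vecs])


def ping_payload(ts: int) -> bytes:
    """Constructed ping-like 56-byte payload: 8-byte timestamp followed by a fixed pattern."""
    return struct.pack("!Q", ts) + bytes(range(0x08, 0x38))


# Constructed samples, not captured traffic. Benign: every reply echoes its request.
BENIGN = [build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, ping_payload(1700000000)),
          build_echo(ICMP_ECHO_REPLY, 0x1234, 1, ping_payload(1700000000)),
          build_echo(ICMP_ECHO_REQUEST, 0x1234, 2, ping_payload(1700000001)),
          build_echo(ICMP_ECHO_REPLY, 0x1234, 2, ping_payload(1700000001))]
# Tunnel-like: the request carries one string and the reply a different one; nothing is echoed.
TUNNEL = [build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"id"),
          build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"uid=0(root)"),
          build_echo(ICMP_ECHO_REQUEST, 0x1234, 2, b"pwd"),
          build_echo(ICMP_ECHO_REPLY, 0x1234, 2, b"/root")]

if __name__ == "__main__":
    for name, pkts in (("benign", BENIGN), ("tunnel", TUNNEL)):
        vecs = feature_vectors(pair_exchanges([parse_icmp(r) for r in pkts]))
        print(name, vecs, "tunnel" if detect(pkts) else "no tunnel")
```

Two caveats a practitioner should keep in mind. Common ping implementations place a timestamp in the leading bytes of the echo payload, so the second- and third-type distances are small but non-zero for benign traffic (the constructed benign samples mimic this), which is why a learned threshold rather than "any difference" is needed. Conversely, a tunnel whose far end returns the request data unchanged and only varies the request payload defeats the first-type distance alone; the second- and third-type distances are what still expose it, so all three features should reach the model. When applied to an offline capture, the Ethernet and IPv4 headers must be removed before `parse_icmp`, and the ICMP checksum should be verified rather than left at zero as in the constructed samples.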
It should be understood that the above ICMP tunnel detection method is only exemplary; those skilled in the art may make various modifications to it, and the modified solutions also fall within the scope of the present application.
Referring to fig. 4, fig. 4 shows a structural block diagram of a detection apparatus 400 for an ICMP tunnel according to an embodiment of the present application. It should be understood that the detection apparatus 400 can perform the steps of the above method embodiment, and that its specific functions are as described above; detailed descriptions are omitted here where appropriate to avoid repetition. The detection apparatus 400 includes at least one software function module, which may be stored in a memory in the form of software or firmware or fixed in the operating system (OS) of the detection apparatus 400. Specifically, the detection apparatus 400 includes:
an obtaining module 410, configured to obtain an ICMP packet; an extracting module 420, configured to extract the payload field in the ICMP packet; a calculation and construction module 430, configured to calculate a string distance from the payload field and construct a feature vector from the string distance; and a determining module 440, configured to detect the feature vector with a pre-trained detection model to determine whether an ICMP tunnel exists.
In one possible embodiment, the ICMP packet includes a first request packet, a first response packet, a second request packet, and a second response packet, and the second request packet is a packet adjacent to the first response packet after the first response packet; the string distance includes a first type of string distance determined by calculating a string distance between a payload field in the first request packet and a payload field in the first response packet, a second type of string distance determined by calculating a string distance between a payload field in the first request packet and a payload field in the second request packet, and a third type of string distance determined by calculating a string distance between a payload field in the first response packet and a payload field in the second response packet.
In one possible embodiment, the detection apparatus 400 further includes a training module (not shown), configured to train an initial detection model with a feature matrix sample to obtain the pre-trained detection model, wherein the feature matrix sample is constructed from feature vector samples.
In one possible embodiment, the obtaining module 410 is specifically configured to obtain the ICMP packet in an off-line manner.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may be understood with reference to the corresponding process in the foregoing method, and is not described in detail here.
Fig. 5 shows a block diagram of an electronic device 500 according to an embodiment of the present application. As shown in fig. 5, the electronic device 500 may include a processor 510, a communication interface 520, a memory 530, and at least one communication bus 540. The communication bus 540 is used for direct connection communication between these components. The communication interface 520 of the device in the embodiment of the present application is used for signaling or data communication with other node devices. The processor 510 may be an integrated circuit chip with signal processing capability. The processor 510 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 510 may be any conventional processor or the like.
The memory 530 may be, but is not limited to, a random access memory (RAM), a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), and the like. The memory 530 stores computer-readable instructions which, when executed by the processor 510, cause the electronic device 500 to perform the steps of the above-described method embodiments.
The electronic device 500 may further include a memory controller, an input-output unit, an audio unit, and a display unit.
The memory 530, the memory controller, the processor 510, the peripheral interface, the input/output unit, the audio unit, and the display unit are electrically connected to one another, directly or indirectly, to realize data transmission or interaction. For example, these elements may be electrically coupled to one another via one or more communication buses 540. The processor 510 is configured to execute executable modules stored in the memory 530, such as the software function modules or computer programs included in the electronic device 500.
The input/output unit is used to provide input data to the user so that the user can interact with the server (or the local terminal). The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
The audio unit provides an audio interface to the user, which may include one or more microphones, one or more speakers, and audio circuitry.
The display unit provides an interactive interface (e.g., a user interface) between the electronic device and the user, or displays image data for the user's reference. In this embodiment, the display unit may be a liquid crystal display or a touch display. In the case of a touch display, the display may be a capacitive touch screen or a resistive touch screen supporting single-point and multi-point touch operations. Support for single-point and multi-point touch operations means that the touch display can sense touch operations generated simultaneously at one or more positions on the touch display, and the sensed touch operations are sent to the processor for calculation and processing.
It will be appreciated that the configuration shown in FIG. 5 is merely illustrative and that electronic device 500 may include more or fewer components than shown in FIG. 5 or have a different configuration than shown in FIG. 5. The components shown in fig. 5 may be implemented in hardware, software, or a combination thereof.
The present application provides a storage medium having stored thereon a computer program which, when executed by a processor, performs the method of the method embodiments.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
It is clear to those skilled in the art that, for convenience and simplicity of description, the specific working process of the system described above may be understood with reference to the corresponding process in the foregoing method, and is not repeated here.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and reference may be made to the partial description of the method embodiment for relevant points.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software function modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code. It should be noted that, in this document, relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in the process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined or explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

1. A method for detecting an internet control message protocol ICMP tunnel, comprising:
acquiring an ICMP data packet;
extracting a payload field in the ICMP packet;
calculating a string distance from the payload field, and constructing a feature vector from the string distance;
detecting the feature vector with a pre-trained detection model to determine whether an ICMP tunnel exists;
wherein the ICMP data packet comprises a first request data packet, a first response data packet, a second request data packet and a second response data packet, and the second request data packet is a data packet adjacent to the first response data packet after the first response data packet;
the string distance includes a first type string distance determined by calculating a string distance between a payload field in the first request packet and a payload field in the first response packet, a second type string distance determined by calculating a string distance between a payload field in the first request packet and a payload field in the second request packet, and a third type string distance determined by calculating a string distance between a payload field in the first response packet and a payload field in the second response packet.
2. The detection method according to claim 1, wherein, before the detecting of the feature vector with the pre-trained detection model, the detection method further comprises:
training an initial detection model with a feature matrix sample to obtain the pre-trained detection model, wherein the feature matrix sample is constructed from feature vector samples.
3. The detection method according to claim 1, wherein the obtaining of the ICMP packet comprises:
obtaining the ICMP packet in an off-line manner.
4. An apparatus for detecting an internet control message protocol ICMP tunnel, comprising:
an obtaining module, configured to obtain an ICMP packet;
an extracting module, configured to extract a payload field in the ICMP packet;
a calculation and construction module, configured to calculate a string distance from the payload field and construct a feature vector from the string distance;
a determining module, configured to detect the feature vector with a pre-trained detection model to determine whether an ICMP tunnel exists;
wherein the ICMP packet comprises a first request packet, a first response packet, a second request packet and a second response packet, and the second request packet is a packet adjacent to the first response packet after the first response packet;
the string distance includes a first type of string distance determined by calculating a string distance between a payload field in the first request packet and a payload field in the first response packet, a second type of string distance determined by calculating a string distance between a payload field in the first request packet and a payload field in the second request packet, and a third type of string distance determined by calculating a string distance between a payload field in the first response packet and a payload field in the second response packet.
5. The detection apparatus according to claim 4, further comprising:
a training module, configured to train an initial detection model with a feature matrix sample to obtain the pre-trained detection model, wherein the feature matrix sample is constructed from feature vector samples.
6. The detection apparatus according to claim 4, wherein the obtaining module is configured to obtain the ICMP packet in an off-line manner.
7. A storage medium having stored thereon a computer program which, when executed by a processor, performs the method for detecting an internet control message protocol ICMP tunnel according to any one of claims 1-3.
8. An electronic device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over the bus when the electronic device is operating, the machine-readable instructions when executed by the processor performing the method of detecting an internet control message protocol ICMP tunnel according to any one of claims 1-3.
CN202011257029.XA 2020-11-10 2020-11-10 ICMP tunnel detection method, device, storage medium and electronic equipment Active CN112437062B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011257029.XA CN112437062B (en) 2020-11-10 2020-11-10 ICMP tunnel detection method, device, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011257029.XA CN112437062B (en) 2020-11-10 2020-11-10 ICMP tunnel detection method, device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN112437062A CN112437062A (en) 2021-03-02
CN112437062B true CN112437062B (en) 2023-03-07

Family

ID=74699666

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011257029.XA Active CN112437062B (en) 2020-11-10 2020-11-10 ICMP tunnel detection method, device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN112437062B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113179278B (en) * 2021-05-20 2023-04-18 北京天融信网络安全技术有限公司 Abnormal data packet detection method and electronic equipment
CN113364793A (en) * 2021-06-17 2021-09-07 北京天融信网络安全技术有限公司 ICMP hidden tunnel detection method, device and storage medium
CN114095265B (en) * 2021-11-24 2024-04-05 中国南方电网有限责任公司超高压输电公司昆明局 ICMP hidden tunnel detection method and device and computer equipment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104778407B (en) * 2015-04-14 2017-08-08 电子科技大学 A kind of multidimensional is without condition code malware detection methods
US11216502B2 (en) * 2018-06-05 2022-01-04 LogsHero Ltd. Clustering of log messages
CN110427991A (en) * 2019-07-22 2019-11-08 联动优势科技有限公司 A kind of character string matching method and device
CN110958241B (en) * 2019-11-27 2021-08-24 腾讯科技(深圳)有限公司 Network data detection method and device, computer equipment and storage medium
CN111478920A (en) * 2020-04-27 2020-07-31 深信服科技股份有限公司 Method, device and equipment for detecting communication of hidden channel

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant