CN112702234A - Identification method and device for multi-network connection equipment - Google Patents

Identification method and device for multi-network connection equipment

Info

Publication number: CN112702234A
Authority: CN (China)
Prior art keywords: message, redirection, session, network server, primary
Legal status: Pending (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Application number: CN202011529645.6A
Other languages: Chinese (zh)
Inventors: 仇俊杰, 董岩
Current assignee: Hangzhou DPTech Technologies Co Ltd (as listed by Google Patents)
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN202011529645.6A; published as CN112702234A.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/12 Network monitoring probes
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method and a device for identifying multi-network connection devices (devices attached to more than one network). The method runs on a monitoring device placed inline between a target device and a local network server, and comprises: intercepting a session packet sent by the local network server to the target device; performing a primary redirection operation on the session packet to generate a primary redirection packet, where the primary redirection redirects the session packet to the address of an external network server and adds the address of the monitoring device and identification information corresponding to the target device, so that the external network server, on receiving the primary redirection packet, performs a secondary redirection operation that generates a secondary redirection packet redirecting back to the address of the monitoring device while still carrying the identification information; and monitoring received packets and, if the secondary redirection packet is determined to have been received, judging that the target device is a multi-network connection device.

Description

Identification method and device for multi-network connection equipment
Technical Field
The present application relates to the field of network device monitoring, and in particular to a method and an apparatus for identifying multi-network connection devices, that is, devices that are connected to the local (internal) network and to an external network at the same time.
Background
Nowadays, the variety of ways in which networks can be interconnected has become a major challenge for the standardized management of the internal networks of enterprises and other organisations. If an electronic device is connected to an external network while it is also connected to the internal network, attacks or malware from the external network can reach the device and bypass the internal network's security mechanisms, so that sensitive information and confidential data of the internal network are stolen, or the device is used as a stepping stone to attack or infect important internal servers and paralyse the internal network. Effectively preventing such unauthorised external connections of electronic devices is therefore of great importance for the safe and stable operation of the internal network's information systems.
At present, unauthorised external connections are monitored mainly by installing a client agent on the terminal, or by deploying a detection server on the external-network side. Installing a client on the terminal imposes strict requirements on the terminal's software and hardware and has high maintenance costs; a detection server on the external-network side still requires the terminal to run specified software that the server can probe, and is affected by the prevailing network environment. Both current approaches therefore have poor generality.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for identifying multiple network connection devices, and the technical scheme is as follows:
According to a first aspect of the present application, a method for identifying a multi-network connection device is provided. The method is applied to a monitoring device located between a target device and a local network server, and includes:
intercepting a session packet sent by the local network server to the target device;
performing a primary redirection operation on the session packet to generate a primary redirection packet, where the primary redirection operation redirects the session packet to the address of an external network server and adds the address of the monitoring device and identification information corresponding to the target device to the session packet, so as to instruct the external network server to perform a secondary redirection operation on the received primary redirection packet and generate a secondary redirection packet, where the secondary redirection operation redirects the primary redirection packet to the address of the monitoring device and continues to carry the identification information in the secondary redirection packet;
monitoring received packets, and judging that the target device is a multi-network connection device if the secondary redirection packet is determined to have been received.
Optionally, intercepting the session packet sent by the local network server to the target device includes:
monitoring a request packet sent by the target device to the local network server, and recording session information of the session to which the request packet belongs;
and monitoring packets sent by the local network server according to the session information, so as to intercept the response packet returned in reply to the request packet, and using that response packet as the session packet.
Optionally, the session information includes a session ID, and the session ID is added to the session message as the identification information.
Optionally, monitoring the request packet sent by the target device to the local network server includes:
filtering the packets sent by the target device to the local network server according to a preset condition, so as to obtain the request packet.
Optionally, the method further includes:
when the target device is judged to be a multi-network connection device, storing the identification information corresponding to the target device in a blacklist, so as to prohibit the target device from continuing to access the local network server.
Optionally, the method further includes:
if the secondary redirection packet is not received, or if the primary redirection packet is received back from the target device, judging that the target device is not a multi-network connection device.
Optionally, the session packet is an HTTP packet, and the address of the external network server, the address of the monitoring device and the identification information corresponding to the target device are added to a preset field of the HTTP header of the HTTP packet to form the primary redirection packet;
and the address of the monitoring device and the identification information corresponding to the target device are added to the preset field of the HTTP header of the primary redirection packet to form the secondary redirection packet.
According to a second aspect of the present application, an apparatus for identifying a multi-network connection device is provided. The apparatus is applied to a monitoring device located between a target device and a local network server, and includes:
an acquisition module, configured to acquire a session packet sent by the local network server to the target device;
a redirection module, configured to perform a primary redirection operation on the session packet to generate a primary redirection packet, where the primary redirection operation redirects the session packet to the address of an external network server and adds the address of the monitoring device and identification information corresponding to the target device to the session packet, so as to instruct the external network server to perform a secondary redirection operation on the received primary redirection packet and generate a secondary redirection packet, where the secondary redirection operation redirects the primary redirection packet to the address of the monitoring device and continues to carry the identification information in the secondary redirection packet;
and a monitoring module, configured to monitor received packets and to judge that the target device is a multi-network connection device if the secondary redirection packet is determined to have been received.
According to a third aspect of the present application, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of any of the methods in the embodiments described above.
According to a fourth aspect of the present application, there is provided an electronic device comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any of the above embodiments.
As can be seen from the foregoing, in the present application the monitoring device intercepts a session packet sent by the local network server to the target device and performs a primary redirection operation on it, producing a primary redirection packet that carries the address of the monitoring device and identification information corresponding to the target device and that redirects the session to the address of an external network server. When the external network server receives the primary redirection packet, it performs a secondary redirection operation, producing a secondary redirection packet that redirects to the address of the monitoring device and still carries the identification information. On receiving the secondary redirection packet, the monitoring device can therefore identify, from the identification information it carries, the target device as a multi-network connection device. Multi-network connection devices are thus identified by adding only a monitoring device, without installing a client or any detectable specified software on the target device, which avoids the limitations imposed by software and hardware requirements or other factors and improves the generality of the identification method.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
FIG. 1 is a system architecture diagram provided herein;
fig. 2 is a flowchart of an embodiment of an identification method for a multi-network connection device provided in the present application;
FIG. 3 is a flow diagram of a multi-party interaction process for identifying multiple network connection devices provided herein;
FIG. 4 is a schematic diagram of an electronic device;
fig. 5 is a block diagram of an embodiment of an identification apparatus of a multi-network connection device.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Fig. 1 is a system architecture diagram provided in the present application. It mainly includes a local network server 101, a monitoring device 102, a target device 103 and an external network server 104. The local network server 101 and the monitoring device 102 belong to the local network, and the external network server 104 belongs to the external network. When the target device 103 is connected to the local network it reaches the local network server 101 through the monitoring device 102; when it is connected to the external network it reaches the external network server 104. All information exchange, such as data transmission, between the target device 103 and the local network server 101 therefore passes through the monitoring device 102. The monitoring device 102 monitors and records packets sent by the target device 103 to the local network server 101, intercepts specified packets sent by the local network server 101 to the target device 103, and turns them into primary redirection packets aimed at the external network server 104, so that after the external network server 104 receives a primary redirection packet it can generate a secondary redirection packet aimed at the address of the monitoring device 102, from which the monitoring device 102 can identify the target device 103.
The same packet is thus made to circulate through the system by the primary redirection of the monitoring device 102 and the secondary redirection of the external network server 104, following the path local network server 101, monitoring device 102, target device 103, external network server 104, target device 103, monitoring device 102. Once this cycle completes, the monitoring device 102 can determine that the target device 103 corresponding to the identification information carried in the received secondary redirection packet is a multi-network connection device. The method avoids the limitations imposed by the software and hardware requirements of the target device and other factors, and the monitoring device can also be used to block the communications of the identified multi-network connection device, thereby protecting the local network server.
Fig. 2 is a flowchart of an embodiment of the identification method as performed on the monitoring device side; the method may include the following steps:
in step 201, a session message sent by a local network server to a target device is intercepted.
In an embodiment, whenever the local network server sends a packet to the target device, the monitoring device intercepts it and uses the intercepted packet as the session packet.
In an embodiment, the monitoring device monitors a request packet sent by the target device to the local network server and records the session information of the session to which the request packet belongs. It then monitors packets sent by the local network server according to the recorded session information, intercepts the response packet returned by the local network server in reply to the request packet, and uses the intercepted response packet as the session packet. The recorded session information is any information that identifies the current session and is carried by both the request packet and the response packet, so that the monitoring device can match the request packet sent by the target device with the response packet returned by the local network server. The session information may consist of the source IP, destination IP, source port, destination port and/or the target device ID; the application is not limited in this respect.
In an embodiment, when the monitoring device monitors request packets sent by the target device to the local network server, it may first filter all packets sent by the target device to the local network server according to a preset condition, so as to obtain the required request packets. The preset condition may be the format of the target data requested by the packet, for example selecting packets that request a picture, a document, or an audio/video resource. Target data of a given category may come in several formats; pictures, for example, include the bmp, jpg, png and gif formats, and the filter may select packets requesting any format of the category (all of bmp, jpg, png, gif and so on) or only a specific format (for example only bmp, leaving requests for jpg, png or gif pictures unselected). The preset condition may also be the content of the requested target data, for example selecting packets that request a file whose name or content contains a preset keyword, or packets that request a picture containing image information of a preset person or object; further examples are not enumerated here.
In step 202, a primary redirection operation is performed on the session packet to generate a primary redirection packet: the session packet is redirected to the address of the external network server, and the address of the monitoring device and the identification information corresponding to the target device are added to it, instructing the external network server to perform a secondary redirection operation on the received primary redirection packet and generate a secondary redirection packet.
In an embodiment, the monitoring device performs the primary redirection operation on the intercepted session packet to generate the primary redirection packet; the operation redirects the session packet to the address of the external network server and adds the address of the monitoring device and the identification information corresponding to the target device to the session packet. If the target device is connected to the external network at the same time, it automatically forwards the primary redirection packet to the external network server. When the external network server receives the primary redirection packet carrying the address of the monitoring device and the identification information, it performs the secondary redirection operation according to the monitoring device address carried in the packet and generates the secondary redirection packet: its redirection target is the monitoring device address contained in the primary redirection packet, and it continues to carry the identification information contained in the primary redirection packet. When the monitoring device receives a packet from the external network server it can therefore extract and check the identification information; if the identification information matches the target device, the target device is determined to be a multi-network connection device, and the packet itself records which multi-network connection device was identified.
In an embodiment, if the target device is not connected to the external network at the same time, the primary redirection packet generated by the monitoring device is returned to the target device and parsed there, and the target device abandons the access because the external network server address cannot be reached; alternatively, the target device returns the primary redirection packet to the monitoring device because the external network server address cannot be reached, and the monitoring device terminates the access. Therefore, if the monitoring device receives no secondary redirection packet within a preset time after sending the primary redirection packet, or receives the primary redirection packet again, it may determine that the target device is not a multi-network connection device, that is, that the target device is not connected to the external network.
In an embodiment, if the session packet intercepted by the monitoring device is an HTTP packet, the primary redirection operation adds the address of the external network server, the address of the monitoring device and the identification information corresponding to the target device to the HTTP header of the packet, in the following form: http://47.111.138.166?ip=10.35.11.110&id=00000001, where 47.111.138.166 is the address of the external network server, ip=10.35.11.110 is the address of the monitoring device, and id=00000001 is the identification information corresponding to the target device. After receiving and parsing the primary redirection packet, the target device actively accesses the redirected address 47.111.138.166; since this is the address of the external network server in the external network, the target device sends the primary redirection packet to the external network server if it is connected to the external network at the same time. After receiving the primary redirection packet, the external network server performs the secondary redirection operation on it and generates the secondary redirection packet; the redirection address is the parameter ip=10.35.11.110 carried in the primary redirection packet, so the header of the secondary redirection packet becomes http://10.35.11.110?id=00000001, which still carries the identification information id=00000001 corresponding to the target device.
The external network server returns the secondary redirection packet to the target device, and after receiving and parsing it, the target device actively accesses the address 10.35.11.110, that is, it sends the secondary redirection packet to the monitoring device at that address.
In one embodiment, since most electronic devices use ports 80 and 443 as default management ports, the external network server may also specify the port to be used when performing the secondary redirection, so that the port used does not conflict with the normal default management ports; for example, the modified header becomes http://10.35.11.110:81?id=00000001, that is, port 81 is used as the management port for the secondary redirection.
In step 203, the received message is monitored, and the target device is determined to be a multi-network connection device under the condition that it is determined that the secondary redirection message is received.
In an embodiment, when the monitoring device receives the secondary redirection packet, it determines that the target device corresponding to the identification information carried in that packet is a multi-network connection device.
Taking an HTTP packet as an example, when the monitoring device receives a packet whose HTTP header carries http://10.35.11.110?id=00000001 or http://10.35.11.110:81?id=00000001, it can determine that the packet is a secondary redirection packet whose HTTP header was modified by the external network server, and, according to the identification information id carried in that header, determine that the target device corresponding to the identification information is a multi-network connection device.
In an embodiment, after the monitoring device identifies the target device as a multi-network connection device, the identification information corresponding to the target device may be stored in a blacklist or removed from a whitelist, and the target device is prohibited from continuing to access the local network server, so as to protect the information security of the local network server.
In an embodiment, after the monitoring device returns the primary redirection packet to the target device, if no secondary redirection packet from the external network server is received within a preset time, or the primary redirection packet is received again, this indicates that the target device is not connected to the external network and could not deliver the primary redirection packet to the external network server; it may then be determined that the target device is not a multi-network connection device, and the target device is allowed to continue to access the local network server.
The above embodiments describe the method for identifying a multi-network connection device from the monitoring device side. The present application further provides an embodiment of a multi-party interaction method for identifying a multi-network connection device, shown in Fig. 3, which includes the following steps:
In step 301, the target device sends a request packet to the local network server.
In an embodiment, when the target device accesses a local network resource it sends a request packet to the local network server; the monitoring device monitors this request packet and can record its session information.
In step 302, the local network server returns a response packet.
In an embodiment, after receiving the access request of the target device, the local network server returns the corresponding response packet to the target device; the monitoring device matches the session information of the response packet against the session information of the recorded request packet and, on a successful match, intercepts the response packet.
In an embodiment, the monitoring device is instead configured to intercept all session packets sent by the local network server to the target device, without the session information recording and matching of the preceding embodiment.
In step 303, the monitoring device performs a redirection operation.
In an embodiment, after intercepting a response message returned by the local network server, the monitoring device performs a redirection operation on the response message to generate a redirection message, where a redirection address of the redirection operation is an address of an external network server in an external network, and the redirection operation is further configured to add an address of the monitoring device and identification information corresponding to the target device in the response message.
When the response message intercepted by the monitoring device is in HTTP format, the primary redirection operation adds the address of the external network server, the address of the monitoring device, and the identification information of the target device to the HTTP header of the message, in the form http://47.111.138.166?ip=10.35.11.110&id=00000001, where 47.111.138.166 is the address of the external network server, ip=10.35.11.110 is the address of the monitoring device, and id=00000001 is the identification information of the target device. In HTTP terms, a redirect of this kind is a 3xx response whose Location header carries that URL; the monitoring device's address and the device identifier ride in the query string so that the external network server receives them together with the request.
In an embodiment, the monitoring device is configured to intercept all session messages sent by the local web server, and perform a redirection operation on the intercepted session messages in the above embodiment.
In step 304, the monitoring device returns a redirection packet.
In an embodiment, the monitoring device continues to return the primary redirection packet generated after the primary redirection operation is completed to the target device.
In step 305, the target device follows the primary redirection message.
In an embodiment, after the target device receives the primary redirection message, it parses the message and, because the message address has been modified, automatically sends a request to the external network server indicated by the modified address.
When the primary redirection message received by the target device is in HTTP format and its HTTP header carries http://47.111.138.166?ip=10.35.11.110&id=00000001, the target device actively accesses the address 47.111.138.166 from the header after parsing the message. Because that address points to the external network server, the request reaches the external network server only if the target device is also connected to the external network.
In step 306, the external network server performs a secondary redirection operation.
In an embodiment, after receiving the primary redirection message, the external network server performs a secondary redirection operation on the primary redirection message according to an address of the monitoring device carried in the primary redirection message to generate a secondary redirection message, where a redirection address of the secondary redirection operation is an address of the monitoring device, and the secondary redirection operation continues to retain identification information corresponding to the target device added in the primary redirection operation in the above embodiment.
When the primary redirection message received by the external network server is in HTTP format and its HTTP header carries http://47.111.138.166?ip=10.35.11.110&id=00000001, the secondary redirection operation reads the address information ip=10.35.11.110 from the header and rewrites the header to http://10.35.11.110?id=00000001; that is, it redirects the primary redirection message to the monitoring device's address 10.35.11.110 while continuing to carry the identification information id=00000001 of the target device in the header.
In step 307, the external network server returns a secondary redirect message.
In an embodiment, the external network server returns the secondary redirection packet generated after the secondary redirection operation is completed to the target device.
In step 308, the target device follows the secondary redirection message.
In an embodiment, after the target device receives the secondary redirection message, it parses the message and, because the message address has been modified by the secondary redirection operation, automatically sends a request to the monitoring device indicated by the modified address.
If the secondary redirection message received by the target device is in HTTP format and its HTTP header carries http://10.35.11.110?id=00000001, the target device actively accesses the address 10.35.11.110 from the header after parsing the message; because that address points to the monitoring device, the secondary redirection message reaches the monitoring device.
In step 309, the monitoring device identifies and confirms the secondary redirection packet.
In an embodiment, when the monitoring device receives a secondary redirection message carrying the identification information of the target device, it determines that the target device corresponding to that identification information is a multi-network connection device. Because the identification information travels as a plain query-string value, an implementation should act on it only if it matches a session recorded in step 301 and the message arrives from the device address recorded for that session; otherwise any host able to reach the monitoring device's address could submit an arbitrary identifier.
If the secondary redirection message received by the monitoring device is in HTTP format and its HTTP header carries http://10.35.11.110?id=00000001, the target device corresponding to the identification information id=00000001 is determined to be a multi-network connection device.
In an embodiment, after the monitoring device identifies a multi-network connection device, the identification information of the corresponding target device may be stored in a blacklist or removed from a whitelist, so that the multi-network connection device is prohibited from continuing to access the local network server and the information security of the local network server is protected.
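The exchange of steps 301 to 309, together with the timeout branch described earlier, as an added worked example that is not part of the patent or the applicant's code. It simulates the three parties in Python using the page's sample addresses 47.111.138.166 and 10.35.11.110; the use of a 302 response's Location header as the modified HTTP header, the helper names, the classification labels and the constructed device address 10.35.11.23 are assumptions.

```python
"""Two-hop redirect probe from steps 301-309, as a self-contained simulation.
Added example: not code from the patent or its applicant. The Location header
of a 302 response stands in for the "HTTP header" the patent modifies; the
status code, helper names and the device address are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs, urlencode

EXTERNAL_SERVER = "47.111.138.166"   # external network server, from the page's example
MONITOR_ADDR = "10.35.11.110"        # monitoring device, from the page's example


@dataclass
class HttpResponse:
    status: int
    headers: dict


def primary_redirect(target_id: str, external: str = EXTERNAL_SERVER,
                     monitor: str = MONITOR_ADDR) -> HttpResponse:
    """Step 303: the local server's reply is replaced by a 302 pointing at the
    external server, with the monitor address and device id in the query."""
    query = urlencode({"ip": monitor, "id": target_id})
    return HttpResponse(302, {"Location": f"http://{external}?{query}"})


def secondary_redirect(requested_url: str) -> HttpResponse:
    """Step 306: the external server reads ip and id from the URL it was asked
    for and redirects to the monitoring device, still carrying id."""
    q = parse_qs(urlsplit(requested_url).query)
    monitor, target_id = q["ip"][0], q["id"][0]
    query = urlencode({"id": target_id})
    return HttpResponse(302, {"Location": f"http://{monitor}?{query}"})


def follow(resp: HttpResponse):
    """Steps 305 and 308: a client that honours 3xx returns the next URL."""
    if 300 <= resp.status < 400:
        return resp.headers["Location"]
    return None


@dataclass
class MonitoringDevice:
    sessions: dict = field(default_factory=dict)  # id -> device address (step 301)
    blacklist: set = field(default_factory=set)

    def record_request(self, device_addr: str, session_id: str) -> None:
        self.sessions[session_id] = device_addr

    def classify(self, arrival) -> str:
        """Step 309 together with the timeout branch. `arrival` is
        (source address, requested URL) for a request the monitoring device
        observed, or None when the preset time period expired."""
        if arrival is None:
            return "not multi-network"
        src, url = arrival
        parts = urlsplit(url)
        q = parse_qs(parts.query)
        if parts.hostname == EXTERNAL_SERVER:
            # The primary redirect is seen again: the device had no outside path.
            return "not multi-network"
        if parts.hostname != MONITOR_ADDR or "id" not in q:
            return "ignore"
        target_id = q["id"][0]
        # Added check, not in the patent text: the id must belong to a recorded
        # session and arrive from that session's device address.
        if self.sessions.get(target_id) != src:
            return "ignore"
        self.blacklist.add(target_id)
        return "multi-network"


def run_probe(device_addr: str, session_id: str, has_external_path: bool) -> str:
    """Drive one device through steps 301-309. has_external_path models whether
    the device can reach EXTERNAL_SERVER over a second interface."""
    mon = MonitoringDevice()
    mon.record_request(device_addr, session_id)          # step 301
    first = follow(primary_redirect(session_id))        # steps 303-305
    if not has_external_path:
        # Only the local route exists, so the attempt to reach the external
        # address passes the monitoring device and is seen as the primary
        # redirect again.
        return mon.classify((device_addr, first))
    second = follow(secondary_redirect(first))          # steps 306-308
    return mon.classify((device_addr, second))          # step 309


if __name__ == "__main__":
    # 10.35.11.23 is a constructed device address.
    print(run_probe("10.35.11.23", "00000001", has_external_path=True))
    print(run_probe("10.35.11.23", "00000001", has_external_path=False))
```

Running the module prints multi-network for a device with a second path and not multi-network for one without. The classify method also refuses an identifier that was never recorded or that arrives from a different address, which is the binding an implementation needs before it blacklists a device on the strength of a query-string value.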
Corresponding to the foregoing embodiments of the method for identifying a multi-network connection device, the present application also provides embodiments of an apparatus for identifying a multi-network connection device.
Fig. 4 is a schematic structural diagram of an electronic device according to an exemplary embodiment. As shown in fig. 4, at the hardware level, the device includes a processor 401, an internal bus 402, an input/output interface 403, a memory 404, a non-volatile memory 405, and may also include hardware required for other services. The processor 401 reads the corresponding computer program from the non-volatile memory 405 into the memory 404 and runs the computer program, thereby forming the identification means of the multi-network connection device on a logical level. Of course, besides software implementation, the one or more embodiments of the present disclosure do not exclude other implementations, such as logic devices or combination of software and hardware, and so on, that is, the execution subject of the following processing flow is not limited to each logic module, and may also be hardware or logic devices.
Referring to fig. 5, in a software implementation, the identifying means of the multi-network connection device may include:
an intercepting module 501, configured to intercept a session message sent by the local network server to the target device;
a redirection module 502, configured to perform a primary redirection operation on the session packet to generate a primary redirection packet, where the primary redirection operation is used to redirect the session packet to an address of an external network server, and add an address of the monitoring device and identification information corresponding to the target device to the session packet, so as to instruct the external network server to perform a secondary redirection operation on the received primary redirection packet to generate a secondary redirection packet, where the secondary redirection operation is used to redirect the primary redirection packet to the address of the monitoring device, and continue to carry the identification information in the secondary redirection packet;
a monitoring module 503, configured to monitor the received packet, and determine that the target device is a multi-network connection device when it is determined that the secondary redirection packet is received.
Optionally, the intercepting module 501 is specifically configured to:
monitoring a request message sent to the local network server by the target equipment, and recording session information of a session to which the request message belongs;
and monitoring the message sent by the local network server according to the session information so as to intercept and capture a response message returned in response to the request message, and taking the response message as the session message.
Optionally, the session information includes: a session ID, which is added to the session message as the identification information.
Optionally, the intercepting module 501 is specifically configured to:
and filtering the message sent by the target equipment to the local network server according to a preset condition to obtain the request message.
Optionally, the apparatus further includes:
an access management module 504, configured to store, in a blacklist, identification information corresponding to the target device to prohibit the target device from continuing to access the local web server, if it is determined that the target device is a multi-network connection device.
Optionally, the apparatus further includes:
a determining module 505, configured to determine that the target device does not belong to a multi-network connection device if the secondary redirection packet is not received or the primary redirection packet sent by the target device is received.
Optionally, the session packet is an HTTP packet, and the address of the external network server, the address of the monitoring device, and the identification information corresponding to the target device are added to a preset field in an HTTP header of the HTTP packet to form the primary redirect packet;
and the address of the monitoring equipment and the identification information corresponding to the target equipment are added into the preset field in the HTTP header of the primary redirection message to form the secondary redirection message.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the disclosed solution. One of ordinary skill in the art can understand and implement the method without inventive effort.
Accordingly, the present application also provides a non-transitory computer readable storage medium comprising instructions, such as a memory comprising instructions, executable by a processor of an apparatus to perform a method as described in any of the embodiments above. For example, the non-transitory computer readable storage medium may be a Read Only Memory (ROM), a Random Access Memory (RAM), a compact disc read only memory (CD-ROM), a magnetic tape, a floppy disk, an optical data storage device, and the like.
Accordingly, the present application also provides an electronic device, comprising a processor and a memory for storing processor-executable instructions, wherein the processor is configured to implement the method according to any one of the embodiments of the method.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A method for identifying a multi-network connection device, which is applied to a monitoring device, wherein the monitoring device is located between a target device and a local network server, and the method comprises the following steps:
intercepting a session message sent to the target equipment by the local network server;
performing a primary redirection operation on the session message to generate a primary redirection message, where the primary redirection operation is used to redirect the session message to an address of an external network server, and add an address of the monitoring device and identification information corresponding to the target device to the session message to instruct the external network server to perform a secondary redirection operation on the received primary redirection message to generate a secondary redirection message, where the secondary redirection operation is used to redirect the primary redirection message to the address of the monitoring device, and continue to carry the identification information in the secondary redirection message;
monitoring the received message, and judging that the target equipment is multi-network connection equipment under the condition of determining to receive the secondary redirection message.
2. The method of claim 1, wherein the intercepting the session message sent by the local network server to the target device comprises:
monitoring a request message sent to the local network server by the target equipment, and recording session information of a session to which the request message belongs;
and monitoring the message sent by the local network server according to the session information so as to intercept and capture a response message returned in response to the request message, and taking the response message as the session message.
3. The method of claim 2, the session information comprising a session ID, the session ID being added to the session message as the identification information.
4. The method of claim 2, wherein the monitoring the request message sent by the target device to the local network server comprises:
and filtering the message sent by the target equipment to the local network server according to a preset condition to obtain the request message.
5. The method of claim 1, further comprising:
and storing the identification information corresponding to the target equipment into a blacklist under the condition that the target equipment is judged to be multi-network connection equipment so as to prohibit the target equipment from continuously accessing the local network server.
6. The method of claim 1, further comprising:
and if the secondary redirection message is not received or the primary redirection message sent by the target equipment is received, judging that the target equipment does not belong to the multi-network connection equipment.
7. The method of claim 1,
the session message is an HTTP message, and the address of the external network server, the address of the monitoring device and the identification information corresponding to the target device are added into a preset field in an HTTP header of the HTTP message to form the primary redirection message;
and the address of the monitoring equipment and the identification information corresponding to the target equipment are added into the preset field in the HTTP header of the primary redirection message to form the secondary redirection message.
8. An apparatus for identifying a multi-network connection device, applied to a monitoring device, the monitoring device being located between a target device and a local network server, the apparatus comprising:
the acquisition module is used for acquiring a session message sent to the target equipment by the local network server;
a redirection module, configured to perform a primary redirection operation on the session packet to generate a primary redirection packet, where the primary redirection operation is configured to redirect the session packet to an address of an external network server, and add an address of the monitoring device and identification information corresponding to the target device to the session packet, so as to instruct the external network server to perform a secondary redirection operation on the received primary redirection packet to generate a secondary redirection packet, where the secondary redirection operation is configured to redirect the primary redirection packet to the address of the monitoring device, and continue to carry the identification information in the secondary redirection packet;
and the monitoring module is used for monitoring the received message and judging that the target equipment is multi-network connection equipment under the condition of determining that the secondary redirection message is received.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
10. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any one of claims 1-7.
CN202011529645.6A 2020-12-22 2020-12-22 Identification method and device for multi-network connection equipment Pending CN112702234A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011529645.6A CN112702234A (en) 2020-12-22 2020-12-22 Identification method and device for multi-network connection equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011529645.6A CN112702234A (en) 2020-12-22 2020-12-22 Identification method and device for multi-network connection equipment

Publications (1)

Publication Number Publication Date
CN112702234A true CN112702234A (en) 2021-04-23

Family

ID=75510511

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011529645.6A Pending CN112702234A (en) 2020-12-22 2020-12-22 Identification method and device for multi-network connection equipment

Country Status (1)

Country Link
CN (1) CN112702234A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040050929A1 (en) * 2002-09-16 2004-03-18 Fayfield Robert W. Extranet security system and method
CN107276979A (en) * 2017-04-26 2017-10-20 浙江远望信息股份有限公司 A kind of method that automatic detection terminal device intranet and extranet interconnect behavior
CN109413097A (en) * 2018-11-30 2019-03-01 深信服科技股份有限公司 A kind of lawless exterior joint detecting method, device, equipment and storage medium
CN110365793A (en) * 2019-07-30 2019-10-22 北京华赛在线科技有限公司 Illegal external connection monitoring method, device, system and storage medium
CN111385376A (en) * 2020-02-24 2020-07-07 杭州迪普科技股份有限公司 Illegal external connection monitoring method, device, system and equipment for terminal


Similar Documents

Publication Publication Date Title
KR102580898B1 (en) System and method for selectively collecting computer forensics data using DNS messages
US9444821B2 (en) Management server, communication cutoff device and information processing system
JP2010508598A (en) Method and apparatus for detecting unwanted traffic in one or more packet networks utilizing string analysis
CN112738095A (en) Method, device, system, storage medium and equipment for detecting illegal external connection
CN113179280B (en) Deception defense method and device based on malicious code external connection behaviors and electronic equipment
CN111565203B (en) Method, device and system for protecting service request and computer equipment
CN111182537A (en) Network access method, device and system for mobile application
CN109905352B (en) Method, device and storage medium for auditing data based on encryption protocol
CN112231679A (en) Terminal equipment verification method and device and storage medium
CN113098727A (en) Data packet detection processing method and device
CN112702234A (en) Identification method and device for multi-network connection equipment
CN110198298A (en) A kind of information processing method, device and storage medium
CN115883574A (en) Access equipment identification method and device in industrial control network
CN110233822A (en) A kind of vulnerability rapid scanning method and vulnerability scanners
CN115603938A (en) Attack protection method, terminal device and computer readable storage medium
US11683337B2 (en) Harvesting fully qualified domain names from malicious data packets
CN111881384B (en) Evidence obtaining method, system and storage medium for illegal external connection
CN111683063B (en) Message processing method, system, device, storage medium and processor
JP3986871B2 (en) Anti-profiling device and anti-profiling program
CN110071936B (en) System and method for identifying proxy IP
KR100862321B1 (en) Method and apparatus for detecting and blocking network attack without attack signature
CN114465746B (en) Network attack control method and system
CN117955739B (en) Interface security identification method and device, computing equipment and storage medium
CN114465795B (en) Method and system for interfering network scanner
RU2776349C1 (en) Systems and methods for using dns messages for selective collection of computer forensic data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210423