CN112910851B - Data packet marking and tracing device based on knowledge graph - Google Patents


Info

Publication number: CN112910851B (granted); application number: CN202110058724.1A
Authority: CN (China)
Prior art keywords: data packet, information, router, fragment, tracing
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112910851A (en)
Inventors
任传伦
郭世泽
张先国
冯景瑜
杨令
夏建民
俞赛赛
刘晓影
乌吉斯古愣
孟祥頔
Current assignee: CETC 15 Research Institute; Xian University of Posts and Telecommunications
Original assignee: CETC 15 Research Institute; Xian University of Posts and Telecommunications
Application CN202110058724.1A filed by CETC 15 Research Institute and Xian University of Posts and Telecommunications; published as CN112910851A; granted and published as CN112910851B. Legal status: Active.

Classifications

All H04L codes below fall under H04L63/00, Network architectures or network communication protocols for network security (section H Electricity, class H04 Electric communication technique, subclass H04L Transmission of digital information, e.g. telegraphic communication). All G06F codes fall under G06F16/00, Information retrieval; database structures therefor; file system structures therefor (section G Physics, class G06 Computing; calculating or counting, subclass G06F Electric digital data processing).

    • H04L63/1425 Traffic logging, e.g. anomaly detection (H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • G06F16/35 Clustering; Classification (G06F16/30 Information retrieval of unstructured textual data)
    • G06F16/367 Ontology (G06F16/36 Creation of semantic tools, e.g. ontology or thesauri)
    • G06F16/953 Querying, e.g. by the use of web search engines (G06F16/90 Details of database functions independent of the retrieved data types; G06F16/95 Retrieval from the web)
    • H04L63/126 Applying verification of the source of the received data (H04L63/12 Applying verification of the received information)
    • H04L63/1458 Denial of Service (H04L63/1441 Countermeasures against malicious traffic)
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (H04L63/1441 Countermeasures against malicious traffic)

Abstract

The invention discloses a data packet marking and tracing device based on a knowledge graph, which combines intrusion detection with attack tracing. The intrusion detection part describes the behaviour of network traffic with a knowledge graph: it draws the association between the two communicating parties, counts their connections, judges the traffic abnormal once a set threshold is exceeded, and acts on the abnormal behaviour. The tracing part is a source-tracing technique: the history of the data is reproduced along the tracing path, and path tracing determines the forwarding path taken by a data packet during network transmission from the marking information carried in the packet. When the network is attacked with malicious data packets, the marking device traces the packets accurately and efficiently, and distributed denial of service attacks or other malicious-packet attacks can be mitigated or defended against quickly, to a certain extent.

Description

Data packet marking and tracing device based on knowledge graph
Technical Field
The invention relates to the field of attack tracing in network security, in particular to a data packet marking and tracing device based on a knowledge graph.
Background
China has become one of the countries most severely affected by network attacks worldwide. The network security situation is very serious, and how to defend in a targeted way has troubled the domestic and foreign network security industry and research community for many years; it remains a major problem of network security research today.
To block network attacks at the root, the source of an attack often needs to be traced: the attacking IP addresses, the hackers carrying out the attack, their organizations, and so on. Most existing security protection systems focus on discovering and blocking network attacks and can hardly provide accurate tracing of attack sources. If the location of the attack source cannot be determined, the attack cannot be defended against in a targeted way, the attacker cannot be fundamentally prevented from attacking again, and no deterrent is created for the attacker.
Attack tracing analysis and active protection are key network security technologies at present. Packet marking is the tracing technique with the most research and the richest results so far; it traces attackers by writing special marks into the data packets in transit. Tracing with this technique has two steps: packet marking and path reconstruction at the victim. Packet marking is performed by forwarding nodes on the network, such as routers. Path reconstruction is completed at the victim end: the information marked in the packets is identified and reassembled by a specific algorithm, and the attack path is finally reconstructed. The IP packet contains fields that are unused or can be overwritten without affecting network applications, and packet marking methods use such fields to record the marking information. Packet marking lets a forwarding node (a router with the marking function) write key path information into network data packets; if the victim is attacked, the marking information in the attack packets is collected to reconstruct the attack path.
Disclosure of Invention
The invention discloses a data packet marking and tracing device based on a knowledge graph, suitable for a regional network, which combines intrusion detection with attack tracing and is applied to the regional network. Intrusion detection, also called anomaly detection, describes the behaviour of network traffic with a knowledge graph: it draws the association between the two communicating parties, counts their connections, judges the traffic abnormal once a set threshold is exceeded, and acts on the abnormal behaviour. The tracing part is a source-tracing technique: the history of the data is reproduced along the tracing path, and path tracing determines the forwarding path taken by a data packet during network transmission from the marking information carried in the packet. When the network is attacked with malicious data packets, the marking device traces the packets accurately and efficiently, and distributed denial of service attacks or other malicious-packet attacks can be mitigated or defended against quickly, to a certain extent.
The data packet marking and tracing device based on a knowledge graph comprises an anomaly detection module, a tracking control module, a path reconstruction module and a feedback module; the anomaly detection module is connected to the tracking control module, the tracking control module to the path reconstruction module, and the path reconstruction module to the feedback module;
the anomaly detection module performs anomaly detection analysis on all data packets in the area under the jurisdiction of the tracing device, monitors messages transmitted in the network and constructs a knowledge graph; if an anomaly is detected, the abnormal entity is obtained with the entity extraction technique used in building the knowledge graph, packet marking and tracing are carried out to obtain the attack path, and an anomaly alert is issued;
the tracking control module implements packet marking and marks packets after receiving the anomaly alert issued by the anomaly detection module; probabilistic packet marking is used, and the router's identification is written into packets with a certain probability;
the path reconstruction module, on receiving a tracing request from the tracking control module, classifies the marked packets received at the victim terminal by their distance field, extracts the marking information, matches the fragment IP address information of each router back to the same router, determines the IP of each marking router, and adds the router IPs to the attack tree in order, thereby obtaining the attack path;
the feedback module displays the detected anomaly information, the attacker information and the traced path information visually.
The anomaly detection module is connected to the tracking control module and sends the anomaly alert to it; the tracking control module starts work on receiving the alert and begins the packet marking process.
In the packet marking process of the tracking control module, the marking information used is the router's fragment IP address information, the marking probability is computed from the Time To Live (TTL), and for a received packet a marking-time value is written in place of the time-to-live field of the original packet, so as to resist attacks on the packet (forged TTL fields).
The path reconstruction module classifies the marked packets received at the victim terminal by distance field, extracts the marking information and matches the fragment IP address information of each router back to the same router; this is done with knowledge graph technology.
The anomaly detection module parses the source IP and destination IP of each received message and checks whether the two entities exist in the graph: if not, it creates them; if so, it looks them up. It then establishes a connection between the two entities, of which there are two kinds, real and virtual: it traverses all response messages related to the two entities, and if the sequence number of a response message matches the request and response pair, the connection between the two entities is real, otherwise it is virtual; this completes the analysis of the message. After the knowledge graph has been built, the number of connections, the proportion of real connections and the proportion of virtual connections are counted from the connections between entities in the graph; if the proportion of virtual connections exceeds a threshold, the analysed traffic is judged abnormal and an anomaly alert is issued. Building the knowledge graph means first collecting network message data, extracting entities from it, and then associating the entities according to the relations between them.
After receiving the anomaly alert from anomaly detection, the tracking control module starts the packet marking process, which comprises the following steps. The IP address of a router on the network path is split from high to low order into 4 blocks, giving the fragment IP address information; each fragment is hashed, giving the hash segment values of the 4 fragments, and a packet carrying the fragment with offset i carries the hash segment of fragment (i+1) mod 4. On receiving a packet, if its TTL is below a certain threshold the packet is marked directly; this counters an attacker forging the TTL field to avoid being marked by the router. Otherwise the marking probability p = 1/(64 - TTL) is computed from the TTL value and a random number x in (0, 1) is drawn. If x < p, a random offset i from {0, 1, 2, 3} is generated and the information for offset i is written into the received packet: the IP segment, the hash segment, the offset i and a distance field of 0, where the distance field is the distance between the marking router and the victim network; the packet is then forwarded. If x > p and the distance field of the received packet is 0, the packet was marked by the upstream router: the router selects its own fragment with the same offset as the packet, XORs its IP segment and hash segment into the packet's IP segment and hash segment respectively, and adds 1 to the distance field. If x > p and the distance field is not 0, only the distance field is incremented by 1. The router then forwards the processed packet.
The path reconstruction module classifies the marked packets received at the victim terminal by distance field, extracts the marking information and matches the fragment IP address information of each router back to the same router; this is done with knowledge graph technology and comprises the following steps:
S1, at the target host, divide the received packets into different packet sets according to the value of the distance field;
S2, starting from distance field 0, build a knowledge graph and reassemble the fragment IP addresses, re-associating each fragment IP address to the same node address. From the fragment information of the packets whose distance field is 0, extract the corresponding entities (IP fragment, hash, and so on). Build the knowledge graph clockwise by offset 0, 1, 2, 3, taking each fragment IP address as an entity and the hash value obtained by hashing it as an entity, and finally extracting the fragment hash carried in the packet with offset 0 as an entity. The IP obtained by reassembling the fragment IP addresses in offset order is the IP of the router node, which is also the last-hop node of the attack tree;
S3, starting from distance 1, XOR the IP_frag and Hash_frag fields of each packet so as to restore the node information of the previous hop, then repeat the knowledge graph construction of step S2 to associate and match the fragments of the same node and obtain the IP information of the previous hop, i.e. the second-to-last hop of the attack tree; add 1 to the distance value and repeat step S3 to obtain the IP information of the corresponding hop, until the maximum distance value is reached;
S4, taking the victim as the root of the attack tree, add the reassembled IP information to the attack tree starting from distance 0, until the node information at the maximum distance has been restored and the reconstruction of the attack path is complete.
Compared with the prior art, the invention has the following beneficial effects:
1. Knowledge graph technology is introduced for the anomaly detection process and for associating packets to the same node, and the marking field is reduced from the 16-bit segmented IP of the original scheme to an 8-bit segmented IP, which in theory improves the efficiency of path reconstruction while maintaining tracing accuracy.
2. In the invention this process is completed with knowledge graph technology. For example, given the stored XOR value (shown in the original as a formula image, not reproduced here), b is looked up in the previously constructed knowledge graph at distance 0 and a is obtained after the exclusive-or. This improves on the existing method: a path reconstruction module does not know which root node each value should be XORed with and therefore tries them one by one, and whether an XOR partner is correct is confirmed by whether the node fragment information obtained after the XOR can be associated and matched. The method computes the XOR values one by one and matches them against the hash until association succeeds, which improves matching efficiency.
Drawings
FIG. 1 is a schematic diagram of the tracing device of the present invention;
FIG. 2 shows the IP address fragmentation of a router in the present invention;
FIG. 3 shows the marking message written by a router in the present invention;
FIG. 4 is the knowledge graph of marking information that matches and associates normally in the present invention;
FIG. 5 is the knowledge graph of marking information that fails to match and associate in the present invention.
Detailed Description
For a better understanding of the present disclosure, an example is given here.
As shown in FIG. 1, the invention provides a packet marking and tracing device based on a knowledge graph, which combines abnormal behaviour detection with tracing technology, selectively marks data packets to achieve tracing, and improves the accuracy and efficiency of attack tracing. The device comprises an anomaly detection module, a tracking control module, a path reconstruction module and a feedback module; the anomaly detection module is connected to the tracking control module, the tracking control module to the path reconstruction module, and the path reconstruction module to the feedback module.
The anomaly detection module performs anomaly detection analysis on all data packets in the area under the jurisdiction of the tracing device, monitors messages transmitted in the network and constructs a knowledge graph; if an anomaly is detected, the abnormal entity (an IP) is obtained with the entity extraction technique used in building the knowledge graph. This IP may be the attacking party, a router hop on the attack path, or a party with no attacking behaviour, so packet marking and tracing are carried out to obtain the attack path, and an anomaly alert is issued;
the tracking control module implements packet marking and marks packets after receiving the anomaly alert issued by the anomaly detection module; probabilistic packet marking is used, and the router's identification is written into packets with a certain probability;
the path reconstruction module, on receiving a tracing request from the tracking control module, classifies the marked packets received at the victim terminal by their distance field, extracts the marking information, matches the fragment IP address information of each router back to the same router, determines the IP of each marking router, and adds the router IPs to the attack tree in order, thereby obtaining the attack path;
the feedback module displays the detected anomaly information, the attacker information and the traced path information visually.
The anomaly detection module is connected to the tracking control module and sends the anomaly alert to it; the tracking control module starts work on receiving the alert and begins the packet marking process.
In the packet marking process of the tracking control module, the marking information used is the router's fragment IP address information, the marking probability is computed from the Time To Live (TTL), and for a received packet a marking-time value is written in place of the time-to-live field of the original packet, so as to resist attacks on the packet (forged TTL fields).
The path reconstruction module classifies the marked packets received at the victim terminal by distance field, extracts the marking information and matches the fragment IP address information of each router back to the same router; this is done with knowledge graph technology.
The anomaly detection module parses the source IP and destination IP of each received message and checks whether the two entities exist in the graph: if not, it creates them; if so, it looks them up. It then establishes a connection between the two entities, of which there are two kinds, real and virtual: it traverses all response messages related to the two entities, and if the sequence number of a response message matches the request and response pair, the connection between the two entities is real, otherwise it is virtual; this completes the analysis of the message. After the knowledge graph has been built, the number of connections, the proportion of real connections and the proportion of virtual connections are counted from the connections between entities in the graph; if the proportion of virtual connections exceeds a threshold, the analysed traffic is judged abnormal and an anomaly alert is issued. Building the knowledge graph means first collecting network message data, extracting entities from it, and then associating the entities according to the relations between them.
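The anomaly detection module described in the Disclosure and again in the paragraph above is a small graph computation; the following Python is an added example that is not part of the patent, written to show the real/virtual connection bookkeeping and the threshold decision on a constructed message set. The patent only says a response's sequence number must "match" the request; treating a match as ack == seq + 1 (as in a TCP SYN/ACK), the threshold of 0.5, and reporting the entity touching the most virtual connections as the abnormal entity are this example's own choices.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    """One observed message. ack is None for a request; a response carries the number it answers.
    Treating "response sequence number matches request" as ack == seq + 1 (SYN/ACK style) is an
    assumption of this example; the patent only says the numbers must match."""
    src: str
    dst: str
    seq: int
    ack: Optional[int] = None


def build_connection_graph(messages):
    """Knowledge graph of the anomaly detection module: entities are IPs, relations are connections
    from a source to a destination, each tagged real (answered) or virtual (never answered)."""
    entities = set()
    relations = []                      # (src, dst, "real" | "virtual")
    responses = [m for m in messages if m.ack is not None]
    for req in messages:
        if req.ack is not None:
            continue                    # responses only serve to validate requests
        entities.update((req.src, req.dst))
        answered = any(r.src == req.dst and r.dst == req.src and r.ack == req.seq + 1
                       for r in responses)
        relations.append((req.src, req.dst, "real" if answered else "virtual"))
    return entities, relations


def analyse_traffic(messages, virtual_threshold=0.5):
    """Count connections and the real/virtual proportions; alert when the virtual share exceeds the
    threshold. The abnormal entity reported is the IP touching the most virtual connections
    (this example's choice of entity extraction)."""
    entities, relations = build_connection_graph(messages)
    total = len(relations)
    real = sum(1 for _, _, kind in relations if kind == "real")
    virtual = total - real
    report = {
        "entities": len(entities),
        "connections": total,
        "real_ratio": real / total if total else 0.0,
        "virtual_ratio": virtual / total if total else 0.0,
        "alert": False,
        "abnormal_entity": None,
    }
    if total and report["virtual_ratio"] > virtual_threshold:
        touched = Counter()
        for src, dst, kind in relations:
            if kind == "virtual":
                touched[src] += 1
                touched[dst] += 1
        report["alert"] = True
        report["abnormal_entity"] = touched.most_common(1)[0][0]
    return report


# Constructed sample: two answered connections, one whose reply carries the wrong number,
# and five spoofed-source requests to the same host that are never answered.
SAMPLE_MESSAGES = [
    Message("10.0.0.2", "10.0.0.10", 1000), Message("10.0.0.10", "10.0.0.2", 5000, ack=1001),
    Message("10.0.0.3", "10.0.0.10", 2000), Message("10.0.0.10", "10.0.0.3", 6000, ack=2001),
    Message("10.0.0.4", "10.0.0.10", 3000), Message("10.0.0.10", "10.0.0.4", 7000, ack=4000),
] + [Message(f"203.0.113.{n}", "10.0.0.10", 8000 + n) for n in range(1, 6)]


if __name__ == "__main__":
    print(analyse_traffic(SAMPLE_MESSAGES))
```

On the sample, 6 of the 8 connections are virtual, so the virtual proportion of 0.75 crosses the threshold and the entity on the receiving end of the unanswered requests, 10.0.0.10, is reported; note that with spoofed sources the most-touched entity is the victim rather than the attacker, which is why the patent sends the alert on to packet marking instead of acting on the entity alone.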
After receiving the anomaly alert from anomaly detection, the tracking control module starts the packet marking process, which comprises the following steps. The IP address of a router on the network path is split from high to low order into 4 blocks, giving the fragment IP address information; each fragment is hashed, giving the hash segment values of the 4 fragments, as shown in FIG. 2, and a packet carrying the fragment with offset i carries the hash segment of fragment (i+1) mod 4; the four segments of fragment IP address information are shown in FIG. 3. On receiving a packet, if its TTL is below a certain threshold the packet is marked directly; this counters an attacker forging the TTL field to avoid being marked by the router. Otherwise the marking probability p = 1/(64 - TTL) is computed from the TTL value and a random number x in (0, 1) is drawn. If x < p, a random offset i from {0, 1, 2, 3} is generated and the information for offset i is written into the received packet: the IP segment, the hash segment, the offset i and a distance field of 0, where the distance field is the distance between the marking router and the victim network; the packet is then forwarded. If x > p and the distance field of the received packet is 0, the packet was marked by the upstream router: the router selects its own fragment with the same offset as the packet, XORs its IP segment and hash segment into the packet's IP segment and hash segment respectively, and adds 1 to the distance field. If x > p and the distance field is not 0, only the distance field is incremented by 1. The router then forwards the processed packet.
The path reconstruction module classifies the marked packets received at the victim terminal by distance field, extracts the marking information and matches the fragment IP address information of each router back to the same router; this is done with knowledge graph technology and comprises the following steps:
S1, at the target host, divide the received packets into different packet sets according to the value of the distance field;
S2, starting from distance field 0, build a knowledge graph and reassemble the fragment IP addresses, re-associating each fragment IP address to the same node address. From the fragment information of the packets whose distance field is 0, extract the corresponding entities, such as the IP fragment and the hash. Build the knowledge graph clockwise by offset 0, 1, 2, 3: for a packet with offset 0, for example, the fragment IP address is an entity and the hash value obtained by hashing that fragment IP address is also an entity, the relation between them being the hash transformation; finally, the fragment hash carried in the packet with offset 0 is extracted as an entity. FIG. 4 is the knowledge graph of marking information that matches and associates normally: if the relations shown in FIG. 4 can be constructed, the packets of the 4 offsets carry the information of the same node. FIG. 5 is the knowledge graph of marking information that fails to match: as shown in FIG. 5, the packets of the 4 offsets do not belong to the same node, because the hash of each IP fragment does not correspond pairwise to the hash fragments carried in the 4 packets. The IP obtained by reassembling the fragment IP addresses in offset order is the IP of the router node, which is also the last-hop node of the attack tree;
S3, starting from distance 1, XOR the IP_frag and Hash_frag fields of each packet: these fields hold the XOR of the previous hop's information with that of the hop already restored at the preceding distance (at distance 1, the last hop, whose IP and hash information were obtained at distance 0), so the XOR restores the node information of the previous hop. Then repeat the knowledge graph construction of step S2 to associate and match the fragments of the same node and obtain the IP information of the previous hop, i.e. the second-to-last hop of the attack tree; add 1 to the distance value and repeat step S3 to obtain the IP information of the corresponding hop, until the maximum distance value is reached;
S4, taking the victim as the root of the attack tree, add the reassembled IP information to the attack tree starting from distance 0, until the node information at the maximum distance has been restored and the reconstruction of the attack path is complete.
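The router-side marking procedure (the tracking control module paragraphs above and in the Disclosure), the victim-side steps S1 to S4, and the "try each root node and confirm by association" point made under beneficial effect 2 are one end-to-end algorithm. The Python below is an added example, not code from the patent, that simulates both halves on a constructed five-router path and reads the path back from the marks. Assumptions not fixed by the patent: the fragment hash is one byte of SHA-256; the TTL is decremented before p = 1/(64 - TTL) is evaluated, so 64 - TTL is the hop count and each router on the path leaves the final mark with equal probability; the direct-mark threshold is 4; and p is clamped to 0 when the TTL is still 64 or above, since the patent's formula is undefined at TTL 64 and negative beyond it (a sender that starts at TTL 128 or 255 is then only ever marked by the low-TTL rule). The router names and the packet dictionary are constructed for the example.

```python
import hashlib
import random
from itertools import product

VICTIM = "victim"


def ip_fragments(ip):
    """Split a dotted IPv4 address into four 8-bit fragments, high order first (FIG. 2)."""
    return [int(octet) for octet in ip.split(".")]


def frag_hash(frag):
    """8-bit hash of one fragment; the patent does not name the hash, one byte of SHA-256 is assumed here."""
    return hashlib.sha256(bytes([frag])).digest()[0]


def mark_fields(router_ip, offset):
    """IP segment and hash segment a router writes for offset i: fragment i and hash of fragment (i+1) mod 4."""
    frags = ip_fragments(router_ip)
    return frags[offset], frag_hash(frags[(offset + 1) % 4])


def new_packet(ttl=64):
    """Unmarked packet; only the fields the marking scheme touches are modelled (constructed layout)."""
    return {"ttl": ttl, "ip_frag": None, "hash_frag": None, "offset": None, "distance": None}


def router_forward(pkt, router_ip, rng, ttl_threshold=4, initial_ttl=64):
    """One router's marking step (tracking control module). Modifies pkt in place.
    Assumption: TTL is decremented first, so initial_ttl - ttl is the hop count and p = 1/(64 - TTL)."""
    pkt["ttl"] -= 1
    hops = initial_ttl - pkt["ttl"]
    p = 1.0 / hops if hops > 0 else 0.0            # clamp: TTL >= 64 would make p undefined or negative
    if pkt["ttl"] < ttl_threshold or rng.random() < p:
        i = rng.randrange(4)                        # offset i in {0, 1, 2, 3}
        pkt["ip_frag"], pkt["hash_frag"] = mark_fields(router_ip, i)
        pkt["offset"], pkt["distance"] = i, 0
    elif pkt["distance"] == 0:                      # marked by the upstream router: XOR own fragment in
        ip_seg, hash_seg = mark_fields(router_ip, pkt["offset"])
        pkt["ip_frag"] ^= ip_seg
        pkt["hash_frag"] ^= hash_seg
        pkt["distance"] += 1
    elif pkt["distance"] is not None:               # edge already closed: only count the hop
        pkt["distance"] += 1


def associate_fragments(candidates):
    """FIG. 4 association: (offset, ip_frag, hash_frag) triples belong to one router iff, going
    clockwise through offsets 0,1,2,3,0, each hash fragment equals the hash of the next offset's IP fragment."""
    by_offset = [set() for _ in range(4)]
    for offset, ip_seg, hash_seg in candidates:
        by_offset[offset].add((ip_seg, hash_seg))
    routers = set()
    for quad in product(*by_offset):
        if all(quad[i][1] == frag_hash(quad[(i + 1) % 4][0]) for i in range(4)):
            routers.add(".".join(str(ip_seg) for ip_seg, _ in quad))
    return routers


def reconstruct_attack_tree(packets, victim=VICTIM):
    """Path reconstruction module, steps S1 to S4. Returns {router: next hop towards the victim}."""
    by_distance = {}
    for pkt in packets:                             # S1: split by distance field
        if pkt["distance"] is not None:
            by_distance.setdefault(pkt["distance"], []).append(pkt)
    tree = {}
    frontier = associate_fragments(                 # S2: distance 0 holds the last hop's own fragments
        (p["offset"], p["ip_frag"], p["hash_frag"]) for p in by_distance.get(0, []))
    for router in frontier:
        tree[router] = victim
    for d in range(1, max(by_distance, default=0) + 1):   # S3: undo the XOR with each known hop d-1
        next_frontier = set()
        for down in frontier:                       # try every known downstream node, keep what associates
            candidates = []
            for p in by_distance.get(d, []):
                ip_seg, hash_seg = mark_fields(down, p["offset"])
                candidates.append((p["offset"], p["ip_frag"] ^ ip_seg, p["hash_frag"] ^ hash_seg))
            for up in associate_fragments(candidates):
                tree.setdefault(up, down)           # S4: grow the attack tree
                next_frontier.add(up)
        frontier = next_frontier
    return tree


# Constructed attack path, attacker side first; the last router is adjacent to the victim.
ATTACK_PATH = ["10.1.0.1", "10.2.0.1", "172.16.5.9", "192.0.2.1", "198.51.100.254"]


def simulate_attack(path=ATTACK_PATH, n_packets=2000, seed=7):
    """Forward n_packets from an attacker host (initial TTL 64) along path; return what the victim sees."""
    rng = random.Random(seed)
    received = []
    for _ in range(n_packets):
        pkt = new_packet()
        for router in path:
            router_forward(pkt, router, rng)
        received.append(pkt)
    return received


def demo():
    """Mark, collect, reconstruct; returns the attack tree and the path read back, attacker side first."""
    tree = reconstruct_attack_tree(simulate_attack())
    path, hop = [], next((r for r, nxt in tree.items() if nxt == VICTIM), None)
    while hop is not None:
        path.append(hop)
        hop = next((r for r, nxt in tree.items() if nxt == hop), None)
    return tree, path[::-1]


if __name__ == "__main__":
    tree, path = demo()
    print("attack tree:", tree)
    print("reconstructed path:", " -> ".join(path), "->", VICTIM)
```

With p = 1/hops each of the five routers ends up owning about a fifth of the 2000 final marks, so every offset is seen at every distance and the reconstruction recovers the whole path; with far fewer packets, or a longer path, some offset at some distance can be missing, and that hop and everything beyond it is lost, which is the practical cost of the 8-bit fragment field the patent chooses.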
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (5)

1. A data packet marking and tracing device based on a knowledge graph, characterized in that it comprises an anomaly detection module, a tracking control module, a path reconstruction module and a feedback module, wherein the anomaly detection module is connected to the tracking control module, the tracking control module is connected to the path reconstruction module, and the path reconstruction module is connected to the feedback module;
the anomaly detection module performs anomaly detection on all data packets within the area administered by the tracing device: it monitors the messages transmitted in the network and constructs a knowledge graph from them; if an anomaly is detected, it identifies the abnormal entity using the entity extraction performed during knowledge graph construction and issues an anomaly early warning, whereupon the tracking control module marks data packets and the path reconstruction module traces the marked packets to obtain the attack path; the entities comprise source IPs and destination IPs;
the tracking control module implements data packet marking and begins marking once it receives the anomaly early warning issued by the anomaly detection module; marking uses probabilistic packet marking, in which a router writes its identification into a data packet with a given probability;
the path reconstruction module, on receiving a tracing request from the tracking control module, classifies the marked data packets received by the victim terminal by their distance field, extracts the marking information, matches the fragment IP address information belonging to each router back to that router, determines the IP of each marking router, and adds the router IPs to the attack tree in order of distance, thereby obtaining the attack path;
the feedback module visually displays the detected anomaly information, the attacker information and the traced path information;
the anomaly detection module is connected to the tracking control module and sends it the anomaly early warning; the tracking control module starts working on receipt of the early warning and begins the data packet marking process;
the anomaly detection module analyses the source IP and destination IP of each received data message and checks whether the two entities already exist in the graph, creating them if they do not and locating them if they do; it then establishes a connection between the two entities, which is either a real connection or a virtual connection: it traverses the relations of all response messages involving the two entities and, if the sequence number of a response message matches the message pair being analysed, the connection between the two entities is a real connection, otherwise it is a virtual connection, which completes the analysis of the message; after the knowledge graph has been constructed, the number of connection relations, the proportion of real connections and the proportion of virtual connections are counted from the connection relations between entities in the graph; if the proportion of virtual connections exceeds a threshold value, the analysed communication traffic is judged abnormal and an anomaly early warning is issued; knowledge graph construction first acquires the network transmission message data, performs entity extraction on it, and then associates the entities according to the relations existing between them.
2. The device according to claim 1, wherein in the packet marking process the tracking control module marks packets with the fragment IP address information of the router, calculates the marking probability from the packet's time-to-live (TTL), and, for a received packet, rewrites a marking time into the packet in place of the original packet's TTL so as to resist attacks that manipulate the packet.
3. The device according to claim 2, wherein the tracking control module, after receiving the anomaly early warning issued by the anomaly detection module, starts the packet marking process, specifically: the IP address of a router on the network path is divided into 4 blocks from the high-order to the low-order bits to obtain the fragment IP address information, each fragment is hashed to obtain the 4 corresponding hash segment values, and the fragment hash value carried by a data packet with offset i is set to Hash_((i+1) mod 4); on receiving a data packet, if its TTL value is below a certain threshold the packet is marked directly, which counters an attacker forging the TTL field to avoid being marked by the router; otherwise the marking probability p = 1/(64 - TTL) is calculated from the TTL value and a random number x in (0, 1) is generated; if x < p, a random offset i in {0, 1, 2, 3} is generated, the router's fragment IP at offset i, the corresponding hash segment, the offset i and a distance of 0 are written into the IP segment, hash segment, offset and distance fields of the received data packet, where the distance field represents the distance between the marking router and the victim network, and the packet is forwarded; if x > p and the distance field of the received packet is 0, the packet has been marked by the upstream router, so the router selects its own fragment information with the same offset as the packet, XORs it into the IP segment and the hash segment of the packet respectively, and adds 1 to the distance field; if x > p and the distance field is not 0, only the distance field is incremented by 1; the router then forwards the processed data packet.
4. The device according to claim 1, wherein the path reconstruction module classifies the marked packets received by the victim by their distance field, extracts the marking information and matches the fragment IP address information of each router back to the same router, this process being implemented with knowledge graph technology.
5. The knowledge graph-based data packet marking and tracing device according to claim 4, wherein the path reconstruction module classifies the marked data packets received by the victim terminal by their distance field, extracts the marking information and matches the fragment IP address information of each router back to the same router using knowledge graph technology, the process comprising the following steps:
S1, at the target host, dividing the received data packets into separate sets according to the value of their distance field;
S2, starting with the set at distance 0, constructing a knowledge graph that reassembles the fragment IP addresses and associates them with the same node address: extract from each distance-0 packet the fragment IP address and the hash value carried in its marking information and take both as entities, build the graph clockwise over offsets 0, 1, 2, 3, where a fragment IP address and the hash function value obtained by hashing a fragment IP address are entities and the relation between a fragment IP address and its hash function value is "corresponds under the hash transform", and finally extract the fragment hash in the packet with offset 0 as an entity; the IP obtained by recombining the fragment IP addresses in offset order is the IP of the router node, which is also the last-hop node of the attack tree;
S3, starting from distance 1, XOR the IP_frag field and the Hash_frag field of each data packet with the corresponding fragments of the router recovered at the previous distance, thereby restoring the node information of the router one hop further upstream, then repeat the knowledge graph construction of step S2, associating and matching the fragments of the same node, to obtain the IP of that router, the second-to-last hop of the attack tree; add 1 to the distance value and repeat S3, obtaining the router IP at each distance, until the maximum distance value is reached;
S4, with the victim as the root node of the attack tree, add the reassembled router IPs to the tree in order of increasing distance, starting from distance 0, until the node information at the maximum distance has been restored and the reconstruction of the attack path is complete.
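Claim 1's detection step is a graph over IP entities with one connection relation per request message, labelled real when a matching response exists and virtual otherwise, with an alert when the virtual share crosses a threshold. The Python below is an added example for this page, not the patentees' implementation. Its assumptions, none of which the claim fixes: messages are modelled as (src, dst, seq, ack, kind) records, a response "matches" a request when its ack equals the request's seq + 1 (TCP SYN/SYN-ACK style), the threshold is 0.5, the abnormal entity is taken to be the endpoint of the most virtual relations, and the traffic in `sample_traffic()` is constructed.

```python
"""Knowledge-graph style real/virtual connection ratio detector, added as an
illustration of claim 1; not the patent's code. The matching rule, threshold
and sample traffic are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass, field

VIRTUAL_RATIO_THRESHOLD = 0.5  # assumed

@dataclass
class Msg:
    src: str
    dst: str
    seq: int
    ack: int
    kind: str  # "req" or "resp"

@dataclass
class Graph:
    entities: set = field(default_factory=set)
    relations: list = field(default_factory=list)  # (src, dst, "real" | "virtual")

def build_graph(msgs):
    """Create or find the two IP entities of each request and connect them;
    the connection is real only if a response from dst back to src carries
    ack == seq + 1 (assumed matching rule), otherwise virtual."""
    g = Graph()
    responses = defaultdict(set)  # (responder, requester) -> ack numbers seen
    for m in msgs:
        if m.kind == "resp":
            responses[(m.src, m.dst)].add(m.ack)
    for m in msgs:
        if m.kind != "req":
            continue
        g.entities.update((m.src, m.dst))
        matched = (m.seq + 1) in responses[(m.dst, m.src)]
        g.relations.append((m.src, m.dst, "real" if matched else "virtual"))
    return g

def analyse(g):
    """Count relations and the real/virtual proportions; alert when the virtual
    share exceeds the threshold and name the entity most virtual relations
    point at (assumed reading of 'abnormal entity')."""
    total = len(g.relations)
    virtual = sum(1 for _, _, kind in g.relations if kind == "virtual")
    stats = {
        "relations": total,
        "real_ratio": (total - virtual) / total if total else 0.0,
        "virtual_ratio": virtual / total if total else 0.0,
    }
    stats["alert"] = stats["virtual_ratio"] > VIRTUAL_RATIO_THRESHOLD
    hits = defaultdict(int)
    for _, dst, kind in g.relations:
        if kind == "virtual":
            hits[dst] += 1
    stats["abnormal_entity"] = max(hits, key=hits.get) if hits else None
    return stats

def sample_traffic(spoofed=8):
    """Constructed traffic: two completed request/response pairs to
    203.0.113.10, then `spoofed` requests from addresses that never answer."""
    msgs = []
    for i, src in enumerate(["10.0.0.5", "10.0.0.6"]):
        seq = 1000 + i
        msgs.append(Msg(src, "203.0.113.10", seq, 0, "req"))
        msgs.append(Msg("203.0.113.10", src, 5000 + i, seq + 1, "resp"))
    for i in range(spoofed):
        msgs.append(Msg(f"198.51.100.{i + 1}", "203.0.113.10", 7000 + i, 0, "req"))
    return msgs
```

On the constructed sample, 8 of 10 relations are virtual, so `analyse` raises the alert and names 203.0.113.10 as the abnormal entity, which is the information the tracking control module needs to start marking. A ratio alone is easy to dilute: an attacker who mixes in completed connections lowers the virtual share, so in practice the threshold should be evaluated per destination entity and over a time window rather than over all traffic at once.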
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110058724.1A CN112910851B (en) 2021-01-16 2021-01-16 Data packet marking and tracing device based on knowledge graph

Publications (2)

Publication Number Publication Date
CN112910851A (en) 2021-06-04
CN112910851B (en, granted) 2021-10-15

Family

ID=76114075

Country Status (1)

Country Link
CN (1) CN112910851B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113271317A (en) * 2021-06-16 2021-08-17 中移(杭州)信息技术有限公司 Network attack tracing method and device, communication equipment and storage medium
CN113691550B (en) * 2021-08-27 2023-02-24 西北工业大学 Behavior prediction system of network attack knowledge graph
CN114363036B (en) * 2021-12-30 2023-05-16 绿盟科技集团股份有限公司 Network attack path acquisition method and device and electronic equipment
CN114915444B (en) * 2022-03-23 2023-03-10 中国科学院信息工程研究所 DDoS attack detection method and device based on graph neural network
CN115146075B (en) * 2022-07-11 2023-03-10 中科雨辰科技有限公司 Data processing system for acquiring knowledge graph
CN115801473A (en) * 2023-02-13 2023-03-14 广东电网有限责任公司江门供电局 Knowledge graph-based malicious flow identification method and device for power monitoring system
CN117235200A (en) * 2023-09-12 2023-12-15 杭州湘云信息技术有限公司 Data integration method and device based on AI technology, computer equipment and storage medium

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101873258A (en) * 2010-06-07 2010-10-27 清华大学 Probabilistic packet marking and attack source tracing method, system and device
CN103249177A (en) * 2012-08-13 2013-08-14 常州大学 Method of tracking DDoS attack in wireless sensor network
CN109922075A (en) * 2019-03-22 2019-06-21 中国南方电网有限责任公司 Network security knowledge map construction method and apparatus, computer equipment
CN111581397A (en) * 2020-05-07 2020-08-25 南方电网科学研究院有限责任公司 Network attack tracing method, device and equipment based on knowledge graph

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
WO2004008700A2 (en) * 2002-07-12 2004-01-22 The Penn State Research Foundation Real-time packet traceback and associated packet marking strategies
KR100951770B1 (en) * 2005-12-30 2010-04-08 경희대학교 산학협력단 Method for back-tracking IP based on the IPv6 network
CN105792212B (en) * 2016-02-29 2019-01-04 中南大学 A kind of tracing method based on fair probabilistic packet marking in wireless sensor network

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant