CN113132377A - Network attack path reconstruction method based on topological information - Google Patents


Info

Publication number
CN113132377A
Authority
CN
China
Prior art keywords
network
router
attack
information
path
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110403131.4A
Other languages
Chinese (zh)
Inventor
吴巍
王占丰
郭彦涛
张林杰
马潇霄
毛传奇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 54 Research Institute
Original Assignee
CETC 54 Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2021-04-15
Filing date: 2021-04-15
Publication date: 2021-07-16
Application filed by CETC 54 Research Institute
Priority to CN202110403131.4A
Publication of CN113132377A
Legal status: Pending

Classifications

    All within H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 for managing network security; network security policies in general
    • H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/02 Capturing of monitoring data > H04L 43/028 Capturing of monitoring data by filtering
    • H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/02 Topology update or discovery
    • H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/12 Shortest path evaluation > H04L 45/122 Shortest path evaluation by minimising distances, e.g. by selecting a route with minimum of number of hops
    • H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/20 Hop count for routing purposes, e.g. TTL
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 for authentication of entities > H04L 63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1408 by monitoring network traffic > H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00 > H04L 2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of cyberspace security, in particular to a network attack path reconstruction method based on topology information, which comprises the following steps: first, topology measurement probes distributed in each area of the network obtain the network topology structure through traceroute; then the routers traversed by the attack flow are extracted from NetFlow/NetStream data; and finally, from the extracted routers and the related network topology data, the Dijkstra shortest path selection algorithm is used to reconstruct the attack path of the whole attack flow step by step. The invention combines active and passive network measurement, can accurately and completely draw the path of the network attack, and ensures the correctness of the reconstructed path.

Description

Network attack path reconstruction method based on topological information
Technical Field
The invention relates to the technical field of cyberspace security, in particular to a network attack path reconstruction method based on topology information.
Background
With the rapid development of the internet, more and more traditional modes of operation are being replaced by low-cost, open and efficient distributed network applications, and the network has become an indispensable part of daily life. But network-based attacks are also growing stronger, network security incidents occur endlessly, and various network attacks bring serious harm to countries, society and individuals. Attackers exploit the fast and extensive interconnectivity of networks so that security measures in the traditional sense largely lose their effect, seriously threatening national and social security. Network security threats cause huge losses to the nation and to people's livelihoods; the security problem seriously restricts the development of the network and directly threatens national and social stability.
Network attack tracing refers to the technology of determining the identity or location of an attacker and of the intermediate media of an attack through the network, and restoring the attack path. Attackers generally use techniques such as forged IP addresses, stepping stones (springboards) and anonymous networks to carry out attacks while evading tracking, so defenders find it difficult to determine the attack source and cannot implement targeted protection strategies. By actively locating the attack source, tracing technology can reconstruct the attack timeline and reshape the attack events, so that targeted interception and countermeasures can be carried out in time; it is one of the key technologies in network attack and defense and an important link in active network defense. It plays a crucial role in minimizing the effect of network attacks and deterring potential ones.
Network security has become a major strategic issue concerning national security. Faced with increasingly complex and intelligent attack behavior, the traditional passive defense strategy cannot effectively protect the network or suppress attacks, and an attacker can always break through and paralyze the defense system by exploiting vulnerabilities in the system, the network and even the defense system itself, leaving the network directly exposed to the attacker. Attackers exploit the fast and extensive interconnectivity of networks to essentially disable security measures in the traditional sense, and most attackers use forged IP addresses, so defenders find it difficult to determine the location of the real attack source and cannot implement a targeted defense and suppression strategy. All of this makes tracing technology an important link in the active network defense system, where it plays a crucial role in minimizing the effect of network attacks and deterring potential ones. At the same time, on the basis of accurate tracking and positioning, various security strategies and technical means must be adopted to reduce the greater damage caused by network attacks.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a network attack path reconstruction method based on topology information, which can effectively solve the problem that the network attack path is difficult to reconstruct.
In order to solve the technical problems, the invention adopts the following technical scheme:
a network attack path reconstruction method based on topology information comprises the following steps:
step S1, deploying distributed probes in the network, and utilizing the probes to perform traceroute measurement on the IP addresses of the whole network, acquiring each path information of the network, and constructing a network topology structure according to the path information;
step S2, extracting network attack flow information, matching the extracted network attack flow information with the collected NetFlow/NetStream information, and adding the successfully matched router into a router set;
step S3, using the target IP of the attack flow as a reference node;
step S4, judging whether the router set is empty, if not, switching to step S5, otherwise, switching to step S7;
step S5, calculating the hop count between each router in the router set and the reference node according to the Dijkstra algorithm;
step S6, selecting the router in the router set with the least hop count to the reference node as the next hop node, connecting it to the reference node, then using the selected router as the new reference node, deleting it from the router set, and turning to step S4;
step S7, connecting the reference node with the source IP address of the attack flow, and storing all analysis results;
and finishing network attack path reconstruction based on the topology information.
Compared with the prior art, the invention has the advantages that:
(1) The invention combines active and passive network measurement, can accurately and completely draw the path of the network attack, and ensures the correctness of the reconstructed path.
(2) When the invention performs attack path reconstruction, the Dijkstra algorithm is adopted as the shortest path selection algorithm, which effectively ensures the accuracy of the attack path analysis result.
Drawings
Fig. 1 is a schematic flow chart of a network attack path reconstruction method based on topology information according to the present invention.
Detailed Description
In order that the objects and advantages of the invention will be more clearly understood, the following description is given in conjunction with the accompanying examples. It is to be understood that the following text is merely illustrative of one or more specific embodiments of the invention and does not strictly limit the scope of the invention as specifically claimed.
The running environment required by the embodiment is a PC with an Intel-Windows architecture, several PCs running traceroute measurement, and several routers supporting NetFlow/NetStream; the routers are connected by network cables, and the PCs running traceroute measurement are deployed at the edge of the network and connected to it.
The PC that runs the network attack path reconstruction method based on topology information provided by the invention is configured as follows: the software based on the invention (named AttackRecover in this embodiment) is installed and run on a PC with an Intel-Windows architecture; the PC hardware has an eight-core Intel Core CPU with a clock frequency of 2.5 GHz or above, at least 4 GB of memory and a 500 GB hard disk, and runs the Windows 10 operating system.
The PCs that run traceroute path measurement are configured as follows: traceroute software runs on a PC with an Intel-Windows architecture; the PC hardware has an eight-core Intel Core CPU with a clock frequency of 2.5 GHz or above, at least 2 GB of memory and a 100 GB hard disk, and runs the Windows 10 operating system.
As shown in fig. 1, starting with step S101, a user deploys a distributed probe in a network, and performs traceroute measurement on an IP address of the whole network by using the distributed probe, so as to obtain information of each path of the network, and then proceeds to step S102;
in step S102, the user performs path extraction on the obtained traceroute measurement result, constructs a network topology structure according to the path information, and then proceeds to step S103;
in step S103, the source IP, the destination IP, the source port number, the destination port number, the transport layer protocol type, and the attack time information of the network attack flow are extracted, and then step S104 is performed;
in step S104, the extracted network attack flow information is matched against the collected NetFlow/NetStream data, each successfully matched router is added to the RouterSet set, and the process proceeds to step S105;
in step S105, the target IP of the attack flow is used as the reference node, and the process proceeds to step S106;
in step S106, it is judged whether the RouterSet set is empty; if not, the process enters step S107, otherwise step S109;
in step S107, the hop count between each router in the RouterSet set and the reference node is calculated according to the Dijkstra algorithm, and the process proceeds to step S108;
in step S108, the router in the RouterSet set with the least hop count from the reference node is selected as the next hop node and connected to the reference node; that node then becomes the new reference node and is deleted from the RouterSet set, and the process goes to step S106;
in step S109, the reference node is connected to the source IP address of the attack flow, and then the process proceeds to step S110.
In step S110, all the analysis results are saved, and the analysis is ended.
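The procedure of steps S1 to S7 (restated above as steps S101 to S110, and again in claim 1) written out as an added Python example. This is not the AttackRecover software described in the patent and is not taken from it; the traceroute hop lists, the NetFlow/NetStream records and the attack flow are constructed sample data. Two details the patent leaves open are filled in as labelled assumptions: a router that appears in NetFlow but was never traced by any probe has no topology distance and is reported rather than placed, and ties on hop count are broken by IP string so the result is deterministic.

```python
"""Added example: greedy attack-path reconstruction from a traceroute-derived
topology and NetFlow/NetStream router matches, following steps S1-S7.
All hosts, routers, flows and records below are constructed sample data."""
import heapq
from collections import defaultdict

# Step S1 / S101-S102: hop lists reported by distributed traceroute probes.
# "*" marks a hop that did not answer; it is skipped when forming links
# (an approximation, not specified by the patent).
TRACEROUTE_PATHS = [
    ["10.0.0.1", "10.0.1.1", "10.0.2.1", "10.0.3.1", "198.51.100.20"],
    ["10.0.0.1", "10.0.5.1", "10.0.3.1", "198.51.100.20"],
    ["10.0.6.1", "*", "10.0.1.1", "10.0.7.1"],
]

# Step S103: the attack flow's 5-tuple plus the time window of the attack.
ATTACK_FLOW = {"src": "192.0.2.10", "dst": "198.51.100.20", "sport": 40000,
               "dport": 80, "proto": 6, "start": 1000, "end": 1060}

# NetFlow/NetStream records as collected from each exporting router (constructed).
NETFLOW_RECORDS = [
    {"router": "10.0.7.1", "src": "192.0.2.10", "dst": "198.51.100.20",
     "sport": 40000, "dport": 80, "proto": 6, "time": 1005},
    {"router": "10.0.1.1", "src": "192.0.2.10", "dst": "198.51.100.20",
     "sport": 40000, "dport": 80, "proto": 6, "time": 1005},
    {"router": "10.0.2.1", "src": "192.0.2.10", "dst": "198.51.100.20",
     "sport": 40000, "dport": 80, "proto": 6, "time": 1006},
    {"router": "10.0.3.1", "src": "192.0.2.10", "dst": "198.51.100.20",
     "sport": 40000, "dport": 80, "proto": 6, "time": 1006},
    # Same hosts, different ports: an unrelated flow, must not match.
    {"router": "10.0.5.1", "src": "192.0.2.10", "dst": "198.51.100.20",
     "sport": 40001, "dport": 443, "proto": 6, "time": 1007},
    # Same 5-tuple but outside the attack window: must not match.
    {"router": "10.0.5.1", "src": "192.0.2.10", "dst": "198.51.100.20",
     "sport": 40000, "dport": 80, "proto": 6, "time": 2000},
]
FLOW_KEY = ("src", "dst", "sport", "dport", "proto")


def build_topology(paths):
    """Step S102: undirected adjacency map; consecutive answered hops share a link."""
    adj = defaultdict(set)
    for hops in paths:
        answered = [h for h in hops if h != "*"]
        for a, b in zip(answered, answered[1:]):
            adj[a].add(b)
            adj[b].add(a)
    return adj


def match_routers(attack, records):
    """Step S104: routers whose records carry the attack 5-tuple inside the window."""
    return {r["router"] for r in records
            if all(r[k] == attack[k] for k in FLOW_KEY)
            and attack["start"] <= r["time"] <= attack["end"]}


def dijkstra_hops(adj, source):
    """Step S107: hop count from source to every reachable node (unit link weights)."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v in adj.get(u, ()):
            if d + 1 < dist.get(v, float("inf")):
                dist[v] = d + 1
                heapq.heappush(heap, (d + 1, v))
    return dist


def reconstruct_path(adj, router_set, src_ip, dst_ip):
    """Steps S105-S110: walk from the target back toward the source, always taking
    the matched router nearest to the current reference node.
    Returns (path ordered destination -> source, routers that could not be placed)."""
    remaining = set(router_set)
    path = [dst_ip]  # step S105: the attack target is the first reference node
    unplaced = set()
    while remaining:  # step S106
        hops = dijkstra_hops(adj, path[-1])
        reachable = [r for r in remaining if r in hops]
        if not reachable:
            # Assumption (not in the patent): a router seen in NetFlow but never
            # traced by a probe has no topology distance; report it, do not guess.
            unplaced = remaining
            break
        nxt = min(reachable, key=lambda r: (hops[r], r))  # S108; IP tie-break is an assumption
        path.append(nxt)
        remaining.remove(nxt)
    path.append(src_ip)  # step S109: close the path at the attack source
    return path, unplaced


def run_example():
    adj = build_topology(TRACEROUTE_PATHS)
    routers = match_routers(ATTACK_FLOW, NETFLOW_RECORDS)
    return reconstruct_path(adj, routers, ATTACK_FLOW["src"], ATTACK_FLOW["dst"])


if __name__ == "__main__":
    path, unplaced = run_example()
    print("attack path:", " -> ".join(reversed(path)))
    if unplaced:
        print("seen in NetFlow but absent from topology:", sorted(unplaced))
```

On the sample data the walk starts at the target 198.51.100.20, picks 10.0.3.1 (1 hop), then 10.0.2.1, 10.0.1.1 and 10.0.7.1, and closes the path at 192.0.2.10; the two decoy records at 10.0.5.1 are rejected by the port and time-window checks, so that router never enters RouterSet. The unplaced set is what a defender should watch: a non-empty set means the passive (NetFlow) view and the active (traceroute) view disagree, and the reconstructed path is incomplete rather than wrong.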
In summary, the network attack path reconstruction method based on topology information provided by the present invention measures the topology structure of the network through distributed network topology probes, so as to grasp the connection relationships between the routers in the network; it then finds the routers through which the attack flow passed by matching the attack flow information with the NetFlow/NetStream data, and reconstructs the attack path of the entire attack flow step by step through the shortest path selection algorithm. When the invention performs attack path reconstruction, the Dijkstra algorithm is adopted as the shortest path selection algorithm; since Dijkstra is the main algorithm used in current route calculation, this effectively ensures the accuracy of the attack path analysis result.
The present invention is not limited to the above embodiments, and those skilled in the art can make various equivalent changes and substitutions without departing from the principle of the present invention after learning the content of the present invention, and these equivalent changes and substitutions should be considered as belonging to the protection scope of the present invention.

Claims (1)

1. A network attack path reconstruction method based on topology information is characterized by comprising the following steps:
step S1, deploying distributed probes in the network, and utilizing the probes to perform traceroute measurement on the IP addresses of the whole network, acquiring each path information of the network, and constructing a network topology structure according to the path information;
step S2, extracting network attack flow information, matching the extracted network attack flow information with the collected NetFlow/NetStream information, and adding the successfully matched router into a router set;
step S3, using the target IP of the attack flow as a reference node;
step S4, judging whether the router set is empty, if not, switching to step S5, otherwise, switching to step S7;
step S5, calculating the hop count between each router in the router set and the reference node according to the Dijkstra algorithm;
step S6, selecting the router in the router set with the least hop count to the reference node as the next hop node, connecting it to the reference node, then using the selected router as the new reference node, deleting it from the router set, and turning to step S4;
step S7, connecting the reference node with the source IP address of the attack flow, and storing all analysis results;
and finishing network attack path reconstruction based on the topology information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110403131.4A CN113132377A (en) 2021-04-15 2021-04-15 Network attack path reconstruction method based on topological information

Publications (1)

Publication Number Publication Date
CN113132377A true CN113132377A (en) 2021-07-16

Family

ID=76776356

Country Status (1)

Country Link
CN (1) CN113132377A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010032272A1 (en) * 2000-04-18 2001-10-18 Nec Corporation QoS-based shortest path routing for hierarchical communication network
CN104202211A (en) * 2014-08-25 2014-12-10 电子科技大学 Autonomous system level network topology identification method combining active and passive measurement
CN105337951A (en) * 2014-08-15 2016-02-17 中国电信股份有限公司 Method and device carrying out path backtracking for system attack
US20160105453A1 (en) * 2014-10-10 2016-04-14 The Hong Kong Polytechnic University Network attack detection method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710436A (en) * 2022-04-19 2022-07-05 电子科技大学 Topology reconstruction method of multi-domain unmanned system under topology attack
CN114710436B (en) * 2022-04-19 2023-02-07 电子科技大学 Topology reconstruction method of multi-domain unmanned system under topology attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210716