CN113364793A - ICMP hidden tunnel detection method, device and storage medium - Google Patents


Info

Publication number
CN113364793A
Authority
CN
China
Prior art keywords
icmp
message
icmp message
determining
attribute information
Prior art date
Legal status
Pending
Application number
CN202110671360.4A
Other languages
Chinese (zh)
Inventor
刘盈
李建国
余小军
李渊
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides an ICMP hidden tunnel detection method, a device and a storage medium, wherein the method comprises the following steps: obtaining a first ICMP message; determining the IP address of the first ICMP message; determining a corresponding conversation object in a target file at least based on the IP address, wherein the target file is used for storing conversation objects, a conversation object represents that a second ICMP message corresponding to the IP address has been obtained, the conversation object also comprises attribute information of the second ICMP message, and the attribute information comprises time information, content information and/or length information of the second ICMP message; determining the attribute information of the second ICMP message based on the conversation object; and determining whether an ICMP hidden tunnel exists in the network based on the attribute information of the first ICMP message and the second ICMP message. The ICMP hidden tunnel detection method can efficiently and accurately detect ICMP hidden tunnels and has a wide application range.

Description

ICMP hidden tunnel detection method, device and storage medium
Technical Field
The embodiment of the invention relates to the field of network security detection, in particular to an ICMP hidden tunnel detection method, a device and a storage medium.
Background
A tunnel exploits the characteristics of a network protocol to transmit data in a concealed manner and seriously threatens information security. Most ICMP (Internet Control Message Protocol) traffic can evade detection by network equipment such as firewalls, so an attacker can hide data in the payload of ICMP messages to form an ICMP covert channel. For example, in a malicious attack it is common that an attacker gains control of a host by some means, obtains files such as domain hashes or password files, and needs to transmit them back to a local machine for cracking; the firewall blocks requests initiated from the intranet, and only the ICMP protocol is not blocked. If the attacker can ping a remote computer (ping, Packet Internet Groper, is a program for testing network connectivity that sends an ICMP Echo request message to a destination host to test whether the destination is reachable and to learn its state), the attacker can attempt to establish an ICMP tunnel, in which traffic is encapsulated in ping packets so that the ping data passes through the firewall. The detection of ICMP tunnels is therefore becoming increasingly important.
The existing ICMP tunnel detection method identifies, based on traffic analysis, whether covert channel communication based on the ICMP protocol exists. Specifically, it parses an obtained ICMP traffic message to obtain a transmission identifier and transmission content, and judges whether the transmission content is scrambled. If the transmission content is scrambled, it judges whether the request content and the response content corresponding to the target transmission identifier are the same. If they are not the same, covert channel communication is determined based on the target transmission identifier. However, since this detection method needs to decide whether the content is scrambled, and the threshold for deciding that content is scrambled is difficult to set, normal transmission content may be judged scrambled and abnormal transmission content may be judged not scrambled, which affects the accuracy of deciding whether a covert channel exists. At the same time, the method judges whether the request content and the response content corresponding to the target transmission identifier are the same, and determines covert channel communication only if they are not. This fails for some ICMP tunneling tools, such as the ICMP Transmitter tunneling tool, whose requests and responses carry matching content, so the covert channel cannot be identified. Likewise, some tunnel tools, such as traceroute, do not respond to the ICMP message, so the covert channel cannot be detected by the above method either.
Disclosure of Invention
The invention provides an ICMP hidden tunnel detection method, device and storage medium that are efficient, accurate and wide in application range.
In order to solve the above technical problem, an embodiment of the present invention provides an ICMP hidden tunnel detection method, including:
obtaining a first ICMP message;
determining the IP address of the first ICMP message;
determining a corresponding session object in a target file at least based on the IP address, wherein the target file is used for storing session objects, a session object represents that a second ICMP message corresponding to the IP address has been obtained, and the session object also contains attribute information of the second ICMP message, wherein the attribute information comprises time information, content information and/or length information of the second ICMP message;
determining attribute information of the second ICMP message based on the conversation object;
and determining whether an ICMP hidden tunnel exists in the network or not based on the attribute information of the first ICMP message and the second ICMP message.
Optionally, the attribute information includes a message length of the second ICMP message, and a time for obtaining or storing the second ICMP message;
the determining whether an ICMP hidden tunnel exists in a network based on the attribute information of the first ICMP packet and the second ICMP packet includes:
determining the length of the first ICMP message;
if the length of the first ICMP message is different from that of the second ICMP message, calculating to obtain the time difference of the first ICMP message and the second ICMP message;
and if the time difference meets a time threshold, determining that the ICMP hidden tunnel exists in the network.
Optionally, the attribute information includes a byte offset of a payload in the second ICMP message, the content of a target byte, and a time for obtaining or storing the second ICMP message;
the determining whether an ICMP hidden tunnel exists in a network based on the attribute information of the first ICMP packet and the second ICMP packet includes:
determining the byte offset of the payload in the first ICMP message and the content of the target byte of the payload;
if the byte offset of the payload in the first ICMP message and the content of the target byte of the payload differ at least partially from the byte offset of the payload in the second ICMP message and the content of the target byte of the payload, calculating the time difference between the first ICMP message and the second ICMP message;
and if the time difference meets a time threshold, determining that the ICMP hidden tunnel exists in the network.
Optionally, the attribute information further includes a packet length of the second ICMP packet, and the method further includes:
determining the length of the first ICMP message;
if the lengths of the first ICMP message and the second ICMP message are the same, and the byte offset of the payload in the first ICMP message and the content of the target byte of the payload are correspondingly the same as the byte offset of the payload in the second ICMP message and the content of the target byte of the payload, determining that the first ICMP message and the second ICMP message are messages sent by the same process in the network application layer;
and updating the attribute information stored in the corresponding session object based on the first ICMP message.
Optionally, the target byte is the ith byte, and the updating, based on the first ICMP packet, of the attribute information stored in the corresponding session object includes:
determining the content of the (i + 1)th byte in the first ICMP message;
updating the content of the target byte in the attribute information based on the content of the (i + 1)th byte;
determining the byte offset of the payload in the first ICMP message;
updating the byte offset information in the attribute information based on the byte offset of the first ICMP message, wherein if the byte offset of the first ICMP message is the same as the message length of the second ICMP message in the attribute information, the byte offset information in the attribute information is updated based on a preset default value, the default value being related to the standard length of a payload in a normal (benign) ICMP message.
Optionally, the determining an IP address of the first ICMP packet includes:
and determining the source IP address and the destination IP address of the first ICMP message.
Optionally, the target file is a hash table;
the method further comprises the following steps:
determining a transmission protocol corresponding to the first ICMP message;
determining the type of the first ICMP message based on the transmission protocol and the first ICMP message;
determining a corresponding key based on the type, the source IP address and the destination IP address;
the determining a corresponding conversation object based at least on the IP address includes:
looking up the corresponding conversation object in the hash table based on the key.
Optionally, the method further comprises:
if the corresponding conversation object is not found, establishing the conversation object based on the first ICMP message;
and forming a key value pair based on the key and the conversation object, and storing the key value pair into the hash table.
Another embodiment of the present invention also provides an ICMP hidden tunnel detection apparatus, including:
an obtaining module, configured to obtain a first ICMP packet;
a first determining module, configured to determine an IP address of the first ICMP packet;
a second determining module, configured to determine a corresponding session object in a target file based on at least the IP address, where the target file is used to store session objects, a session object represents that a second ICMP packet corresponding to the IP address has been obtained, the second ICMP packet being a normal packet, and the session object includes attribute information of the second ICMP packet, where the attribute information includes time information, content information and/or length information of the second ICMP packet;
a third determining module, configured to determine attribute information of the second ICMP packet according to the session object;
and the detection module is used for determining whether an ICMP hidden tunnel exists in the network according to the attribute information of the first ICMP message and the second ICMP message.
Another embodiment of the present invention also provides a storage medium having a computer program stored thereon, which when executed by a processor, is configured to implement the above ICMP covert tunnel detection method.
Based on the disclosure of the above embodiment, it can be known that the embodiments of the present invention have the beneficial effects of recording the ICMP packet transmitted between hosts corresponding to the same IP address, and creating a session object based on the obtained packet, where the session object includes attribute information, and the attribute information has time information, content information, and/or length information about the packet, so that when the system obtains the ICMP packet corresponding to the same IP address again, it can determine whether the ICMP hidden tunnel exists in the network by comparing the currently obtained ICMP packet with the stored attribute information. The detection process does not relate to a response message, and does not relate to a step of judging whether the content of the ICMP message obtained currently is disordered, so the application range is wider, and the detection efficiency and the detection precision are greatly improved because the method of the invention does not need to set a disordered threshold value for determining whether the content of the message is disordered.
Drawings
Fig. 1 is a flowchart of an ICMP hidden tunnel detection method in an embodiment of the present invention.
Fig. 2 is a flowchart of a first application of the ICMP hidden tunnel detection method in the embodiment of the present invention.
Fig. 3 is a flowchart of a second application of the ICMP hidden tunnel detection method in the embodiment of the present invention.
Fig. 4 is a flowchart of a third application of the ICMP hidden tunnel detection method in the embodiment of the present invention.
Fig. 5 is a block diagram of an ICMP covert tunnel detection device in an embodiment of the present invention.
Detailed Description
The following detailed description of specific embodiments of the present invention is provided in connection with the accompanying drawings, which are not intended to limit the invention.
It will be understood that various modifications may be made to the embodiments disclosed herein. The following description is, therefore, not to be taken in a limiting sense, but is made merely as an exemplification of embodiments. Other modifications will occur to those skilled in the art within the scope and spirit of the disclosure.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the disclosure and, together with a general description of the disclosure given above, and the detailed description of the embodiments given below, serve to explain the principles of the disclosure.
These and other characteristics of the invention will become apparent from the following description of a preferred form of embodiment, given as a non-limiting example, with reference to the accompanying drawings.
It should also be understood that, although the invention has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of the invention, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present disclosure will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present disclosure are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely examples of the disclosure that may be embodied in various forms. Well-known and/or repeated functions and structures have not been described in detail so as not to obscure the present disclosure with unnecessary or unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present disclosure in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the disclosure.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
As shown in fig. 1 and fig. 2, an embodiment of the present invention provides an ICMP hidden tunnel detection method, including:
obtaining a first ICMP message;
determining an IP address of the first ICMP message;
determining a corresponding session object in a target file at least based on the IP address, wherein the target file is used for storing session objects, a session object represents that a second ICMP message corresponding to the IP address has been obtained, the session object also contains attribute information of the second ICMP message, and the attribute information comprises time information, content information and/or length information of the second ICMP message;
determining attribute information of the second ICMP message based on the conversation object;
and determining whether an ICMP hidden tunnel exists in the network or not based on the attribute information of the first ICMP message and the second ICMP message.
For example, an ICMP (Internet Control Message Protocol) message is a message transmitted based on that protocol. When the method is applied, a ping process in the intranet (ping, Packet Internet Groper, is a program for testing network connectivity that sends an ICMP Echo request message, i.e. an ICMP message, to a destination host to test whether the destination is reachable and to learn its state) may be used to obtain a first ICMP message transmitted between two hosts. The first ICMP message may specifically be a Type 8/0 (Echo Request/Echo Reply) message of the ICMPv4 protocol (IPv4 being Internet Protocol Version 4), though this is certainly not the only possibility; it may also be a message of the corresponding type in the ICMPv6 protocol, and so on. After the first ICMP message is obtained, its IP address is determined, and then whether a matching session object (Session object for short) exists in the target file is determined based on the IP address. The target file records ICMP flows between different hosts and defines each ICMP flow as a session object, where the session object is associated with the IP address of an ICMP message. If a session object corresponding to the current IP address is recorded in the target file, it indicates that an ICMP message, i.e. a second ICMP message, has already been transmitted between the two hosts before this point, and the second ICMP message is a normal message, or is regarded as normal by default.
Further, the session object records attribute information of the second ICMP packet, where the attribute information may specifically include time information, content information and/or length information about the second ICMP packet, that is, the attribute information includes time information, and the content information and the length information may be included alternatively or both. When a matching session object can be found in a target file based on the currently obtained ICMP message, that is, the IP address of the first ICMP message, the attribute information of the session object is determined, and a series of comparisons are performed between the first ICMP message and the attribute information, so as to determine, for example, whether the first ICMP message is a machine behavior based on the attribute information, and if the first ICMP message is a machine behavior, an ICMP hidden tunnel is likely to exist in the network.
As can be seen from the above, in this embodiment, by recording ICMP packets transmitted between hosts corresponding to the same IP address and creating a session object based on the obtained packets, where the session object includes attribute information, and the attribute information includes time information, content information, and/or length information about the packet, when the system obtains an ICMP packet corresponding to the same IP address again, it may determine whether an ICMP hidden tunnel exists in the network by comparing the currently obtained ICMP packet with the stored attribute information. The detection process does not relate to a response message, and does not relate to a step of judging whether the content of the ICMP message obtained currently is disordered, so the application range is wider, and the detection efficiency and the detection precision are greatly improved because the method of the invention does not need to set a disordered threshold value for determining whether the content of the message is disordered.
Further, the process of detecting the hidden tunnel has a certain difference due to different attribute information, and the following description is given with reference to different embodiments:
For example, as shown in fig. 2 and fig. 3, in the first embodiment the attribute information includes the message length of the second ICMP message and the time (denoted as time) at which the second ICMP message was obtained or stored. The message length of the second ICMP message may be recorded as ICMP_packet_len and is calculated as the Total Length field of the IP header minus the header length of the IP header. When the first ICMP message and the second ICMP message are messages of the same type transmitted by the same process based on the same protocol version, both are normal messages and have the same message length; for example, the first ICMP message and the second ICMP message are both Type 8/0 messages transmitted by the same ping process based on the ICMPv4 protocol.
Determining whether an ICMP hidden tunnel exists in a network based on the attribute information of the first ICMP message and the second ICMP message comprises the following steps:
determining the length of the first ICMP message;
if the length of the first ICMP message is different from that of the second ICMP message, calculating to obtain the time difference of the first ICMP message and the second ICMP message;
and if the time difference meets the time threshold, determining that the ICMP hidden tunnel exists in the network.
For example, taking the first and second ICMP messages as Type 8/0 messages transmitted based on the ICMPv4 protocol, the payload lengths of ICMP messages sent by the same ping process are identical under normal conditions. The first 11 bytes of the payload need to be skipped when calculating the payload length, since these 11 bytes depend on the timestamp and change constantly. After the first ICMP message is obtained, its length is calculated and recorded as cur_packet_len; cur_packet_len is then compared with ICMP_packet_len in the attribute information of the corresponding Session object. If they are equal, the subsequent identification step is executed, and it is provisionally determined that the first ICMP message and the second ICMP message may have been sent by the same ping process. If the two length values are not equal, the current system time is taken and recorded as cur_time, which can be regarded as the acquisition time of the first ICMP message; the time value recorded in the Session object is subtracted from cur_time, and if the difference is smaller than the time threshold Δt, for example smaller than 0.1 s, a hidden tunnel can be considered to exist. The payload of an ICMP Type 8 message changes either because of human behaviour (e.g. using the parameters of the ping program to modify the content of the ICMP payload, denoted as data) or because of machine behaviour (e.g. a tunneling tool used for covert communication), and the two are distinguished by clearly different time intervals and frequencies: messages generated by human behaviour are normal and change slowly, while messages generated by machine behaviour are abnormal and change very quickly.
Therefore, there is an obvious boundary between messages generated by human behaviors and machine behaviors, and this embodiment is to assist in judging whether the first ICMP message is a message transmitted by the machine based on the hidden tunnel based on the boundary, and further determine whether a hidden tunnel exists.
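As an added example (not code from the patent or from Topsec), the following Python parses an IPv4/ICMP packet into the fields the method works with: the (protocol, ICMP type, source IP, destination IP) key used for the hash-table lookup described earlier, ICMP_packet_len computed as the IP Total Length minus the IP header length, and the ICMP message bytes after the 19-byte skip (8-byte ICMP header plus the 11 timestamp-dependent bytes) that the later embodiments compare. The packet builder, addresses and payload are constructed for the demonstration; no checksum is computed because parsing does not need one.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

ICMP_PROTO = 1            # IPv4 protocol number for ICMP
ICMP_HEADER_LEN = 8       # Echo Request/Reply header: type, code, checksum, identifier, sequence
TIMESTAMP_BYTES = 11      # leading payload bytes the page treats as timestamp-dependent
PAYLOAD_SKIP = ICMP_HEADER_LEN + TIMESTAMP_BYTES   # 19: the page's byte offset into the ICMP message


@dataclass(frozen=True)
class IcmpRecord:
    src: str
    dst: str
    icmp_type: int
    icmp_len: int        # the page's ICMP_packet_len: IP Total Length minus IP header length
    probe_bytes: bytes   # ICMP message bytes from offset 19 onward


def parse_ipv4_icmp(frame: bytes) -> IcmpRecord:
    """Parse an IPv4 packet carrying ICMP; raise ValueError for anything else."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = frame[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                    # IP header length in bytes
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != ICMP_PROTO:
        raise ValueError("not ICMP")
    if ihl < 20 or total_len > len(frame) or ihl + ICMP_HEADER_LEN > total_len:
        raise ValueError("inconsistent lengths")
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    icmp = frame[ihl:total_len]
    return IcmpRecord(src, dst, icmp[0], total_len - ihl, icmp[PAYLOAD_SKIP:])


def session_key(rec: IcmpRecord) -> Tuple[str, int, str, str]:
    """Hash-table key built from transport protocol, ICMP type, source and destination IP."""
    return ("ICMPv4", rec.icmp_type, rec.src, rec.dst)


def build_ipv4_icmp_echo(src: str, dst: str, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed sample packet (checksums left at zero; parsing does not verify them)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ICMP_PROTO, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + icmp


if __name__ == "__main__":
    # A default Linux ping carries a 56-byte payload: 8 timestamp bytes then a fixed pattern.
    frame = build_ipv4_icmp_echo("10.0.0.5", "10.0.0.9", bytes(8) + bytes(range(0x10, 0x40)))
    rec = parse_ipv4_icmp(frame)
    print(session_key(rec), rec.icmp_len, len(rec.probe_bytes))
```

For a default 56-byte ping payload the parser yields ICMP_packet_len = 64 and 45 probe bytes after the skip; a packet whose protocol field is not ICMP is rejected rather than keyed, which keeps non-ICMP traffic out of the session table.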
Further, in the second embodiment, still referring to fig. 2 and fig. 3, the attribute information includes a byte offset (denoted as i or N) of the payload in the second ICMP message, the content (denoted as byte_i) of the target byte, and the time (denoted as time) at which the second ICMP message was obtained or stored. The byte offset of the payload is 19, counted from the 0th byte of the ICMP message: because the first 11 bytes of the payload of an ICMP message sent by the host are related to the timestamp and change continuously, the first 19 (= 8 + 11, the 8-byte ICMP header plus those 11 bytes) bytes of the ICMP message need to be skipped. In addition, when the first ICMP message and the second ICMP message are messages of the same type transmitted by the same process based on the same protocol version, both are normal messages, and at least the byte offset in the payload and the content of the target byte correspond exactly. For example, the first ICMP message and the second ICMP message are both Type 8/0 messages transmitted by the same ping process based on the ICMPv4 protocol.
Determining whether an ICMP hidden tunnel exists in a network based on the attribute information of the first ICMP message and the second ICMP message comprises the following steps:
determining the byte offset of the payload in the first ICMP message and the content of the target byte of the payload;
if the byte offset of the payload in the first ICMP message and the content of the target byte of the payload differ at least partially from the byte offset of the payload in the second ICMP message and the content of the target byte of the payload, calculating the time difference between the first ICMP message and the second ICMP message;
and if the time difference meets the time threshold, determining that the ICMP hidden tunnel exists in the network.
For example, in this embodiment the target byte is the ith byte of the payload. When performing detection, the attribute N of the Session object is read, the ith byte of the payload of the first ICMP packet is extracted, and its content is recorded as cur_byte_i. cur_byte_i is then compared with the attribute byte_i of the Session object. If they differ, the time difference between the acquisition time of the first ICMP message and the time recorded in the Session object is calculated; if the time difference is smaller than the time threshold Δt, for example smaller than 0.1 s, a hidden tunnel can be considered to exist.
Further, in the third embodiment, still referring to fig. 2 and fig. 3, the attribute information includes not only the information of the second embodiment but also the message length of the second ICMP message. When the first ICMP message and the second ICMP message are messages of the same type transmitted by the same process based on the same protocol version, both are normal messages, their message lengths are equal, and at least the byte offset and the content of the target byte in the payload correspond exactly; for example, the first ICMP message and the second ICMP message are both Type 8/0 messages transmitted by the same ping process based on the ICMPv4 protocol.
On the basis of the second embodiment, the detection method of this embodiment further includes:
determining the length of the first ICMP message;
if the lengths of the first ICMP message and the second ICMP message are the same, and the byte offset of the payload in the first ICMP message and the content of the target byte of that payload correspond to the byte offset of the payload in the second ICMP message and the content of its target byte, determining that the first ICMP message and the second ICMP message are messages sent by the same process;
and updating the attribute information stored in the corresponding session object based on the first ICMP message.
That is, when the lengths of the first and second ICMP messages are the same, it is checked whether the byte offset of the payload and the content of the target byte are the same; or, when the byte offset of the payload and the content of the target byte have been found to be the same, it is checked whether the lengths of the two messages are the same. As soon as any one of the byte offset, the content of the target byte and the message length differs, the time difference between the two messages is calculated directly and the existence of a hidden tunnel is decided from that time difference. If all three parameters correspond in the two messages, the first ICMP message and the second ICMP message are determined to be messages sent by the same process at the network application layer, and the system may then update the attribute information stored in the corresponding session object based on the first ICMP message.
Optionally, as described above and as shown in fig. 2, with the target byte being the i-th byte of the payload, updating the attribute information stored in the corresponding session object based on the first ICMP message includes:
determining the content of the (i+1)-th byte in the first ICMP message;
updating the content of the target byte in the attribute information based on the content of the (i+1)-th byte;
determining the byte offset of the payload in the first ICMP message;
and updating the byte offset information in the attribute information based on the byte offset of the first ICMP message, wherein if the byte offset of the first ICMP message equals the message length of the second ICMP message in the attribute information, the byte offset information in the attribute information is reset to a preset default value, the default value being related to the standard payload length of a normal (benign) ICMP message.
For example, taking the first and second ICMP messages to be Type 8/0 messages sent by the same ping process over ICMPv4: the (i+1)-th byte of the payload of the first ICMP message and its content are determined, and byte_i and the byte offset N in the attribute information of the Session object are updated accordingly. If i+1 equals icmp_packet_len, i.e. there is no (i+1)-th byte, N is reset to a preset default value such as 19, and the next packet is captured. The default value counts from byte 0 of the ICMP message: the first 11 bytes of the payload of a ping sent by the host carry the timestamp and change with every packet, so the first 19 (= 8 header bytes + 11) bytes of the ICMP message are skipped.
Further, as shown in fig. 2 and 4, determining the IP address of the first ICMP message includes:
determining the source IP address and the destination IP address of the first ICMP message.
The target file in this embodiment is a hash table (denoted HashMap);
the detection method in this embodiment further includes:
determining the transmission protocol corresponding to the first ICMP message;
determining the type of the first ICMP message based on the transmission protocol and the first ICMP message;
determining the corresponding key based on the type, the source IP address and the destination IP address;
and determining the corresponding session object based at least on the IP address comprises:
looking up the corresponding session object in the hash table based on the key;
if no corresponding session object is found, creating a session object based on the first ICMP message;
and forming a key-value pair from the key and the session object, and storing the key-value pair in the hash table.
For example, the ICMP traffic between two hosts is defined as a Session object, and a HashMap named ip_sessions_map stores the Session objects, using the combination of the source IP address and the destination IP address of the ICMP request message as the key and the Session object as the value. Each Session object contains the attribute information described above, obtained from the first normal ICMP message received, i.e. the second ICMP message. Different message types map to different keys. When the first ICMP message is obtained, taking ICMPv4 Type 8/0 messages as the example for the first and second ICMP messages, its source IP address src_ip, destination IP address dst_ip and message type are determined: if the type of the first ICMP message is 8 (Echo request), key = (src_ip, dst_ip); if the type is 0 (Echo reply), the (source IP, destination IP) tuple of the request corresponding to the first message is (dst_ip, src_ip), so key = (dst_ip, src_ip). The Session object serving as the value is then looked up in ip_sessions_map by this key and the detection process described above is carried out. If no corresponding Session object is found, the attribute information is determined from the first ICMP message, a Session object is created from it, the key determined earlier and this Session object are stored in ip_sessions_map as a key-value pair, and the next packet is captured.
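The session store keyed on the request's (src, dst) pair and the byte-walk comparison of the third embodiment, combined into one runnable illustration. This is added here and is not the applicants' code or any code from the patent: the names icmp_packet_len, N, byte_i and ip_sessions_map, the default offset 19 and the 0.1 s threshold follow the description; the helper names (build_echo, run_scenario and so on), the sample packets and the choice to ignore messages too short to hold byte 19 are assumptions made for the example. The "byte offset and target byte differ" test is read as "the byte at the stored offset N differs", which is the only form of that comparison computable from a captured message.

```python
"""Session-keyed ICMP covert-tunnel heuristic after CN113364793A (added illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_HDR_LEN = 8       # type, code, checksum, identifier, sequence number
DEFAULT_OFFSET = 19    # page default: 8 header bytes + 11 timestamp-related payload bytes skipped
TIME_THRESHOLD = 0.1   # delta t in seconds, the example threshold from the description

SessionKey = Tuple[str, str]  # (source IP, destination IP) of the Echo request


@dataclass
class Session:
    """Attribute information of the stored reference ("second") ICMP message."""
    time: float            # capture time of the reference message
    icmp_packet_len: int   # its total ICMP length (header + payload)
    n: int                 # byte offset N currently under comparison
    byte_i: int            # content of byte N in the reference message


def parse_icmp(raw: bytes) -> Tuple[int, int, bytes]:
    """Split a raw ICMPv4 message into (type, code, payload)."""
    if len(raw) < ICMP_HDR_LEN:
        raise ValueError("ICMP message shorter than its 8-byte header")
    return raw[0], raw[1], raw[ICMP_HDR_LEN:]


def session_key(icmp_type: int, src_ip: str, dst_ip: str) -> Optional[SessionKey]:
    """Key both directions by the (src, dst) of the Echo request: replies are flipped."""
    if icmp_type == 8:
        return (src_ip, dst_ip)
    if icmp_type == 0:
        return (dst_ip, src_ip)
    return None  # other ICMP types are outside the described method


class IcmpTunnelDetector:
    def __init__(self, threshold: float = TIME_THRESHOLD) -> None:
        self.ip_sessions_map: Dict[SessionKey, Session] = {}   # the HashMap of the description
        self.threshold = threshold

    @staticmethod
    def _new_session(raw: bytes, ts: float) -> Session:
        return Session(ts, len(raw), DEFAULT_OFFSET, raw[DEFAULT_OFFSET])

    def observe(self, src_ip: str, dst_ip: str, raw: bytes, ts: float) -> bool:
        """Feed one captured ICMP message; returns True when the tunnel heuristic fires."""
        icmp_type, _code, _payload = parse_icmp(raw)
        key = session_key(icmp_type, src_ip, dst_ip)
        if key is None or len(raw) <= DEFAULT_OFFSET:
            return False  # assumption: messages too short to hold byte 19 are ignored
        sess = self.ip_sessions_map.get(key)
        if sess is None:
            self.ip_sessions_map[key] = self._new_session(raw, ts)
            return False
        # Second and third embodiments: length and the byte at offset N must both match.
        changed = len(raw) != sess.icmp_packet_len or raw[sess.n] != sess.byte_i
        if changed:
            delta = ts - sess.time
            # Payload changed: reinitialise the session from this message (point (3) below).
            self.ip_sessions_map[key] = self._new_session(raw, ts)
            return delta < self.threshold
        # Same process: only N and byte_i advance; time and length are left untouched.
        nxt = sess.n + 1
        if nxt >= sess.icmp_packet_len:
            nxt = DEFAULT_OFFSET  # end of message reached: restart past the timestamp bytes
        sess.n, sess.byte_i = nxt, raw[nxt]
        return False


# ---- constructed sample traffic (not captured data) -------------------------------

def build_echo(icmp_type: int, seq: int, data: bytes) -> bytes:
    """Echo message with identifier 0x1234; checksum left zero, the detector never reads it."""
    return bytes([icmp_type, 0, 0, 0, 0x12, 0x34, (seq >> 8) & 0xFF, seq & 0xFF]) + data


def normal_ping_data(seq: int) -> bytes:
    """Ping-style 56-byte payload: a changing 8-byte timestamp, then a fixed pattern."""
    return seq.to_bytes(8, "big") + bytes(range(0x10, 0x10 + 48))


def tunnel_data(seq: int) -> bytes:
    """Tunnel-style 56-byte payload whose bytes differ from one packet to the next."""
    return bytes((seq * 31 + j * 17) & 0xFF for j in range(56))


def run_scenario(det: IcmpTunnelDetector, src: str, dst: str,
                 payloads: List[bytes], start: float, interval: float) -> List[int]:
    """Replay request/reply pairs; return the sequence numbers on which an alert fired."""
    alerts = []
    for seq, data in enumerate(payloads):
        t = start + seq * interval
        if det.observe(src, dst, build_echo(8, seq, data), t):
            alerts.append(seq)
        if det.observe(dst, src, build_echo(0, seq, data), t + 0.0005):
            alerts.append(seq)
    return alerts


if __name__ == "__main__":
    pings = [normal_ping_data(k) for k in range(60)]   # 60 s of ordinary ping, N wraps twice
    bursts = [tunnel_data(k) for k in range(4)]        # 4 packets 20 ms apart, payload changing
    print("normal ping alerts:", run_scenario(IcmpTunnelDetector(), "10.0.0.2", "10.0.0.1", pings, 0.0, 1.0))
    print("tunnel alerts:", run_scenario(IcmpTunnelDetector(), "10.0.0.2", "10.0.0.1", bursts, 5.0, 0.02))
```

Two practitioner caveats follow from the design. The 19-byte default assumes a payload laid out like the Linux ping in the description (timestamp prefix, then a fixed pattern); a tool that keeps its payload constant and modulates only timing or the identifier/sequence fields is never compared by this check. The threshold is measured against the capture time of the stored reference message, which is refreshed only when the payload changes, so a tunnel that alters its payload less often than every 0.1 s is not flagged.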
The detection method of each embodiment above determines whether two hosts are transmitting data through an ICMP hidden tunnel by capturing network traffic packets, comparing the payload data of ICMP Echo request/reply messages, and measuring the time interval between two consecutive changes of that data. It can handle tunnel tools whose request content and response content are identical, as well as the case in which information is transmitted with the Traceroute tool without any response message; it therefore has a wider range of application, higher efficiency and precision, and lower system cost when the detection method is executed, as reflected in the following three points:
(1) The ICMP message is stored in memory as a byte array, so locating the i-th byte of a message costs O(1). The cost of comparing the i-th bytes of adjacent ICMP messages therefore depends only on the number of messages: for N ICMP messages in a Session the time complexity is O(N), and the system runs efficiently.
(2) The detection method uses only the variables contained in the attribute information and the ICMP message itself, so the space complexity is O(M), where M is the length of the ICMP message, and the computational load is low.
(3) Variables such as icmp_packet_len and time are modified, and the Session object reinitialised, only when the message payload changes. Otherwise only the variables N and byte_i of the Session object are updated, which reduces memory writes and improves the operating efficiency of the system.
As shown in fig. 5, another embodiment of the present invention also provides an ICMP covert tunnel detection device, including:
an obtaining module, configured to obtain a first ICMP message;
a first determining module, configured to determine an IP address of the first ICMP message;
a second determining module, configured to determine a corresponding session object in a target file at least based on the IP address, where the target file is used to store session objects, the session object represents that a second ICMP message corresponding to the IP address has been obtained, the second ICMP message is a normal message, and the session object contains attribute information of the second ICMP message, the attribute information including time information, content information and/or length information of the second ICMP message;
a third determining module, configured to determine the attribute information of the second ICMP message according to the session object;
and a detection module, configured to determine whether an ICMP hidden tunnel exists in the network according to the attribute information of the first ICMP message and the second ICMP message.
Optionally, the attribute information includes the message length of the second ICMP message and the time at which the second ICMP message was obtained or stored; when the first ICMP message and the second ICMP message are messages of the same type sent by the same process over the same protocol version, both are normal messages and their message lengths are equal;
determining whether an ICMP hidden tunnel exists in the network based on the attribute information of the first ICMP message and the second ICMP message then comprises:
determining the length of the first ICMP message;
if the length of the first ICMP message differs from that of the second ICMP message, calculating the time difference between the first ICMP message and the second ICMP message;
and if the time difference meets the time threshold, determining that an ICMP hidden tunnel exists in the network.
Optionally, the attribute information includes the byte offset of the payload in the second ICMP message, the content of the target byte, and the time at which the second ICMP message was obtained or stored; when the first ICMP message and the second ICMP message are messages of the same type sent by the same process over the same protocol version, both are normal messages and at least the byte offset in the payload and the content of the target byte correspond;
determining whether an ICMP hidden tunnel exists in the network based on the attribute information of the first ICMP message and the second ICMP message then comprises:
determining the byte offset of the payload in the first ICMP message and the content of the target byte of that payload;
if the byte offset of the payload in the first ICMP message and the content of its target byte differ at least in part from the byte offset of the payload in the second ICMP message and the content of its target byte, calculating the time difference between the first ICMP message and the second ICMP message;
and if the time difference meets the time threshold, determining that an ICMP hidden tunnel exists in the network.
Optionally, the attribute information further includes the message length of the second ICMP message; when the first ICMP message and the second ICMP message are messages of the same type sent by the same process over the same protocol version, both are normal messages and their message lengths are equal;
the detection device further comprises:
a fourth determining module, configured to determine the length of the first ICMP message;
the detection module is further configured to determine that the first ICMP message and the second ICMP message are messages sent by the same process when the lengths of the first and second ICMP messages are the same and the byte offset of the payload in the first ICMP message and the content of its target byte are the same as the byte offset of the payload in the second ICMP message and the content of its target byte;
and an updating module, configured to update the attribute information stored in the corresponding session object according to the first ICMP message.
Optionally, with the target byte being the i-th byte of the payload, updating the attribute information stored in the corresponding session object based on the first ICMP message includes:
determining the content of the (i+1)-th byte in the payload of the first ICMP message;
updating the content of the target byte in the attribute information based on the content of the (i+1)-th byte;
determining the byte offset of the payload in the first ICMP message;
and updating the byte offset information in the attribute information based on the byte offset of the first ICMP message, wherein if the byte offset of the first ICMP message equals the message length of the second ICMP message in the attribute information, the byte offset information in the attribute information is reset to a preset default value, the default value being related to the standard payload length of a normal (benign) ICMP message.
Optionally, determining the IP address of the first ICMP packet includes:
a source IP address and a destination IP address of the first ICMP message are determined.
Optionally, the target file is a hash table;
the detection device further comprises:
a fifth determining module, configured to determine the transmission protocol corresponding to the first ICMP message;
a sixth determining module, configured to determine the type of the first ICMP message according to the transmission protocol and the first ICMP message;
a seventh determining module, configured to determine the corresponding key according to the type, the source IP address and the destination IP address;
and determining the corresponding session object based at least on the IP address comprises:
looking up the corresponding session object in the hash table based on the key.
Optionally, the detection device further comprises:
a creating module, configured to create a session object based on the first ICMP message when no corresponding session object is found;
and a storage module, configured to form a key-value pair from the key and the session object and store the key-value pair in the hash table.
Another embodiment of the present application further provides an electronic device, including:
one or more processors;
a memory configured to store one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the detection method described above.
An embodiment of the present application further provides a storage medium, on which a computer program is stored, which when executed by a processor implements the detection method as described above. It should be understood that each solution in this embodiment has a corresponding technical effect in the foregoing method embodiments, and details are not described here.
Embodiments of the present application also provide a computer program product tangibly stored on a computer-readable medium and comprising computer-executable instructions that, when executed, cause at least one processor to perform a detection method such as the embodiments described above. It should be understood that each solution in this embodiment has a corresponding technical effect in the foregoing method embodiments, and details are not described here.
It should be noted that the computer storage medium of the present application can be a computer readable signal medium, a computer readable storage medium, or any combination of the two. The computer readable medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable signal medium, by contrast, may include a propagated data signal with computer readable program code embodied therein, for example in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
It should be understood that although the present application is described in terms of embodiments, not every embodiment contains only one independent technical solution; this manner of description is adopted only for clarity, and those skilled in the art should treat the description as a whole, since the technical solutions of the embodiments may be combined as appropriate to form further embodiments.
The above embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and the scope of the present invention is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present invention, and such modifications and equivalents should also be considered as falling within the scope of the present invention.

Claims (10)

1. An ICMP hidden tunnel detection method, comprising:
obtaining a first ICMP message;
determining the IP address of the first ICMP message;
determining a corresponding session object in a target file at least based on the IP address, wherein the target file is used for storing session objects, the session object represents that a second ICMP message corresponding to the IP address has been obtained, and the session object contains attribute information of the second ICMP message, the attribute information comprising time information, content information and/or length information of the second ICMP message;
determining the attribute information of the second ICMP message based on the session object;
and determining whether an ICMP hidden tunnel exists in the network based on the attribute information of the first ICMP message and the second ICMP message.
2. The method according to claim 1, wherein the attribute information includes the message length of the second ICMP message and the time at which the second ICMP message was obtained or stored, and when the first ICMP message and the second ICMP message are messages of the same type sent by the same process over the same protocol version, both are normal messages and have the same message length;
the determining whether an ICMP hidden tunnel exists in the network based on the attribute information of the first ICMP message and the second ICMP message includes:
determining the length of the first ICMP message;
if the length of the first ICMP message differs from that of the second ICMP message, calculating the time difference between the first ICMP message and the second ICMP message;
and if the time difference meets a time threshold, determining that an ICMP hidden tunnel exists in the network.
3. The method according to claim 1, wherein the attribute information includes the byte offset of the payload in the second ICMP message, the content of the target byte, and the time at which the second ICMP message was obtained or stored, and when the first ICMP message and the second ICMP message are messages of the same type sent by the same process over the same protocol version, both are normal messages and at least the byte offset in the payload and the content of the target byte correspond;
the determining whether an ICMP hidden tunnel exists in the network based on the attribute information of the first ICMP message and the second ICMP message includes:
determining the byte offset of the payload in the first ICMP message and the content of the target byte of that payload;
if the byte offset of the payload in the first ICMP message and the content of its target byte differ at least in part from the byte offset of the payload in the second ICMP message and the content of its target byte, calculating the time difference between the first ICMP message and the second ICMP message;
and if the time difference meets a time threshold, determining that an ICMP hidden tunnel exists in the network.
4. The method according to claim 3, wherein the attribute information further includes the message length of the second ICMP message, and when the first ICMP message and the second ICMP message are messages of the same type sent by the same process over the same protocol version, both are normal messages and have the same message length;
the method further comprises:
determining the length of the first ICMP message;
if the lengths of the first ICMP message and the second ICMP message are the same, and the byte offset of the payload in the first ICMP message and the content of its target byte correspond to the byte offset of the payload in the second ICMP message and the content of its target byte, determining that the first ICMP message and the second ICMP message are messages sent by the same process;
and updating the attribute information stored in the corresponding session object based on the first ICMP message.
5. The method of claim 4, wherein the target byte is the i-th byte of the payload, and updating the attribute information stored in the corresponding session object based on the first ICMP message comprises:
determining the content of the (i+1)-th byte in the payload of the first ICMP message;
updating the content of the target byte in the attribute information based on the content of the (i+1)-th byte;
determining the byte offset of the payload in the first ICMP message;
and updating the byte offset information in the attribute information based on the byte offset of the first ICMP message, wherein if the byte offset of the first ICMP message equals the message length of the second ICMP message in the attribute information, the byte offset information in the attribute information is reset to a preset default value, the default value being related to the standard payload length of a normal (benign) ICMP message.
6. The method of claim 1, wherein said determining an IP address of said first ICMP message comprises:
and determining the source IP address and the destination IP address of the first ICMP message.
7. The method of claim 6, wherein the target file is a hash table;
the method further comprises:
determining the transmission protocol corresponding to the first ICMP message;
determining the type of the first ICMP message based on the transmission protocol and the first ICMP message;
determining the corresponding key based on the type, the source IP address and the destination IP address;
and the determining a corresponding session object based at least on the IP address includes:
looking up the corresponding session object in the hash table based on the key.
8. The method of claim 7, further comprising:
if no corresponding session object is found, creating the session object based on the first ICMP message;
and forming a key-value pair from the key and the session object, and storing the key-value pair in the hash table.
9. An ICMP covert tunnel detection device, comprising:
an obtaining module, configured to obtain a first ICMP message;
a first determining module, configured to determine an IP address of the first ICMP message;
a second determining module, configured to determine a corresponding session object in a target file based at least on the IP address, where the target file is used to store session objects, the session object represents that a second ICMP message corresponding to the IP address has been obtained, and the session object contains attribute information of the second ICMP message, the attribute information including time information, content information and/or length information of the second ICMP message;
a third determining module, configured to determine the attribute information of the second ICMP message according to the session object;
and a detection module, configured to determine whether an ICMP hidden tunnel exists in the network according to the attribute information of the first ICMP message and the second ICMP message.
10. A storage medium having stored thereon a computer program which, when executed by a processor, implements the ICMP covert tunnel detection method of any one of claims 1-8.
Application CN202110671360.4A, priority date 2021-06-17, filing date 2021-06-17: ICMP hidden tunnel detection method, device and storage medium. Status: Pending. Publication CN113364793A (en).

Publications (1)

Publication Number Publication Date
CN113364793A true CN113364793A (en) 2021-09-07

Family ID: 77534530

Country Status (1)

Country Link
CN (1) CN113364793A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114499923A (en) * 2021-11-30 2022-05-13 北京天融信网络安全技术有限公司 ICMP (Internet control message protocol) simulation message generation method and device
CN114499923B (en) * 2021-11-30 2023-11-10 北京天融信网络安全技术有限公司 ICMP simulation message generation method and device

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016202066A1 (en) * 2015-06-18 2016-12-22 中兴通讯股份有限公司 Information acquisition method, client device and service end device
WO2017000790A1 (en) * 2015-06-29 2017-01-05 中兴通讯股份有限公司 Gateway device network connectivity response method and device
CN110324210A (en) * 2019-08-06 2019-10-11 杭州安恒信息技术股份有限公司 The detection method and device of private communication channel communication are carried out based on ICMP agreement
CN111478920A (en) * 2020-04-27 2020-07-31 深信服科技股份有限公司 Method, device and equipment for detecting communication of hidden channel
CN111988309A (en) * 2020-08-18 2020-11-24 深圳市联软科技股份有限公司 ICMP hidden tunnel detection method and system
CN112085039A (en) * 2019-06-12 2020-12-15 四川大学 ICMP hidden channel detection method based on random forest
CN112437062A (en) * 2020-11-10 2021-03-02 北京天融信网络安全技术有限公司 ICMP tunnel detection method, device, storage medium and electronic equipment
CN112491662A (en) * 2020-12-14 2021-03-12 北京亚鸿世纪科技发展有限公司 ICMP hidden tunnel detection method and device
WO2021077991A1 (en) * 2019-10-22 2021-04-29 华为技术有限公司 Message detection method, connectivity negotiation relationship establishment method, and related device
CN112769811A (en) * 2020-12-30 2021-05-07 北京天融信网络安全技术有限公司 Method and device for updating hidden channel detection model
CN112929364A (en) * 2021-02-05 2021-06-08 上海观安信息技术股份有限公司 Data leakage detection method and system based on ICMP tunnel analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210907