CN113556356A - Service software feature hiding method and system based on communication protocol - Google Patents
- Publication number: CN113556356A (application number CN202110875208.8A)
- Authority: CN (China)
- Prior art keywords: data packet, service software, hiding, type, telnet
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
          - H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
          - H04L67/08—Protocols specially adapted for terminal emulation, e.g. Telnet
Abstract
The invention discloses a service software feature hiding method and system based on a communication protocol, belonging to the technical field of cyberspace security. Using the characteristics of the communication protocol, the invention forges the service software feature detection data packets sent from the external network to the internal network and returns false information to the external network, thereby hiding the service software features of the protected host on the internal network. The method and system therefore do not leak service software feature information and instead return false information to the attacker; they require little computation, run fast, and have the advantages of simple implementation, high processing speed and flexible application.
Description
Technical Field
The invention relates to the technical field of cyberspace security, and in particular to a service software feature hiding method and system based on a communication protocol.
Background
With the rapid development of internet technology, network attacks are unending, and effectively preventing the leakage of network information is crucial to protecting its security. Before attacking, an attacker first collects information about the target. Service software information describes the applications and service processes that a remote computer is running. This is very useful to a remote attacker: once the attacker has determined the manufacturer and version of the service software, that is in many cases sufficient to begin vulnerability research and the attack process.
Service software detection works by establishing a connection with the remote computer over telnet, ftp or another protocol, so that a vulnerable host responds with information that may include details an attacker can use to compromise the system.
When the system configuration is static, an attacker with enough time can always obtain the exact service software features of the target and mount an effective attack. There is therefore a need in the art for a method that hides service software features dynamically.
Disclosure of Invention
In view of this, the present invention provides a service software feature hiding method and system based on a communication protocol, which can effectively reduce the accuracy of service software feature detection in a network, thereby raising the attacker's cost and moving information network security protection from passive defense to active defense.
The purpose of the invention is achieved as follows:
A service software feature hiding method based on a communication protocol comprises the following steps:
(1) configuring a control strategy, whose content comprises: the ip address list of the protected hosts and the service software disguise type; the service software disguise types comprise an ftp disguise type, a telnet disguise type and an http disguise type, and each disguise type has a corresponding fingerprint library;
(2) when an attacker performs service software detection against a host on the internal network, receiving the data packet sent by the attacker;
(3) judging whether the source ip of the data packet is in the ip address list of step (1); if not, sending the data packet to the internal network host; if so, performing step (4);
(4) judging the source port number of the data packet and processing it as follows:
1) if the source port number is 21, i.e. the data packet is an ftp data packet, parsing the tcp data part; if the first three characters of the data part are 220, modifying the data part according to the ftp disguise type of step (1) and the ftp fingerprint library, then going to step (5);
2) if the source port number is 23, i.e. the data packet is a telnet data packet, judging whether it is the first telnet data packet between the two communicating parties; if not, going to step (5); if so, modifying the data part according to the telnet disguise type of step (1) and the telnet fingerprint library, then going to step (5);
3) if the source port number is 80, i.e. the data packet is an http data packet, modifying the Server header field of the http data packet according to the http disguise type of step (1) and the http fingerprint library, then going to step (5);
4) if the source port number is any other value, going to step (5);
(5) sending the data packet to the external network.
A service software feature hiding system based on a communication protocol comprises a policy dynamic control unit, a data interaction unit and a service software hiding unit;
the policy dynamic control unit provides a hiding policy for the service software features according to the user's selection and control, and issues the hiding policy to the data interaction unit and the service software hiding unit;
the data interaction unit receives data packets sent from the external network to the internal network or from the internal network to the external network; for a data packet sent from the external network to the internal network, according to the hiding policy received from the policy dynamic control unit, it sends the data packet to the service software hiding unit, receives the data packet returned by the service software hiding unit, and sends it to the internal network; a data packet sent from the internal network to the external network is forwarded directly;
the service software hiding unit receives the data packet sent by the data interaction unit according to the hiding policy received from the policy dynamic control unit, judges the protocol type of the data packet, matches it against the ftp, telnet or http protocol fingerprint respectively, and modifies the relevant fields of the data packets returned by the internal protected host to the external network, thereby hiding the ftp, telnet and http service software features from detection packets sent from the external network to the internal protected host.
Further, the service software hiding unit is configured to perform the following steps:
(1) receiving a hiding policy from the policy dynamic control unit, whose content comprises: the ip address list of the protected hosts and the service software disguise type; the service software disguise types comprise an ftp disguise type, a telnet disguise type and an http disguise type, and each disguise type has a corresponding fingerprint library;
(2) when an attacker performs service software detection against a host on the internal network, receiving the data packet sent by the attacker;
(3) judging whether the source ip of the data packet is in the ip address list of step (1); if not, sending the data packet to the internal network host; if so, performing step (4);
(4) judging the source port number of the data packet and processing it as follows:
1) if the source port number is 21, i.e. the data packet is an ftp data packet, parsing the tcp data part; if the first three characters of the data part are 220, modifying the data part according to the ftp disguise type of step (1) and the ftp fingerprint library, then going to step (5);
2) if the source port number is 23, i.e. the data packet is a telnet data packet, judging whether it is the first telnet data packet between the two communicating parties; if not, going to step (5); if so, modifying the data part according to the telnet disguise type of step (1) and the telnet fingerprint library, then going to step (5);
3) if the source port number is 80, i.e. the data packet is an http data packet, modifying the Server header field of the http data packet according to the http disguise type of step (1) and the http fingerprint library, then going to step (5);
4) if the source port number is any other value, going to step (5);
(5) sending the data packet to the external network.
The invention has the following beneficial effects:
(1) Using the characteristics of the communication protocol, the invention forges the service software feature detection data packets sent from the external network to the internal network and returns false information to the external network, thereby hiding the service software features of the protected host on the internal network.
(2) The invention does not reveal service software feature information, effectively reduces the accuracy of network detection, requires little computation, runs fast, and has the advantages of simple implementation, high processing speed and flexible application.
Drawings
FIG. 1 is a flow chart of a method of an embodiment of the present invention.
FIG. 2 is a schematic diagram of a system according to an embodiment of the invention.
Detailed Description
The invention is further described with reference to the following figures and specific embodiments. It is to be understood that the following text is merely illustrative of one or more embodiments of the invention and does not strictly limit the scope of the invention as specifically claimed.
As shown in FIG. 2, a service software feature hiding system based on a communication protocol includes a policy dynamic control unit 1, a data interaction unit 2, and a service software hiding unit 3.
The policy dynamic control unit 1 provides a hiding policy for service software features according to the user's selection and control, and issues the hiding policy to the data interaction unit 2 and the service software hiding unit 3.
The data interaction unit 2 receives data packets sent from the external network to the internal network or from the internal network to the external network; for a data packet sent from the external network to the internal network, according to the hiding policy received from the policy dynamic control unit 1, it sends the data packet to the service software hiding unit 3, receives the data packet returned by the service software hiding unit 3, and sends it to the internal network; a data packet sent from the internal network to the external network is forwarded directly.
The service software hiding unit 3 receives the data packet sent by the data interaction unit 2 according to the hiding policy received from the policy dynamic control unit 1, judges the protocol type of the data packet, matches it against the ftp, telnet or http protocol fingerprint respectively, and modifies the relevant fields of the data packets returned by the internal protected host to the external network, thereby hiding the ftp, telnet and http service software features from detection packets sent from the external network to the internal protected host.
As shown in FIG. 1, the service software hiding unit 3 is configured to perform the following steps:
Step S101, configuring a control strategy, whose content comprises: 1. the ip address list of the protected hosts; 2. the service software disguise type.
Step S102, when an attacker performs service software detection against a host on the internal network, receiving the data packet sent by the attacker.
Step S103, judging whether the source ip of the data packet is in the protected address list of step S101; if not, performing step S106 and sending the data packet to the internal network host; if so, going to step S104.
Step S104, determining the source port number of the packet, where port 21 is the ftp service port, port 23 is the telnet service port, and port 80 is the http service port, and processing it as follows:
1) if the packet is an ftp data packet (source port 21), parsing the tcp data part; if the first three characters of the data part are 220, modifying the data part according to the ftp disguise type and the ftp fingerprint library of step S101;
2) if the packet is a telnet data packet (source port 23), determining whether it is the first telnet data packet between the two communicating parties; if not, performing the next step; if so, modifying the data part according to the telnet disguise type and the telnet fingerprint library of step S101;
3) if the packet is an http data packet (source port 80), modifying the Server header field of the http data packet according to the http disguise type and the http fingerprint library of step S101;
4) if the source port of the packet is any other value, performing step S105.
Step S105, sending the processed data packet to the external network.
Step S106, sending the data packet to the internal network host.
The invention can effectively reduce the accuracy of service software feature detection, thereby raising the attacker's cost and moving information network security protection from passive defense to active defense. Using the characteristics of the communication protocol, the invention forges the service software feature detection data packets sent from the external network to the internal network and returns false information to the external network, thereby hiding the service software features of the protected host on the internal network. The method and system therefore do not leak service software feature information and instead return false information to the attacker; they require little computation, run fast, and have the advantages of simple implementation, high processing speed and flexible application.
Claims (3)
1. A service software feature hiding method based on a communication protocol is characterized by comprising the following steps:
(1) configuring a control strategy, whose content comprises: the ip address list of the protected hosts and the service software disguise type; the service software disguise types comprise an ftp disguise type, a telnet disguise type and an http disguise type, and each disguise type has a corresponding fingerprint library;
(2) when an attacker performs service software detection against a host on the internal network, receiving the data packet sent by the attacker;
(3) judging whether the source ip of the data packet is in the ip address list of step (1); if not, sending the data packet to the internal network host; if so, performing step (4);
(4) judging the source port number of the data packet and processing it as follows:
1) if the source port number is 21, i.e. the data packet is an ftp data packet, parsing the tcp data part; if the first three characters of the data part are 220, modifying the data part according to the ftp disguise type of step (1) and the ftp fingerprint library, then going to step (5);
2) if the source port number is 23, i.e. the data packet is a telnet data packet, judging whether it is the first telnet data packet between the two communicating parties; if not, going to step (5); if so, modifying the data part according to the telnet disguise type of step (1) and the telnet fingerprint library, then going to step (5);
3) if the source port number is 80, i.e. the data packet is an http data packet, modifying the Server header field of the http data packet according to the http disguise type of step (1) and the http fingerprint library, then going to step (5);
4) if the source port number is any other value, going to step (5);
(5) sending the data packet to the external network.
2. A service software feature hiding system based on a communication protocol is characterized by comprising a policy dynamic control unit, a data interaction unit and a service software hiding unit;
the policy dynamic control unit provides a hiding policy for the service software features according to the user's selection and control, and issues the hiding policy to the data interaction unit and the service software hiding unit;
the data interaction unit receives data packets sent from the external network to the internal network or from the internal network to the external network; for a data packet sent from the external network to the internal network, according to the hiding policy received from the policy dynamic control unit, it sends the data packet to the service software hiding unit, receives the data packet returned by the service software hiding unit, and sends it to the internal network; a data packet sent from the internal network to the external network is forwarded directly;
the service software hiding unit receives the data packet sent by the data interaction unit according to the hiding policy received from the policy dynamic control unit, judges the protocol type of the data packet, matches it against the ftp, telnet or http protocol fingerprint respectively, and modifies the relevant fields of the data packets returned by the internal protected host to the external network, thereby hiding the ftp, telnet and http service software features from detection packets sent from the external network to the internal protected host.
3. The service software feature hiding system based on the communication protocol as claimed in claim 2, wherein the service software hiding unit is configured to perform the following steps:
(1) receiving a hiding policy from the policy dynamic control unit, whose content comprises: the ip address list of the protected hosts and the service software disguise type; the service software disguise types comprise an ftp disguise type, a telnet disguise type and an http disguise type, and each disguise type has a corresponding fingerprint library;
(2) when an attacker performs service software detection against a host on the internal network, receiving the data packet sent by the attacker;
(3) judging whether the source ip of the data packet is in the ip address list of step (1); if not, sending the data packet to the internal network host; if so, performing step (4);
(4) judging the source port number of the data packet and processing it as follows:
1) if the source port number is 21, i.e. the data packet is an ftp data packet, parsing the tcp data part; if the first three characters of the data part are 220, modifying the data part according to the ftp disguise type of step (1) and the ftp fingerprint library, then going to step (5);
2) if the source port number is 23, i.e. the data packet is a telnet data packet, judging whether it is the first telnet data packet between the two communicating parties; if not, going to step (5); if so, modifying the data part according to the telnet disguise type of step (1) and the telnet fingerprint library, then going to step (5);
3) if the source port number is 80, i.e. the data packet is an http data packet, modifying the Server header field of the http data packet according to the http disguise type of step (1) and the http fingerprint library, then going to step (5);
4) if the source port number is any other value, going to step (5);
(5) sending the data packet to the external network.
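As an added example (not code from the patent), the following Python models the decision logic of the service software hiding unit as described in method steps (1)-(5), embodiment steps S101-S106 and claims 1 and 3: the control policy, the source-ip check, the per-port rewrite of the ftp 220 greeting, the first telnet packet and the http Server header, and the forwarding decision. The Policy and Packet classes, the flow-tracking set and the decoy fingerprint values are assumptions of this example, not part of the patent.

```python
from dataclasses import dataclass, replace

# Constructed fingerprint libraries (one decoy per disguise type); the patent
# only says each disguise type has a fingerprint library, values are illustrative.
FTP_FINGERPRINTS = {"vsftpd": b"220 (vsFTPd 3.0.3)\r\n"}
TELNET_FINGERPRINTS = {"busybox": b"\r\nBusyBox v1.31.1 built-in shell (ash)\r\nlogin: "}
HTTP_FINGERPRINTS = {"nginx": b"nginx/1.18.0"}


@dataclass
class Policy:
    """Step (1): control strategy issued by the policy dynamic control unit."""
    protected_ips: frozenset
    ftp_disguise: str
    telnet_disguise: str
    http_disguise: str


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes  # the tcp data part


class HidingUnit:
    """Steps (2)-(5): classify each packet and rewrite protected hosts' replies."""

    def __init__(self, policy: Policy):
        self.policy = policy
        # Only the first telnet packet of a flow is rewritten; remember 4-tuples seen.
        self._telnet_seen = set()

    def handle(self, pkt: Packet):
        """Return (direction, packet): 'internal' forwards an inbound probe to the
        protected host unchanged; 'external' sends the (possibly rewritten) reply out."""
        # Step (3): a source ip outside the protected list is an inbound probe.
        if pkt.src_ip not in self.policy.protected_ips:
            return "internal", pkt
        # Step (4): dispatch on the protected host's source port.
        if pkt.src_port == 21:
            pkt = self._hide_ftp(pkt)
        elif pkt.src_port == 23:
            pkt = self._hide_telnet(pkt)
        elif pkt.src_port == 80:
            pkt = self._hide_http(pkt)
        # Case 4) (any other port) falls through; step (5): send to the external network.
        return "external", pkt

    def _hide_ftp(self, pkt: Packet) -> Packet:
        # Only the greeting (reply code 220) carries the server banner.
        if pkt.payload[:3] != b"220":
            return pkt
        return replace(pkt, payload=FTP_FINGERPRINTS[self.policy.ftp_disguise])

    def _hide_telnet(self, pkt: Packet) -> Packet:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow in self._telnet_seen:
            return pkt
        self._telnet_seen.add(flow)
        return replace(pkt, payload=TELNET_FINGERPRINTS[self.policy.telnet_disguise])

    def _hide_http(self, pkt: Packet) -> Packet:
        # Only a response header block carries a Server field: leave body segments
        # and anything not starting with an HTTP status line alone.
        if not pkt.payload.startswith(b"HTTP/"):
            return pkt
        head, sep, body = pkt.payload.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        for i, line in enumerate(lines):
            name, colon, _ = line.partition(b":")
            if colon and name.strip().lower() == b"server":
                lines[i] = b"Server: " + HTTP_FINGERPRINTS[self.policy.http_disguise]
                break
        else:
            return pkt  # no Server header present, nothing to rewrite
        return replace(pkt, payload=b"\r\n".join(lines) + sep + body)
```

A real inline implementation must also recompute the TCP checksum and compensate sequence and acknowledgement numbers whenever the rewritten data part changes length; the patent's steps, like this model, cover only the rewrite of the data part.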
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110875208.8A CN113556356A (en) | 2021-07-30 | 2021-07-30 | Service software feature hiding method and system based on communication protocol |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110875208.8A CN113556356A (en) | 2021-07-30 | 2021-07-30 | Service software feature hiding method and system based on communication protocol |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113556356A true CN113556356A (en) | 2021-10-26 |
Family
ID=78133476
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110875208.8A Pending CN113556356A (en) | 2021-07-30 | 2021-07-30 | Service software feature hiding method and system based on communication protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113556356A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104967628A (en) * | 2015-07-16 | 2015-10-07 | 浙江大学 | Deceiving method of protecting web application safety |
CN109495440A (en) * | 2018-09-06 | 2019-03-19 | 国家电网有限公司 | A kind of random device of Intranet dynamic security |
US20200059490A1 (en) * | 2015-10-22 | 2020-02-20 | Versafe Ltd. | Methods for hypertext markup language (html) input field obfuscation and devices thereof |
CN111628993A (en) * | 2020-05-26 | 2020-09-04 | 中国电子科技集团公司第五十四研究所 | Network spoofing defense method and device based on host fingerprint hiding |
CN111935193A (en) * | 2020-10-13 | 2020-11-13 | 江苏开博科技有限公司 | Automatic safety protection method based on correlation of camouflage agent and dynamic technology |
- 2021-07-30: CN CN202110875208.8A patent/CN113556356A/en active Pending
Non-Patent Citations (1)
Title |
---|
贾哲 (Jia Zhe): "基于虚假响应的主机指纹隐藏方法" (Host fingerprint hiding method based on false responses), 无线电通信技术 (Radio Communications Technology) * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110445770B (en) | Network attack source positioning and protecting method, electronic equipment and computer storage medium | |
KR101554809B1 (en) | System and method for protocol fingerprinting and reputation correlation | |
CN107426242B (en) | Network security protection method, device and storage medium | |
US9942250B2 (en) | Network appliance for dynamic protection from risky network activities | |
US8949978B1 (en) | Efficient web threat protection | |
JP2020515962A (en) | Protection against APT attacks | |
US7096200B2 (en) | System and method for evaluating and enhancing source anonymity for encrypted web traffic | |
EP2147390B1 (en) | Detection of adversaries through collection and correlation of assessments | |
CN112788034B (en) | Processing method and device for resisting network attack, electronic equipment and storage medium | |
KR102222377B1 (en) | Method for Automatically Responding to Threat | |
US20210194915A1 (en) | Identification of potential network vulnerability and security responses in light of real-time network risk assessment | |
CN114826663B (en) | Honeypot identification method, device, equipment and storage medium | |
CN112995162A (en) | Network traffic processing method and device, electronic equipment and storage medium | |
Fraunholz et al. | Cloxy: A context-aware deception-as-a-service reverse proxy for web services | |
Diwan | An investigation and analysis of cyber security information systems: latest trends and future suggestion | |
Dakhane et al. | Active warden for TCP sequence number base covert channel | |
KR101494329B1 (en) | System and Method for detecting malignant process | |
US11388176B2 (en) | Visualization tool for real-time network risk assessment | |
CN113556356A (en) | Service software feature hiding method and system based on communication protocol | |
CN115603985A (en) | Intrusion detection method, electronic device and storage medium | |
CN112953957B (en) | Intrusion prevention method, system and related equipment | |
CN114726579A (en) | Method, apparatus, device, storage medium and program product for defending against network attacks | |
Gross | Detecting and destroying botnets | |
Mims | The Botnet Problem | |
KR102621652B1 (en) | Server computer equipped with DRDoS attack response method, DRDoS attack response program and DRDoS attack response method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2021-10-26