CN113556356A - Service software feature hiding method and system based on communication protocol - Google Patents


Info

Publication number: CN113556356A
Authority: CN (China)
Prior art keywords: data packet, service software, hiding, type, telnet
Legal status: Pending
Application number: CN202110875208.8A
Other languages: Chinese (zh)
Inventors: 贾哲, 李炳彰, 赵海强, 高小涵, 赵阳阳, 贾紫艺, 匡春旭, 吴巍, 焦利彬
Current assignee: CETC 54 Research Institute
Original assignee: CETC 54 Research Institute
Priority date: 2021-07-30
Filing date: 2021-07-30
Publication date: 2021-10-26

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L 63/1441 Countermeasures against malicious traffic
                    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
        • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/01 Protocols
                • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
                • H04L 67/08 Protocols specially adapted for terminal emulation, e.g. Telnet

Abstract

The invention discloses a service software feature hiding method and system based on a communication protocol, and belongs to the technical field of cyberspace security. Using the characteristics of the communication protocol, the invention forges the service software detection data packets sent from the external network to the internal network and returns false information to the external network, thereby hiding the service software features of the protected hosts on the internal network. The method and device therefore leak no service software feature information and return false information to the attacker; they need little computation and run fast, and have the advantages of simple implementation, high processing speed and flexible application.

Description

Service software feature hiding method and system based on communication protocol
Technical Field
The invention relates to the technical field of cyberspace security, in particular to a service software feature hiding method and system based on a communication protocol.
Background
With the rapid development of internet technology, network attacks are incessant, and effectively preventing the leakage of network information is crucial to protecting its security. Before launching an attack, an attacker first collects information about the target. Service software information describes the applications and service processes a remote computer is running. This is very useful to a remote attacker: once the attacker has determined the vendor and version of the service software, that is in many cases sufficient to begin vulnerability research and the attack process.
Service software detection works by establishing a connection with the remote computer over telnet, ftp and other protocols, so that a vulnerable host responds with information that may include details an attacker can use to compromise the system.
When the system configuration is static, an attacker with enough time can always obtain the accurate service software features of the target and mount an effective attack. There is therefore a need in the art for a method of dynamically hiding service software features.
Disclosure of Invention
In view of this, the present invention provides a service software feature hiding method and system based on a communication protocol, which can effectively reduce the accuracy of service software feature detection in a network, thereby raising the attacker's cost and moving information network security protection from passive defense to active defense.
The object of the invention is achieved as follows:
A service software feature hiding method based on a communication protocol comprises the following steps:
(1) configuring a control policy, the policy content comprising: the ip address list of the protected hosts and the service software disguise type; the service software disguise types comprise an ftp disguise type, a telnet disguise type and an http disguise type, and each disguise type has a corresponding fingerprint library;
(2) when an attacker performs service software detection on a host of the internal network, receiving the data packet sent by the attacker;
(3) judging whether the source ip of the data packet is in the ip address list of step (1); if not, sending the data packet to the internal network host; if so, performing step (4);
(4) judging the source port number of the data packet and processing it as follows:
1) if the source port number of the data packet is 21, i.e. the data packet is an ftp data packet, parsing the tcp data part; if the first three characters of the data part are 220, modifying the data part according to the ftp disguise type of step (1) and the ftp fingerprint library, then going to step (5);
2) if the source port number of the data packet is 23, i.e. the data packet is a telnet data packet, judging whether the data packet is the first telnet data packet between the two communicating parties; if not, going to step (5); if so, modifying the data part according to the telnet disguise type of step (1) and the telnet fingerprint library, then going to step (5);
3) if the source port number of the data packet is 80, i.e. the data packet is an http data packet, modifying the Server header field of the http data packet according to the http disguise type of step (1) and the http fingerprint library, then going to step (5);
4) if the source port number of the data packet is any other value, going to step (5);
(5) sending the data packet to the external network.
A service software feature hiding system based on a communication protocol comprises a policy dynamic control unit, a data interaction unit and a service software hiding unit;
the policy dynamic control unit provides a hiding policy for the service software features according to the user's selection and control, and issues the hiding policy to the data interaction unit and the service software hiding unit;
the data interaction unit receives data packets sent from the external network to the internal network or from the internal network to the external network; for a data packet sent from the external network to the internal network, it passes the data packet to the service software hiding unit according to the hiding policy received from the policy dynamic control unit, then receives the data packet returned by the service software hiding unit and sends it to the internal network; data packets sent from the internal network to the external network are forwarded directly;
the service software hiding unit receives the data packets passed by the data interaction unit according to the hiding policy received from the policy dynamic control unit, determines the protocol type of each data packet, matches it against the ftp, telnet and http protocol fingerprints respectively, modifies the relevant fields of data packets sent from the internal protected host to the external network, and thereby hides the features of the ftp, telnet and http service software from detection sent from the external network to the internal protected host.
Further, the service software hiding unit is configured to perform the following steps:
(1) receiving a hiding policy from the policy dynamic control unit, the policy content comprising: the ip address list of the protected hosts and the service software disguise type; the service software disguise types comprise an ftp disguise type, a telnet disguise type and an http disguise type, and each disguise type has a corresponding fingerprint library;
(2) when an attacker performs service software detection on a host of the internal network, receiving the data packet sent by the attacker;
(3) judging whether the source ip of the data packet is in the ip address list of step (1); if not, sending the data packet to the internal network host; if so, performing step (4);
(4) judging the source port number of the data packet and processing it as follows:
1) if the source port number of the data packet is 21, i.e. the data packet is an ftp data packet, parsing the tcp data part; if the first three characters of the data part are 220, modifying the data part according to the ftp disguise type of step (1) and the ftp fingerprint library, then going to step (5);
2) if the source port number of the data packet is 23, i.e. the data packet is a telnet data packet, judging whether the data packet is the first telnet data packet between the two communicating parties; if not, going to step (5); if so, modifying the data part according to the telnet disguise type of step (1) and the telnet fingerprint library, then going to step (5);
3) if the source port number of the data packet is 80, i.e. the data packet is an http data packet, modifying the Server header field of the http data packet according to the http disguise type of step (1) and the http fingerprint library, then going to step (5);
4) if the source port number of the data packet is any other value, going to step (5);
(5) sending the data packet to the external network.
The beneficial effects of the invention are:
(1) using the characteristics of the communication protocol, the invention forges the service software detection data packets sent from the external network to the internal network and returns false information to the external network, thereby hiding the service software features of the protected hosts on the internal network;
(2) the invention reveals no information about the service software features, effectively reduces network detection accuracy, needs little computation and runs fast, and has the advantages of simple implementation, high processing speed and flexible application.
Drawings
FIG. 1 is a flow chart of the method of an embodiment of the present invention.
FIG. 2 is a schematic diagram of the system of an embodiment of the present invention.
Detailed Description
The invention is further described with reference to the following figures and specific embodiments. It is to be understood that the following text merely illustrates one or more embodiments of the invention and does not limit the scope of the invention as claimed.
As shown in FIG. 2, a service software feature hiding system based on a communication protocol includes a policy dynamic control unit 1, a data interaction unit 2 and a service software hiding unit 3.
The policy dynamic control unit 1 provides a hiding policy for the service software features according to the user's selection and control, and issues the hiding policy to the data interaction unit 2 and the service software hiding unit 3.
The data interaction unit 2 receives data packets sent from the external network to the internal network or from the internal network to the external network; for a data packet sent from the external network to the internal network, it passes the data packet to the service software hiding unit 3 according to the hiding policy received from the policy dynamic control unit 1, then receives the data packet returned by the service software hiding unit 3 and sends it to the internal network; data packets sent from the internal network to the external network are forwarded directly.
The service software hiding unit 3 receives the data packets passed by the data interaction unit 2 according to the hiding policy received from the policy dynamic control unit 1, determines the protocol type of each data packet, matches it against the ftp, telnet and http protocol fingerprints respectively, modifies the relevant fields of data packets sent from the internal protected host to the external network, and thereby hides the features of the ftp, telnet and http service software from detection sent from the external network to the internal protected host.
As shown in FIG. 1, the service software hiding unit 3 is configured to perform the following steps:
Step S101, configuring a control policy, the policy content comprising: 1. the ip address list of the protected hosts; 2. the service software disguise type.
Step S102, when an attacker performs service software detection on a host of the internal network, receiving the data packet sent by the attacker.
Step S103, judging whether the source ip of the data packet is in the protected address list of step S101; if not, going to step S106 and sending the data packet to the internal network host; if so, going to step S104.
Step S104, determining the source port number of the packet, where port 21 is the ftp service port, port 23 the telnet service port and port 80 the http service port, and processing as follows:
1) if the packet is an ftp data packet (source port 21), parsing the tcp data part; if the first three characters of the data part are 220, modifying the data part according to the ftp disguise type and the ftp fingerprint library of step S101;
2) if the packet is a telnet data packet (source port 23), determining whether it is the first telnet data packet between the two communicating parties; if not, going to the next step; if so, modifying the data part according to the telnet disguise type and the telnet fingerprint library of step S101;
3) if the packet is an http data packet (source port 80), modifying the Server header field of the http data packet according to the http disguise type and the http fingerprint library of step S101;
4) if the source port of the packet is any other value, going to step S105.
Step S105, sending the processed data packet to the external network.
Step S106, sending the data packet to the internal network host.
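A Python model of the hiding unit's packet path described in steps (1) to (5) above and in steps S101 to S106, added here as an example and not code from the patent. It reads step (3) as separating inbound probes (source not a protected host, forwarded inward untouched) from a protected host's replies (source port 21, 23 or 80, rewritten and forwarded outward); the fingerprint strings, addresses and packets are constructed, since the patent does not list the contents of its fingerprint libraries.

```python
import re
from dataclasses import dataclass, replace

FINGERPRINTS = {  # constructed libraries: disguise type -> bytes the external network sees
    "ftp": {"vsftpd": b"220 (vsFTPd 3.0.3)\r\n"},
    "telnet": {"router": b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f"},  # IAC negotiation
    "http": {"nginx": b"nginx/1.18.0"},
}


@dataclass(frozen=True)
class Policy:  # step (1): protected hosts plus one disguise type per protocol
    protected_hosts: frozenset
    disguise: dict  # e.g. {"ftp": "vsftpd", "telnet": "router", "http": "nginx"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes  # the tcp data part only


class ServiceHider:
    def __init__(self, policy: Policy):
        self.policy = policy
        self._telnet_seen = set()  # flows whose first server telnet packet was replaced

    def process(self, pkt: Packet):
        """Step (3): a packet not from a protected host is an inbound probe and goes to the
        internal host; a protected host's reply is rewritten by source port (4) and sent out (5)."""
        if pkt.src_ip not in self.policy.protected_hosts:
            return "internal", pkt
        if pkt.src_port == 21:
            payload = self._ftp(pkt.payload)
        elif pkt.src_port == 23:
            payload = self._telnet(pkt)
        elif pkt.src_port == 80:
            payload = self._http(pkt.payload)
        else:
            payload = pkt.payload  # step (4)4): other ports pass through unchanged
        return "external", replace(pkt, payload=payload)

    def _fake(self, proto: str):
        kind = self.policy.disguise.get(proto)  # None when no disguise is configured
        return FINGERPRINTS[proto].get(kind) if kind else None

    def _ftp(self, data: bytes) -> bytes:
        # step (4)1): only the 220 greeting carries the server banner
        fake = self._fake("ftp")
        return fake if fake and data[:3] == b"220" else data

    def _telnet(self, pkt: Packet) -> bytes:
        # step (4)2): replace only the first server->client packet of each connection;
        # a real middlebox drops the flow entry on FIN/RST so the set cannot grow forever
        fake, flow = self._fake("telnet"), (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        if fake is None or flow in self._telnet_seen:
            return pkt.payload
        self._telnet_seen.add(flow)
        return fake

    def _http(self, data: bytes) -> bytes:
        # step (4)3): rewrite the Server header of a response head; the body is untouched
        fake = self._fake("http")
        if fake is None or not data.startswith(b"HTTP/"):
            return data
        head, sep, body = data.partition(b"\r\n\r\n")
        head = re.sub(rb"(?im)^Server:[ \t]*[^\r\n]*", lambda m: b"Server: " + fake, head, count=1)
        return head + sep + body


def demo():
    policy = Policy(frozenset({"10.0.0.5"}), {"ftp": "vsftpd", "telnet": "router", "http": "nginx"})
    hider, attacker, host = ServiceHider(policy), "203.0.113.7", "10.0.0.5"
    traffic = [  # constructed packets: one inbound probe, then the host's real replies
        Packet(attacker, 40001, host, 21, b""),
        Packet(host, 21, attacker, 40001, b"220 ProFTPD 1.3.5 Server (Debian)\r\n"),
        Packet(host, 23, attacker, 40002, b"\xff\xfd\x18\xff\xfd\x20"),
        Packet(host, 23, attacker, 40002, b"login: "),
        Packet(host, 80, attacker, 40003,
               b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\nContent-Length: 2\r\n\r\nok"),
    ]
    return [hider.process(p) for p in traffic]
```

Because a replaced banner can differ in length from the original, a transparent implementation must also adjust the TCP sequence and acknowledgement numbers of later segments in that connection, which the patent leaves to the implementer. Classification by source port alone also means a service listening on a non-standard port is not covered by the rewrite.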
The invention effectively reduces the accuracy of service software feature detection, thereby raising the attacker's cost and moving information network security protection from passive defense to active defense. Using the characteristics of the communication protocol, the invention forges the service software detection data packets sent from the external network to the internal network and returns false information to the external network, thereby hiding the service software features of the protected hosts on the internal network. The method and device therefore leak no service software feature information and return false information to the attacker; they need little computation and run fast, and have the advantages of simple implementation, high processing speed and flexible application.

Claims (3)

1. A service software feature hiding method based on a communication protocol, characterized by comprising the following steps:
(1) configuring a control policy, the policy content comprising: the ip address list of the protected hosts and the service software disguise type; the service software disguise types comprise an ftp disguise type, a telnet disguise type and an http disguise type, and each disguise type has a corresponding fingerprint library;
(2) when an attacker performs service software detection on a host of the internal network, receiving the data packet sent by the attacker;
(3) judging whether the source ip of the data packet is in the ip address list of step (1); if not, sending the data packet to the internal network host; if so, performing step (4);
(4) judging the source port number of the data packet and processing it as follows:
1) if the source port number of the data packet is 21, i.e. the data packet is an ftp data packet, parsing the tcp data part; if the first three characters of the data part are 220, modifying the data part according to the ftp disguise type of step (1) and the ftp fingerprint library, then going to step (5);
2) if the source port number of the data packet is 23, i.e. the data packet is a telnet data packet, judging whether the data packet is the first telnet data packet between the two communicating parties; if not, going to step (5); if so, modifying the data part according to the telnet disguise type of step (1) and the telnet fingerprint library, then going to step (5);
3) if the source port number of the data packet is 80, i.e. the data packet is an http data packet, modifying the Server header field of the http data packet according to the http disguise type of step (1) and the http fingerprint library, then going to step (5);
4) if the source port number of the data packet is any other value, going to step (5);
(5) sending the data packet to the external network.
2. A service software feature hiding system based on a communication protocol, characterized by comprising a policy dynamic control unit, a data interaction unit and a service software hiding unit;
the policy dynamic control unit provides a hiding policy for the service software features according to the user's selection and control, and issues the hiding policy to the data interaction unit and the service software hiding unit;
the data interaction unit receives data packets sent from the external network to the internal network or from the internal network to the external network; for a data packet sent from the external network to the internal network, it passes the data packet to the service software hiding unit according to the hiding policy received from the policy dynamic control unit, then receives the data packet returned by the service software hiding unit and sends it to the internal network; data packets sent from the internal network to the external network are forwarded directly;
the service software hiding unit receives the data packets passed by the data interaction unit according to the hiding policy received from the policy dynamic control unit, determines the protocol type of each data packet, matches it against the ftp, telnet and http protocol fingerprints respectively, modifies the relevant fields of data packets sent from the internal protected host to the external network, and thereby hides the features of the ftp, telnet and http service software from detection sent from the external network to the internal protected host.
3. The service software feature hiding system based on a communication protocol as claimed in claim 2, characterized in that the service software hiding unit is configured to perform the following steps:
(1) receiving a hiding policy from the policy dynamic control unit, the policy content comprising: the ip address list of the protected hosts and the service software disguise type; the service software disguise types comprise an ftp disguise type, a telnet disguise type and an http disguise type, and each disguise type has a corresponding fingerprint library;
(2) when an attacker performs service software detection on a host of the internal network, receiving the data packet sent by the attacker;
(3) judging whether the source ip of the data packet is in the ip address list of step (1); if not, sending the data packet to the internal network host; if so, performing step (4);
(4) judging the source port number of the data packet and processing it as follows:
1) if the source port number of the data packet is 21, i.e. the data packet is an ftp data packet, parsing the tcp data part; if the first three characters of the data part are 220, modifying the data part according to the ftp disguise type of step (1) and the ftp fingerprint library, then going to step (5);
2) if the source port number of the data packet is 23, i.e. the data packet is a telnet data packet, judging whether the data packet is the first telnet data packet between the two communicating parties; if not, going to step (5); if so, modifying the data part according to the telnet disguise type of step (1) and the telnet fingerprint library, then going to step (5);
3) if the source port number of the data packet is 80, i.e. the data packet is an http data packet, modifying the Server header field of the http data packet according to the http disguise type of step (1) and the http fingerprint library, then going to step (5);
4) if the source port number of the data packet is any other value, going to step (5);
(5) sending the data packet to the external network.

Priority Applications (1)

Application Number    Priority Date    Filing Date    Title
CN202110875208.8A (CN113556356A)    2021-07-30    2021-07-30    Service software feature hiding method and system based on communication protocol

Publications (1)

Publication Number    Publication Date
CN113556356A (en)    2021-10-26

Family ID: 78133476

Country Status (1)

Country    Link
CN (1)    CN113556356A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104967628A (en) * 2015-07-16 2015-10-07 浙江大学 Deceiving method of protecting web application safety
CN109495440A (en) * 2018-09-06 2019-03-19 国家电网有限公司 A kind of random device of Intranet dynamic security
US20200059490A1 (en) * 2015-10-22 2020-02-20 Versafe Ltd. Methods for hypertext markup language (html) input field obfuscation and devices thereof
CN111628993A (en) * 2020-05-26 2020-09-04 中国电子科技集团公司第五十四研究所 Network spoofing defense method and device based on host fingerprint hiding
CN111935193A (en) * 2020-10-13 2020-11-13 江苏开博科技有限公司 Automatic safety protection method based on correlation of camouflage agent and dynamic technology

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
贾哲: "Host fingerprint hiding method based on false responses", Radio Communications Technology (《无线电通信技术》) *

Legal Events

Code    Title
PB01    Publication
SE01    Entry into force of request for substantive examination
RJ01    Rejection of invention patent application after publication

Application publication date: 20211026