CN113660144A - Network loopback time-based springboard detection method and system thereof - Google Patents

Publication number: CN113660144A
Authority: CN (China)
Prior art keywords: time interval, springboard, terminal, data packet, time
Legal status: Pending
Application number: CN202111080659.9A
Other languages: Chinese (zh)
Inventor: 朱伟华
Current Assignee: Jiayuan Technology Co Ltd
Original Assignee: Jiayuan Technology Co Ltd
Application filed by Jiayuan Technology Co Ltd
Priority to CN202111080659.9A
Publication of CN113660144A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/142: Network analysis or design using statistical or mathematical methods
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/50: Testing arrangements
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16: Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163: In-band adaptation of TCP data exchange; In-band control procedures

Abstract

The invention discloses a springboard detection method based on network loopback time, which comprises the following steps: the server sends the data packet to the terminal, and the terminal feeds back a return data packet corresponding to the data packet to the server; acquiring a first time interval between a data packet arrival time point and a return data packet arrival time point corresponding to the data packet arrival time point; acquiring a second time interval between arrival time points of adjacent data packets, or acquiring a second time interval between arrival time points of adjacent return data packets; and generating a springboard detection result of the terminal based on the first time interval and the second time interval. The invention completes the springboard detection in real time by collecting the first time interval and the second time interval and utilizing the characteristics of the Nagle algorithm and the TCP three-way handshake. Meanwhile, specific results can be distinguished based on the different conditions contained in the Nagle algorithm, the adaptability of the springboard detection method is effectively improved, and the problems of low detection real-time performance and poor adaptability of the traditional springboard detection method are solved.

Description

Network loopback time-based springboard detection method and system thereof
Technical Field
The invention relates to the technical field of network security, in particular to a springboard detection method and a springboard detection system based on network loopback time.
Background
At present, with continuous popularization of a cloud storage technology and wide use of a cloud host, a data center of internet electronic government affairs has the characteristics of a distributed architecture, the data scale has an expanded trend, and data security exchange has the characteristics of high efficiency, high security and high reliability. Regardless of the principle and the method, most attacks on the cloud host combine the springboard technology to hide the attack source.
Therefore, springboard detection is a popular research problem in the technical field of network security. Existing springboard detection methods include the following. "Detecting long connection chains of interactive terminal sessions" first proposed a Send-Ack/Send-Echo scheme that uses RTT to detect springboards. "Improved thumbprint and its application for intrusion detection" establishes an RTT-thumbprint scheme on the assumption that the time delay of adjacent packets is greater than the RTT, so that the transmitted packets and the reply packets are required to be in a one-to-one correspondence. "A clustering-partitioning algorithm to find TCP packet round-trip time for intrusion detection" provides a max-min distance scheme and calculates the RTT more accurately by clustering. "How much anonymity does network latency leak?" proposes a widely applicable measurement method for when a TCP session is established, and uses the time interval between the ACK sent by the sender and the first GET request during the TCP three-way handshake as the detected time-interval feature.
However, the method in "Detecting long connection chains of interactive terminal sessions" requires a long observation time; "A clustering-partitioning algorithm to find TCP packet round-trip time for intrusion detection" needs to observe a complete session, so that real-time response cannot be carried out; "Improved thumbprint and its application for intrusion detection" cannot be used under conditions such as a cumulative transmission mechanism, packet loss and packet recombination; and "How much anonymity does network latency leak?" cannot be used in the scenario where the session initiator uses the Nagle algorithm, in which case the detection result may have a large error.
In summary, the conventional springboard detection method has the problems of low detection real-time performance and poor adaptability.
Disclosure of Invention
In view of this, the present invention provides a method and a system for detecting a springboard based on network loopback time, which solve the problems of low real-time performance and poor adaptability of the traditional springboard detection method.
In order to solve the above problems, the technical scheme of the invention is to adopt a springboard detection method based on network loopback time, which comprises the following steps: the method comprises the steps that a server sends a data packet to a terminal, and the terminal feeds back a return data packet corresponding to the data packet to the server; acquiring a first time interval between the arrival time point of the data packet and the arrival time point of the return data packet corresponding to the arrival time point of the data packet; acquiring a second time interval between the arrival time points of the adjacent data packets, or acquiring the second time interval between the arrival time points of the adjacent return data packets, wherein the first time interval and the second time interval belong to the same session; and generating a springboard detection result of the terminal based on the first time interval and the second time interval.
Optionally, the obtaining the first time interval comprises: calculating the estimated time interval between the arrival time point of the data packet and the arrival time point of the return data packet corresponding to the arrival time point of the data packet; acquiring an interval floating value, and generating an estimated time range based on the interval floating value and the estimated time interval; if the acquired first time interval is within the estimated time range, the first time interval is credible; if the acquired first time interval is not in the estimated time range and the first time interval is not credible, acquiring a first time interval between the arrival time point of the data packet at the next adjacent moment and the arrival time point of the return data packet corresponding to the arrival time point of the data packet and judging the estimated time range until the first time interval is credible.
Optionally, the obtaining the second time interval comprises: judging whether the terminal uses a Nagle algorithm; if the terminal uses a Nagle algorithm, acquiring a time interval between the arrival time points of the adjacent data packets as the second time interval; and if the terminal does not use the Nagle algorithm, acquiring a time interval between the arrival time points of the adjacent return data packets as the second time interval.
Optionally, the springboard detection method further includes: and in the session containing the first time interval and the second time interval, acquiring the data packet load length and the distribution condition of all the return data packets in the session.
Optionally, generating the springboard detection result comprises: under the condition that the terminal uses a Nagle algorithm, if the second time interval is different from the first time interval, the terminal is a springboard; under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load length is one-dimensional distribution, the terminal is not a springboard; under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load length is multidimensional distribution, the terminal is a springboard; under the condition that the terminal does not use a Nagle algorithm, if the second time interval is the same as the first time interval, the terminal is not a springboard; and under the condition that the terminal does not use the Nagle algorithm, if the second time interval is different from the first time interval, the terminal is a springboard.
Correspondingly, the invention provides a springboard detection system based on network loopback time, which comprises: a server: for sending data packets to the terminal; the terminal: the data processing device is used for feeding back a return data packet corresponding to the data packet to the server; a detection unit: and the time interval acquisition module is used for acquiring a first time interval between the arrival time point of the data packet and the arrival time point of the corresponding return data packet, acquiring a second time interval between the arrival time points of the adjacent data packets, or acquiring the second time interval between the arrival time points of the adjacent return data packets, and generating a springboard detection result of the terminal based on the first time interval and the second time interval.
Optionally, the detection unit includes: a packet information extraction module; the session judging module is used for judging the session to which the data packet and the return data packet belong; a first time interval acquisition module, configured to acquire the first time interval; a second time interval obtaining module, configured to obtain the second time interval; and the judging module is used for generating the springboard detection result.
Optionally, the first time interval obtaining module generates an estimated time range based on the interval floating value and the estimated time interval by calculating the estimated time interval between the arrival time point of the data packet and the arrival time point of the return data packet corresponding to the arrival time point of the data packet, and obtaining an interval floating value, wherein if the obtained first time interval is within the estimated time range, the first time interval is trusted; if the acquired first time interval is not in the estimated time range and the first time interval is not credible, acquiring a first time interval between the arrival time point of the data packet at the next adjacent moment and the arrival time point of the return data packet corresponding to the arrival time point of the data packet and judging the estimated time range until the first time interval is credible.
Optionally, the second time interval obtaining module determines whether the terminal uses a Nagle algorithm, and if the terminal uses the Nagle algorithm, obtains a time interval between arrival time points of the adjacent data packets as the second time interval, and if the terminal does not use the Nagle algorithm, obtains a time interval between arrival time points of the adjacent return data packets as the second time interval.
Optionally, in a case that the terminal uses a Nagle algorithm, if the second time interval is different from the first time interval, the deciding module generates a springboard detection result that the terminal is a springboard; under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load lengths is one-dimensional distribution, the judging module generates a springboard detection result that the terminal is not a springboard; under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load length is multidimensional distribution, the judging module generates a springboard detection result that the terminal is a springboard; under the condition that the terminal does not use a Nagle algorithm, if the second time interval is the same as the first time interval, the judging module generates a springboard detection result that the terminal is not a springboard; and under the condition that the terminal does not use a Nagle algorithm, if the second time interval is different from the first time interval, the judging module generates a springboard detection result that the terminal is a springboard.
The primary improvement of the invention is that the provided network loopback time-based springboard detection method completes springboard detection in real time by acquiring the first time interval and the second time interval in the same session and utilizing the characteristics of the Nagle algorithm and the TCP three-way handshake. Meanwhile, specific results can be distinguished based on the different conditions contained in the Nagle algorithm, the adaptability of the springboard detection method is effectively improved, and the problems of low detection real-time performance and poor adaptability of the traditional springboard detection method are solved.
Drawings
FIG. 1 is a simplified flow diagram of the network loopback time-based springboard detection method of the present invention;
FIG. 2 is a simplified unit connection diagram of the network loopback time-based springboard detection system of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood by those skilled in the art, the present invention will be further described in detail with reference to the accompanying drawings and specific embodiments.
As shown in fig. 1, a method for detecting a springboard based on a network loopback time includes:
S1: The server sends a data packet to the terminal, and the terminal feeds back a return data packet corresponding to the data packet to the server.
S2: Acquire a first time interval N_RTT between the arrival time point of the data packet and the arrival time point of the corresponding return data packet.
Further, an estimated time interval N_ERTT between the arrival time point of the data packet and the arrival time point of the corresponding return data packet is calculated, where the calculation formula of N_ERTT is:
$$N\_ERTT_i = a \cdot N\_ERTT_{i-1} + (1-a) \cdot N\_RTT_{i-1}, \qquad N\_ERTT_1 = N\_RTT_1$$
where a can take the value 0.875.
An interval floating value FR is acquired, and an estimated time range [N_ERTT - FR, N_ERTT + FR] is generated based on the interval floating value and the estimated time interval, wherein the value of the interval floating value FR can be set by a user according to the system condition;
if the obtained first time interval N_RTT is within the estimated time range, the first time interval N_RTT is credible;
if the obtained first time interval N_RTT is not in the estimated time range, the first time interval N_RTT is not credible; in that case, the first time interval N_RTT between the arrival time point of the data packet at the next adjacent moment and the arrival time point of its corresponding return data packet is obtained, and the estimated time range is judged again based on the updated first time interval N_RTT, until the first time interval N_RTT is credible.
Furthermore, if the obtained N_RTT is smaller than the estimated time range, the data packet is discarded and the calculation is repeated using the data packet at the next adjacent moment; and if the time interval between two adjacent sent data packets is far larger than the first time interval due to the OF + SFS problem, the stack is reset through a preset time threshold Th. The threshold is determined by the formula:
Figure BDA0003263871760000061
where b is the amplification factor.
The reliability judgment of the first time interval N _ RTT is carried out by setting the estimated time range, and a large error value caused by problems of delay confirmation, overlapping and staggering and the like is effectively eliminated, so that the matching rate and the accuracy rate are improved.
S3: Acquire a second time interval between the arrival time points of the adjacent data packets, or acquire the second time interval between the arrival time points of the adjacent return data packets, wherein the first time interval and the second time interval belong to the same session.
Further, obtaining the second time interval comprises: judging whether the terminal uses a Nagle algorithm; if the terminal uses a Nagle algorithm, acquiring a time interval between the arrival time points of the adjacent data packets as the second time interval; and if the terminal does not use the Nagle algorithm, acquiring a time interval between the arrival time points of the adjacent return data packets as the second time interval.
Further, when the terminal uses the Nagle algorithm and the time interval between the arrival time points of adjacent data packets is obtained as the second time interval, if the obtained second time interval is not within the estimated time range [IAT_MSS - FR, IAT_MSS + FR], the second time interval is not credible; in that case, the time interval between the arrival time points of the adjacent data packets at the next moment is acquired as the second time interval, and the estimated time range [IAT_MSS - FR, IAT_MSS + FR] is judged again based on the updated second time interval, until the second time interval is credible. Here, IAT_MSS is the maximum time interval between adjacent said transmitted packets. Meanwhile, if the second time interval is greater than the preset time threshold Th, the time interval between the arrival time points of the adjacent data packets at the next time is also acquired as the second time interval.
Further, if the terminal does not use the Nagle algorithm, a time interval between arrival time points of adjacent return data packets is obtained as the second time interval. Specifically, if the terminal does not use the Nagle algorithm, it is determined whether the returned data packet is a SYN/ACK data packet, and if so, an ACK packet from the server and a GET packet from the client are captured, and the second time interval is calculated based on the ACK packet and the GET packet. And if the return data packet is not the SYN/ACK data packet, discarding the return data packet, capturing the return data packet at the next moment and performing the calculation again.
S4: In the session containing the first time interval and the second time interval, acquire the data packet load length and the distribution condition of all the return data packets in the session.
S5: Generate a springboard detection result of the terminal based on the first time interval and the second time interval.
Further, generating the springboard detection result comprises: under the condition that the terminal uses a Nagle algorithm, if the second time interval is different from the first time interval, the terminal is a springboard; under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load length is one-dimensional distribution, the terminal is not a springboard; under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load length is multidimensional distribution, the terminal is a springboard; under the condition that the terminal does not use a Nagle algorithm, if the second time interval is the same as the first time interval, the terminal is not a springboard; and under the condition that the terminal does not use the Nagle algorithm, if the second time interval is different from the first time interval, the terminal is a springboard.
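Steps S2 to S5 above, sketched in Python as an added example (not code from the patent). Assumptions: a rejected N_RTT sample is not fed back into N_ERTT, "the same" means within FR, a "one-dimensional" load-length distribution means a single cluster of lengths, and `th` is supplied by the caller because the threshold formula is not reproduced on the page; all sample timings are constructed.

```python
# Added illustration of steps S2-S5; not code from the patent.
from typing import List, Optional, Sequence

A = 0.875  # smoothing factor a, the value suggested on the page


def credible_rtts(samples: Sequence[float], fr: float, a: float = A) -> List[float]:
    """Keep the N_RTT samples that fall inside [N_ERTT - FR, N_ERTT + FR].

    N_ERTT_1 = N_RTT_1 seeds the estimate. Assumption: a rejected sample is
    not fed back into N_ERTT, so one outlier cannot drag the window.
    """
    if not samples:
        return []
    est = samples[0]
    trusted = [samples[0]]
    for s in samples[1:]:
        if abs(s - est) <= fr:
            trusted.append(s)
            est = a * est + (1 - a) * s  # next N_ERTT from this N_ERTT and N_RTT
    return trusted


def second_interval(nagle: bool, data_arrivals: Sequence[float],
                    return_arrivals: Sequence[float], fr: float,
                    th: float) -> Optional[float]:
    """Pick the second time interval as described in S3.

    Nagle in use: gaps between adjacent data packets, skipping gaps above Th,
    accepting the first gap inside [IAT_MSS - FR, IAT_MSS + FR].
    Nagle not in use: gap between adjacent return packets (simplified here to
    the first such gap; the page derives it from the handshake ACK and GET).
    """
    times = data_arrivals if nagle else return_arrivals
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not nagle:
        return gaps[0] if gaps else None
    gaps = [g for g in gaps if g <= th]
    if not gaps:
        return None
    iat_mss = max(gaps)  # maximum interval between adjacent data packets
    return next(g for g in gaps if abs(g - iat_mss) <= fr)


def one_dimensional(load_lengths: Sequence[int], tol: int = 0) -> bool:
    """Assumed reading of 'one-dimensional distribution': one length cluster."""
    return max(load_lengths) - min(load_lengths) <= tol


def is_springboard(n_rtt: float, second: float, fr: float, nagle: bool,
                   load_lengths: Sequence[int]) -> bool:
    """Decision table of S5. 'Same' is taken as |second - N_RTT| <= FR."""
    if abs(second - n_rtt) > fr:
        return True                      # intervals differ: springboard
    if not nagle:
        return False                     # same, no Nagle: not a springboard
    return not one_dimensional(load_lengths)  # same, Nagle: lengths decide


def detect(session: dict, fr: float = 10.0, th: float = 1000.0) -> Optional[bool]:
    """Run S2-S5 on one session; None means no usable interval was found."""
    trusted = credible_rtts(session["rtt_samples"], fr)
    second = second_interval(session["nagle"], session["data_arrivals"],
                             session["return_arrivals"], fr, th)
    if not trusted or second is None:
        return None
    return is_springboard(trusted[-1], second, fr, session["nagle"],
                          session["load_lengths"])


# Constructed sessions, all times in milliseconds.
DIRECT = {"nagle": True, "rtt_samples": [50.0, 52.0, 400.0, 49.0, 51.0],
          "data_arrivals": [0, 50, 101, 5000, 5051], "return_arrivals": [],
          "load_lengths": [1460, 1460, 1460]}
RELAYED = dict(DIRECT, data_arrivals=[0, 180, 362, 540])
MIXED_LENGTHS = dict(DIRECT, load_lengths=[1460, 512, 64])
NO_NAGLE_DIRECT = dict(DIRECT, nagle=False, return_arrivals=[0, 49])
NO_NAGLE_RELAYED = dict(DIRECT, nagle=False, return_arrivals=[0, 170])

if __name__ == "__main__":
    for name in ("DIRECT", "RELAYED", "MIXED_LENGTHS",
                 "NO_NAGLE_DIRECT", "NO_NAGLE_RELAYED"):
        print(name, "springboard" if detect(globals()[name]) else "not springboard")
```
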
The invention completes the springboard detection in real time by collecting the first time interval and the second time interval in the same session and utilizing the characteristics of the Nagle algorithm and the TCP three-way handshake. Meanwhile, specific results can be distinguished based on the different conditions contained in the Nagle algorithm, the adaptability of the springboard detection method is effectively improved, and the problems of low detection real-time performance and poor adaptability of the traditional springboard detection method are solved.
Correspondingly, as shown in fig. 2, the present invention provides a system for detecting a springboard based on a network loopback time, including: a server: for sending data packets to the terminal; the terminal: the data processing device is used for feeding back a return data packet corresponding to the data packet to the server; a detection unit: and the time interval acquisition module is used for acquiring a first time interval between the arrival time point of the data packet and the arrival time point of the corresponding return data packet, acquiring a second time interval between the arrival time points of the adjacent data packets, or acquiring the second time interval between the arrival time points of the adjacent return data packets, and generating a springboard detection result of the terminal based on the first time interval and the second time interval. The detection unit can be deployed in the springboard detection system in modes of software components, hardware plug-ins, cluster gateways and the like, so that the system has good universality and expandability.
Further, the detection unit includes: a packet information extraction module; the session judging module is used for judging the session to which the data packet and the return data packet belong; a first time interval acquisition module, configured to acquire the first time interval; a second time interval obtaining module, configured to obtain the second time interval; and the judging module is used for generating the springboard detection result.
Furthermore, the first time interval obtaining module generates an estimated time range based on the interval floating value and the estimated time interval by calculating the estimated time interval between the arrival time point of the data packet and the arrival time point of the return data packet corresponding to the arrival time point of the data packet and obtaining an interval floating value, wherein if the obtained first time interval is within the estimated time range, the first time interval is credible; if the acquired first time interval is not in the estimated time range and the first time interval is not credible, acquiring a first time interval between the arrival time point of the data packet at the next adjacent moment and the arrival time point of the return data packet corresponding to the arrival time point of the data packet and judging the estimated time range until the first time interval is credible.
Further, the second time interval obtaining module determines whether the terminal uses a Nagle algorithm, obtains a time interval between arrival time points of the adjacent data packets as the second time interval if the terminal uses the Nagle algorithm, and obtains a time interval between arrival time points of the adjacent return data packets as the second time interval if the terminal does not use the Nagle algorithm.
Further, under the condition that the terminal uses a Nagle algorithm, if the second time interval is different from the first time interval, the judging module generates a springboard detection result that the terminal is a springboard; under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load lengths is one-dimensional distribution, the judging module generates a springboard detection result that the terminal is not a springboard; under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load length is multidimensional distribution, the judging module generates a springboard detection result that the terminal is a springboard; under the condition that the terminal does not use a Nagle algorithm, if the second time interval is the same as the first time interval, the judging module generates a springboard detection result that the terminal is not a springboard; and under the condition that the terminal does not use a Nagle algorithm, if the second time interval is different from the first time interval, the judging module generates a springboard detection result that the terminal is a springboard.
The method and system for detecting a springboard based on network loopback time provided by the embodiment of the invention are described in detail above. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Claims (10)

1. A springboard detection method based on network loopback time is characterized by comprising the following steps:
the method comprises the steps that a server sends a data packet to a terminal, and the terminal feeds back a return data packet corresponding to the data packet to the server;
acquiring a first time interval between the arrival time point of the data packet and the arrival time point of the return data packet corresponding to the arrival time point of the data packet;
acquiring a second time interval between the arrival time points of the adjacent data packets, or acquiring the second time interval between the arrival time points of the adjacent return data packets, wherein the first time interval and the second time interval belong to the same session;
and generating a springboard detection result of the terminal based on the first time interval and the second time interval.
2. The springboard detection method of claim 1, wherein obtaining the first time interval comprises:
calculating the estimated time interval between the arrival time point of the data packet and the arrival time point of the return data packet corresponding to the arrival time point of the data packet;
acquiring an interval floating value, and generating an estimated time range based on the interval floating value and the estimated time interval;
if the acquired first time interval is within the estimated time range, the first time interval is credible;
if the acquired first time interval is not in the estimated time range and the first time interval is not credible, acquiring a first time interval between the arrival time point of the data packet at the next adjacent moment and the arrival time point of the return data packet corresponding to the arrival time point of the data packet and judging the estimated time range until the first time interval is credible.
3. The springboard detection method of claim 2, wherein obtaining the second time interval comprises:
judging whether the terminal uses a Nagle algorithm;
if the terminal uses a Nagle algorithm, acquiring a time interval between the arrival time points of the adjacent data packets as the second time interval;
and if the terminal does not use the Nagle algorithm, acquiring a time interval between the arrival time points of the adjacent return data packets as the second time interval.
4. The springboard detection method according to claim 3, further comprising:
and in the session containing the first time interval and the second time interval, acquiring the packet load lengths of all the return data packets in the session and their distribution.
5. The springboard detection method of claim 4, wherein generating the springboard detection result comprises:
under the condition that the terminal uses a Nagle algorithm, if the second time interval is different from the first time interval, the terminal is a springboard;
under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load length is one-dimensional distribution, the terminal is not a springboard;
under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load length is multidimensional distribution, the terminal is a springboard;
under the condition that the terminal does not use a Nagle algorithm, if the second time interval is the same as the first time interval, the terminal is not a springboard;
and under the condition that the terminal does not use the Nagle algorithm, if the second time interval is different from the first time interval, the terminal is a springboard.
6. A springboard detection system based on network loop-back time is characterized by comprising:
a server: for sending data packets to the terminal;
the terminal: used for feeding back a return data packet corresponding to the data packet to the server;
a detection unit: used for acquiring a first time interval between the arrival time point of the data packet and the arrival time point of the corresponding return data packet, acquiring a second time interval between the arrival time points of the adjacent data packets, or acquiring the second time interval between the arrival time points of the adjacent return data packets, and generating a springboard detection result of the terminal based on the first time interval and the second time interval.
7. The springboard detection system of claim 6, wherein said detection unit comprises:
a packet information extraction module;
a session judging module, configured to judge the session to which the data packet and the return data packet belong;
a first time interval acquisition module, configured to acquire the first time interval;
a second time interval obtaining module, configured to obtain the second time interval;
and the judging module is used for generating the springboard detection result.
8. The springboard detection system of claim 7, wherein said first time interval acquisition module calculates an estimated time interval between said data packet arrival time point and the corresponding return data packet arrival time point, acquires an interval floating value, and generates an estimated time range based on said interval floating value and said estimated time interval, wherein,
if the acquired first time interval is within the estimated time range, the first time interval is credible; if the acquired first time interval is not within the estimated time range, the first time interval is not credible; in that case, the module acquires the first time interval between the arrival time point of the next adjacent data packet and the arrival time point of its corresponding return data packet, and checks it against the estimated time range, until the first time interval is credible.
9. The springboard detection system of claim 8, wherein the second time interval obtaining module determines whether the terminal uses a Nagle algorithm, and if the terminal uses the Nagle algorithm, obtains a time interval between arrival time points of the adjacent data packets as the second time interval, and if the terminal does not use the Nagle algorithm, obtains a time interval between arrival time points of the adjacent return data packets as the second time interval.
10. The springboard detection system of claim 9, wherein in a case that the terminal uses a Nagle algorithm, if the second time interval is different from the first time interval, the judging module generates a springboard detection result that the terminal is a springboard;
under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load lengths is one-dimensional distribution, the judging module generates a springboard detection result that the terminal is not a springboard;
under the condition that the terminal uses a Nagle algorithm, if the second time interval is the same as the first time interval and the distribution condition of the packet load length is multidimensional distribution, the judging module generates a springboard detection result that the terminal is a springboard;
under the condition that the terminal does not use a Nagle algorithm, if the second time interval is the same as the first time interval, the judging module generates a springboard detection result that the terminal is not a springboard;
and under the condition that the terminal does not use a Nagle algorithm, if the second time interval is different from the first time interval, the judging module generates a springboard detection result that the terminal is a springboard.
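
The decision procedure of claims 2 to 5 (mirrored by claims 8 to 10), written out as an added example that is not part of the patent text. Assumptions: timestamps are in milliseconds, "the same" means within a caller-supplied `tolerance`, the second time interval is taken as the median gap, and "multidimensional distribution" is read as more than one distinct return-packet load length; all function names and sample sessions are constructed for illustration.

```python
from statistics import median

def credible_first_interval(pairs, estimate, float_value):
    """Claim 2: first packet-to-return interval inside estimate +/- float_value."""
    for arrived, returned in pairs:
        interval = returned - arrived
        if abs(interval - estimate) <= float_value:
            return interval          # credible sample found
    return None                      # no credible sample in this session

def second_interval(packet_times, return_times, uses_nagle):
    """Claim 3: adjacent data packets under Nagle, adjacent return packets otherwise."""
    times = packet_times if uses_nagle else return_times
    gaps = [b - a for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else None   # using the median is an assumption

def detect(session, estimate, float_value, tolerance):
    """Claim 5 decision table: True (springboard), False, or None (undecided)."""
    pairs = zip(session["packets"], session["returns"])
    first = credible_first_interval(pairs, estimate, float_value)
    second = second_interval(session["packets"], session["returns"],
                             session["nagle"])
    if first is None or second is None:
        return None
    if abs(first - second) > tolerance:      # intervals differ: springboard
        return True
    if not session["nagle"]:                 # intervals match, no Nagle
        return False
    # Intervals match under Nagle: load-length distribution decides.
    # "Multidimensional" is read as >1 distinct length (assumption).
    return len(set(session["return_lengths"])) > 1

# Constructed sessions, timestamps in milliseconds.
DIRECT = {"nagle": True, "packets": [0, 40, 80, 120],
          "returns": [52, 81, 120, 161], "return_lengths": [1, 1, 1, 1]}
RELAYED = {"nagle": True, "packets": [0, 120, 241, 360],
           "returns": [41, 160, 281, 400], "return_lengths": [1, 1, 1, 1]}
MIXED_LENGTHS = dict(DIRECT, return_lengths=[1, 7, 32, 1])
NO_NAGLE = dict(MIXED_LENGTHS, nagle=False)

if __name__ == "__main__":
    for name, s in [("direct", DIRECT), ("relayed", RELAYED),
                    ("mixed lengths", MIXED_LENGTHS), ("no Nagle", NO_NAGLE)]:
        print(name, detect(s, estimate=40, float_value=5, tolerance=5))
```

In the `DIRECT` session the first packet-to-return sample (52 ms) falls outside the estimated range and is skipped, so the credible first interval comes from the second pair.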
CN202111080659.9A 2021-09-15 2021-09-15 Network loopback time-based springboard detection method and system thereof Pending CN113660144A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111080659.9A CN113660144A (en) 2021-09-15 2021-09-15 Network loopback time-based springboard detection method and system thereof

Publications (1)

Publication Number Publication Date
CN113660144A (en) 2021-11-16

Family

ID=78493991

Country Status (1)

Country Link
CN (1) CN113660144A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211116