CN113660666A - Two-way request response detection method for man-in-the-middle attack - Google Patents


Info

Publication number: CN113660666A
Authority: CN (China)
Prior art keywords: request, unit, message, response, man
Legal status: Granted
Application number: CN202110683508.6A
Other languages: Chinese (zh)
Other versions: CN113660666B (en)
Inventors: 王勇, 冯秀楠, 王威
Current assignee: Shanghai Yunjian Information Technology Co ltd; Shanghai University of Electric Power
Original assignee: Shanghai Yunjian Information Technology Co ltd; Shanghai University of Electric Power

Classifications

    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H04W12/088 Access security using filters or firewalls
    • H04W12/106 Packet or message integrity
    • H04W12/108 Source integrity
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L63/126 Applying verification of the received information: the source of the received data
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a two-way request response detection method for man-in-the-middle attack. Messages in a wireless communication environment are parsed by a message analysis tool; if a message parses as a request, it is checked by a request message detection module and the request packet is processed according to the result; if it parses as a response, it is checked by a response message detection module and the ARP cache is processed according to the result. By adding a judgment condition, messages can be discriminated according to the input Hostname and those that do not satisfy it are removed, making network transmission safer; a linear table is also introduced so that stale messages are filtered out automatically according to a time criterion, which greatly improves detection efficiency. The method offers good security, compatibility and extensibility, has little impact on host performance, generates no large volume of network traffic during the interaction, and keeps system and network overhead as low as possible.

Description

Two-way request response detection method for man-in-the-middle attack
Technical Field
The invention relates to the technical field of man-in-the-middle attack detection, in particular to a bidirectional request response detection method of man-in-the-middle attack.
Background
Thanks to its excellent transmission performance and convenient communication, the wireless LAN based on the IEEE 802.11 standard plays an increasingly important role in people's work and daily life. However, wireless LAN data transmission lacks the protection that a cabled transmission medium provides, so it is easily subjected to a variety of malicious attacks. Because of the broadcast nature of wireless LANs, malicious attackers often look for a breach and then launch an attack, which may cause unexpected loss once it succeeds.
In terms of its security mechanism, a wireless LAN pays attention to reliability and confidentiality: transmitted data must reach the target host completely, without loss or tampering, and the target host must be able to decode the information unchanged after receiving it. In recent years, because existing system vulnerabilities are not fixed in time, network man-in-the-middle attack incidents have emerged endlessly, among which ARP spoofing is especially active. ARP spoofing, also known as ARP poisoning, arises mainly because when one end sends out a reply and the other end receives such an ARP reply, the reply's data is entered into the ARP cache list without any check of whether it is authentic. The ARP protocol improves network efficiency, but that efficiency rests on the premise that all hosts in the network trust each other: as a data link layer protocol ARP has no authentication mechanism and is efficient and stateless, so a host neither checks whether it actually sent an ARP request nor verifies the identity of the responder. This statelessness means that any host can forge response packets and respond even when no ARP request was received, and the local ARP cache is continually updated as forged messages are sent, which undoubtedly gives network viruses and hackers an opportunity.
At present the principles of ARP spoofing attack have been researched sufficiently at home and abroad, but the defensive results against ARP spoofing are not ideal. The traditional defense is an ARP firewall. Although it can protect a host's security to a certain extent, it relies on active defense: with an ARP firewall in place, correct packets must be continuously transmitted outward, which increases the burden on the network and limits the speed of the active defense, so the defense fails once an attacker's speed exceeds that of the ARP firewall. An ARP server is another common means: among all hosts, one is specially appointed to act as the ARP server and answer the ARP requests of the rest, but this relation is not unique and the other hosts can still receive ARP responses from other servers. Binding ports to MAC addresses on a switch or host, and adding a static ARP cache entry on each host against which the IP and MAC address of each packet are compared, can likewise mitigate ARP attacks by comparing every packet on the same principle; the advantage of this method is that it narrows the scope of an ARP spoofing attack, while its defects are that it is not flexible enough and cannot prevent the gateway itself from being attacked by hackers.
Therefore, each traditional prevention means has advantages and disadvantages; no single one can thoroughly prevent man-in-the-middle attack, and several methods must be combined according to actual needs so that each plays its part, which in turn burdens technicians and wastes resources. Many attempts have been made at man-in-the-middle attack detection: detection can be realized on a single machine with a method based on ARP cache timeout, but its flexibility is not high, and the widely popular research on SDN protection against man-in-the-middle attack focuses on separating the control interface from the data interface, but it is hard to fully solve the problem of limited experimental sampling points.
Disclosure of Invention
This section is for the purpose of summarizing some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. In this section, as well as in the abstract and the title of the invention of this application, simplifications or omissions may be made to avoid obscuring the purpose of the section, the abstract and the title, and such simplifications or omissions are not intended to limit the scope of the invention.
The present invention has been made in view of the above-mentioned conventional problems.
Therefore, the invention provides a two-way request response detection method for man-in-the-middle attack, which addresses the three means of man-in-the-middle attack and achieves the purpose of defense.
In order to solve the technical problems, the invention provides the following technical scheme: messages in a wireless communication environment are parsed by a message analysis tool; if a message parses as a request, it is checked by a request message detection module and the request packet is processed according to the detection result; if it parses as a response, it is checked by a response message detection module and the ARP cache is processed according to the detection result.
As a preferred scheme of the bidirectional request-response detection method for man-in-the-middle attack described in the present invention, wherein: the request message detection module comprises a message request receiving unit, a judging unit, a reply request unit, a call sending request unit, an add target IP unit, a sending request unit and a Request linear table.
As a preferred scheme of the bidirectional request-response detection method for man-in-the-middle attack described in the present invention, wherein: detecting the request message comprises receiving the request packet through the message request receiving unit and then comparing the target IP address with the local IP address through the judging unit; the reply request unit notifies the comparison result to the call sending request unit, which calls the sending request unit to perform the request sending operation according to that result; and when the request is sent out, the add target IP unit stores the parsed target IP in the Request linear table.
As a preferred scheme of the bidirectional request-response detection method for man-in-the-middle attack described in the present invention, wherein: the comparison comprises: if the target IP address is the same as the local IP address, the reply request unit responds to the request packet and calls the sending request unit to perform the request sending operation; otherwise, the request packet is judged to be a forged message request, discarded, and reported as a man-in-the-middle attack.
As a preferred scheme of the bidirectional request-response detection method for man-in-the-middle attack described in the present invention, wherein: the method further comprises storing, in the Request linear table, the IP address and MAC address of each request packet received or sent by the local computer; and the Request linear table filters and deletes entries that have not been updated for a long time according to a time criterion.
As a preferred scheme of the bidirectional request-response detection method for man-in-the-middle attack described in the present invention, wherein: the response message detection module comprises a Respond linear table, a receiving response unit, a source IP storage unit, an IP-MAC mapping adding unit, a MAC address distinguishing unit and an ARP cache updating unit.
As a preferred scheme of the bidirectional request-response detection method for man-in-the-middle attack described in the present invention, wherein: processing the ARP cache comprises: when a response packet is received, the receiving response unit stores its source IP in the Respond linear table through the source IP storage unit; if the Respond linear table already holds an entry with the same source IP address, the MAC address distinguishing unit compares whether the source MAC address is the same as the MAC address of that entry, and if not, the response packet is judged to be forged and to carry the threat of man-in-the-middle attack; otherwise the ARP cache is updated through the ARP cache updating unit; the IP-MAC mapping adding unit then adds the IP-MAC mapping to the Respond linear table, the corresponding entry in the Respond linear table is deleted, and the ARP cache is updated through the ARP cache updating unit.
As a preferred scheme of the bidirectional request-response detection method for man-in-the-middle attack described in the present invention, wherein: the Respond linear table automatically filters and deletes entries that have not been updated for a long time according to a time criterion.
The invention has the following beneficial effects: it breaks through the inflexibility of traditional man-in-the-middle defense and can guarantee the authenticity and integrity of data packets even as the attack strength gradually increases over time; by adding a judgment condition, messages can be judged according to the input Hostname and those that do not satisfy it are removed, making network transmission safer; the introduction of the linear table brings the advantage of real-time updating and lets messages be filtered and deleted automatically according to the time criterion, greatly improving detection efficiency; the method has good security, compatibility and extensibility, has little impact on host performance, generates no large volume of network traffic during the interaction, and keeps system and network overhead as low as possible.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise. Wherein:
fig. 1 is a schematic diagram illustrating a working principle of a request message detection module 100 of a bidirectional request-response detection method for man-in-the-middle attack according to a first embodiment of the present invention;
fig. 2 is a schematic diagram illustrating an operation principle of a response packet detection module 200 of a bidirectional request response detection method for man-in-the-middle attack according to a first embodiment of the present invention;
fig. 3 is a schematic diagram of the overall structure of the request message detection module 100 and the response message detection module 200 of the bidirectional request-response detection method for man-in-the-middle attack according to the first embodiment of the present invention;
fig. 4 is a schematic diagram of an experimental network structure topology of a bidirectional request-response detection method for man-in-the-middle attack according to a second embodiment of the present invention;
fig. 5 is a schematic diagram illustrating successful avoidance of ARP spoofing in a bidirectional request-reply detection method of man-in-the-middle attack according to a second embodiment of the present invention;
FIG. 6 is a schematic diagram illustrating static defense failure of a two-way request-response detection method for man-in-the-middle attack according to a second embodiment of the present invention;
fig. 7 is a schematic diagram illustrating ARP cache recovery of a bidirectional request-response detection method for man-in-the-middle attack according to a second embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, specific embodiments accompanied with figures are described in detail below, and it is apparent that the described embodiments are a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making creative efforts based on the embodiments of the present invention, shall fall within the protection scope of the present invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways than those specifically described and will be readily apparent to those of ordinary skill in the art without departing from the spirit of the present invention, and therefore the present invention is not limited to the specific embodiments disclosed below.
Furthermore, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
The present invention will be described in detail with reference to the drawings, wherein the cross-sectional views illustrating the structure of the device are not enlarged partially in general scale for convenience of illustration, and the drawings are only exemplary and should not be construed as limiting the scope of the present invention. In addition, the three-dimensional dimensions of length, width and depth should be included in the actual fabrication.
Meanwhile, in the description of the present invention, it should be noted that the terms "upper, lower, inner and outer" and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of describing the present invention and simplifying the description, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed in a specific orientation and operate, and thus, cannot be construed as limiting the present invention. Furthermore, the terms first, second, or third are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The terms "mounted, connected and connected" in the present invention are to be understood broadly, unless otherwise explicitly specified or limited, for example: can be fixedly connected, detachably connected or integrally connected; they may be mechanically, electrically, or directly connected, or indirectly connected through intervening media, or may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Example 1
In an established normal communication, a man-in-the-middle attack causes the ARP cache list to change: the MAC address corresponding to a host IP is changed from the real physical address it had before the attack to the attacker's MAC address. The attacking machine usually achieves this malicious tampering of the target host by one of three means:
(1) On receiving the attacker's ARP request, the target host finds that the target IP requested by the message is its own. The attacker's forged request thus tricks the target host into responding to the request message and updating its ARP cache with the attacker's entry, so the man-in-the-middle attack succeeds.
(2) Without the target host having sent any ARP request to the attacker, the attacker forges a false message and sends it to the target host; after receiving the false message the host updates its ARP table according to the false IP-MAC mapping, so the man-in-the-middle attack succeeds.
(3) The target host broadcasts an ARP request for a MAC address; the attack mode in which the attacker sends a false message after that broadcast can also realize a man-in-the-middle attack, thereby updating the target host's ARP cache.
From this analysis of man-in-the-middle attack, the target host will update its ARP cache whether it first receives a request message or later receives a delayed response message sent by the attacker.
The method specifically comprises the following steps:
S1: parse the malicious message in the wireless communication environment with a message analysis tool.
The message comes from a wireless communication network environment; the man-in-the-middle attack is carried out under the condition of normal communication, and the malicious message is obtained from it.
S2: if the message parses as a request message, it is detected by the request message detection module 100 and the request packet is processed according to the detection result.
The request message detection module 100 comprises a message request receiving unit 101, a judging unit 102, a reply request unit 103, a call sending request unit 104, an add target IP unit 105, a sending request unit 106 and a Request linear table 107. The message request receiving unit 101 receives the request packet; the judging unit 102 compares the target IP address with the local IP address; the reply request unit 103 notifies the comparison result to the call sending request unit 104; the call sending request unit 104 controls the sending request unit 106; the add target IP unit 105 adds the parsed target IP to the Request linear table 107; the sending request unit 106 sends the request; and the Request linear table 107 stores the IP address and MAC address of each request packet received or sent by the local computer and automatically filters out messages that do not meet the requirement.
The detection method comprises the following specific steps:
(1) The message request receiving unit 101 receives a request packet, and the judging unit 102 compares the target IP address with the local IP address;
if the target IP address is the same as the local IP address, go to step (2);
otherwise, the request packet is judged to be a forged message request, discarded, and reported as a man-in-the-middle attack.
(2) The reply request unit 103 notifies the comparison result to the call sending request unit 104, and the call sending request unit 104 calls the sending request unit 106 to perform the request sending operation according to the comparison result;
(3) When a request is issued, the add target IP unit 105 puts the resolved target IP in the Request linear table 107.
The Request linear table 107 is further configured to store the IP address and MAC address of each request packet received or sent by the local computer;
(4) The Request linear table 107 filters and deletes entries that have not been updated for a long time according to a time criterion, which improves detection efficiency.
S3: if the message parses as a response message, it is detected by the response message detection module 200 and the ARP cache is processed according to the detection result.
The response message detection module 200 comprises a Respond linear table 201, a receiving response unit 202, a source IP storage unit 203, an IP-MAC mapping adding unit 204, a MAC address distinguishing unit 205 and an ARP cache updating unit 206. The Respond linear table 201 stores the source IP and the IP-MAC mapping and automatically filters and deletes messages that do not meet the requirement; the receiving response unit 202 receives the response packet; the source IP storage unit 203 stores the source IP in the Respond linear table 201; the IP-MAC mapping adding unit 204 adds the IP-MAC mapping to the Respond linear table 201; the MAC address distinguishing unit 205 checks whether the source MAC address is consistent with the MAC address of the corresponding entry; and the ARP cache updating unit 206 updates the ARP cache.
The steps of the response message detection module 200 are as follows:
(1) When a response packet is received, the receiving response unit 202 stores its source IP in the Respond linear table 201 through the source IP storage unit 203;
(2) if the Respond linear table 201 already holds an entry with the same source IP address, the MAC address distinguishing unit 205 compares whether the source MAC address is the same as the MAC address of that entry;
if not, the response packet is judged to be a forged response packet carrying the threat of man-in-the-middle attack; otherwise, the ARP cache is updated by the ARP cache updating unit 206;
(3) The IP-MAC mapping adding unit 204 adds the IP-MAC mapping to the Respond linear table 201, the corresponding entry in the Respond linear table 201 is deleted, and the ARP cache is updated by the ARP cache updating unit 206.
Preferably, the Respond linear table 201 can automatically filter and delete entries that have not been updated for a long time according to the time criterion, which improves detection efficiency. In addition, realizing both the request message detection part and the response message detection part makes up for the 'disorder' and 'statelessness' of the ARP protocol: it sets corresponding rules for the detection of ARP protocol messages, deletes unsolicited responses and unauthenticated messages, and reports to the user that a man-in-the-middle attack is occurring.
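The following Python is an added example, not code from the patent: it models the request module (S2) and response module (S3) above as one stateful inspector over constructed ARP frames, with the two time-expiring linear tables and the ARP cache that only the accepted path may update. The host and attacker addresses are those of Table 1; the gateway address 192.168.1.1 and its MAC are assumed.

```python
"""Stateful ARP request/reply inspector modelled on the two-table scheme of S2/S3."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    """Fields of a parsed ARP frame, as handed over by the message analysis tool."""
    opcode: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


class ArpInspector:
    """Request module (100) and response module (200) sharing two timed linear tables."""

    def __init__(self, local_ip: str, local_mac: str, ttl: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.local_ip, self.local_mac, self.ttl, self.clock = local_ip, local_mac, ttl, clock
        self.request_table: Dict[str, float] = {}              # table 107: target IP -> time we asked
        self.respond_table: Dict[str, Tuple[str, float]] = {}  # table 201: source IP -> (MAC, last seen)
        self.arp_cache: Dict[str, str] = {}                    # the ARP cache the method protects
        self.alerts: List[str] = []

    def _expire(self) -> None:
        """Time criterion (steps (4)/'preferably'): drop entries not refreshed within ttl."""
        now = self.clock()
        self.request_table = {ip: t for ip, t in self.request_table.items() if now - t <= self.ttl}
        self.respond_table = {ip: e for ip, e in self.respond_table.items() if now - e[1] <= self.ttl}

    def send_request(self, target_ip: str) -> None:
        """Sending request unit 106 plus add target IP unit 105: remember whom we asked."""
        self.request_table[target_ip] = self.clock()

    def inspect(self, pkt: ArpPacket) -> str:
        """Dispatch a parsed frame to the request or response module; returns a verdict."""
        self._expire()
        if pkt.opcode == ARP_REQUEST:
            return self._handle_request(pkt)
        if pkt.opcode == ARP_REPLY:
            return self._handle_reply(pkt)
        self.alerts.append(f"unknown ARP opcode {pkt.opcode}")
        return "DROP"

    def _handle_request(self, pkt: ArpPacket) -> str:
        # Judging unit 102: a request whose target IP is not our own address is treated as forged.
        if pkt.target_ip != self.local_ip:
            self.alerts.append(f"forged request for {pkt.target_ip} from {pkt.sender_mac}: MITM suspected")
            return "DROP"
        # Reply request unit 103 answers; unit 104 then has unit 106 send our own request
        # toward the sender, whose IP goes into table 107 so that its reply is expected.
        self.send_request(pkt.sender_ip)
        return "REPLY"

    def _handle_reply(self, pkt: ArpPacket) -> str:
        ip, mac = pkt.sender_ip, pkt.sender_mac
        # MAC address distinguishing unit 205: an existing entry for this IP must carry the same MAC.
        known = self.respond_table.get(ip)
        if known is not None and known[0] != mac:
            self.alerts.append(f"forged reply: {ip} was {known[0]}, now claims {mac}: MITM suspected")
            return "DROP"
        # A reply with no outstanding request in table 107 is unsolicited and is deleted, never cached.
        if ip not in self.request_table:
            self.alerts.append(f"unsolicited reply for {ip} from {mac}")
            return "DROP"
        # Units 204/206: record the IP-MAC mapping and only now touch the ARP cache.
        self.respond_table[ip] = (mac, self.clock())
        self.arp_cache[ip] = mac
        return "ACCEPT"


def run_demo() -> Tuple[List[str], "ArpInspector"]:
    """Constructed scenario: host and attacker from Table 1; gateway IP/MAC are assumed."""
    now = [1000.0]                                   # fake clock so expiry is deterministic
    insp = ArpInspector("192.168.1.2", "AC-B5-7D-E3-66-01", ttl=60.0, clock=lambda: now[0])
    attacker_mac = "00-0C-29-B8-32-A9"
    gateway_mac = "00-11-22-33-44-55"                # constructed, not from the page
    me = insp.local_mac
    verdicts: List[str] = []
    insp.send_request("192.168.1.1")                 # host resolves its (assumed) gateway
    verdicts.append(insp.inspect(ArpPacket(ARP_REPLY, "192.168.1.1", gateway_mac, "192.168.1.2", me)))   # genuine reply
    verdicts.append(insp.inspect(ArpPacket(ARP_REPLY, "192.168.1.1", attacker_mac, "192.168.1.2", me)))  # means (3): conflicting MAC
    verdicts.append(insp.inspect(ArpPacket(ARP_REPLY, "192.168.1.7", attacker_mac, "192.168.1.2", me)))  # means (2): unsolicited reply
    verdicts.append(insp.inspect(ArpPacket(ARP_REQUEST, "192.168.1.3", attacker_mac, "192.168.1.9", "00-00-00-00-00-00")))  # not for us
    verdicts.append(insp.inspect(ArpPacket(ARP_REQUEST, "192.168.1.1", gateway_mac, "192.168.1.2", "00-00-00-00-00-00")))   # legitimate
    now[0] += 120.0                                  # both tables age out under the time criterion
    verdicts.append(insp.inspect(ArpPacket(ARP_REPLY, "192.168.1.1", gateway_mac, "192.168.1.2", me)))   # stale: unsolicited again
    return verdicts, insp
```

Only the first, solicited reply reaches the ARP cache; the conflicting and unsolicited replies and the misdirected request each raise an alert instead.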
Example 2
In order to verify and explain the technical effects of the method, this embodiment compares the traditional technical scheme with the method by means of a comparison test and verifies the real effect of the method by comparing the test results.
The flexibility of the traditional scheme is poor, and the traditional defense fails as the man-in-the-middle's attack strength increases. To verify that the method is more flexible than the traditional one and can cope with high-strength ARP attacks, a real wireless communication experimental environment is set up in this embodiment, and ARP defense during wireless communication is tested and compared using the traditional ARP firewall setting plus static binding on the one hand and the method on the other.
To verify the effectiveness of the method, the defense algorithm is executed and the driftnet sniffing tool is used again to sniff; at this point its interface no longer shows any communication information. The test is repeated until the defense effect is stable, which proves that the method can resist man-in-the-middle attacks, and the effectiveness verification succeeds.
The steps of the defense algorithm are as follows:
(1) First, the environment is configured;
the cross-compilation environment (arm-linux-gcc) and the build-essential packages are configured under Ubuntu, and the test is carried out with Ubuntu as the attacking machine and Windows 10 as the target machine.
(2) The number of packets is customized: a large number of forged packets are sent to the target machine to reduce the host's response speed, and then a man-in-the-middle attack program is executed to perform ARP spoofing.
(3) After the man-in-the-middle attack program has been executed, information sniffing is carried out on Ubuntu with the driftnet sniffing tool; at this point the target machine mistakenly regards the attacking machine as the gateway, and the attacker steals the corresponding user-defined parameters with the attacking machine's sniffing tool, so the communication information is completely exposed to the attacker and bidirectional spoofing is achieved.
The comparison results are shown in Table 1 and FIGS. 4 to 7. As shown in FIG. 4, in the wireless communication experimental environment of this embodiment, a Siemens frequency converter is connected to a variable-frequency motor through a wireless module; to implement normal communication, the wireless module, the client and the attacker are configured in one local area network so that they can interconnect and intercommunicate.
Table 1: ARP attack result.

| Configuration item | Before attack | After attack |
| --- | --- | --- |
| Attacker IP | 192.168.1.3 | 192.168.1.3 |
| Attacker MAC | 00-0C-29-B8-32-A9 | 00-0C-29-B8-32-A9 |
| Host IP | 192.168.1.2 | 192.168.1.2 |
| Host MAC | AC-B5-7D-E3-66-01 | 00-0C-29-B8-32-A9 |
As shown in Table 1, when an ARP attack is carried out during wireless communication in the experimental environment, the ARP cache list is updated: the MAC address corresponding to the gateway IP changes from the gateway's real physical address before the attack to the attacker's MAC address, which is the spoofing achieved by the man-in-the-middle attack.
As shown in FIG. 5, when ARP defense is performed with the prior-art ARP firewall setting and static binding method, the man-machine interaction interface recovers from the stuck state to normal and the ARP list is restored, which indicates that the ARP attack defense succeeded.
As shown in FIG. 6, user-defined ARP attack packets are then added: 10 packets are sent every second and the rate is gradually increased. As the attack strength increases, the defense speed of the conventional firewall falls below the ARP attack speed; the static binding is then changed from static to dynamic, and the conventional defense algorithm fails.
It can be seen that the traditional defense method cannot cope with a high-strength ARP attack. With the attack strength kept unchanged, the method is executed and sniffing with the driftnet tool is attempted again; now the attacker can no longer obtain the sensitive information of the variable-frequency motor, and checking the ARP cache shows the ARP list restored, as shown in FIG. 7.
It should be recognized that embodiments of the present invention can be realized and implemented by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer-readable storage medium configured with the computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, according to the methods and figures described in the detailed description. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Further, the operations of processes described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes described herein (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) collectively executed on one or more processors, by hardware, or combinations thereof. The computer program includes a plurality of instructions executable by one or more processors.
Further, the method may be implemented in any type of computing platform operatively connected to a suitable interface, including but not limited to a personal computer, mini computer, mainframe, workstation, networked or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and the like. Aspects of the invention may be embodied in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optically read and/or write storage medium, RAM, ROM, or the like, such that it may be read by a programmable computer, which when read by the storage medium or device, is operative to configure and operate the computer to perform the procedures described herein. Further, the machine-readable code, or portions thereof, may be transmitted over a wired or wireless network. The invention described herein includes these and other different types of non-transitory computer-readable storage media when such media include instructions or programs that implement the steps described above in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described herein. A computer program can be applied to input data to perform the functions described herein to transform the input data to generate output data that is stored to non-volatile memory. The output information may also be applied to one or more output devices, such as a display. In a preferred embodiment of the invention, the transformed data represents physical and tangible objects, including particular visual depictions of physical and tangible objects produced on a display.
As used in this application, the terms "component," "module," "system," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, a component may be, but is not limited to being: a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of example, both an application running on a computing device and the computing device can be a component. One or more components can reside within a process and/or thread of execution and a component can be localized on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer readable media having various data structures thereon. The components may communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the internet with other systems by way of the signal).
It should be noted that the above-mentioned embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered by the claims of the present invention.

Claims (8)

1. A two-way request response detection method for man-in-the-middle attack, characterized in that it comprises the steps of:
analyzing the malicious message in the wireless communication environment by a message analysis tool;
if the analysis result of the message is a request message, detecting it through a request message detection module (100) and processing the request packet according to the detection result;
if the analysis result of the message is a response message, detecting it through a response message detection module (200) and processing the ARP buffer area according to the detection result.
2. The two-way request response detection method for man-in-the-middle attack recited in claim 1, characterized in that: the request message detection module (100) comprises a message request receiving unit (101), a judging unit (102), a reply request unit (103), a call sending request unit (104), an add target IP unit (105), a sending request unit (106) and a Request linear request table (107).
3. The two-way request response detection method for man-in-the-middle attack recited in claim 1, characterized in that: detecting the request message comprises,
receiving the request packet through the message request receiving unit (101), and then comparing the target IP address with the local IP address through the judging unit (102);
notifying the comparison result to the call sending request unit (104) through the reply request unit (103), wherein the call sending request unit (104) calls the sending request unit (106) to carry out the request sending operation according to the comparison result;
when the request is sent, the resolved target IP is stored in the Request linear request table (107) by the add target IP unit (105).
4. The two-way request response detection method for man-in-the-middle attack recited in claim 1, characterized in that: the comparison comprises the steps of,
if the target IP address is the same as the local IP address, responding to the request packet through the reply request unit (103) and calling the sending request unit (106) to carry out the request sending operation;
otherwise, the request packet is judged to be a forged message request, the forged message request is discarded, and it is reported that a man-in-the-middle attack has occurred.
5. The two-way request response detection method for man-in-the-middle attack recited in claim 1, characterized in that it further comprises the steps of:
storing the IP address and the MAC address in a request packet received or sent by the local machine in the Request linear request table (107);
and the Request linear request table (107) filters and deletes entries in the linear table that have not been updated for a long time according to a time criterion.
6. The two-way request response detection method for man-in-the-middle attack recited in claim 1, characterized in that: the response message detection module (200) comprises a Respond linear response table (201), a receiving response unit (202), a source IP storage unit (203), an IP-MAC mapping adding unit (204), a MAC address distinguishing unit (205) and an ARP buffer area updating unit (206).
7. The two-way request response detection method for man-in-the-middle attack recited in claim 1, characterized in that: the processing of the ARP buffer area comprises,
when the receiving response unit (202) receives a response packet, the source IP storage unit (203) stores the source IP in the Respond linear response table (201);
if response packets have the same source IP address, comparing through the MAC address distinguishing unit (205) whether the source MAC address is the same as the MAC address of the corresponding entry; if not, the response packet is judged to be a forged response packet posing a man-in-the-middle attack threat; otherwise, the ARP buffer area is updated by the ARP buffer area updating unit (206);
and then the IP-MAC mapping is added to the Respond linear response table (201) by the IP-MAC mapping adding unit (204), the corresponding entries in the Respond linear response table (201) are deleted, and the ARP buffer area is updated through the ARP buffer area updating unit (206).
8. The two-way request response detection method for man-in-the-middle attack recited in claim 1, characterized in that it further comprises the step of:
the Respond linear response table (201) automatically filters and deletes entries in the linear table that have not been updated for a long time according to a time criterion.
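The two detection paths of claims 1 to 8, written out as an added Python example (this is not the patent's or the applicants' code). Unit names follow the claims; the message structure, the local address LOCAL_IP, the ageing threshold TABLE_TTL and the replayed scenario (built from the addresses in Table 1) are assumptions constructed for the demonstration, and the table-update order of claim 7 is reduced to a single IP-to-MAC record per source IP.

```python
"""Two-way ARP request/response detector modelled on claims 1-8 (added example, not the patent's code).
Unit names follow the claims; the message structure, LOCAL_IP, TABLE_TTL and the
replayed addresses (from Table 1) are constructed for this demonstration."""
import time
from dataclasses import dataclass, field

LOCAL_IP = "192.168.1.5"   # assumed address of the protected host
TABLE_TTL = 60.0           # assumed "time criterion": seconds before an idle entry is dropped

@dataclass
class ArpMsg:
    op: str       # "request" or "reply"
    src_ip: str
    src_mac: str
    dst_ip: str

@dataclass
class Detector:
    arp_cache: dict = field(default_factory=dict)   # ARP buffer area: ip -> mac
    req_table: dict = field(default_factory=dict)   # table 107: ip -> last update time
    resp_table: dict = field(default_factory=dict)  # table 201: ip -> (mac, last update time)
    alerts: list = field(default_factory=list)

    def age_out(self, now):
        """Claims 5 and 8: delete entries not updated within TABLE_TTL."""
        self.req_table = {ip: t for ip, t in self.req_table.items() if now - t <= TABLE_TTL}
        self.resp_table = {ip: e for ip, e in self.resp_table.items() if now - e[1] <= TABLE_TTL}

    def handle(self, msg, now=None):
        """Claim 1: dispatch a parsed message to the request or the response path."""
        now = time.time() if now is None else now
        self.age_out(now)
        return self._request(msg, now) if msg.op == "request" else self._reply(msg, now)

    def _request(self, msg, now):
        """Claims 3-4: answer only requests whose target IP is the local IP; drop and report the rest."""
        if msg.dst_ip != LOCAL_IP:
            self.alerts.append(f"forged request from {msg.src_ip} ({msg.src_mac}) for {msg.dst_ip}")
            return "dropped"
        self.req_table[msg.src_ip] = now   # add target IP unit (105)
        return "replied"

    def _reply(self, msg, now):
        """Claim 7: a reply whose source IP is already in table 201 must carry the recorded MAC."""
        known = self.resp_table.get(msg.src_ip)
        if known is not None and known[0] != msg.src_mac:
            self.alerts.append(f"forged reply: {msg.src_ip} was {known[0]}, now {msg.src_mac}")
            return "forged"
        self.resp_table[msg.src_ip] = (msg.src_mac, now)   # IP-MAC mapping adding unit (204)
        self.arp_cache[msg.src_ip] = msg.src_mac           # ARP buffer area updating unit (206)
        return "accepted"

def run_table1_scenario():
    """Replay Table 1: a genuine reply from the host, then the attacker's reply claiming the same IP."""
    d = Detector()
    genuine = ArpMsg("reply", "192.168.1.2", "AC-B5-7D-E3-66-01", LOCAL_IP)
    spoofed = ArpMsg("reply", "192.168.1.2", "00-0C-29-B8-32-A9", LOCAL_IP)
    results = [d.handle(genuine, now=0.0), d.handle(spoofed, now=1.0)]
    return results, dict(d.arp_cache), list(d.alerts)
```

Once an entry has aged out of the tables, the next reply for that IP is accepted unchallenged, so TABLE_TTL should exceed the longest expected gap between legitimate replies; on a real segment, broadcast requests for other hosts are normal traffic, so the request-side rule of claim 4 must be scoped carefully or it will flag them.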
CN202110683508.6A 2021-06-21 2021-06-21 Bidirectional request response detection method for man-in-the-middle attack Active CN113660666B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110683508.6A CN113660666B (en) 2021-06-21 2021-06-21 Bidirectional request response detection method for man-in-the-middle attack


Publications (2)

Publication Number Publication Date
CN113660666A true CN113660666A (en) 2021-11-16
CN113660666B CN113660666B (en) 2023-12-22


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143248A (en) * 2011-02-28 2011-08-03 华为数字技术有限公司 Method and device for detecting IP (Internet Protocol) address conflict
CN105939332A (en) * 2016-03-03 2016-09-14 杭州迪普科技有限公司 Method and device for preventing ARP attack message
CN107689963A (en) * 2017-09-26 2018-02-13 杭州迪普科技股份有限公司 A kind of detection method and device for arp reply message aggression
CN109428862A (en) * 2017-08-29 2019-03-05 武汉安天信息技术有限责任公司 A kind of method and apparatus detecting ARP attack in local area network
CN109981603A (en) * 2019-03-07 2019-07-05 北京华安普特网络科技有限公司 ARP Attack monitoring system and method



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant