CN113660667A - Method and system for rapidly monitoring illegal hijacking for operator network - Google Patents


Info

Publication number: CN113660667A
Authority: CN (China)
Prior art keywords: illegal, hijacking, data, port, message
Legal status: Granted; currently Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202111206738.XA
Other languages: Chinese (zh)
Other versions: CN113660667B
Inventor: 傅宇
Current assignee: Sichuan Floating Boat Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Sichuan Floating Boat Technology Co ltd
Application filed by Sichuan Floating Boat Technology Co ltd; priority to CN202111206738.XA; publication of CN113660667A; application granted; publication of CN113660667B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method and a system for rapidly monitoring illegal hijacking in an operator network relate to the field of network data information security. The monitoring method comprises screening out the ports on which uRPF (unicast reverse path forwarding) is not enabled; optically tapping the traffic of those ports and filtering, out of the mirrored packet data, the packets that carry HTTP 200, 301 or 302 status codes; and analysing the source IP address of those packets. If the source address matches the local operator's IP address library, the packet is judged to be normal; if it cannot be matched, the packet is judged to be an illegal hijack. The monitoring system executes the monitoring method. The method is simple and convenient, executes efficiently, and can rapidly and accurately pinpoint illegal hijacking.

Description

Method and system for rapidly monitoring illegal hijacking for operator network
Technical Field
The invention relates to the field of network data information security, and in particular to a method and a system for rapidly monitoring illegal hijacking in an operator network.
Background
In recent years, government departments such as the Ministry of Industry and Information Technology and the Ministry of Public Security have paid increasing attention to illegal hijacking in the networks of the various operators, and illegal hijacking incidents involving operators are frequently reported in the media. This seriously damages the image of the telecom operating enterprise, reduces users' trust in it, and harms the interests of both the operator and its users.
In view of this, the present application is specifically made.
Disclosure of Invention
The first objective of the present invention is to provide a method for rapidly monitoring illegal hijacking in an operator network that is simple and convenient, executes efficiently, can rapidly and accurately pinpoint illegal hijacking, and solves the problems that illegal hijacking in an operator network cannot be actively monitored in time and that its source is difficult to locate and investigate.
The second objective of the present invention is to provide a system for rapidly monitoring illegal hijacking in an operator network with the same properties: it is simple and convenient, executes efficiently, can rapidly and accurately pinpoint illegal hijacking, and solves the same problems of untimely monitoring and difficult source location.
The embodiment of the invention is realized by the following steps:
A method for rapidly monitoring illegal hijacking in an operator network, comprising:
checking and acquiring the configuration information of the hardware systems in the operator network, and screening out the ports on which uRPF (unicast reverse path forwarding) is not enabled;
optically tapping the traffic of the ports without uRPF to obtain mirrored packet data, and filtering out of the mirrored packet data the packets that carry HTTP 200, 301 or 302 status codes;
analysing the source IP address of the packets carrying HTTP 200, 301 or 302 status codes. If the source address matches the local operator's IP address library, the packet is judged to be normal; if it cannot be matched, the packet is judged to be an illegal hijack.
Further, the method further comprises: if a packet is judged to be an illegal hijack, generating an alarm for the illegal hijacking event, the alarm containing the content of the hijacked packet, the name of the source device on which the hijack occurred, and the source port.
Further, the method further comprises: setting a service whitelist, and judging the packet to be normal if the analysis result matches the service whitelist.
Further, the method further comprises: obtaining, from the historical analysis results, the occurrence of illegal hijacking on each port and recording how the frequency of illegal hijacking on each port changes; and predicting the illegal hijacking risk of each port from that occurrence and that change in frequency.
Further, the method further comprises: securing in advance the ports that the prediction shows to be at risk of illegal hijacking, and/or suspending transmission on those ports.
Further, the method further comprises: establishing a machine learning model, comparing the predicted illegal hijacking risk with the hijacking that actually occurred, and training on that comparison to optimise the risk prediction model.
Further, the method further comprises: selecting, from the occurrence of illegal hijacking on each port and the change in its frequency, several ports with the lowest rate of illegal hijacking, and carrying out a security test on them.
The security test comprises: setting up a virtual user, sending a test request through the selected port from the virtual user, and checking whether the feedback received by the virtual user matches the test request that was sent. If they match, the port is judged safe; if not, unsafe. If the port is judged safe, data is transmitted through it.
Furthermore, data is transmitted at intervals and the security test is likewise repeated at intervals, so that data transmission and security testing alternate. If two consecutive security tests both judge the port safe, the data transmitted between those two tests is judged to have been transmitted safely. If the two consecutive tests are not both safe, the port is judged unsafe and its data transmission is terminated.
Further, the security test further comprises: if the result is unsafe, sending a verification feedback message to the virtual user through the port, and checking whether the verification feedback that was sent matches the message the virtual user receives. If they match, the risk is graded as general; if not, as high.
The verification feedback message is the feedback that matches the preceding test request.
A system for rapidly monitoring illegal hijacking in an operator network, comprising:
a security screening module, which checks and acquires the configuration information of the router and switch systems in the operator network and screens out the ports on which uRPF is not enabled;
a data analysis module, which optically taps the traffic of the ports without uRPF to obtain mirrored packet data and filters out of it the packets carrying HTTP 200, 301 or 302 status codes;
a security analysis module, which analyses the source IP address of the packets carrying HTTP 200, 301 or 302 status codes, judges the packet normal if the source address matches the local operator's IP address library, and judges it an illegal hijack if it cannot be matched.
The embodiment of the invention has the following beneficial effects:
The method provided by the embodiment screens out, after confirming the configuration of the hardware systems in the operator network, the ports on which uRPF is not enabled; filters, on those ports, the packets carrying HTTP 200, 301 or 302 status codes; and checks whether the source IP addresses of those packets match the local operator's IP address library. The security of a packet is thus verified against three characteristics, and illegally hijacked packets can be located simply, rapidly and accurately.
From the located hijacked packet, the corresponding hardware device and port can be conveniently repaired and secured, which greatly improves the initiative and timeliness of security maintenance, weakens the ability of illegal hijacking to stay hidden, and makes an active security strategy practical. This is of positive significance for improving the user experience, reducing the difficulty and cost of the operator's security maintenance, and improving its targeting and accuracy.
In general, the method and the system provided by the embodiment are simple and convenient, execute efficiently, can rapidly and accurately pinpoint illegal hijacking, and solve the problems that illegal hijacking in an operator network cannot be actively monitored in time and that its source is difficult to locate and investigate.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present invention and should not be considered as limiting its scope; those skilled in the art can derive other related drawings from them without inventive effort.
Fig. 1 is a schematic structural diagram of an electronic device according to embodiment 3 of the present invention;
Fig. 2 is a schematic structural diagram of a computer system of a terminal device/server for implementing an embodiment of the present invention.
Reference numerals: 8 - electronic device; 81 - memory; 82 - processor; 800 - computer system; 801 - central processing unit; 802 - read-only memory; 803 - random access memory; 804 - bus; 805 - I/O interface; 806 - input section; 807 - output section; 808 - storage section; 809 - communication section; 810 - drive; 811 - removable medium.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
This embodiment provides a method for rapidly monitoring illegal hijacking in an operator network, comprising the following steps:
S1, checking and acquiring the configuration information of the hardware systems in the operator network, and screening out the ports on which uRPF (unicast reverse path forwarding) is not enabled.
S2, optically tapping the traffic of the ports without uRPF to obtain mirrored packet data, and filtering out of the mirrored packet data the packets that carry HTTP 200, 301 or 302 status codes.
S3, analysing the source IP address of the packets carrying HTTP 200, 301 or 302 status codes. If the source address matches the local operator's IP address library, the packet is judged to be normal; if it cannot be matched, the packet is judged to be an illegal hijack.
The inventor of the present application has found the following.
The normal process by which a user in an operator network accesses an internet website consists of three stages. In the first stage the user issues a DNS request for the website's domain name, and the operator's DNS server returns the resolved IP address. In the second stage the user sends an HTTP GET request to the website over HTTP; the request carries the URL the user wants to access. In the third stage the website's server, having received the GET request, responds to the user, and the response carries the resource content the user requested.
Most illegal hijackers gain control of the operator's internal systems through security vulnerabilities or by cracking system passwords and use those systems to carry out the hijacking; some are even administrators of the operator's own systems. Apart from the few hijacked users who have specialist technical knowledge, most users cannot easily detect network hijacking and do not report it to the operator on their own initiative, so the operator's network maintenance department finds it hard to discover in time whether illegal hijacking is occurring in its own network and cannot investigate it proactively.
The current means of monitoring is mainly that the operator receives complaints from users or from internet resource providers reporting that their services have been hijacked. Its drawback is that the operator cannot actively and promptly monitor its own network for illegal hijacking, and the loss has already been incurred by the time the complaints arrive.
Even during an investigation, the main method is for the operator to interrupt, one by one, the traffic of the service ports of every system in its network that is capable of hijacking, until the hijacking disappears when the traffic of some service system is interrupted, and finally to judge from an analysis of that service port's packets whether the system is producing hijacked data. The drawback of this method is that a carpet search of many systems and service ports one by one costs a great deal of time and staff, and the hijacking may already have ended during the search, so rapid monitoring, localisation and timely evidence collection are impossible.
Therefore, the operators' existing means of monitoring, investigating and locating network hijacking depend essentially on passive responses to user and enterprise complaints, and the difficulty, time and labour cost of investigation grow in proportion to the number of service systems, so the source of the hijacking is difficult to locate quickly.
In view of the above problems, the inventor of the present application conducted a targeted study and found the following.
To carry out the hijacking of network packets, an illegal hijacker usually needs to obtain a mirror copy of the users' HTTP GET requests at the operator's network egress by one of the following illegal means. The first is to optically tap an important egress link of the operator with a physical optical splitter, obtain a complete mirror of all user access traffic, and filter the users' HTTP GET requests out of it. The second is to use the port mirroring function of routers, switches, traffic splitters, traffic analysers and other devices in the operator network to obtain the users' HTTP GET requests from the normal service traffic. The third is to exploit a management vulnerability in one of the operator's service systems that handles users' HTTP GET requests and illegally obtain the requests from that system.
After intercepting the user's HTTP GET request by one of these three means, the illegal hijacker parses it, forges the IP address of the target resource server named in the request as the source address, and sends the user a response with status code HTTP 200, 301 or 302 from that forged address. The forged response is injected from inside the operator's network so that it reaches the user ahead of the genuine one, and in place of the legitimate site it redirects the user to an illegal site chosen by the hijacker, usually a fraud, phishing or gambling site, or achieves any other operation that profits the hijacker through code embedded in the message, causing serious loss to the operator and the network users.
The forged packets produced by the illegal hijacker usually have the following characteristics. First, the forged source IP address of the target resource site does not belong to the operator of the local province. Second, the packet is forwarded to the user normally through the local operator's routers, so none of the router ports it passes through can have uRPF checking enabled, otherwise the router would discard the packet with the forged source address. Third, the forged packet must be an HTTP 200, 301 or 302 response.
According to the inventor's research, the design of the present application therefore screens out, after confirming the configuration of the hardware systems in the operator network, the ports on which uRPF is not enabled; filters, on those ports, the packets carrying HTTP 200, 301 or 302 status codes; and checks whether the source IP addresses of those packets match the local operator's IP address library. The security of a packet is thus verified against the three characteristics above, and illegally hijacked packets can be located simply, rapidly and accurately.
From the located hijacked packet, the corresponding hardware device and port can be conveniently repaired and secured, which greatly improves the initiative and timeliness of security maintenance, weakens the ability of illegal hijacking to stay hidden, and makes an active security strategy practical. This is of positive significance for improving the user experience, reducing the difficulty and cost of the operator's security maintenance, and improving its targeting and accuracy.
In general, the method for rapidly monitoring illegal hijacking in an operator network is simple and convenient, executes efficiently, can rapidly and accurately pinpoint illegal hijacking, and solves the problems that illegal hijacking in an operator network cannot be actively monitored in time and that its source is difficult to locate and investigate.
Specifically, in step S1 the hardware systems in the operator network include, but are not limited to, routers, switch systems and the like.
It should be noted that in step S3 the local operator's IP address library may be stored in the system in advance so that the analysis result can be compared against it quickly.
In this embodiment, the method further comprises setting a service whitelist. If the analysis result matches the service whitelist, the packet is judged to be normal. That is, a packet whose source matches the service whitelist is not judged to be an illegal hijack even if its source cannot be matched to the local operator's IP address library.
This is because legitimate HTTP hijacking still exists in the operator network: for example, to give users a better resource response, the operator redirects some user requests and, by way of legitimate hijacking, redirects the user's request for an external resource to the operator's own cache service system.
Illegal and legitimate hijacking are distinguished by a customisable service whitelist: the system administrator adds the legitimate hijacking services, identified by the source IP addresses they forge, to a whitelist in the IP address library, and a whitelisted service is not judged to be an illegal hijack even though it exhibits the hijacking characteristics.
Further, the method further comprises: if a packet is judged to be an illegal hijack, generating an alarm for the illegal hijacking event, the alarm containing the content of the hijacked packet, the name of the source device on which the hijack occurred, and the source port. This effectively helps the administrator locate the source of the hijacking quickly and take effective security action promptly.
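The screening, filtering and source-address check of steps S1 to S3, together with the service whitelist and the alarm fields described above, can be realised as in the following added example. It is not code from the patent; the packet record layout, the port inventory, the documentation-range prefixes used as the operator's address library and whitelist, and the "device:interface" port naming are all constructed assumptions.

```python
"""Added example (not the patent's code): steps S2/S3 over mirrored packets
from non-uRPF ports, with the service whitelist and alarm fields.

Assumptions: packet records are dicts already decoded from the mirrored feed;
the operator's address library and the whitelist are CIDR lists drawn from
documentation ranges; ports are named "<device>:<interface>".
"""
import ipaddress
import re

# Step S1 input: port inventory with uRPF state (constructed configuration).
PORT_CONFIG = {
    "RT01:GE1/0/1": {"urpf": True},
    "RT01:GE1/0/2": {"urpf": False},
    "SW03:XGE0/0/5": {"urpf": False},
}

# Local operator's IP address library (constructed, documentation prefixes).
LOCAL_OPERATOR_PREFIXES = [ipaddress.ip_network(p)
                           for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Service whitelist: forged source addresses used by legitimate hijacking
# services such as the operator's own cache system (constructed).
SERVICE_WHITELIST = [ipaddress.ip_network("192.0.2.0/28")]

SUSPECT_STATUS = {200, 301, 302}
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3}) ")


def ports_without_urpf(config):
    """Step S1: the ports whose mirrored traffic will be analysed."""
    return [name for name, cfg in config.items() if not cfg["urpf"]]


def http_status(payload):
    """Status code of an HTTP response payload, or None for anything else."""
    m = STATUS_LINE.match(payload)
    return int(m.group(1)) if m else None


def in_any(ip, networks):
    return any(ip in net for net in networks)


def classify(pkt):
    """Steps S2/S3 for one packet: ('ignored'|'normal'|'hijacked', reason)."""
    status = http_status(pkt["payload"])
    if status not in SUSPECT_STATUS:
        return "ignored", "not an HTTP 200/301/302 response"
    src = ipaddress.ip_address(pkt["src_ip"])
    if in_any(src, LOCAL_OPERATOR_PREFIXES):
        return "normal", "source in local operator address library"
    if in_any(src, SERVICE_WHITELIST):
        return "normal", "source in service whitelist"
    return "hijacked", "HTTP %d response with non-local source %s" % (status, src)


def monitor(packets, config):
    """Run the check over mirrored packets; return one alarm per hijacked packet."""
    watched = set(ports_without_urpf(config))
    alarms = []
    for pkt in packets:
        if pkt["port"] not in watched:
            continue
        verdict, reason = classify(pkt)
        if verdict == "hijacked":
            alarms.append({
                "device": pkt["port"].split(":")[0],   # source device name
                "port": pkt["port"],                   # source port
                "src_ip": pkt["src_ip"],
                "dst_ip": pkt["dst_ip"],
                "payload": pkt["payload"],             # hijacked packet content
                "reason": reason,
            })
    return alarms


# Constructed mirrored packets: one genuine local response, one forged 302
# with a spoofed external source, one whitelisted cache redirect, one
# response on a uRPF-protected port, and one request (not a response).
SAMPLE_PACKETS = [
    {"port": "RT01:GE1/0/2", "src_ip": "203.0.113.10", "dst_ip": "198.51.100.77",
     "payload": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"},
    {"port": "RT01:GE1/0/2", "src_ip": "192.0.2.200", "dst_ip": "198.51.100.77",
     "payload": "HTTP/1.1 302 Found\r\nLocation: http://hijack.example/\r\n\r\n"},
    {"port": "RT01:GE1/0/2", "src_ip": "192.0.2.5", "dst_ip": "198.51.100.78",
     "payload": "HTTP/1.1 301 Moved Permanently\r\nLocation: http://cache.example/\r\n\r\n"},
    {"port": "RT01:GE1/0/1", "src_ip": "192.0.2.200", "dst_ip": "198.51.100.79",
     "payload": "HTTP/1.1 200 OK\r\n\r\n"},
    {"port": "SW03:XGE0/0/5", "src_ip": "198.51.100.9", "dst_ip": "192.0.2.200",
     "payload": "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]

if __name__ == "__main__":
    for alarm in monitor(SAMPLE_PACKETS, PORT_CONFIG):
        print(alarm["device"], alarm["port"], alarm["reason"])
```

One caveat a practitioner would add: a genuine response from an external website also carries a non-local source address, so the check is only meaningful on ports where locally-sourced traffic is expected (the internal or access-side ports through which a compromised system would inject the forged response), which are exactly the ports on which uRPF would otherwise have discarded the spoofed packet; applied to an upstream or peering port it would flag every legitimate response.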
Further, in this embodiment the method further comprises: obtaining, from the historical analysis results, the occurrence of illegal hijacking on each port and recording how the frequency of illegal hijacking on each port changes; and predicting the illegal hijacking risk of each port from that occurrence and that change in frequency. All of these can be presented as charts.
This makes it convenient for the administrator to grasp the characteristics of illegal hijacking accurately.
Because illegal hijacking is initiated by people and is generally carried out by groups, it has certain group characteristics, and the hijacking methods follow certain patterns of change that are directly related to changes in network technology.
Through this analysis it becomes easier to understand the hijackers' preferences in packet type, interface type and so on, to summarise the patterns by which hijacking occurs and, by combining the distribution with the pattern of change, to predict to some extent how hijacking will occur over a coming period. The administrator can then carry out targeted security inspection and maintenance in advance on the parts of the network at risk of hijacking, which further improves the security of data transmission and reduces the blindness of security maintenance work.
Based on the prediction, the ports shown to be at risk can be secured in advance and/or their transmission can be suspended; which measure to take can be chosen flexibly according to the actual situation and requirements.
To keep improving the accuracy and reliability of the prediction, a machine learning model can be established, the predicted risk compared with the hijacking that actually occurred, and the risk prediction model continually trained and optimised on that comparison.
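One simple realisation of the per-port history, change in frequency and risk ranking described above, and of the selection of low-rate ports that the security test below starts from, as an added example that is not code from the patent. The alarm history is constructed, and the scoring rule (total volume plus a term for a rising trend) is an assumption standing in for whatever model the operator actually trains.

```python
"""Added example (not the patent's code): per-port hijack occurrence,
change in frequency, a risk ranking and the choice of low-rate ports for
the active security test. The alarm history is constructed and the
scoring rule is an assumption.
"""
from collections import defaultdict

# Constructed history: (day, port) for every packet judged hijacked.
ALARM_HISTORY = [
    (1, "RT01:GE1/0/2"), (1, "RT01:GE1/0/2"), (2, "RT01:GE1/0/2"),
    (3, "RT01:GE1/0/2"), (3, "RT01:GE1/0/2"), (3, "RT01:GE1/0/2"),
    (1, "SW03:XGE0/0/5"), (2, "SW03:XGE0/0/5"),
    (2, "RT02:GE2/0/1"),
]
WATCHED_PORTS = ["RT01:GE1/0/2", "SW03:XGE0/0/5", "RT02:GE2/0/1", "RT02:GE2/0/2"]


def occurrence_by_port(history, days):
    """Alarm count per port per day: {port: [day1, day2, ...]}."""
    counts = defaultdict(lambda: [0] * days)
    for day, port in history:
        counts[port][day - 1] += 1
    return dict(counts)


def frequency_change(series):
    """How the frequency is changing: last day minus the mean of earlier days."""
    if len(series) < 2:
        return 0.0
    earlier = series[:-1]
    return series[-1] - sum(earlier) / len(earlier)


def predict_risk(history, days, ports):
    """Rank ports by risk. Assumed rule: total occurrences plus a rising-trend
    term scaled by the window length, so a port that is quiet but climbing
    outranks one with the same total that is fading."""
    counts = occurrence_by_port(history, days)
    ranked = []
    for port in ports:
        series = counts.get(port, [0] * days)
        total = sum(series)
        trend = frequency_change(series)
        score = total + max(trend, 0.0) * days
        ranked.append({"port": port, "series": series, "total": total,
                       "trend": trend, "score": score})
    ranked.sort(key=lambda r: (-r["score"], r["port"]))
    return ranked


def lowest_rate_ports(history, days, ports, n):
    """The n ports with the fewest alarms: candidates for the security test."""
    ranked = predict_risk(history, days, ports)
    by_rate = sorted(ranked, key=lambda r: (r["total"], r["port"]))
    return [r["port"] for r in by_rate[:n]]


if __name__ == "__main__":
    for r in predict_risk(ALARM_HISTORY, 3, WATCHED_PORTS):
        print("%-15s series=%s trend=%+.2f score=%.1f"
              % (r["port"], r["series"], r["trend"], r["score"]))
    print("test candidates:", lowest_rate_ports(ALARM_HISTORY, 3, WATCHED_PORTS, 2))
```

The comparison of predicted against actual risk that the page describes feeding into a machine learning model would, in this framing, consume the `score` column and the next period's alarm counts; the ranking here is the hand-written baseline such a model would replace.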
Further, the rapid monitoring method for illegal hijacking of an operator network also comprises the following step: based on the recorded occurrence of illegal hijacking on each port, the trend in the frequency of illegal hijacking on each port, and the illegal hijacking prediction result, select the several ports with the lowest occurrence rate of illegal hijacking and run a security test on them.
The security test proceeds as follows. A virtual user is set up; the virtual user sends a test request message through the selected port, and the system checks whether the test request message that was sent matches the feedback message the virtual user receives. If they match, the port is judged safe. If they do not match, the port is judged unsafe, which indicates that illegal hijacking is occurring on the port.
If the port is judged safe, data is transmitted through the corresponding port.
During transmission, data is sent intermittently, in intervals, and the security test is likewise continued at intervals, so that data transmission and security tests alternate.
If two consecutive security tests both return safe, the data transmitted in the interval between those two tests is judged to have been transmitted safely. If two consecutive security tests do not both return safe, the corresponding port is judged to carry a security risk and to be no longer safe, and data transmission over that port is stopped.
With this design, the channels with higher security can be screened out from the ordinary data transmission channels and used to carry the more important data. Compared with transmission over a dedicated line, the cost is lower, and the approach suits transmission tasks with a certain requirement on transmission security.
During transmission, the interval security tests monitor the security of the channel in real time, which further improves data security.
The interval between the intermittent data transmissions and the interval between security tests can both be set flexibly according to actual conditions and requirements.
Further, in this embodiment the security test also comprises the following. If the test result is unsafe, a verification feedback message is sent to the virtual user through the corresponding port, and the system checks whether the verification feedback message that was sent matches the message the virtual user receives. The verification feedback message is the feedback that matches the preceding test request message; in other words, it is the reply that would have been returned had the virtual user's test request been received and answered without being illegally hijacked, and it is sent to the virtual user proactively.
If the verification feedback message that was sent matches the message the virtual user receives, the hijacking technique is mainly hijacking the request messages sent by the user, i.e. it is mainly unidirectional hijacking. This is graded as a general risk.
If the verification feedback message that was sent does not match the message the virtual user receives, the hijacking is bidirectional and is not limited to hijacking request messages. Such cases often involve real-time manual intervention, the harm is greater than in the former case, and the risk of data theft is higher. This is graded as a high-level risk.
Grading the risk in this preliminary way lets administrators carry out targeted, selective security maintenance according to the specific situation, which helps make maintenance work more rational and orderly.
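The probe, the alternating transmission and the two-level risk grading described above, simulated end to end. This is an added example, not code from the patent or its applicant: the port model, its three hijack behaviours, the digest used as the "matching" feedback and the probe URL are all constructed here. The test request is bound to its expected feedback by a nonce, so a forged reply that merely echoes the nonce still fails the comparison.

```python
"""Security test, interval transmission and risk grading, simulated against a
port model. Added example: the hijack behaviours below are constructed."""
import hashlib
import itertools
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CLEAN = "clean"
ONE_WAY = "request-hijack"    # the user's request is hijacked and answered with a forged reply
TWO_WAY = "bidirectional"     # replies travelling toward the user are tampered with as well

_nonces = itertools.count(1)
PROBE_URL = "http://probe.example.invalid/"   # assumed probe target


def expected_feedback(request: dict) -> str:
    """Feedback a non-hijacked server returns for a test request: a digest that
    binds the request nonce to the canonical reply, so a forged reply that only
    echoes the nonce still fails the match."""
    return hashlib.sha256(f"{request['nonce']}|200|{request['url']}".encode()).hexdigest()


@dataclass
class SimulatedPort:
    mode: str = CLEAN
    flip_after: Optional[int] = None   # turn hostile after this many requests (mid-transfer case)
    requests: int = 0
    delivered: List[str] = field(default_factory=list)

    def send_request(self, request: dict) -> str:
        """Virtual user -> port -> server -> user; returns what the user receives."""
        self.requests += 1
        if self.flip_after is not None and self.requests > self.flip_after:
            self.mode = ONE_WAY
        if self.mode == CLEAN:
            return expected_feedback(request)
        forged = f"{request['nonce']}|302|http://ads.example.invalid/"   # injected redirect
        return hashlib.sha256(forged.encode()).hexdigest()

    def push_feedback(self, feedback: str) -> str:
        """Server -> port -> user: the verification feedback message."""
        if self.mode == TWO_WAY:
            return hashlib.sha256((feedback + "|tampered").encode()).hexdigest()
        return feedback

    def transmit(self, chunk: str) -> None:
        self.delivered.append(chunk)


def security_test(port: SimulatedPort) -> bool:
    """One probe: send a test request and compare the reply with the expected feedback."""
    request = {"nonce": next(_nonces), "url": PROBE_URL}
    return port.send_request(request) == expected_feedback(request)


def grade_risk(port: SimulatedPort) -> str:
    """'safe'; 'general' when only the request is hijacked (unidirectional);
    'high' when the server's own feedback is altered too (bidirectional)."""
    request = {"nonce": next(_nonces), "url": PROBE_URL}
    verification = expected_feedback(request)   # the reply the request should have produced
    if port.send_request(request) == verification:
        return "safe"
    return "general" if port.push_feedback(verification) == verification else "high"


def transmit_with_probes(port: SimulatedPort, chunks: List[str]) -> Tuple[List[str], Optional[int]]:
    """Alternate probe / chunk / probe. A chunk is confirmed only when the probes on
    both sides of it passed; the first failed probe stops the transfer. Returns
    (confirmed chunks, index of the unconfirmed chunk; -1 if the first probe failed;
    None if everything was confirmed)."""
    confirmed: List[str] = []
    if not security_test(port):
        return confirmed, -1
    for i, chunk in enumerate(chunks):
        port.transmit(chunk)
        if not security_test(port):
            return confirmed, i
        confirmed.append(chunk)
    return confirmed, None


if __name__ == "__main__":
    print(grade_risk(SimulatedPort(ONE_WAY)), grade_risk(SimulatedPort(TWO_WAY)))
    print(transmit_with_probes(SimulatedPort(flip_after=2), ["a", "b", "c"]))
```

Two points the simulation makes explicit that the description leaves implicit: a chunk counts as safely transmitted only when the probe after it also passes, so the chunk in flight when a probe fails is unconfirmed and has to be resent over another port; and the verification feedback must be injected from the server side of the port (`push_feedback`), otherwise a hijacker that only watches requests cannot be told apart from one that also rewrites replies.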
In summary, the rapid monitoring method for illegal hijacking of an operator network is simple and convenient, executes efficiently, can quickly and accurately pin down illegal hijacking, and solves the problems that illegal hijacking in an operator network cannot be actively monitored in time and that its source is difficult to locate and investigate.
Example 2
This embodiment provides a rapid monitoring system for illegal hijacking of an operator network, comprising a security screening module, a data analysis module and a security analysis module.
The security screening module checks and obtains the configuration information of the router and switch systems in the operator network and screens out the ports on which uRPF (unicast Reverse Path Forwarding) is not enabled.
The data analysis module taps the traffic of the ports without uRPF by optical splitting to obtain mirrored packet data, and extracts from the mirrored packet data the data packets carrying HTTP status codes 200, 301 and 302.
The security analysis module parses the source IP address of the data packets carrying HTTP status codes 200, 301 and 302. If the parsed address matches the local operator's IP address base, the packet is judged to be a normal data packet. If it cannot be matched against the local operator's IP address base, the packet is judged to be illegally hijacked.
In summary, the rapid monitoring system for illegal hijacking of an operator network is simple and convenient, executes efficiently, can quickly and accurately pin down illegal hijacking, and solves the problems that illegal hijacking in an operator network cannot be actively monitored in time and that its source is difficult to locate and investigate.
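Steps S1 to S3 of the system, together with the alarm of claim 2 and the service whitelist of claim 3, as an added Python example rather than code from the patent. The device name, the IOS-style configuration snippet, the mirrored packets and the address ranges (documentation prefixes) are constructed; the uRPF line `ip verify unicast source reachable-via` is the Cisco IOS form, and other vendors spell it differently. The check rests on the fact that uRPF would drop a packet whose source address is not reachable through the interface it arrived on, so a port without uRPF is where an injected response carrying a spoofed external source address can appear.

```python
"""Steps S1 to S3 with the alarm of claim 2 and the whitelist of claim 3.
Added example: device name, config, packets and address ranges are constructed."""
import ipaddress
import re
from typing import Dict, List

DEVICE_NAME = "CR-01"   # assumed name of the tapped router

# Constructed IOS-style configuration; 'ip verify unicast source reachable-via'
# is the Cisco IOS uRPF command. Gi0/2 has uRPF, Gi0/1 does not.
DEVICE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 203.0.113.129 255.255.255.128
 ip verify unicast source reachable-via rx
!
"""

# The local operator's IP address base and the service whitelist (documentation prefixes).
LOCAL_OPERATOR_BASE = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
SERVICE_WHITELIST = [ipaddress.ip_network("192.0.2.48/28")]
WATCHED_STATUS = {200, 301, 302}
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")

# Constructed packets as delivered by the optical tap: ingress port, IP source, payload.
MIRRORED_PACKETS = [
    {"port": "GigabitEthernet0/1", "src_ip": "203.0.113.10",
     "payload": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
    {"port": "GigabitEthernet0/1", "src_ip": "192.0.2.5",
     "payload": b"HTTP/1.1 302 Found\r\nLocation: http://ads.example.invalid/\r\n\r\n"},
    {"port": "GigabitEthernet0/2", "src_ip": "192.0.2.9",      # uRPF port: not examined
     "payload": b"HTTP/1.1 302 Found\r\n\r\n"},
    {"port": "GigabitEthernet0/1", "src_ip": "192.0.2.50",     # whitelisted service
     "payload": b"HTTP/1.1 200 OK\r\n\r\n"},
    {"port": "GigabitEthernet0/1", "src_ip": "192.0.2.7",      # 404 is not a watched code
     "payload": b"HTTP/1.1 404 Not Found\r\n\r\n"},
]


def ports_without_urpf(config: str) -> List[str]:
    """S1: names of the interfaces whose block carries no uRPF statement."""
    urpf: Dict[str, bool] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            urpf[current] = False
        elif current and line.strip().startswith("ip verify unicast"):
            urpf[current] = True
        elif line.strip() == "!":
            current = None
    return [name for name, enabled in urpf.items() if not enabled]


def http_status(payload: bytes):
    """S2: status code of an HTTP/1.x response payload, or None for anything else."""
    match = STATUS_LINE.match(payload)
    return int(match.group(1)) if match else None


def analyse_mirror(packets, unguarded_ports, device=DEVICE_NAME) -> List[dict]:
    """S2 + S3 over mirrored packets; returns one alarm record per hijacked packet."""
    alerts = []
    for pkt in packets:
        if pkt["port"] not in unguarded_ports:
            continue                                  # spoofed sources cannot pass a uRPF port
        status = http_status(pkt["payload"])
        if status not in WATCHED_STATUS:
            continue
        src = ipaddress.ip_address(pkt["src_ip"])
        if any(src in net for net in LOCAL_OPERATOR_BASE + SERVICE_WHITELIST):
            continue                                  # normal data packet
        alerts.append({"device": device, "port": pkt["port"], "src_ip": str(src),
                       "status": status, "content": pkt["payload"]})
    return alerts


def run() -> List[dict]:
    return analyse_mirror(MIRRORED_PACKETS, ports_without_urpf(DEVICE_CONFIG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The address base is the whole test: it has to describe what the tapped port legitimately carries, and on a port that also carries responses from outside the operator's own prefixes the rule will raise alarms on normal traffic, which is what the service whitelist of claim 3 is for. Each alarm carries the packet content, the device name and the port, as claim 2 requires, so the injection point can be located.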
Example 3
Referring to fig. 1, this embodiment provides an electronic device 8 comprising a memory 81 and a processor 82. The memory 81 stores a computer program arranged to perform, when run, the rapid monitoring method for illegal hijacking of an operator network of embodiment 1. The processor 82 is configured to carry out that method by executing the computer program.
Referring now to FIG. 2, a block diagram of a computer system 800 of a terminal device/server suitable for use in implementing embodiments of the present invention is shown. The terminal device/server shown in fig. 2 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 2, the computer system 800 includes a central processing unit 801 which can perform various appropriate actions and processes in accordance with a program stored in a read only memory 802 or a program loaded from a storage section 808 into a random access memory 803. In the random access memory 803, various programs and data necessary for the operation of the system 800 are also stored. A central processing unit 801 (i.e., CPU), a read only memory 802 (i.e., ROM), and a random access memory 803 (i.e., RAM) are connected to each other via a bus 804. An I/O interface 805 is also connected to bus 804.
The following components are connected to the I/O interface 805: an input section 806 including a keyboard, a mouse, and the like; an output section 807 including a display such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the Internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that a computer program read out from it can be installed into the storage section 808 as necessary.
According to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program performs the above-described functions defined in the method of the present invention when executed by the central processing unit 801. It should be noted that the computer readable medium of the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented by software or hardware. As another aspect, the present invention also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments; or may be present separately and not assembled into the device.
The computer readable medium carries one or more programs which, when executed by the apparatus, cause the apparatus to perform the following steps: S1, checking and acquiring the configuration information of the hardware systems in the operator network, and screening out the ports on which uRPF is not enabled; S2, tapping the traffic of the ports without uRPF by optical splitting to obtain mirrored packet data, and extracting from the mirrored packet data the data packets carrying HTTP status codes 200, 301 and 302; and S3, parsing the source IP address of the data packets carrying HTTP status codes 200, 301 and 302: if the parsed address matches the local operator's IP address base, the packet is judged to be a normal data packet; if it cannot be matched against the local operator's IP address base, the packet is judged to be illegally hijacked.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A rapid monitoring method for illegal hijacking of an operator network, characterized by comprising the following steps:
checking and acquiring the configuration information of the hardware systems in an operator network, and screening out the ports on which uRPF is not enabled;
tapping the traffic of a port on which uRPF (unicast Reverse Path Forwarding) is not enabled by optical splitting to obtain mirrored packet data, and extracting from the mirrored packet data the data packets carrying HTTP status codes 200, 301 and 302;
parsing the source IP address of a data packet carrying HTTP status code 200, 301 or 302; if the parsed address matches the local operator's IP address base, judging the packet a normal data packet; and if the parsed address cannot be matched against the local operator's IP address base, judging the packet illegally hijacked.
2. The rapid monitoring method for illegal hijacking of an operator network according to claim 1, further comprising: if the data packet is judged illegally hijacked, generating an illegal hijacking alarm signal, the alarm signal comprising the content of the illegally hijacked data packet, the name of the source device on which the illegal hijacking occurred, and the source port.
3. The rapid monitoring method for illegal hijacking of an operator network according to claim 1, further comprising: setting a service whitelist, and if the parsed address matches the service whitelist, judging the packet a normal data packet.
4. The rapid monitoring method for illegal hijacking of an operator network according to claim 1, further comprising: obtaining the occurrence of illegal hijacking on each port from the historical analysis results, and recording the change in the frequency of illegal hijacking on each port; and predicting the illegal hijacking risk of each port from the occurrence of illegal hijacking on each port and the change in the frequency of illegal hijacking on each port.
5. The rapid monitoring method for illegal hijacking of an operator network according to claim 4, further comprising: applying security handling in advance to the ports that the prediction result shows to be at risk of illegal hijacking, and/or suspending the transmission work of the ports that the prediction result shows to be at risk of illegal hijacking.
6. The rapid monitoring method for illegal hijacking of an operator network according to claim 4, further comprising: establishing a machine learning model, comparing the illegal hijacking risk prediction results with the actual occurrence of illegal hijacking, performing machine learning, and optimizing the illegal hijacking risk prediction model.
7. The rapid monitoring method for illegal hijacking of an operator network according to claim 4, further comprising: selecting, according to the occurrence of illegal hijacking on each port and the change in the frequency of illegal hijacking on each port, the several ports with the lowest occurrence rate of illegal hijacking, and performing a security test on them;
the security test comprising: setting up a virtual user, sending a test request message through a selected port with the virtual user, and checking whether the test request message that was sent matches the feedback message the virtual user receives; if they do not match, judging the port unsafe; and if the port is judged safe, transmitting data through the corresponding port.
8. The rapid monitoring method for illegal hijacking of an operator network according to claim 7, wherein, when data is transmitted, the data is sent intermittently and the security test is continued intermittently, the data transmission and the security test alternating; if two consecutive security tests both return safe, the data transmitted in the interval between those two tests is judged safe; if two consecutive security tests do not both return safe, the corresponding port is judged unsafe and data transmission over that port is terminated.
9. The rapid monitoring method for illegal hijacking of an operator network according to claim 7 or 8, wherein the security test further comprises: if the test result is unsafe, sending a verification feedback message to the virtual user through the corresponding port, and checking whether the verification feedback message that was sent matches the message the virtual user receives; if they match, judging it a general risk, and if they do not match, judging it a high-level risk;
the verification feedback message being the feedback that matches the preceding test request message.
10. A rapid monitoring system for illegal hijacking of an operator network, comprising:
a security screening module for checking and acquiring the configuration information of the router and switch systems in an operator network and screening out the ports on which uRPF is not enabled;
a data analysis module for tapping the traffic of a port on which uRPF (unicast Reverse Path Forwarding) is not enabled by optical splitting to obtain mirrored packet data, and extracting from the mirrored packet data the data packets carrying HTTP status codes 200, 301 and 302;
a security analysis module for parsing the source IP address of a data packet carrying HTTP status code 200, 301 or 302; if the parsed address matches the local operator's IP address base, judging the packet a normal data packet; and if the parsed address cannot be matched against the local operator's IP address base, judging the packet illegally hijacked.
CN202111206738.XA 2021-10-18 2021-10-18 Method and system for rapidly monitoring illegal hijacking for operator network Active CN113660667B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111206738.XA CN113660667B (en) 2021-10-18 2021-10-18 Method and system for rapidly monitoring illegal hijacking for operator network


Publications (2)

Publication Number Publication Date
CN113660667A (en) 2021-11-16
CN113660667B (en) 2021-12-28

Family

ID=78494541

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111206738.XA Active CN113660667B (en) 2021-10-18 2021-10-18 Method and system for rapidly monitoring illegal hijacking for operator network

Country Status (1)

Country Link
CN (1) CN113660667B (en)

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1750512A (en) * 2005-09-27 2006-03-22 杭州华为三康技术有限公司 Single broadcast reverse path repeating method
CN101945117A (en) * 2010-09-28 2011-01-12 杭州华三通信技术有限公司 Method and equipment for preventing source address spoofing attack
CN103220255A (en) * 2012-01-18 2013-07-24 中兴通讯股份有限公司 Method and device for realizing unicast reverse path forwarding (URPF) examination
US20140355607A1 (en) * 2013-05-30 2014-12-04 Cisco Technology, Inc. Reverse path forwarding router system
CN105812481A (en) * 2016-04-20 2016-07-27 上海斐讯数据通信技术有限公司 Hypertext transfer protocol request identification system and hypertext transfer protocol request identification method
CN108282451A (en) * 2017-01-20 2018-07-13 广州市动景计算机科技有限公司 Hijacking data judgment method, device and user terminal
CN110381006A (en) * 2018-04-12 2019-10-25 中兴通讯股份有限公司 Message processing method, device, storage medium and processor
CN110417721A (en) * 2019-03-07 2019-11-05 腾讯科技(深圳)有限公司 Safety risk estimating method, device, equipment and computer readable storage medium
CN110445743A (en) * 2018-05-02 2019-11-12 福建天晴数码有限公司 A kind of method and system of detection service end illegal request
CN110912853A (en) * 2018-09-15 2020-03-24 华为技术有限公司 Method, equipment and system for checking anti-counterfeiting attack
CN111107008A (en) * 2018-10-25 2020-05-05 深圳市中兴微电子技术有限公司 Reverse path checking method and device
US20210105300A1 (en) * 2019-10-08 2021-04-08 Secure64 Software Corporation Methods and systems that detect and deflect denial-of-service attacks
CN112769694A (en) * 2021-02-02 2021-05-07 新华三信息安全技术有限公司 Address checking method and device
CN113438101A (en) * 2021-06-07 2021-09-24 杭州迪普科技股份有限公司 URPF configuration method, computer program product and frame type equipment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
DTR/CYBER-0015: "TECHNICAL REPORT CYBER; Network Gateway Cyber Defence", ETSI TR 103 421 *
王鹏 et al.: "Research on HTTP session hijacking in switched networks and its countermeasures", Computer Engineering (计算机工程) *
赵国锋 et al.: "Research on web front-end hijacking against HTTPS and its defence", Netinfo Security (信息网络安全) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant