CN113709156A - NIDS network penetration detection method, computer and storage medium - Google Patents

Publication number: CN113709156A
Authority: CN (China)
Prior art keywords: message, data, nids, attack, ttl
Legal status: Granted
Application number: CN202110994850.8A
Other languages: Chinese (zh)
Other versions: CN113709156B (en)
Inventors: 余翔湛, 刘立坤, 史建焘, 叶麟, 葛蒙蒙, 杨霄璇, 韦贤葵, 李精卫, 石开宇, 王久金, 冯帅, 赵跃, 宋赟祖, 谭通海, 车佳臻
Current Assignee: Harbin Institute of Technology
Original Assignee: Harbin Institute of Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/12 Applying verification of the received information

Abstract

The invention provides a NIDS network penetration detection method, a computer and a storage medium, and belongs to the technical field of intelligent detection. First, the TTL field value from the NIDS to the server is detected in the TCP state machine attack model; second, the type of the received message is determined, and attack detection for control messages is executed when the message is a control message, while attack detection for data messages is executed when the message is a data message; third, control messages in the TCP state machine attack model are detected; finally, data messages in the TCP state machine attack model are detected. The invention solves the technical problem of TCP state machine attacks bypassing NIDS detection by identifying the forged packets used in TCP state machine attacks.

Description

NIDS network penetration detection method, computer and storage medium
Technical Field
The application relates to network penetration detection, in particular to a NIDS network penetration detection method, a computer and a storage medium, and belongs to the technical field of intelligent detection.
Background
TCP state machine attacks mainly aim to bypass NIDS detection. The TCP state machine is defined as follows: a TCP protocol stack maintains a TCP state machine, and the server running the TCP protocol stack and the network security device acting as a middleman have different TCP state machines. An attacker exploits the difference between the two to carry out network penetration by sending forged packets; for example, carefully crafted messages are inserted into a normal TCP stream, and these messages do not reach the server but are received and processed by the NIDS located in the middle of the network.
TCP state machine attack model: an attacker exploits the difference between the TCP state machines of the TCP server and of the network security device acting as a middleman to carry out network penetration by inserting forged messages into a normal TCP stream. Message forgery comprises two steps: the first is to measure the network distance between the client and the server and set the TTL field to a value smaller than the measured distance; the second is to tamper with the TCP Control Block (TCB), or to fill the data content with garbage data, and to modify the TCP send sequence number or send order.
Therefore, aiming at the attack method of the TCP state machine attack model, the invention provides an NIDS network penetration detection method for detecting TCP state machine attack forged messages.
Disclosure of Invention
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. It should be understood that this summary is not an exhaustive overview of the invention. It is not intended to determine the key or critical elements of the present invention, nor is it intended to limit the scope of the present invention. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is discussed later.
In view of this, the present invention provides a NIDS network penetration detection method for solving the technical problem of TCP state machine attacks against the NIDS, which includes the following steps:
step one, detecting the TTL field value from the NIDS to the server;
step two, determining the type of the received message, executing step three when the message is a control message, and executing step four when the message is a data message;
step three, detecting control messages in the TCP state machine attack;
step four, detecting data messages in the TCP state machine attack.
Preferably, the specific method for detecting the TTL field value from the NIDS to the server in the TCP state machine attack model in step one includes the following steps:
step 1.1, generating a TTL table containing a TTL threshold field value and a service identification field;
step 1.2, calculating the field value hops from the NIDS to the server;
step 1.3, comparing the field value hops obtained in step 1.2 with the TTL threshold in the TTL table; when $hops < Table_{TTL}$, the TTL threshold in the TTL table is updated, and when $pkt_{TTL} < Table_{TTL}$, the message is presumed to be an attack message; where $Table_{TTL}$ denotes the TTL threshold field value in the TTL table and $pkt_{TTL}$ denotes the value of the TTL field in the message received by the NIDS.
Preferably, the field value hops from the NIDS to the server in step 1.2 is calculated by the following formula:
Figure BDA0003233617240000021
where hops is the field value from the NIDS to the server, $base_i$ is a base taking a value in [64, 128, 255], and $Pkt_{TTL}$ is the value of the TTL field in the message received by the NIDS.
Preferably, the detecting of the control message in the TCP state machine attack in the third step specifically includes detecting TCB creation, TCB destruction, TCB reversion, and Resync + Desync attack means.
Preferably, the detecting the data packet in the TCP state machine attack in the fourth step specifically includes detecting data overlapping, unordered data overlapping, ordered data overlapping, and data asynchronous attack means.
Preferably, the specific method for detecting control messages in the TCP state machine attack model in step three includes the following steps:
step 3.1, so that the NIDS does not discard control messages when it receives multiple SYN or SYN/ACK messages with the same four-tuple and conflicting sequence numbers, constructing a TCB chain for messages of the same four-tuple whose sequence numbers conflict;
step 3.2, establishing a timer for each TCB chain, the timer being updated when a new message arrives;
step 3.3, when captured control messages have a sequence number conflict, storing the conflicting control messages in the TCB chain;
step 3.4, receiving the next message;
step 3.5, for forged messages in the TCB creation stage, checking the sequence number of the next message; if a message in the TCB chain is continuous with the sequence number of the next message, that message is a normal message, and the other messages in the TCB chain are discarded as attack messages;
for the TCB destruction stage, when the TCB timer has timed out, the TCB chain is released; when the TCB timer has not timed out and a data message of the same four-tuple is received after the RST/FIN message, the RST/FIN message can be determined to be an attack message, the TCB chain is retained, and the RST/FIN message is discarded.
Preferably, the specific method for detecting data messages in the TCP state machine attack in step four includes the following steps:
step 4.1, constructing an auxiliary buffer that stores pointers to messages whose send sequence numbers overlap;
step 4.2, when captured data messages have overlapping sequence numbers: if $Seq_{pkt} < Seq_{expected}$, the message is identified as an attack; if $Seq_{pkt} > Seq_{expected}$, the pointer to the first data message is stored in the ordinary TCP receive buffer and the pointer to the overlapping data message is stored in the auxiliary buffer; where $Seq_{pkt}$ denotes the sequence number of the message currently being processed by the NIDS and $Seq_{expected}$ denotes the sequence number of the message the NIDS expects to receive;
step 4.3, after the NIDS finishes processing the current data message, updating $Seq_{expected}$ for receiving the next data message;
step 4.4, determining which of the messages stored in the receive buffer and the auxiliary buffer is correct, and discarding the attack message.
Preferably, the specific method in step 4.4 for determining which stored message is correct is to receive the next message and use it to decide whether the ordinary buffer or the auxiliary buffer holds the correct message; the specific criteria are:
(1) the data message in the receive buffer is the correct message, and the data message in the auxiliary buffer is an attack message:
$Seq_{next} + Data_{next} = Seq_{buffer}$
where $Seq_{next}$ denotes the sequence number of the next data message received by the NIDS, $Data_{next}$ denotes the data length of the next data message received by the NIDS, and $Seq_{buffer}$ denotes the expected sequence number of the data message stored in the ordinary buffer;
(2) the data message in the receive buffer is an attack message, and the data message in the auxiliary buffer is a normal message:
$Seq_{next} = Seq_{Aux\_buffer} + Data_{Aux\_buffer}$
where $Seq_{Aux\_buffer}$ denotes the expected sequence number of the data message stored in the auxiliary buffer and $Data_{Aux\_buffer}$ denotes the data length of the data message stored in the auxiliary buffer.
A computer comprising a memory storing a computer program and a processor implementing the steps of a NIDS network penetration detection method when executing the computer program.
A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a NIDS network penetration detection method.
The invention has the following beneficial effects: the invention solves the technical problem of TCP state machine attack bypassing NIDS detection by identifying the TCP state machine attack pseudo data packet, and effectively improves the capability of NIDS for resisting attack.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow diagram of a method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of TCB chain construction according to an embodiment of the present invention;
fig. 3 is a schematic diagram of TCP state machine attack according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present application more apparent, the following further detailed description of the exemplary embodiments of the present application with reference to the accompanying drawings makes it clear that the described embodiments are only a part of the embodiments of the present application, and are not exhaustive of all embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Embodiment 1: this embodiment is described with reference to FIG. 1 to FIG. 3. The NIDS network penetration detection method of this embodiment includes the following steps:
Step one, detecting the TTL field value from the NIDS to the server;
Because the NIDS is closer to the TCP client in network distance than the server is, an attacker can control the TTL field so that an inserted packet reaches the NIDS but cannot reach the target server, and the NIDS is thereby attacked. In analysing this attack characteristic, the server is assumed to be trustworthy. A TTL table is therefore generated to record the field value between the NIDS and the server, namely the hop count; the hop counts from the client to the server are recorded, and the minimum hop count between the NIDS and the server is found from the recorded values.
Specifically, detecting the TTL field value from the NIDS to the server in step one includes the following steps:
Step 1.1, generating a TTL table containing a TTL threshold field value and a service identification field;
Specifically, the TTL threshold field value is the minimum field value from the NIDS to the server, that is, the minimum hop count from the NIDS to the server. The TTL threshold is monitored and extracted from server packets. Packets are sent from different systems, so the TTL threshold differs, but the common point is that the initial value is $2^n$ or $2^n - 1$.
Step 1.2, calculating the field value hops from the NIDS to the server by the following formula:
Figure BDA0003233617240000041
where hops is the field value from the NIDS to the server, $base_i$ is a base taking a value in [64, 128, 255], and $Pkt_{TTL}$ is the value of the TTL field in the message received by the NIDS.
Step 1.3, comparing the hops obtained in step 1.2 with the TTL threshold in the TTL table; when $hops < Table_{TTL}$, the TTL threshold in the TTL table is updated, and when $pkt_{TTL} < Table_{TTL}$, the message is presumed to be an attack message; where $Table_{TTL}$ denotes the TTL threshold field value in the TTL table and $pkt_{TTL}$ denotes the value of the TTL field in the message received by the NIDS.
In particular, the minimum hop count between the NIDS and the server may change because of dynamic changes in the network path. The TTL check alone is therefore not enough to identify an attack accurately; to do so, the NIDS needs to check whether the message matches a forged message, so step two is executed to identify the attack further.
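An added Python sketch of the TTL-table check described above (not code from the patent). The hop formula is an image that is not reproduced on this page, so `estimate_hops` assumes the estimate "smallest base in [64, 128, 255] that is at least the observed TTL, minus that TTL"; the class, the method names and the sample addresses are hypothetical.

```python
from dataclasses import dataclass, field

BASES = (64, 128, 255)   # base values listed in the text


def estimate_hops(pkt_ttl):
    """Hops travelled by a packet seen with this TTL (assumed formula)."""
    if not 0 < pkt_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    # Assume the sender started from the smallest base >= the observed TTL.
    return min(base - pkt_ttl for base in BASES if base >= pkt_ttl)


@dataclass
class TTLTable:
    """Service identification -> TTL threshold (minimum NIDS-to-server hops)."""
    services: set
    threshold: dict = field(default_factory=dict)

    def process(self, src, dst, ttl):
        if src in self.services:
            # Server-to-client packet: the server is assumed trustworthy, so
            # its TTL shows how many hops lie between the server and the NIDS.
            hops = estimate_hops(ttl)
            if src not in self.threshold or hops < self.threshold[src]:
                self.threshold[src] = hops        # hops < Table_TTL: update
            return "learn"
        if dst in self.services:
            limit = self.threshold.get(dst)
            if limit is None:
                return "unknown"                  # no baseline learned yet
            # pkt_TTL < Table_TTL: the packet expires before the server.
            return "attack" if ttl < limit else "pass"
        return "ignore"


def classify_sample():
    """Run the table over constructed (src, dst, ttl) observations."""
    server = ("203.0.113.10", 80)      # constructed documentation addresses
    client = ("198.51.100.7", 40000)
    table = TTLTable(services={server})
    sample = [
        (client, server, 61),    # before any server packet was seen
        (server, client, 57),    # 64 - 57 = 7 hops
        (client, server, 61),    # enough TTL left to reach the server
        (client, server, 4),     # 4 < 7: dies before the server
        (server, client, 122),   # 128 - 122 = 6 hops, threshold drops to 6
        (client, server, 6),     # boundary: 6 < 6 is false
        (client, server, 5),     # 5 < 6
    ]
    verdicts = [table.process(s, d, ttl) for s, d, ttl in sample]
    return verdicts, table.threshold[server]
```

Because the threshold only ever decreases, a route change that lengthens the path leaves a stale minimum in the table, which is why the text treats the TTL verdict as a first filter before steps three and four.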
Step two, determining the type of the received message, executing step three when the message is a control message, and executing step four when the message is a data message;
The core of the TCP attack strategy is to destroy or deceive the NIDS. An attacker designs network penetration strategies for the different stages of the whole TCP connection process, so the strategies are divided into two kinds: control message attack strategies and data message attack strategies.
Specifically, the control message attack strategy is countered by identifying control messages, which specifically includes detecting TCB creation, TCB destruction, TCB reversal, and Resync + Desync attack means.
Specifically, the data message attack strategy is countered by identifying data messages, which specifically includes detecting data overlapping, unordered data overlapping, ordered data overlapping, and data asynchronous attack means.
Step three, detecting control messages in the TCP state machine attack;
The attacker's purpose is to destroy the TCB by sending inserted control messages, for example by injecting a SYN message with a forged sequence number before the normal SYN message in the TCB creation stage. To defeat this, the present invention constructs a TCB chain for messages of the same four-tuple with conflicting sequence numbers (as shown in FIG. 2), so that the NIDS does not discard control messages when it receives multiple SYN or SYN/ACK messages with the same four-tuple and conflicting sequence numbers.
Specifically, the detection of control messages in the TCP state machine attack model includes the following steps:
Step 3.1, so that the NIDS does not discard control messages when it receives multiple SYN or SYN/ACK messages with the same four-tuple and conflicting sequence numbers, constructing a TCB chain for messages of the same four-tuple whose sequence numbers conflict;
Step 3.2, establishing a timer for each TCB chain, the timer being updated when a new message arrives;
Step 3.3, when captured control messages have a sequence number conflict, storing the conflicting control messages in the TCB chain;
Step 3.4, receiving the next data message;
Step 3.5, when the TCB is in the creation stage, checking the sequence number of the next message; if a message in the TCB chain is continuous with the sequence number of the next message, that message is a normal message, and the other messages in the TCB chain are discarded as attack messages;
when the TCB is in the destruction stage and the TCB timer has timed out, the TCB chain is released; when the TCB timer has not timed out and a message of the same four-tuple is received after the RST/FIN message, the RST/FIN message can be determined to be an attack message, the TCB chain is retained, and the RST/FIN packet is discarded.
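An added Python sketch of the TCB-chain handling described above (not code from the patent): conflicting SYNs are held until the next message shows which one continues the stream, and a RST/FIN is held until either the chain timer expires or data on the same four-tuple contradicts it. The timeout value, the class names, the verdict strings and the sample trace are assumptions, and only the client-to-server direction is modelled.

```python
from dataclasses import dataclass, field

CHAIN_TIMEOUT = 5.0   # seconds; assumed, the text gives no timer value
SEQ_MOD = 2 ** 32     # TCP sequence numbers wrap at 32 bits


@dataclass
class Msg:
    flags: str        # "SYN", "ACK", "RST" or "FIN" ("ACK" may carry data)
    seq: int
    length: int = 0   # payload bytes
    ts: float = 0.0   # capture time in seconds


@dataclass
class TCBChain:
    state: str = "creating"                            # creating / established / closing
    candidates: list = field(default_factory=list)     # SYNs with conflicting sequence numbers
    pending_close: list = field(default_factory=list)  # RST/FIN not yet trusted
    last_seen: float = 0.0                             # per-chain timer


class Tracker:
    def __init__(self):
        self.chains = {}    # four-tuple -> TCBChain
        self.attacks = []   # (four-tuple, flags, seq) judged forged

    def handle(self, key, msg):
        chain = self.chains.get(key)
        # Timer expired: release the chain (a held RST/FIN is thereby accepted).
        if chain is not None and msg.ts - chain.last_seen > CHAIN_TIMEOUT:
            del self.chains[key]
            chain = None
        if chain is None:
            chain = self.chains[key] = TCBChain()
        chain.last_seen = msg.ts               # every new message updates the timer

        if msg.flags == "SYN":
            if chain.state != "creating":
                return "out-of-state"          # not covered by this sketch
            if all(c.seq != msg.seq for c in chain.candidates):
                chain.candidates.append(msg)   # keep every conflicting SYN
            return "held"

        if msg.flags in ("RST", "FIN"):
            if chain.state == "creating":
                return "out-of-state"
            chain.pending_close.append(msg)    # do not tear the TCB down yet
            chain.state = "closing"
            return "held"

        if chain.state == "creating":
            # A SYN consumes one sequence number, so the genuine SYN is the
            # one whose seq + 1 equals the next message's sequence number.
            good = [c for c in chain.candidates
                    if (c.seq + 1) % SEQ_MOD == msg.seq]
            if not good:
                return "no-match"
            self.attacks += [(key, c.flags, c.seq)
                             for c in chain.candidates if c is not good[0]]
            chain.candidates = [good[0]]
            chain.state = "established"
            return "established"

        if chain.state == "closing" and msg.length > 0:
            # Data on the same four-tuple before the timer ran out: the
            # RST/FIN did not end the connection, so it is judged forged.
            self.attacks += [(key, c.flags, c.seq) for c in chain.pending_close]
            chain.pending_close = []
            chain.state = "established"
            return "close-forged"
        return "pass"


def run_demo():
    """Constructed trace: forged SYN, forged RST, then a genuine FIN."""
    key = ("198.51.100.7", 40000, "203.0.113.10", 80)
    trace = [
        Msg("SYN", 1000, ts=0.0),        # inserted SYN with a bogus sequence number
        Msg("SYN", 5000, ts=0.1),        # genuine SYN
        Msg("ACK", 5001, ts=0.2),        # continues SYN 5000
        Msg("ACK", 5001, 100, ts=0.3),   # 100 bytes of data
        Msg("RST", 5101, ts=0.4),        # inserted RST
        Msg("ACK", 5101, 50, ts=0.5),    # data keeps flowing after the RST
        Msg("FIN", 5151, ts=1.0),        # genuine close, nothing follows
        Msg("SYN", 9000, ts=7.0),        # arrives after the chain timer expired
    ]
    tracker = Tracker()
    verdicts = [tracker.handle(key, m) for m in trace]
    return verdicts, tracker.attacks, tracker.chains[key]
```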
Step four, detecting data messages in the TCP state machine attack.
The attack principle of forged data messages is as follows: a data-message-based attack protects the attack data by generating garbage data. Its characteristic is that data messages with identical or wrong send sequence numbers are forged so that they overlap with the send sequence numbers of normal data messages. This can cause the NIDS to fail to reassemble and restore the TCP data, so that the traffic after the attack message is discarded.
Specifically, the method for detecting data messages in the TCP state machine attack in step four includes the following steps:
Step 4.1, constructing an auxiliary buffer that stores pointers to messages whose send sequence numbers overlap;
Step 4.2, when captured data messages have overlapping sequence numbers: if $Seq_{pkt} < Seq_{expected}$, the message is identified as an attack; if $Seq_{pkt} > Seq_{expected}$, the pointer to the first data message is stored in the ordinary TCP receive buffer and the pointer to the overlapping data message is stored in the auxiliary buffer; where $Seq_{pkt}$ denotes the sequence number of the message currently being processed by the NIDS and $Seq_{expected}$ denotes the sequence number of the message the NIDS expects to receive;
Step 4.3, after the NIDS finishes processing the current data message, updating $Seq_{expected}$ for receiving the next data message;
Step 4.4, determining which of the messages stored in the receive buffer and the auxiliary buffer is correct, and discarding the attack message.
Specifically, step 4.4 receives the next data message and uses it to decide whether the ordinary buffer or the auxiliary buffer holds the correct message; the specific criteria are:
(1) the data message in the receive buffer is the correct message, and the data message in the auxiliary buffer is an attack message:
$Seq_{next} + Data_{next} = Seq_{buffer}$
where $Seq_{next}$ denotes the sequence number of the next data message received by the NIDS, $Data_{next}$ denotes the data length of the next data message received by the NIDS, and $Seq_{buffer}$ denotes the expected sequence number of the data message stored in the ordinary buffer;
(2) the data message in the receive buffer is an attack message, and the data message in the auxiliary buffer is a normal message:
$Seq_{next} = Seq_{Aux\_buffer} + Data_{Aux\_buffer}$
where $Seq_{Aux\_buffer}$ denotes the expected sequence number of the data message stored in the auxiliary buffer and $Data_{Aux\_buffer}$ denotes the data length of the data message stored in the auxiliary buffer.
The computer device of the present invention may be a device including a processor, a memory, and the like, for example, a single chip microcomputer including a central processing unit and the like. And the processor is used for implementing the steps of the recommendation method capable of modifying the relationship-driven recommendation data based on the CREO software when executing the computer program stored in the memory.
The Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
Computer-readable storage medium embodiments
The computer readable storage medium of the present invention may be any form of storage medium that can be read by a processor of a computer device, including but not limited to non-volatile memory, ferroelectric memory, etc., and the computer readable storage medium has stored thereon a computer program that, when the computer program stored in the memory is read and executed by the processor of the computer device, can implement the above-mentioned steps of the CREO-based software that can modify the modeling method of the relationship-driven modeling data.
The computer program comprises computer program code which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.

Claims (10)

1. A NIDS network penetration detection method, characterized by comprising the following steps:
step one, detecting the TTL field value from the NIDS to the server;
step two, determining the type of the received message, executing step three when the message is a control message, and executing step four when the message is a data message;
step three, detecting control messages in the TCP state machine attack;
step four, detecting data messages in the TCP state machine attack.
2. The method of claim 1, wherein the step of detecting the TTL field value from the NIDS to the server specifically comprises the following steps:
step 1.1, generating a TTL table containing a TTL threshold field value and a service identification field;
step 1.2, calculating the field value hops from the NIDS to the server;
step 1.3, comparing the field value hops obtained in step 1.2 with the TTL threshold in the TTL table; when $hops < Table_{TTL}$, the TTL threshold in the TTL table is updated, and when $pkt_{TTL} < Table_{TTL}$, the message is presumed to be an attack message; where $Table_{TTL}$ denotes the TTL threshold field value in the TTL table and $pkt_{TTL}$ denotes the value of the TTL field in the message received by the NIDS.
3. The method of claim 2, wherein in step 1.2 the field value hops from the NIDS to the server is calculated by the following formula:
Figure FDA0003233617230000011
where hops is the field value from the NIDS to the server, $base_i$ is a base taking a value in [64, 128, 255], and $Pkt_{TTL}$ is the value of the TTL field in the message received by the NIDS.
4. The detection method according to claim 3, wherein the detection of the control packet in the TCP state machine attack in step three specifically includes detection of TCB creation, TCB destruction, TCB reversion and Resync + Desync attack means.
5. The detection method according to claim 4, wherein the detecting the data packet in the TCP state machine attack in the fourth step specifically includes detecting data overlapping, unordered data overlapping, ordered data overlapping and data asynchronous attack means.
6. The detection method according to claim 5, wherein the specific method for detecting control messages in the TCP state machine attack in step three comprises the following steps:
step 3.1, so that the NIDS does not discard control messages when it receives multiple SYN or SYN/ACK messages with the same four-tuple and conflicting sequence numbers, constructing a TCB chain for messages of the same four-tuple whose sequence numbers conflict;
step 3.2, establishing a timer for each TCB chain, the timer being updated when a new message arrives;
step 3.3, when captured control messages have a sequence number conflict, storing the conflicting control messages in the TCB chain;
step 3.4, receiving the next message;
step 3.5, when the TCB is in the creation stage, checking the sequence number of the next message; if a message in the TCB chain is continuous with the sequence number of the next message, that message is a normal message, and the other messages in the TCB chain are discarded as attack messages;
when the TCB is in the destruction stage and the TCB timer has timed out, the TCB chain is released; when the TCB timer has not timed out and a message of the same four-tuple is received after the RST/FIN message, the RST/FIN message can be determined to be an attack message, the TCB chain is retained, and the RST/FIN packet is discarded.
7. The detection method according to claim 6, wherein the specific method for detecting data messages in the TCP state machine attack in step four comprises the following steps:
step 4.1, constructing an auxiliary buffer that stores pointers to messages whose send sequence numbers overlap;
step 4.2, when captured data messages have overlapping sequence numbers: if $Seq_{pkt} < Seq_{expected}$, the message is identified as an attack; if $Seq_{pkt} > Seq_{expected}$, the pointer to the first data message is stored in the ordinary TCP receive buffer and the pointer to the overlapping data message is stored in the auxiliary buffer; where $Seq_{pkt}$ denotes the sequence number of the message currently being processed by the NIDS and $Seq_{expected}$ denotes the sequence number of the message the NIDS expects to receive;
step 4.3, after the NIDS finishes processing the current data message, updating $Seq_{expected}$ for receiving the next data message;
step 4.4, determining which of the messages stored in the receive buffer and the auxiliary buffer is correct, and discarding the attack message.
8. The detection method according to claim 7, wherein the specific method in step 4.4 for determining which stored message is correct is to receive the next data message and use it to decide whether the ordinary buffer or the auxiliary buffer holds the correct message, the specific criteria being:
(1) the data message in the receive buffer is the correct message, and the data message in the auxiliary buffer is an attack message:
$Seq_{next} + Data_{next} = Seq_{buffer}$
where $Seq_{next}$ denotes the sequence number of the next data message received by the NIDS, $Data_{next}$ denotes the data length of the next data message received by the NIDS, and $Seq_{buffer}$ denotes the expected sequence number of the data message stored in the ordinary buffer;
(2) the data message in the receive buffer is an attack message, and the data message in the auxiliary buffer is a normal message:
$Seq_{next} = Seq_{Aux\_buffer} + Data_{Aux\_buffer}$
where $Seq_{Aux\_buffer}$ denotes the expected sequence number of the data message stored in the auxiliary buffer and $Data_{Aux\_buffer}$ denotes the data length of the data message stored in the auxiliary buffer.
9. A computer comprising a memory storing a computer program and a processor, the processor implementing the steps of a NIDS network penetration detection method according to any one of claims 1 to 8 when executing the computer program.
10. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements a NIDS network penetration detection method as recited in any one of claims 1 to 8.
CN202110994850.8A 2021-08-27 2021-08-27 NIDS network penetration detection method, computer and storage medium Active CN113709156B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110994850.8A CN113709156B (en) 2021-08-27 2021-08-27 NIDS network penetration detection method, computer and storage medium

Publications (2)

Publication Number Publication Date
CN113709156A true CN113709156A (en) 2021-11-26
CN113709156B CN113709156B (en) 2022-09-27

Family

ID=78655861

Country Status (1)

Country Link
CN (1) CN113709156B (en)

Also Published As

Publication number Publication date
CN113709156B (en) 2022-09-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant