CN113794739B - Double-layer active defense method and device for man-in-the-middle attack - Google Patents

Double-layer active defense method and device for man-in-the-middle attack

Info

Publication number
CN113794739B
CN113794739B
Authority
CN
China
Prior art keywords
client
address
communication identifier
server
identifier
Prior art date
Legal status
Active
Application number
CN202111352075.2A
Other languages
Chinese (zh)
Other versions
CN113794739A (en)
Inventor
马腾超
许长桥
杨树杰
关建峰
黄毅婷
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202111352075.2A
Publication of CN113794739A
Application granted
Publication of CN113794739B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using challenge-response

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a double-layer active defense method and device against man-in-the-middle attacks, comprising the following steps: after migrating to a new address and switching the first network identifier to the second network identifier, sending a non-probe frame to the client; switching the first server communication identifier to a second server communication identifier and sending the second server communication identifier to the client; acquiring a second client communication identifier from the client; modifying the pre-stored first client communication identifier into the second client communication identifier; and conducting the session with the client using the second server communication identifier and the second client communication identifier. The invention combines network identifier hopping with communication identifier hopping, resists service-oriented MITM attacks and node-oriented MITM attacks through unpredictable rapid change, achieves a good defense effect against man-in-the-middle attacks through double random hopping, and offers higher confidentiality and security.

Description

Double-layer active defense method and device for man-in-the-middle attack
Technical Field
The invention relates to the technical field of computers, in particular to a double-layer active defense method and a double-layer active defense device for man-in-the-middle attack.
Background
Cloud computing has become a key infrastructure supporting the development of the digital economy in recent years. Kubernetes has gradually become the focus for building cloud-native technology and solutions, and provides a basic environment for applications such as AI and big data. As a production-grade container cluster management system promoted by Google, it provides container scheduling services and offers resource scheduling, balanced disaster tolerance, capacity expansion and reduction, and similar functions for containerized applications. However, Kubernetes presents a number of security concerns, and if Kubernetes is not effectively protected, the entire tenant environment is at risk. On one hand, static allocation of IP addresses lets an attacker easily find a target through continuous probing and then launch an attack; on the other hand, almost every tenant has the fundamental right to create and edit services and pods. Although different tenants have soft isolation based on namespaces, man-in-the-middle attacks such as traffic hijacking and data interception still occur frequently. For example, CVE-2020-. This vulnerability is a design flaw affecting all Kubernetes versions; multi-tenant clusters in which tenants can create and update services and pods are vulnerable. Because such man-in-the-middle attacks target the endpoint IP, HTTPS cannot defend against them, and the flaw remains exploitable.
Existing security defenses focus on patches, user configuration, and script monitoring. A patch can only mitigate a particular vulnerability. User security configuration is limited by the user's security level and awareness, and is exposed to social-engineering attacks. Script monitoring relies on security rules; its defense mechanism is static and rigid and cannot cope with 0-day bugs. As an active defense, address hopping can defend very well against man-in-the-middle attacks, but it relies on network forwarding agents or clock synchronization, which greatly increases the update cost and performance overhead of the network defense. In a Software Defined Network (SDN), a controller can acquire the topology of the entire network, centrally and uniformly manage network nodes, and implement user-transparent address hopping. However, the approach is limited by the coverage of the SDN network, deployment in real environments is limited, and once address hopping occurs, maintaining TCP-based stateful connections across the wide area network becomes difficult and service quality can be seriously affected.
In summary, there is a need for a defense method against man-in-the-middle attacks to solve the above problems in the prior art.
Disclosure of Invention
To address these problems of the existing methods, the invention provides a double-layer active defense method and device against man-in-the-middle attacks.
In a first aspect, the present invention provides a method of double-layer active defense against man-in-the-middle attacks, comprising:
after migrating to a new address and switching the first network identifier to the second network identifier, sending a non-probe frame to the client;
after the client responds, completing address verification with the client through a pre-stored first server communication identifier and first client communication identifier;
switching the first server communication identifier to a second server communication identifier and sending the second server communication identifier to the client;
acquiring a second client communication identifier from the client, where the second client communication identifier is obtained by the client refreshing the first client communication identifier;
modifying the pre-stored first client communication identifier into the second client communication identifier;
and conducting the session with the client using the second server communication identifier and the second client communication identifier.
Further, completing address verification with the client through the pre-stored first server communication identifier and first client communication identifier includes:
acquiring a probe packet from the client, where the probe packet includes a first random value;
sending a probe packet containing the first random value to the client;
sending a probe packet containing a second random value to the client;
and judging whether address verification passes according to the response of the client.
Further, before migrating to the new address, the method further includes:
determining a second network identifier corresponding to the new address using a preset address hopping algorithm.
Further, determining the second network identifier corresponding to the new address using the preset address hopping algorithm includes:
acquiring a first address set, reserved addresses, occupied addresses and risk addresses;
screening the addresses in the first address set according to the reserved, occupied and risk addresses to obtain a second address set;
determining the address hopping list for the current time according to the second address set;
and determining the second network identifier according to the address hopping list.
Further, the address hopping list for the current time is generated in advance, one address hopping interval before the current time.
Further, the first network identifier is switched to the second network identifier by adopting a first switching period, and the first server communication identifier is switched to the second server communication identifier by adopting a second switching period; the first switching period is an integer multiple of the second switching period.
Further, before determining the second network identifier corresponding to the new address using the preset address hopping algorithm, the method further includes:
completing a handshake process with the client based on the QUIC protocol.
In a second aspect, the present invention provides a device for double-layer active defense against man-in-the-middle attacks, comprising:
an address hopping module, configured to send a non-probe frame to the client after migrating to a new address and switching the first network identifier to the second network identifier, and, after the client responds, to complete address verification with the client through a pre-stored first server communication identifier and first client communication identifier;
a communication identifier hopping module, configured to switch the first server communication identifier to a second server communication identifier and send the second server communication identifier to the client; acquire a second client communication identifier from the client, where the second client communication identifier is obtained by the client refreshing the first client communication identifier; modify the pre-stored first client communication identifier into the second client communication identifier; and conduct the session with the client using the second server communication identifier and the second client communication identifier.
Further, the address hopping module is specifically configured to:
acquire a probe packet from the client, where the probe packet includes a first random value;
send a probe packet containing the first random value to the client;
send a probe packet containing a second random value to the client;
and judge whether address verification passes according to the response of the client.
Further, the address hopping module is specifically configured to:
determine, before migrating to the new address, a second network identifier corresponding to the new address using a preset address hopping algorithm.
Further, the address hopping module is specifically configured to:
acquire a first address set, reserved addresses, occupied addresses and risk addresses;
screen the addresses in the first address set according to the reserved, occupied and risk addresses to obtain a second address set;
determine the address hopping list for the current time according to the second address set;
and determine the second network identifier according to the address hopping list.
Further, the address hopping module is specifically configured to:
generate the address hopping list for the current time in advance, one address hopping interval before the current time.
Further, the address hopping module is specifically configured to:
switch the first network identifier to the second network identifier using a first switching period, and switch the first server communication identifier to the second server communication identifier using a second switching period, where the first switching period is an integer multiple of the second switching period.
Further, the address hopping module is further configured to complete a handshake process with the client based on the QUIC protocol before determining the second network identifier corresponding to the new address using the preset address hopping algorithm.
In a third aspect, the present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the double-layer active defense method against man-in-the-middle attacks of the first aspect.
In a fourth aspect, the present invention also provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the double-layer active defense method against man-in-the-middle attacks of the first aspect.
According to the above technical scheme, the double-layer active defense method and device against man-in-the-middle attacks ensure the continuity of the communication process by combining network identifier hopping with communication identifier hopping, together with the QUIC protocol, on the basis of moving target defense theory. Through unpredictable rapid changes, service-oriented MITM attacks and node-oriented MITM attacks are resisted; the double random hopping gives a good defense effect against man-in-the-middle attacks with high confidentiality and security. Meanwhile, no extra mapping between virtual IPs and actual IPs is needed, which reduces the complexity and maintenance difficulty of the network.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a system framework of the double-layer active defense method against man-in-the-middle attacks provided by the present invention;
FIG. 2 is a schematic flow chart of a double-layer active defense method against man-in-the-middle attacks according to the present invention;
FIG. 3 is a flow chart of a double-layer active defense method against man-in-the-middle attacks according to the present invention;
FIG. 4 is a schematic diagram of a double-layer active defense method against man-in-the-middle attacks provided by the present invention;
FIG. 5 is a diagram illustrating the server-client handshake provided by the present invention;
FIG. 6 is a schematic diagram of a double-layer active defense method against man-in-the-middle attacks provided by the present invention;
FIG. 7 is a schematic structural diagram of a device for double-layer active defense against man-in-the-middle attacks according to the present invention;
FIG. 8 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
The following further describes embodiments of the present invention with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
The double-layer active defense method against man-in-the-middle attacks provided by the embodiment of the invention can be applied to the system architecture shown in FIG. 1, which comprises a server 100 and a client 200.
In the embodiment of the present invention, the server 100 is generated by a Kubernetes cluster, may provide a specific service to the outside, and generally comprises a plurality of pod replicas.
Client 200 refers to a user browser, such as Chrome, that supports the QUIC protocol.
Specifically, the server 100 is configured to send a non-probe frame to the client 200 after migrating to the new address and switching the first network identifier to the second network identifier.
It should be noted that the network identifier is an IP address, and the IP address hops when the server migrates to a new address, for example switching from IP1 to IP2.
After the client 200 responds, the server 100 completes address verification with the client 200 through the pre-stored first server communication identifier and first client communication identifier.
It should be noted that the communication identifier CID is a connection ID (Connection ID), and represents a set of unique identifiers of the stateful connection established between the server and a specific client.
Generally speaking, it includes a client communication identifier and a server communication identifier, and during the server IP hop, as long as both parties can identify the CID, the session connection will not be interrupted.
The server 100 switches from the first server communication identifier to the second server communication identifier and sends the second server communication identifier to the client.
The server 100 obtains a second client communication identifier from the client.
The server 100 modifies the pre-stored first client communication identifier into a second client communication identifier.
The server 100 communicates with the client through the second server communication identifier and the second client communication identifier.
It should be noted that fig. 1 is only an example of a system architecture according to the embodiment of the present invention, and the present invention is not limited to this specifically.
Based on the system architecture illustrated above, FIG. 2 is a schematic flow chart of a double-layer active defense method against man-in-the-middle attacks according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
Step 201, after migrating to the new address and switching the first network identifier to the second network identifier, sending a non-probe frame to the client.
In the embodiment of the invention, the server is generated by a Kubernetes cluster, can provide specific services to the outside, and generally comprises a plurality of pod replicas. A client refers to a user browser that supports the QUIC protocol, such as Chrome.
It should be noted that the network identifier is an IP address, and the IP address hops when the server migrates to a new address, for example switching from IP1 to IP2.
In the embodiment of the invention, the server and the client communicate based on the QUIC protocol.
It should be noted that QUIC (Quick UDP Internet Connections) is a UDP-based low-latency Internet transport layer protocol.
Step 202, after the client responds, completing address verification with the client through the pre-stored first server communication identifier and first client communication identifier.
It should be noted that the communication identifier CID is a connection ID (Connection ID), and represents a set of unique identifiers of the stateful connection established between the server and a specific client.
Generally speaking, it includes a client communication identifier and a server communication identifier, and during the server IP hop, as long as both parties can identify the CID, the session connection will not be interrupted.
Step 203, switching the first server communication identifier to a second server communication identifier and sending the second server communication identifier to the client.
The embodiment of the invention ensures the secrecy of the service through dynamic switching of the communication identifier. After address verification is performed during the connection migration process, CID negotiation and handover begin.
Further, since the CID is a 64-bit unsigned integer, the selection space $C_s$ of the CIDs is 1 to $2^{64}$. Each CID identifies one session connection for the server.
It should be noted that, with the current session number defined as $Se_n$, the repetition probability is $Se_n / C_s$. Even if the number of CID switches is $2^{20}$, the repetition probability is only $2^{20} / 2^{64}$, which is very low. Likewise, facing such a range, it is almost impossible for an attacker to guess the session ID.
Step 204, acquiring a second client communication identifier from the client.
It should be noted that the second client communication identifier is obtained by the client refreshing the first client communication identifier.
Step 205, modifying the pre-stored first client communication identifier into the second client communication identifier.
Step 206, conducting the session with the client using the second server communication identifier and the second client communication identifier.
The flow of steps within step 202 in the embodiment of the present invention is shown in FIG. 3 and specifically includes the following steps:
Step 301, acquiring a probe packet from the client.
It should be noted that the probe packet includes a first random value.
For example, the client sends a probe packet containing a Path-Challenge frame, which carries the first random value.
Step 302, sending a probe packet containing the first random value to the client.
For example, the server responds with a probe packet containing a Path-Response frame, which carries the first random value received in the Path-Challenge.
Step 303, sending a probe packet containing a second random value to the client.
Step 304, judging whether address verification passes according to the response of the client.
According to this scheme, for IP address migration, after the IP address of the server changes, the client and the server complete address verification of each other and verify the reachability of the server's new path, so as to ensure the correct communication peer.
The connection migration of the embodiment of the invention comprises a switching process of a network identification IP address and a communication identification CID.
As shown in FIG. 4, after the server migrates from IP1 to the new address IP2:
S1-S2 are the connection migration of the server: after migrating to the new address, the server sends a non-probe frame containing data to the client, and the client responds with a non-probe frame.
S3-S4: the client starts address verification first and sends a probe packet containing a Path-Challenge frame, which carries an unpredictable random value; the server responds with a probe packet containing a Path-Response frame, which carries the random value received in the Path-Challenge.
S5-S6: the server then starts address verification, sends a probe packet, and the client responds.
Further, as shown in FIG. 4, after the server finishes the IP hop, the CID is switched as follows:
S1: the server first sends an initialization packet containing the new CID, informing the client to change the server CID from D1 to D2.
S2: the client also responds with an initialization packet confirming that the server CID has been changed to D2, while changing the client CID from C1 to C2.
In the embodiment of the invention, after both communicating parties have confirmed the CID change through the initialization packets, the new CIDs are used for the session.
According to this scheme, the communication identifier is changed dynamically within the session, in view of an attacker's cluster analysis of the traffic, while the continuity and anonymity of the session connection are ensured. With the support of the QUIC transport layer protocol, HTTP-related applications can be effectively protected through incremental updates, and the secrecy of services is guaranteed.
In the embodiment of the invention, the first network identifier is switched to the second network identifier using a first switching period, and the first server communication identifier is switched to the second server communication identifier using a second switching period.
It should be noted that the first switching period is an integer multiple of the second switching period, that is, the communication identifier exchange occurs within the network identifier switching interval.
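The FIG. 4 exchange (S1-S6 migration with path validation, then the D1 to D2 and C1 to C2 CID switch) and the period relation just stated, as an added Python model that is not the patent's code. The Endpoint class, the frame dictionaries, the 8-byte challenge nonce and the sample IPs are constructed for the example; the 64-bit CID space follows the description.

```python
import secrets
from dataclasses import dataclass, field

CID_SPACE = 2 ** 64  # the description treats a CID as a 64-bit unsigned integer


@dataclass
class Endpoint:
    """One side of the session; fields are constructed for this model."""
    ip: str
    own_cid: int    # CID the peer must place in packets addressed to us
    peer_cid: int   # CID we place in packets addressed to the peer
    pending: set = field(default_factory=set)   # PATH_CHALLENGE nonces awaiting a response
    used: set = field(default_factory=set)      # every CID this endpoint has ever used

    def __post_init__(self):
        self.used.add(self.own_cid)

    def fresh_cid(self) -> int:
        # Unpredictable draw from [1, 2^64); a repeat of an earlier CID is rejected.
        while True:
            cid = 1 + secrets.randbelow(CID_SPACE - 1)
            if cid not in self.used:
                self.used.add(cid)
                return cid

    def send(self, kind: str, **body) -> dict:
        return {"kind": kind, "src": self.ip, "dcid": self.peer_cid, **body}

    def accept(self, frame: dict) -> bool:
        # The destination CID, not the source IP, binds a packet to the session;
        # that is what keeps the session alive across the server's address hop.
        return frame["dcid"] == self.own_cid


def verify_path(challenger: Endpoint, responder: Endpoint) -> bool:
    """One direction of address verification (S3-S4 client-initiated, S5-S6 server-initiated)."""
    nonce = secrets.token_bytes(8)
    challenger.pending.add(nonce)
    challenge = challenger.send("PATH_CHALLENGE", data=nonce)
    if not responder.accept(challenge):
        return False
    response = responder.send("PATH_RESPONSE", data=challenge["data"])
    if not challenger.accept(response) or response["data"] not in challenger.pending:
        return False
    challenger.pending.discard(response["data"])
    return True


def migrate_server(server: Endpoint, client: Endpoint, new_ip: str) -> bool:
    """S1-S6: the server moves to new_ip, then both sides validate the new path."""
    server.ip = new_ip
    # S1-S2: a non-probe frame carrying data from the new address, answered by a non-probe frame
    if not client.accept(server.send("STREAM", data=b"data from the new address")):
        return False
    if not server.accept(client.send("STREAM", data=b"ack")):
        return False
    # S3-S4: the client challenges first; S5-S6: the server challenges back
    return verify_path(client, server) and verify_path(server, client)


def hop_cids(server: Endpoint, client: Endpoint) -> tuple:
    """CID hop: the server announces D2, the client confirms it and refreshes its own CID to C2."""
    d2 = server.fresh_cid()
    init = server.send("INIT", new_cid=d2)          # still addressed to the old client CID
    if not client.accept(init):
        raise RuntimeError("client rejected the server's CID announcement")
    client.peer_cid = init["new_cid"]                # client now addresses the server as D2
    c2 = client.fresh_cid()
    confirm = client.send("INIT", new_cid=c2, confirm=init["new_cid"])
    server.own_cid = d2                              # server listens on D2 from here on
    if not server.accept(confirm) or confirm["confirm"] != d2:
        raise RuntimeError("server did not receive a valid CID confirmation")
    server.peer_cid = confirm["new_cid"]             # server addresses the client as C2
    client.own_cid = c2
    return d2, c2


def hop_schedule(addr_period: int, cid_period: int, horizon: int) -> list:
    """Hop events in (0, horizon): the address period must be a whole multiple of the CID period."""
    if addr_period % cid_period != 0:
        raise ValueError("address hop period must be an integer multiple of the CID hop period")
    return [(t, "addr+cid" if t % addr_period == 0 else "cid")
            for t in range(cid_period, horizon, cid_period)]


def run_double_hop() -> dict:
    """Constructed run: IP1 -> IP2 migration, then D1 -> D2 and C1 -> C2, then a stale-CID packet."""
    server = Endpoint("10.0.0.1", own_cid=0xD1, peer_cid=0xC1)
    client = Endpoint("192.0.2.10", own_cid=0xC1, peer_cid=0xD1)
    migrated = migrate_server(server, client, "10.0.0.2")
    d2, c2 = hop_cids(server, client)
    # A packet still carrying the old client CID C1 is dropped after the hop,
    # while traffic using the new CIDs continues to flow.
    stale = client.accept({"kind": "STREAM", "src": server.ip, "dcid": 0xC1})
    live = client.accept(server.send("STREAM", data=b"after the hop"))
    return {"migrated": migrated, "d2": d2, "c2": c2, "stale_accepted": stale, "live_accepted": live}
```

Calling run_double_hop() walks through one migration and one CID hop; hop_schedule(30, 10, 61) lists which hops fall at each tick when the address period is three CID periods.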
The address hopping of the embodiment of the invention is deployed in an API server of a Master component and is responsible for dynamically changing an access interface. Therefore, it uses different cluster IPs to handle client requests of different address hop intervals. CID identification hopping is deployed based on a QUIC protocol, and therefore the stateful connection is guaranteed not to be interrupted. The connection layer is responsible for dynamically changing the CID of each session connection, thereby obfuscating the communication traffic of multiple sessions.
According to the scheme, the continuity of the communication process is guaranteed by combining network identification hopping and communication identification hopping and combining a QUIC protocol based on a moving target defense theory. Through unpredictable rapid changes, service-oriented MITM attacks and node-oriented MITM attacks are resisted, and the method has a good defense effect on man-in-the-middle attacks through double random hopping and has high confidentiality and safety. Meanwhile, extra mapping of virtual IP and actual IP is not needed, and complexity and maintenance difficulty of the network are reduced.
Further, as shown in fig. 5, before step 201, the server and the client complete a handshake process based on the QUIC protocol according to the embodiment of the present invention.
It should be noted that QUIC (quick UDP Internet connection) is a UDP-based low-latency Internet transport layer protocol.
First, a client performs domain name resolution through a DNS server. In general, the DNS cloud server can implement real-time update of public network IP and domain name mapping. After obtaining the public IP corresponding to the Service IP on the Kubernetes, the client tries to establish connection, which is specifically as follows:
S1-S2 are address verification: the client sends an initial packet to the server, and the server generates a random token and responds to the client through a retry packet.
It should be noted that the QUIC performs address verification before handshaking to ensure that the source address in the request packet is not forged.
S3: the client sends an initial packet containing a token, a version number, a first client communication identifier and a first server communication identifier.
It should be noted that, since the communication identifier of the server is not currently known, the value here is a random value.
S4: and the server responds, and the data packet comprises a handshake packet, a version protocol packet, a first client communication identifier and a first server communication identifier.
S5: the client side performs handshake with the server side through the first server communication identification.
S6: the server side responds to the handshake and sends a data frame, wherein the data frame comprises a handshake completion packet, a token and a data stream.
In the embodiment of the invention, before the new address is migrated, a preset address hopping algorithm is adopted to determine the second network identifier corresponding to the new address.
It should be noted that the Master node of Kubernetes is an address hopping management center for all services, and an address hopping algorithm is designed based on an Api server component in the embodiment of the present invention.
The flow of steps is shown in fig. 6, and specifically as follows:
step 601, acquiring a first address set, a reserved address, an occupied address and a risk address.
In particular, a first address set $U_a$ is defined as the selection space for cluster service addresses, for example a class B address block. A second address set $U_c$ is defined as the actual selectable space of the cluster service after the various constraints of the address hopping process. The constraints set by the address hopping algorithm are as follows:
1. $U_r$ is the reserved address set. Some services in the cluster may require a fixed cluster IP; for example, some services may need a fixed IP address while being tested. The algorithm must exclude such addresses when selecting new addresses. $U_{c1}$ is the remaining selection space of $U_a$, calculated as follows:
[formula image]
2. $U_o$ is the occupied address set. When selecting a new address, the currently used addresses must be excluded to prevent address collisions. During the hopping process, occupied addresses are released successively and newly occupied addresses are continuously added to the set. $U_{c2}$ is the remaining selection space of $U_a$, calculated as follows:
[formula image]
3. $U_d$ is the risk address set. A cluster IP is translated between the virtual address and the public network address based on iptables, so once a problem arises with a cluster IP, it should not be allocated to a service again until repaired. $U_{c3}$ is the remaining selection space of $U_a$, calculated as follows:
[formula image]
Step 602, screening the addresses in the first address set according to the reserved, occupied and risk addresses to obtain a second address set.
In particular, the second address set $U_c$ is calculated as follows:
[formula image]
step 603, determining an address hopping list of the current time according to the second address set.
It should be noted that the address hopping list for the current time is generated in advance, one address hopping interval before the current time.
And step 604, determining a second network identifier according to the address hopping list.
In one possible embodiment, an IP address is randomly selected from the address hopping list as the second network identifier.
In the embodiment of the invention, in order to hop addresses while keeping the network connection alive, the network position represented by the traditional IP is separated from the communication session on the basis of the QUIC protocol. The IP only represents the network position, and through hopping the man-in-the-middle attacker loses the ability to steal traffic or hijack the IP.
In this scheme, the address hopping algorithm takes the IPs already in use by the server and the fixed cluster IPs that may be required into account in the random IP selection range, and the IPs are updated in real time after hopping, so the defense against man-in-the-middle attacks is effective and confidentiality and security are high.
Further, the embodiment of the present invention defines the number of services as Ns and Ti as the random IP generation time of service i. The time T_Ns required to provide the next random IP for all Ns services is:
[equation image not reproduced]
To avoid this consumption time growing linearly, the embodiment of the invention pre-allocates a future hop address for each service:
[equation image not reproduced]
To compute the future hop addresses of all services, a hop interval is preset:
[equation image not reproduced]
In the embodiment of the invention, when the hopping mechanism is initialized and started, the IP hopping lists from the current time t1 up to the time [equation image not reproduced] are computed. Then, at time i, the address hopping list for the time [equation image not reproduced] is computed.
It should be noted that the embodiment of the present invention is implemented as an incremental update to the existing Kubernetes modules. After the module performs the IP replacement, the container network module automatically updates the IPVS or iptables packet forwarding rules, so that packets are still forwarded outward smoothly under the new IP. The binding of the cluster IP to the external IP is also refreshed.
The following analyzes the security and performance of the invention theoretically from three aspects: unpredictability analysis of IP address hopping, data traffic anti-correlation analysis for the same session, and endpoint communication delay analysis.
1. Unpredictability analysis of IP address hopping: under address hopping, the difficulty an attacker has in breaking through the defense needs to be analyzed. To launch a MITM attack on a web service, the attacker first needs to discover the cluster IP where the server is located, and then intercept packets through a server-oriented or node-oriented man-in-the-middle attack to steal information.
For services exposed in K8s, it is difficult for an attacker to discover the service target by sending probe messages, because of the network isolation provided by namespaces. But due to defects inside the cluster, an attacker may guess the location of the service, such as the cluster IP and port number, and so launch service-oriented MITM attacks, i.e. endpoint-side man-in-the-middle attacks that are independent of namespace isolation. The embodiment of the invention defines the number of containers an attacker can implant as k and the hopping space of the server address providing the service as [equation image not reproduced]. Although the service port does not change afterwards, it still has a random space m, so the probability that the attacker's first guess succeeds is [equation image not reproduced]. Since server addresses hop continuously, the attacker still has to guess the correct server IP address at the next moment, so the probability of each successive guess is [equation image not reproduced]. Thus, under the address hopping mechanism, the hit probability p of the attacker over e successive rounds is:
[equation image not reproduced]
The probability that the attacker guesses successfully is inversely proportional to the server address hop space and the service port space, and proportional to the number of pods implanted. As time goes on, p becomes smaller, so the attacker is less and less able to cope with our defense mechanism.
2. Data traffic anti-correlation analysis for the same session: here the difficulty of an attacker obtaining critical information is discussed. Assume there is already a spy client that keeps informing the attacker of the cluster IP address. Without limiting the attacker's ability, the attacker may have implanted the spy client by means such as social engineering, so as to obtain the server's real-time hopping IP. On the other hand, the attacker intercepts network traffic by illegally intruding into key nodes of the network. Under massive data interaction, whether the packets can be subjected to correlation analysis is the key to system security. When routing is performed by IP, a single session is identified by the CIDs agreed by the client and the server respectively, and an attacker located at a key path node has to aggregate the packets belonging to the same session in order to associate data streams.
In the QUIC protocol, a 64-bit header field is used as the communication identifier between the client and the server. According to the handover algorithm, the communication identifier is switched after every IP hop. If an attacker wants to obtain critical information between the client and the server, the entire session has to be collected out of a huge amount of data, because the attacker cannot tell which packets carry the critical information of the corresponding session. Suppose the service currently has s sessions. Each time the attacker intercepts a packet, it has to associate the packet of the current time [equation image not reproduced] with the packet of the previous time [equation image not reproduced] for session association.
For one session, the probability that a single guess by the attacker succeeds is [equation image not reproduced]. Then, as the number of hops increases, the probability that the attacker guesses a session successfully is:
[equation image not reproduced]
where x is the number of communication identifier hop rounds. Thus, the more client connections and the longer the communication time, the higher the system security.
Therefore, even if an attacker obtains the real-time IP address of the server through an internal spy client, the probability of obtaining valid information is extremely low because of the communication identifier hopping mechanism.
3. Endpoint communication delay analysis: the communication delay consumed by the defense mechanism is analyzed, divided mainly into the time consumed by IP hops and by CID hops. For an IP hop, after each server address hop the client must receive a packet in order to sense the change of address, which requires 0.5 round-trip delay: the client receives packets with a different server address but the same CID communication identifier. In addition, after the server address changes, the client and the server need two round-trip delays to perform path verification. For a CID handover, the server and the client need one data exchange to negotiate the CID hop, which takes one round-trip delay. Within one hop interval T, our system needs to perform one IP address hop and one CID handover. The data transmission efficiency d under the influence of the defense mechanism is then:
[equation image not reproduced]
where [equation image not reproduced] is the round-trip delay and w represents the round-trip delay consumption, including the time consumed by IP hops and SCID hops. The effective data transmission rate is proportional to the hop interval and inversely proportional to the network round-trip delay.
Based on the same inventive concept, fig. 7 exemplarily illustrates a device for double-layer active defense against man-in-the-middle attacks, which may execute the flow of the method for double-layer active defense against man-in-the-middle attacks according to an embodiment of the present invention.
The apparatus comprises:
an address hopping module 701, configured to send a non-probe frame to the client after migrating to a new address and switching the first network identifier to the second network identifier; after the client responds, address verification is completed with the client through a first server communication identifier and a first client communication identifier which are stored in advance;
a communication identifier hopping module 702, configured to switch the first server communication identifier to a second server communication identifier and send the second server communication identifier to the client; acquiring a second client communication identifier from the client; the second client communication identifier is obtained by the client refreshing the first client communication identifier; modifying the pre-stored first client communication identifier into the second client communication identifier; and the second server communication identifier and the second client communication identifier are used for conversation with the client.
Further, the address hopping module 701 is specifically configured to:
acquiring a detection packet from the client; the probe packet includes a first random value;
sending a probe packet containing the first random value to the client;
sending a probe packet containing a second random value to the client;
and judging whether the address verification passes according to the response of the client.
Further, the address hopping module 701 is specifically configured to:
and before the new address is migrated, determining a second network identifier corresponding to the new address by adopting a preset address hopping algorithm.
Further, the address hopping module 701 is specifically configured to:
acquiring a first address set, a reserved address, an occupied address and a risk address;
screening addresses in the first address set according to the reserved address, the occupied address and the risk address to obtain a second address set;
determining an address hopping list of the current moment according to the second address set;
and determining a second network identifier according to the address hopping list.
Further, the address hopping module 701 is specifically configured to:
the address hopping list of the current time is generated in advance at a time apart from the address hopping interval of the current time.
Further, the address hopping module 701 is specifically configured to:
switching the first network identifier to the second network identifier by adopting a first switching period, and switching the first server communication identifier to the second server communication identifier by adopting a second switching period; the first switching period is an integer multiple of the second switching period.
Further, the address hopping module is further configured to complete a handshake process with the client based on the QUIC protocol before determining, by the preset address hopping algorithm, the second network identifier corresponding to the new address.
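The following Python simulation is an added example, not the patent's code, of the two modules described above working together on one hop: the server announces the address hop with a non-probe data frame, address verification runs with a client random value and a server random value, and then the server communication identifier is switched and the client refreshes its own identifier. The frame types, the 8-byte identifiers, the `run_hop` driver and the observer that records what an on-path eavesdropper sees are all assumptions; this is a model of the exchange, not a QUIC implementation (real QUIC path validation uses PATH_CHALLENGE/PATH_RESPONSE frames).

```python
"""Added example (not the patent's code): a toy model of one double-layer hop.
Frame names, 8-byte identifiers and the observer are assumptions; this is
not a QUIC implementation."""
import secrets


def new_id() -> bytes:
    """64-bit communication identifier, the width the description gives."""
    return secrets.token_bytes(8)


class Server:
    def __init__(self, addr: str):
        self.addr = addr
        self.scid = new_id()        # first server communication identifier
        self.ccid = None            # first client communication identifier
        self.pending = None         # second random value sent to the client
        self.verified = False

    def handshake(self, client: "Client") -> None:
        """Stand-in for the QUIC handshake: both sides store the peer identifier."""
        self.ccid, client.scid, client.server_addr = client.ccid, self.scid, self.addr

    def migrate(self, new_addr: str) -> dict:
        """Address-hopping module: move to the new address and send an ordinary
        (non-probe) data frame from it, keeping the current identifiers."""
        self.addr, self.verified = new_addr, False
        return {"type": "DATA", "src": self.addr, "dcid": self.ccid, "payload": b"app"}

    def on_probe(self, frame: dict) -> list:
        """Echo the client's first random value, then challenge with a second."""
        assert frame["dcid"] == self.scid
        self.pending = new_id()
        return [{"type": "PROBE_ACK", "src": self.addr, "dcid": self.ccid, "value": frame["value"]},
                {"type": "PROBE", "src": self.addr, "dcid": self.ccid, "value": self.pending}]

    def on_probe_ack(self, frame: dict) -> bool:
        """Address verification passes only if the second value returns intact."""
        self.verified = self.pending is not None and frame["value"] == self.pending
        return self.verified

    def rotate_cid(self) -> dict:
        """Identifier-hopping module: switch to the second SCID and send it."""
        self.scid = new_id()
        return {"type": "NEW_CID", "src": self.addr, "dcid": self.ccid, "new_cid": self.scid}

    def on_new_cid(self, frame: dict) -> None:
        """Replace the stored first client identifier with the refreshed one."""
        self.ccid = frame["new_cid"]


class Client:
    def __init__(self, addr: str):
        self.addr, self.ccid = addr, new_id()
        self.scid = self.server_addr = self.challenge = None
        self.verified = False

    def on_data(self, frame: dict):
        """Sensing: same identifier from a new source address means the server
        hopped; start verification with a probe carrying a first random value."""
        assert frame["dcid"] == self.ccid
        if frame["src"] == self.server_addr:
            return None
        self.server_addr, self.verified, self.challenge = frame["src"], False, new_id()
        return {"type": "PROBE", "src": self.addr, "dcid": self.scid, "value": self.challenge}

    def on_probe_ack(self, frame: dict) -> None:
        self.verified = frame["value"] == self.challenge

    def on_probe(self, frame: dict) -> dict:
        return {"type": "PROBE_ACK", "src": self.addr, "dcid": self.scid, "value": frame["value"]}

    def on_new_cid(self, frame: dict) -> dict:
        """Adopt the second server identifier and refresh our own in reply."""
        self.scid, self.ccid = frame["new_cid"], new_id()
        return {"type": "NEW_CID", "src": self.addr, "dcid": self.scid, "new_cid": self.ccid}


def run_hop(server: Server, client: Client, new_addr: str, observer: list) -> dict:
    """Drive one hop. `observer` receives what an on-path eavesdropper sees per
    frame: (source address, destination identifier), and nothing else."""
    def send(frame):
        observer.append((frame["src"], frame["dcid"]))
        return frame
    before = send({"type": "DATA", "src": server.addr, "dcid": server.ccid, "payload": b"x"})
    probe = client.on_data(send(server.migrate(new_addr)))
    ack, challenge = (send(f) for f in server.on_probe(send(probe)))
    client.on_probe_ack(ack)
    server.on_probe_ack(send(client.on_probe(challenge)))
    server.on_new_cid(send(client.on_new_cid(send(server.rotate_cid()))))
    after = send({"type": "DATA", "src": server.addr, "dcid": server.ccid, "payload": b"y"})
    return {"verified": server.verified and client.verified,
            "same_addr": before["src"] == after["src"],
            "same_cid": before["dcid"] == after["dcid"]}
```

`run_hop` reports whether both sides finished verification and whether the last data frame still shares the source address or the destination identifier of the frame sent before the hop. With both false, the observer's records from before and after the hop have neither field in common, which is the anti-correlation property the analysis above relies on; a probe answer carrying the wrong random value leaves `verified` false on the server.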
Based on the same inventive concept, another embodiment of the present invention provides an electronic device, which specifically includes the following components, with reference to fig. 8: a processor 801, a memory 802, a communication interface 803, and a communication bus 804;
the processor 801, the memory 802 and the communication interface 803 complete mutual communication through the communication bus 804; the communication interface 803 is used for realizing information transmission between devices;
the processor 801 is configured to call a computer program in the memory 802, and the processor executes the computer program to implement all the steps of the above-mentioned method for double-layer active defense against man-in-the-middle attacks, for example, the processor executes the computer program to implement the following steps: after the new address is migrated and the first network identifier is switched to the second network identifier, sending a non-detection frame to the client; after the client responds, address verification is completed with the client through a first server communication identifier and a first client communication identifier which are stored in advance; switching the first server communication identifier into a second server communication identifier and sending the second server communication identifier to the client; acquiring a second client communication identifier from the client; the second client communication identifier is obtained by the client refreshing the first client communication identifier; modifying the pre-stored first client communication identifier into the second client communication identifier; and the second server communication identifier and the second client communication identifier are used for conversation with the client.
Based on the same inventive concept, a further embodiment of the present invention provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs all the steps of the above-mentioned method for two-tier active defense against man-in-the-middle attacks, for example, when the processor executes the computer program, the following steps are performed: after the new address is migrated and the first network identifier is switched to the second network identifier, sending a non-detection frame to the client; after the client responds, address verification is completed with the client through a first server communication identifier and a first client communication identifier which are stored in advance; switching the first server communication identifier into a second server communication identifier and sending the second server communication identifier to the client; acquiring a second client communication identifier from the client; the second client communication identifier is obtained by the client refreshing the first client communication identifier; modifying the pre-stored first client communication identifier into the second client communication identifier; and the second server communication identifier and the second client communication identifier are used for conversation with the client.
In addition, the logic instructions in the memory may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, an apparatus for defending against man-in-the-middle attacks, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on such understanding, the above technical solutions may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, an apparatus for defending against man-in-the-middle attacks, or a network device, etc.) to execute the method for double-layer active defense against man-in-the-middle attacks described in the embodiments or some parts of the embodiments.
In addition, in the present invention, terms such as "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Moreover, in the present invention, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Furthermore, in the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method of two-tier active defense against man-in-the-middle attacks, comprising:
after the server side migrates to the new address and switches the first network identifier into the second network identifier, a non-detection frame is sent to the client side;
the server side completes address verification with the client side through a first server communication identifier and a first client side communication identifier which are stored in advance after the client side responds;
the server side is switched to a second server communication identifier from the first server communication identifier and sends the second server communication identifier to the client side;
the server side obtains a second client side communication identification from the client side; the second client communication identifier is obtained by the client refreshing the first client communication identifier;
the server side modifies the pre-stored first client side communication identification into the second client side communication identification;
and the server side is conversed with the client side through the second server communication identification and the second client side communication identification.
2. The method of two-tier active defense against man-in-the-middle attacks claimed in claim 1, wherein said performing address verification with said client through a pre-stored first server communication identity and first client communication identity comprises:
acquiring a detection packet from the client; the probe packet includes a first random value;
sending a probe packet containing the first random value to the client;
sending a probe packet containing a second random value to the client;
and judging whether the address verification passes according to the response of the client.
3. The method of two-tier active defense against man-in-the-middle attacks of claim 1, further comprising, prior to said migrating to a new address:
and determining a second network identifier corresponding to the new address by adopting a preset address hopping algorithm.
4. The method for double-layer active defense against man-in-the-middle attacks according to claim 3, wherein the determining the second network identifier corresponding to the new address by using a preset address hopping algorithm comprises:
acquiring a first address set, a reserved address, an occupied address and a risk address;
screening addresses in the first address set according to the reserved address, the occupied address and the risk address to obtain a second address set;
determining an address hopping list of the current moment according to the second address set;
and determining a second network identifier according to the address hopping list.
5. The method for two-tier active defense against man-in-the-middle attacks claimed in claim 4, wherein the address transition list at the current time is pre-generated at a time spaced from the address transition at the current time.
6. The method for two-tier active defense against man-in-the-middle attacks claimed in claim 1, characterized in that a first switching period is employed to switch the first network identity to the second network identity, a second switching period is employed to switch from the first server communication identity to the second server communication identity; the first switching period is an integer multiple of the second switching period.
7. The method for double-layer active defense against man-in-the-middle attacks according to claim 3, further comprising, before the determining the second network identifier corresponding to the new address by using a preset address hopping algorithm, the following steps:
and finishing a handshake process with the client based on a QUIC protocol.
8. An apparatus for double-tiered active defense against man-in-the-middle attacks, comprising:
the address hopping module is used for sending a non-detection frame to the client after the new address is migrated and the first network identifier is switched to the second network identifier; after the client responds, address verification is completed with the client through a first server communication identifier and a first client communication identifier which are stored in advance;
the communication identifier hopping module is used for switching the first server communication identifier into a second server communication identifier and sending the second server communication identifier to the client; acquiring a second client communication identifier from the client; the second client communication identifier is obtained by the client refreshing the first client communication identifier; modifying the pre-stored first client communication identifier into the second client communication identifier; and the second server communication identifier and the second client communication identifier are used for conversation with the client.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method according to any of claims 1 to 7 are implemented when the processor executes the program.
10. A non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN202111352075.2A 2021-11-16 2021-11-16 Double-layer active defense method and device for man-in-the-middle attack Active CN113794739B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111352075.2A CN113794739B (en) 2021-11-16 2021-11-16 Double-layer active defense method and device for man-in-the-middle attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111352075.2A CN113794739B (en) 2021-11-16 2021-11-16 Double-layer active defense method and device for man-in-the-middle attack

Publications (2)

Publication Number Publication Date
CN113794739A CN113794739A (en) 2021-12-14
CN113794739B true CN113794739B (en) 2022-04-12

Family

ID=78955387

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111352075.2A Active CN113794739B (en) 2021-11-16 2021-11-16 Double-layer active defense method and device for man-in-the-middle attack

Country Status (1)

Country Link
CN (1) CN113794739B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115225733B (en) * 2022-02-22 2024-04-05 北京邮电大学 Identification analysis method and device based on direct routing and dynamic quantization analysis load
CN114968617B (en) * 2022-04-28 2023-09-01 杭州未名信科科技有限公司 API conversion system, access request processing method thereof, electronic equipment and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016039643A1 (en) * 2014-09-12 2016-03-17 Pickles Samuel Geoffrey A telecommunications defence system
WO2018059480A1 (en) * 2016-09-29 2018-04-05 腾讯科技(深圳)有限公司 Method, device, and system for defending against network attack

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571770B (en) * 2011-12-27 2015-02-04 北京神州绿盟信息安全科技股份有限公司 Man-in-the-middle attack detection method, device, server and system
CN102904883B (en) * 2012-09-25 2015-07-08 上海交通大学 Man-in-middle attack defense method of online trading system
CN103051633B (en) * 2012-12-25 2016-09-07 华为技术有限公司 A kind of method and apparatus of defensive attack
CN103067385B (en) * 2012-12-27 2015-09-09 深圳市深信服电子科技有限公司 The method of defence Hijack Attack and fire compartment wall
US20140282891A1 (en) * 2013-03-15 2014-09-18 Stephen Frechette Method and system for unique computer user identification for the defense against distributed denial of service attacks
US10264001B2 (en) * 2015-08-12 2019-04-16 Wizard Tower TechnoServices Ltd. Method and system for network resource attack detection using a client identifier
CN110557355B (en) * 2018-05-31 2021-07-27 上海连尚网络科技有限公司 Method and equipment for detecting man-in-the-middle attack through user equipment
CN113114701B (en) * 2021-04-30 2023-02-28 网络通信与安全紫金山实验室 QUIC data transmission method and device

Also Published As

Publication number Publication date
CN113794739A (en) 2021-12-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant