CN114363087A - Scanner countermeasure method and system based on bypass interference - Google Patents

Scanner countermeasure method and system based on bypass interference

Info

Publication number: CN114363087A
Authority: CN (China)
Legal status: Granted; Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202210103520.XA
Other languages: Chinese (zh)
Other versions: CN114363087B (en)
Inventors: 王嘉雄, 魏兴国
Current Assignee: Hangzhou Moan Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original Assignee: Hangzhou Moan Technology Co ltd
Application filed by Hangzhou Moan Technology Co ltd

Abstract

The application discloses a scanner countermeasure method and system based on bypass interference, in the technical field of network attack and defense. The method comprises the following steps: preparing and storing response data packets of a plurality of operating systems; sorting the access data packets to generate access data; judging from the access data whether an access data packet is a key data packet; if so, examining the key data packet to detect whether it has the characteristic items of a network scanner; and if so, sending back to the network scanner a response data packet of any operating system other than the local one. The beneficial effect is that when the network scanner accesses the host, the bypass monitoring system constructs a forged reply packet from the stored response data packet of the designated operating system, so that the attacker's network scanner misjudges the operating system as the designated one. No kernel parameters need to be modified and no kernel needs to be recompiled, so the operation is unlikely to crash the system and is simple to implement.

Description

Scanner countermeasure method and system based on bypass interference
Technical Field
The application belongs to the technical field of network attack and defense, and particularly relates to a scanner countermeasure method and system based on bypass interference.
Background
In the field of network attack and defense, the first step of any attack or security test is usually information gathering by network scanning, and an important part of network scanning is identifying the operating system behind a given IP. Once the operating system is identified, an attacker or security tester can only attack through vulnerabilities that this operating system actually has. Therefore, disguising one operating system as another at the scanner's detection stage provides a certain degree of defense. The most widely used operating-system identification function in existing scanners is that of the open-source tool nmap; most other network scanning tools are developed on top of nmap, and their operating-system fingerprinting function is often a direct reuse of nmap's.
nmap is a port scanner used to find the open ports of networked computers, determine which services are running on which ports, and infer which operating system the computer is running, in order to assess the security of a network system. Like most tools used for network security, nmap is also popular with hackers and crackers. A system administrator may use nmap to detect unauthorized servers in the work environment, while a cracker may use nmap to gather the network configuration of a target computer and plan an attack accordingly. Current anti-scanning solutions have the following drawback: they require modifying kernel parameters or recompiling the kernel, which is complex within an operating system and prone to causing system crashes, so implementation is difficult.
Disclosure of Invention
The present application aims to provide a scanner countermeasure method and system based on bypass interference, to solve the technical problem in the prior art that countering a network scanner requires modifying kernel parameters, which is difficult and complicated.
In order to achieve the technical purpose, the technical scheme adopted by the application is as follows:
a scanner countermeasure method based on bypass interference, comprising the steps of:
preparing and storing response data packets of a plurality of operating systems, monitoring all visitors and receiving access data packets of the visitors;
sorting the access data packet to generate access data, judging whether the access data packet is a key data packet or not according to the access data, and if not, discarding the access data packet;
and if so, detecting the key data packet, detecting whether the key data packet has the characteristic item of the network scanner, and if so, sending a response data packet of any operating system other than that of the local host back to the network scanner.
Preferably, the method further comprises the steps of:
and adopting a bypass blocking operation: extracting the content of the key data packet, modifying its TCP FLAGS array to generate a Reset packet, and transmitting the Reset packet to the host.
Preferably, the method further comprises the steps of:
and setting up at least two operating systems of different types, one of which is used to run the service while the others are used to prepare and store their response data packets.
Preferably, the monitoring all the visitors and receiving the access data packet of the visitor specifically includes the following steps:
setting a bypass monitoring system, configuring a switch to forward data of one or more ports to a monitoring port, and monitoring all visitors;
and the access data packet of the visitor is mirrored to the monitoring port, and the content of the access data packet is captured.
Preferably, the access data includes source IP, source port, destination IP, destination port, TCP FLAGS array and initial access packet contents.
Preferably, preparing and storing response data packets of a plurality of operating systems, specifically comprising the following steps:
and simulating to receive a system detection probe sent by the network scanner, modifying the data content of the IP packet header and the TCP packet header in response to the system detection probe, and generating and storing a response data packet of the specified operating system.
Preferably, the system detection probes comprise a sequence generation algorithm probe, a TCP protocol probe, a UDP protocol probe, an ICMP echo probe and an ECN probe.
A scanner countermeasure system based on bypass interference, comprising:
the storage unit stores response data packets of a plurality of operating systems;
the bypass monitoring system is used for monitoring all visitors and receiving their access data packets, sorting the access data packets to generate access data, judging from the access data whether an access data packet is a key data packet, and detecting whether the key data packet has the characteristic items of the network scanner;
and the communication unit is used for sending a response data packet of any operating system other than the local operating system back to the network scanner.
An electronic device comprising a memory and a processor, the memory for storing one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement a bypass interference based scanner countermeasure method as described above.
A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method described above.
The beneficial effects provided by the application are as follows:
1. The method prepares and stores response data packets of a plurality of operating systems, monitors all visitors and receives their access data packets, sorts the access data packets to generate access data, and judges from the access data whether an access data packet is a key data packet. When a network scanner accesses the host, the bypass monitoring system constructs a forged reply packet from the response data packet of a specified operating system; because the network scanner's algorithm is fixed and unchangeable, specific data in the forged reply packet yields a specific fingerprint, so the attacker's network scanner misjudges the operating system as the specified one. No kernel parameters need to be modified and no kernel needs to be recompiled, so the operation is unlikely to crash the system and is simple to implement.
2. A bypass monitoring system is set up, the switch is configured to forward the data of one or more ports to a monitoring port, all visitors are monitored, the visitors' access data packets are mirrored to the monitoring port, and their content is captured. In order not to affect the original service on the operating system, the methods of bypass monitoring, bypass blocking and forged reply construction are adopted, which makes the scheme transparent to both scanners and services.
3. The access data comprises a source IP, a source port, a destination IP, a destination port, a TCP FLAGS array and the initial access data packet content. The IP and port on which the service program listens do not need to be modified; only one additional set of bypass monitoring system needs to be deployed, at the port-mirror network port of the switch, from where it can monitor the access data packets of all visitors passing through the switch.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a flowchart of a scanner countermeasure method based on bypass interference in embodiment 1.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example 1:
As shown in Fig. 1, the present embodiment includes a scanner countermeasure method based on bypass interference, comprising the following steps: preparing and storing response data packets of a plurality of operating systems, monitoring all visitors and receiving the visitors' access data packets.
The access data packet is sorted to generate access data, and whether the access data packet is a key data packet is judged according to the access data; if not, the access data packet is discarded. If so, the key data packet is examined to detect whether it has the characteristic items of the network scanner, and if it does, a response data packet of any operating system other than that of the local host is sent back to the network scanner.
Specifically, in order not to affect the original service on the operating system, the methods of bypass monitoring, bypass blocking and forged reply construction are adopted, so that the scheme is transparent to both the scanner and the service. When the network scanner accesses the host, the bypass monitoring system constructs a forged reply packet from the response data packet of the designated operating system; because the network scanner's algorithm is fixed and unchangeable, specific data in the forged reply packet yields a specific fingerprint, so the attacker's network scanner misjudges the operating system as the designated operating system.
Monitoring all visitors and receiving their access data packets specifically comprises the following steps: setting up a bypass monitoring system, configuring the switch to forward the data of one or more ports to a monitoring port, monitoring all visitors, mirroring the visitors' access data packets to the monitoring port, and capturing the content of the access data packets.
In normal network service, attackers and normal visitors alike access the service port directly, and every visitor's access data packet is forwarded through the switch. An attacker's network scanner can thus directly determine specific information about the current operating system from its TCP/IP protocol probes, form a fingerprint, and identify the current operating system type by comparing that fingerprint with a database.
The bypass monitoring system is deployed by plugging a network cable into a mirror port of the switch and configuring the switch to forward the data of one or more ports to the monitoring port, so that all visitors are monitored: the visitors' access data packets are mirrored to the monitoring port and their content is captured. With this method and device, the IP and port on which the service program listens do not need to be modified; only one additional set of bypass monitoring system needs to be deployed, at the port-mirror network port of the switch, so that it can monitor the access data packets of all visitors passing through the switch.
The access data includes source IP, source port, destination IP, destination port, TCP FLAGS array and initial access packet contents.
Specifically, the bypass monitoring system sorts the access data packet to generate access data, which includes a source IP, a source port, a destination IP, a destination port, a TCP FLAGS array and the initial TCP data packet content. The TCP FLAGS array comprises one or more of [ URG, ACK, PSH, RST, SYN, FIN ]. Whether the access data packet is a key data packet is judged according to the access data; if not, the access data packet is discarded. If it is a key data packet, it is examined further as described below.
When the access data consists of sIP, sPORT, dIP, dPORT, [ SYN ] and the initial TCP data packet content, the access data packet is a key data packet. Here sIP denotes the visitor's IP, sPORT the visitor's port, dIP a host whose operating system type needs to be spoofed, dPORT the port on that host, and [ SYN ] that the SYN flag is included in TCP FLAGS.
Specifically, it is first judged whether the access data packet is a TCP packet; the bypass monitoring system then sorts the data of the TCP packet into an access data result comprising sIP, sPORT, dIP, dPORT, [ SYN ] and the initial TCP data packet. If dIP is a host whose operating system type is to be forged and the SYN flag is included in TCP FLAGS, the TCP packet is determined to be a key data packet.
The method further comprises the following step: setting up at least two operating systems of different types, one of which runs the service while the others are used to prepare and store their response data packets.
In this embodiment, two operating systems are prepared, a first and a second. The first operating system runs the service; the second is used to prepare and store the corresponding response data packets. When the network scanner scans the first operating system it detects the fingerprint of the second, and so judges the first operating system to be the second. The method and device do not affect the service on the first operating system, require no program to be installed on the service host, and require no change to the port on which the original service program listens.
Preparing and storing response data packets of a plurality of operating systems specifically comprises the following step: simulating receipt of the system detection probes sent by the network scanner, modifying the data content of the IP header and TCP header in the response to each probe, and generating and storing the response data packet of the specified operating system.
The system detection probes comprise a sequence generation algorithm probe, a TCP protocol probe, a UDP protocol probe, an ICMP echo probe and an ECN probe.
Specifically, the network scanner exploits the characteristics of the TCP/IP protocol stack by sending a number of specially constructed data packets to the host being scanned; different operating systems respond differently to these packets, and the network scanner derives a different fingerprint from each kind of response, building a fingerprint database.
The data content of the IP header and TCP header comprises the sequence generation algorithm of the TCP/IP protocol stack, the greatest common divisor, increase rate and SP of the TCP ISN, the TCP timestamp selection algorithm, the TCP initial window size, the TCP explicit congestion handling mechanism, the UDP reserved header bits, flag bit information and IP packet attributes.
Specifically, the network scanner uses 5 types of specially constructed system detection probes to scan the operating system of the specified host: a sequence generation algorithm probe, a TCP protocol probe, a UDP protocol probe, an ICMP echo probe and an ECN probe. The network scanner then runs a number of algorithms over the data packets returned in response, and their results form the fingerprint; each returned data packet includes an IP header and a TCP header.
All data used by the network scanner to generate the fingerprint comes from the IP header and the TCP header; more specifically, the fingerprint information includes the sequence generation algorithm of the TCP/IP protocol stack, the greatest common divisor, increase rate and SP of the TCP ISN, the TCP timestamp selection algorithm, the TCP initial window size, the TCP explicit congestion handling mechanism, the UDP reserved header bits, and other more detailed flag bit information and IP packet attributes. The operating-system identification function of the network scanner can therefore be deceived simply by modifying the data content of the IP header and TCP header.
Specifically, the key data packet is examined to detect whether it has a characteristic item of the network scanner. If it does not, the access is judged to be normal, the bypass monitoring system performs no operation, and the normal business process continues. If the key data packet does have a characteristic item of the network scanner, the method further comprises the following step: adopting a bypass blocking operation, that is, extracting the content of the key data packet, modifying its TCP FLAGS array to generate a Reset packet, and transmitting the Reset packet to the host, which ensures that the original service program does not continue to respond to the network scanner.
In this embodiment, the bypass monitoring system customizes the IP header, TCP header and other data of the reply packet according to the response behaviour of the second operating system and sends that reply packet to the network scanner; that is, when the network scanner scans the first operating system, it detects the fingerprint of the second operating system and judges the first operating system to be the second.
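As an added illustration (it is not code from the patent or from Hangzhou Moan Technology), the following Python models the Example 1 pipeline end to end on constructed packets: sorting a mirrored IPv4/TCP packet into access data, the key-packet test (dIP is a disguised host and SYN is in TCP FLAGS), the scanner characteristic check, the bypass-blocking Reset packet sent to the host, and the forged reply whose IP and TCP header fields come from a stored decoy-OS profile. The protected address, the ports, the feature pattern and the decoy-OS header values are all assumptions made for this example.

```python
import struct
from collections import namedtuple

# TCP flag names in bit order, starting at the LSB of the TCP flags field.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
FLAG_BIT = {name: 1 << i for i, name in enumerate(TCP_FLAG_NAMES)}

# Constructed: dIP values whose operating-system type is to be disguised.
PROTECTED_HOSTS = {"10.0.0.5"}

# Constructed scanner feature items as (required flags, window, urgent pointer): a SYN that
# also carries ECE and CWR, in the spirit of the ECN probe the text lists (values illustrative).
SCANNER_FEATURES = [({"SYN", "ECE", "CWR"}, 3, 0xF7F5)]

# Constructed stand-in for a stored "response data packet of the specified operating system":
# the IP/TCP header values the decoy OS would answer with (all illustrative).
DECOY_OS = {"ttl": 128, "df": True, "ip_id": 0x1234, "window": 8192, "isn": 0x0BADC0DE,
            "options": bytes.fromhex("020405b40103030801010402")}  # MSS, NOP, WS, NOP, NOP, SACKOK

# The patent's access data, plus the header fields needed to rebuild packets.
AccessData = namedtuple("AccessData", "sIP sPORT dIP dPORT flags seq window urg_ptr ttl ip_id")

def ip_str(b): return ".".join(str(x) for x in b)

def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def checksum(data):
    """One's-complement Internet checksum over data (odd length is zero-padded)."""
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def sort_packet(raw):
    """Sort a mirrored IPv4/TCP packet (no link-layer header) into access data, or None."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if len(raw) < ihl + 20:
        return None
    sport, dport, seq, _ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", raw[ihl:ihl + 20])
    flags = [n for n in TCP_FLAG_NAMES if off_flags & FLAG_BIT[n]]
    return AccessData(ip_str(raw[12:16]), sport, ip_str(raw[16:20]), dport, flags, seq, window, urg,
                      raw[8], struct.unpack("!H", raw[4:6])[0])

def is_key_packet(ad):
    """Key data packet: a TCP packet to a disguised host with the SYN flag in TCP FLAGS."""
    return ad is not None and ad.dIP in PROTECTED_HOSTS and "SYN" in ad.flags

def has_scanner_feature(ad):
    """Match the access data against the configured scanner characteristic items."""
    present = set(ad.flags)
    return any(need <= present and ad.window == win and ad.urg_ptr == urg
               for need, win, urg in SCANNER_FEATURES)

def build_packet(src, sport, dst, dport, seq, ack, flags, window, urg, ttl, df, ip_id, options=b""):
    """Assemble an IPv4 header and TCP header (no payload) with valid checksums."""
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (tcp_len // 4) << 12 | flags,
                      window, 0, urg) + options
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000 if df else 0,
                     ttl, 6, 0, ip_bytes(src), ip_bytes(dst))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp

def build_reset(ad):
    """Bypass blocking: the key packet with TCP FLAGS changed to [RST], sent to the protected host."""
    return build_packet(ad.sIP, ad.sPORT, ad.dIP, ad.dPORT, ad.seq, 0, FLAG_BIT["RST"],
                        0, 0, ad.ttl, False, ad.ip_id)

def build_decoy_reply(ad, decoy=DECOY_OS):
    """Forged SYN/ACK whose IP and TCP header fields are taken from the decoy OS parameters."""
    return build_packet(ad.dIP, ad.dPORT, ad.sIP, ad.sPORT, decoy["isn"], (ad.seq + 1) & 0xFFFFFFFF,
                        FLAG_BIT["SYN"] | FLAG_BIT["ACK"], decoy["window"], 0,
                        decoy["ttl"], decoy["df"], decoy["ip_id"], decoy["options"])

def handle(raw):
    """Whole pipeline: returns (decision, reset packet or None, forged reply or None)."""
    ad = sort_packet(raw)
    if not is_key_packet(ad):
        return "discard", None, None
    if not has_scanner_feature(ad):
        return "normal", None, None
    return "spoof", build_reset(ad), build_decoy_reply(ad)

# Constructed sample input: a SYN+ECE+CWR probe from 192.0.2.10:40000 to the protected host.
SAMPLE_PROBE = build_packet("192.0.2.10", 40000, "10.0.0.5", 80, 0x11223344, 0,
                            FLAG_BIT["SYN"] | FLAG_BIT["ECE"] | FLAG_BIT["CWR"], 3, 0xF7F5, 52, False, 7)
# Constructed sample input: an ordinary SYN from a normal visitor to the same service.
SAMPLE_NORMAL = build_packet("192.0.2.11", 40001, "10.0.0.5", 80, 0x55667788, 0, FLAG_BIT["SYN"],
                             64240, 0, 64, True, 8, bytes.fromhex("020405b4"))

if __name__ == "__main__":
    for name, pkt in (("probe", SAMPLE_PROBE), ("normal", SAMPLE_NORMAL)):
        decision, rst, reply = handle(pkt)
        print(name, decision, rst.hex() if rst else "-", reply.hex() if reply else "-")
```

The real system would read the mirrored frames from the monitoring port and inject the two built packets with a raw socket; here they are only returned as bytes so the decision logic can be checked offline.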
Example 2:
the present embodiment includes a scanner countermeasure system based on bypass interference, comprising: and the storage unit stores response data packets of a plurality of operating systems.
The bypass monitoring system is used for monitoring all visitors and receiving the access data packets of the visitors, sorting the access data packets to generate access data, judging whether the access data packets are key data packets according to the access data, and detecting whether the key data packets have the characteristic items of the network scanner.
And the communication unit is used for sending a response data packet of any operating system except the local operating system back to the network scanner.
For the relevant details, see the description of embodiment 1.
Example 3:
an electronic device comprising a memory and a processor, the memory storing one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement a bypass interference based scanner countermeasure method as described above.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the electronic device described above may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method of embodiment 1.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that:
reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the application. Thus, the appearances of the phrase "one embodiment" or "an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
In addition, it should be noted that the specific embodiments described in the present specification may differ in the shape of the components, the names of the components, and the like. All equivalent or simple changes in the structure, characteristics and principles as described in the patent idea are included in the protection scope of the patent. Various modifications, additions and substitutions for the specific embodiments described herein may occur to those skilled in the art without departing from the scope and spirit of the invention as defined by the accompanying claims.

Claims (10)

1. A scanner countermeasure method based on bypass interference, comprising the steps of:
preparing and storing response data packets of a plurality of operating systems, monitoring all visitors and receiving access data packets of the visitors;
sorting the access data packet to generate access data, judging whether the access data packet is a key data packet or not according to the access data, and if not, discarding the access data packet;
and if so, detecting the key data packet, detecting whether the key data packet has the characteristic item of the network scanner, and if so, sending a response data packet of any operating system except the local computer back to the network scanner.
2. The method of claim 1, further comprising the steps of:
and adopting bypass blocking operation, extracting the content of the key data packet, modifying a TCP FLAG array of the key data packet, generating a Reset packet, and transmitting the Reset packet to the host.
3. The method of claim 1, further comprising the steps of:
and setting at least two different types of operating systems, wherein one operating system is used for running the service, and the other operating systems are used for preparing and storing response data packets of the operating systems.
4. The method as claimed in claim 1, wherein the step of monitoring all visitors and receiving the visitor's access data packet includes the following steps:
setting a bypass monitoring system, configuring a switch to forward data of one or more ports to a monitoring port, and monitoring all visitors;
and the access data packet of the visitor is mirrored to the monitoring port, and the content of the access data packet is captured.
5. The bypass interference based scanner countermeasure method of claim 1, wherein the access data comprises a source IP, a source port, a destination IP, a destination port, a TCP FLAGS array, and initial access packet contents.
6. The method as claimed in claim 1, wherein preparing and storing response packets of a plurality of operating systems comprises the following steps:
and simulating to receive a system detection probe sent by the network scanner, modifying the data content of the IP packet header and the TCP packet header in response to the system detection probe, and generating and storing a response data packet of the specified operating system.
7. The method of claim 6, wherein the system probing probes comprise sequence generation algorithm probes, TCP protocol probes, UDP protocol probes, ICMP echo probes, and ECN probes.
8. A scanner countermeasure system based on bypass interference, comprising:
the storage unit stores response data packets of a plurality of operating systems;
the bypass monitoring system is used for monitoring all visitors, receiving access data packets of the visitors, sorting the access data packets to generate access data, judging whether the access data packets are key data packets according to the access data, and detecting whether the key data packets have characteristic items of a network scanner;
and the communication unit is used for sending a response data packet of any operating system except the local operating system back to the network scanner.
9. An electronic device comprising a memory and a processor, the memory configured to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement a bypass interference based scanner countermeasure method according to any of claims 1 to 7.
10. A readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
Application CN202210103520.XA, priority date 2022-01-27, filing date 2022-01-27: Scanner countermeasure method and system based on bypass interference. Status: Active. Granted as CN114363087B (en).

Publications (2)

Publication Number Publication Date
CN114363087A 2022-04-15
CN114363087B 2024-05-14

Family ID: 81093386

Country Status (1)

Country Link
CN (1) CN114363087B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104519068A (en) * 2014-12-26 2015-04-15 赵卫伟 Moving target protection method based on operating system fingerprint jumping
US20170171221A1 (en) * 2015-12-15 2017-06-15 Webroot Inc. Real-time Scanning of IP Addresses
US9716727B1 (en) * 2014-09-30 2017-07-25 Palo Alto Networks, Inc. Generating a honey network configuration to emulate a target network environment
CN110058565A (en) * 2019-03-01 2019-07-26 中国电子科技网络信息安全有限公司 Industrial control PLC system fingerprint simulation method based on Linux operating system
CN111628993A (en) * 2020-05-26 2020-09-04 中国电子科技集团公司第五十四研究所 Network spoofing defense method and device based on host fingerprint hiding
CN111988311A (en) * 2020-08-18 2020-11-24 华中科技大学 Method for detecting NMAP network scanning attack behavior in public network environment
CN113055406A (en) * 2021-04-16 2021-06-29 中国电子科技集团公司第五十四研究所 Operating system feature hiding method and system based on communication protocol
CN113765846A (en) * 2020-06-01 2021-12-07 极客信安(北京)科技有限公司 Intelligent detection and response method and device for network abnormal behavior and electronic equipment

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9716727B1 (en) * 2014-09-30 2017-07-25 Palo Alto Networks, Inc. Generating a honey network configuration to emulate a target network environment
CN104519068A (en) * 2014-12-26 2015-04-15 赵卫伟 Moving target protection method based on operating system fingerprint jumping
US20170171221A1 (en) * 2015-12-15 2017-06-15 Webroot Inc. Real-time Scanning of IP Addresses
CN110058565A (en) * 2019-03-01 2019-07-26 中国电子科技网络信息安全有限公司 Industrial control PLC system fingerprint simulation method based on Linux operating system
CN111628993A (en) * 2020-05-26 2020-09-04 中国电子科技集团公司第五十四研究所 Network spoofing defense method and device based on host fingerprint hiding
CN113765846A (en) * 2020-06-01 2021-12-07 极客信安(北京)科技有限公司 Intelligent detection and response method and device for network abnormal behavior and electronic equipment
CN111988311A (en) * 2020-08-18 2020-11-24 华中科技大学 Method for detecting NMAP network scanning attack behavior in public network environment
CN113055406A (en) * 2021-04-16 2021-06-29 中国电子科技集团公司第五十四研究所 Operating system feature hiding method and system based on communication protocol

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
俞海: "Scenario simulation experiment based on Nmap network scanning", Journal of Shaoxing University (Natural Science), no. 01, 28 April 2017 (2017-04-28) *

Also Published As

Publication number Publication date
CN114363087B (en) 2024-05-14

Similar Documents

Publication Publication Date Title
US6968377B1 (en) Method and system for mapping a network for system security
Staniford et al. Practical automated detection of stealthy portscans
US8042182B2 (en) Method and system for network intrusion detection, related network and computer program product
KR100800370B1 (en) Network attack signature generation
US20180205746A1 (en) Network traffic analysis for malware detection and performance reporting
US20070240207A1 (en) Method of Detecting Anomalous Behaviour in a Computer Network
US20030084326A1 (en) Method, node and computer readable medium for identifying data in a network exploit
CN105554009B (en) A method of passing through Network Data Capture device operating system information
US7124181B1 (en) System, method and computer program product for improved efficiency in network assessment utilizing variable timeout values
Albanese et al. Deceiving attackers by creating a virtual attack surface
Albanese et al. A deception based approach for defeating OS and service fingerprinting
EP3230886B1 (en) Operating system fingerprint detection
CN114338068A (en) Multi-node vulnerability scanning method and device, electronic equipment and storage medium
CN110058565B (en) Industrial control PLC system fingerprint simulation method based on Linux operating system
KR100772177B1 (en) Method and apparatus for generating intrusion detection event to test security function
CN114760216B (en) Method and device for determining scanning detection event and electronic equipment
CN114363087A (en) Scanner countermeasure method and system based on bypass interference
CN115604162A (en) Detection method of network security equipment
CN112333174B (en) Reflection-type DDos IP scanning detection system
CN112153027B (en) Counterfeit behavior identification method, apparatus, device and computer readable storage medium
CN114465795B (en) Method and system for interfering network scanner
AbdelallahElhadj et al. An experimental sniffer detector: SnifferWall
Albanese et al. Proactive defense through deception
CN114629689B (en) IP address fraud recognition method, device, computer equipment and storage medium
CN117395162B (en) Method, system, device and medium for identifying operating system by using encrypted traffic

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 1st Floor, Building 3, No. 2616, Yuhangtang Road, Cangqian Street, Yuhang District, Hangzhou City, Zhejiang Province, 311100

Applicant after: HANGZHOU MOAN TECHNOLOGY CO.,LTD.

Address before: 311100 10th floor, Block E, building 1, 1378 Wenyi West Road, Cangqian street, Yuhang District, Hangzhou City, Zhejiang Province

Applicant before: HANGZHOU MOAN TECHNOLOGY CO.,LTD.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant