CN114448724B - Data processing method and device for network beacon tampering detection - Google Patents

Publication number
CN114448724B
Authority
CN
China
Prior art keywords
information
beacon
node
value information
network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210266542.8A
Other languages
Chinese (zh)
Other versions
CN114448724A (en
Inventor
任传伦
俞赛赛
刘晓影
任秋洁
张先国
谭震
乌吉斯古愣
孟祥頔
王明琛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cetc Cyberspace Security Research Institute Co ltd
CETC 15 Research Institute
CETC 30 Research Institute
Original Assignee
Cetc Cyberspace Security Research Institute Co ltd
CETC 15 Research Institute
CETC 30 Research Institute
Application filed by Cetc Cyberspace Security Research Institute Co ltd, CETC 15 Research Institute, CETC 30 Research Institute
Priority to CN202210266542.8A
Publication of CN114448724A
Application granted
Publication of CN114448724B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data processing method and apparatus for network beacon tamper detection. The method comprises: acquiring node beacon information of a beacon detection node; calculating a digest value of the node beacon information to obtain first digest value information; and performing comparative analysis on the first digest value information to obtain comparison result information, where the comparison result information is used to indicate the tampering status of the network beacon. By calculating and comparing digest values of the node beacon information, the invention obtains comparison result information that indicates the tampering status of the network beacon, which helps determine efficiently and in real time whether the network beacon has been tampered with and thereby improves the efficiency of discovering such tampering.

Description

Data processing method and device for network beacon tampering detection
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a data processing method and apparatus for network beacon tamper detection.
Background
With the development of internet technology, network attackers pose a great threat to key service networks such as provincial networks and telecommunication networks. To hide their traffic and identity, attackers evade tracking and tracing of the attack path by means such as multi-stage springboard (stepping-stone) forwarding, which makes tracking and tracing more difficult. Existing active attack-path tracking and tracing methods based on network beacons usually need to recover a specifically implanted beacon at a detection node to judge whether the network beacon has been tampered with, so it is difficult to make that judgment in real time. It is therefore important to provide a data processing method and apparatus for network beacon tamper detection that can determine efficiently and in real time whether a network beacon has been tampered with, improving the efficiency of discovering such tampering.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a data processing method and apparatus for network beacon tamper detection that obtain comparison result information indicating the tampering status of a network beacon by calculating and comparing digest values of node beacon information, which helps determine efficiently and in real time whether the network beacon has been tampered with and thereby improves the efficiency of discovering such tampering.
To solve the foregoing technical problem, a first aspect of an embodiment of the present invention discloses a data processing method for network beacon tamper detection, the method including:
acquiring node beacon information of a beacon detection node;
calculating a digest value of the node beacon information to obtain first digest value information;
performing comparative analysis on the first digest value information to obtain comparison result information; the comparison result information is used to indicate the tampering status of the network beacon.
As an optional implementation, in the first aspect of the embodiment of the present invention, calculating the digest value of the node beacon information to obtain the first digest value information includes:
performing information padding on the node beacon information to obtain first intermediate digest value information;
performing initialization setting on the first intermediate digest value information to obtain second intermediate digest value information; the second intermediate digest value information includes L chaining variables; L is a positive integer greater than or equal to 4;
performing cyclic calculation processing on the second intermediate digest value information to obtain the first digest value information.
As an optional implementation, in the first aspect of the embodiment of the present invention, performing information padding on the node beacon information to obtain the first intermediate digest value information includes:
performing binary padding on the node beacon information to obtain padded beacon information;
performing a remainder calculation on the padded beacon information and a preset data bit length threshold to obtain remainder result information;
judging whether the remainder result information matches a preset remainder threshold to obtain a first matching judgment result;
when the first matching judgment result is negative, updating the node beacon information with the padded beacon information, and triggering execution of the binary padding of the node beacon information to obtain the padded beacon information;
when the first matching judgment result is yes, determining that the padded beacon information is the first intermediate digest value information.
As an optional implementation, in the first aspect of the embodiment of the present invention, the second intermediate digest value information includes several pieces of intermediate sub-digest value information;
performing cyclic calculation processing on the second intermediate digest value information to obtain the first digest value information includes:
for any piece of intermediate sub-digest value information, performing migration processing on the intermediate sub-digest value information to obtain first cycle value information corresponding to the intermediate sub-digest value information;
performing nonlinear calculation and migration processing on the first cycle value information to obtain second cycle value information corresponding to the intermediate sub-digest value information;
sequentially integrating all the second cycle value information to obtain the first digest value information.
As an optional implementation, in the first aspect of the embodiment of the present invention, before acquiring the node beacon information of the beacon detection node, the method further includes:
acquiring network basic information of a target detection network;
determining a beacon implantation node according to the network basic information;
acquiring implanted beacon information corresponding to the beacon implantation node; the implanted beacon information is associated with the node beacon information;
calculating a digest value of the implanted beacon information to obtain second digest value information; the second digest value information is used for comparative analysis with the first digest value information.
As an optional implementation, in the first aspect of the embodiment of the present invention, the comparison result information is either that the network beacon is not tampered with or that the network beacon is tampered with;
performing comparative analysis on the first digest value information to obtain the comparison result information includes:
judging whether the first digest value information matches the second digest value information to obtain a second matching judgment result;
when the second matching judgment result is yes, determining that the comparison result information is that the network beacon is not tampered with; this result is used to trigger execution of the step of acquiring node beacon information of the beacon detection node;
when the second matching judgment result is negative, determining that the comparison result information is that the network beacon is tampered with; this result is used to indicate that a network alarm is to be issued.
As an optional implementation, in the first aspect of the embodiment of the present invention, the node beacon information includes L pieces of node identification information; L is a positive integer greater than or equal to 5; each piece of node identification information is unique within the target detection network corresponding to the beacon detection node.
A second aspect of the embodiment of the present invention discloses a data processing apparatus for network beacon tamper detection, the apparatus comprising:
a first acquisition module, configured to acquire node beacon information of a beacon detection node;
a calculation module, configured to calculate a digest value of the node beacon information to obtain first digest value information;
a comparison analysis module, configured to perform comparative analysis on the first digest value information to obtain comparison result information; the comparison result information is used to indicate the tampering status of the network beacon.
As an optional implementation, in the second aspect of the embodiment of the present invention, the calculation module calculates the digest value of the node beacon information to obtain the first digest value information specifically by:
performing information padding on the node beacon information to obtain first intermediate digest value information;
performing initialization setting on the first intermediate digest value information to obtain second intermediate digest value information; the second intermediate digest value information includes L chaining variables; L is a positive integer greater than or equal to 4;
performing cyclic calculation processing on the second intermediate digest value information to obtain the first digest value information.
As an optional implementation, in the second aspect of the embodiment of the present invention, the calculation module performs information padding on the node beacon information to obtain the first intermediate digest value information specifically by:
performing binary padding on the node beacon information to obtain padded beacon information;
performing a remainder calculation on the padded beacon information and a preset data bit length threshold to obtain remainder result information;
judging whether the remainder result information matches a preset remainder threshold to obtain a first matching judgment result;
when the first matching judgment result is negative, updating the node beacon information with the padded beacon information, and triggering execution of the binary padding of the node beacon information to obtain the padded beacon information;
when the first matching judgment result is yes, determining that the padded beacon information is the first intermediate digest value information.
As an optional implementation, in the second aspect of the embodiment of the present invention, the second intermediate digest value information includes several pieces of intermediate sub-digest value information;
the calculation module performs cyclic calculation processing on the second intermediate digest value information to obtain the first digest value information specifically by:
for any piece of intermediate sub-digest value information, performing migration processing on the intermediate sub-digest value information to obtain first cycle value information corresponding to the intermediate sub-digest value information;
performing nonlinear calculation and migration processing on the first cycle value information to obtain second cycle value information corresponding to the intermediate sub-digest value information;
sequentially integrating all the second cycle value information to obtain the first digest value information.
As an optional implementation, in the second aspect of the embodiment of the present invention, for use before the first acquisition module acquires the node beacon information of the beacon detection node, the apparatus further includes:
a second acquisition module, configured to acquire network basic information of a target detection network;
a determining module, configured to determine a beacon implantation node according to the network basic information;
the second acquisition module is further configured to acquire implanted beacon information corresponding to the beacon implantation node; the implanted beacon information is associated with the node beacon information;
the obtaining module is configured to calculate a digest value of the implanted beacon information to obtain second digest value information; the second digest value information is used for comparative analysis with the first digest value information.
As an optional implementation, in the second aspect of the embodiment of the present invention, the comparison result information is either that the network beacon is not tampered with or that the network beacon is tampered with;
the comparison analysis module performs comparative analysis on the first digest value information to obtain the comparison result information specifically by:
judging whether the first digest value information matches the second digest value information to obtain a second matching judgment result;
when the second matching judgment result is yes, determining that the comparison result information is that the network beacon is not tampered with; this result is used to trigger execution of the step of acquiring node beacon information of the beacon detection node;
when the second matching judgment result is negative, determining that the comparison result information is that the network beacon is tampered with; this result is used to indicate that a network alarm is to be issued.
As an optional implementation, in the second aspect of the embodiment of the present invention, the node beacon information includes L pieces of node identification information; L is a positive integer greater than or equal to 5; each piece of node identification information is unique within the target detection network corresponding to the beacon detection node.
A third aspect of the present invention discloses another data processing apparatus for network beacon tamper detection, the apparatus comprising:
a memory storing executable program code;
a processor coupled with the memory;
the processor calls the executable program code stored in the memory to execute part or all of the steps of the data processing method for network beacon tampering detection disclosed in the first aspect of the embodiments of the present invention.
In a fourth aspect, the present invention discloses a computer storage medium, where the computer storage medium stores computer instructions, and when the computer instructions are called, the computer instructions are used to execute some or all of the steps in the data processing method for network beacon tamper detection disclosed in the first aspect of the embodiments of the present invention.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
In the embodiment of the present invention, node beacon information of a beacon detection node is acquired; a digest value of the node beacon information is calculated to obtain first digest value information; and the first digest value information is comparatively analyzed to obtain comparison result information, which is used to indicate the tampering status of the network beacon. By calculating and comparing digest values of the node beacon information, the invention obtains comparison result information that indicates the tampering status of the network beacon, which helps determine efficiently and in real time whether the network beacon has been tampered with and thereby improves the efficiency of discovering such tampering.
Drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a data processing method for network beacon tamper detection according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of another data processing method for network beacon tamper detection according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a data processing apparatus for network beacon tamper detection according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of another data processing apparatus for network beacon tamper detection according to an embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of yet another data processing apparatus for network beacon tamper detection according to an embodiment of the present disclosure.
Detailed Description
To help those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can obtain from the embodiments of the present invention without inventive effort fall within the scope of protection of the present invention.
The terms "first," "second," and the like in the description and claims of the present invention and in the above-described drawings are used to distinguish between different objects, not to describe a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, product, or apparatus that comprises a list of steps or elements is not limited to the steps or elements listed, but may also include other steps or elements that are not expressly listed or that are inherent to such a process, method, product, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the invention. Appearances of the phrase in various places in the specification do not necessarily all refer to the same embodiment, nor to separate or alternative embodiments that are mutually exclusive of other embodiments. Those skilled in the art understand, both explicitly and implicitly, that the embodiments described herein may be combined with other embodiments.
The invention discloses a data processing method and apparatus for network beacon tamper detection that obtain comparison result information indicating the tampering status of a network beacon by calculating and comparing digest values of node beacon information, which helps determine efficiently and in real time whether the network beacon has been tampered with and thereby improves the efficiency of discovering such tampering. Details are given below.
Example one
Referring to Fig. 1, Fig. 1 is a schematic flowchart of a data processing method for network beacon tamper detection according to an embodiment of the present invention. The method described in Fig. 1 is applied to a network security management system, such as a local server or a cloud server that manages data processing for network beacon tamper detection; the embodiment of the present invention is not limited in this respect. As shown in Fig. 1, the data processing method for network beacon tamper detection may include the following operations:
101. Acquire node beacon information of the beacon detection node.
102. Calculate a digest value of the node beacon information to obtain first digest value information.
103. Perform comparative analysis on the first digest value information to obtain comparison result information.
In the embodiment of the present invention, the comparison result information is used to indicate the tampering status of the network beacon.
Optionally, after the first digest value information is calculated, it is uploaded to a global monitoring point, and the comparative analysis of the first digest value information is performed at the global monitoring point.
Therefore, the data processing method for network beacon tamper detection described in the embodiment of the present invention obtains comparison result information indicating the tampering status of the network beacon by calculating and comparing digest values of the node beacon information, which helps determine efficiently and in real time whether the network beacon has been tampered with and thereby improves the efficiency of discovering such tampering.
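The comparison at the global monitoring point, as an added example that is not code from the patent: the digest of the implanted beacon is stored, and each digest reported by a detection node is compared against it. SHA-256 stands in for the page's own digest construction; the field values, the `MonitoringPoint` class and the length-prefixed field encoding are assumptions of this example.

```python
import hashlib
import hmac
import struct

MIN_FIELDS = 5  # the page requires at least five pieces of node identification information


def encode_beacon(fields):
    """Length-prefix every field so that field boundaries are part of the digest input."""
    if len(fields) < MIN_FIELDS:
        raise ValueError(f"need at least {MIN_FIELDS} identification fields")
    out = bytearray()
    for field in fields:
        raw = field.encode("utf-8")
        out += struct.pack(">I", len(raw)) + raw
    return bytes(out)


def beacon_digest(fields):
    """Stand-in digest (SHA-256), not the digest construction the page describes."""
    return hashlib.sha256(encode_beacon(fields)).digest()


class MonitoringPoint:
    """Hypothetical global monitoring point: keeps the second digest of each implanted
    beacon and compares it with the first digest reported by a detection node."""

    def __init__(self):
        self._second_digest = {}  # beacon id -> digest of the implanted beacon
        self.alarms = []

    def register_implant(self, beacon_id, implanted_fields):
        self._second_digest[beacon_id] = beacon_digest(implanted_fields)

    def compare(self, beacon_id, detection_node, first_digest):
        expected = self._second_digest.get(beacon_id)
        # compare_digest runs in time independent of where the digests differ.
        if expected is not None and hmac.compare_digest(expected, first_digest):
            return "not tampered"  # caller goes back to acquiring node beacon information
        # Assumption: a beacon with no registered digest is alarmed like a mismatch.
        self.alarms.append({"beacon": beacon_id, "node": detection_node})
        return "tampered"


# Constructed sample values (documentation address ranges), not data from the page.
IMPLANTED = ["node-17", "192.0.2.17", "00:00:5e:00:53:11", "edge-router", "seq-000412"]


def run_example():
    monitor = MonitoringPoint()
    monitor.register_implant("beacon-A", IMPLANTED)
    observations = [
        # forwarded unchanged
        ("detect-1", list(IMPLANTED)),
        # one identification field rewritten in transit
        ("detect-2", IMPLANTED[:1] + ["192.0.2.99"] + IMPLANTED[2:]),
        # same characters overall, but the boundary between two fields has moved
        ("detect-3", ["node-1", "7192.0.2.17"] + IMPLANTED[2:]),
    ]
    verdicts = []
    for node, fields in observations:
        first_digest = beacon_digest(fields)  # computed at the detection node
        verdicts.append((node, monitor.compare("beacon-A", node, first_digest)))
    return verdicts, monitor.alarms


if __name__ == "__main__":
    results, alarms = run_example()
    for node, verdict in results:
        print(node, verdict)
    print("alarms:", alarms)
```

The third observation is caught only because field lengths are hashed along with field contents; plain concatenation of the fields would give the same digest input as the implanted beacon.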
In an optional embodiment, calculating the digest value of the node beacon information in step 102 to obtain the first digest value information includes:
performing information padding on the node beacon information to obtain first intermediate digest value information;
performing initialization setting on the first intermediate digest value information to obtain second intermediate digest value information; the second intermediate digest value information includes L chaining variables; L is a positive integer greater than or equal to 4;
performing cyclic calculation processing on the second intermediate digest value information to obtain the first digest value information.
Optionally, each chaining variable is 32 bits wide.
Optionally, the chaining variables include a first chaining variable, and/or a second chaining variable, and/or a third chaining variable, and/or a fourth chaining variable, which is not limited in the embodiment of the present invention.
Optionally, the first chaining variable is 0x01234567.
Optionally, the second chaining variable is 0x89abcdef.
Optionally, the third chaining variable is 0xfedcba98.
Optionally, the fourth chaining variable is 0x76543210.
Therefore, the data processing method for network beacon tamper detection described in the embodiment of the present invention obtains the first digest value information by performing information padding, initialization setting, and cyclic calculation processing on the node beacon information, which helps determine efficiently and in real time whether the network beacon has been tampered with and thereby improves the efficiency of discovering such tampering.
In another optional embodiment, performing information padding on the node beacon information to obtain the first intermediate digest value information includes:
performing binary padding on the node beacon information to obtain padded beacon information;
performing a remainder calculation on the padded beacon information and a preset data bit length threshold to obtain remainder result information;
judging whether the remainder result information matches a preset remainder threshold to obtain a first matching judgment result;
when the first matching judgment result is negative, updating the node beacon information with the padded beacon information, and triggering execution of the binary padding of the node beacon information to obtain the padded beacon information;
when the first matching judgment result is yes, determining that the padded beacon information is the first intermediate digest value information.
In this optional embodiment, as an optional implementation, the binary padding of the node beacon information to obtain the padded beacon information is performed specifically by:
appending one 1 and a number of 0s to the end of the node beacon information to obtain the padded beacon information.
Preferably, the data bit length threshold is 512.
Preferably, the remainder threshold is 448.
Therefore, the data processing method for network beacon tamper detection described in the embodiment of the present invention obtains the first intermediate digest value information by performing binary padding, remainder calculation, and matching judgment on the node beacon information, which helps determine efficiently and in real time whether the network beacon has been tampered with and thereby improves the efficiency of discovering such tampering.
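The padding rule above with the preferred thresholds 512 and 448, as an added example that is not code from the patent. It assumes the node beacon information is a whole number of bytes; the function names are hypothetical, and `unpad_beacon` is included only to show why the leading 1 bit keeps the padding unambiguous.

```python
BLOCK_BITS = 512      # data bit length threshold given on the page
REMAINDER_BITS = 448  # remainder threshold given on the page


def pad_beacon(node_beacon: bytes,
               block_bits: int = BLOCK_BITS,
               remainder_bits: int = REMAINDER_BITS) -> bytes:
    """Append one 1 bit, then 0 bits, until bit length % block_bits == remainder_bits."""
    if block_bits <= 0 or block_bits % 8 or remainder_bits % 8:
        raise ValueError("thresholds must be positive multiples of 8 bits")
    if not 0 <= remainder_bits < block_bits:
        raise ValueError("remainder threshold must be below the block length")
    padded = bytearray(node_beacon)
    # For byte-aligned input, the 1 bit plus the first seven 0 bits is the byte 0x80.
    # It is appended even when the input length already satisfies the remainder test.
    padded.append(0x80)
    while (len(padded) * 8) % block_bits != remainder_bits:
        padded.append(0x00)
    # The page does not say what occupies the rest of the final block,
    # so this example stops at the padded message.
    return bytes(padded)


def unpad_beacon(padded: bytes) -> bytes:
    """Strip the padding again: trailing 0 bytes, then the 0x80 marker."""
    end = len(padded)
    while end > 0 and padded[end - 1] == 0x00:
        end -= 1
    if end == 0 or padded[end - 1] != 0x80:
        raise ValueError("missing 1-bit padding marker")
    return padded[:end - 1]


def padding_overhead(message_len: int) -> int:
    """Number of padding bytes added to a message of message_len bytes."""
    return len(pad_beacon(b"\x00" * message_len)) - message_len


if __name__ == "__main__":
    # Lengths around the 56-byte (448-bit) boundary show the edge case:
    # a 56-byte message cannot fit the marker and spills into a second block.
    for n in (0, 55, 56, 64, 119, 120):
        total_bits = (n + padding_overhead(n)) * 8
        print(f"{n:3d} bytes -> +{padding_overhead(n):2d} pad bytes, "
              f"{total_bits} bits, {total_bits % BLOCK_BITS} mod {BLOCK_BITS}")
    # Without the 1 bit these two inputs would pad to identical bytes.
    print(pad_beacon(b"ab") != pad_beacon(b"ab\x00"))
```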
In yet another alternative embodiment, the second intermediate digest value information includes a plurality of intermediate sub-digest value information;
performing cyclic calculation processing on the second intermediate digest value information to obtain first digest value information, including:
for any intermediate sub-abstract value information, carrying out migration processing on the intermediate sub-abstract value information to obtain first cycle value information corresponding to the intermediate sub-abstract value information;
carrying out nonlinear calculation and migration processing on the first cycle value information to obtain second cycle value information corresponding to the intermediate sub-abstract value information;
and sequentially integrating all the second cycle value information to obtain first abstract value information.
In this optional embodiment, as an optional implementation manner, the specific manner of performing migration processing on the middle sub-digest value information to obtain the first cycle value information corresponding to the middle sub-digest value information is as follows:
updating the first cycle variable information by using the intermediate sub-abstract value information; the first loop variable information includes 4 first loop variables;
selecting 3 first cycle variables from the first cycle variable information to generate first function variable information, and selecting the remaining first cycle variables as second function variable information;
performing nonlinear function calculation on the first function variable information to obtain first function result information;
summing the first function result information and the second function variable information to obtain second function result information;
shifting a random number to the right for the second function result information to obtain third function result information;
calculating the third function result information and the first cycle variable information to obtain fourth function result information;
judging whether the fourth function result information meets a loop iteration ending condition or not to obtain a loop judgment result;
when the loop judgment result is yes, updating the intermediate sub-digest value information by using the fourth function result information, and triggering execution of the updating of the first cycle variable information by using the intermediate sub-digest value information;
and when the loop judgment result is no, determining first cycle value information corresponding to the intermediate sub-digest value information according to the fourth function result information and the intermediate sub-digest value information.
Therefore, the data processing method for network beacon tampering detection, which is described in the embodiment of the present invention, can perform migration processing and nonlinear calculation on the intermediate sub-digest value information to obtain the second cycle value information, and then perform sequential integration processing on the second cycle value information to obtain the first digest value information, which is more beneficial to achieving efficient real-time judgment on whether the network beacon is tampered, so as to improve the efficiency of discovering that the network beacon is tampered.
Example two
Referring to fig. 2, fig. 2 is a schematic flowchart illustrating another data processing method for network beacon tamper detection according to an embodiment of the present invention. The data processing method for network beacon tamper detection described in fig. 2 is applied to a network security management system, such as a local server or a cloud server for data processing management of network beacon tamper detection, and the embodiment of the present invention is not limited thereto. As shown in fig. 2, the data processing method for network beacon tamper detection may include the operations of:
201. Acquiring network basic information of the target detection network.
202. Determining the beacon implantation node according to the network basic information.
203. Acquiring implanted beacon information corresponding to the beacon implantation node.
In this embodiment of the present invention, the implanted beacon information is associated with the node beacon information.
204. Calculating the digest value of the implanted beacon information to obtain second digest value information.
In an embodiment of the present invention, the second digest value information is used for a comparison analysis with the first digest value information.
205. Acquiring node beacon information of the beacon detection node.
206. Calculating the digest value of the node beacon information to obtain first digest value information.
207. Comparing and analyzing the first digest value information to obtain comparison result information.
In the embodiment of the present invention, for specific technical details and explanations of technical terms of step 205 to step 206, reference may be made to the detailed descriptions of step 101 to step 103 in the first embodiment, and details are not repeated here.
Optionally, the existing network-beacon-based active tracking and tracing method for attack paths can judge whether the network beacon has been tampered with only when the detection node recovers the specific implanted beacon. In contrast, the method provided by the invention does not need to recover the original beacon: it calculates the first digest value information from the beacon information in the target detection network and checks whether it is consistent with the second digest value information of the beacon implantation node, so it can quickly find whether the beacon has been tampered with, which improves the efficiency of discovering beacon tampering.
Optionally, the network basic information includes a network traffic protocol type of the target detection network and/or a network construction type, which is not limited in the embodiment of the present invention.
Optionally, the node beacon information includes protocol information in a data link layer, and/or protocol information in a network layer, and/or protocol information in a transport layer, and/or protocol information in an application layer, which is not limited in the embodiment of the present invention.
Therefore, the data processing method for network beacon tampering detection described in the embodiment of the present invention can determine the beacon implanted node according to the network basic information, obtain the beacon information implanted by the beacon implanted node, perform the digest value calculation on the beacon information, obtain the second digest value information, and perform the digest value calculation and the comparative analysis on the node beacon information to obtain the comparative result information for indicating and distinguishing the tampering condition of the network beacon, which is beneficial to realize efficient real-time distinguishing whether the network beacon is tampered, and further improve the efficiency of finding that the network beacon is tampered.
In an optional embodiment, the comparison result information includes that the network beacon is not tampered, or that the network beacon is tampered;
the step of comparing and analyzing the first digest value information to obtain comparison result information comprises the following steps:
judging whether the first digest value information matches the second digest value information to obtain a second matching judgment result;
when the second matching judgment result is yes, determining that the comparison result information is that the network beacon is not tampered; the result that the network beacon is not tampered is used for indicating to trigger execution of the acquiring of node beacon information of the beacon detection node;
when the second matching judgment result is no, determining that the comparison result information is that the network beacon is tampered; the result that the network beacon is tampered is used for indicating that a network alarm is issued.
Optionally, the above-mentioned determining whether the first digest value information matches with the second digest value information is performed at a global monitoring point.
Therefore, the data processing method for network beacon tampering detection described in the embodiment of the present invention can match and determine the first digest value information and the second digest value information to obtain the comparison result information, which is more favorable for implementing efficient real-time determination of whether the network beacon is tampered, and further improves the efficiency of discovering that the network beacon is tampered.
In another optional embodiment, the node beacon information includes L pieces of node identification information; L is a positive integer greater than or equal to 5; any node identification information is unique in the target detection network corresponding to the beacon detection node.
Optionally, the node identification information includes a beacon identifier, and/or a source IP address, and/or a destination IP address, and/or a source MAC address, and/or a destination MAC address, which is not limited in the embodiment of the present invention.
Optionally, the beacon identifier is a unique identifier of the network beacon.
Optionally, the source IP address and the destination IP address are unique identifiers of the target detection network logical address.
Optionally, the source MAC address and the destination MAC address are unique identifiers of different target detection networks in the same link.
Optionally, the unique beacon identifier, the source IP address, the destination IP address, the source MAC address, and the destination MAC address are selected, and digest value calculation is performed on the selected unique beacon identifier, the source IP address, the destination MAC address, and the source MAC address, so that the unique first digest value information of the target detection network can be obtained, accuracy and reliability of finding that the network beacon is tampered are improved, and efficiency of finding that the network beacon is tampered is improved.
Therefore, the data processing method for network beacon tampering detection described in the embodiment of the present invention can screen and determine the node beacon information, and is more favorable for efficiently distinguishing whether the network beacon is tampered in real time, so as to improve the efficiency of discovering that the network beacon is tampered.
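The comparison flow of steps 201 to 207 over the five node identification fields, as an added example (not code from the patent). SHA-256 stands in for the patent's own digest calculation, and the field encoding, the fail-closed handling of malformed input and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

NOT_TAMPERED = "network beacon is not tampered"
TAMPERED = "network beacon is tampered"


@dataclass(frozen=True)
class BeaconFields:
    """The five node identification fields named in the description."""
    beacon_id: str
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str


def _mac_bytes(mac: str) -> bytes:
    # Accept "aa:bb:.." or "AA-BB-.." and reduce it to 6 raw bytes, so that
    # formatting differences between capture tools do not change the digest.
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def canonical_bytes(f: BeaconFields) -> bytes:
    """Serialize the fields in a fixed order, each with a 2-byte length prefix.

    The prefix keeps field boundaries unambiguous (assumed encoding; the
    patent does not specify one).
    """
    parts = [
        f.beacon_id.encode("utf-8"),
        ipaddress.ip_address(f.src_ip).packed,
        ipaddress.ip_address(f.dst_ip).packed,
        _mac_bytes(f.src_mac),
        _mac_bytes(f.dst_mac),
    ]
    out = bytearray()
    for p in parts:
        out += len(p).to_bytes(2, "big") + p
    return bytes(out)


def digest(f: BeaconFields) -> bytes:
    # Stand-in digest: SHA-256 instead of the patent's padding / linked
    # variables / cyclic calculation, which this example does not reproduce.
    return hashlib.sha256(canonical_bytes(f)).digest()


def monitor(second_digest: bytes, observed: BeaconFields) -> str:
    """Step 207 at the global monitoring point.

    second_digest: computed once from the implanted beacon information.
    observed: node beacon information seen at the beacon detection node.
    Malformed observed fields are reported as tampered (fail closed).
    """
    try:
        first_digest = digest(observed)
    except ValueError:
        return TAMPERED
    # compare_digest avoids leaking the position of the first differing byte.
    if hmac.compare_digest(first_digest, second_digest):
        return NOT_TAMPERED
    return TAMPERED


def run_demo() -> list:
    # Constructed sample values (documentation IP ranges, local MACs).
    implanted = BeaconFields("BCN-0001", "192.0.2.10", "198.51.100.20",
                             "02:00:00:00:00:01", "02:00:00:00:00:02")
    second = digest(implanted)  # step 204, at the beacon implantation node

    observations = [
        # Same beacon, MAC written in a different notation.
        BeaconFields("BCN-0001", "192.0.2.10", "198.51.100.20",
                     "02-00-00-00-00-01", "02-00-00-00-00-02"),
        # Destination IP rewritten in transit.
        BeaconFields("BCN-0001", "192.0.2.10", "198.51.100.99",
                     "02:00:00:00:00:01", "02:00:00:00:00:02"),
        # Source IP field corrupted so it no longer parses.
        BeaconFields("BCN-0001", "192.0.2.999", "198.51.100.20",
                     "02:00:00:00:00:01", "02:00:00:00:00:02"),
    ]
    return [monitor(second, obs) for obs in observations]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Only the second digest has to reach the monitoring point; the original beacon is never reconstructed there.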
Example three
Referring to fig. 3, fig. 3 is a schematic structural diagram of a data processing apparatus for network beacon tamper detection according to an embodiment of the present disclosure. The apparatus described in fig. 3 can be applied to a network security management system, such as a local server or a cloud server for data processing management of network beacon tampering detection, and the embodiment of the present invention is not limited thereto. As shown in fig. 3, the apparatus may include:
a first obtaining module 301, configured to obtain node beacon information of a beacon detection node;
a calculating module 302, configured to perform digest value calculation on the node beacon information to obtain first digest value information;
the comparison analysis module 303 is configured to perform comparison analysis on the first digest value information to obtain comparison result information; and the comparison result information is used for indicating and judging the tampering condition of the network beacon.
Therefore, by implementing the data processing device for network beacon tampering detection described in fig. 3, the comparison result information for indicating the tampering condition of the network beacon can be obtained by performing digest value calculation and comparison analysis on the node beacon information, which is beneficial to realizing efficient real-time discrimination of whether the network beacon is tampered, and further improving the efficiency of discovering that the network beacon is tampered.
In another alternative embodiment, as shown in fig. 4, the calculating module 302 performs digest value calculation on the node beacon information to obtain the first digest value information in a specific manner:
performing information filling on the node beacon information to obtain first intermediate digest value information;
initializing and setting the first intermediate digest value information to obtain second intermediate digest value information; the second intermediate digest value information includes L linked variables; L is a positive integer greater than or equal to 4;
and performing cyclic calculation processing on the second intermediate digest value information to obtain first digest value information.
Therefore, by implementing the data processing apparatus for detecting network beacon tampering described in fig. 4, the first digest value information can be obtained by performing information filling, initialization setting, and circular calculation processing on the node beacon information, which is beneficial to achieving efficient and real-time judgment of whether the network beacon is tampered, and further improving the efficiency of discovering that the network beacon is tampered.
In yet another alternative embodiment, as shown in fig. 4, the specific manner of the calculating module 302 performing information padding on the node beacon information to obtain the first intermediate digest value information is as follows:
performing binary filling on the node beacon information to obtain filling beacon information;
performing remainder calculation on the filling beacon information and a preset data bit length threshold to obtain remainder result information;
judging whether the remainder result information matches a preset remainder threshold to obtain a first matching judgment result;
when the first matching judgment result is no, updating the node beacon information by using the filling beacon information, and triggering execution of the binary filling of the node beacon information to obtain the filling beacon information;
and when the first matching judgment result is yes, determining the filling beacon information as first intermediate digest value information.
Therefore, by implementing the data processing apparatus for network beacon tamper detection described in fig. 4, the first intermediate digest value information can be obtained by performing binary filling, remainder calculation, and matching judgment processing on the node beacon information, which is beneficial to achieving efficient and real-time judgment on whether the network beacon is tampered, and further improving the efficiency of discovering that the network beacon is tampered.
In yet another alternative embodiment, as shown in fig. 4, the second intermediate digest value information includes several intermediate sub-digest value information;
the calculation module 302 performs cyclic calculation processing on the second intermediate digest value information, and the specific way of obtaining the first digest value information is as follows:
for any intermediate sub-digest value information, carrying out migration processing on the intermediate sub-digest value information to obtain first cycle value information corresponding to the intermediate sub-digest value information;
carrying out nonlinear calculation and migration processing on the first cycle value information to obtain second cycle value information corresponding to the intermediate sub-digest value information;
and sequentially integrating all the second cycle value information to obtain first digest value information.
Therefore, by implementing the data processing apparatus for detecting the tampering of the network beacon, which is described in fig. 4, the second cycle value information can be obtained by performing migration processing and nonlinear calculation on the intermediate sub-digest value information, and then the first digest value information can be obtained by performing sequential integration processing on the intermediate sub-digest value information, which is more beneficial to achieving efficient real-time judgment on whether the network beacon is tampered, and further improving the efficiency of finding that the network beacon is tampered.
In yet another optional embodiment, as shown in fig. 4, before the first obtaining module 301 obtains the node beacon information of the beacon detection node, the apparatus further includes:
a second obtaining module 304, configured to obtain network basic information of the target detection network;
a determining module 305, configured to determine a beacon implant node according to the network basic information;
the second obtaining module 304 is further configured to obtain implanted beacon information corresponding to the beacon implanted node; the implanted beacon information is associated with the node beacon information;
an obtaining module 306, configured to perform digest value calculation on the implanted beacon information to obtain second digest value information; the second digest value information is used for comparative analysis with the first digest value information.
It can be seen that, with the data processing apparatus for network beacon tampering detection described in fig. 4, a beacon implanted node can be determined according to network basic information, then the implanted beacon information corresponding to the beacon implanted node is obtained and its digest value is calculated to obtain second digest value information, and then the node beacon information is subjected to digest value calculation and comparative analysis to obtain comparison result information for indicating and judging the tampering condition of the network beacon, which is beneficial to realizing efficient real-time judgment of whether the network beacon is tampered, and further improving the efficiency of finding that the network beacon is tampered.
In yet another alternative embodiment, as shown in fig. 4, the comparison result information includes that the network beacon is not tampered, or that the network beacon is tampered;
the comparison and analysis module 303 performs comparison and analysis on the first digest value information, and the specific way of obtaining the comparison result information is as follows:
judging whether the first digest value information matches the second digest value information to obtain a second matching judgment result;
when the second matching judgment result is yes, determining that the comparison result information is that the network beacon is not tampered; the result that the network beacon is not tampered is used for indicating to trigger execution of the acquiring of node beacon information of the beacon detection node;
when the second matching judgment result is no, determining that the comparison result information is that the network beacon is tampered; the result that the network beacon is tampered is used for indicating that a network alarm is sent out.
Therefore, by implementing the data processing device for detecting the network beacon tampering described in fig. 4, the first digest value information and the second digest value information can be matched and judged to obtain the comparison result information, which is more beneficial to efficiently judging whether the network beacon is tampered in real time, and further improves the efficiency of finding that the network beacon is tampered.
In yet another alternative embodiment, as shown in fig. 4, the node beacon information includes L pieces of node identification information; L is a positive integer greater than or equal to 5; any node identification information is unique in the target detection network corresponding to the beacon detection node.
Therefore, the data processing device for network beacon tampering detection described in fig. 4 can screen and determine the node beacon information, which is more beneficial to efficiently and real-timely judging whether the network beacon is tampered, and further improves the efficiency of discovering that the network beacon is tampered.
Example four
Referring to fig. 5, fig. 5 is a schematic structural diagram of another data processing apparatus for network beacon tamper detection according to an embodiment of the disclosure. The apparatus described in fig. 5 can be applied to a network security management system, such as a local server or a cloud server for data processing management of network beacon tamper detection, and the embodiment of the present invention is not limited thereto. As shown in fig. 5, the apparatus may include:
a memory 401 storing executable program code;
a processor 402 coupled to a memory 401;
the processor 402 calls the executable program code stored in the memory 401 for performing the steps in the data processing method for network beacon tamper detection described in the first embodiment or the second embodiment.
Example five
The embodiment of the invention discloses a computer-readable storage medium which stores a computer program for electronic data exchange, wherein the computer program enables a computer to execute the steps in the data processing method for network beacon tampering detection described in the first embodiment or the second embodiment.
Example six
The embodiment of the invention discloses a computer program product, which comprises a non-transitory computer readable storage medium storing a computer program, and the computer program is operable to make a computer execute the steps in the data processing method for network beacon tampering detection described in the first embodiment or the second embodiment.
The above-described embodiments of the apparatus are merely illustrative, and the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above detailed description of the embodiments, those skilled in the art will clearly understand that the embodiments may be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware. Based on such understanding, the above technical solutions may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, wherein the storage medium includes a Read-Only Memory (ROM), a Random Access Memory (RAM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), a One-time Programmable Read-Only Memory (OTPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc-Read-Only Memory (CD-ROM) or other Memory capable of storing data, a magnetic tape, or any other computer-readable medium capable of storing data.
Finally, it should be noted that: the data processing method and apparatus for network beacon tamper detection disclosed in the embodiments of the present invention are only preferred embodiments of the present invention, and are only used for illustrating the technical solutions of the present invention, rather than limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art; the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (8)

1. A data processing method for network beacon tamper detection, the method comprising:
acquiring node beacon information of a beacon detection node;
calculating the digest value of the node beacon information to obtain first digest value information;
wherein the calculating the digest value of the node beacon information to obtain the first digest value information includes:
performing information filling on the node beacon information to obtain first intermediate digest value information;
initializing and setting the first intermediate digest value information to obtain second intermediate digest value information; the second intermediate digest value information includes L linked variables; L is a positive integer greater than or equal to 4;
performing cyclic calculation processing on the second intermediate digest value information to obtain first digest value information;
wherein the information filling of the node beacon information to obtain the first intermediate digest value information includes:
performing binary filling on the node beacon information to obtain filling beacon information;
performing remainder calculation on the filling beacon information and a preset data bit length threshold to obtain remainder result information;
judging whether the remainder result information matches a preset remainder threshold to obtain a first matching judgment result;
when the first matching judgment result is no, updating the node beacon information by using the filling beacon information, and triggering execution of the binary filling of the node beacon information to obtain the filling beacon information;
when the first matching judgment result is yes, determining the filling beacon information as first intermediate digest value information;
comparing and analyzing the first digest value information to obtain comparison result information; and the comparison result information is used for indicating and judging the tampering condition of the network beacon.
2. The data processing method for network beacon tamper detection according to claim 1, wherein the second intermediate digest value information includes several pieces of intermediate sub-digest value information;
the performing cyclic calculation processing on the second intermediate digest value information to obtain first digest value information includes:
for any one piece of intermediate sub-digest value information, carrying out migration processing on the intermediate sub-digest value information to obtain first cycle value information corresponding to the intermediate sub-digest value information;
carrying out nonlinear calculation and migration processing on the first cycle value information to obtain second cycle value information corresponding to the intermediate sub-digest value information;
and sequentially integrating all the second cycle value information to obtain first digest value information.
3. The data processing method for network beacon tamper detection as claimed in claim 1, wherein before the obtaining node beacon information of a beacon detection node, the method further comprises:
acquiring network basic information of a target detection network;
determining a beacon implantation node according to the network basic information;
acquiring implanted beacon information corresponding to the beacon implanted node; the implanted beacon information is associated with the node beacon information;
calculating the digest value of the implanted beacon information to obtain second digest value information; the second digest value information is used for comparative analysis with the first digest value information.
4. The data processing method for network beacon tamper detection according to claim 3, wherein the comparison result information includes that the network beacon is not tampered, or that the network beacon is tampered;
the comparing and analyzing the first digest value information to obtain comparison result information includes:
judging whether the first digest value information matches the second digest value information to obtain a second matching judgment result;
when the second matching judgment result is yes, determining that the comparison result information is that the network beacon is not tampered; the result that the network beacon is not tampered is used for indicating to trigger execution of the acquiring of node beacon information of the beacon detection node;
when the second matching judgment result is no, determining that the comparison result information is that the network beacon is tampered; the result that the network beacon is tampered is used for indicating that a network alarm is sent out.
5. The data processing method for network beacon tamper detection as claimed in claim 1, wherein the node beacon information includes L pieces of node identification information; L is a positive integer greater than or equal to 5; any one of the node identification information is unique in a target detection network corresponding to the beacon detection node.
6. A data processing apparatus for network beacon tamper detection, the apparatus comprising:
the first acquisition module is used for acquiring node beacon information of the beacon detection node;
the calculation module is used for calculating the digest value of the node beacon information to obtain first digest value information;
wherein the calculating the digest value of the node beacon information to obtain the first digest value information includes:
performing information filling on the node beacon information to obtain first intermediate digest value information;
initializing and setting the first intermediate digest value information to obtain second intermediate digest value information; the second intermediate digest value information includes L linked variables; L is a positive integer greater than or equal to 4;
performing cyclic calculation processing on the second intermediate digest value information to obtain first digest value information;
the information filling of the node beacon information to obtain first intermediate digest value information includes:
performing binary filling on the node beacon information to obtain filling beacon information;
performing remainder calculation on the filling beacon information and a preset data bit length threshold to obtain remainder result information;
judging whether the remainder result information matches a preset remainder threshold to obtain a first matching judgment result;
when the first matching judgment result is no, updating the node beacon information by using the filling beacon information, and triggering execution of the binary filling of the node beacon information to obtain the filling beacon information;
when the first matching judgment result is yes, determining the filling beacon information as first intermediate digest value information;
the comparison analysis module is used for performing comparison analysis on the first digest value information to obtain comparison result information; and the comparison result information is used for indicating and judging the tampering condition of the network beacon.
7. A data processing apparatus for network beacon tamper detection, the apparatus comprising:
a memory storing executable program code;
a processor coupled with the memory;
the processor invokes the executable program code stored in the memory to perform the data processing method for network beacon tamper detection as claimed in any one of claims 1-5.
8. A computer storage medium storing computer instructions for performing a data processing method for network beacon tamper detection as claimed in any one of claims 1 to 5 when invoked.
CN202210266542.8A 2022-03-17 2022-03-17 Data processing method and device for network beacon tampering detection Active CN114448724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210266542.8A CN114448724B (en) 2022-03-17 2022-03-17 Data processing method and device for network beacon tampering detection

Publications (2)

Publication Number Publication Date
CN114448724A CN114448724A (en) 2022-05-06
CN114448724B true CN114448724B (en) 2022-10-14

Family

ID=81360364

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210266542.8A Active CN114448724B (en) 2022-03-17 2022-03-17 Data processing method and device for network beacon tampering detection

Country Status (1)

Country Link
CN (1) CN114448724B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102006663A (en) * 2010-12-03 2011-04-06 北京工业大学 Safe positioning method in wireless sensor network
CN106407794A (en) * 2016-11-16 2017-02-15 杭州微飞胜科技有限公司 Method for preventing beaconing devices from being forged or copied
CN107423639A (en) * 2017-04-21 2017-12-01 深圳前海微众银行股份有限公司 webpage tamper monitoring method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11178540B2 (en) * 2018-10-31 2021-11-16 Cisco Technology, Inc. Enabling secure beacon telemetry broadcasts based on battery power state of a beacon device
US11432152B2 (en) * 2020-05-04 2022-08-30 Watchguard Technologies, Inc. Method and apparatus for detecting and handling evil twin access points
CN113065151A (en) * 2020-08-27 2021-07-02 开鑫金服(南京)信息服务有限公司 Relational database information security enhancement method, system, terminal and storage medium

Also Published As

Publication number Publication date
CN114448724A (en) 2022-05-06

Similar Documents

Publication Publication Date Title
CN109600363B (en) Internet of things terminal network portrait and abnormal network access behavior detection method
US20230092522A1 (en) Data packet processing method, apparatus, and electronic device, computer-readable storage medium, and computer program product
CN107135093A (en) A kind of Internet of Things intrusion detection method and detecting system based on finite automata
CN103607385A (en) Method and apparatus for security detection based on browser
CN109600362B (en) Zombie host recognition method, device and medium based on recognition model
CN102123058A (en) Test equipment and method for testing network protocol decoder
US20230418943A1 (en) Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same
CN111884989A (en) Vulnerability detection method and system for power web system
CN111314379B (en) Attacked domain name identification method and device, computer equipment and storage medium
CN115695031A (en) Host computer sink-loss detection method, device and equipment
CN112953895B (en) Attack behavior detection method, device and equipment and readable storage medium
Sukhwani et al. A survey of anomaly detection techniques and hidden markov model
CN114448724B (en) Data processing method and device for network beacon tampering detection
CN112448963A (en) Method, device, equipment and storage medium for analyzing automatic attack industrial assets
CN113704569A (en) Information processing method and device and electronic equipment
CN114513331B (en) Mining Trojan detection method, device and equipment based on application layer communication protocol
CN116346434A (en) Method and system for improving monitoring accuracy of network attack behavior of power system
CN114205146B (en) Processing method and device for multi-source heterogeneous security log
EP4254241A1 (en) Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same
CN106254375B (en) A kind of recognition methods of hotspot equipment and device
CN114629917A (en) Data processing method and device for cross-system communication and electronic equipment
CN115314319A (en) Network asset identification method and device, electronic equipment and storage medium
CN115604162A (en) Detection method of network security equipment
CN112422474B (en) Method for monitoring encrypted data stream, first electronic device and storage medium
CN116070191A (en) Information processing method and device, storage medium, and program product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant