CN114629828B - Network access detection method and electronic equipment - Google Patents

Publication number: CN114629828B
Application number: CN202210513442.0A
Authority: CN (China)
Prior art keywords: target, address, message, target computer, equipment
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN114629828A (en)
Inventor: 武文
Current Assignee: Hangzhou Jiudun Information Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Hangzhou Jiudun Information Technology Co ltd
Application filed by Hangzhou Jiudun Information Technology Co ltd
Priority to CN202210513442.0A
Publication of CN114629828A
Application granted
Publication of CN114629828B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/10: Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805: Monitoring or testing based on specific metrics by checking availability
    • H04L43/0811: Monitoring or testing based on specific metrics by checking availability by checking connectivity

Abstract

The application provides a network access detection method and electronic equipment, which belong to the technical field of network security, and the method comprises the following steps: acquiring a target mirror image message corresponding to a target request message, wherein the target request message is sent by target computer equipment and is used for requesting to access the Internet, and a source address in the target request message is the address of the target computer equipment; generating a response message according to the target mirror image message, wherein the response message comprises: a source address and an address of an internet server; and sending the response message to the target computer equipment so that the target computer equipment generates host information according to the response message and sends the host information to the Internet server.

Description

Network access detection method and electronic equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network access detection method and an electronic device.
Background
In some places such as schools and government enterprises, network protection devices such as firewalls are not deployed and the network topology of some areas is simple. Computer devices in these areas may only access internal public servers and are prohibited from accessing public networks. To determine whether these computer devices have accessed public networks, a detection method is needed that detects the network access of the computer devices in these areas.
In the prior art, when detection is needed, a detection device generally sends a detection data packet to each computer device, probes each computer on the basis of that packet to obtain the computer's access record, and returns a detection result based on the access record.
However, such methods require active probing of the computer device, and the computer may locally block the probe in some special way, so the flexibility and accuracy of the detection are insufficient.
Disclosure of Invention
The application aims to provide a network access detection method and electronic equipment, which can improve the security and flexibility of network access detection of computer equipment.
The embodiment of the application is realized as follows:
A network access detection method is applied to a traffic auditing device; the traffic auditing device is connected to a switch, and the switch is connected to the Internet and an Internet server through a network device. The switch is also connected to a local area network server and a plurality of computer devices. The method comprises the following steps:
acquiring a target mirror image message corresponding to a target request message, wherein the target request message is sent by target computer equipment and is used for requesting to access the Internet, and a source address in the target request message is the address of the target computer equipment;
generating a response message according to the target mirror image message, wherein the response message comprises: a source address and an address of an internet server;
and sending the response message to the target computer equipment so that the target computer equipment generates host information according to the response message and sends the host information to the Internet server.
Optionally, generating a response packet according to the target mirror packet includes:
acquiring address information of a target mirror image message, wherein the address information comprises: a source address of the target mirror image message and a target address of the target mirror image message;
and generating a response message based on the source address of the target mirror image message and the target address of the target mirror image message.
Optionally, the obtaining of the target mirror image packet corresponding to the target request packet includes:
acquiring mirror image messages corresponding to each request message through the switch;
and carrying out Berkeley packet filtering (BPF) processing on each mirror image message to obtain the target mirror image message corresponding to the target request message.
Optionally, the source address comprises: a source internet protocol address, a source port address; the address of the internet server includes: the media access control address of the internet server, the internet protocol address of the internet server and the port address of the internet server.
On the other hand, the method is applied to an internet server, the internet server is connected with a switch through network equipment, and the switch is also connected with the internet through the network equipment; the switch is also respectively connected with the local area network server, a plurality of computer devices and the flow auditing device, and the method comprises the following steps:
acquiring host information sent by target computer equipment, wherein the target computer equipment is equipment which is determined by flow audit equipment based on a target request message and sends a data packet to the Internet from a plurality of computer equipment;
decrypting the host information based on a pre-configured decryption mode to obtain a decryption result;
and determining the address of the target computer based on the decryption result, and updating the address state of the target computer to be in an unreliable state.
Optionally, decrypting the host information based on a preconfigured decryption manner to obtain a decryption result, including:
decrypting the host information based on a pre-configured decryption mode to generate a successful response message, wherein the successful response message comprises a successful identifier;
sending the successful response message to the target computer equipment so that the target computer equipment sends request identification information, wherein the request identification information comprises the address of the target computer;
and acquiring the request identification information, and decrypting the request identification information based on a pre-configured decryption mode to obtain the address of the target computer.
Optionally, the request identification information further includes a network identification; determining the address of the target computer based on the decryption result and changing the address of the target computer to an unreliable state comprises:
judging whether the network identification is in compliance based on a pre-configured decryption mode;
if yes, the address of the target computer is determined based on the decryption result, and the address of the target computer is changed into an unreliable state.
Optionally, the request identification information is message information generated after the target computer device performs compliance verification based on a successful identifier in the successful response message.
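The Internet-server side described above (decrypt the host information, answer with a successful identifier, verify the request identification information and its network identification, then mark the address unreliable) as an added example; this is not the patent's or the applicant's code. The patent does not specify its "pre-configured decryption mode", so the shared-secret cipher here (HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) is a stand-in, and "compliance" of the network identification is assumed to mean that it names an area the server has been configured to watch. The host information values are constructed.

```python
import hashlib
import hmac
import json
import os


class PreconfiguredCipher:
    """Stand-in (assumption) for the patent's unspecified "pre-configured
    decryption mode": a shared secret known to the target computer and the
    Internet server, HMAC-SHA256 in counter mode as the keystream, and a
    separate HMAC-SHA256 tag over nonce + ciphertext (encrypt-then-MAC)."""

    def __init__(self, secret: bytes):
        self.enc_key = hmac.new(secret, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(secret, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks, counter = [], 0
        while sum(len(b) for b in blocks) < length:
            blocks.append(hmac.new(self.enc_key, nonce + counter.to_bytes(4, "big"),
                                   hashlib.sha256).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes):
        """Plaintext, or None when the tag fails: wrong key, truncation or tampering."""
        if len(blob) < 48:
            return None
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


class InternetServer:
    """Internet-server side: decrypt host information, answer with the successful
    identifier, then verify the request identification information and mark the
    reported address unreliable."""

    SUCCESS_ID = "SUCCESS"   # the "successful identifier" in the successful response message

    def __init__(self, cipher, allowed_network_ids):
        self.cipher = cipher
        # Assumption: a network identification is "compliant" when it names one
        # of the restricted areas this server has been configured to watch.
        self.allowed_network_ids = set(allowed_network_ids)
        self.address_state = {}          # target address -> "unreliable"

    def handle_host_info(self, blob: bytes):
        """First message: return the successful response message, or None if decryption fails."""
        plain = self.cipher.decrypt(blob)
        if plain is None:
            return None
        host_info = json.loads(plain)
        return {"status": self.SUCCESS_ID, "host_ip": host_info.get("ip")}

    def handle_request_identification(self, blob: bytes) -> bool:
        """Second message: decrypt, check the network identification, update the address state."""
        plain = self.cipher.decrypt(blob)
        if plain is None:
            return False
        ident = json.loads(plain)
        if ident.get("network_id") not in self.allowed_network_ids:
            return False                 # non-compliant network identification: no state change
        self.address_state[ident["address"]] = "unreliable"
        return True


# Constructed host information of the kind the method lists (not real data).
SAMPLE_HOST_INFO = {
    "mac": "00:11:22:33:44:55", "ip": "10.10.3.7",
    "os_type": "Windows", "os_version": "10",
    "browser_type": "Firefox", "browser_version": "102", "browser_language": "zh-CN",
}


def run_target_computer(cipher, server, host_info, network_id) -> bool:
    """Simulate the target computer's two messages against the server."""
    resp = server.handle_host_info(cipher.encrypt(json.dumps(host_info).encode()))
    # Client-side compliance verification: only continue on the successful identifier.
    if resp is None or resp.get("status") != InternetServer.SUCCESS_ID:
        return False
    ident = {"address": host_info["ip"], "network_id": network_id}
    return server.handle_request_identification(cipher.encrypt(json.dumps(ident).encode()))


if __name__ == "__main__":
    shared = PreconfiguredCipher(b"constructed-shared-secret")
    srv = InternetServer(shared, allowed_network_ids={"AREA-7"})
    print(run_target_computer(shared, srv, SAMPLE_HOST_INFO, "AREA-7"), srv.address_state)
```

The point worth noticing is that the server changes state only after both messages decrypt and authenticate under the shared secret and the network identification is one it expects; a forged, truncated or re-keyed host information message is dropped before any address is marked unreliable.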
On the other hand, the method is applied to the target computer equipment, the target computer equipment is connected with the switch, and the switch is also connected with the internet and an internet server through the network equipment; the switch is also respectively connected with the local area network server and the flow auditing equipment, and the method comprises the following steps:
acquiring a response message sent by flow auditing equipment;
generating host information according to the response message, wherein the host information comprises at least one of the following items: the media access control address, the internet protocol address, the operating system type, the operating system version, the browser type, the browser version, and the language of the browser of the host;
the host information is transmitted to the internet server so that the internet server updates the address status of the target computer to an unreliable status based on the host information.
On the other hand, the embodiment of the application provides a network access detection device, which is applied to a traffic auditing device, wherein the traffic auditing device is connected to a switch, and the switch is connected to the Internet and an Internet server through a network device; the switch is also connected to a local area network server and a plurality of computer devices respectively, and the device comprises: a first acquisition module, a first processing module and a first sending module;
the first acquisition module is used for acquiring a target mirror image message corresponding to a target request message, wherein the target request message is sent by target computer equipment and is used for requesting to access the Internet, and a source address in the target request message is the address of the target computer equipment;
the first processing module is used for generating a response message according to the target mirror image message, wherein the response message comprises: a source address and an address of an internet server;
and the first sending module is used for sending the response message to the target computer equipment so that the target computer equipment generates host information according to the response message and sends the host information to the Internet server.
Optionally, the first processing module is specifically configured to obtain address information of the target mirror packet, where the address information includes: a source address of the target mirror image message and a target address of the target mirror image message; and generating a response message based on the source address of the target mirror image message and the target address of the target mirror image message.
Optionally, the first obtaining module is specifically configured to obtain a mirror message corresponding to each request message via the switch, and to carry out Berkeley packet filtering (BPF) processing on each mirror image message to obtain the target mirror image message corresponding to the target request message.
In another aspect of the embodiments of the present application, a network access detection apparatus is provided, where the apparatus is applied to an Internet server, the Internet server is connected to a switch through a network device, and the switch is further connected to the Internet through the network device; the switch is also connected to a local area network server, a plurality of computer devices and a traffic auditing device respectively, and the apparatus comprises: a second acquisition module and a second processing module;
the second acquisition module is used for acquiring host information sent by target computer equipment, and the target computer equipment is equipment which is determined by the flow audit equipment based on the target request message and sends a data packet to the Internet from the multiple computer equipment;
the second processing module is used for decrypting the host information based on a pre-configured decryption mode to obtain a decryption result; and determining the address of the target computer based on the decryption result, and updating the address state of the target computer to be in an unreliable state.
Optionally, the second processing module is specifically configured to decrypt the host information based on a preconfigured decryption manner, and generate a successful response message, where the successful response message includes a successful identifier; sending the successful response message to the target computer equipment so that the target computer equipment sends request identification information, wherein the request identification information comprises the address of the target computer; and acquiring the request identification information, and decrypting the request identification information based on a pre-configured decryption mode to obtain the address of the target computer.
Optionally, the second processing module is specifically configured to determine whether the network identifier is compliant based on a preconfigured decryption manner; if yes, the address of the target computer is determined based on the decryption result, and the address of the target computer is changed into an unreliable state.
In another aspect of the embodiments of the present application, a network access detection apparatus is provided, where the apparatus is applied to a target computer device, the target computer device is connected to a switch, and the switch is further connected to the Internet and an Internet server through a network device; the switch is also connected to a local area network server and a traffic auditing device respectively, and the apparatus comprises: a third acquisition module, a third processing module and a third sending module;
the third acquisition module is used for acquiring a response message sent by the flow audit equipment;
the third processing module is configured to generate host information according to the response packet, where the host information includes at least one of the following: the media access control address, the internet protocol address, the operating system type, the operating system version, the browser type, the browser version, and the language of the browser of the host;
and the third sending module is used for sending the host information to the Internet server so that the Internet server updates the address state of the target computer to be in an unreliable state based on the host information.
In another aspect of the embodiments of the present application, an electronic device is provided, which includes a memory and a processor, wherein a computer program capable of running on the processor is stored in the memory, and when the computer program is executed by the processor, the steps of the network access detection method applied to any one of the above devices are implemented.
In another aspect of the embodiments of the present application, a computer-readable storage medium is provided, where a computer program is stored on the storage medium, and when the computer program is executed by a processor, the computer program implements the steps of the network access detection method applied to any one of the apparatuses.
The beneficial effects of the embodiment of the application include:
in the network access detection method and the electronic device provided by the embodiment of the application, a target mirror image message corresponding to a target request message can be acquired, the target request message is sent by a target computer device, the target request message is used for requesting to access the internet, and a source address in the target request message is an address of the target computer device; generating a response message according to the target mirror image message, wherein the response message comprises: a source address and an address of an internet server; and sending the response message to the target computer equipment so that the target computer equipment generates host information according to the response message and sends the host information to the Internet server. The target computer can be determined by obtaining the target mirror image message corresponding to the target request message, and then the response message can be sent to the target computer to perform network access detection on the target computer, so that the flexibility of the network access detection can be improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a schematic architecture diagram of a network system according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of a network access detection method applied to a traffic auditing device according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of a process for generating a response message according to a target mirror image message;
Fig. 4 is a schematic flowchart of obtaining a target mirror image message corresponding to a target request message;
Fig. 5 is a schematic flowchart of a network access detection method applied to an Internet server according to an embodiment of the present application;
Fig. 6 is a schematic flowchart of a process of decrypting the host information based on a pre-configured decryption manner to obtain a decryption result;
Fig. 7 is a flowchart of the process of determining the address of the target computer based on the decryption result and changing the address of the target computer to an unreliable state;
Fig. 8 is a schematic flowchart of a network access detection method applied to a target computer device according to an embodiment of the present application;
Fig. 9 is an interaction diagram of information transmission in a network system according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a network access detection apparatus applied to a traffic auditing device according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a network access detection apparatus applied to an Internet server according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of a network access detection apparatus applied to a target computer device according to an embodiment of the present application;
Fig. 13 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The principles and spirit of the present invention will be described with reference to a number of exemplary embodiments. It is understood that these embodiments are given solely for the purpose of enabling those skilled in the art to better understand and to practice the invention, and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art. Reference in the specification to "an embodiment" or "an implementation" may mean either one embodiment or one implementation or some instances of embodiments or implementations.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to an embodiment of the present invention, there is provided a method.
It is to be understood that any number of elements in the figures are provided by way of illustration and not limitation, and that any nomenclature is used for distinction and not limitation.
Technical terms involved in the present invention will be briefly described below so that the related person can better understand the present solution.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
In the description of the present application, it is noted that the terms "first", "second", "third", and the like are used merely for distinguishing between descriptions and are not intended to indicate or imply relative importance.
It should be noted that, in a government enterprise or a school, some areas have simple network topology and are not provided with network protection devices such as firewalls, and computer devices (which may store more important data information) in these areas may access an internal public server but usually forbid access to a public network.
By integrating the method into a conventional flow audit system, the audit capability of the flow audit system and its monitoring capability over intranet hosts can be effectively enhanced, dangerous Internet access by computer devices in a specified area can be found in a timely and accurate manner, and losses to enterprises, schools and government departments can be reduced.
The following specifically explains a specific structure of a network system in which a device to which the network access detection method provided in the embodiment of the present application is applied is located.
The network structure in which the network access detection method runs is shown in Fig. 1 and includes: a plurality of computer devices 110, a switch 120, a local area network server 130, a traffic auditing device 140, a network device 150, the Internet 160 and an Internet server 170.
The plurality of computer devices 110 are respectively connected to the switch 120, the switch 120 is further connected to the lan server 130 and the traffic auditing device 140, and the switch is further connected to the internet 160 and the internet server 170 through the network device 150.
Optionally, the computer device 110 may specifically be a personal computer (PC), for example a computer used in a public place such as an office or a school.
The switch 120 may be an electronic device that provides an exclusive electrical signal path for any two network nodes accessing the switch, and in the network system, the computer device 110 may access a network environment such as a local area network or the internet through the switch 120.
The lan server 130, also called an intranet server, may be a public or private server established within a certain range, such as: for a business entity, a local area network server within the business may be provided.
The flow auditing device 140, which may be a device associated with performing flow auditing calculations, may be specifically configured to read and analyze data flowing through the switch 120.
Network device 150 may specifically be a physical device for assisting switch 120 in accessing internet 160.
The internet server 170 may be an extranet server built in the internet 160, and may be used for detecting network access to the computer device in the network system.
Optionally, in this embodiment of the present application, the traffic auditing device 140 may obtain traffic data, for example by receiving a message, determine a target computer device (one of the plurality of computer devices) based on the related information of the message, and send a response message to the target computer device so that the target computer device generates host information; the target computer device then sends the host information to the Internet server for reliability verification, which realizes the network access detection.
Optionally, when the network access detection method is executed in the network system to implement information interaction between the devices, an XSS (Cross Site Scripting) technology may be specifically used to implement the information interaction.
The following specifically explains a specific implementation process of the network access detection method applied to the traffic auditing device provided in the embodiment of the present application.
A flow of a network access detection method applied to a traffic audit device is shown in fig. 2, and specifically includes:
S210: Acquiring a target mirror image message corresponding to the target request message.
The target request message is sent by the target computer equipment, the target request message is used for requesting to access the Internet, and the source address in the target request message is the address of the target computer equipment.
Optionally, an execution main body of the method may be the above-mentioned traffic auditing device, where a source address of the target request message may be an address of the target computer device, a target address of the target request message may be an address of an internet server, and the target mirror image message may be a mirror image copy message acquired by the traffic auditing device based on a mirror image port of a switch, that is, a message obtained after the message of the target request is copied in a transmission process.
Optionally, the source address and the target address of the target mirror image message are the same as those of the target request message.
Alternatively, the target request message may be message information sent by the target computer device to the internet through the switch and the network device.
Optionally, the switch and the traffic auditing device may be separately configured or may be integrally configured, which is not limited herein, and in the embodiment of the present application, the separate configuration is taken as an example.
S220: and generating a response message according to the target mirror image message.
Wherein, the response message includes: a source address and an address of an internet server.
Optionally, the response message may include data segments, and the source address of the target mirror message and the address of the internet server (the target address of the target mirror message) are recorded in the data segments. The destination address of the response message itself may be the address of the destination computer device.
Optionally, the response packet may specifically be a packet under the HTTP (Hypertext Transfer Protocol) protocol, for example an HTML (Hypertext Markup Language) page of a web page.
S230: and sending the response message to the target computer equipment so that the target computer equipment generates host information according to the response message and sends the host information to the Internet server.
Optionally, the traffic auditing device may send the generated response message to the target computer device, specifically, may send the response message through a switch. The target computer device is also the computer device that sends the target request message.
Optionally, after receiving the response message, the target computer device may generate host information based on the response message, where the host information may specifically be any one or more of a media access control address, an internet protocol address, an operating system type, an operating system version, a browser type, a browser version, a language of the browser, and the like of the host, and may specifically be set according to an actual requirement, which is not limited specifically herein.
Optionally, after the host information is generated, the target computer device may send the host information to an internet server, specifically, send the host information through a switch and a network device. It should be noted that the host information may specifically be host information encrypted by the target computer device based on a preconfigured encryption method.
Optionally, after the host information is sent to the Internet server, network access detection may be performed and a hazard record kept for the target computer device.
In the network access detection method provided by the embodiment of the application, a target mirror image message corresponding to a target request message can be acquired, the target request message is sent by target computer equipment, the target request message is used for requesting to access the internet, and a source address in the target request message is an address of the target computer equipment; generating a response message according to the target mirror image message, wherein the response message comprises: a source address and an address of an internet server; and sending the response message to the target computer equipment so that the target computer equipment generates host information according to the response message and sends the host information to the Internet server. The target computer can be determined by obtaining the target mirror image message corresponding to the target request message, and then the response message can be sent to the target computer to perform network access detection on the target computer, so that the flexibility of the network access detection can be improved.
The process of generating the response message according to the target mirror image message in S220 is shown in fig. 3, and specifically includes:
S310: Acquire the address information of the target mirror image message.
Wherein the address information includes: the source address of the target mirror message and the target address of the target mirror message.
Optionally, a source address of the target mirror image message and a target address of the target mirror image message may be obtained, where the address information of the target mirror image message is the same as the address information of the target request message, the source address is an address of the target computer device, and the target address is an address of the internet server.
The source address includes: a source internet protocol address and a source port address; the address of the internet server includes: the media access control address of the internet server, the internet protocol address of the internet server and the port address of the internet server.
Optionally, the source address and the internet server address may specifically refer to the following table:
Destination MAC | Destination IP | Destination port | Source IP | Source port | Payload

Alternatively, in the above table, the "destination MAC" may be the MAC address of the internet server; the "destination IP" may be the internet protocol address of the internet server; the "destination port" is the port address of the internet server; the "source IP" is the source internet protocol address; the "source port" is the source port address; the "payload" is the carrier for the application data being transported.
S320: Generate a response message based on the source address of the target mirror image message and the target address of the target mirror image message.
Optionally, after determining the address information of the target mirror packet, the source address and the target address may be stored in the response packet as a data segment.
The process of obtaining the target mirror image message corresponding to the target request message in S210 is shown in fig. 4, and specifically includes:
S410: Acquire the mirror image message corresponding to each request message passing through the switch.
Optionally, the flow audit device may obtain, through a mirror port, the mirror image packet corresponding to any request packet, where the request packets are all packets passing through the switch; the request packets may specifically be obtained by a high-speed mirror traffic processing approach.
S420: Filter each mirror image message to obtain the target mirror image message corresponding to the target request message.
Optionally, after each mirror image message is processed by the BPF (Berkeley Packet Filter) rule matching mechanism, a message whose target address is the address of the internet server is matched and captured as the message to be captured, and the captured message is the target mirror image message.
Optionally, when the response packet is determined, it may first be determined whether the target computer corresponding to the response packet is allowed to access the external network; if so, no detection is required, and if not, the response packet is sent to the target computer device.
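The filtering and response-construction steps above (S310/S320 and S410/S420), as an added Python example that is not part of the patent: it parses constructed Ethernet/IPv4/TCP frames as a mirror port would deliver them, keeps only frames whose destination is the internet server (the same predicate the libpcap/BPF expression in the comment expresses), skips hosts already allowed external access, and packs the source address and the internet server address into a response message. The server MAC/IP/port, the allowed-host set, the 18-byte response layout and the sample frames are assumptions, since the patent fixes none of them.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed deployment values (not given in the patent): the internet server's
# MAC/IP/port and the hosts already allowed to reach the external network.
INTERNET_SERVER_MAC = "02:00:00:aa:bb:cc"
INTERNET_SERVER_IP = "203.0.113.10"
INTERNET_SERVER_PORT = 8443
ALLOWED_EXTERNAL_ACCESS = {"192.168.100.20"}

# Equivalent libpcap/BPF expression an audit device could install on the
# mirror port; the pure-Python matcher below applies the same predicate.
BPF_FILTER = f"ip and tcp and dst host {INTERNET_SERVER_IP} and dst port {INTERNET_SERVER_PORT}"

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")    # fixed 20-byte IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")        # fixed 20-byte TCP header
RESPONSE_FMT = struct.Struct("!4sH6s4sH")    # assumed layout: src IP, src port, dst MAC, dst IP, dst port


@dataclass(frozen=True)
class AddressInfo:
    src_ip: str
    src_port: int
    dst_mac: str
    dst_ip: str
    dst_port: int


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_frame(frame: bytes) -> Optional[AddressInfo]:
    """S310: decode Ethernet/IPv4/TCP headers; None for anything that is not IPv4/TCP."""
    if len(frame) < ETH_HDR.size:
        return None
    dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return None
    off = ETH_HDR.size
    if len(frame) < off + IPV4_HDR.size:
        return None
    vihl, _, _, _, _, _, proto, _, src, dst = IPV4_HDR.unpack_from(frame, off)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != 6 or ihl < 20:
        return None
    if len(frame) < off + ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    return AddressInfo(str(ipaddress.IPv4Address(src)), sport, dst_mac.hex(":"),
                       str(ipaddress.IPv4Address(dst)), dport)


def is_target_request(info: AddressInfo) -> bool:
    """S420: keep only packets whose destination is the internet server."""
    return info.dst_ip == INTERNET_SERVER_IP and info.dst_port == INTERNET_SERVER_PORT


def build_response_message(info: AddressInfo) -> bytes:
    """S320: store the source address and the internet-server address as the data segment."""
    return RESPONSE_FMT.pack(ipaddress.IPv4Address(info.src_ip).packed, info.src_port,
                             _mac_bytes(info.dst_mac), ipaddress.IPv4Address(info.dst_ip).packed,
                             info.dst_port)


def process_mirror_stream(frames: List[bytes]) -> List[Tuple[str, bytes]]:
    """Return (target host IP, response message) for every host that needs detection."""
    results = []
    for frame in frames:
        info = parse_frame(frame)
        if info is None or not is_target_request(info):
            continue
        if info.src_ip in ALLOWED_EXTERNAL_ACCESS:
            continue  # host is permitted to reach the external network: no detection needed
        results.append((info.src_ip, build_response_message(info)))
    return results


def make_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Build a minimal Ethernet/IPv4/TCP SYN frame (checksums left zero) for the constructed samples."""
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 0, 0x4000, 64, 6, 0,
                       ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return ETH_HDR.pack(_mac_bytes(dst_mac), _mac_bytes(src_mac), 0x0800) + ip + tcp


# Constructed sample mirror traffic: one host reaching the internet server,
# one LAN-only request, one allowed host, and a truncated frame.
SAMPLE_FRAMES = [
    make_frame(INTERNET_SERVER_MAC, "02:00:00:00:00:11", "192.168.100.11", INTERNET_SERVER_IP,
               51000, INTERNET_SERVER_PORT, b"GET / HTTP/1.1\r\n"),
    make_frame("02:00:00:00:00:02", "02:00:00:00:00:12", "192.168.100.12", "192.168.100.2", 51001, 80),
    make_frame(INTERNET_SERVER_MAC, "02:00:00:00:00:20", "192.168.100.20", INTERNET_SERVER_IP,
               51002, INTERNET_SERVER_PORT),
    b"\x00" * 10,
]

if __name__ == "__main__":
    for host, msg in process_mirror_stream(SAMPLE_FRAMES):
        print(host, msg.hex())
```

Only the host at 192.168.100.11 survives the three checks; the LAN-only request never matches the destination predicate, the allowed host is skipped, and the truncated frame is rejected by the parser rather than raising.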
The following specifically explains a specific implementation procedure of the network access detection method applied to the internet server provided in the embodiment of the present application.
A flow of a network access detection method applied to an internet server is shown in fig. 5, and specifically includes:
S510: Acquire host information sent by the target computer device.
The target computer device is the device that the flow auditing device has determined, from among the plurality of computer devices, to have sent a data packet to the internet, based on the target request message.
Optionally, an execution main body of the method may be an internet server, the internet server may obtain, through the switch and the network device, the host information sent by the target computer device, and the content included in the host information is explained in the foregoing, which is not described herein again.
S520: Decrypt the host information based on a preconfigured decryption mode to obtain a decryption result.
Optionally, the preconfigured decryption manner may be the decryption corresponding to the Electronic Codebook (ECB) mode of the Data Encryption Standard (DES) algorithm, the host information being information encrypted with DES in ECB mode.
Optionally, the decryption result may be obtained after decryption, and the decryption result is the specific data content stored in the host information.
S530: Determine the address of the target computer based on the decryption result, and update the address state of the target computer to the unreliable state.
Alternatively, the unreliable state may be one of the address states of the target computer, and when the address of the computer device is in the unreliable state, the target computer may be considered to have accessed the internet, with a security risk.
Optionally, after the unreliable state update is performed, the access record may be recorded in a storage.
Alternatively, the address status of the target computer may be information stored in an internet server, the address status of each computer may be recorded, the address status may be a reliable status in an initial status, and the updated address status may be changed to an unreliable status.
In the network access detection method provided by the embodiment of the application, host information sent by target computer equipment can be obtained, and the target computer equipment is equipment which is determined by flow audit equipment based on target request messages from a plurality of computer equipment and sends data packets to the internet; decrypting the host information based on a pre-configured decryption mode to obtain a decryption result; and determining the address of the target computer based on the decryption result, and updating the address state of the target computer to be in an unreliable state. The host information is encrypted by adopting a pre-configured encryption mode in the host information sending process and is decrypted based on the pre-configured decryption mode, so that the security of host information transmission can be improved, the host information is prevented from being changed in the transmission process, and the security of computer equipment detection in the whole network system is improved.
The process of decrypting the host information based on the preconfigured decryption manner in S520 to obtain the decryption result is shown in fig. 6, and specifically includes:
S610: Decrypt the host information based on the preconfigured decryption mode and generate a success response message.
Wherein the success response message includes a success identifier.
Optionally, after the host information is decrypted in the above manner, a success response message may be generated, where the success response message includes a success identifier, and the success identifier is used to indicate that the internet server has received the host information.
Optionally, the success identifier may itself be an encrypted identifier, so that it is protected from modification during transmission.
S620: Send the success response message to the target computer device so that the target computer device sends request identification information.
Wherein the request identification information includes an address of the target computer.
Optionally, the request identification information may be message information generated after the target computer device performs compliance verification based on a successful identifier in the successful response message.
Specifically, in order to ensure the accuracy of the success identifier, the success identifier in the response message may optionally be encrypted with a preconfigured key using DES; after the target computer device obtains the encrypted identifier, it decrypts the DES ciphertext with the same preconfigured key and determines whether the identifier is compliant.
Optionally, after the compliance determination is performed, if a preset compliance requirement is met, request identification information may be generated, where the request identification information at least includes an address of the target computer device, and the target computer device may send the request identification information to the internet server through the switch and the network device.
S630: Acquire the request identification information, and decrypt it based on the preconfigured decryption mode to obtain the address of the target computer.
Optionally, the request identification information may also be encrypted in the manner described above so that it cannot be changed during transmission. After receiving the request identification information, the internet server may further verify it: it decrypts the request identification information to obtain the address of the target computer, and after determining that the address of the target computer is correct, it may determine that the obtained decryption result is correct.
The request identification information in S630 further includes a network identifier. The process of determining the address of the target computer based on the decryption result and changing the address of the target computer to the unreliable state, using the network identifier, is shown in fig. 7 and specifically includes:
S710: Judge whether the network identifier is compliant based on the preconfigured decryption mode.
Optionally, the network identifier may be decrypted using the DES decryption method to determine whether it is compliant, specifically whether correct identifier information can be obtained after decryption: if correct identifier information is obtained, the network identifier is determined to be compliant; if it cannot be obtained, the network identifier is determined to be non-compliant.
S720: If yes, determine the address of the target computer based on the decryption result, and change the address of the target computer to the unreliable state.
Alternatively, when the network identification is determined to be in compliance, the address of the target computer in the internet server may be changed to an unreliable state based on the address of the target computer in the decryption result.
Optionally, the method explained above performs verification based on decryption to label the unreliable state. In an actual implementation, the determination may also be made in a time-based manner: an administrator user configures, in the internet server, a time range for reporting information; the host information carries its generation time when reported; the internet server parses the reported information and, if it contains a host information generation time, extracts that time and determines the absolute value of the difference between the host information generation time and the local time of the internet server; if that difference falls within the configured time range, the reported information is parsed and recorded. This is not specifically limited herein.
The following specifically explains a specific implementation procedure of the network access detection method applied to the target computer device provided in the embodiment of the present application.
A flow of a network access detection method applied to a target computer device is shown in fig. 8, and specifically includes:
S810: Acquire the response message sent by the flow auditing device.
Optionally, after determining the target computer device from the multiple computing devices, the flow audit device may send a response message to the target computer through the switch, where the content included in the response message is explained in detail in the foregoing, and is not described herein again.
S820: Generate host information according to the response message.
Wherein the host information includes at least one of: the media access control address of the host, the internet protocol address, the operating system type, the operating system version, the browser type, the browser version, the language of the browser.
Optionally, the host information may be stored in a form of a table, and the host information may be encrypted in a preconfigured encryption manner to improve the security of the information.
Optionally, in addition to the content of the host information, specific host information, such as a host status, a host name, and the like, may be added according to actual needs.
Host information is explained below by way of specific examples:
State of the host | Host MAC | Host IP | Operating system | Browser information

Optionally, the table above shows the content of the host information, where the "state of the host" indicates whether the host is online or offline; "host MAC" is the MAC address of the host; "host IP" is the internet protocol address of the host; "operating system" is the operating system of the host; "browser information" may include the browser type, browser version, language of the browser and the like, and is not particularly limited herein. The table contents above are only an example and do not limit the contents of the host information.
S830: Send the host information to the internet server so that the internet server updates the address state of the target computer to the unreliable state based on the host information.
Optionally, the host information may be encrypted and then sent to an internet server through a switch, a network device, or the like, and the internet server may decrypt and then update the address state of the target computer to an unreliable state.
The following specifically explains an information interaction process between devices in the network system provided in the embodiment of the present application.
As shown in fig. 9, an information interaction process between devices in the network system specifically includes:
S910: The flow auditing equipment acquires the target mirror image message and generates a response message based on the target mirror image message.
S920: The flow auditing equipment sends the response message to the target computer.
S930: The target computer generates host information according to the response message.
S940: The target computer sends the host information to the internet server.
S950: The internet server decrypts the host information to obtain a decryption result and updates the address state of the target computer to the unreliable state.
Optionally, the specific implementation process of the foregoing steps S910 to S950 is already explained in the foregoing, and fig. 9 further explains the interaction relationship among the three devices, where it should be noted that the information interaction between the flow audit device and the target computer is realized through a switch, and the information interaction between the target computer and the internet server is realized through a switch and a network device.
Alternatively, in order to make the description of the present application clearer, the following explains the related contents with a specific example.
Illustratively, the encrypted content of the host information may be:
"9ab68069be0407e8f051643eb6bf6d786e55195063a40e867abfe96dd659881bfcfb433cdb63db0b6eced4e837f6eb67388474d32e2ace6c2c341fd6547b8a7aa4ba98e8a46b48f7aad2a2d9bf1fe4cd2be120fd18c22a9a50096066ba8cdfe4".
For example, the instruction to change the address of the target computer to the unreliable state may be:
"InAndOutline|192.168.100.11".
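The server-side handling described in S530, S630 and S710/S720, together with the time-window variant and the instruction format just shown, as an added Python example that is not the patent's own code: it starts from already-decrypted host information (the DES-ECB decryption step the patent specifies is not implemented here), rejects reports whose generation time falls outside the configured window, checks that the address in the request identification matches the reported host, flips the address state from reliable to unreliable and emits an `InAndOutline|<ip>` instruction. The five-minute window, the `HostInfo` field names, the fixed server clock and the sample reports are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

RELIABLE = "reliable"
UNRELIABLE = "unreliable"

# Assumed administrator-configured reporting window; the patent leaves the value open.
REPORT_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class HostInfo:
    """Decrypted host information; the field set follows the patent's example table."""
    host_state: str                          # "online" / "offline"
    host_mac: str
    host_ip: str
    operating_system: str
    browser_info: str
    generated_at: Optional[datetime] = None  # carried only when time-based checking is used


class InternetServer:
    def __init__(self, known_hosts: List[str], now: Optional[Callable[[], datetime]] = None):
        # Every recorded address starts in the reliable state (initial status).
        self.address_state: Dict[str, str] = {ip: RELIABLE for ip in known_hosts}
        self.access_records: List[HostInfo] = []
        self._now = now or (lambda: datetime.now(timezone.utc))

    def within_report_window(self, info: HostInfo) -> bool:
        """Time-based check: |generation time - server local time| must lie inside the window."""
        if info.generated_at is None:
            return True  # no timestamp in the report: rely on identifier verification alone
        return abs(self._now() - info.generated_at) <= REPORT_WINDOW

    @staticmethod
    def request_identification_matches(info: HostInfo, request_ident_ip: str) -> bool:
        """S630: the address in the decrypted request identification must equal the reported host IP."""
        return request_ident_ip == info.host_ip

    def process_report(self, info: HostInfo, request_ident_ip: str) -> Optional[str]:
        """S530/S720: mark the host unreliable and return the state-change instruction, or None if rejected."""
        if not self.within_report_window(info):
            return None
        if not self.request_identification_matches(info, request_ident_ip):
            return None
        self.address_state[info.host_ip] = UNRELIABLE
        self.access_records.append(info)  # hazard/access record for this host
        return f"InAndOutline|{info.host_ip}"


def parse_instruction(instruction: str) -> str:
    """Parse the 'InAndOutline|<ip>' instruction that moves an address to the unreliable state."""
    op, sep, ip = instruction.partition("|")
    if op != "InAndOutline" or not sep:
        raise ValueError(f"unexpected instruction: {instruction!r}")
    ipaddress.IPv4Address(ip)  # raises ValueError for a malformed address
    return ip


# Constructed sample reports evaluated against a fixed server clock.
FIXED_NOW = datetime(2022, 5, 12, 10, 0, tzinfo=timezone.utc)
FRESH_REPORT = HostInfo("online", "02:00:00:00:00:11", "192.168.100.11", "Windows 10",
                        "Chrome 100 zh-CN", FIXED_NOW - timedelta(minutes=1))
STALE_REPORT = HostInfo("online", "02:00:00:00:00:12", "192.168.100.12", "Ubuntu 20.04",
                        "Firefox 99 en-US", FIXED_NOW - timedelta(hours=1))


def run_demo() -> Dict[str, str]:
    """Process one fresh and one stale report; return the resulting address-state table."""
    server = InternetServer(["192.168.100.11", "192.168.100.12"], now=lambda: FIXED_NOW)
    server.process_report(FRESH_REPORT, "192.168.100.11")  # accepted: becomes unreliable
    server.process_report(STALE_REPORT, "192.168.100.12")  # outside the window: stays reliable
    return dict(server.address_state)


if __name__ == "__main__":
    print(run_demo())
```

The stale report is dropped before any state change, which is the point of the time window: a report replayed long after it was generated does not move an address to the unreliable state.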
According to the network access detection method applied to a flow audit device, a network access detection device structure is provided as shown in fig. 10, and the device includes: a first obtaining module 210, a first processing module 220 and a first sending module 230;
a first obtaining module 210, configured to obtain a target mirror image packet corresponding to a target request packet, where the target request packet is sent by a target computer device, the target request packet is used to request to access the internet, and a source address in the target request packet is an address of the target computer device;
the first processing module 220 is configured to generate a response message according to the target mirror image message, where the response message includes: a source address and an address of an internet server;
the first sending module 230 is configured to send the response message to the target computer device, so that the target computer device generates host information according to the response message and sends the host information to the internet server.
Optionally, the first processing module 220 is specifically configured to obtain address information of the target mirror packet, where the address information includes: a source address of the target mirror image message and a target address of the target mirror image message; and generating a response message based on the source address of the target mirror image message and the target address of the target mirror image message.
Optionally, the first obtaining module 210 is specifically configured to obtain a mirror message corresponding to each request message passing through the switch, and to carry out Berkeley packet filtering processing on each mirror image message to obtain the target mirror image message corresponding to the target request message.
According to a network access detection method applied to a traffic auditing device, another network access detection device structure is proposed as shown in fig. 11, and the device includes: a second obtaining module 310 and a second processing module 320;
a second obtaining module 310, configured to obtain host information sent by a target computer device, where the target computer device is a device that is determined by a flow auditing device based on a target request packet and has sent a data packet to the internet from multiple computer devices;
the second processing module 320 is configured to decrypt the host information based on a preconfigured decryption manner to obtain a decryption result; and determining the address of the target computer based on the decryption result, and updating the address state of the target computer to be in an unreliable state.
Optionally, the second processing module 320 is specifically configured to decrypt the host information based on a preconfigured decryption manner, and generate a successful response message, where the successful response message includes a successful identifier; sending the successful response message to the target computer equipment so that the target computer equipment sends request identification information, wherein the request identification information comprises the address of the target computer; and acquiring the request identification information, and decrypting the request identification information based on a pre-configured decryption mode to obtain the address of the target computer.
Optionally, the second processing module 320 is specifically configured to determine whether the network identifier is compliant based on a preconfigured decryption manner; if yes, the address of the target computer is determined based on the decryption result, and the address of the target computer is changed into an unreliable state.
According to a network access detection method applied to a target computer device, another network access detection apparatus structure is proposed as shown in fig. 12, and includes: a third obtaining module 410, a third processing module 420, and a third sending module 430;
a third obtaining module 410, configured to obtain a response message sent by the flow audit device;
the third processing module 420 is configured to generate host information according to the response packet, where the host information includes at least one of the following: the media access control address, the internet protocol address, the operating system type, the operating system version, the browser type, the browser version, and the language of the browser of the host;
a third sending module 430, configured to send the host information to the internet server, so that the internet server updates the address status of the target computer to an unreliable status based on the host information.
The above-mentioned device is used for executing the method provided by the foregoing embodiments, and the implementation principle and technical effect thereof are similar.
The above modules may be one or more integrated circuits configured to implement the above methods, for example one or more Application Specific Integrated Circuits (ASICs), one or more microprocessors, or one or more Field Programmable Gate Arrays (FPGAs). As another example, when one of the above modules is implemented in the form of program code scheduled by a processing element, the processing element may be a general-purpose processor, such as a Central Processing Unit (CPU) or another processor capable of calling program code. As yet another example, these modules may be integrated together and implemented in the form of a system-on-a-chip (SOC).
According to another embodiment of the present invention, an electronic device for detecting network access is provided, as shown in fig. 13, including: the memory 510, the processor 520, the memory 510 storing a computer program that can be run on the processor 520, the processor 520 implementing the steps of the network access detection method applied to any device when executing the computer program.
Optionally, the electronic device may be any of the aforementioned traffic auditing devices, an internet server, or a target computer.
In another aspect of the embodiments of the present application, there is also provided a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the network access detection method applied to any one of the apparatuses.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute some steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: a U disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
The above description is intended to be illustrative of the present invention and not to limit the scope of the invention, which is defined by the claims appended hereto.

Claims (10)

1. A network access detection method is characterized in that a network system architecture comprises computer equipment, a switch, a local area network server, flow auditing equipment, network equipment, the Internet and an Internet server, wherein the flow auditing equipment is connected with the switch, the switch is connected with the Internet and the Internet server through the network equipment, the switch is also respectively connected with the local area network server and the computer equipment, and when the method is applied to the flow auditing equipment, the method comprises the following steps:
acquiring a target mirror image message corresponding to a target request message, wherein the target request message is sent by target computer equipment, the target request message is used for requesting to access the Internet, and a source address in the target request message is the address of the target computer equipment;
generating a response message according to the target mirror image message, wherein the response message comprises: the source address and the address of the internet server;
and sending the response message to the target computer equipment so that the target computer equipment generates host information according to the response message and sends the host information to the Internet server.
2. The method according to claim 1, wherein the generating a response packet according to the target mirror packet comprises:
acquiring address information of the target mirror image message, wherein the address information comprises: a source address of the target mirror image message and a target address of the target mirror image message;
and generating the response message based on the source address of the target mirror image message and the target address of the target mirror image message.
3. The method according to claim 1, wherein the obtaining of the target mirror message corresponding to the target request message comprises:
acquiring mirror image messages corresponding to the request messages of the switch;
and carrying out Berkeley packet filtering processing on each mirror image message to obtain a target mirror image message corresponding to the target request message.
4. The method of claim 1, wherein the source address comprises: a source internet protocol address, a source port address; the address of the internet server comprises: the media access control address of the internet server, the internet protocol address of the internet server, and the port address of the internet server.
5. The method according to claim 1, wherein when the method is applied to an internet server, the internet server is connected to a switch through a network device, and the switch is further connected to the internet through the network device; the switch is also respectively connected with a local area network server, a plurality of computer devices and flow auditing equipment, and the method comprises the following steps:
acquiring host information sent by target computer equipment, wherein the target computer equipment is equipment which is determined by the flow audit equipment based on a target request message and sends a data packet to the Internet from a plurality of computer equipment;
decrypting the host information based on a pre-configured decryption mode to obtain a decryption result;
and determining the address of the target computer based on the decryption result, and updating the address state of the target computer to be an unreliable state.
6. The method according to claim 5, wherein decrypting the host information based on the pre-configured decryption method to obtain a decryption result includes:
decrypting the host information based on a pre-configured decryption mode to generate a successful response message, wherein the successful response message comprises a successful identifier;
sending the successful response message to the target computer equipment so that the target computer equipment sends request identification information, wherein the request identification information comprises the address of the target computer;
and acquiring the request identification information, and decrypting the request identification information based on a pre-configured decryption mode to obtain the address of the target computer.
7. The method according to claim 6, wherein the requesting identification information further comprises: a network identification; the determining the address of the target computer based on the decryption result, changing the address of the target computer to an unreliable state, comprising:
judging whether the network identification is in compliance based on a pre-configured decryption mode;
if yes, determining the address of the target computer based on the decryption result, and changing the address of the target computer into an unreliable state.
8. The method according to claim 6, wherein the request identification information is message information generated by the target computer device after performing compliance verification based on a successful identifier in the successful response message.
9. The method according to claim 1, wherein when the method is applied to a target computer device, the target computer device is connected to a switch, and the switch is further connected to the internet and an internet server through a network device; the switch is also respectively connected with a local area network server and flow auditing equipment, and the method comprises the following steps:
acquiring a response message sent by the flow auditing equipment;
generating host information according to the response message, wherein the host information comprises at least one of the following items: the media access control address, the internet protocol address, the operating system type, the operating system version, the browser type, the browser version and the language of the browser of the host;
and sending the host information to the Internet server so that the Internet server updates the address state of the target computer to be in an unreliable state based on the host information.
10. A network access detection electronic device, comprising: a memory and a processor, wherein the memory stores a computer program executable on the processor, and the processor, when executing the computer program, carries out the steps of the method according to any one of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210513442.0A CN114629828B (en) 2022-05-12 2022-05-12 Network access detection method and electronic equipment

Publications (2)

Publication Number Publication Date
CN114629828A CN114629828A (en) 2022-06-14
CN114629828B true CN114629828B (en) 2022-08-09

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244808A (en) * 2021-11-17 2022-03-25 广东电网有限责任公司 Method and device for passively checking offline illegal external connection based on non-client mode

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
US20030182420A1 (en) * 2001-05-21 2003-09-25 Kent Jones Method, system and apparatus for monitoring and controlling internet site content access
US7735140B2 (en) * 2004-06-08 2010-06-08 Cisco Technology, Inc. Method and apparatus providing unified compliant network audit
US8316442B2 (en) * 2008-01-15 2012-11-20 Microsoft Corporation Preventing secure data from leaving the network perimeter
CN101247346A (en) * 2008-04-01 2008-08-20 陈世杰 Method for controlling local area network data message based on gateway mode
CN110213198A (en) * 2018-02-28 2019-09-06 中标软件有限公司 The monitoring method and system of network flow
CN110855699B (en) * 2019-11-18 2022-03-11 北京天融信网络安全技术有限公司 Flow auditing method and device, server and auditing equipment
CN111865990B (en) * 2020-07-23 2023-02-21 上海中通吉网络技术有限公司 Method, device, equipment and system for managing and controlling malicious reverse connection behavior of intranet

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant