CN115022010B - Intelligent anti-deception method and system for NTP client - Google Patents

Info

Publication number
CN115022010B
Authority
CN
China
Prior art keywords
ntp
hypersphere
server
signal
time
Legal status
Active
Application number
CN202210600698.5A
Other languages
Chinese (zh)
Other versions
CN115022010A (en
Inventor
赵陆文
Current Assignee
Nanjing Younitai Information Technology Co ltd
Original Assignee
Nanjing Younitai Information Technology Co ltd
Application filed by Nanjing Younitai Information Technology Co ltd
Priority to CN202210600698.5A
Publication of CN115022010A
Application granted
Publication of CN115022010B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04J MULTIPLEX COMMUNICATION
    • H04J3/00 Time-division multiplex systems
    • H04J3/02 Details
    • H04J3/06 Synchronising arrangements
    • H04J3/0635 Clock or time synchronisation in a network
    • H04J3/0638 Clock or time synchronisation among nodes; Internode synchronisation
    • H04J3/0658 Clock or time synchronisation among packet nodes
    • H04J3/0661 Clock or time synchronisation among packet nodes using timestamps
    • H04J3/0667 Bidirectional timestamps, e.g. NTP or PTP for compensation of clock drift and for compensation of propagation delays
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses an intelligent anti-spoofing method for an NTP client, comprising the following steps: S1, data acquisition; S2, feature extraction: extracting features from NTP normal signal samples and NTP abnormal signal samples respectively; S3, modeling: obtaining the hypersphere detection model that corresponds to the minimum value of the hypersphere detection function; S4, detection: calculating the distance from the feature combination of the NTP time signal under test to the center of the hypersphere detection model; S5, spoofing countermeasure: after detecting a spoofed signal, the client puts the corresponding server on a blacklist and either switches to a standby server or enters a time-keeping state. The invention collects NTP normal signal samples, constructs a hypersphere detection model, and then uses that model to check the NTP time signal under test, which is a convenient and effective technical approach. In practical tests, a recognition rate above 92% was obtained with a false alarm rate below 10%.

Description

Intelligent anti-deception method and system for NTP client
Technical Field
The invention belongs to the technical field of electronic information, and particularly relates to an intelligent anti-deception method of a Network Time Protocol (NTP) client.
Background
With the rapid development of electronic information technology, electronic information systems in every industry need a standard clock synchronization signal so that all terminals in a system can cooperate efficiently. In practice, time synchronization devices are widely used to provide a reference time to the terminals that consume it, so that time is unified across the whole system.
The Network Time Protocol (NTP) and its simplified version, the Simple Network Time Protocol (SNTP), have the outstanding advantages of simple implementation, low network overhead and high timing precision, and are widely used for time synchronization of networked computers and of embedded electronic systems such as video surveillance, intelligent gates, fault recording and broadcasting, and charging piles.
NTP devices synchronize time over the network in one of four operation modes: server/client mode, peer mode, broadcast mode, and multicast mode. In practice, server/client mode, which offers higher synchronization accuracy, is the most common. As shown in Fig. 1, the client first sends an NTP request packet to the server, containing the timestamp $T_1$ at which the packet leaves the client. When the server receives the packet, it fills in, in order, the timestamp $T_2$ at which the packet arrived and the timestamp $T_3$ at which the packet leaves the server, and then immediately returns the packet to the client. When the client receives the response packet, it records the timestamp $T_4$ of its arrival. From these four timestamps the client can calculate two key parameters: the round-trip delay $d$ of the NTP packets and the clock offset $\Delta t$ between client and server. The client uses this clock offset to adjust its local clock so that its time coincides with the server time. $\Delta t$ and $d$ depend only on the difference between $T_2$ and $T_1$ and the difference between $T_3$ and $T_4$; they are independent of the difference between $T_2$ and $T_3$, i.e. the final result does not depend on the time the server needs to process the request. The client can therefore calculate the time difference $\Delta t$ from $T_1$, $T_2$, $T_3$ and $T_4$ and adjust its local clock to achieve time synchronization.
Because NTP uses UDP as its transport-layer protocol, its unreliable, connectionless service is easily exploited by attackers, and network attacks against NTP have become more and more frequent in recent years. Attacks against NTP fall mainly into two classes. The first class exploits vulnerabilities in NTP itself to attack an NTP server or client, with the aim of paralyzing the attacked device. The second class targets the NTP time service: the client is made to obtain a wrong time, mainly through spoofing attacks. For the first class, the defense consists mainly of general computer security measures such as promptly patching system vulnerabilities. The second class is more covert than the first, and in an unattended embedded system its consequences may be more serious.
The essence of an NTP spoofing attack is tampering with one or more of the four timestamps $T_1$, $T_2$, $T_3$ and $T_4$ described above. A forwarding-type delay attack, for example, essentially increases the $T_4$ timestamp. $T_1$ is sent by the client, $T_2$ and $T_3$ are sent by the server, and $T_4$ is the time at which the reply message arrives at the client. Thus, when an attacker tampers with any timestamp other than $T_1$, the client cannot discover it. This is also why NTP clients are vulnerable.
The difficulty of detecting NTP spoofing is as follows. As long as the NTP client is synchronized, $T_2 - T_1$ and $T_4 - T_3$ approximately represent the transmission delays of the NTP request and response. $T_3 - T_2$ represents the NTP server's processing delay, which does not affect timing accuracy. In a normal network environment, $T_2 - T_1$ and $T_4 - T_3$ follow a normal distribution. When a spoofing attack occurs, their values change. But these delays themselves vary considerably across servers and network environments. For example, in actual measurements, when the server and the client are directly connected by a network cable, the maximum jitter of the propagation delay is less than 2 microseconds; within a local area network, the maximum jitter may exceed 1 millisecond; in wide area networks, the jitter reaches tens of milliseconds or even more. In addition, since the delay actually includes the timing accuracy of the server, large differences exist between different servers. Spoofed-signal detection therefore cannot be performed by setting a threshold.
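The four-timestamp arithmetic from the Background, as an added example rather than code from the patent: it applies the standard NTP on-wire formulas (RFC 5905) to constructed integer-microsecond timestamps to show that server processing time cancels out, while extra time on the response leg shifts the computed offset by half that amount and appears directly in $d_2 = |T_4 - T_3|$. The function names and sample values are assumptions.

```python
# Added illustration, not part of the patent. All times are integer microseconds.

def exchange(theta, fwd, proc, back, hold=0, t1=1_000_000):
    """Build (T1, T2, T3, T4) for one constructed client/server exchange.

    theta : true server-minus-client clock offset
    fwd   : one-way network delay of the request
    proc  : server processing time (T3 - T2)
    back  : one-way network delay of the response
    hold  : extra time the response spends in transit before reaching the client
    T1 and T4 are read on the client clock, T2 and T3 on the server clock.
    """
    t2 = t1 + fwd + theta
    t3 = t2 + proc
    t4 = t3 - theta + back + hold
    return t1, t2, t3, t4


def offset_and_delay(t1, t2, t3, t4):
    """Clock offset and round-trip delay as defined by RFC 5905."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def leg_delays(t1, t2, t3, t4):
    """The per-leg quantities the page uses as features: d1 and d2."""
    return abs(t2 - t1), abs(t4 - t3)


if __name__ == "__main__":
    # Client clock is 50 ms behind the server, symmetric 2 ms paths.
    fast = exchange(theta=50_000, fwd=2_000, proc=100, back=2_000)
    slow = exchange(theta=50_000, fwd=2_000, proc=30_000, back=2_000)
    held = exchange(theta=50_000, fwd=2_000, proc=100, back=2_000, hold=40_000)
    print("fast server :", offset_and_delay(*fast))
    print("slow server :", offset_and_delay(*slow))   # same result: proc cancels
    print("held reply  :", offset_and_delay(*held))   # offset is off by hold / 2

    # For a client that is already synchronized (theta = 0), d1 and d2 are the
    # leg delays themselves, so a held response stands out in d2 only.
    print("d1, d2 clean:", leg_delays(*exchange(0, 2_000, 100, 2_000)))
    print("d1, d2 held :", leg_delays(*exchange(0, 2_000, 100, 2_000, hold=40_000)))
```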
In the field of time-service spoofing detection, most existing methods use statistical methods to model spoofing with known characteristics and decide whether a signal is spoofed by setting a threshold. That is, current methods detect only preset spoofing signals, which is a great limitation. In practical applications, the client receives normal information most of the time, attacks are often sporadic, and the attack pattern and the spoofed time deviation are unknown, so they cannot be modeled and a preset threshold is meaningless.
Disclosure of Invention
Purpose of the invention: to address the shortcomings of the prior art, the invention provides an intelligent anti-spoofing method for an NTP client that uses an artificial-intelligence approach to detect spoofed signals, can effectively identify NTP spoofing signals, and implements effective countermeasures.
Technical solution: the intelligent anti-spoofing method for an NTP client comprises the following steps:
S1, data acquisition: with the network guaranteed to be free of spoofing, the client continuously sends NTP time-service requests to the server; after receiving the NTP response signals, the client collects multiple groups of NTP time signals as NTP normal signal samples, and obtains NTP abnormal signal samples by artificially adding some abnormal signals;
S2, feature extraction: extracting features from the NTP normal signal samples and the NTP abnormal signal samples respectively;
S3, modeling: establishing a hypersphere detection function with constraint conditions, and adjusting the parameter values in the hypersphere detection function so that the features extracted from the NTP normal signal samples and the NTP abnormal signal samples satisfy the constraint conditions, thereby obtaining the hypersphere detection model corresponding to the minimum value of the hypersphere detection function;
S4, anomaly detection: receiving the NTP time signal under test, extracting its features, and calculating the distance from the feature combination of the NTP time signal under test to the center of the hypersphere detection model; if the distance is greater than the radius of the hypersphere detection model, the NTP time signal under test is an NTP abnormal signal; if the distance is less than or equal to the radius of the hypersphere detection model, it is an NTP normal signal;
S5, spoofing countermeasure: for a server from which an NTP abnormal signal has been detected, the client does not update its own time and sends 10 consecutive NTP requests to that server at 1-second intervals; if NTP abnormal signals are received 3 times in a row, the server is judged to be a spoofing server, placed on the blacklist, and an alarm is raised; if fewer than 3, normal use continues.
In a further preferred technical solution of the invention, each group of NTP time signals in step S1 comprises four timestamps: the timestamp $T_1$ at which the client sends the NTP request, the timestamp $T_2$ at which the server receives the NTP request, the timestamp $T_3$ at which the server replies to the NTP request, and the timestamp $T_4$ at which the client receives the NTP reply.
Preferably, the features extracted from the NTP normal signal samples and the NTP abnormal signal samples in step S2 include: the NTP request frame propagation delay $d_1 = |T_2 - T_1|$, the NTP response frame propagation delay $d_2 = |T_4 - T_3|$, and the mean and variance of $d_1$ and $d_2$.
Preferably, the features extracted from the NTP normal signal samples and the NTP abnormal signal samples in step S2 include: the NTP request frame propagation delay $d_1$ and its standard deviation, the response frame propagation delay $d_2$ and its standard deviation, and the round-trip delay $d_3$ and its standard deviation.
Preferably, the hypersphere detection function in step S3 is:
$$\varepsilon_{struct}(R, a) = R^2$$
where $a$ is the center of the sphere and $R$ is the radius. The constraint conditions of the hypersphere detection function are: for any $i$ and $l$, $\|x_i - a\| \le R^2$ and $\|x_l - a\| \ge R^2$, with $R$ minimized; $x_i$ is the feature of an NTP normal signal sample and $x_l$ is the feature of an NTP abnormal signal sample.
Preferably, the hypersphere detection function in step S3 is:
where $a$ is the center of the sphere, $R$ is the radius, $\xi_i$ and $\xi_l$ are relaxation variables, and $C_1$ and $C_2$ are coefficients. The constraint conditions of the hypersphere detection function are: for any $i$ and $l$, $\xi_i \ge 0$ and $\xi_l \ge 0$, $\|x_i - a\| \le R^2 + \xi_i$ and $\|x_l - a\| \ge R^2 - \xi_l$, with $R$ minimized; $x_i$ is the feature of an NTP normal signal sample and $x_l$ is the feature of an NTP abnormal signal sample.
A system that uses the intelligent anti-spoofing method for an NTP client comprises a data transceiver unit, a feature extraction unit, a modeling unit, a detection unit and a spoofing countermeasure unit;
the data transceiver unit sends NTP requests to the NTP server, receives NTP response data from the NTP server, and obtains the 4 timestamps;
the feature extraction unit extracts the transmission features of the NTP normal signal samples, the NTP abnormal signal samples, and the NTP time signal under test supplied by the receiving unit;
the modeling unit provides a hypersphere detection function with constraint conditions and adjusts the parameter values in the hypersphere detection function so that the features of the NTP normal signal samples and NTP abnormal signal samples output by the feature extraction unit satisfy the constraint conditions, thereby obtaining the hypersphere detection model corresponding to the minimum value of the hypersphere detection function;
the detection unit feeds the features of the NTP time signal under test, output by the feature extraction unit, into the hypersphere detection model output by the modeling unit, and calculates the distance from those features to the center of the hypersphere detection model; if the distance is greater than the radius of the hypersphere detection model, the NTP time signal under test is an NTP abnormal signal; if the distance is less than or equal to the radius, it is an NTP normal signal;
the spoofing countermeasure unit: after an abnormal NTP signal is detected, the NTP client stops updating its time from the abnormal NTP server and sends 10 consecutive NTP requests to that server at 1-second intervals; if 3 abnormal response signals are received in a row, the server is judged to be a spoofing server, placed on the blacklist, and an alarm is raised; if fewer than 3, normal use continues.
Beneficial effects: (1) The method collects NTP normal signal samples, constructs a hypersphere detection model, and then uses the model to check the NTP time signal under test. Because many NTP servers produce outliers during NTP time service, an anomaly is examined further before deciding whether it is spoofing. If it is judged to be spoofing, the network node blocks that NTP server, thereby countering the NTP spoofing. The technical approach is convenient and effective; in practical tests, a recognition rate above 92% was obtained with a false alarm rate below 10%.
(2) The invention is applicable to ordinary NTP clients. The existing receiver does not need to be modified: spoofed signals can be detected simply by passing the timestamps obtained by the client to a module or computer running the algorithm, which improves the security of NTP time service.
Drawings
Fig. 1 is a schematic diagram of NTP timing in server/client mode, as described in the Background;
Fig. 2 is a flowchart of the detection model according to embodiment 2 of the present invention;
Fig. 3 is a flowchart of spoofing detection and countermeasure according to embodiment 2 of the present invention.
Detailed Description
The technical scheme of the present invention will be described in detail with reference to the accompanying drawings, but the scope of the present invention is not limited to the embodiments.
Example 1: an intelligent anti-deception system of an NTP client comprises a data receiving and transmitting unit, a feature extraction unit, a modeling unit, a detection unit and a deception countering unit;
a data transceiver unit for receiving NTP time signals from multiple beacon points at multiple target points, each group of NTP time signals including four time stamps, and respectively transmitting NTP request time stamps T for clients 1 The server receives the NTP request time stamp T 2 Server reply NTP request timestamp T 3 And the client receives the NTP reply time stamp T 4
The characteristic extraction unit is used for extracting NTP normal signal samples and NTP abnormal signal samples of the receiving unit and transmission characteristics of NTP time signals to be detected; the extracted features include: NTP application frame propagation delay d 1 =|T 2 -T 1 I, NTP response frame propagation delay d 2 =|T 4 -T 3 I and d 1 And d 2 Mean and variance of (a);
the modeling unit is used for providing a hypersphere detection function with constraint conditions, correcting parameter values in the hypersphere detection function, enabling waveform characteristics of the NTP normal signal sample and the NTP abnormal signal sample output by the characteristic extraction unit to meet the constraint conditions, and obtaining a hypersphere detection model corresponding to the hypersphere detection function with the minimum value;
the hypersphere detection function is:
ε struct (R,a)=R 2
wherein a is the sphere center, R is the radius, and the constraint condition of the hypersphere detection function is as follows: for any of i and l, ||x i -a||≤R 2 And x l -a||≥R 2 And minimize R, x i Is characteristic of NTP normal signal sample, x l Is a characteristic of NTP abnormal signal samples;
the detection unit is used for inputting the characteristics of the NTP time signal to be detected, which is output by the characteristic extraction unit, into the hypersphere detection model, which is output by the modeling unit, calculating the distance from the characteristics of the NTP time signal to the sphere center of the hypersphere detection model, wherein if the distance is larger than the radius of the hypersphere detection model, the NTP time signal to be detected is an NTP abnormal signal, and if the distance is smaller than or equal to the radius of the hypersphere detection model, the NTP time signal to be detected is an NTP normal signal.
And the spoofing countermeasure unit stops updating time by the abnormal NTP server when the abnormal NTP signal is detected. Continuously sending 10 NTP applications to the server at 1 second intervals, judging the server as deception if the server continuously receives 3 abnormal response signals, putting the server into a blacklist, and alarming. If the number of times is less than 3, the normal use is carried out.
The specific steps of detection are as follows:
S1, ensure there is no spoofing signal in the network, then power on and warm up the NTP client;
S2, wait for the NTP client to synchronize with the NTP server;
S3, initialize the count value Cnt and the time differences $d_1$ and $d_2$;
S4, the NTP client sends an NTP synchronization request to the NTP server; after the client receives the server response, the count value is increased by 1;
S5, calculate $d_1 = |T_2 - T_1|$ and $d_2 = |T_4 - T_3|$;
S6, update the mean values of $d_1$ and $d_2$;
S7, calculate the variances of $d_1$ and $d_2$;
S8, if Cnt is less than 200, go to S4; otherwise proceed to S9 to train the detection model;
S9, label the $d_1$, $d_2$ data as positive samples; any value found during labeling to exceed the acceptable error threshold is labeled as a negative sample;
S10, take values between the tolerable timing error and twice the tolerable timing error as negative samples: randomly add 10 negative samples and label them as such. For example, if the acceptable error is 10 ms, 10 numbers are randomly generated between 10 and 20 to serve as negative samples;
S11, using the labeled data, train the detection model with the constrained hypersphere detection function to obtain the hypersphere detection model corresponding to the minimum value of the hypersphere detection function, completing the training of the detection model;
S12, input the data to be monitored into the trained hypersphere detection model; an output of 1 indicates normal data and an output of 0 indicates abnormal data;
S13, if the detection result is normal, adjust the local clock of the NTP client and reset the anomaly counter; if the data is abnormal, do not modify the local clock of the NTP client and increase the anomaly count by 1; when the anomaly counter is less than or equal to 3, go to S14; when the anomaly count is greater than 3, raise a data alarm and go to S15;
S14, increase the request frequency to once per second or the highest operable frequency, and go to S12 to continue checking the next data;
S15, the current NTP server is a spoofing source; stop synchronizing time with it. Start synchronizing with the standby NTP server, and switch to a time-keeping state if no standby NTP server is available.
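The training, detection and countermeasure loop of steps S4 to S15 with the hard constraints of Example 1, as an added example that is not the patent's own code. Assumptions: each feature vector is only ($d_1$, $d_2$) in milliseconds, the timestamps are constructed, the negative samples of S10 stretch only the response leg, and the sphere is fitted with a Badoiu-Clarkson enclosing-ball iteration because the page does not name an optimiser; all function names are hypothetical.

```python
import math
import random


def features(t1, t2, t3, t4):
    """S5: d1 = |T2 - T1| (request leg), d2 = |T4 - T3| (response leg), in ms."""
    return (abs(t2 - t1), abs(t4 - t3))


def fit_hypersphere(normal, abnormal, iters=500):
    """S11, hard-constraint form: a small ball that contains every normal
    feature vector and leaves every abnormal one outside.

    The centre comes from the Badoiu-Clarkson iteration (step toward the
    farthest normal point with a shrinking step size). This is a substitute
    technique chosen for the example. Returns ((centre, radius), separable).
    """
    c = list(normal[0])
    for k in range(1, iters + 1):
        far = max(normal, key=lambda p: math.dist(p, c))
        c = [ci + (fi - ci) / (k + 1) for ci, fi in zip(c, far)]
    radius = max(math.dist(p, c) for p in normal)
    separable = all(math.dist(p, c) > radius for p in abnormal)
    return (tuple(c), radius), separable


def classify(model, x):
    """S12: 1 = normal (inside or on the sphere), 0 = abnormal."""
    centre, radius = model
    return 1 if math.dist(x, centre) <= radius else 0


def make_exchange(d1, d2, proc=0.1, t1=0.0):
    """Constructed (T1..T4) for a synchronized client with leg delays d1, d2."""
    t2 = t1 + d1
    t3 = t2 + proc
    return (t1, t2, t3, t3 + d2)


def build_demo(seed=7, tolerable_ms=10.0):
    """S4-S11 on constructed data: 200 clean exchanges, 10 negative samples."""
    rng = random.Random(seed)

    def leg():  # about 2 ms per leg with jitter, clipped to 3 sigma
        return min(max(rng.gauss(2.0, 0.2), 1.4), 2.6)

    train = [make_exchange(leg(), leg()) for _ in range(200)]       # S4-S8
    normal = [features(*ts) for ts in train]                        # S9
    abnormal = [(leg(), rng.uniform(tolerable_ms, 2 * tolerable_ms))
                for _ in range(10)]                                 # S10
    model, separable = fit_hypersphere(normal, abnormal)            # S11
    return train, model, separable


def countermeasure(model, exchanges, has_standby=True, limit=3):
    """S13-S15: returns (action, number of clock updates applied)."""
    anomalies = 0
    clock_updates = 0
    for ts in exchanges:
        if classify(model, features(*ts)) == 1:
            clock_updates += 1      # S13: accept the sample, reset the counter
            anomalies = 0
        else:
            anomalies += 1          # S13: leave the local clock untouched
            if anomalies > limit:   # S15: alarm, drop this server
                return ("switch_to_standby" if has_standby else "holdover",
                        clock_updates)
            # S14: the caller would now poll at up to once per second
    return "keep_server", clock_updates


if __name__ == "__main__":
    train, model, separable = build_demo()
    late = make_exchange(2.0, 17.0)   # constructed: response leg 15 ms longer
    print("radius (ms):", round(model[1], 3), "separable:", separable)
    print("late reply ->", classify(model, features(*late)))
    print(countermeasure(model, [train[0]] + [late] * 4))
```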
Example 2: an intelligent anti-deception system of an NTP client comprises a data receiving and transmitting unit, a feature extraction unit, a modeling unit, a detection unit and a deception countering unit;
a data transceiver unit for receiving NTP time signals from multiple beacon points at multiple target points, each group of NTP time signals including four time stamps, and respectively transmitting NTP request time stamps T for clients 1 The server receives the NTP request time stamp T 2 Server reply NTP request timestamp T 3 And the client receives the NTP reply time stamp T 4
The characteristic extraction unit is used for extracting NTP normal signal samples and NTP abnormal signal samples of the receiving unit and transmission characteristics of NTP time signals to be detected; the extracted features include: NTP application frame propagation delay d 1 And standard deviation and response frame propagation delay d 2 And standard deviation thereof;
the modeling unit is used for providing a hypersphere detection function with constraint conditions, correcting parameter values in the hypersphere detection function, enabling waveform characteristics of the NTP normal signal sample and the NTP abnormal signal sample output by the characteristic extraction unit to meet the constraint conditions, and obtaining a hypersphere detection model corresponding to the hypersphere detection function with the minimum value;
the hypersphere detection function is:
where $a$ is the center of the sphere, $R$ is the radius, $\xi_i$ and $\xi_l$ are relaxation variables, and $C_1$ and $C_2$ are coefficients, with $C_1 = 0.01$, $C_2 = 1$ or $C_1 = 0.01$, $C_2 = 2$. The constraint conditions of the hypersphere detection function are: for any $i$ and $l$, $\xi_i \ge 0$ and $\xi_l \ge 0$, $\|x_i - a\| \le R^2 + \xi_i$ and $\|x_l - a\| \ge R^2 - \xi_l$, with $R$ minimized; $x_i$ is the feature of an NTP normal signal sample and $x_l$ is the feature of an NTP abnormal signal sample;
the anomaly detection unit feeds the features of the NTP time signal under test, output by the feature extraction unit, into the hypersphere detection model output by the modeling unit, and calculates the distance from those features to the center of the hypersphere detection model; if the distance is greater than the radius of the hypersphere detection model, the NTP time signal under test is an NTP spoofing signal; if the distance is less than or equal to the radius, it is an NTP normal signal;
the spoofing countermeasure unit: when an abnormal NTP signal is detected, it stops updating the time from the abnormal NTP server and sends 10 consecutive NTP requests to that server at 1-second intervals; if 3 abnormal response signals are received in a row, the server is judged to be spoofing, placed on the blacklist, and an alarm is raised. If fewer than 3, normal use continues.
As shown in Fig. 2 and Fig. 3, the specific steps of detection are as follows:
S1, ensure there is no spoofing signal in the network, then power on and warm up the NTP client;
S2, wait for the NTP client to synchronize with the NTP server;
S3, initialize the count value Cnt and the time differences $d_1$ and $d_2$;
S4, the NTP client sends an NTP synchronization request to the NTP server; after the client receives the server response, the count value is increased by 1;
S5, calculate $d_1 = |T_2 - T_1|$ and $d_2 = |T_4 - T_3|$;
S6, update the mean values of $d_1$ and $d_2$;
S7, calculate the standard deviations of $d_1$ and $d_2$;
S8, if Cnt is less than 200, go to S4; otherwise proceed to S9 to train the detection model;
S9, label the $d_1$, $d_2$ data as positive samples; any value found during labeling to exceed the acceptable error threshold is labeled as a negative sample;
S10, take values from the tolerable timing error to twice the tolerable timing error as negative samples: randomly add 10 negative samples and label them as such. For example, if the acceptable error is 10 ms, 10 numbers are randomly generated between 10 and 20 to serve as negative samples;
S11, using the labeled data, train the detection model with the constrained hypersphere detection function, adjusting the coefficients $C_1$ and $C_2$ and iterating repeatedly until an $a$ and $R$ that meet the requirements are obtained; this yields the hypersphere detection model corresponding to the minimum value of the hypersphere detection function and completes the training of the detection model;
S12, input the data to be monitored into the trained hypersphere detection model; an output of 1 indicates normal data and an output of 0 indicates abnormal data;
S13, if the detection result is normal, adjust the local clock of the NTP client and reset the anomaly counter; if the data is abnormal, do not modify the local clock of the NTP client and increase the anomaly count by 1; when the anomaly counter is less than or equal to 3, go to S14; when the anomaly count is greater than 3, raise a data alarm and go to S15;
S14, increase the request frequency to once per second, and go to S12 to continue checking the next data;
S15, the current NTP server is a spoofing source; stop synchronizing time with it. Start synchronizing with the standby NTP server, and switch to a time-keeping state if no standby NTP server is available.
As described above, although the present invention has been shown and described with reference to certain preferred embodiments, it is not to be construed as limiting the invention itself. Various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (7)

1. An intelligent anti-deception method for an NTP client is characterized by comprising the following steps:
s1, data acquisition: under the condition of ensuring no fraud in a network, a client continuously sends an NTP time service application to a server, after receiving an NTP response signal, the client acquires a plurality of groups of NTP time signals as NTP normal signal samples, refers to the normal signals, and then manually adds some abnormal signals to acquire NTP abnormal signal samples;
s2, feature extraction: respectively extracting characteristics of an NTP normal signal sample and an NTP abnormal signal sample;
s3, modeling: establishing a hypersphere detection function with constraint conditions, and correcting parameter values in the hypersphere detection function so that characteristics extracted by NTP normal signal samples and NTP abnormal signal samples can meet the constraint conditions, and obtaining a hypersphere detection model corresponding to the hypersphere detection function with the minimum value;
s4, abnormality detection: receiving an NTP time signal to be detected, extracting characteristics of the NTP time signal to be detected, calculating the distance from the characteristic combination of the NTP time signal to be detected to the sphere center of the hypersphere detection model, if the distance is larger than the radius of the hypersphere detection model, the NTP time signal to be detected is an NTP abnormal signal, and if the distance is smaller than or equal to the radius of the hypersphere detection model, the NTP time signal to be detected is an NTP normal signal;
s5, fraud countermeasure: for the server which detects the NTP abnormal signal, the client does not update the self time, continuously sends 10 NTP applications to the server at 1 second intervals, judges the server as a deception server if the NTP abnormal signal is continuously received for 3 times, brings the server into a blacklist and gives an alarm; if the number of times is less than 3, the normal use is carried out.
2. The intelligent anti-spoofing method of claim 1 wherein each set of NTP time signals in step S1 includes four time stamps: the time stamp $T_1$ at which the client sends the NTP request, the time stamp $T_2$ at which the server receives the NTP request, the time stamp $T_3$ at which the server replies to the NTP request, and the time stamp $T_4$ at which the client receives the NTP reply.
3. The intelligent anti-spoofing method of an NTP client of claim 2 wherein the features extracted from the NTP normal signal samples and NTP abnormal signal samples in step S2 comprise: the NTP application frame propagation delay $d_1 = |T_2 - T_1|$, the NTP response frame propagation delay $d_2 = |T_4 - T_3|$, and the mean and variance of $d_1$ and $d_2$.
4. The NTP client intelligent anti-spoofing method of claim 2 wherein the features extracted from the NTP normal signal samples and NTP abnormal signal samples in step S2 comprise: the NTP application frame propagation delay $d_1$ and its standard deviation, the response frame propagation delay $d_2$ and its standard deviation, and the round trip delay $d_3$ and its standard deviation.
5. The intelligent anti-spoofing method of NTP client of claim 3 or 4 wherein the hypersphere detection function in step S3 is:
$$\varepsilon_{struct}(R, a) = R^2$$
wherein $a$ is the sphere center and $R$ is the radius, and the constraint condition of the hypersphere detection function is: for any $i$ and $l$, $\|x_i - a\| \le R^2$ and $\|x_l - a\| \ge R^2$, with $R$ minimized; $x_i$ is a feature of the NTP normal signal samples and $x_l$ is a feature of the NTP abnormal signal samples.
6. The intelligent anti-spoofing method of NTP client of claim 3 or 4 wherein the hypersphere detection function in step S3 is:
wherein $a$ is the sphere center, $R$ is the radius, $\xi_i$ and $\xi_l$ are relaxation variables, $C_1$ and $C_2$ are coefficients, and the constraint condition of the hypersphere detection function is: for any $i$ and $l$, $\xi_i \ge 0$ and $\xi_l \ge 0$, $\|x_i - a\| \le R^2 + \xi_i$ and $\|x_l - a\| \ge R^2 - \xi_l$, with $R$ minimized; $x_i$ is a feature of the NTP normal signal samples and $x_l$ is a feature of the NTP abnormal signal samples.
7. A system for utilizing the intelligent anti-spoofing method of the NTP client of claim 1, comprising a data transceiver unit, a feature extraction unit, a modeling unit, a detection unit, and a spoofing countering unit;
the data transceiver unit is used for sending an NTP application to the NTP server, receiving NTP response data from the NTP server and acquiring the 4 time stamps;
the feature extraction unit is used for extracting the transmission features of the NTP normal signal samples, the NTP abnormal signal samples and the NTP time signals to be detected received by the data transceiver unit;
the modeling unit is used for providing a hypersphere detection function with constraint conditions and correcting the parameter values in the hypersphere detection function so that the features of the NTP normal signal samples and the NTP abnormal signal samples output by the feature extraction unit satisfy the constraint conditions, thereby obtaining the hypersphere detection model corresponding to the minimum value of the hypersphere detection function;
the detection unit is used for inputting the features of the NTP time signal to be detected, output by the feature extraction unit, into the hypersphere detection model output by the modeling unit, and calculating the distance from those features to the sphere center of the hypersphere detection model; if the distance is larger than the radius of the hypersphere detection model, the NTP time signal to be detected is an NTP abnormal signal; if the distance is smaller than or equal to the radius of the hypersphere detection model, the NTP time signal to be detected is an NTP normal signal;
the fraud countermeasure unit: after an abnormal NTP signal is detected, the NTP client stops updating its time from the abnormal NTP server and continuously sends 10 NTP applications to the server at 1-second intervals; if 3 abnormal response signals are received in succession, it judges the server to be a deception server, adds it to a blacklist and raises an alarm; if the number of times is less than 3, the server continues in normal use.
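The following Python sketch walks steps S2, S4 and S5 of claim 1 with the claim 3 features. It is an added example, not code from the patent: the function names, the centroid-and-maximum-distance fit (a simplified stand-in for the constrained minimization of S3) and the millisecond timestamps are all assumptions constructed for illustration.

```python
import math
from statistics import mean, pvariance

def features(exchanges):
    """Claim-3 features from a window of (T1, T2, T3, T4) tuples, in ms."""
    d1 = [abs(t2 - t1) for t1, t2, _, _ in exchanges]  # request-frame delay
    d2 = [abs(t4 - t3) for _, _, t3, t4 in exchanges]  # response-frame delay
    return (d1[-1], d2[-1], mean(d1), mean(d2), pvariance(d1), pvariance(d2))

def fit_hypersphere(normal, abnormal):
    """Simplified stand-in for S3 (assumption): centroid of the normal
    features as center, largest normal distance as radius, then verify
    that every abnormal sample falls outside the sphere."""
    a = tuple(mean(col) for col in zip(*normal))
    r = max(math.dist(x, a) for x in normal)
    if any(math.dist(x, a) <= r for x in abnormal):
        raise ValueError("an abnormal sample lies inside the sphere")
    return a, r

def is_abnormal(x, a, r):
    """S4: abnormal when the distance to the center exceeds the radius."""
    return math.dist(x, a) > r

def judge_server(verdicts, needed=3):
    """S5: verdicts are the is_abnormal() results of the 10 follow-up
    probes; 3 abnormal responses in a row mark the server as deceptive."""
    run = 0
    for abnormal in verdicts:
        run = run + 1 if abnormal else 0
        if run >= needed:
            return "blacklist"
    return "normal"

def window(d1s, d2s, proc=0.1):
    """Constructed data: one exchange per second from one-way delays (ms)."""
    out = []
    for i, (u, v) in enumerate(zip(d1s, d2s)):
        t1 = 1000.0 * i
        out.append((t1, t1 + u, t1 + u + proc, t1 + u + proc + v))
    return out

NORMAL = [features(window(*w)) for w in (
    ([10, 11, 9, 10], [10, 9, 11, 10]),
    ([12, 11, 12, 13], [11, 12, 12, 11]),
    ([9, 10, 10, 9], [10, 10, 9, 9]))]
ABNORMAL = [features(window(*w)) for w in (
    ([10, 11, 10, 60], [10, 10, 11, 10]),   # delayed request frame
    ([10, 10, 11, 10], [10, 11, 10, 75]))]  # delayed response frame
A, R = fit_hypersphere(NORMAL, ABNORMAL)
```

Because $T_1$ and $T_4$ are read from the client clock while $T_2$ and $T_3$ are read from the server clock, $d_1$ and $d_2$ also absorb any clock offset between the two, so the training windows must come from a client that is already synchronized.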
CN202210600698.5A 2022-05-30 2022-05-30 Intelligent anti-deception method and system for NTP client Active CN115022010B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210600698.5A CN115022010B (en) 2022-05-30 2022-05-30 Intelligent anti-deception method and system for NTP client

Publications (2)

Publication Number Publication Date
CN115022010A CN115022010A (en) 2022-09-06
CN115022010B true CN115022010B (en) 2023-12-15

Family

ID=83071127

Country Status (1)

Country Link
CN (1) CN115022010B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105487049A (en) * 2014-09-16 2016-04-13 中国人民解放军理工大学 Method and system for detecting and identifying indirect ultra-wideband signal
CN111158024A (en) * 2019-12-31 2020-05-15 中国南方电网有限责任公司超高压输电公司 Anti-cheating method and device for time service terminal
CN111597873A (en) * 2020-03-27 2020-08-28 中国人民解放军海军工程大学 Support vector data description-based ultrashort wave threat signal sensing method
CN114510958A (en) * 2021-12-20 2022-05-17 哈尔滨理工大学 Time series anomaly detection method based on transformation classification

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2007253824A1 (en) * 2006-05-19 2007-11-29 Symmetricom, Inc. Network time protocol precision timestamping service

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
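Spoofing detection method based on analysis of the statistical characteristics of the carrier tracking loop; 刘丁浩; 吕晶; 索龙龙; 胡相誉; Journal of Computer Applications (计算机应用); Vol. 37 (No. 9); 2507-2511 *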

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant