CN115022069B - IP fragment message recombination method and device for network attack detection

Info

Publication number: CN115022069B
Application number: CN202210698565.6A
Authority: CN (China)
Prior art keywords: current, message, target, fragment, fragmentation
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN115022069A
Inventor: 陈志华
Current Assignee: Wuhan Sipuling Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Wuhan Sipuling Technology Co Ltd
Application filed by Wuhan Sipuling Technology Co Ltd; priority to CN202210698565.6A; publication of CN115022069A; application granted; publication of CN115022069B.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L49/00: Packet switching elements
    • H04L49/90: Buffering arrangements
    • H04L49/9057: Arrangements for supporting packet reassembly or resequencing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and apparatus for reassembling IP (Internet Protocol) fragment messages for network attack detection. The method comprises: acquiring the identifier of the current IP fragment message and judging, according to the identifier, whether a reassembly policy has already been specified for it; if not, acquiring the destination IP address of the current IP fragment message; acquiring a target system type according to the destination IP address; acquiring a target reassembly policy according to the target system type; inserting the current IP fragment message into a preset reassembly table according to its five-tuple information; and reassembling, according to the target reassembly policy, all IP fragment messages in the preset reassembly table that correspond to the identifier, to obtain a reassembled message, which is sent to the security analysis equipment. The method automatically selects the reassembly policy matching the operating system of the network asset at the destination IP address, improves the accuracy of IP message reassembly, and improves the detection rate of the security analysis equipment for attack messages.

Description

IP fragment message recombination method and device for network attack detection
Technical Field
The application relates to the technical field of computer network security, in particular to an IP fragment message reorganizing method and device for network attack detection.
Background
In the field of computer network security, received IP packets must be analysed by security analysis equipment to protect user assets from network attacks. Because the Maximum Transmission Unit (MTU) differs between the devices along a transmission path, IP packets are fragmented according to the MTU on their way to the destination. Before it performs security analysis, the security analysis equipment therefore reassembles the received IP fragment messages and analyses the reassembled message.
However, current security analysis equipment generally implements only one IP message reassembly policy, while different assets run different operating systems, and different operating systems use different IP fragment reassembly policies. A network attacker exploits this by adopting IP fragmentation strategies that rely on the difference, so that the message reassembled by the security analysis equipment does not contain the attack payload and the user asset is attacked without detection.
In summary, the IP message reassembly method currently used by security analysis equipment cannot reassemble attack messages accurately, which results in a low detection rate for attack messages.
Disclosure of Invention
To solve the problem that the existing IP message reassembly method used by security analysis equipment cannot accurately reassemble attack messages, which leaves the equipment with a low attack message detection rate, the application provides an IP fragment message reassembly method and apparatus for network attack detection.
The first aspect of the present application provides a method for reorganizing an IP fragment packet for network attack detection, including:
acquiring an identifier of the current IP fragment message, wherein the identifier indicates the current session to which the current IP fragment message belongs and the corresponding current direction;
judging, according to the identifier, whether a reassembly policy has already been specified for the current IP fragment message;
if no reassembly policy has been specified for the current IP fragment message, acquiring the destination IP address from the current IP fragment message;
acquiring a target system type according to the destination IP address, wherein the target system type is the operating system type of the asset corresponding to the destination IP address;
acquiring a target reassembly policy according to the target system type;
inserting the current IP fragment message into a preset reassembly table according to the five-tuple information of the current IP fragment message;
reassembling, according to the target reassembly policy, all IP fragment messages in the preset reassembly table that correspond to the identifier, to obtain a reassembled message; and
sending the reassembled message to the security analysis equipment.
Optionally, before the step of inserting the current IP fragment message into the preset reassembly table according to its five-tuple information, the IP fragment message reassembly method further includes:
acquiring a target protection level according to the destination IP address, wherein the target protection level is the protection level of the asset corresponding to the destination IP address;
acquiring a target sampling frequency according to the target protection level;
determining a target sampling time period according to the target sampling frequency;
judging whether the current time is within the target sampling time period;
if the current time is within the target sampling time period, continuing with the step of inserting the current IP fragment message into the preset reassembly table according to its five-tuple information;
if the current time is not within the target sampling time period, sending the current IP fragment message to the security analysis equipment and stopping the IP fragment message reassembly method for the current IP fragment message.
Optionally, before the step of inserting the current IP fragment message into the preset reassembly table according to its five-tuple information, the IP fragment message reassembly method further includes:
judging whether the type of the current session is a TCP session;
if the current session is a TCP session, judging whether a TCP connection state has been established within a first number of first messages preceding the current IP fragment message, wherein the first messages belong to the same session as the current IP fragment message;
if the TCP connection state has been established within the first number of first messages preceding the current IP fragment message, judging whether an application connection state has been established within a second number of first messages preceding the current IP fragment message;
if the application connection state has been established within the second number of first messages preceding the current IP fragment message, continuing with the step of inserting the current IP fragment message into the preset reassembly table according to its five-tuple information;
if the current session is not a TCP session, proceeding directly to the step of judging whether the application connection state has been established within the second number of first messages preceding the current IP fragment message;
if the TCP connection state has not been established within the first number of first messages preceding the current IP fragment message, sending the current IP fragment message to the security analysis equipment and stopping the IP fragment message reassembly method for the current IP fragment message;
if the application connection state has not been established within the second number of first messages preceding the current IP fragment message, sending the current IP fragment message to the security analysis equipment and stopping the IP fragment message reassembly method for the current IP fragment message.
Optionally, the preset reassembly table includes a hash table, hash bucket linked lists and red-black tree data structure tables;
the hash table comprises at least one hash bucket, and each hash bucket corresponds to one hash bucket linked list;
each hash bucket linked list comprises at least one linked list entry, and each linked list entry corresponds to one red-black tree data structure table;
inserting the current IP fragment message into the preset reassembly table according to its five-tuple information comprises the following steps:
computing a hash key value for the current IP fragment message from its five-tuple information;
acquiring the target hash bucket linked list according to the hash key value;
traversing all entries of the target hash bucket linked list and locating the target entry according to the five-tuple information of the current IP fragment message; and
inserting the current IP fragment message into the red-black tree data structure table corresponding to the target entry.
Optionally, in the step of reassembling, according to the target reassembly policy, all IP fragment messages in the preset reassembly table that correspond to the identifier to obtain a reassembled message:
if no reassembled message is obtained yet, the next IP fragment message is acquired.
Optionally, before the step of sending the reassembled message to the security analysis equipment, the IP fragment message reassembly method further includes:
acquiring, for any two IP fragment messages among all the IP fragment messages corresponding to the identifier, the overlapping part of their offset ranges;
judging whether the contents of the two IP fragment messages in the overlapping part are the same;
if the contents of any two IP fragment messages in their overlapping part differ, setting the target sampling frequency to 100%.
The second aspect of the present application provides an IP fragment message reassembly apparatus for network attack detection, which executes the IP fragment message reassembly method for network attack detection according to the first aspect, and which includes:
an identifier acquisition unit configured to acquire an identifier of the current IP fragment message, wherein the identifier indicates the current session to which the current IP fragment message belongs and the corresponding current direction;
a reassembly policy acquisition unit configured to:
judge, according to the identifier, whether a reassembly policy has already been specified for the current IP fragment message;
if no reassembly policy has been specified for the current IP fragment message, acquire the destination IP address from the current IP fragment message;
acquire a target system type according to the destination IP address, wherein the target system type is the operating system type of the asset corresponding to the destination IP address;
acquire a target reassembly policy according to the target system type;
a message storage unit configured to store the current IP fragment message according to the structure of the preset reassembly table;
a reassembly execution unit configured to: insert the current IP fragment message into the preset reassembly table in the message storage unit according to the five-tuple information of the current IP fragment message;
reassemble, according to the target reassembly policy, all IP fragment messages in the preset reassembly table that correspond to the identifier, to obtain a reassembled message; and
send the reassembled message to the security analysis equipment.
Optionally, the apparatus further comprises a sampling policy acquisition unit configured to: acquire a target protection level according to the destination IP address, wherein the target protection level is the protection level of the asset corresponding to the destination IP address;
acquire a target sampling frequency according to the target protection level;
determine a target sampling time period according to the target sampling frequency;
judge whether the current time is within the target sampling time period;
if the current time is within the target sampling time period, continue with the step of inserting the current IP fragment message into the preset reassembly table according to its five-tuple information;
if the current time is not within the target sampling time period, send the current IP fragment message to the security analysis equipment and stop the IP fragment message reassembly method for the current IP fragment message.
Optionally, the apparatus further comprises a connection state confirmation unit configured to:
judge whether the type of the current session is a TCP session;
if the current session is a TCP session, judge whether a TCP connection state has been established within a first number of first messages preceding the current IP fragment message, wherein the first messages belong to the same session as the current IP fragment message;
if the TCP connection state has been established within the first number of first messages preceding the current IP fragment message, judge whether an application connection state has been established within a second number of first messages preceding the current IP fragment message;
if the application connection state has been established within the second number of first messages preceding the current IP fragment message, continue with the step of inserting the current IP fragment message into the preset reassembly table according to its five-tuple information;
if the current session is not a TCP session, proceed directly to the step of judging whether the application connection state has been established within the second number of first messages preceding the current IP fragment message;
if the TCP connection state has not been established within the first number of first messages preceding the current IP fragment message, send the current IP fragment message to the security analysis equipment and stop the IP fragment message reassembly method for the current IP fragment message;
if the application connection state has not been established within the second number of first messages preceding the current IP fragment message, send the current IP fragment message to the security analysis equipment and stop the IP fragment message reassembly method for the current IP fragment message.
Optionally, the preset reassembly table in the message storage unit includes a hash table, hash bucket linked lists and red-black tree data structure tables; wherein
the hash table comprises at least one hash bucket, and each hash bucket corresponds to one hash bucket linked list;
each hash bucket linked list comprises at least one linked list entry, and each linked list entry corresponds to one red-black tree data structure table;
the reassembly execution unit is further configured, when inserting the current IP fragment message into the preset reassembly table according to its five-tuple information, to:
compute a hash key value for the current IP fragment message from its five-tuple information;
acquire the target hash bucket linked list according to the hash key value;
traverse all entries of the target hash bucket linked list and locate the target entry according to the five-tuple information of the current IP fragment message; and
insert the current IP fragment message into the red-black tree data structure table corresponding to the target entry.
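The preset reassembly table described for the method (hash table, hash bucket linked list, per-five-tuple fragment set) and repeated above for the apparatus, as an added example that is not the patent's own code. It uses a Python list kept sorted by offset in place of the red-black tree (an assumption made for brevity), a fixed 32-bit FNV-1a hash over the five-tuple so that bucket placement does not change between runs, and constructed five-tuples and payloads; offsets are plain byte offsets rather than the 8-byte units of a real IPv4 header.

```python
import bisect
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (src_ip, dst_ip, protocol, src_port, dst_port): the five-tuple the table is keyed on.
FiveTuple = Tuple[str, str, int, int, int]


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset of the payload within the datagram (constructed units)
    payload: bytes


@dataclass
class ChainEntry:
    """One entry of a hash bucket linked list: a five-tuple plus its fragments.

    The patent keeps the fragments of an entry in a red-black tree; a list kept
    sorted by offset with bisect stands in for it here (assumption of this example)."""
    key: FiveTuple
    offsets: List[int] = field(default_factory=list)
    fragments: List[Fragment] = field(default_factory=list)

    def insert(self, frag: Fragment) -> None:
        # bisect_right keeps arrival order among fragments with equal offsets
        i = bisect.bisect_right(self.offsets, frag.offset)
        self.offsets.insert(i, frag.offset)
        self.fragments.insert(i, frag)


class ReassemblyTable:
    """Hash table -> hash bucket linked list -> sorted fragment set per five-tuple."""

    def __init__(self, bucket_count: int = 1024) -> None:
        self.buckets: List[List[ChainEntry]] = [[] for _ in range(bucket_count)]

    @staticmethod
    def hash_key(key: FiveTuple) -> int:
        # 32-bit FNV-1a over the five-tuple fields. Python's built-in hash() of str is
        # randomised per process, so a fixed hash keeps bucket placement reproducible.
        h = 0x811C9DC5
        for part in key:
            for b in str(part).encode():
                h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
            h = ((h ^ 0x2C) * 0x01000193) & 0xFFFFFFFF   # field separator
        return h

    def _chain(self, key: FiveTuple) -> List[ChainEntry]:
        """The hash bucket linked list selected by the hash key value."""
        return self.buckets[self.hash_key(key) % len(self.buckets)]

    def find(self, key: FiveTuple) -> Optional[ChainEntry]:
        """Traverse the bucket's linked list and return the entry for this five-tuple."""
        for entry in self._chain(key):
            if entry.key == key:
                return entry
        return None

    def insert(self, key: FiveTuple, frag: Fragment) -> ChainEntry:
        """Insert a fragment, creating the linked list entry on first sight of the key."""
        entry = self.find(key)
        if entry is None:
            entry = ChainEntry(key)
            self._chain(key).append(entry)
        entry.insert(frag)
        return entry

    def remove(self, key: FiveTuple) -> bool:
        """Drop an entry once its datagram has been reassembled (or timed out)."""
        chain = self._chain(key)
        for i, entry in enumerate(chain):
            if entry.key == key:
                del chain[i]
                return True
        return False

    def chain_length(self, key: FiveTuple) -> int:
        return len(self._chain(key))


if __name__ == "__main__":
    table = ReassemblyTable(bucket_count=1)   # a single bucket forces chain collisions
    flow = ("192.0.2.1", "192.0.2.10", 17, 40000, 53)
    for frag in (Fragment(150, b"B" * 100), Fragment(0, b"H" * 100), Fragment(100, b"A" * 100)):
        table.insert(flow, frag)
    print([f.offset for f in table.find(flow).fragments])   # sorted by offset
```

Keeping the chain entry keyed on the full five-tuple (rather than only the hash) is what lets two flows that collide in one bucket keep separate fragment sets, which the test below checks with a one-bucket table.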
Drawings
Fig. 1 is a schematic workflow diagram of an IP fragment message reassembly method for network attack detection according to an embodiment of the present application;
Fig. 2 is an example of different IP fragment message reassembly policies;
Fig. 3 is a schematic workflow diagram of an IP fragment message reassembly method for network attack detection according to an embodiment of the present application, in one implementation;
Fig. 4 is a schematic workflow diagram of an IP fragment message reassembly method for network attack detection according to an embodiment of the present application, in one implementation;
Fig. 5 is a schematic structural diagram of the preset reassembly table in an IP fragment message reassembly method for network attack detection according to an embodiment of the present application.
Detailed Description
To solve the problem that the existing IP message reassembly method used by security analysis equipment cannot accurately reassemble attack messages, which leaves the equipment with a low attack message detection rate, the application provides the following embodiments of an IP fragment message reassembly method and apparatus for network attack detection.
The first embodiment of the application provides an IP fragment message reassembly method for network attack detection, applied in an IP fragment message reassembly apparatus for network attack detection. The apparatus may be a module inside the security analysis equipment that decides whether the current fragment message needs to be reassembled and passes the reassembled message to a subsequent analysis module of the security analysis equipment. It may also be an independent module outside the security analysis equipment that examines and reassembles all IP messages and then outputs either the unreassembled message or the reassembled message to the security analysis equipment for analysis.
Referring to fig. 1, a method for reorganizing IP fragmentation messages for network attack detection according to a first embodiment of the present application includes steps 101 to 108.
Step 101, obtaining an identifier of the current IP fragment message, where the identifier is used to indicate a current session to which the current IP message belongs and a corresponding current direction.
In this embodiment, when an IP message is received, the IP fragment message reassembly apparatus first determines whether it is an IP fragment message. If so, step 101 is started; if not, the IP message is sent directly to the security analysis equipment for security analysis.
Step 102, judging, according to the identifier, whether a reassembly policy has already been specified for the current IP fragment message.
IP fragment message reassembly is carried out per session. Each session has two directions, uplink and downlink, and IP fragment messages of the same session in the same direction carry the same identifier. In this embodiment, the identifier of the IP fragment message is used to determine whether a reassembly policy has already been specified.
Step 103, if the reorganization strategy of the current IP fragmentation message is not specified, the destination IP address in the current IP fragmentation message is obtained.
IP fragment messages of the same session in the same direction share the same five-tuple information, which comprises the source IP address, destination IP address, protocol number, source port and destination port. The destination asset of the current IP fragment message can be determined from the destination IP address.
Step 104, obtaining a target system type according to the destination IP address, wherein the target system type is the operating system type of the asset corresponding to the destination IP address.
In this embodiment, the operating system types of the assets in the network are collected in advance to form an asset library. If no reassembly policy has been specified for the current IP fragment message, the operating system type of the corresponding asset is looked up in the asset library by the destination IP address of the IP fragment message.
Common operating systems include, but are not limited to, Windows, BSD, Linux, HP-UX, Sun, macOS and Cisco IOS.
Step 105, acquiring a target reassembly policy according to the target system type.
Different operating systems use different reassembly policies. For example, referring to Fig. 2 (a), two fragment messages are received in succession: fragment message A has offset position (offset) 100 and length (len) 100, and fragment message B has offset position 150 and length 100. Fragment message B arrives first and fragment message A arrives later, and part No. 3 of fragment message B overlaps part No. 2 of fragment message A.
The IP fragment reassembly policy in operating systems such as BSD and Linux is: in the overlapping region, the data of the fragment with the smaller offset is kept. That is, because the offset of fragment message A is smaller, part No. 2 of fragment message A is kept, part No. 3 of fragment message B is cut off, and the reassembled message is as shown in Fig. 2 (b).
The IP fragment reassembly policy in operating systems such as Windows, macOS, SUN and HP-UX is a first-come policy: of two overlapping parts, whichever arrives first is kept. That is, since fragment message B arrives first, part No. 3 of fragment message B is kept, part No. 2 of fragment message A is cut off, and the reassembled message is as shown in Fig. 2 (c).
The IP fragment reassembly policy in the Cisco IOS operating system is a last-come policy: of two overlapping parts, whichever arrives last is kept. That is, since fragment message A arrives after fragment message B, part No. 2 of fragment message A is kept, part No. 3 of fragment message B is cut off, and the reassembled message is as shown in Fig. 2 (d).
It should be noted that the operating systems and corresponding reassembly policies above are only examples. In practice, the reassembly policy is configured according to the operating system types of the different network assets and is not limited to the examples above.
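The asset lookup of steps 103 to 105 and the three overlap policies of Fig. 2, implemented as an added example (this code is not from the patent). Fragments are modelled with plain byte offsets and an arrival counter; the asset library, the IP addresses and the payloads are constructed for the demonstration, no IP headers are parsed, and real IPv4 fragment offsets are in units of 8 bytes. The scenario is the Fig. 2 one (B at offset 150 arrives before A at offset 100), with a constructed head fragment at offset 0 so that the datagram is complete; the fallback policy for an asset missing from the library is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int                  # byte offset of this payload within the original datagram
    payload: bytes
    arrival: int                 # arrival order within the session: 0 = received first
    more_fragments: bool = True  # False on the last fragment (IP "more fragments" flag clear)

    @property
    def end(self) -> int:
        return self.offset + len(self.payload)


# Constructed asset library: destination IP -> operating system type (step 104).
ASSET_LIBRARY = {
    "192.0.2.10": "Linux",
    "192.0.2.20": "Windows",
    "192.0.2.30": "Cisco IOS",
}

# Operating system -> overlap policy, as the text describes (step 105).
POLICY_BY_OS = {
    "BSD": "lower_offset", "Linux": "lower_offset",
    "Windows": "first", "macOS": "first", "SUN": "first", "HP-UX": "first",
    "Cisco IOS": "last",
}


def select_policy(dst_ip: str) -> str:
    """Steps 103-105: destination IP -> asset OS -> reassembly policy."""
    os_type = ASSET_LIBRARY.get(dst_ip)
    if os_type is None:
        return "lower_offset"   # assumption: default policy for an asset not in the library
    return POLICY_BY_OS[os_type]


def _pick(covering: List[Fragment], policy: str) -> Fragment:
    """Decide which of several fragments covering one byte position supplies that byte."""
    if policy == "lower_offset":              # BSD / Linux in the text
        return min(covering, key=lambda f: (f.offset, f.arrival))
    if policy == "first":                     # Windows / macOS / SUN / HP-UX in the text
        return min(covering, key=lambda f: f.arrival)
    if policy == "last":                      # Cisco IOS in the text
        return max(covering, key=lambda f: f.arrival)
    raise ValueError(f"unknown policy {policy!r}")


def reassemble(fragments: Iterable[Fragment], policy: str) -> Optional[bytes]:
    """Return the reassembled payload, or None while fragments are still missing."""
    frags = list(fragments)
    last = [f for f in frags if not f.more_fragments]
    if not last:
        return None                           # final fragment not seen yet
    total = max(f.end for f in last)
    out = bytearray()
    for pos in range(total):
        covering = [f for f in frags if f.offset <= pos < f.end]
        if not covering:
            return None                       # gap: wait for the next fragment
        f = _pick(covering, policy)
        out.append(f.payload[pos - f.offset])
    return bytes(out)


# Fig. 2 scenario from the text, plus a constructed head fragment at offset 0:
# B (offset 150, len 100) arrives before A (offset 100, len 100).
HEAD = Fragment(0, b"H" * 100, arrival=0)
B = Fragment(150, b"B" * 100, arrival=1, more_fragments=False)
A = Fragment(100, b"A" * 100, arrival=2)
FIG2 = [HEAD, B, A]


def overlap_bytes(policy: str) -> bytes:
    """Bytes 150..199 of the reassembled datagram: the region where A and B overlap."""
    return reassemble(FIG2, policy)[150:200]


if __name__ == "__main__":
    for os_type in ("Linux", "Windows", "Cisco IOS"):
        policy = POLICY_BY_OS[os_type]
        print(f"{os_type:10s} {policy:13s} overlap -> {overlap_bytes(policy)[:8]!r}...")
```

The per-byte decision is deliberately simple: it makes each policy a one-line comparison and makes the difference between them visible as which payload survives in bytes 150 to 199, which is exactly the difference an analyser sees when it reassembles with the wrong policy for the destination host.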
Step 106, inserting the current IP fragment message into the preset reassembly table according to the five-tuple information of the current IP fragment message.
Step 107, reassembling, according to the target reassembly policy, all IP fragment messages in the preset reassembly table that correspond to the identifier, to obtain a reassembled message.
Step 108, sending the reassembled message to the security analysis equipment.
In this embodiment, if a reassembly policy has already been specified for the current IP fragment message, the method skips to step 106: the IP fragment is inserted into the preset reassembly table according to its five-tuple information and reassembled according to the specified reassembly policy.
In existing IP fragment reassembly policies, reassembly is performed for every fragment message. Although safe, this approach severely reduces the processing performance of the IP fragment message reassembly apparatus when the volume of IP fragment messages is large. To this end, in some embodiments, the IP fragment message reassembly method for network attack detection further includes steps 301 to 305 before step 106.
Step 301, obtaining a target protection level according to the destination IP address, where the target protection level is a protection level of an asset corresponding to the destination IP address.
Step 302, obtaining a target sampling frequency according to the target protection level.
In some embodiments, the asset library mentioned in step 104 also records a protection level for each destination IP address. In this embodiment, the protection level is determined by the importance of the asset, and different protection levels correspond to different sampling frequencies.
By way of example, the sampling frequency of a very important asset is set to 100%, that of an important asset to 80%, and that of a normal asset to 50%. The sampling period is determined within a unit of time. Illustratively, with a sampling frequency of 100%, all times are sampling periods; with a sampling frequency of 80%, the last 80% of each unit of time is the sampling period, for example the last 48 seconds of each minute; with a sampling frequency of 50%, the last 50% of each unit of time is the sampling period, for example the last 30 seconds of each minute. It should be noted that the asset level division, the sampling frequency division and the determination of the sampling time period may all be adjusted according to practical application, and the present application does not limit the specific numerical values.
Step 303, determining a target sampling time period according to the target sampling frequency.
Step 304, determining whether the current time is within the target sampling time period.
If the current time is within the target sampling time period, continuing to execute the step of inserting the current IP fragment message into a preset reorganization table according to the quintuple information of the current IP fragment message.
If the current time is not within the sampling time period, step 305 is executed, and the execution of the IP fragment message reassembly method is terminated for the current IP fragment message.
And step 305, sending the current IP fragment message to security analysis equipment.
For example, the target sampling frequency is 50%, that is, the last 30 seconds of each minute is a sampling time period, if the receiving time of the current IP fragment message, that is, the current time, is in the sampling time period, then executing a subsequent reorganization method on the current IP fragment message; if the receiving time of the current IP fragmentation message, namely the current time, is not in the target sampling time period, the current IP fragmentation message is directly sent to the security analysis equipment and is processed by the security analysis equipment, and the current IP fragmentation message reorganization method is not executed for the current IP fragmentation message.
In steps 301-304 described above, sampling policies of different levels are applied to IP fragment messages based on the importance level of the protected network asset. While the upper-layer service requirements are still guaranteed, the total amount of IP fragment message reassembly is reduced and the processing efficiency of IP fragment message reassembly is improved.
In order to ensure the detection rate of attack messages, during reassembly, if the contents of the overlapping part of any two IP fragment messages are detected to differ, the corresponding session is judged to be abnormal and the corresponding target sampling frequency is set to 100%. All fragment messages of that session are then sampled and reassembled.
In some embodiments, before step 108, the IP fragment packet reassembly method for network attack detection further includes:
Step 305, obtaining the overlapping part of the offset positions of any two IP fragment messages among all the IP fragment messages corresponding to the identifier.
Step 306, determining whether the contents of the overlapping portions of the offset positions of the arbitrary two IP fragment messages are the same.
Step 307, if the contents of the overlapping portions of the offset positions of the two arbitrary IP fragment messages are different, setting the target sampling frequency to 100%.
For example, referring to fig. 2, part No. 2 of IP fragment message A and part No. 3 of IP fragment message B, which belong to the same session, overlap each other. For normal IP fragment messages the contents of the two parts should be identical; if they differ, IP fragment message A and IP fragment message B are likely to be attack messages. In that case the target sampling frequency of the identifier corresponding to IP fragment messages A and B is set to 100%, so that the detection rate of attack messages is improved.
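As an added example (not the patent's own code), the following Python sketch implements the sampling-period selection of steps 302-304 and the overlap-consistency check of steps 305-307 together; the protection-level names, the 60-second unit time and the fragments are constructed assumptions.

```python
"""Added example (not the patent's code): sampling-window selection by asset
protection level, plus the overlap-consistency check on the fragments of one
identifier.  Level names, unit time and fragments are constructed here."""
from typing import List, Tuple

# Sampling frequency per protection level, as in the description (assumed labels).
SAMPLING_FREQUENCY = {"very_important": 1.0, "important": 0.8, "normal": 0.5}
UNIT_SECONDS = 60  # the description samples the tail of each minute


def sampling_window_start(freq: float, unit: int = UNIT_SECONDS) -> int:
    """Second within the unit at which the sampling period starts.

    freq=0.8 -> last 48 s of each minute -> starts at second 12.
    freq=0.5 -> last 30 s                -> starts at second 30.
    """
    if not 0.0 <= freq <= 1.0:
        raise ValueError("sampling frequency must be in [0, 1]")
    return round(unit * (1.0 - freq))


def in_sampling_period(now: float, freq: float, unit: int = UNIT_SECONDS) -> bool:
    """True if `now` (epoch seconds) falls in the last `freq` share of its unit time."""
    return (now % unit) >= sampling_window_start(freq, unit)


Fragment = Tuple[int, bytes]  # (byte offset within the datagram, payload)


def overlapping_fragments_conflict(frags: List[Fragment]) -> bool:
    """True if any two fragments overlap in offset range and carry different
    bytes in the overlapped region.  Identical overlaps, as a legitimate
    retransmission produces, are not a conflict."""
    for i in range(len(frags)):
        off_a, data_a = frags[i]
        for off_b, data_b in frags[i + 1:]:
            start = max(off_a, off_b)
            end = min(off_a + len(data_a), off_b + len(data_b))
            if start >= end:
                continue  # ranges do not overlap
            if data_a[start - off_a:end - off_a] != data_b[start - off_b:end - off_b]:
                return True
    return False


def effective_frequency(level: str, frags: List[Fragment]) -> float:
    """Sampling frequency applied to the identifier: the level's configured
    frequency, raised to 100% once a conflicting overlap has been seen."""
    if overlapping_fragments_conflict(frags):
        return 1.0
    return SAMPLING_FREQUENCY[level]


# Constructed sample: fragment A covers bytes [0, 16), fragment B covers [8, 24).
CLEAN = [(0, b"A" * 16), (8, b"A" * 8 + b"B" * 8)]      # overlapped bytes agree
CONFLICT = [(0, b"A" * 16), (8, b"Z" * 8 + b"B" * 8)]   # overlapped bytes differ

if __name__ == "__main__":
    print(sampling_window_start(0.8), sampling_window_start(0.5))  # 12 30
    print(effective_frequency("normal", CLEAN), effective_frequency("normal", CONFLICT))  # 0.5 1.0
```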
In order to reduce the number of unnecessary fragmented messages and improve the recombination efficiency of the IP message recombination device, the method for recombining the IP fragmented messages according to the embodiment may further determine whether the current IP fragmented message needs to be recombined based on the connection state of the TCP network control layer and the network application layer.
In some embodiments, the method for reorganizing IP fragmentation messages for network attack detection includes steps 401-404 before step 106.
Step 401, determining whether the type of the current session is a TCP session. TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream-based transport layer communication protocol.
Step 402, if the type of the current session is a TCP session, determining whether a TCP connection state has been established in a first number of first messages before the current IP fragmentation message, where the first messages and the current IP fragmentation message belong to the same session.
For example, if the type of the current session is a TCP connection, it is determined whether, among the 10 messages (fragmented or ordinary, i.e. unfragmented) that precede the current IP fragment message and belong to the same session, 3 messages have completed the three-way handshake, i.e. established the TCP connection state. Here the first number is 10. In practical applications the first number is set according to the specific situation; the present application does not limit its value.
Step 403, if the TCP connection state has been established in the first number of first messages before the current IP fragmentation message, determining whether the application connection state has been established in the second number of first messages before the current IP fragmentation message.
For an HTTP application, the application connection state is considered established only if both a Request message and a Response message appear among the second number of first messages; for a DNS application, only if both a Query message and a Response message appear among them. In some embodiments the second number may be set to 15, or set according to the specific situation or an empirical value.
If the application connection state has been established in the second number of first messages before the current IP fragmentation message, the method continues with the step of inserting the current IP fragmentation message into a preset reorganization table according to the five-tuple information of the current IP fragmentation message.
If the current session type is not a TCP session, step 404 is executed, i.e. it is determined whether an application connection state has been established in a second number of first messages preceding the current IP fragment message.
If no TCP connection state is established in the first number of first messages before the current IP fragmentation message, the current IP fragmentation message is sent to the security analysis device (i.e. step 404 in fig. 4), and the execution of the IP fragmentation message reassembly method is terminated for the current IP fragmentation message.
If no application connection state is established in the second number of first messages before the current IP fragment message, the current IP fragment message is sent to the security analysis device (i.e. step 404 in fig. 4), and the execution of the IP fragment message reorganization method is terminated for the current IP fragment message.
The steps 401-404 determine whether to continue reassembling based on the connection states of the TCP network control layer and the network application layer, so as to reduce the number of unnecessary reassembling of the IP fragmentation messages and improve the processing efficiency of the IP fragmentation message reassembling device.
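The connection-state gate of steps 401-404, as an added example (not the patent's code): a session's preceding messages are represented as constructed records carrying transport, TCP flags and application-layer role, and the default window sizes 10 and 15 are the values given in the text.

```python
"""Added example (not the patent's code): the connection-state gate of steps
401-404.  The message record shape, the flag strings and the histories are
constructed for illustration."""
from typing import Dict, List

Message = Dict[str, str]


def make_msg(transport: str, flags: str = "", app: str = "") -> Message:
    """Constructed message record (hypothetical shape, not the device's format)."""
    return {"transport": transport, "flags": flags, "app": app}


def tcp_connection_established(history: List[Message], first_number: int) -> bool:
    """Step 402: was a three-way handshake (SYN, SYN-ACK, ACK, in that order)
    completed within the last `first_number` messages preceding the fragment?"""
    expected = ("SYN", "SYN-ACK", "ACK")
    stage = 0  # how many handshake steps have been matched so far
    for m in history[-first_number:]:
        if stage < 3 and m["flags"] == expected[stage]:
            stage += 1
    return stage == 3


# Request/response pairs whose appearance marks an established application state.
APP_EXCHANGE = {"http": ("request", "response"), "dns": ("query", "response")}


def app_connection_established(history: List[Message], second_number: int, app: str) -> bool:
    """Steps 403/404: both halves of the application exchange, in order, within
    the last `second_number` messages preceding the fragment."""
    first, second = APP_EXCHANGE[app]
    roles = [m["app"] for m in history[-second_number:]]
    if first not in roles:
        return False
    return second in roles[roles.index(first) + 1:]


def should_reassemble(history: List[Message], transport: str, app: str,
                      first_number: int = 10, second_number: int = 15) -> bool:
    """True when the fragment proceeds to the reassembly table; False when it is
    handed straight to the security analysis device without reassembly."""
    if transport == "tcp" and not tcp_connection_established(history, first_number):
        return False
    return app_connection_established(history, second_number, app)


# Constructed histories.
TCP_HTTP = [make_msg("tcp", "SYN"), make_msg("tcp", "SYN-ACK"), make_msg("tcp", "ACK"),
            make_msg("tcp", "ACK", "request"), make_msg("tcp", "ACK", "response")]
# Handshake followed by nine data messages: 12 in total, so the handshake lies
# outside a window of the last 10 messages.
TCP_LONG = TCP_HTTP[:3] + [make_msg("tcp", "ACK", "data") for _ in range(9)]
UDP_DNS = [make_msg("udp", "", "query"), make_msg("udp", "", "response")]

if __name__ == "__main__":
    print(should_reassemble(TCP_HTTP, "tcp", "http"))                                   # True
    print(tcp_connection_established(TCP_LONG, 10), tcp_connection_established(TCP_LONG, 12))  # False True
    print(should_reassemble(UDP_DNS, "udp", "dns"), should_reassemble(UDP_DNS[:1], "udp", "dns"))  # True False
```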
In some embodiments, referring to fig. 5, the preset reassembly table includes a hash table, a hash bucket linked list and a red-black tree data structure table. The hash table comprises at least one hash bucket, and each hash bucket corresponds to one hash bucket linked list; the hash bucket linked list comprises at least one hash bucket linked list item, and each item corresponds to one red-black tree data structure table.
In the preset reassembly table shown in fig. 5, RWLock represents a read-write lock; Head represents the head of the hash bucket linked list; Next represents a pointer to the next linked list item; Five-Tuple records the five-tuple information of the IP fragment message; RBTree_root represents the root node of the red-black tree that stores the IP fragment messages; Parent represents the pointer in a red-black tree node to its parent node; Left_child represents the pointer in a red-black tree node to its left child node; Right_child represents the pointer in a red-black tree node to its right child node; and the flag represents a pointer in a red-black tree node to an IP fragment message.
In some embodiments, step 106 further comprises steps 601-604.
And step 601, calculating according to the five-tuple information of the current IP fragmentation message to obtain the hash key value of the current IP fragmentation message.
Step 602, obtaining a target hash bucket linked list according to the hash key value.
In one implementation, a corresponding hash bucket is found according to the hash key value; and finding a corresponding hash bucket linked list according to the corresponding hash bucket.
Step 603, traversing all hash bucket linked list items in the target hash bucket linked list, and acquiring the target hash bucket linked list item according to the five-tuple information of the current IP fragment message.
Step 604, inserting the current IP fragment message into a red-black tree data structure table corresponding to the target hash bucket chain table entry.
Compared with storing IP fragment messages sequentially in a linked list, where the query time complexity is O(n), storing them in the structure of hash table, hash bucket linked list and red-black tree data structure table gives a query time complexity of O(log n), so the lookup speed during IP fragment message reassembly is improved.
It should be noted that, in other embodiments, other binary tree data structures may be used in the red-black tree data structure table in the preset reorganization table.
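As an added example (not the patent's code), a reassembly table shaped like the preset table of fig. 5 and the insertion of steps 601-604: a fixed-size hash table of buckets, each bucket a list of per-five-tuple items, each item holding that flow's fragments ordered by offset. Python's standard library has no red-black tree, so a list kept sorted with `bisect` stands in for the RBTree; the five-tuple, fragments and the first-copy-wins handling of overlaps are assumptions.

```python
"""Added example (not the patent's code): hash table -> hash bucket linked list
-> per-flow ordered fragments, with completeness check on reassembly.  A sorted
list with `bisect` stands in for the red-black tree (O(log n) lookup, O(n) insert)."""
import bisect
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, int]  # (src ip, dst ip, src port, dst port, protocol)


@dataclass
class FlowItem:
    """One hash bucket linked-list item: the five-tuple plus its fragment tree."""
    five_tuple: FiveTuple
    offsets: List[int] = field(default_factory=list)   # sorted keys, RBTree stand-in
    frags: Dict[int, bytes] = field(default_factory=dict)
    total_len: Optional[int] = None                     # known once the last fragment (MF=0) arrives

    def insert(self, offset: int, payload: bytes, more_fragments: bool) -> None:
        """Keep the first copy seen at an offset; a later copy at the same offset is ignored."""
        if offset not in self.frags:
            bisect.insort(self.offsets, offset)
            self.frags[offset] = payload
        if not more_fragments:
            self.total_len = offset + len(payload)

    def reassemble(self) -> Optional[bytes]:
        """Return the full payload once every byte up to total_len is covered, else None.
        Where fragments overlap, bytes already supplied by a lower offset are kept;
        in the real device the target reassembly strategy decides this (assumption)."""
        if self.total_len is None:
            return None
        out = bytearray(self.total_len)
        covered = 0
        for off in self.offsets:               # ascending, as an in-order tree walk would give
            if off > covered:
                return None                    # hole before this fragment
            data = self.frags[off]
            end = min(off + len(data), self.total_len)
            start = max(off, covered)
            if start < end:
                out[start:end] = data[start - off:end - off]
            covered = max(covered, end)
        return bytes(out) if covered >= self.total_len else None


class ReassemblyTable:
    """Hash table -> bucket list of FlowItem -> per-flow ordered fragments (steps 601-604)."""

    def __init__(self, n_buckets: int = 1024) -> None:
        self.buckets: List[List[FlowItem]] = [[] for _ in range(n_buckets)]

    def _bucket(self, ft: FiveTuple) -> List[FlowItem]:
        # Steps 601-602: the hash key of the five-tuple selects the bucket's linked list.
        return self.buckets[hash(ft) % len(self.buckets)]

    def _item(self, ft: FiveTuple) -> FlowItem:
        # Step 603: walk the bucket's items and match the full five-tuple.
        bucket = self._bucket(ft)
        for item in bucket:
            if item.five_tuple == ft:
                return item
        item = FlowItem(ft)
        bucket.append(item)
        return item

    def insert(self, ft: FiveTuple, offset: int, payload: bytes,
               more_fragments: bool) -> Optional[bytes]:
        """Step 604: insert into the flow's tree; return the datagram payload if now complete."""
        item = self._item(ft)
        item.insert(offset, payload, more_fragments)
        done = item.reassemble()
        if done is not None:
            self._bucket(ft).remove(item)       # release the item once delivered
        return done


def demo() -> Optional[bytes]:
    """Constructed sample: three 8-byte fragments of one datagram arriving out of order."""
    table = ReassemblyTable(n_buckets=8)
    ft = ("10.0.0.1", "10.0.0.2", 1234, 80, 17)   # constructed addresses and ports
    results = [table.insert(ft, 16, b"C" * 8, more_fragments=False),
               table.insert(ft, 0, b"A" * 8, more_fragments=True),
               table.insert(ft, 8, b"B" * 8, more_fragments=True)]
    return results[-1]                              # b"AAAAAAAABBBBBBBBCCCCCCCC"


if __name__ == "__main__":
    print(demo())
```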
The method for reassembling IP fragment messages for network attack detection provided by the first embodiment of the application comprises: acquiring the identifier of the current IP fragment message and judging, according to the identifier, whether the reassembly strategy of the current IP fragment message has already been specified; if the reassembly strategy of the current IP fragment message is not specified, acquiring the destination IP address in the current IP fragment message; acquiring a target system type according to the destination IP address; acquiring a target reassembly strategy according to the target system type; inserting the current IP fragment message into a preset reassembly table according to its five-tuple information, reassembling all IP fragment messages corresponding to the identifier in the preset reassembly table according to the target reassembly strategy to obtain a reassembled message, and sending the reassembled message to the security analysis equipment. The method automatically selects the corresponding reassembly strategy according to the operating system of the network asset corresponding to the destination IP address, improves the accuracy of IP message reassembly, and improves the detection rate of the security analysis equipment for attack messages.
The second embodiment of the present application provides an IP fragment packet reassembly apparatus for network attack detection, where the IP fragment packet reassembly apparatus executes the IP fragment packet reassembly method for network attack detection provided by the first embodiment of the present application. The IP fragment message reorganizing device comprises:
An identifier acquisition unit configured to: acquire an identifier of the current IP fragment message, wherein the identifier is used for indicating the current session to which the current IP fragment message belongs and the corresponding current direction;
A reassembly strategy acquisition unit configured to: judge, according to the identifier, whether the reassembly strategy of the current IP fragment message has been specified; if the reassembly strategy of the current IP fragment message is not specified, acquire the destination IP address in the current IP fragment message; acquire a target system type according to the destination IP address, wherein the target system type is the operating system type of the asset corresponding to the destination IP address; and acquire a target reassembly strategy according to the target system type.
And the message storage unit is used for storing the current IP fragment message according to the structure of a preset reorganization table.
A reorganization execution unit configured to perform the following operations: inserting the current IP fragment message into the preset reorganization table in the message storage unit according to the five-tuple information of the current IP fragment message; according to the target reorganization strategy, reorganizing all IP fragment messages corresponding to the identification in the preset reorganization table to obtain reorganized messages; and sending the recombined message to security analysis equipment.
In some embodiments, the IP fragment message reassembly apparatus further includes a sampling policy obtaining unit; the sampling strategy acquisition unit is configured to perform the following operations: acquiring a target protection level according to the target IP address, wherein the target protection level is the protection level of the asset corresponding to the target IP address; acquiring a target sampling frequency according to the target protection level; determining a target sampling time period according to the target sampling frequency; judging whether the current time is within the target sampling time period or not; if the current time is within the target sampling time period, continuing to execute the step of inserting the current IP fragment message into a preset reorganization table according to the quintuple information of the current IP fragment message; and if the current time is not in the sampling time period, sending the current IP fragment message to security analysis equipment, and stopping executing the IP fragment message reorganization method aiming at the current IP fragment message.
In some embodiments, the IP fragment message reassembly apparatus further includes a connection state confirmation unit, configured to perform the following operations: judging whether the type of the current session is a TCP session; if the type of the current session is a TCP session, judging whether a TCP connection state has been established in a first number of first messages before the current IP fragment message, wherein the first messages and the current IP fragment message belong to the same session; if the TCP connection state has been established in the first number of first messages before the current IP fragment message, judging whether an application connection state has been established in a second number of first messages before the current IP fragment message; if the application connection state has been established in the second number of first messages before the current IP fragment message, continuing with the step of inserting the current IP fragment message into the preset reassembly table according to the five-tuple information of the current IP fragment message; if the type of the current session is not a TCP session, executing the step of judging whether the application connection state has been established in the second number of first messages before the current IP fragment message; if no TCP connection state has been established in the first number of first messages before the current IP fragment message, sending the current IP fragment message to the security analysis equipment and stopping execution of the IP fragment message reassembly method for the current IP fragment message; and if no application connection state has been established in the second number of first messages before the current IP fragment message, sending the current IP fragment message to the security analysis equipment and stopping execution of the IP fragment message reassembly method for the current IP fragment message.
In some embodiments, the preset reassembly table in the message storage unit of the IP fragment message reassembly apparatus includes a hash table, a hash bucket linked list and a red-black tree data structure table; the hash table comprises at least one hash bucket, and each hash bucket corresponds to one hash bucket linked list; the hash bucket linked list comprises at least one hash bucket linked list item, and each item corresponds to one red-black tree data structure table.
The reorganization execution unit is further configured to, when executing the insertion of the current IP fragment message into a preset reorganization table according to the five-tuple information of the current IP fragment message: calculating according to five-tuple information of the current IP fragment message to obtain a hash key value of the current IP fragment message; acquiring a target hash bucket chain table according to the hash key value; traversing all hash bucket chain table items in the target hash bucket chain table, and acquiring the target hash bucket chain table items according to quintuple information of the current IP fragment message; and inserting the current IP fragment message into a red-black tree data structure table corresponding to the target hash bucket chain table entry.
The role and effect of the above-mentioned IP fragment message reassembly apparatus in executing the IP fragment message reassembly method for network attack detection are described in the first embodiment of the present application, and are not repeated here.
The application has been described in detail in connection with the specific embodiments and exemplary examples thereof, but such description is not to be construed as limiting the application. It will be understood by those skilled in the art that various equivalent substitutions, modifications or improvements may be made to the technical solution of the present application and its embodiments without departing from the spirit and scope of the present application, and these fall within the scope of the present application. The scope of the application is defined by the appended claims.
For parts that are similar or identical between the embodiments in this specification, reference may be made from one embodiment to another.

Claims (6)

1. An IP fragment message reassembly method for network attack detection, characterized by comprising the following steps:
acquiring an identifier of a current IP fragment message, wherein the identifier is used for indicating a current session to which the current IP fragment message belongs and a corresponding current direction;
judging, according to the identifier, whether the reassembly strategy of the current IP fragment message has been specified;
if the reassembly strategy of the current IP fragment message is not specified, acquiring a destination IP address in the current IP fragment message;
acquiring a target system type according to the destination IP address, wherein the target system type is the operating system type of the asset corresponding to the destination IP address;
acquiring a target reassembly strategy according to the target system type;
inserting the current IP fragment message into a preset reassembly table according to the five-tuple information of the current IP fragment message;
reassembling, according to the target reassembly strategy, all IP fragment messages corresponding to the identifier in the preset reassembly table to obtain a reassembled message;
sending the reassembled message to security analysis equipment;
before the step of inserting the current IP fragment message into the preset reassembly table according to the five-tuple information of the current IP fragment message, the IP fragment message reassembly method further comprises:
judging whether the type of the current session is a TCP session;
if the type of the current session is a TCP session, judging whether a TCP connection state has been established in a first number of first messages before the current IP fragment message, wherein the first messages and the current IP fragment message belong to the same session;
if the TCP connection state has been established in the first number of first messages before the current IP fragment message, judging whether an application connection state has been established in a second number of first messages before the current IP fragment message;
if the application connection state has been established in the second number of first messages before the current IP fragment message, continuing with the step of inserting the current IP fragment message into the preset reassembly table according to the five-tuple information of the current IP fragment message;
if the type of the current session is not a TCP session, executing the step of judging whether the application connection state has been established in the second number of first messages before the current IP fragment message;
if no TCP connection state has been established in the first number of first messages before the current IP fragment message, sending the current IP fragment message to the security analysis equipment and stopping execution of the IP fragment message reassembly method for the current IP fragment message;
if no application connection state has been established in the second number of first messages before the current IP fragment message, sending the current IP fragment message to the security analysis equipment and stopping execution of the IP fragment message reassembly method for the current IP fragment message;
the preset reassembly table comprises a hash table, a hash bucket linked list and a red-black tree data structure table;
the hash table comprises at least one hash bucket, and each hash bucket corresponds to one hash bucket linked list;
the hash bucket linked list comprises at least one hash bucket linked list item, and each hash bucket linked list item corresponds to one red-black tree data structure table;
the inserting of the current IP fragment message into the preset reassembly table according to the five-tuple information of the current IP fragment message comprises:
calculating a hash key value of the current IP fragment message according to the five-tuple information of the current IP fragment message;
acquiring a target hash bucket linked list according to the hash key value;
traversing all hash bucket linked list items in the target hash bucket linked list, and acquiring the target hash bucket linked list item according to the five-tuple information of the current IP fragment message;
and inserting the current IP fragment message into the red-black tree data structure table corresponding to the target hash bucket linked list item.
2. The IP fragment message reassembly method according to claim 1, wherein, before inserting the current IP fragment message into the preset reassembly table according to the five-tuple information of the current IP fragment message, the method further comprises:
acquiring a target protection level according to the destination IP address, wherein the target protection level is the protection level of the asset corresponding to the destination IP address;
acquiring a target sampling frequency according to the target protection level;
determining a target sampling time period according to the target sampling frequency;
judging whether the current time is within the target sampling time period;
if the current time is within the target sampling time period, continuing with the step of inserting the current IP fragment message into the preset reassembly table according to the five-tuple information of the current IP fragment message;
and if the current time is not within the target sampling time period, sending the current IP fragment message to the security analysis equipment and stopping execution of the IP fragment message reassembly method for the current IP fragment message.
3. The IP fragment message reassembly method according to claim 1, wherein, in the step of reassembling all IP fragment messages corresponding to the identifier in the preset reassembly table according to the target reassembly strategy to obtain a reassembled message:
if no reassembled message is obtained, the next IP fragment message is acquired.
4. The IP fragment message reassembly method according to claim 2, wherein, before the step of sending the reassembled message to the security analysis equipment, the IP fragment message reassembly method further comprises:
acquiring the overlapping part of the offset positions of any two IP fragment messages among all the IP fragment messages corresponding to the identifier;
judging whether the contents of the overlapping part of the offset positions of the two IP fragment messages are the same;
and if the contents of the overlapping part of the offset positions of the two IP fragment messages are different, setting the target sampling frequency to 100%.
5. An IP fragment message reassembly apparatus for network attack detection, wherein the IP fragment message reassembly apparatus performs the IP fragment message reassembly method for network attack detection according to any one of claims 1-4, the IP fragment message reassembly apparatus comprising:
an identifier acquisition unit configured to: acquire an identifier of a current IP fragment message, wherein the identifier is used for indicating a current session to which the current IP fragment message belongs and a corresponding current direction;
a reassembly strategy acquisition unit configured to perform:
judging, according to the identifier, whether the reassembly strategy of the current IP fragment message has been specified;
if the reassembly strategy of the current IP fragment message is not specified, acquiring a destination IP address in the current IP fragment message;
acquiring a target system type according to the destination IP address, wherein the target system type is the operating system type of the asset corresponding to the destination IP address;
acquiring a target reassembly strategy according to the target system type;
a message storage unit for storing the current IP fragment message according to the structure of a preset reassembly table;
a reassembly execution unit configured to perform the following operations: inserting the current IP fragment message into the preset reassembly table in the message storage unit according to the five-tuple information of the current IP fragment message;
reassembling, according to the target reassembly strategy, all IP fragment messages corresponding to the identifier in the preset reassembly table to obtain a reassembled message;
sending the reassembled message to security analysis equipment;
the apparatus further comprises a connection state confirmation unit configured to perform the following operations:
judging whether the type of the current session is a TCP session;
if the type of the current session is a TCP session, judging whether a TCP connection state has been established in a first number of first messages before the current IP fragment message, wherein the first messages and the current IP fragment message belong to the same session;
if the TCP connection state has been established in the first number of first messages before the current IP fragment message, judging whether an application connection state has been established in a second number of first messages before the current IP fragment message;
if the application connection state has been established in the second number of first messages before the current IP fragment message, continuing with the step of inserting the current IP fragment message into the preset reassembly table according to the five-tuple information of the current IP fragment message;
if the type of the current session is not a TCP session, executing the step of judging whether the application connection state has been established in the second number of first messages before the current IP fragment message;
if no TCP connection state has been established in the first number of first messages before the current IP fragment message, sending the current IP fragment message to the security analysis equipment and stopping execution of the IP fragment message reassembly method for the current IP fragment message;
if no application connection state has been established in the second number of first messages before the current IP fragment message, sending the current IP fragment message to the security analysis equipment and stopping execution of the IP fragment message reassembly method for the current IP fragment message;
the preset reassembly table in the message storage unit comprises a hash table, a hash bucket linked list and a red-black tree data structure table, wherein
the hash table comprises at least one hash bucket, and each hash bucket corresponds to one hash bucket linked list;
the hash bucket linked list comprises at least one hash bucket linked list item, and each hash bucket linked list item corresponds to one red-black tree data structure table;
the reassembly execution unit is further configured to, when inserting the current IP fragment message into the preset reassembly table according to the five-tuple information of the current IP fragment message:
calculate a hash key value of the current IP fragment message according to the five-tuple information of the current IP fragment message;
acquire a target hash bucket linked list according to the hash key value;
traverse all hash bucket linked list items in the target hash bucket linked list, and acquire the target hash bucket linked list item according to the five-tuple information of the current IP fragment message;
and insert the current IP fragment message into the red-black tree data structure table corresponding to the target hash bucket linked list item.
6. The IP fragment message reassembly apparatus according to claim 5, further comprising a sampling strategy acquisition unit configured to perform the following operations: acquiring a target protection level according to the destination IP address, wherein the target protection level is the protection level of the asset corresponding to the destination IP address;
acquiring a target sampling frequency according to the target protection level;
determining a target sampling time period according to the target sampling frequency;
judging whether the current time is within the target sampling time period;
if the current time is within the target sampling time period, continuing with the step of inserting the current IP fragment message into the preset reassembly table according to the five-tuple information of the current IP fragment message;
and if the current time is not within the target sampling time period, sending the current IP fragment message to the security analysis equipment and stopping execution of the IP fragment message reassembly method for the current IP fragment message.
Publications (2)

Publication Number    Publication Date
CN115022069A (en)     2022-09-06
CN115022069B (en)     2024-04-26

Family

ID=83077375

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210698565.6A Active CN115022069B (en) 2022-06-20 2022-06-20 IP fragment message recombination method and device for network attack detection

Country Status (1)

Country Link
CN (1) CN115022069B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116610485B (en) * 2023-07-21 2024-04-30 深圳市城市交通规划设计研究中心股份有限公司 Isolation gateway data verification method, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1863158A (en) * 2005-10-31 2006-11-15 华为技术有限公司 IP message fragment cache memory and forwarding method
CN101771575A (en) * 2008-12-29 2010-07-07 华为技术有限公司 Method, device and system for processing IP partitioned message
CN103888449A (en) * 2014-03-05 2014-06-25 亿赞普(北京)科技有限公司 Method and device for packet reassembly

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
EP2493139A1 (en) * 2011-02-22 2012-08-29 Voipfuture GmbH VoIP quality measurement enhancements using the internet control message protocol
US20200128113A1 (en) * 2018-10-23 2020-04-23 Nxp Usa, Inc. Efficient reassembly of internet protocol fragment packets


Non-Patent Citations (2)

Title
李芳馨, 刘嘉勇. "Research on Network Data Stream Restoration and Reassembly Technology". Information Science and Technology, vol. 44, no. 07, 2011-07-10, full text. *
Martine S. Lenders, Thomas C. Schmidt, Matthias Wählisch. "Fragment Forwarding in Lossy Networks". IEEE Access, vol. 9, 2021, full text. *



Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant