CN115051867A - Detection method and device for illegal external connection behaviors, electronic equipment and medium - Google Patents


Info

Publication number: CN115051867A
Authority: CN (China)
Prior art keywords: domain name; detected; external connection; network domain; illegal
Legal status: Granted (Active)
Application number: CN202210711219.7A
Other languages: Chinese (zh)
Other versions: CN115051867B (en)
Inventors: 彭雷, 张志良
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd; priority to CN202210711219.7A; publication of CN115051867A; application granted; publication of CN115051867B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method, a device, electronic equipment and a medium for detecting illegal external connection behaviors. No client software needs to be installed: DNS traffic on a link to be detected is monitored and analyzed to obtain the external network domain name access behavior corresponding to the equipment to be detected, and whether an illegal external connection behavior has occurred on the equipment to be detected is then determined according to that external network domain name access behavior.

Description

Detection method and device for illegal external connection behaviors, electronic equipment and medium
Technical Field
The present application relates to the field of computers, and in particular, to a method and an apparatus for detecting an illegal external connection behavior, an electronic device, and a medium.
Background
With the continuous development of the internet, network security receives ever more attention, so maintaining it has become crucial. In settings such as government bodies and certain enterprises, in order to keep the network secure and prevent confidential documents and important information from leaking, the network is divided into an intranet and the internet, and the internet behavior of staff is monitored and restricted by forbidding intranet hosts from connecting to the internet.
Illegal external connection refers to a device connecting, without authorization, to a network it is not allowed to access (such as the internet) through a third-party internet channel (such as a private Wi-Fi network or a mobile hotspot).
At present, illegal external connection is usually detected by installing client software on the detected device to obtain its network access behavior in real time and so judge whether it is illegally connected. Alternatively, a sending device and a receiving device are deployed on the internal network and the external network to be scanned respectively: the sending device sends a forged data packet to the detected device; if the detected device can reach the internet, it returns corresponding data to the receiving device, and on receiving that data the receiving device confirms the illegal external connection of the detected device.
Of these two modes, installing client software on the detected equipment is costly: client software adapted to each operating system has to be developed, the implementation is difficult, and detection is impossible in scenarios where client software cannot be installed. Deploying a sending device and a receiving device only applies to certain specific network traffic (such as HTTP traffic), so its scope of use is small; moreover it can only prove that the detected device has a network environment that permits illegal external connection, not that the detected device actually exhibits illegal external connection behavior. The application range of such data-response-based detection is therefore narrow, and it cannot detect illegal external connection behavior as it occurs.
Therefore, widening the application range of illegal external connection detection and detecting such behavior in real time, without installing client software, is a problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The application aims to provide a method, a device, electronic equipment and a medium for detecting illegal external connection behaviors. No client software needs to be installed: DNS traffic on a link to be detected is monitored and analyzed to obtain external network domain name access behaviors, and whether an illegal external connection behavior has occurred on the equipment to be detected is determined according to those access behaviors. This avoids the narrow application range and the lack of real-time detection that result from detecting illegal external connection behavior by deploying sending and receiving equipment, and improves network security.
In order to solve the technical problem, the application provides a method for detecting an illegal external connection behavior, which comprises the following steps:
monitoring DNS traffic generated on a link to be detected;
analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected;
and determining whether the equipment to be detected has an illegal external connection behavior according to the external network domain name access behavior.
Preferably, the external network domain name access behavior includes: accessing an external network domain name within a preset time length;
correspondingly, analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected includes:
analyzing the DNS traffic to obtain the external network domain name access behavior of the equipment to be detected within the preset time length.
Preferably, determining whether the equipment to be detected has an illegal external connection behavior according to the external network domain name access behavior includes:
when access to an external network domain name occurs, determining whether the equipment to be detected has an illegal external connection behavior according to whether a sub-domain name corresponding to that external network domain name is accessed within the preset time length after the access to the external network domain name.
Preferably, determining whether the equipment to be detected has an illegal external connection behavior according to whether the sub-domain name corresponding to the external network domain name is accessed within the preset time length after the external network domain name is accessed includes:
if the sub-domain name corresponding to the external network domain name is accessed within a first preset time length, determining that an illegal external connection behavior has occurred on the equipment to be detected;
if the sub-domain name corresponding to the external network domain name is not accessed within the first preset time length but is accessed within a second preset time length, determining that an illegal external connection behavior has occurred on the equipment to be detected, where the second preset time length is greater than the first preset time length.
Preferably, determining whether the equipment to be detected has an illegal external connection behavior according to the external network domain name access behavior includes:
determining whether the equipment to be detected has an illegal external connection behavior according to whether a plurality of external network domain names are accessed within the preset time length and at least two of those external network domain names differ from each other.
Preferably, the external network domain name access behavior includes: the type of external network domain name accessed, in the case where an external network is accessed;
correspondingly, analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected includes:
analyzing the DNS traffic to obtain the type of external network domain name accessed by the equipment to be detected when it accesses the external network;
correspondingly, determining whether the equipment to be detected has an illegal external connection behavior according to the external network domain name access behavior includes:
determining whether the equipment to be detected has an illegal external connection behavior according to the type of external network domain name accessed.
Preferably, after determining that the equipment to be detected has an illegal external connection behavior, the method further includes:
accumulating the number of illegal external connection behaviors;
and sending prompt information to specified equipment when the number of illegal external connection behaviors reaches a preset number.
In order to solve the above technical problem, the present application further provides a device for detecting an illegal external connection behavior, including:
a monitoring module for monitoring DNS traffic generated on a link to be detected;
an analysis module for analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected;
and a determining module for determining whether the equipment to be detected has an illegal external connection behavior according to the external network domain name access behavior.
In order to solve the above technical problem, the present application further provides an electronic device, including a memory for storing a computer program;
and a processor for implementing the steps of the above method for detecting illegal external connection behavior when executing the computer program.
In order to solve the above technical problem, the present application further provides a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the method for detecting illegal external connection behavior described above.
The method for detecting illegal external connection behavior comprises monitoring DNS traffic generated on a link to be detected, analyzing the monitored DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected, and determining whether an illegal external connection behavior has occurred on the equipment to be detected according to that behavior (the external network being a network that is not allowed to be accessed, such as the internet). Thus, with the technical scheme provided by the invention, no client software needs to be installed: the DNS traffic on the monitored link to be detected is used directly, analyzed to obtain the domain name access behavior of the equipment to be detected, and finally whether an illegal external connection behavior has occurred on the equipment to be detected is determined according to that domain name access behavior.
In addition, the application also provides a detection device, electronic equipment and a medium for illegal external connection behavior corresponding to the above detection method, with the same effect.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a schematic diagram of a hardware architecture of a method for detecting an illegal external connection behavior according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for detecting an illegal external connection behavior according to an embodiment of the present invention;
fig. 3 is a structural diagram of an apparatus for detecting an illegal external connection behavior according to an embodiment of the present invention;
fig. 4 is a block diagram of an electronic device according to another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
The core of the application is to provide a method, a device, electronic equipment and a medium for detecting illegal external connection behaviors: Domain Name System (DNS) traffic on a link to be detected is monitored and analyzed to obtain the external network domain name access behavior corresponding to the equipment to be detected, and whether an illegal external connection behavior has occurred on the equipment to be detected is determined according to that behavior. This avoids the high cost of installing client software and expands the application range, while also avoiding the narrow application range and the inability to detect illegal external connection behavior while it is occurring that result from deploying sending and receiving equipment, thereby improving network security.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings.
Illegal external connection refers to a device connecting, without authorization, to a network it is prohibited from accessing (such as the internet) through a third-party internet channel (such as a private Wi-Fi network or a mobile hotspot). With the continuous development of the internet, people pay ever more attention to the security of network information. In national units and many enterprises, to avoid leaking confidential information, the network is generally divided into a network that may be accessed (the internal network) and a network that may not be accessed from an internal network host (the external network, such as the internet); internet access behavior is thus monitored and restricted by forbidding staff from connecting to the external network through an internal network host, which improves the security of network information. How to detect whether a device to be detected has an illegal external connection therefore becomes very important.
At present, illegal external connection is usually detected by installing client software on the detected device to obtain its network access behavior in real time and so judge whether it is illegally connected. Alternatively, a sending device and a receiving device are deployed on the internal network and the external network to be scanned respectively: the sending device sends a forged data packet to the detected device; if the detected device can reach the internet, it returns corresponding data to the receiving device, and on receiving that data the receiving device confirms the illegal external connection of the detected device.
Of these two modes, installing client software on the detected equipment is costly: client software adapted to each operating system has to be developed, the implementation is difficult, and detection cannot be carried out in scenarios where client software cannot be installed. Deploying a sending device and a receiving device only applies to detection of certain specific network traffic (for example, HTTP traffic), so its scope of use is small; moreover it can only prove that the detected device has a network environment that permits illegal external connection, not that the detected device actually exhibits illegal external connection behavior, so such data-response-based detection has low detection efficiency and inaccurate results.
In order to improve the accuracy of detecting illegal external connection behavior without installing client software, the invention provides a method for detecting illegal external connection behavior. Fig. 1 is a schematic diagram of the hardware architecture of the detection method provided by an embodiment of the invention; for ease of understanding, the hardware architecture to which the technical scheme applies is described below with reference to fig. 1. As shown in fig. 1, an illegal external connection detection device 1 is communicatively connected with multiple devices to be detected 2. When an illegal external connection behavior occurs on any one of the devices to be detected 2, that device generates corresponding DNS traffic; when the illegal external connection detection device 1 detects this DNS traffic, it analyzes it to obtain the external network domain name access behavior and determines, according to that behavior, the target device on which the illegal external connection behavior occurred. It should be noted that the illegal external connection detection device 1 may be a computer like the device to be detected 2, or any electronic device storing a program for detecting illegal external connection behavior, such as a mobile phone or a tablet; the invention is not limited in this respect.
As shown in fig. 1, the illegal external connection detection device 1 may be deployed in the internal network accessible to clients. When a device to be detected 2 accesses an external network (such as the internet) that it is prohibited from accessing, its DNS request traffic may be sent through the "other network card" in fig. 1. However, a PC running Windows 10 supports mirroring DNS request traffic to all other network cards to accelerate DNS resolution, so the illegal external connection detection device 1 deployed in the intranet can, on the basis of this DNS mirroring characteristic, acquire the DNS traffic sent by the device to be detected 2 (the DNS traffic described in this application is DNS request traffic).
It can be understood that each device to be detected 2 has a network card on the intranet, and the illegal external connection detection device 1 is communicatively connected with each device to be detected 2 and monitors the network links of each device to be detected 2. When a device to be detected 2 makes an illegal external connection over a wireless, Ethernet or mobile network, corresponding DNS traffic is generated, which the system mirrors onto the intranet network card, so that corresponding DNS traffic appears on the link to be detected; the illegal external connection detection device 1 can therefore monitor and analyze that DNS traffic to determine whether an illegal external connection has occurred.
Fig. 2 is a flowchart of a method for detecting an illegal external connection behavior according to an embodiment of the present invention, as shown in fig. 2, the method includes:
S10: monitoring DNS traffic generated on a link to be detected.
S11: analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected.
S12: determining whether the equipment to be detected has an illegal external connection behavior according to the external network domain name access behavior.
In this specific embodiment, the technical scheme provided by the invention does not require any client software to be deployed on the device to be detected 2. The illegal external connection detection device 1 directly monitors the DNS traffic on the link to be detected and analyzes it to obtain the external network domain name access behavior corresponding to the device to be detected 2, from which it can be determined whether an illegal external connection has occurred. It should be noted that the external network domain name access behavior refers to the behavioral characteristics exhibited when external network domain names are accessed. For example, after an external network domain name is accessed, its corresponding sub-domain name is accessed immediately afterwards; such behavior can be regarded as an external network domain name access behavior (the "external network domain name" in the "external network domain name access behavior" of step S11 is a generic term: anything regarded as an external network domain name counts, so for the external network domain name baidu.com, its sub-domain name a.baidu.com also belongs to the external network domain names). Therefore, whether the device to be detected 2 has an illegal external connection behavior is determined according to the external network domain name access situation of the device to be detected 2.
In this embodiment, when determining whether an illegal external connection behavior occurs according to the external network domain name access situation, if the external network domain name access behavior of a certain device to be detected is that, within a preset time length after accessing a certain external network domain name, it accesses a sub-domain name of that domain name, it is determined that the device to be detected is illegally connected externally. Those skilled in the art should note that accessing a certain external domain name means that DNS traffic is initiated for that domain name.
In this application, S12 may specifically include: determining whether an illegal external connection occurs according to the external network domain name access behavior within the preset time length. Of course, S12 may also specifically include: determining whether an illegal external connection occurs according to the type of external network domain name accessed.
In addition, determining whether an illegal external connection occurs according to the external network domain name access behavior within the preset time length may further include: when access to an external network domain name occurs, determining whether the equipment to be detected has an illegal external connection behavior according to whether the sub-domain name corresponding to that external network domain name is accessed within the preset time length after the external network domain name is accessed.
That is, when the device to be detected initiates a DNS request to a domain name server for a certain external network domain name, and within a preset time (for example, 3 s) after that DNS request a DNS request is initiated for a sub-domain name of that external network domain name, it can be considered that the device to be detected is able to reach the external network, that is, an illegal external connection behavior is occurring. The following explanation takes access to the external network domain name www.qq.com as an example:
when the device to be detected initiates a DNS request for the external network domain name www.qq.com, if the device can connect externally, the system will automatically initiate DNS queries for imgcache.qq.com and joke.qq.com within a short time, and after the user subsequently clicks a web link it may also go on to access ping form.qq.com, trace.qq.com, news.qq.com, and the like.
However, if the user cannot connect externally, then when the device initiates a DNS request for www.qq.com it neither receives a DNS response nor establishes a connection with an IP address from the DNS response, and so it cannot initiate DNS requests for sub-domain names such as imgcache.
Therefore, when access to a certain external network domain name is detected (that is, DNS request traffic for that domain name is detected) and access to its sub-domain name is initiated within the subsequent preset time (that is, a DNS request is initiated), this indicates that the user can successfully reach the external network and an illegal external connection is taking place.
Specifically, when access to an external network domain name occurs, if the sub-domain name corresponding to that domain name is accessed within the first preset time length, it is determined that the device to be detected 2 has an illegal external connection. If the sub-domain name is not accessed within the first preset time length but is accessed within the second preset time length, it is likewise determined that the device to be detected 2 has an illegal external connection, where the second preset time length is longer than the first preset time length.
In fact, judging by the first preset time length mainly detects whether the system automatically initiates access to the sub-domain name corresponding to the external network domain name once that domain name has been accessed. If the sub-domain name is not accessed within the first preset time length, the system has not performed the automatic sub-domain name access, and the user would then have to access the sub-domain name on their own; so if the sub-domain name corresponding to the external network domain name is accessed within the second preset time length, it is determined that an illegal external connection behavior has occurred on the device to be detected 2. It can be understood that a user accessing a sub-domain name on their own takes longer, which is why the second preset time length is longer than the first.
It should be noted that within the first preset time length it may be checked either whether a single sub-domain name access occurs or whether multiple consecutive sub-domain name accesses occur; when multiple consecutive accesses are required, an illegal external connection behavior is determined only if multiple consecutive sub-domain name accesses are detected. The access to the sub-domain name within the second preset time length may likewise be a single access or multiple consecutive accesses, which this application does not limit.
Besides, in addition to the above-mentioned determination of whether the illegal external connection occurs by referring to the access behaviors of the external network domain name and the external sub-domain name, when it is determined whether the equipment to be detected 2 has the illegal external connection according to the access behaviors of the external network domain names, if the access to the plurality of external network domain names occurs within the preset time period and at least two external network domain names in the plurality of external network domain names are different, it is determined that the illegal external connection occurs in the equipment to be detected.
That is, if a plurality of outer network domain names are accessed within a preset time period and different domain names exist in the plurality of outer network domain names, the illegal external connection can be considered to exist in the condition. For example, in the case of a user who can successfully access the network, when searching for the Tencent video, www.baidu.com will be accessed first, and then after a hundred degrees return result, v.qq.com will be accessed. Or when the user searches for some entertainment information in the network, the user can jump among a plurality of different domain names to view the related information in a short time. When the user can not successfully access the network, the user often finds that the user can not access the network after accessing a certain domain name, and can not initiate access to other domain names any more.
Therefore, in the present application, if a plurality of domain names are accessed within a short time and different domain names exist among them, it is considered that the external network can be successfully accessed, i.e. an illegal external connection exists. Further, those skilled in the art will note that the meaning of "different domain names" is broad: a "domain name" and one of its "sub-domain names" are also considered to be different domain names, i.e., "www.qq.com" and "imgcache.
In addition, whether the device 2 to be detected has illegal external connection or not can be determined according to the type of the accessed external network domain name.
This is because certain domain names are accessed only when the user is able to successfully access the network. For example, if the type of the accessed domain name is a mail server type, an illegal external connection is considered to exist, since, as a rule, anyone sending mail has first determined that the network is accessible.
In summary, the inventive concept of the present application is to obtain the external network domain name access behavior from the DNS request traffic and to infer from that behavior whether an illegal external connection occurs. It should be noted that, when the external network domain name access behavior corresponding to the device to be detected 2 is obtained, the DNS traffic is analyzed to obtain the feature data in it: each field in the DNS traffic is split during the analysis, and the feature data is extracted from the split fields, where the feature data includes the domain name information of the external network DNS request, the time frequency of the external network DNS request, the request type of the external network DNS request, and the association relationship between the domain names of the external network requests. After the feature data is obtained, the external network domain name access behavior corresponding to the device to be detected 2 is determined according to the feature data.
It can be understood that DNS traffic is not generated only when an illegal external connection occurs: DNS traffic is also generated when the device to be detected 2 uses the intranet, and some DNS traffic is generated automatically by the device itself. Therefore, when the illegal external connection detection device 1 acquires DNS traffic, it first determines whether the DNS traffic belongs to the device to be detected 2 before analyzing it, and after the DNS traffic is analyzed to obtain the feature data, the DNS traffic is filtered according to the feature data so that invalid data is removed.
Further, in order to avoid the leakage of important information caused by multiple illegal external connections of the user, when the number of times of detecting the illegal external connection behavior of the device to be detected 2 reaches the second preset number of times, the illegal external connection detection device 1 sends prompt information to a specified device (such as the device to be detected 2) so as to remind the user to stop the illegal external connection.
The method for detecting the illegal external connection behavior comprises the steps of monitoring DNS flow generated on a link to be detected, analyzing the monitored DNS flow to obtain an external network domain name access behavior corresponding to equipment to be detected, and determining whether the equipment to be detected has the illegal external connection behavior according to the external network domain name access behavior. Therefore, according to the technical scheme provided by the invention, client software does not need to be installed, DNS flow on a monitored link to be detected is directly used, the DNS flow is analyzed to obtain the corresponding domain name access behavior of the equipment to be detected, and finally whether the illegal external connection behavior occurs to the equipment to be detected is determined according to the domain name access behavior.
In a specific embodiment, after the extranet domain name access behavior corresponding to the device to be detected is obtained, whether the device to be detected has an illegal external connection behavior is determined according to the behavior characteristics of that extranet domain name access behavior.
Specifically, after the illegal external connection detection device records the DNS traffic generated on the link of the device to be detected while the device to be detected is in the running state, the monitored DNS traffic is analyzed to obtain the external network domain name access behavior corresponding to the device to be detected, and thus the access condition of the external network domain name corresponding to the DNS traffic is determined. The access condition of the external network domain name can be recorded in real time, that is, it is recorded continuously as long as the device to be detected is in the running state. Of course, the access condition of the intranet domain name within a preset time period may also be recorded: for example, while the device to be detected is in the running state, only the access information of the intranet domain name within 1 hour before the current time is retained as time passes, and the access information of the other time periods is removed, so that the storage space of the illegal external connection detection device is saved.
Where the device to be detected has accessed the external network domain name, the illegal external connection condition of the device to be detected is determined according to the access condition of the external network domain name within the preset time after that access occurs. Specifically, if the sub-domain name corresponding to the external network domain name is accessed within the first preset time, the device to be detected is determined to have an illegal external connection behavior. It can be understood that an external network domain name access by itself only indicates that a user accessed the main page corresponding to the external network domain name and does not establish whether an illegal external connection occurred; therefore, it is necessary to further determine whether a sub-domain name corresponding to the external network domain name is accessed. Certainly, if the external network domain name is not accessed, it is immediately determined that the device to be detected has no illegal external connection. For ease of understanding, an example is given below.
For example, the external network domain name is https://www.example.com/, and the sub-domain name corresponding to it is x.example.com. Where the device to be detected accesses the www.example.com homepage, it can only be stated that the user entered the website address, and it cannot be determined whether the access actually succeeded; that is, an illegal external connection behavior cannot be determined from the access to the external network domain name alone, and it is necessary to further determine the access state of the sub-domain name x.example.
Further, if the device to be detected has accessed the external network domain name but does not access the sub-domain name corresponding to it within the first preset time period, it is further judged whether the sub-domain name corresponding to the external network domain name is accessed within the second preset time period, and if so, the device to be detected is determined to have an illegal external connection behavior. If the external network domain name is not accessed, it is determined that no illegal external connection behavior occurs, and the process returns to continuously recording the external network domain name access condition of the device to be detected in the running state. For ease of understanding, an example is given below.
It will be appreciated that in particular implementations, when a user accesses the home page of an external network domain name, the system may automatically access the sub-domain name corresponding to the external network domain name. In this case, where the external network domain name access occurs, whether an illegal external connection occurs can be determined according to the access condition of the sub-domain name corresponding to the external network domain name within the first preset time after the external network domain name access occurs. In fact, when the system automatically accesses the sub-domain name, the time consumed is very short, for example 0.01 second. If the system does not automatically access the sub-domain name, the user has to access the sub-domain name corresponding to the external network domain name autonomously, and the time the user takes to decide which sub-domain name to access is relatively long; therefore, whether an illegal external connection behavior occurs can be determined according to whether the sub-domain name corresponding to the external network domain name is accessed within a second preset time, where the second preset time is longer than the first preset time.
That is to say, under the condition that the external network domain name access occurs, it is determined whether the sub-domain name corresponding to the external network domain name is accessed within a first preset time period, that is, it is determined whether the system automatically accesses the sub-domain name corresponding to the external network domain name, and if the sub-domain name is accessed, it is determined that an illegal external connection behavior occurs.
If the sub-domain name corresponding to the external network domain name is not accessed within the first preset time, it is determined whether it is accessed within the second preset time, that is, whether the user autonomously accesses the sub-domain name corresponding to the external network domain name when the system does not access it automatically, in order to determine whether the device to be detected has an illegal external connection. To make the technical solution of the present invention clearer to those skilled in the art, the following example is given.
For example, the external network domain name is https://www.example.com/, and the sub-domain name corresponding to it is x.example.com. Where the external network domain name https://www.example.com/ is accessed, that is, where the device to be detected accesses the www.example.com homepage, the device to be detected may automatically access a certain sub-domain name, or the user of the device to be detected may click the sub-domain name corresponding to the external network domain name to surf the internet. Therefore, the illegal external connection detection device needs to determine whether the device to be detected automatically accesses the sub-domain name x.example.com within a first preset time; for example, the first preset time is 0.01 second, and if the device to be detected accesses the sub-domain name x.example.com within 0.001 second, it can be determined that the device to be detected has an illegal external connection behavior.
If the x.example.com is not accessed, further determining whether the x.example.com is accessed within a second preset time, and if the x.example.com is accessed, determining that the user autonomously accesses the sub-domain name corresponding to the outer network domain name, namely determining that the device to be detected is in illegal external connection. For example, if the second preset time period is within 2 minutes, if the x.example.com is not visited within 0.01 seconds, but it is determined that the x.example.com is visited within 2 minutes, it can also be determined that the device to be detected has illegal external connection behavior. It should be noted that the time corresponding to the second preset time period may include the first preset time period, or may not include the first preset time period, which is not limited in this application.
It should be noted that, the access to the foreign domain name may be one time or may be continuous multiple times, which is not limited in this application. In addition, the access to the sub-domain name corresponding to the external domain name within the first preset time period or the second preset time period may be one time or may be continuous multiple times, which is not limited in this application.
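The two-window rule described above (home-page lookup, then a sub-domain lookup within the short first window or the longer second window, with the option of requiring several consecutive sub-domain lookups) can be expressed compactly over a time-ordered list of DNS queries. The following is an added illustration written for this page, not code from the patent or from Sangfor; it assumes that an external network domain name is identified by its last two labels, that the bare domain or its "www." host is the home page, that any other host under it is a corresponding sub-domain name, and that the second window includes the first. The query list, addresses and times are constructed.

```python
"""Two-window sub-domain rule over a constructed DNS query list (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DnsQuery:
    ts: float    # query time in seconds on a relative clock (constructed)
    src: str     # address of the device that issued the query
    qname: str   # queried host name


def _labels(host: str) -> List[str]:
    return host.lower().rstrip(".").split(".")


def registrable_domain(host: str) -> str:
    # Assumption: the external network domain name is the last two labels
    # (example.com). Production code would consult the public suffix list so
    # that names such as example.co.uk are handled correctly.
    return ".".join(_labels(host)[-2:])


def is_main_page(host: str) -> bool:
    # "example.com" or "www.example.com" counts as access to the domain's home page.
    labels = _labels(host)
    return len(labels) == 2 or (len(labels) == 3 and labels[0] == "www")


def is_subdomain_of(host: str, domain: str) -> bool:
    h = host.lower().rstrip(".")
    return h.endswith("." + domain) and not is_main_page(h)


@dataclass(frozen=True)
class Detection:
    src: str
    domain: str
    subdomain: str
    window: str   # "first": automatic asset load; "second": user-driven access


def detect_subdomain_rule(queries: Iterable[DnsQuery],
                          first_window: float = 0.01,
                          second_window: float = 120.0,
                          min_hits: int = 1) -> List[Detection]:
    """Flag a device when a home-page lookup is followed by a lookup of a
    sub-domain name of the same domain within the first window (system
    automatic) or, failing that, within the longer second window (user
    driven). min_hits > 1 requires that many consecutive sub-domain lookups."""
    if second_window <= first_window:
        raise ValueError("second window must be longer than the first")
    by_src: Dict[str, List[DnsQuery]] = {}
    for q in sorted(queries, key=lambda item: item.ts):
        by_src.setdefault(q.src, []).append(q)

    found: List[Detection] = []
    for src, qs in by_src.items():
        for i, q in enumerate(qs):
            if not is_main_page(q.qname):
                continue
            domain = registrable_domain(q.qname)
            first_hits: List[str] = []
            second_hits: List[str] = []
            for later in qs[i + 1:]:
                dt = later.ts - q.ts
                if dt > second_window:
                    break                      # queries are time-sorted
                if not is_subdomain_of(later.qname, domain):
                    continue
                if dt <= first_window:
                    first_hits.append(later.qname)
                second_hits.append(later.qname)  # second window includes the first
            if len(first_hits) >= min_hits:
                found.append(Detection(src, domain, first_hits[0], "first"))
            elif len(second_hits) >= min_hits:
                found.append(Detection(src, domain, second_hits[0], "second"))
    return found


# Constructed sample: one automatic asset load, one user click, one bare home-page hit.
SAMPLE_QUERIES = [
    DnsQuery(0.000, "10.0.0.5", "www.example.com"),
    DnsQuery(0.004, "10.0.0.5", "x.example.com"),     # within 0.01 s: first window
    DnsQuery(10.0, "10.0.0.7", "www.example.net"),
    DnsQuery(70.0, "10.0.0.7", "mail.example.net"),   # 60 s later: second window
    DnsQuery(200.0, "10.0.0.9", "www.example.org"),   # no sub-domain follows: not flagged
]

if __name__ == "__main__":
    for d in detect_subdomain_rule(SAMPLE_QUERIES):
        print(f"{d.src}: {d.domain} -> {d.subdomain} ({d.window} window)")
```

Run as a script, the sample flags 10.0.0.5 in the first window and 10.0.0.7 in the second, and leaves 10.0.0.9 alone; raising `min_hits` to 2 flags nothing, since each device made only one sub-domain lookup.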
According to the detection method for the illegal external connection behavior provided by the embodiment of the invention, no client software needs to be installed: the illegal external connection detection device monitors the DNS traffic on the link to be detected, analyzes the obtained DNS traffic to obtain the corresponding external network domain name access behavior, i.e. the access condition of the external network domain name and its corresponding sub-domain name, and determines whether the device to be detected has an illegal external connection according to that behavior. Where the external network domain name is accessed, if the sub-domain name corresponding to it is accessed within a first preset time, the device to be detected is determined to have an illegal external connection behavior; otherwise it is further judged whether the sub-domain name corresponding to the external network domain name is accessed within a second preset time, which is longer than the first preset time, and if so, the device to be detected is likewise determined to have an illegal external connection behavior. Therefore, whether the device to be detected has an illegal external connection behavior is determined from the external network domain name access behavior, the low efficiency and low accuracy of detecting illegal external connections by data interaction between a sending device and a receiving device are avoided, and network security is improved.
In specific implementation, after the monitored DNS traffic is analyzed to obtain the external network domain name access behavior within a preset time, determining whether the device to be detected has an illegal external connection behavior according to that access behavior comprises determining whether a plurality of external network domain names are accessed within the preset time, at least two of which are different.
It can be understood that, within the preset time, if it is determined that the device to be detected accesses a plurality of external network domain names and at least two of the external network domain names are different, it is characterized that the device to be detected accesses different external network domain names for a plurality of times within the preset time, and it can be determined that the device to be detected has an illegal external connection behavior.
It should be noted that, when the illegal external connection detection device acquires the DNS traffic, it must process and analyze the DNS traffic to determine whether the device to be detected has an illegal external connection. During processing, the DNS traffic is first analyzed to obtain the feature data in it, where the feature data comprises the domain name information of the external network DNS request, the time frequency of the external network DNS request, the request type of the external network DNS request and the association relation among the domain names of the external network requests. In fact, during analysis each field in the DNS traffic is split, the domain name information, time frequency, request type and association relation of the external network DNS requests are extracted from the split fields, and then the external network domain name access behavior corresponding to the device to be detected is determined from the feature data.
After each field in the DNS flow is divided and extracted to obtain the characteristic data in the DNS flow, the external network domain name access condition of the equipment to be detected can be determined according to the characteristic information, and finally whether illegal external connection occurs or not is determined based on the external network domain name access condition.
In addition, it should be noted that, in implementation, the illegal external connection detection device includes a DNS traffic monitoring unit, a DNS traffic processing unit, and an illegal external connection behavior determination unit. The DNS traffic monitoring unit is used for monitoring DNS traffic on a link to be detected, the DNS traffic processing unit is used for analyzing, filtering and the like the monitored DNS traffic, the processed DNS traffic is transmitted to the illegal external connection behavior determining unit, and the illegal external connection behavior determining unit determines whether illegal external connection behavior is generated according to the external network domain name access condition and the corresponding sub-domain name access condition.
In specific implementation, the illegal external connection detection device should not analyze DNS traffic generated by the internal network or DNS traffic generated by the device to be detected itself, since doing so lowers the efficiency of the illegal external connection determination and causes misjudgment that reduces the detection accuracy. Therefore, after the illegal external connection detection device monitors the DNS traffic on the link to be detected and analyzes it to obtain feature data such as the domain name information of the external network DNS request, the time frequency of the external network DNS request, the request type of the external network DNS request and the association relation among the external network request domain names, invalid data generated by the device to be detected is filtered out based on the extracted feature data, where the invalid data comprises the external network domain name access behavior corresponding to internal network DNS traffic and the external network domain name access behavior corresponding to DNS traffic generated by the device to be detected itself.
In order to further ensure the detection efficiency and accuracy, before the illegal external connection detection device analyzes the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected, the correspondence between the DNS traffic and the device to be detected is determined, that is, whether the obtained DNS traffic belongs to the device to be detected. If it does, the DNS traffic is analyzed; otherwise it is not analyzed and monitoring continues.
According to the detection method for the illegal external connection behaviors, provided by the embodiment of the invention, under the condition that client software is not installed, the monitored DNS flow is analyzed to obtain the external network domain name access behaviors, if the equipment to be detected accesses a plurality of external network domain names within the preset time length and at least two external network domain names in the plurality of external network domain names are different, the illegal external connection behaviors of the equipment to be detected are determined, the accuracy of illegal external connection detection is improved, and the network security is further improved. The embodiment provides another technical scheme for determining whether illegal external connection occurs according to the access behavior of the external network domain name.
In fact, for some special external network domain names, for example, some mailbox domain names, a successful network connection is often required before a DNS request can be initiated for the mailbox domain name. Therefore, according to the technical scheme provided by the embodiment of the application, when whether the illegal external connection behavior occurs to the equipment to be detected is determined according to the external network domain name access behavior, whether the illegal external connection behavior occurs is determined according to the type of the accessed external network domain name under the condition that the external network domain name is determined to be accessed.
According to the detection method for the illegal external connection behaviors, provided by the embodiment of the invention, when the illegal external connection behaviors of the equipment to be detected are determined through the external network domain name access behaviors, under the condition that the external network domain name access occurs, whether the illegal external connection behaviors of the equipment to be detected occur is determined according to the type of the external network domain name, so that the detection efficiency and accuracy of the illegal external connection behaviors are improved.
In specific implementation, in order to avoid the leakage of important network information caused by multiple illegal external connections of a user, after the illegal external connection behavior is determined, the times of illegal external connections of the equipment to be detected are accumulated, and if the times exceed the preset times, prompt information is sent to the specified equipment so as to remind the user of stopping the illegal external connection behavior. It should be noted that the illegal external connection behavior may be accumulated between each time the device to be detected is turned on and turned off, or may be accumulated for a preset time period, for example, for a time period within three days, or may be accumulated from the time when the first illegal external connection occurs, which is not limited in the present invention.
The detection method for the illegal external connection behaviors, provided by the embodiment of the invention, accumulates the illegal external connection behaviors, and sends prompt information to the equipment to be detected when the number of times of the illegal external connection behaviors reaches the preset number of times so as to remind a user to stop the illegal external connection, thereby improving the network security.
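The remaining pieces of the scheme described above fit together in one pipeline: splitting DNS records into feature data (domain name, time, request type, and the association between a domain name and its sub-domain names), keeping only traffic that belongs to a device to be detected, dropping intranet and self-generated lookups, applying the multiple-distinct-domain-names rule and the mail-server-type rule, and accumulating detections per device until the prompt threshold is reached. The following is an added illustration written for this page, not code from the patent or from Sangfor. The text log format, the monitored address, the intranet and self-generated name suffixes, the mail-host prefixes, and the 60-second window are all assumptions constructed for the example; names are compared as full hosts, so a domain name and one of its sub-domain names count as different, as the text states.

```python
"""DNS feature extraction, filtering, distinct-domain and mail-type rules, and
alert accumulation over constructed resolver log lines (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Constructed lines: "<UTC time> <source address> <query type> <query name>".
SAMPLE_LOG = """\
2024-01-01T10:00:00.000Z 10.0.0.5 A www.example.com
2024-01-01T10:00:00.500Z 10.0.0.5 A fileserver.corp.internal
2024-01-01T10:00:03.000Z 10.0.0.5 A v.example.net
2024-01-01T10:00:10.000Z 10.0.0.5 MX example.org
2024-01-01T10:00:12.000Z 10.0.0.5 A update.example-os.test
2024-01-01T10:00:20.000Z 192.168.1.40 A www.example.com
2024-01-01T10:00:21.000Z 192.168.1.40 A img.example.com
"""

MONITORED_DEVICES: Set[str] = {"10.0.0.5"}               # devices to be detected (constructed)
INTRANET_SUFFIXES = (".corp.internal", ".in-addr.arpa")   # intranet name space (constructed)
SELF_GENERATED_SUFFIXES = (".example-os.test",)           # device's own background lookups (constructed)
MAIL_HOST_PREFIXES = ("mail.", "smtp.", "imap.")          # hosts treated as mail-server type (assumption)


@dataclass(frozen=True)
class DnsFeature:
    ts: float          # query time, seconds since the Unix epoch
    src: str           # device that issued the query
    qtype: str         # request type, e.g. A or MX
    qname: str         # requested domain name
    registrable: str   # last two labels; links a domain name to its sub-domain names


def parse_dns_log(text: str) -> List[DnsFeature]:
    """Split each line into fields and extract the feature data, sorted by device and time."""
    feats: List[DnsFeature] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, src, qtype, qname = line.split()
        when = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        qname = qname.lower().rstrip(".")
        feats.append(DnsFeature(when.timestamp(), src, qtype.upper(), qname,
                                ".".join(qname.split(".")[-2:])))
    return sorted(feats, key=lambda f: (f.src, f.ts))


def filter_features(feats: Iterable[DnsFeature], monitored: Set[str]) -> List[DnsFeature]:
    """Keep only traffic that belongs to a device to be detected, then drop invalid
    data: intranet lookups and the device's own automatically generated lookups."""
    return [f for f in feats
            if f.src in monitored
            and not f.qname.endswith(INTRANET_SUFFIXES)
            and not f.qname.endswith(SELF_GENERATED_SUFFIXES)]


@dataclass(frozen=True)
class Alert:
    src: str
    rule: str
    detail: str


def _by_src(feats: Iterable[DnsFeature]) -> Dict[str, List[DnsFeature]]:
    groups: Dict[str, List[DnsFeature]] = {}
    for f in feats:
        groups.setdefault(f.src, []).append(f)
    return groups


def distinct_domain_rule(feats: Iterable[DnsFeature], window: float = 60.0,
                         min_distinct: int = 2) -> List[Alert]:
    """Flag a device that looks up at least min_distinct different names within one window."""
    hits: List[Alert] = []
    for src, fs in _by_src(feats).items():
        i = 0
        while i < len(fs):
            j = i
            while j < len(fs) and fs[j].ts - fs[i].ts <= window:
                j += 1
            names = {f.qname for f in fs[i:j]}
            if len(names) >= min_distinct:
                hits.append(Alert(src, "distinct-domains", ";".join(sorted(names))))
                i = j          # one burst of browsing is counted once
            else:
                i += 1
    return hits


def mail_type_rule(feats: Iterable[DnsFeature]) -> List[Alert]:
    """Flag access to a mail-server type domain name: an MX request or a mail host."""
    return [Alert(f.src, "mail-type", f"{f.qtype} {f.qname}") for f in feats
            if f.qtype == "MX" or f.qname.startswith(MAIL_HOST_PREFIXES)]


def run_rules(feats: Iterable[DnsFeature]) -> List[Alert]:
    feats = list(feats)
    return distinct_domain_rule(feats) + mail_type_rule(feats)


def devices_to_notify(alerts: Iterable[Alert], threshold: int = 3) -> List[str]:
    """Accumulate alerts per device; devices at or above the threshold get the prompt."""
    counts = Counter(a.src for a in alerts)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    alerts = run_rules(filter_features(parse_dns_log(SAMPLE_LOG), MONITORED_DEVICES))
    for a in alerts:
        print(f"{a.src} {a.rule}: {a.detail}")
    print("notify:", devices_to_notify(alerts, threshold=2))
```

On the sample, the lines from 192.168.1.40 are discarded because that address is not a device to be detected, and the intranet file server and the background update lookup are discarded as invalid data; the three remaining lookups from 10.0.0.5 trigger the distinct-domains rule once and the mail-type rule once, so the device reaches a prompt threshold of 2 but not of 3. The accumulation window (per power cycle, per preset period, or since the first detection) is left to the caller, which the text also leaves open.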
In the above embodiments, a method for detecting an illegal external connection behavior is described in detail, and the present application also provides embodiments corresponding to an illegal external connection behavior detection apparatus. It should be noted that the present application describes the embodiments of the apparatus portion from two perspectives, one is based on the functional module, and the other is based on the hardware structure.
Fig. 3 is a structural diagram of an apparatus for detecting an illegal external connection behavior according to an embodiment of the present invention. As shown in fig. 3, the apparatus includes:
a monitoring module 10, configured to monitor DNS traffic generated on a link to be detected;
an analysis module 11, configured to analyze the DNS traffic to obtain an external network domain name access behavior corresponding to the device to be detected;
a determining module 12, configured to determine whether the device to be detected has an illegal external connection behavior according to the external network domain name access behavior.
Since the embodiment of the apparatus portion and the embodiment of the method portion correspond to each other, please refer to the description of the embodiment of the method portion for the embodiment of the apparatus portion, and details are not repeated here.
The detection device for the illegal external connection behavior can be in the form of an image file, and the image file can be operated in the form of a container or a virtual machine after being executed, so that the detection method for the illegal external connection behavior is realized. Certainly, the method is not limited to the form of an image file, and some software forms that can implement the detection method for the illegal external connection behavior described in the present application are within the protection scope of the present application, for example, the method may also be a software module implemented in a hypervisor (virtual machine monitor) in a cloud computing platform.
The device for detecting the illegal external connection behavior comprises the steps of monitoring DNS flow generated on a link to be detected, analyzing the monitored DNS flow to obtain the external network domain name access behavior corresponding to equipment to be detected, and determining whether the equipment to be detected has the illegal external connection behavior according to the external network domain name access behavior. Therefore, according to the technical scheme provided by the invention, client software does not need to be installed, DNS flow on a monitored link to be detected is directly used, the DNS flow is analyzed to obtain the corresponding domain name access behavior of the equipment to be detected, and finally whether the illegal external connection behavior occurs to the equipment to be detected is determined according to the domain name access behavior.
Fig. 4 is a block diagram of an electronic device according to another embodiment of the present invention, and as shown in fig. 4, the electronic device includes: a memory 20 for storing a computer program;
a processor 21, configured to implement the steps of the method for detecting illegal external connection behavior as mentioned in the above embodiments when executing the computer program.
The electronic device provided by the embodiment may include, but is not limited to, a smart phone, a tablet computer, a notebook computer, or a desktop computer.
The processor 21 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 21 may be implemented in at least one hardware form of a Digital Signal Processor (DSP), a Field-Programmable Gate Array (FPGA), and a Programmable Logic Array (PLA). The processor 21 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, also called a Central Processing Unit (CPU), and the coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 21 may be integrated with a graphics processor (GPU), and the GPU is responsible for rendering and drawing the content to be displayed on the display screen. In some embodiments, the processor 21 may further include an Artificial Intelligence (AI) processor for processing computing operations related to machine learning.
The memory 20 may include one or more computer-readable storage media, which may be non-transitory. Memory 20 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In this embodiment, the memory 20 is at least used for storing the following computer program 201, wherein after being loaded and executed by the processor 21, the computer program can implement the relevant steps of the detection method for illegal external connection behavior disclosed in any one of the foregoing embodiments. In addition, the resources stored in the memory 20 may also include an operating system 202, data 203, and the like, and the storage manner may be a transient storage manner or a permanent storage manner. Operating system 202 may include, among others, Windows, Unix, Linux, and the like. Data 203 may include, but is not limited to, data involved in detection methods of illegal external connection behavior, and the like.
In some embodiments, the electronic device may further include a display 22, an input/output interface 23, a communication interface 24, a power supply 25, and a communication bus 26.
Those skilled in the art will appreciate that the configuration shown in fig. 4 is not intended to be limiting of electronic devices and may include more or fewer components than those shown.
The electronic device provided by the embodiment of the application comprises a memory and a processor, and when the processor executes a program stored in the memory, the following method can be realized: a detection method of illegal external connection behaviors.
According to the electronic equipment provided by the embodiment of the invention, client software does not need to be installed on the equipment to be detected, the electronic equipment directly obtains the external network domain name access behavior corresponding to the equipment to be detected through monitoring the DNS flow on the link to be detected, and finally determines whether the equipment to be detected has the illegal external connection behavior according to the external network domain name access behavior.
The electronic device described in this application may be an individual hardware device, or may be a cluster formed by a plurality of hardware devices, for example, the electronic device described in this application may be a cloud computing platform.
The cloud computing platform is a platform product which organizes a plurality of independent server physical hardware resources into pooled resources by adopting a virtualization technology, and can provide required resources and services for the outside.
The current cloud computing platform supports several service modes:
SaaS (Software as a Service): the cloud computing platform user does not need to purchase software, but rents the software deployed on the cloud computing platform, the user does not need to maintain the software, and a software service provider can manage and maintain the software in full rights;
PaaS (Platform as a Service): a cloud computing platform user (usually a software developer at this time) can build a new application on a framework provided by the cloud computing platform, or expand an existing application, and does not need to purchase a development, quality control or production server;
IaaS (Infrastructure as a Service): the cloud computing platform provides data centers, infrastructure hardware and software resources through the internet, and the cloud computing platform in the IaaS mode can provide servers, operating systems, disk storage, databases and/or information resources.
Finally, the application also provides a corresponding embodiment of the computer readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps as set forth in the above-mentioned method embodiments.
It is to be understood that if the method in the above embodiments is implemented in the form of software functional units and sold or used as a stand-alone product, it can be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium and executes all or part of the steps of the methods described in the embodiments of the present application, or all or part of the technical solutions. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The detailed description is given above of a method, an apparatus, an electronic device and a medium for detecting an illegal external connection behavior provided by the present application. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for detecting illegal external connection behaviors, characterized by comprising the following steps:
monitoring DNS traffic generated on a link to be detected;
parsing the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected;
and determining, according to the external network domain name access behavior, whether the device to be detected has an illegal external connection behavior.
2. The method for detecting illegal external connection behaviors according to claim 1, wherein the external network domain name access behavior comprises: access to an external network domain name within a preset time length;
correspondingly, parsing the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected comprises:
parsing the DNS traffic to obtain the external network domain name access behavior of the device to be detected within the preset time length.
3. The method for detecting illegal external connection behaviors according to claim 2, wherein determining, according to the external network domain name access behavior, whether the device to be detected has an illegal external connection behavior comprises:
in the case that an external network domain name is accessed, determining whether the device to be detected has an illegal external connection behavior according to whether a sub-domain name corresponding to the external network domain name is accessed within the preset time length after the external network domain name is accessed.
4. The method for detecting illegal external connection behaviors according to claim 3, wherein determining whether the device to be detected has an illegal external connection behavior according to whether the sub-domain name corresponding to the external network domain name is accessed within the preset time length after the external network domain name is accessed comprises:
if the sub-domain name corresponding to the external network domain name is accessed within a first preset time length, determining that the illegal external connection behavior has occurred on the device to be detected;
if the sub-domain name corresponding to the external network domain name is not accessed within the first preset time length but is accessed within a second preset time length, determining that the illegal external connection behavior has occurred on the device to be detected; wherein the second preset time length is greater than the first preset time length.
5. The method for detecting illegal external connection behaviors according to claim 2, wherein determining, according to the external network domain name access behavior, whether the device to be detected has an illegal external connection behavior comprises:
determining whether the device to be detected has an illegal external connection behavior according to whether a plurality of external network domain names, at least two of which are pairwise different, are accessed within the preset time length.
6. The method for detecting illegal external connection behaviors according to claim 1, wherein the external network domain name access behavior comprises: in the case that the external network is accessed, the type of the external network domain name accessed;
correspondingly, parsing the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected comprises:
parsing the DNS traffic to obtain, in the case that the external network is accessed, the type of the external network domain name accessed by the device to be detected;
correspondingly, determining, according to the external network domain name access behavior, whether the device to be detected has an illegal external connection behavior comprises:
determining whether the device to be detected has an illegal external connection behavior according to the type of the external network domain name accessed.
7. The method for detecting illegal external connection behaviors according to any one of claims 1 to 6, characterized by further comprising the following steps after determining that the illegal external connection behavior has occurred on the device to be detected:
accumulating the number of times the illegal external connection behavior has occurred;
and sending prompt information to a designated device when the number of times the illegal external connection behavior has occurred reaches a preset number.
8. A device for detecting illegal external connection behaviors, comprising:
a monitoring module for monitoring DNS traffic generated on a link to be detected;
a parsing module for parsing the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected;
and a determining module for determining, according to the external network domain name access behavior, whether the device to be detected has an illegal external connection behavior.
9. An electronic device, comprising a memory for storing a computer program;
and a processor for implementing the steps of the method for detecting illegal external connection behaviors according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, carries out the steps of the method for detecting illegal external connection behaviors according to any one of claims 1 to 7.
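As an added example (not code from the patent or from Sangfor), the following Python applies the decision rules of claims 1 to 5 and 7 to a constructed sample of DNS queries. The internal zone `corp.local`, the 5 s and 30 s windows, the alert threshold of 2 and the last-two-labels base-domain rule are all assumptions, since the claims leave the concrete values and the extranet classification open.

```python
from collections import defaultdict
# Constructed sample of DNS queries on the monitored link: (seconds, querying device, queried name).
SAMPLE_QUERIES = [
    (0.0, "10.0.0.5", "intranet.corp.local"),
    (1.0, "10.0.0.5", "example.com"),
    (3.0, "10.0.0.5", "www.example.com"),       # subdomain 2 s later: claim 4, first window
    (0.0, "10.0.0.7", "example.net"),
    (20.0, "10.0.0.7", "cdn.example.net"),      # subdomain 20 s later: claim 4, second window
    (0.0, "10.0.0.9", "example.org"),
    (2.0, "10.0.0.9", "example.net"),
    (4.0, "10.0.0.9", "example.com"),           # three distinct extranet domains: claim 5
    (0.0, "10.0.0.11", "intranet.corp.local"),  # intranet only: no extranet access
]
INTERNAL_SUFFIXES = ("corp.local",)  # assumed internal DNS zone (constructed)

def is_extranet(name):  # names are already lower-cased, no trailing dot
    return not any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)
def is_subdomain_of(name, domain):
    return name != domain and name.endswith("." + domain)
def base_domain(name):
    # Assumption: last two labels; a real deployment would consult the Public Suffix List.
    return ".".join(name.split(".")[-2:])

def parse_queries(records):
    """Claims 1-2: per device, the extranet names it queried, ordered by time."""
    per_device = defaultdict(list)
    for t, device, qname in records:
        accesses = per_device[device]  # register the device even if it never leaves the intranet
        qname = qname.lower().rstrip(".")  # DNS names are case-insensitive
        if is_extranet(qname):
            accesses.append((t, qname))
    return {d: sorted(a) for d, a in per_device.items()}

def subdomain_rule(accesses, first_window, second_window):
    """Claims 3-4: an extranet name followed by its subdomain; returns which window was hit."""
    for i, (t0, name) in enumerate(accesses):
        for t1, later in accesses[i + 1:]:
            if not is_subdomain_of(later, name):
                continue
            dt = t1 - t0
            if dt <= second_window:
                return "first" if dt <= first_window else "second"
            break  # accesses are time-sorted, so later hits are further away still
    return None

def distinct_domains_rule(accesses, window, min_distinct=2):
    """Claim 5: at least `min_distinct` pairwise different extranet domains inside one window."""
    return any(len({base_domain(n) for t1, n in accesses[i:] if t1 - t0 <= window}) >= min_distinct
               for i, (t0, _) in enumerate(accesses))

def evaluate(records, counts, first_window=5.0, second_window=30.0, threshold=2):
    """Claim 7: `counts` accumulates hits per device across calls; alert once `threshold` is reached."""
    verdicts, alerts = {}, []
    for device, accesses in parse_queries(records).items():
        hit = subdomain_rule(accesses, first_window, second_window)
        reasons = ["subdomain-within-%s-window" % hit] if hit else []
        if distinct_domains_rule(accesses, second_window):
            reasons.append("multiple-distinct-domains")
        verdicts[device] = reasons
        if reasons:
            counts[device] = counts.get(device, 0) + 1
            if counts[device] >= threshold:
                alerts.append(device)  # claim 7: send prompt information to the designated device
    return verdicts, alerts
```

Claim 6 (classification by the type of extranet domain name) is not modelled, because the page gives no type taxonomy to implement.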

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210711219.7A CN115051867B (en) 2022-06-22 2022-06-22 Illegal external connection behavior detection method and device, electronic equipment and medium

Publications (2)

Publication Number Publication Date
CN115051867A (en) 2022-09-13
CN115051867B CN115051867B (en) 2024-04-09

Family

ID=83163900

Country Status (1)

Country Link
CN (1) CN115051867B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116155549A (en) * 2022-12-23 2023-05-23 武汉雨滴科技有限公司 Terminal external connection detection method and device, electronic equipment and storage medium
CN116155549B (en) * 2022-12-23 2023-12-29 武汉雨滴科技有限公司 Terminal external connection detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant