CN115051867B - Illegal external connection behavior detection method and device, electronic equipment and medium - Google Patents

Info

Publication number: CN115051867B
Authority: CN (China)
Prior art keywords: domain name, external network, detected, network domain, external connection
Legal status: Active
Application number: CN202210711219.7A
Other languages: Chinese (zh)
Other versions: CN115051867A (en)
Inventors: 彭雷, 张志良
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202210711219.7A
Publication of CN115051867A
Application granted
Publication of CN115051867B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The application discloses a method, a device, electronic equipment and a medium for detecting illegal external connection behavior. The method comprises the steps of monitoring the DNS traffic generated on a link to be detected, analyzing that DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected, and determining from that access behavior whether the equipment to be detected has engaged in illegal external connection. No client software needs to be installed: the DNS traffic on the monitored link is analyzed to obtain the external network domain name access behavior of the equipment to be detected, and whether illegal external connection behavior has occurred is determined from that behavior. By contrast, illegal external connection detection that deploys a sending device and a receiving device can only establish that the equipment to be detected is in a network environment in which illegal external connection is possible, not whether illegal external connection behavior has actually occurred. The present scheme determines this directly, which improves detection efficiency and accuracy.

Description

Illegal external connection behavior detection method and device, electronic equipment and medium
Technical Field
The present invention relates to the field of computers, and in particular, to a method, an apparatus, an electronic device, and a medium for detecting illegal external connection behavior.
Background
With the continuous development of the internet, people pay more and more attention to network security, so maintaining it has become important. In settings such as government bodies and certain enterprises and institutions, in order to keep the network secure and to prevent confidential files and important information from being leaked, the network is divided into an intranet and the Internet, and the Internet surfing behavior of staff is detected and limited by prohibiting intranet hosts from connecting to the Internet.
Illegal external connection means that a device, without authorization, connects to a network it is not allowed to access (such as the internet) through a third-party internet access channel (for example, a private WIFI network, a mobile hotspot and the like).
At present, illegal external connection behavior is generally detected by installing client software on the detected device to obtain its real-time network access behavior and thereby judge whether it has connected illegally. Alternatively, a sending device and a receiving device are deployed on the intranet to be scanned and the extranet to be scanned respectively: the sending device sends a forged data packet to the detected device; if the detected device can access the Internet, it returns corresponding data to the receiving device, and on receiving that data the receiving device confirms the illegal external connection of the detected device.
Both modes have drawbacks. When client software is installed on the detected equipment, installation is costly, client software adapted to every operating system must be developed, implementation is difficult, and detection is impossible in scenarios where the client software cannot be installed. When a sending device and a receiving device are deployed, the method is only suited to certain specific network traffic (such as HTTP traffic), so its scope of application is small; moreover, it can only prove that the detected device is in a network environment in which illegal external connection is possible, not whether illegal external connection behavior has occurred, so detection of illegal behavior based on data responses has a narrow scope of application and cannot detect illegal external connection behavior in real time.
Therefore, widening the scope of illegal external connection detection and detecting such behavior in real time without installing client software is a problem to be solved by those skilled in the art.
Disclosure of Invention
The purpose of the application is to provide a method, a device, electronic equipment and a medium for detecting illegal external connection behavior. Without installing client software, the DNS traffic on a link to be detected is monitored and analyzed to obtain external network domain name access behavior, and whether illegal external connection behavior has occurred in the equipment to be detected is determined from that behavior. This avoids the narrow scope of application and the lack of real-time detection that come with deploying sending equipment and receiving equipment, and network security is further improved.
In order to solve the above technical problems, the present application provides a method for detecting illegal external connection behavior, including:
monitoring DNS traffic generated on a link to be detected;
analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected;
and determining whether illegal external connection behaviors occur to the equipment to be detected according to the external network domain name access behaviors.
Preferably, the external network domain name access behavior includes: the external network domain name access behavior within a preset duration;
correspondingly, the analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected includes:
and analyzing the DNS traffic to obtain the corresponding external network domain name access behavior of the equipment to be detected within the preset duration.
Preferably, the determining whether the device to be detected generates the illegal external connection behavior according to the external network domain name access behavior includes:
and under the condition that the external network domain name access occurs, determining whether the equipment to be detected has illegal external connection behavior according to whether the subdomain name corresponding to the external network domain name is accessed within the preset time period after the external network domain name is accessed.
Preferably, the determining whether the device to be detected has an illegal external connection behavior according to whether the sub-domain name corresponding to the external network domain name is accessed within the preset time period after the external network domain name is accessed includes:
If the subdomain name corresponding to the external network domain name is accessed within a first preset time period, determining that the illegal external connection behavior of the equipment to be detected occurs;
if the subdomain name corresponding to the external network domain name is not accessed within a first preset time period and the subdomain name corresponding to the external network domain name is accessed within a second preset time period, determining that the illegal external connection behavior of the equipment to be detected occurs; wherein the second preset time period is longer than the first preset time period.
Preferably, the determining whether the device to be detected generates the illegal external connection behavior according to the external network domain name access behavior includes:
and determining whether the equipment to be detected has illegal external connection behavior according to whether a plurality of external network domain names are accessed within the preset time length and at least two of the external network domain names are different from each other.
Preferably, the external network domain name access behavior includes: in case of accessing the external network, the type of the domain name of the external network accessed;
correspondingly, the analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected includes:
analyzing the DNS traffic to obtain the type of the external network domain name accessed when the device to be detected accesses the external network;
Correspondingly, the determining whether the device to be detected has illegal external connection behaviors according to the external network domain name access behaviors comprises:
and determining whether illegal external connection behaviors occur to the equipment to be detected according to the accessed external network domain name type.
Preferably, after determining that the device to be detected has engaged in illegal external connection, the method further comprises:
accumulating the number of occurrences of illegal external connection behavior;
and sending prompt information to the designated equipment when the number of occurrences of illegal external connection behavior reaches a preset number.
In order to solve the technical problem, the application further provides a detection device for illegal external connection behavior, which comprises:
the monitoring module is used for monitoring DNS traffic generated on the link to be detected;
the analysis module is used for analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected;
and the determining module is used for determining whether the equipment to be detected has illegal external connection behaviors according to the external network domain name access behaviors.
In order to solve the technical problem, the application also provides electronic equipment, which comprises a memory for storing a computer program;
and the processor is used for realizing the steps of the illegal external connection behavior detection method when executing the computer program.
In order to solve the above technical problem, the present application further provides a computer readable storage medium, where a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method for detecting illegal external connection behavior as described above.
The method for detecting illegal external connection behavior provided by the invention comprises the steps of monitoring the DNS traffic generated on a link to be detected, analyzing the monitored DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected, and determining from that access behavior whether the equipment to be detected has engaged in illegal external connection (the external network being a network that is not allowed to be accessed, such as the Internet). Under the technical scheme provided by the invention, therefore, no client software needs to be installed: the DNS traffic on the monitored link to be detected is used directly, it is analyzed to obtain the external network domain name access behavior corresponding to the equipment to be detected, and finally whether the equipment to be detected has engaged in illegal external connection behavior is determined from that behavior. By contrast, detection that deploys sending equipment and receiving equipment can only determine that the equipment to be detected is in a network environment in which illegal external connection is possible, not whether illegal external connection behavior has actually occurred.
In addition, the application also provides a detection device, electronic equipment and medium for illegal external connection behavior, which correspond to the detection method for illegal external connection behavior, and have the same effects.
Drawings
For a clearer description of the embodiments of the present application, the drawings needed in the embodiments are briefly described below. It is apparent that the drawings in the following description show only some embodiments of the present application, and that a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of a hardware architecture of a method for detecting illegal external connection behavior according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for detecting illegal external connection behavior according to an embodiment of the present invention;
Fig. 3 is a block diagram of a device for detecting illegal external connection behavior according to an embodiment of the present invention;
Fig. 4 is a block diagram of an electronic device according to another embodiment of the present invention.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, but not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments herein without making any inventive effort are intended to fall within the scope of the present application.
The core of the application is a method, a device, electronic equipment and a medium for detecting illegal external connection behavior. They monitor Domain Name System (DNS) traffic on a link to be detected and analyze that traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected, and determine from that behavior whether the equipment to be detected has engaged in illegal external connection. This avoids the high cost of installing client software, widens the scope of application, avoids the narrow scope of application and the inability to detect illegal external connection behavior while it is occurring that come with deploying sending equipment and receiving equipment, and further improves network security.
In order to provide a better understanding of the present application, it is described below in further detail with reference to the drawings and the detailed description.
Illegal external connection means that a device, without authorization, connects to a network it is forbidden to access (such as the internet) through a third-party internet access channel (for example, a private WIFI network, a mobile hotspot and the like). With the continuous development of the internet, people pay more and more attention to the security of network information. In government units and many enterprises, in order to avoid leakage of confidential information, networks are generally divided into networks that may be accessed (the intranet) and networks that may not be accessed (the extranet, such as the internet), and internet surfing behavior is monitored and limited by prohibiting staff from connecting to the extranet through an intranet host, which improves the security of network information. Detecting whether illegal external connection has occurred in equipment to be detected has therefore become very important.
At present, illegal external connection behavior is generally detected by installing client software on the detected device to obtain its real-time network access behavior and thereby judge whether it has connected illegally. Alternatively, a sending device and a receiving device are deployed on the intranet to be scanned and the extranet to be scanned respectively: the sending device sends a forged data packet to the detected device; if the detected device can access the Internet, it returns corresponding data to the receiving device, and on receiving that data the receiving device confirms the illegal external connection of the detected device.
Both modes have drawbacks. When client software is installed on the detected equipment, installation is costly, client software suited to every operating system must be developed, implementation is difficult, and detection is impossible in scenarios where the client software cannot be installed. When a transmitting device and a receiving device are deployed, the method is only suited to certain specific network traffic (such as HTTP traffic), so its scope of application is small; moreover, it can only prove that the detected device is in a network environment in which illegal external connection is possible, not whether illegal external connection behavior has occurred, so detection of illegal behavior based on data responses is inefficient and its results are inaccurate.
In order to improve the accuracy of detecting illegal external connection behavior without installing client software, the invention provides a method for detecting illegal external connection behavior that comprises monitoring the Domain Name System (DNS) traffic generated on a link to be detected, analyzing that DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected, and finally determining from that behavior whether the equipment to be detected has engaged in external connection. To aid understanding, a hardware architecture to which the technical solution provided by the invention applies is described with reference to Fig. 1. As shown in Fig. 1, an illegal external connection detection device 1 is communicatively connected to a plurality of devices to be detected 2. When any one of the devices to be detected 2 engages in illegal external connection, that device generates DNS traffic; when the illegal external connection detection device 1 detects this DNS traffic, it resolves it to obtain the external network domain name access behavior and determines from that behavior which target device is engaging in illegal external connection. It should be noted that the illegal external connection detection device 1 may be the same computer as the device to be detected 2, or may be any electronic device in which a program for detecting illegal external connection behavior is stored, for example a mobile phone or a tablet.
As shown in Fig. 1, the illegal external connection detection device 1 may be deployed in the intranet accessible to the client. When the device to be detected 2 accesses an external network to which access is prohibited (such as the internet), its DNS request traffic may be sent through the "other network card" in Fig. 1. A PC running Windows 10, however, mirrors DNS request traffic to all of its other network cards in order to speed up DNS resolution. The present application relies on this DNS mirroring feature, so that the illegal external connection detection device 1 deployed in the intranet can obtain the DNS traffic sent by the device to be detected 2 (in the present application, DNS traffic means DNS request traffic).
It can be understood that each device to be detected 2 has a network card on the intranet and that the illegal external connection detection device 1 is communicatively connected to each of them, so the illegal external connection detection device 1 has a link to be detected on the network of each device to be detected 2. When the device to be detected 2 uses a wireless network, Ethernet or a mobile network to connect externally without authorization, corresponding DNS traffic is generated and mirrored onto the intranet network card, so the same DNS traffic appears on the link to be detected. The illegal external connection detection device 1 can therefore monitor that DNS traffic and analyze it to determine whether illegal external connection has occurred.
Fig. 2 is a flowchart of a method for detecting illegal external connection behavior according to an embodiment of the present invention, as shown in fig. 2, where the method includes:
S10: monitoring the DNS traffic generated on the link to be detected.
S11: and analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the equipment to be detected.
S12: and determining whether illegal external connection behaviors occur to the equipment to be detected according to the external network domain name access behaviors.
In a specific embodiment, the technical scheme provided by the invention does not deploy any client software in the device to be detected 2. The illegal external connection detection device 1 monitors the DNS traffic on the link to be detected directly, analyzes the monitored DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected 2, and determines from that behavior whether illegal external connection has occurred. For example, if immediately after an external network domain name is accessed a sub-domain name of that external network domain name is also accessed, this behavior may be regarded as external network domain name access behavior. (In the "external network domain name access behavior" of step S11, "external network domain name" is a general term: if baidu.com is an external network domain name, then its sub-domain name a.baidu.com also belongs to the external network domain names.) Therefore, whether the device to be detected 2 has engaged in illegal external connection behavior is determined from the external network domain name access situation of the device to be detected 2.
In an embodiment, when determining whether illegal external connection behavior has occurred from the external network domain name access situation, a device to be detected is considered to have connected externally without authorization if its external network domain name access behavior is as follows: after accessing a certain external network domain name, it accesses a sub-domain name of that external network domain name within a preset time period. Those skilled in the art should note that accessing an external network domain name means initiating DNS traffic based on that external network domain name.
In this application, S12 may specifically include: and determining whether illegal external connection occurs according to the external network domain name access behavior within the preset duration. Of course, S12 may specifically further include: and determining whether illegal external connection occurs according to the type of the accessed external network domain name.
In addition, "determining whether illegal external connection occurs according to external network domain name access behavior within a preset duration" may further include: and under the condition that the external network domain name is accessed, determining whether the equipment to be detected has illegal external connection according to whether the subdomain name corresponding to the external network domain name is accessed within the preset time period after the external network domain name is accessed.
That is, when the device to be detected initiates a DNS request for an external network domain name and, within a preset period (for example, 3 s) after that request, initiates a DNS request for a sub-domain name of that external network domain name, the device to be detected can to a certain extent be considered able to access the external network successfully, that is, illegal external connection is occurring. This is explained below taking access to the external domain name www.qq.com as an example:
When the device to be detected initiates a DNS request for www.qq.com and is able to connect externally, the system automatically initiates DNS queries for imgcche.qq.com and joke.qq.com within a short time, and after the user subsequently clicks a web page link the system may go on to access pin core.qq.com, trace.qq.com, news.qq.com and the like.
If, however, the user cannot connect externally, then after the device initiates a DNS request for www.qq.com it either receives no DNS response or cannot establish a connection to the IP address in the DNS response, so it does not initiate DNS requests for sub-domain names such as imgcche.qq.com.
Therefore, when the application detects that a certain external network domain name is accessed (that is, that DNS request traffic is initiated for that external network domain name) and that its sub-domain name is then accessed (that is, a DNS request is initiated for it) within a subsequent preset duration, this indicates that the user can access the external network successfully and that illegal external connection is taking place.
Specifically, under the condition that the external network domain name access occurs, if the sub domain name corresponding to the external network domain name is accessed within a first preset duration, it is determined that illegal external connection occurs to the device to be detected 2. If the sub-domain name corresponding to the external network domain name is not accessed within the first preset time period and the sub-domain name corresponding to the external network domain name is accessed within the second preset time period, determining that illegal external connection occurs to the equipment 2 to be detected, wherein the second preset time period is longer than the first preset time period.
The judgement based on the first preset duration is mainly intended to detect whether, once the external network domain name has been accessed, the system automatically initiates access to a sub-domain name of that external network domain name; it can be understood that the time the system takes to access the sub-domain name automatically is very short. If no sub-domain name of the external network domain name is accessed within the first preset duration, the system has not automatically accessed a sub-domain name, and the user usually has to access a sub-domain name on their own, so if a sub-domain name of the external network domain name is accessed within the second preset duration it is determined that illegal external connection behavior has occurred in the device to be detected 2. It can be appreciated that a user accessing a sub-domain name on their own takes longer, so the second preset duration is longer than the first preset duration.
It should be noted that, in the first preset duration, when the access to the sub domain name corresponding to the external network domain name is detected, whether the sub domain name access occurs once or not may be detected, or whether the sub domain name access occurs continuously and repeatedly may be detected, if the sub domain name is detected to be continuously and repeatedly accessed, illegal external connection behavior may be considered to occur. Of course, the access to the sub domain name corresponding to the external network domain name within the second preset duration may also be one time or multiple times continuously.
In addition, in addition to determining whether illegal external connection occurs by referring to the external network domain name and the access behaviors of the external network sub domain name, when determining whether illegal external connection occurs to the device 2 to be detected according to the access behaviors of the external network domain name, if access to a plurality of external network domain names occurs within a preset time period, and at least two external network domain names in the plurality of external network domain names are different, determining that illegal external connection occurs to the device to be detected.
That is, if a plurality of external network domain names are accessed within a preset time period and different domain names exist in the plurality of external network domain names, illegal external connection can be considered to exist in the case. For example, in the case where the user is able to successfully access the network, if the vacation video is searched, it will typically access www.baidu.com first, and then after hundred degrees of return, the vacation video v.qq.com. Or when the network searches some entertainment information, the user can jump among a plurality of different domain names to view related information in a short time. When the user cannot successfully access the network, the user often finds that the network cannot be accessed after accessing a certain domain name, and does not continue to initiate access to other domain names.
Therefore, in the present application, if a plurality of domain names are accessed in a short time, and different domain names exist in the plurality of domain names, it is considered that the external network can be successfully accessed, that is, illegal external connection exists. Furthermore, those skilled in the art will note that the meaning of "different domain names" as described herein is broader, and for the case of "domain name" and "sub domain name" it is also considered to belong to different domain names, i.e. "www.qq.com" and "imgcche" are also considered to belong to different domain names.
In addition, whether illegal external connection of the device 2 to be detected occurs can be determined according to the type of the accessed external network domain name.
This is because a user initiates access to certain domain names only when the network can be accessed successfully; for example, if the type of the accessed domain name is a mail server type, illegal external connection is considered to exist. The reason is that, typically, when a person sends mail, it is already established that the network is accessible.
In summary, the inventive concept of the present application is: the access behavior of the external network domain name is obtained through the DNS request traffic, and whether illegal external connection occurs is predicted from that behavior. It is noted that, when the external network domain name access behavior corresponding to the device 2 to be detected is obtained, the DNS traffic is parsed to obtain feature data in the DNS traffic: each field in the DNS traffic is divided during parsing, and the feature data corresponding to the DNS traffic is extracted from the divided fields, where the feature data includes the domain name information of the external network DNS request, the time frequency of the external network DNS request, the request type of the external network DNS request, and the association relation between the domain names of the external network requests. After the feature data are obtained, the external network domain name access behavior corresponding to the device 2 to be detected is determined according to the feature data.
It can be understood that corresponding DNS traffic is generated not only when illegal external connection occurs: DNS traffic is also generated when the device 2 to be detected uses the intranet, and some DNS traffic is generated automatically. Therefore, when the detection device 1 obtains DNS traffic, it first determines whether the obtained DNS traffic belongs to the device 2 to be detected before analyzing it, and after the DNS traffic is parsed to obtain the characteristic data in it, the DNS traffic needs to be filtered according to the characteristic data so as to remove invalid data.
Further, in order to avoid leakage of important information caused by repeated illegal external connection by the user, when the number of times that illegal external connection behavior of the device 2 to be detected is detected reaches the second preset number of times, the illegal external connection detection device 1 sends a prompt message to a designated device (such as the device 2 to be detected) to remind the user to stop the illegal external connection.
The method for detecting illegal external connection behavior provided by the embodiment of the invention comprises the steps of monitoring DNS traffic generated on a link to be detected, analyzing the monitored DNS traffic to obtain external network domain name access behavior corresponding to equipment to be detected, and determining whether the equipment to be detected has illegal external connection behavior according to the external network domain name access behavior. Therefore, the technical scheme provided by the invention does not need to install client software, directly obtains the external network domain name access behavior corresponding to the equipment to be detected through the monitored DNS traffic on the link to be detected, and finally determines whether the equipment to be detected has illegal external connection behavior according to the external network domain name access behavior.
In a specific embodiment, after the external network domain name access behavior corresponding to the device to be detected is obtained, whether the device to be detected has illegal external connection behavior is determined according to the behavior characteristics exhibited by that access behavior when the external network domain name is accessed.
Specifically, while the device to be detected is in the running state, the illegal external connection detection device monitors the DNS traffic generated on the link of the device to be detected, and then analyzes the monitored DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected, so that the access condition of the external network domain name corresponding to the DNS traffic is determined and recorded. The access condition of the external network domain name can be recorded in real time, that is, whenever the device to be detected is in the running state, the access condition of the external network domain name is recorded continuously. Of course, the access condition of the external network domain name of the device to be detected may also be recorded only for a preset time period; for example, when the device to be detected is in the running state, only the access information of the external network domain name within 1 hour before the current time is retained as time passes, and the access information of the external network domain name from other time periods is cleared, so that the storage space of the illegal external connection detection device is saved.
When the device to be detected has accessed the external network domain name, the illegal external connection condition of the device to be detected is determined according to the access condition of the external network domain name within a preset time after the external network domain name is accessed. In the case that the device to be detected accesses the external network domain name, if the sub domain name corresponding to the external network domain name is accessed within the first preset duration, it is determined that illegal external connection of the device to be detected has occurred. It will be appreciated that when an external network domain name access occurs, this generally only indicates that the user has accessed the homepage corresponding to the external network domain name, and it cannot yet be determined whether an illegal external connection has occurred; therefore, it is necessary to further determine whether the sub-domain name corresponding to the external network domain name has been accessed in order to determine whether illegal external connection behavior occurs. Of course, if the external network domain name is not accessed at all, it is immediately determined that illegal external connection of the device to be detected has not occurred. For ease of understanding, an example follows.
For example, the external network domain name is https://www.example.com/, and the sub-domain name corresponding to the external network domain name is x.example. In the case that the device to be detected accesses the www.example.com homepage, this only shows that the user has entered the website, and it cannot be determined whether the access actually succeeded; that is, whether illegal external connection has occurred cannot be determined from the access to the external network domain name alone. It is necessary to further determine the access state of the sub domain name x.example.com within the first preset duration, for example within 0.001 seconds, and if it is determined that the device to be detected accesses x.example.com, it is determined that illegal external connection has occurred on the device to be detected.
Further, if the device to be detected does not access the sub-domain name corresponding to the external network domain name within the first preset duration after the external network domain name access occurs, it is further judged whether the sub-domain name corresponding to the external network domain name is accessed within the second preset duration, and if the sub-domain name is accessed within the second preset duration, illegal external connection behavior of the device to be detected is determined. Of course, if the sub-domain name is not accessed, it is determined that illegal external connection has not occurred, and the process returns to continuously recording the external network domain name access condition of the device to be detected in the running state. For ease of understanding, an example follows.
It will be appreciated that, in implementation, when a user accesses the homepage of an external network domain name, the system may automatically access the sub domain name corresponding to that external network domain name. At this time, once the external network domain name access occurs, whether illegal external connection occurs can be determined according to the access condition of the sub domain name corresponding to the external network domain name within a first preset time period after the external network domain name access occurs. In fact, when the system automatically accesses a sub-domain name, the time taken is very short, e.g., 0.01 seconds. If the system does not automatically access the sub-domain name corresponding to the external network domain name, the user is required to access it independently, and the user decides independently which sub-domain name corresponding to the external network domain name is accessed, which takes a relatively long time; therefore, whether illegal external connection has occurred can be determined according to whether the sub-domain name corresponding to the external network domain name is accessed within a second preset time period, wherein the second preset time period is longer than the first preset time period.
That is, under the condition that the external network domain name access occurs, whether the sub domain name corresponding to the external network domain name is accessed within the first preset time period is firstly determined, that is, whether the system automatically accesses the sub domain name corresponding to the external network domain name is firstly determined, and if the system accesses the sub domain name corresponding to the external network domain name, illegal external connection behavior is determined.
If the sub-domain name corresponding to the external network domain name is not accessed within the first preset duration, determining whether the sub-domain name corresponding to the external network domain name is accessed within the second preset duration, namely determining whether illegal external connection occurs to the equipment to be detected by determining whether the user accesses the sub-domain name corresponding to the external network domain name independently when the system does not access the sub-domain name corresponding to the external network domain name. In order to enable those skilled in the art to better understand the technical solutions of the present invention, the following description will be given by way of example.
For example, the external network domain name is https://www.example.com/, and the sub-domain name corresponding to the external network domain name is x.example. When the external network domain name https://www.example.com/ is accessed, that is, on the premise that the device to be detected has accessed the www.example.com homepage, the device to be detected may automatically access a certain sub domain name, or the user of the device to be detected may click on a sub domain name corresponding to the external network domain name to surf the internet. Therefore, the illegal external connection detection device needs to determine whether the device to be detected automatically accesses the sub-domain name x.example.com within a first preset time period; for example, the first preset time period is 0.01 seconds, and if the device to be detected accesses the sub-domain name x.example.com within 0.001 seconds, illegal external connection behavior of the device to be detected can be determined.
If x.example.com is not accessed, it is further determined whether x.example.com is accessed within a second preset time period, and if it is accessed, it is determined that the user has accessed the sub-domain name corresponding to the external network domain name autonomously, so that illegal external connection of the device to be detected is determined. For example, if the second preset duration is 2 minutes, and x.example.com is not accessed within 0.01 seconds but is accessed within 2 minutes, it can be determined that the device to be detected has an illegal external connection. It should be noted that the time corresponding to the second preset duration may include the first preset duration or may not include it, which is not limited in this application.
It should be noted that the access to the external network domain name may be one time or may be multiple times in succession, which is not limited in this application. In addition, the access to the sub domain name corresponding to the external network domain name in the first preset duration or the second preset duration may be one time or may be continuous multiple times, which is not limited in this application.
According to the detection method for illegal external connection behavior, provided by the embodiment of the invention, no client software is required to be installed, the DNS traffic on the link to be detected is monitored through the illegal external connection detection equipment, after the DNS traffic is acquired, the DNS traffic is analyzed to obtain the corresponding external network domain name access behavior, namely the external network domain name and the access condition of the corresponding sub domain name are obtained, and whether the illegal external connection of the equipment to be detected occurs is determined according to the external network domain name access behavior. Under the condition that the external network domain name is accessed, if the subdomain name corresponding to the external network domain name is accessed within a first preset time, determining that illegal external connection behavior of the equipment to be detected occurs, otherwise, continuously judging whether the subdomain name corresponding to the external network domain name is accessed within a second preset time length, wherein the second preset time length is longer than the first preset time length, and if the subdomain name corresponding to the external network domain name is accessed within the second preset time length, determining that illegal external connection behavior of the equipment to be detected occurs. Therefore, whether illegal external connection behaviors occur to the equipment to be detected is determined according to the external network domain name access behaviors, low efficiency and low accuracy caused by detecting the illegal external connection behaviors by adopting data interaction of the sending equipment and the receiving equipment are avoided, and the safety of the network is further improved.
In specific implementation, after the monitored DNS traffic is analyzed to obtain the external network domain name access behavior within a preset duration, whether the device to be detected has illegal external connection behavior is determined according to that access behavior, namely according to whether a plurality of external network domain names are accessed within the preset duration, at least two of which are different.
It can be understood that if it is determined that the device to be detected accesses a plurality of external network domain names within the preset duration and at least two of the plurality of external network domain names are different, the device to be detected is characterized to access different external network domain names for a plurality of times within the preset duration, and illegal external connection behavior of the device to be detected can be determined.
When the illegal external connection detection device acquires the DNS traffic, the DNS traffic needs to be processed and analyzed to determine whether the device to be detected is illegally connected or not. When the DNS traffic is processed, the DNS traffic is firstly analyzed to obtain characteristic data in the DNS traffic, wherein the characteristic data comprises domain name information of the external network DNS requests, time frequency of the external network DNS requests, request types of the external network DNS requests and association relations among domain names of the external network requests. In fact, when the analysis is performed, the fields in the DNS traffic are divided, and domain name information of the external network DNS requests in the DNS traffic, time frequency of the external network DNS requests, request types of the external network DNS requests, association relations among the domain names of the external network requests and the like are extracted from the divided fields according to the division result, and then external network domain name access behaviors corresponding to the equipment to be detected are determined based on the feature data.
After dividing each field in the DNS traffic and extracting feature data in the DNS traffic, determining the access condition of the external network domain name of the equipment to be detected according to the feature information, and finally determining whether illegal external connection occurs or not based on the access condition of the external network domain name.
Furthermore, it is noted that in implementation, the illegal external connection detection device includes a DNS traffic monitoring unit, a DNS traffic processing unit, and an illegal external connection behavior determining unit. The DNS traffic monitoring unit is used for monitoring the DNS traffic on the link to be detected, the DNS traffic processing unit is used for carrying out processing such as analysis and filtration on the monitored DNS traffic, the processed DNS traffic is transmitted to the illegal external connection behavior determining unit, and the illegal external connection behavior determining unit determines whether illegal external connection behavior is generated according to the external network domain name access condition and the corresponding subdomain name access condition.
In specific implementation, if the illegal external connection detection device were to analyze the DNS traffic generated by the intranet or the DNS traffic generated automatically by the device to be detected, the efficiency of the illegal external connection determination would be low and misjudgment would reduce the detection accuracy. Therefore, after the illegal external connection detection device monitors the DNS traffic on the link to be detected and parses it to obtain characteristic data such as the domain name information of the external network DNS requests, the time frequency of the external network DNS requests, the request types of the external network DNS requests and the association relations among the external network request domain names, invalid data generated by the device to be detected are filtered out based on the extracted characteristic data, where the invalid data include external network domain name access behaviors corresponding to the intranet DNS traffic and external network domain name access behaviors corresponding to the DNS traffic generated automatically by the device to be detected.
In order to further ensure the detection efficiency and accuracy, before the illegal external connection detection device analyzes the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected, the correspondence between the DNS traffic and the device to be detected is determined, that is, whether the acquired DNS traffic belongs to the device to be detected; if it does, the DNS traffic is analyzed, otherwise it is not analyzed and monitoring of the DNS traffic continues.
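The following is an added example, not the patent's implementation, of the feature-extraction and filtering step described above: it splits the header and question fields of a captured DNS message, extracts the request name, request type and time, discards responses, malformed messages, traffic from unmonitored hosts and intranet or reverse-lookup names, and returns the remaining records as feature data. The intranet suffixes, monitored address and sample packets are constructed assumptions.

```python
"""DNS query feature extraction for the detection scheme described above.
Added example, not the patent's code; intranet suffixes and sample packets
are constructed assumptions."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Record types labelled by name; anything else is reported numerically.
QTYPE_NAMES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 28: "AAAA", 33: "SRV", 65: "HTTPS"}

# Assumption: names under these suffixes belong to the intranet and are not
# evidence of external connectivity.
INTRANET_SUFFIXES = (".corp.local", ".internal")


@dataclass(frozen=True)
class DnsFeature:
    """Characteristic data of one external DNS request."""
    ts: float      # capture timestamp in seconds
    src_ip: str    # device that issued the query
    qname: str     # requested domain name, lower case, no trailing dot
    qtype: str     # request type, e.g. "A" or "MX"
    txid: int      # DNS transaction id


def parse_qname(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode the label sequence at offset; returns (name, offset after it).
    Question names are never compressed, so a pointer is treated as malformed."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), offset


def parse_dns_query(msg: bytes, ts: float, src_ip: str) -> Optional[DnsFeature]:
    """Divide the header and question fields of a DNS message. Returns a
    DnsFeature for a standard query, None for a response (QR bit set),
    and raises ValueError for malformed input."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:
        return None
    if qdcount != 1:
        raise ValueError("unexpected question count %d" % qdcount)
    qname, off = parse_qname(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question section")
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return DnsFeature(ts, src_ip, qname, QTYPE_NAMES.get(qtype, str(qtype)), txid)


def is_external_name(qname: str) -> bool:
    """Drop intranet names, reverse lookups and single-label names."""
    if "." not in qname or qname.endswith(".arpa"):
        return False
    return not qname.endswith(INTRANET_SUFFIXES)


def extract_features(packets, monitored_devices) -> List[DnsFeature]:
    """packets: iterable of (ts, src_ip, raw DNS payload). Keeps only
    well-formed queries for external names issued by a monitored device."""
    features = []
    for ts, src_ip, raw in packets:
        if src_ip not in monitored_devices:   # other hosts' traffic is skipped
            continue
        try:
            feature = parse_dns_query(raw, ts, src_ip)
        except ValueError:
            continue                           # malformed: invalid data, dropped
        if feature is None or not is_external_name(feature.qname):
            continue
        features.append(feature)
    return features


def build_dns_message(txid: int, qname: str, qtype: int, response: bool = False) -> bytes:
    """Constructed sample input: encode a minimal DNS message for qname/qtype."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    sample = [  # constructed capture: (ts, src_ip, payload)
        (1.0, "10.0.0.5", build_dns_message(1, "www.example.com", 1)),
        (1.1, "10.0.0.5", build_dns_message(2, "fileserver.corp.local", 1)),
        (1.2, "10.0.0.7", build_dns_message(3, "www.example.org", 1)),
        (1.3, "10.0.0.5", build_dns_message(1, "www.example.com", 1, response=True)),
        (1.4, "10.0.0.5", b"\x12\x34\x01"),
    ]
    for f in extract_features(sample, {"10.0.0.5"}):
        print(f)
```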
According to the detection method for illegal external connection behavior, provided by the embodiment of the invention, under the condition that client software is not installed, the external network domain name access behavior is obtained by analyzing the monitored DNS traffic, if the fact that the equipment to be detected accesses a plurality of external network domain names within the preset time period is determined, and at least two external network domain names in the plurality of external network domain names are different, the illegal external connection behavior of the equipment to be detected is determined, the accuracy of illegal external connection detection is improved, and the network security is further improved. The embodiment provides another technical scheme for determining whether illegal external connection occurs according to the domain name access behavior of the external network.
In fact, for some special extranet domain names, e.g., some mailbox domain names, a successful connection to the network is often required to initiate DNS requests for the mailbox domain name. Therefore, in the technical scheme provided by the embodiment of the application, when determining whether the device to be detected has illegal external connection according to the external network domain name access behavior, determining whether the device to be detected has illegal external connection according to the type of the external network domain name access under the condition that the external network domain name is determined to be accessed.
According to the detection method for illegal external connection behavior, when the fact that whether the equipment to be detected has illegal external connection behavior is determined through the external network domain name access behavior, whether the equipment to be detected has illegal external connection behavior is determined according to the external network domain name type under the condition that the external network domain name access occurs, and detection efficiency and accuracy of the illegal external connection behavior are improved.
In a specific implementation, in order to avoid leakage of important network information caused by multiple illegal external connection of a user, after determining the illegal external connection behavior, the number of times that each device to be detected is illegally connected is accumulated, and if the number of times exceeds a preset number of times, prompt information is sent to a designated device so as to remind the user to stop the illegal external connection behavior. It should be noted that the accumulation of illegal external connection actions may be performed between each time of starting up and shutting down the device to be detected, or may be performed by accumulating the times of a preset duration, for example, the times within three days, or may be performed from the moment of occurrence of the first illegal external connection, which is not limited by the present invention.
According to the detection method for illegal external connection behavior, which is provided by the embodiment of the invention, the illegal external connection behavior is accumulated, and when the number of times of illegal external connection behavior reaches the preset number of times, prompt information is sent to the equipment to be detected so as to remind a user to stop illegal external connection, so that the network security is improved.
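The following added example, not the patent's code, applies the decision rules described in the method embodiments above to a stream of external DNS query records: the sub domain name accessed within the first preset duration (automatic system access) or within the second, longer preset duration (user access), several different domain names within a preset time period, a mail-server type domain name, and the per-device count that triggers a prompt after a preset number of detections. The window sizes, mail-name prefixes, alert threshold and sample records are constructed assumptions.

```python
"""Decision logic for the external-connection rules described above.
Added example, not the patent's code; tunables and records are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DnsQuery:
    ts: float      # capture time in seconds
    device: str    # device to be detected, e.g. its intranet IP
    qname: str     # requested external domain name
    qtype: str     # request type: "A", "AAAA", "MX", ...


def normalize(name: str) -> str:
    return name.lower().rstrip(".")


def base_domain(name: str) -> str:
    """Registered domain of a name, approximated as its last two labels
    (assumption: a deployment would consult a public-suffix list)."""
    return ".".join(normalize(name).split(".")[-2:])


class ExternalConnectionDetector:
    def __init__(self, auto_window=0.01, user_window=120.0, multi_window=60.0,
                 alert_threshold=3,
                 mail_prefixes=("mail.", "smtp.", "imap.", "pop.", "pop3.")):
        self.auto_window = auto_window        # first preset duration (seconds)
        self.user_window = user_window        # second preset duration, longer
        self.multi_window = multi_window      # window for the "several domain names" rule
        self.alert_threshold = alert_threshold
        self.mail_prefixes = tuple(mail_prefixes)
        self._home = {}                       # (device, base) -> (ts, qname) of first access
        self._recent = defaultdict(list)      # device -> [(ts, qname)] inside multi_window
        self.counts = defaultdict(int)        # device -> number of detections
        self.alerts = []                      # devices that reached alert_threshold

    def observe(self, q: DnsQuery) -> List[str]:
        """Feed one query; returns the names of the rules it satisfied."""
        reasons = []
        name = normalize(q.qname)
        key = (q.device, base_domain(name))

        # Rules 1 and 2: a different host under an external domain whose
        # homepage was accessed within the second preset duration.
        first = self._home.get(key)
        if first is not None and q.ts - first[0] <= self.user_window:
            dt = q.ts - first[0]
            if name != first[1]:
                reasons.append("subdomain_auto" if dt <= self.auto_window
                               else "subdomain_user")
        else:
            self._home[key] = (q.ts, name)    # first access, or the old one expired

        # Rule 3: at least two different domain names within multi_window.
        # As in the text, a domain name and its sub domain name count as different.
        recent = self._recent[q.device]
        recent.append((q.ts, name))
        cutoff = q.ts - self.multi_window
        recent[:] = [(t, n) for t, n in recent if t >= cutoff]
        if len({n for _, n in recent}) >= 2:
            reasons.append("multiple_domains")

        # Rule 4: a mail-server type name (or an MX lookup) is only requested
        # once the network is reachable.
        if q.qtype.upper() == "MX" or name.startswith(self.mail_prefixes):
            reasons.append("mail_domain")

        if reasons:
            self.counts[q.device] += 1
            if self.counts[q.device] == self.alert_threshold:
                self.alerts.append(q.device)  # device that should receive the prompt
        return reasons


if __name__ == "__main__":
    det = ExternalConnectionDetector()
    # Constructed records: homepage, automatic sub domain access 5 ms later,
    # a user-driven sub domain access, then an unrelated domain name.
    for rec in [DnsQuery(100.0, "10.0.0.5", "www.example.com", "A"),
                DnsQuery(100.005, "10.0.0.5", "x.example.com", "A"),
                DnsQuery(100.5, "10.0.0.5", "news.example.com", "A"),
                DnsQuery(101.0, "10.0.0.5", "www.example.org", "A")]:
        print(rec.qname, det.observe(rec))
    print("prompt to:", det.alerts)
```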
In the above embodiments, the method for detecting the illegal external connection behavior is described in detail, and the application further provides a corresponding embodiment of the apparatus for detecting the illegal external connection behavior. It should be noted that the present application describes an embodiment of the device portion from two angles, one based on the angle of the functional module and the other based on the angle of the hardware structure.
Fig. 3 is a block diagram of a detection device for illegal external connection behavior according to an embodiment of the present invention, as shown in fig. 3, where the device includes:
the monitoring module 10, used for monitoring the DNS traffic generated on the link to be detected;
the analysis module 11, used for analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected;
the determining module 12, used for determining whether the device to be detected has illegal external connection according to the external network domain name access behavior.
Since the embodiments of the apparatus portion and the embodiments of the method portion correspond to each other, the embodiments of the apparatus portion are referred to the description of the embodiments of the method portion, and are not repeated herein.
The detection device of the illegal external connection behavior can take the form of an image file, and after the image file is executed it can run in the form of a container or a virtual machine so as to realize the detection method of the illegal external connection behavior. The device is not limited to the image file form; any software form capable of realizing the detection method of illegal external connection behavior described in the application falls within the protection scope of the application, for example, it can also be a software module realized in a hypervisor (virtual machine monitor) of a cloud computing platform.
The detection device for illegal external connection behavior provided by the embodiment of the invention comprises the steps of monitoring DNS traffic generated on a link to be detected, analyzing the monitored DNS traffic to obtain external network domain name access behavior corresponding to equipment to be detected, and determining whether the equipment to be detected has illegal external connection behavior according to the external network domain name access behavior. Therefore, the technical scheme provided by the invention does not need to install client software, directly obtains the external network domain name access behavior corresponding to the equipment to be detected through the monitored DNS traffic on the link to be detected, and finally determines whether the equipment to be detected has illegal external connection behavior according to the external network domain name access behavior.
Fig. 4 is a block diagram of an electronic device according to another embodiment of the present invention, and as shown in fig. 4, the electronic device includes: a memory 20 for storing a computer program;
The processor 21 is configured to implement the steps of the method for detecting illegal external connection behavior as mentioned in the above embodiment when executing the computer program.
The electronic device provided in this embodiment may include, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, or the like.
Processor 21 may include one or more processing cores, such as a 4-core processor, an 8-core processor, etc. The processor 21 may be implemented in hardware in at least one of a digital signal processor (Digital Signal Processor, abbreviated as DSP), a field programmable gate array (Field-Programmable Gate Array, abbreviated as FPGA), and a programmable logic array (Programmable Logic Array, abbreviated as PLA). The processor 21 may also include a main processor and a coprocessor, the main processor being a processor for processing data in an awake state, also referred to as a central processor (Central Processing Unit, CPU for short); a coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 21 may integrate a graphics processor (Graphics Processing Unit, GPU for short) for rendering and drawing the content to be shown on the display screen. In some embodiments, the processor 21 may also include an artificial intelligence (Artificial Intelligence, AI) processor for processing computing operations related to machine learning.
Memory 20 may include one or more computer-readable storage media, which may be non-transitory. Memory 20 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In this embodiment, the memory 20 is at least used for storing a computer program 201, which, after being loaded and executed by the processor 21, can implement the relevant steps of the illegal external connection behavior detection method disclosed in any of the foregoing embodiments. In addition, the resources stored in the memory 20 may further include an operating system 202, data 203, and the like, where the storage manner may be transient storage or permanent storage. The operating system 202 may include Windows, Unix, Linux, among others. The data 203 may include, but is not limited to, data involved in the detection method of illegal external connection behavior, and the like.
In some embodiments, the electronic device may further include a display 22, an input-output interface 23, a communication interface 24, a power supply 25, and a communication bus 26.
Those skilled in the art will appreciate that the structure shown in fig. 4 is not limiting of the electronic device and may include more or fewer components than shown.
The electronic device provided by this embodiment of the application comprises a memory and a processor; when the processor executes the program stored in the memory, it carries out the illegal external connection behavior detection method described above.
With the electronic device provided by this embodiment, no client software needs to be installed on the device to be detected. The electronic device obtains the external network domain name access behavior of the device to be detected directly from the DNS traffic monitored on the link to be detected, and then determines from that behavior whether the device has made an illegal external connection (an unauthorized connection from the isolated internal network to an external network such as the Internet).
The electronic device described in this application may be a single hardware device or a cluster of several hardware devices; for example, it may be a cloud computing platform.
A cloud computing platform uses virtualization to organize the physical hardware resources of many independent servers into a resource pool, from which the required resources and services are provided to users.
Current cloud computing platforms support several service models:
SaaS (Software as a Service): the platform user does not purchase the software but rents software deployed on the cloud computing platform; the user does not maintain the software, which is managed and maintained entirely by the software service provider;
PaaS (Platform as a Service): the platform user (typically a software developer) builds new applications, or extends existing ones, on the architecture provided by the cloud computing platform without purchasing development, quality control or production servers;
IaaS (Infrastructure as a Service): the cloud computing platform provides data centers and infrastructure hardware and software resources over the Internet; in the IaaS model it can supply servers, operating systems, disk storage, databases and/or information resources.
Finally, the present application also provides a corresponding embodiment of the computer readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when executed by a processor, performs the steps as described in the method embodiments above.
It will be appreciated that the methods of the above embodiments, if implemented as software functional units and sold or used as stand-alone products, may be stored on a computer-readable storage medium. With this understanding, the technical solution of the present application, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied as a software product stored in a storage medium that performs all or part of the steps of the method described in the various embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The method, device, electronic device and medium for detecting illegal external connection behavior provided by the present application have been described in detail above. In this description each embodiment is described progressively, each mainly in terms of its differences from the others, so the same or similar parts of the embodiments may be referred to between them. Since the device disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is comparatively brief and the relevant points can be found in the description of the method. It should be noted that those skilled in the art can make various improvements and modifications to the present application without departing from its principles, and such improvements and modifications fall within the scope of the claims of the present application.
It should also be noted that in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (9)

1. A method for detecting illegal external connection behavior, comprising the following steps:
monitoring DNS traffic generated on a link to be detected;
analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected, the external network domain name access behavior being the behavior characteristics exhibited when an external network domain name is accessed;
determining, according to the external network domain name access behavior, whether illegal external connection behavior has occurred on the device to be detected;
wherein determining, according to the external network domain name access behavior, whether illegal external connection behavior has occurred on the device to be detected comprises:
when an external network domain name is accessed, determining whether the device to be detected has made an illegal external connection according to whether a subdomain corresponding to the external network domain name is accessed within a preset time period after the external network domain name is accessed.
2. The method for detecting illegal external connection behavior according to claim 1, wherein the external network domain name access behavior comprises the external network domain name access behavior within a preset duration;
and correspondingly, analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected comprises:
analyzing the DNS traffic to obtain the external network domain name access behavior of the device to be detected within the preset duration.
3. The method for detecting illegal external connection behavior according to claim 2, wherein determining whether the device to be detected has made an illegal external connection according to whether the subdomain corresponding to the external network domain name is accessed within the preset time period after the external network domain name is accessed comprises:
if the subdomain corresponding to the external network domain name is accessed within a first preset time period, determining that illegal external connection behavior has occurred on the device to be detected;
if the subdomain corresponding to the external network domain name is not accessed within the first preset time period but is accessed within a second preset time period, determining that illegal external connection behavior has occurred on the device to be detected, wherein the second preset time period is longer than the first preset time period.
4. The method for detecting illegal external connection behavior according to claim 2, wherein determining whether the device to be detected has made an illegal external connection according to the external network domain name access behavior comprises:
determining whether illegal external connection behavior has occurred on the device to be detected according to whether a plurality of external network domain names, at least two of which differ from each other, are accessed within the preset duration.
5. The method for detecting illegal external connection behavior according to claim 1, wherein the external network domain name access behavior comprises the type of external network domain name accessed when the external network is accessed, the external network domain name type being a domain name whose lookup is only initiated once the network has been reached successfully;
correspondingly, analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected comprises:
analyzing the DNS traffic to obtain the type of external network domain name accessed by the device to be detected when the external network is accessed;
and correspondingly, determining whether illegal external connection behavior has occurred on the device to be detected according to the external network domain name access behavior comprises:
determining whether illegal external connection behavior has occurred on the device to be detected according to the type of external network domain name accessed.
6. The method for detecting illegal external connection behavior according to any one of claims 1 to 5, further comprising, after determining that illegal external connection behavior has occurred on the device to be detected:
accumulating the number of occurrences of illegal external connection behavior;
and sending prompt information to a designated device when the number of occurrences of illegal external connection behavior reaches a preset number.
7. A device for detecting illegal external connection behavior, comprising:
a monitoring module for monitoring DNS traffic generated on a link to be detected;
an analysis module for analyzing the DNS traffic to obtain the external network domain name access behavior corresponding to the device to be detected, the external network domain name access behavior being the behavior characteristics exhibited when an external network domain name is accessed;
a determining module for determining, according to the external network domain name access behavior, whether illegal external connection behavior has occurred on the device to be detected;
wherein the determining module is specifically configured to determine, when an external network domain name is accessed, whether illegal external connection behavior has occurred on the device to be detected according to whether a subdomain corresponding to the external network domain name is accessed within a preset duration after the external network domain name is accessed.
8. An electronic device, comprising a memory for storing a computer program;
and a processor for implementing the steps of the method for detecting illegal external connection behavior according to any one of claims 1 to 6 when executing the computer program.
9. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the method for detecting illegal external connection behavior according to any one of claims 1 to 6.
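The claims above state detection rules rather than an implementation, and the description notes that the approach needs no agent on the monitored device because it works from DNS queries seen on the link. The following Python is an added example, not code from the patent or from Sangfor: it applies the rules of claims 1, 3, 4 and 6 to a constructed DNS query log. The log format, the list of internal suffixes, the two time thresholds and the window, the alert count, the two-label approximation of a registrable domain, and the reading of "subdomain" as another name under the same registrable domain are all assumptions of this example. Claim 5 (domain types that are only looked up after a successful connection) is not implemented, since the page does not enumerate those types.

```python
"""Added example (not the patent's code): DNS heuristics of claims 1, 3, 4 and 6."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log, not real traffic. Assumed format, one query per line:
# "<epoch_seconds> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
1000 10.0.0.5 example.com
1003 10.0.0.5 www.example.com
1001 10.0.0.6 fileserver.corp.local
1090 10.0.0.7 example.net
1150 10.0.0.7 cdn.example.net
1200 10.0.0.8 example.org
1210 10.0.0.8 example.com
1212 10.0.0.8 www.example.com
1300 10.0.0.9 example.org
1400 10.0.0.9 img.example.org
"""

# Names under these suffixes are treated as internal (assumption for the example).
INTERNAL_SUFFIXES = ("corp.local", "local")


def parse_dns_log(text):
    """Parse the log into (timestamp, client_ip, qname) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, qname = line.split()
            records.append((float(ts), ip, qname.rstrip(".").lower()))
    return records


def is_external(qname):
    """A name is external unless it sits under one of the internal suffixes."""
    return not any(qname == s or qname.endswith("." + s) for s in INTERNAL_SUFFIXES)


def base_domain(qname):
    """Registrable domain, approximated as the last two labels
    (a production system would consult the Public Suffix List instead)."""
    return ".".join(qname.split(".")[-2:])


@dataclass
class Detector:
    t1: float = 10.0       # first preset period in seconds (assumed value)
    t2: float = 60.0       # second preset period, must exceed t1 (assumed value)
    window: float = 120.0  # preset duration for the multi-domain rule (assumed)
    alert_after: int = 2   # preset count before a prompt is sent (claim 6)

    def __post_init__(self):
        if self.t2 <= self.t1:
            raise ValueError("second preset period must be longer than the first")

    def analyse(self, records):
        """Return {client_ip: [finding, ...]} for clients showing signs of an
        illegal external connection; internal-only queries are ignored."""
        by_client = defaultdict(list)
        for ts, ip, qname in sorted(records):
            if is_external(qname):
                by_client[ip].append((ts, qname))
        findings = {}
        for ip, queries in by_client.items():
            hits = self._subdomain_rule(queries) + self._multi_domain_rule(queries)
            if hits:
                findings[ip] = hits
        return findings

    def _subdomain_rule(self, queries):
        """Claims 1 and 3: a lookup of another name under the same registrable
        domain within t1 (or, failing that, within t2) of the first lookup means
        the first access really reached the external network."""
        hits, reported = [], set()
        for i, (ts0, name0) in enumerate(queries):
            base = base_domain(name0)
            if base in reported:
                continue
            for ts, name in queries[i + 1:]:
                delta = ts - ts0
                if delta > self.t2:
                    break  # queries are time-ordered, nothing later can qualify
                if name != name0 and base_domain(name) == base:
                    period = "first" if delta <= self.t1 else "second"
                    hits.append(f"{name} followed {name0} after {delta:g}s ({period} preset period)")
                    reported.add(base)
                    break
        return hits

    def _multi_domain_rule(self, queries):
        """Claim 4: at least two distinct external domains inside one window."""
        for i, (ts0, _) in enumerate(queries):
            distinct = {base_domain(n) for ts, n in queries[i:] if ts - ts0 <= self.window}
            if len(distinct) >= 2:
                return [f"{len(distinct)} distinct external domains within {self.window:g}s"]
        return []

    def alerts(self, records):
        """Claim 6: count findings per client and report those reaching the preset count."""
        return {ip: len(hits) for ip, hits in self.analyse(records).items()
                if len(hits) >= self.alert_after}
```

With the constructed log, `Detector().analyse(parse_dns_log(SAMPLE_DNS_LOG))` flags 10.0.0.5 (subdomain within the first period), 10.0.0.7 (subdomain only within the second period) and 10.0.0.8 (both a subdomain hit and two distinct domains in one window); 10.0.0.6 queries only internal names and 10.0.0.9 resolves its subdomain too late, so neither is flagged, and only 10.0.0.8 reaches the alert count. In a real deployment the internal-suffix list and the thresholds would come from the monitored site's policy, and a lone DNS query with no follow-up is deliberately not treated as evidence, because an isolated host can still emit the query even though the connection never succeeds.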
CN202210711219.7A 2022-06-22 2022-06-22 Illegal external connection behavior detection method and device, electronic equipment and medium Active CN115051867B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210711219.7A CN115051867B (en) 2022-06-22 2022-06-22 Illegal external connection behavior detection method and device, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210711219.7A CN115051867B (en) 2022-06-22 2022-06-22 Illegal external connection behavior detection method and device, electronic equipment and medium

Publications (2)

Publication Number Publication Date
CN115051867A CN115051867A (en) 2022-09-13
CN115051867B true CN115051867B (en) 2024-04-09

Family

ID=83163900

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210711219.7A Active CN115051867B (en) 2022-06-22 2022-06-22 Illegal external connection behavior detection method and device, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN115051867B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116155549B (en) * 2022-12-23 2023-12-29 武汉雨滴科技有限公司 Terminal external connection detection method and device, electronic equipment and storage medium

Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6202158B1 (en) * 1997-04-11 2001-03-13 Hitachi, Ltd. Detection method of illegal access to computer system
CN1750480A (en) * 2005-09-29 2006-03-22 西安交大捷普网络科技有限公司 Method for detecting illegal external connection of intranet computers
JP2006120093A (en) * 2004-10-25 2006-05-11 Kyuden Business Solutions Co Inc Network connection method, network connection device and license management method using the network connection device
JP2006243878A (en) * 2005-03-01 2006-09-14 Matsushita Electric Ind Co Ltd Unauthorized access detection system
CN101257388A (en) * 2008-04-08 2008-09-03 华为技术有限公司 Illegal external connection detection method, apparatus and system
CN102025713A (en) * 2010-02-09 2011-04-20 中国移动通信集团北京有限公司 Access control method, system and DNS (Domain Name Server) server
CN102843445A (en) * 2012-09-29 2012-12-26 北京奇虎科技有限公司 Browser and domain name resolution method thereof
CN104113519A (en) * 2013-04-16 2014-10-22 阿里巴巴集团控股有限公司 Network attack detection method and device thereof
CN104967629A (en) * 2015-07-16 2015-10-07 网宿科技股份有限公司 Network attack detection method and apparatus
US9426171B1 (en) * 2014-09-29 2016-08-23 Amazon Technologies, Inc. Detecting network attacks based on network records
CN106302501A (en) * 2016-08-27 2017-01-04 浙江远望信息股份有限公司 Method for discovering inter-network communication behavior in real time
CN107835149A (en) * 2017-09-13 2018-03-23 杭州安恒信息技术有限公司 Method and device for detecting network data-theft behavior based on DNS traffic analysis
CN108737327A (en) * 2017-04-14 2018-11-02 阿里巴巴集团控股有限公司 Method, apparatus, system, processor and memory for intercepting malicious websites
CN108833412A (en) * 2018-06-20 2018-11-16 国网湖北省电力公司咸宁供电公司 Method for supervising network terminals in illegal external connection
CN108881211A (en) * 2018-06-11 2018-11-23 杭州盈高科技有限公司 Illegal external connection detection method and device
CN109768971A (en) * 2018-12-27 2019-05-17 江苏博智软件科技股份有限公司 Method for real-time detection of industrial control host state based on network traffic
CN110290154A (en) * 2019-07-23 2019-09-27 北京威努特技术有限公司 Illegal external connection detection device, method and storage medium
CN111917702A (en) * 2020-03-31 2020-11-10 北京融汇画方科技有限公司 Clientless passive detection technique for offline illegal external connection
CN113315760A (en) * 2021-05-13 2021-08-27 杭州木链物联网科技有限公司 Situation awareness method, system, equipment and medium based on knowledge graph
CN114363059A (en) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Attack identification method and device and related equipment
CN114401129A (en) * 2022-01-04 2022-04-26 烽火通信科技股份有限公司 Internet access behavior control method, DNS (Domain name Server), home gateway and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Military information network security protection system based on a big-data engine; 宋晓峰; 赵卫伟; 韩; Electronic Information Warfare Technology (电子信息对抗技术) (03); pp. 30-35 *
Design of the monitoring and communication modules of an illegal external connection monitoring system for a dedicated power network; 朱坤华; 李莉; Journal of Henan Institute of Science and Technology (河南科技学院学报); 2009-06-15 (02); pp. 61-64 *

Also Published As

Publication number Publication date
CN115051867A (en) 2022-09-13

Similar Documents

Publication Publication Date Title
US9215245B1 (en) Exploration system and method for analyzing behavior of binary executable programs
CN109586282B (en) Power grid unknown threat detection system and method
CN110417778B (en) Access request processing method and device
US20130185645A1 (en) Determining repeat website users via browser uniqueness tracking
US11089024B2 (en) System and method for restricting access to web resources
CN112769775B (en) Threat information association analysis method, system, equipment and computer medium
CN111404937B (en) Method and device for detecting server vulnerability
CN113518077A (en) Malicious web crawler detection method, device, equipment and storage medium
US11449637B1 (en) Systems and methods for providing web tracking transparency to protect user data privacy
CN115051867B (en) Illegal external connection behavior detection method and device, electronic equipment and medium
CN108156127B (en) Network attack mode judging device, judging method and computer readable storage medium thereof
CN114157568B (en) Browser secure access method, device, equipment and storage medium
CN113890762B (en) Method and system for detecting web crawler behaviors based on flow data
CN109981533B (en) DDoS attack detection method, device, electronic equipment and storage medium
CN104426836A (en) Invasion detection method and device
CN110955890B (en) Method and device for detecting malicious batch access behaviors and computer storage medium
CN115643044A (en) Data processing method, device, server and storage medium
CN113923039A (en) Attack equipment identification method and device, electronic equipment and readable storage medium
TW201928746A (en) Method and apparatus for detecting malware
CN114462030A (en) Privacy policy processing and evidence obtaining method, device, equipment and storage medium
CN108133046B (en) Data analysis method and device
CN106603575B (en) Network side-based active internet surfing safety detection and real-time reminding method, device and system
CN112069500A (en) Application software detection method, device and medium
CN110866278A (en) Method and device for blocking real-time intrusion of database
CN113556308B (en) Method, system, equipment and computer storage medium for detecting flow security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant