CN115065971A - Method for preventing user from accessing internet through private router in local area network - Google Patents
- Publication number
- CN115065971A (application CN202210420014.3A)
- Authority
- CN
- China
- Prior art keywords
- alarm
- internet
- version
- analysis
- local area
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method for preventing a user from accessing the Internet through a privately connected router in a local area network comprises message parsing and TTL identification, UA parsing, alarm level division and Internet access interception. The method comprises the following steps: initializing the created caches, which comprise, in order, an alarm cache list, a user information cache list and a UA cache list; message parsing and TTL identification, in which the traffic of local area network users accessing the Internet is captured in a loop, the captured packets are analysed, and the TTL is checked for normality; UA parsing; alarm level division; and Internet access interception, which treats local area network users differently according to the alarm level obtained from message parsing, TTL identification and UA parsing. With this structure the invention has the following advantage: through the cooperation of the four modules (message parsing and TTL identification, UA parsing, alarm level division and Internet access interception) it prevents a user in the local area network from accessing the Internet through a privately connected router.
Description
Technical Field
The invention relates to the technical field of information network communication, in particular to a method for preventing a user from surfing the Internet through a router privately connected to a local area network.
Background
With the popularization of mobile intelligent terminals, the local area networks of many enterprises now admit, besides office computers, a variety of mobile intelligent terminals such as tablets, notebooks and mobile phones. To guarantee enterprise network security, network administrators require real-name registration of every access terminal device, but a small number of employees still evade real-name registration of their terminal devices by privately setting up a router that shares a hotspot. The invention therefore provides a method for preventing a user from accessing the Internet through a privately connected router in a local area network: it automatically detects the illegal Internet access behaviour of a privately built router, raises an alarm, intercepts the Internet access, and so safeguards the security of the enterprise local area network.
Disclosure of Invention
The present invention provides a method for preventing a user from accessing the internet through a private router in a local area network, which aims to solve the technical problems.
In order to solve the technical problems, the technical scheme provided by the invention is as follows:
a method for preventing a user from accessing the Internet through a privately connected router in a local area network comprises message parsing, TTL (time to live) identification, UA (user agent) parsing, alarm level division and Internet access interception, and comprises the following steps:
S1, initializing the created caches, which comprise, in order, an alarm cache list, a user information cache list and a UA cache list;
S2, message parsing and TTL identification: capturing in a loop the traffic of local area network users accessing the Internet, analysing the captured packets, and extracting and identifying the source MAC address, the source IP address and the TTL value in each message;
S3, identifying whether the TTL is normal: if normal, proceeding to UA parsing; if abnormal, recording the abnormality in the alarm cache list;
S4, UA parsing: parsing the 'UA information' in the traffic, looking it up first in the UA cache list; if the 'UA information' is not in the cache, calling a regular-expression library to parse the 'operating system name and version' and the 'APP name and version' out of the 'UA information', and storing the parsed result in the UA cache list;
S5, identifying whether the operating system name and version and the APP name and version match those in the user information cache list, and, for each that differs, recording an operating system name and version abnormality or an APP name and version abnormality respectively in the alarm cache list;
S6, alarm level division: the alarm level is defined by the number of abnormality classes present and ranges from level 1 to level 3;
S7, Internet access interception: local area network users are treated differently according to the alarm level obtained from message parsing, TTL identification and UA parsing; level 3 is intercepted, and levels 0-2 return to step S2.
With this structure the invention has the following advantage: through the cooperation of the four modules (message parsing and TTL identification, UA parsing, alarm level division and Internet access interception) it prevents a user in the local area network from accessing the Internet through a privately connected router.
As an improvement, the alarm cache list comprises a source IP, a source MAC, an alarm state, a TTL alarm, an operating system name and version alarm and an APP name and version alarm.
As an improvement, the user information cache list comprises: a source IP address, a source MAC address, a message timestamp, a TTL value, an operating system name and version, and an APP name and version.
As an improvement, the UA cache list comprises: a source MAC address, a source IP address, UA information, an operating system name and version, and an APP name and version.
As an improvement, the interception in step S7 is divided into "TCP packet interception" and "UDP packet interception".
Drawings
Fig. 1 is a flow chart of a method for preventing a user from surfing the internet via a private router in a local area network according to the invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
With reference to fig. 1, a method for preventing a user from accessing the Internet through a privately connected router in a local area network comprises message parsing and TTL identification, UA parsing, alarm level division and Internet access interception, and comprises the following steps:
S1, initializing the created caches, which comprise, in order, an alarm cache list, a user information cache list and a UA cache list;
S2, message parsing and TTL identification: capturing in a loop the traffic of local area network users accessing the Internet, analysing the captured packets, and extracting and identifying the source MAC address, the source IP address and the TTL value in each message;
S3, identifying whether the TTL is normal: if normal, proceeding to UA parsing; if abnormal, recording the abnormality in the alarm cache list;
S4, UA parsing: parsing the 'UA information' in the traffic, looking it up first in the UA cache list; if the 'UA information' is not in the cache, calling a regular-expression library to parse the 'operating system name and version' and the 'APP name and version' out of the 'UA information', and storing the parsed result in the UA cache list;
S5, identifying whether the operating system name and version and the APP name and version match those in the user information cache list; if the operating system name and version differ, recording the operating system name and version abnormality in the alarm cache list, and if the APP name and version differ, recording the APP name and version abnormality in the alarm cache list;
S6, alarm level division: the alarm level is defined by the number of abnormality classes present and ranges from level 1 to level 3;
S7, Internet access interception: local area network users are treated differently according to the alarm level obtained from message parsing, TTL identification and UA parsing; level 3 is intercepted, and levels 0-2 return to step S2.
The alarm cache list comprises a source IP, a source MAC, an alarm state, a TTL alarm, an operating system name and version alarm and an APP name and version alarm.
The user information cache list comprises: a source IP address, a source MAC address, a message timestamp, a TTL value, an operating system name and version, and an APP name and version.
The UA cache list comprises: a source MAC address, a source IP address, UA information, an operating system name and version, and an APP name and version.
The interception in the step S7 is classified into "TCP packet interception" and "UDP packet interception".
Message parsing and TTL identification:
1) capturing and analysing the traffic of a user in the local area network accessing the Internet, and extracting the source MAC address, source IP address and TTL value from each message;
2) using the user's 'source MAC address' as the index, creating the user information cache list, whose fields comprise 'source IP address', 'source MAC address', 'message timestamp', 'TTL value', 'operating system name and version' and 'APP name and version';
3) identifying the TTL value, storing it in the user information cache, and checking whether the TTL is normal (normally the default TTL of mobile phones and of the Linux operating system is 64, while different Windows versions may use 128, 64 or 32, and under standard conditions each router on the path decrements the TTL value by 1); if the TTL is abnormal, recording the TTL abnormality in the alarm cache list.
UA analysis:
1) parsing the HTTP protocol in the data message and extracting the user-agent field (UA for short) from it.
2) Using the UA information as the index of the UA cache list, creating the UA cache list, and storing the source MAC address, source IP address, UA information, operating system name and version, and APP name and version;
3) looking up the 'UA information' extracted from the HTTP message in the UA cache list first; if the 'UA information' is not in the cache, calling a regular-expression library to parse the 'operating system name and version' and 'APP name and version' out of the 'UA information', and storing the parsed result in the UA cache list;
4) using the user's 'source MAC address' as the index, extracting the 'operating system name and version', 'APP name and version' and 'UA information' fields from the user information cache list and comparing each with the corresponding field obtained by parsing the 'UA information'; if the operating system name and version differ, recording 'operating system name and version abnormality' in the alarm cache list, and if the APP name and version differ, recording 'APP name and version abnormality' in the alarm cache list.
Alarm grade division:
1) using the user's source MAC address as the index, creating the alarm cache list, whose fields comprise the source IP address, source MAC address, alarm state, TTL alarm, terminal type (operating system) and version alarm, and APP name and version alarm.
2) Counting how many of the abnormality classes TTL abnormality, operating system name and version abnormality, and APP name and version abnormality exist simultaneously in the alarm cache list for the same user (indexed by MAC address);
3) one class present is a level 1 alarm, two classes together form a level 2 alarm, and three classes together form a level 3 alarm (the higher the alarm level, the higher the probability that the user has privately connected a router).
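The following Python block is an added example, not code from the patent (which specifies no implementation): it models steps S1 to S6 as given in the Disclosure, in the three lists above (message parsing and TTL identification, UA parsing, alarm level division) and in the claims, and reduces step S7 to a decision flag. The packet records, MAC addresses, User-Agent strings and the regex library are constructed assumptions.

```python
"""Added example, not code from the patent: a minimal model of steps S1-S6
(caches, TTL check, cached User-Agent parsing, per-MAC comparison and alarm
grading). Packet records, MAC addresses, UA strings and the regex library are
constructed assumptions; the patent names no concrete formats or libraries."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Default initial TTLs the patent cites: phones/Linux 64; Windows 128, 64 or 32.
# A value such as 63 or 127 has lost one hop to an extra router, so it is abnormal.
NORMAL_TTLS = {64, 128, 32}

# Constructed regex library (assumption) for OS name/version and APP name/version.
OS_PATTERNS = [
    (re.compile(r"Android (\d+(?:\.\d+)*)"), "Android"),
    (re.compile(r"iPhone OS (\d+(?:_\d+)*)"), "iOS"),
    (re.compile(r"Windows NT (\d+(?:\.\d+)*)"), "Windows"),
    (re.compile(r"Linux"), "Linux"),
]
APP_PATTERN = re.compile(r"^([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


@dataclass
class Alarm:
    """One alarm cache entry: source IP/MAC plus the three abnormality flags."""
    src_ip: str
    src_mac: str
    ttl_alarm: bool = False
    os_alarm: bool = False
    app_alarm: bool = False

    def level(self) -> int:
        """S6: alarm level = number of abnormality classes present (0-3)."""
        return int(self.ttl_alarm) + int(self.os_alarm) + int(self.app_alarm)


@dataclass
class Detector:
    # S1: the three caches. Alarm and user caches are keyed by source MAC,
    # the UA cache by the raw UA string, as the patent describes.
    alarms: dict = field(default_factory=dict)
    users: dict = field(default_factory=dict)
    ua_cache: dict = field(default_factory=dict)

    def parse_ua(self, ua: str):
        """S4: look the UA up in the cache first; otherwise parse and store it."""
        if ua in self.ua_cache:
            return self.ua_cache[ua]
        os_info = ("unknown", "")
        for pattern, name in OS_PATTERNS:
            m = pattern.search(ua)
            if m:
                os_info = (name, m.group(1).replace("_", ".") if m.groups() else "")
                break
        m = APP_PATTERN.match(ua)
        app_info = (m.group(1), m.group(2)) if m else ("unknown", "")
        self.ua_cache[ua] = (os_info, app_info)
        return self.ua_cache[ua]

    def observe(self, mac: str, ip: str, ttl: int, ts: int, ua: Optional[str]) -> int:
        """S2-S6 for one captured message; returns the user's current alarm level."""
        alarm = self.alarms.setdefault(mac, Alarm(src_ip=ip, src_mac=mac))
        if ttl not in NORMAL_TTLS:          # S3: TTL normality
            alarm.ttl_alarm = True
        os_info = app_info = None
        if ua is not None:                  # only HTTP messages carry a UA
            os_info, app_info = self.parse_ua(ua)
        info = self.users.get(mac)
        if info is None:                    # first sighting: record the baseline
            self.users[mac] = {"ip": ip, "mac": mac, "ts": ts, "ttl": ttl,
                               "os": os_info, "app": app_info}
        else:                               # S5: compare with the cached baseline
            if os_info and info["os"] and os_info != info["os"]:
                alarm.os_alarm = True
            if app_info and info["app"] and app_info != info["app"]:
                alarm.app_alarm = True
            info["ts"], info["ttl"] = ts, ttl
            if info["os"] is None:          # baseline had no UA yet
                info["os"], info["app"] = os_info, app_info
        return alarm.level()

    def should_intercept(self, mac: str) -> bool:
        """S7 decision only: level 3 is intercepted, levels 0-2 keep observing."""
        return mac in self.alarms and self.alarms[mac].level() == 3


def run_constructed_capture():
    """Feed a constructed packet sequence through the detector (test data)."""
    det = Detector()
    win = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    packets = [  # (mac, ip, ttl, timestamp, ua); every value is constructed
        ("aa:bb:cc:dd:ee:01", "10.0.0.5", 64, 1,
         "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36"),
        ("aa:bb:cc:dd:ee:01", "10.0.0.5", 63, 2, win),   # same MAC, TTL off by one, other OS
        ("aa:bb:cc:dd:ee:01", "10.0.0.5", 127, 3,
         "MyApp/3.1 (iPhone; CPU iPhone OS 16_2 like Mac OS X)"),
        ("aa:bb:cc:dd:ee:02", "10.0.0.6", 128, 4, win),  # one ordinary Windows host
        ("aa:bb:cc:dd:ee:02", "10.0.0.6", 128, 5, win),
    ]
    levels = [det.observe(*p) for p in packets]
    return det, levels


if __name__ == "__main__":
    det, levels = run_constructed_capture()
    for mac, alarm in det.alarms.items():
        print(mac, "level", alarm.level(),
              "intercept" if det.should_intercept(mac) else "observe")
```

The first MAC presents three operating systems and a decremented TTL, which is the pattern of several devices sharing one NAT router, so it reaches level 3; the second MAC stays at level 0. Note that the APP name and version comparison, taken literally, also fires when one legitimate device uses two different HTTP clients, which is why the method only intercepts when all three abnormality classes coincide.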
Internet access interception:
1) intercepting the Internet access traffic of a user with a level 3 alarm, where the interception mode is divided into 'TCP message interception' and 'UDP message interception'.
2) 'TCP message interception' means that, during the three-way handshake in which the two communicating parties establish a new TCP connection, a man-in-the-middle on the local area network forges the server's SYN-ACK response faster than the real server can respond, so that the client is deceived into replying with a message the real server cannot recognise and the TCP three-way handshake fails.
3) 'UDP message interception' means that, after capturing the UDP protocol messages of both communicating parties, abnormal data segments are forged at defined positions in the messages and returned directly as the reply, so that the application program fails to parse them and services communicating over UDP messages are thereby intercepted.
In conclusion, through the ordered cooperation of the four modules 'message parsing and TTL identification, UA parsing, alarm level division and Internet access interception', the Internet access of a user who has privately connected a router in the local area network is intercepted and the network security of the enterprise local area network is guaranteed.
The present invention and its embodiments have been described above, and the description is not intended to be limiting, and the drawings are only one embodiment of the present invention, and the actual structure is not limited thereto. In summary, those skilled in the art should appreciate that they can readily use the disclosed conception and specific embodiments as a basis for designing or modifying other structures for carrying out the same purposes of the present invention without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (5)
1. A method for preventing a user from accessing the Internet through a privately connected router in a local area network, characterized by comprising message parsing, TTL identification, UA parsing, alarm level division and Internet access interception, and by comprising the following steps:
S1, initializing the created caches, which comprise, in order, an alarm cache list, a user information cache list and a UA cache list;
S2, message parsing and TTL identification: capturing in a loop the traffic of local area network users accessing the Internet, analysing the captured packets, and extracting and identifying the source MAC address, the source IP address and the TTL value in each message;
S3, identifying whether the TTL is normal: if normal, proceeding to UA parsing; if abnormal, recording the abnormality in the alarm cache list;
S4, UA parsing: parsing the 'UA information' in the traffic, looking it up first in the UA cache list; if the 'UA information' is not in the cache, calling a regular-expression library to parse the 'operating system name and version' and the 'APP name and version' out of the 'UA information', and storing the parsed result in the UA cache list;
S5, identifying whether the operating system name and version and the APP name and version match those in the user information cache list, and, for each that differs, recording an operating system name and version abnormality or an APP name and version abnormality respectively in the alarm cache list;
S6, alarm level division: the alarm level is defined by the number of abnormality classes present and ranges from level 1 to level 3;
S7, Internet access interception: local area network users are treated differently according to the alarm level obtained from message parsing, TTL identification and UA parsing; level 3 is intercepted, and levels 0-2 return to step S2.
2. The method for preventing a user from accessing the Internet through a privately connected router in a local area network according to claim 1, characterized in that: the alarm cache list comprises a source IP, a source MAC, an alarm state, a TTL alarm, an operating system name and version alarm and an APP name and version alarm.
3. The method for preventing a user from accessing the Internet through a privately connected router in a local area network according to claim 1, characterized in that: the user information cache list comprises: a source IP address, a source MAC address, a message timestamp, a TTL value, an operating system name and version, and an APP name and version.
4. The method for preventing a user from accessing the Internet through a privately connected router in a local area network according to claim 1, characterized in that: the UA cache list comprises: a source MAC address, a source IP address, UA information, an operating system name and version, and an APP name and version.
5. The method for preventing a user from accessing the Internet through a privately connected router in a local area network according to claim 1, characterized in that: the interception in step S7 is divided into "TCP packet interception" and "UDP packet interception".
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210420014.3A CN115065971A (en) | 2022-04-21 | 2022-04-21 | Method for preventing user from accessing internet through private router in local area network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210420014.3A CN115065971A (en) | 2022-04-21 | 2022-04-21 | Method for preventing user from accessing internet through private router in local area network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115065971A true CN115065971A (en) | 2022-09-16 |
Family
ID=83196385
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210420014.3A Pending CN115065971A (en) | 2022-04-21 | 2022-04-21 | Method for preventing user from accessing internet through private router in local area network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115065971A (en) |
Events
- 2022-04-21: CN application CN202210420014.3A (CN115065971A) filed; status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |