CN115065971A - Method for preventing user from accessing internet through private router in local area network - Google Patents


Info

Publication number: CN115065971A
Authority: CN (China)
Prior art keywords: alarm, internet, version, analysis, local area
Legal status: Pending
Application number: CN202210420014.3A
Other languages: Chinese (zh)
Inventor: 柳孔枫
Current Assignee: Shandong Yunguo Information Technology Co ltd
Original Assignee: Shandong Yunguo Information Technology Co ltd
Priority date: 2022-04-21
Filing date: 2022-04-21
Publication date: 2022-09-16
Application filed by Shandong Yunguo Information Technology Co ltd
Priority to CN202210420014.3A
Publication of CN115065971A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for preventing a user from accessing the Internet through a privately connected router in a local area network comprises message parsing and TTL identification, UA analysis, alarm level division and Internet access interception. The method comprises the following steps: initializing the created caches, which comprise in order an alarm cache list, a user information cache list and a UA cache list; message parsing and TTL identification, in which the traffic of local area network users accessing the Internet is captured cyclically, the captured packets are analyzed and the TTL is checked for normality; UA analysis; alarm level division; and Internet access interception, which treats the local area network users identified by message parsing, TTL identification and UA analysis according to their alarm level. With this structure the invention has the following advantage: through the cooperation of these four modules it prevents a user in the local area network from accessing the Internet through a privately connected router.

Description

Method for preventing user from accessing internet through private router in local area network
Technical Field
The invention relates to the technical field of information network communication, in particular to a method for preventing a user from surfing the Internet through a router privately connected to a local area network.
Background
With the popularization of mobile intelligent terminals, the local area networks of many enterprises are accessed not only by office computers but also by various mobile intelligent terminals such as pads, notebooks and cell phones. To guarantee enterprise network security, network administrators require real-name registration of all access terminal devices, but a small number of employees still evade real-name registration of their terminal devices by privately setting up a router that shares a hotspot. To address this, the invention provides a method for preventing a user from accessing the Internet through a privately connected router in the local area network; it supports automatic detection of illegal Internet access through a privately built router, raises an alarm and intercepts the Internet access, thereby guaranteeing the network security of the enterprise local area network.
Disclosure of Invention
The present invention provides a method for preventing a user from accessing the internet through a private router in a local area network, which aims to solve the technical problems.
In order to solve the technical problems, the technical scheme provided by the invention is as follows:
A method for preventing a user from accessing the Internet through a private router in a local area network comprises message analysis, TTL (time to live) identification, UA (user agent) analysis, alarm level division and Internet access interception, and comprises the following steps:
S1, initializing the created caches, which comprise in order an alarm cache list, a user information cache list and a UA cache list;
S2, message analysis and TTL identification: cyclically capturing the traffic of local area network users accessing the Internet, analyzing the captured packets, and extracting and identifying the source MAC address, source IP address and TTL value in each message;
S3, identifying whether the TTL is normal: if normal, proceeding to UA analysis; if abnormal, recording the anomaly in the alarm cache list;
S4, UA analysis: extracting the 'UA information' from the traffic and looking it up first in the UA cache list; if the 'UA information' is not in the cache, calling a regular expression library to parse the 'operating system name and version' and 'APP name and version' from the 'UA information' and storing the parsed result in the UA cache list;
S5, checking whether the operating system name and version and the APP name and version match those in the user information cache list, and where they differ recording an operating system name and version anomaly and an APP name and version anomaly respectively in the alarm cache list;
S6, alarm grade division: the alarm grade is defined by the number of anomaly classes present, giving grades 1 to 3;
S7, Internet access interception: local area network users are treated according to the alarm level produced by message analysis, TTL identification and UA analysis; grade 3 is intercepted, and grades 0 to 2 return to step S2.
With this structure the invention has the following advantage: the four modules of message analysis and TTL identification, UA analysis, alarm level division and Internet access interception cooperate to prevent a user in the local area network from accessing the Internet through a privately connected router.
As an improvement, the alarm cache list comprises a source IP, a source MAC, an alarm state, a TTL alarm, an operating system name and version alarm and an APP name and version alarm.
As an improvement, the user information cache list comprises: a source IP address, a source MAC address, a message timestamp, a TTL value, an operating system name and version, and an APP name and version.
As an improvement, the UA cache list comprises: source MAC address, source IP address, UA information, operating system name and version, APP name and version.
As an improvement, the interception in step S7 is divided into "TCP packet interception" and "UDP packet interception".
Drawings
Fig. 1 is a flow chart of a method for preventing a user from surfing the internet via a private router in a local area network according to the invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
With reference to fig. 1, a method for preventing a user from accessing the Internet through a private router in a local area network comprises message parsing and TTL identification, UA parsing, alarm level classification and Internet access interception, and comprises the following steps:
S1, initializing the created caches, which comprise in order an alarm cache list, a user information cache list and a UA cache list;
S2, message analysis and TTL identification: cyclically capturing the traffic of local area network users accessing the Internet, analyzing the captured packets, and extracting and identifying the source MAC address, source IP address and TTL value in each message;
S3, identifying whether the TTL is normal: if normal, proceeding to UA analysis; if abnormal, recording the anomaly in the alarm cache list;
S4, UA analysis: extracting the 'UA information' from the traffic and looking it up first in the UA cache list; if the 'UA information' is not in the cache, calling a regular expression library to parse the 'operating system name and version' and 'APP name and version' from the 'UA information' and storing the parsed result in the UA cache list;
S5, checking whether the operating system name and version and the APP name and version match those in the user information cache list; if the operating system name and version differ, recording an operating system name and version anomaly in the alarm cache list, and if the APP name and version differ, recording an APP name and version anomaly in the alarm cache list;
S6, alarm grade division: the alarm grade is defined by the number of anomaly classes present, giving grades 1 to 3;
S7, Internet access interception: local area network users are treated according to the alarm level produced by message analysis, TTL identification and UA analysis; grade 3 is intercepted, and grades 0 to 2 return to step S2.
The alarm cache list comprises a source IP, a source MAC, an alarm state, a TTL alarm, an operating system name and version alarm and an APP name and version alarm.
The user information cache list comprises: a source IP address, a source MAC address, a message timestamp, a TTL value, an operating system name and version, and an APP name and version.
The UA cache list comprises: source MAC address, source IP address, UA information, operating system name and version, APP name and version.
The interception in the step S7 is classified into "TCP packet interception" and "UDP packet interception".
Message parsing and TTL identification:
1) performing packet capturing and analysis on the flow of a user in a local area network accessing the Internet, and extracting a source MAC address, a source IP address and a TTL value in a message;
2) Using the user's 'source MAC address' as an index, creating a user information cache list whose fields comprise 'source IP address', 'source MAC address', 'message timestamp', 'TTL value', 'operating system name and version' and 'APP name and version';
3) identifying the TTL value and storing it in the user information cache, then identifying whether the TTL is normal (normally the default TTL of mobile phones and of the Linux operating system is 64, Windows TTLs are 128, 64 or 32 depending on the version, and under standard conditions each router a packet passes through subtracts 1 from its TTL value); if the TTL is abnormal, recording the TTL anomaly in the alarm cache list.
UA analysis:
1) Parsing the HTTP protocol in the data message and extracting the user-agent field (UA for short) from it.
2) Using the UA information as the index of the UA cache list, creating the UA cache list and storing the source MAC address, source IP address, UA information, operating system name and version, and APP name and version;
3) looking up the 'UA information' extracted from the HTTP message in the UA cache list first; if the 'UA information' is not in the cache, calling a regular expression library to parse the 'operating system name and version' and 'APP name and version' from the 'UA information' and storing the parsed result in the UA cache list;
4) using the user's 'source MAC address' as an index, extracting the 'operating system name and version', 'APP name and version' and 'UA information' fields from the user information cache list and comparing each with the corresponding field parsed from the 'UA information'; if the operating system name and version differ, recording an 'operating system name and version anomaly' in the alarm cache list; if the APP name and version differ, recording an 'APP name and version anomaly' in the alarm cache list.
Alarm grade division:
1) Using the user's source MAC address as an index, creating an alarm cache list whose fields comprise source IP address, source MAC address, alarm state, TTL alarm, terminal type (operating system) and version alarm, and APP name and version alarm.
2) Identifying, for the same user (indexed by MAC address), how many of the TTL anomaly, operating system name and version anomaly and APP name and version anomaly exist simultaneously in the alarm cache list;
3) one type is a first-level alarm, two types coexist to form a second-level alarm, and three types coexist to form a third-level alarm (the higher the alarm level is, the higher the probability that a user privately accesses a router is).
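The detection side of the method, steps S1 to S6 of the disclosure above and the 'message parsing and TTL identification', 'UA analysis' and 'alarm grade division' modules just described, is illustrated by the following Python example. It is added here and is not code from the patent or its assignee: the regular expression patterns standing in for the patent's 'regular library', the sample User-Agent strings and the captured messages are all constructed assumptions, and the point at which a baseline for a MAC address is refreshed is likewise assumed, since the text does not specify it. Grade 3 is reported as 'intercept' and left to the caller, as step S7 specifies; the interception mechanism itself is not modelled.

```python
import re
from collections import defaultdict

# TTL values the patent text treats as normal host defaults: 64 for phones
# and Linux, 128 / 64 / 32 for Windows versions.  A packet that crossed an
# extra router on the way arrives with one hop subtracted (63, 127, 31),
# which is the "abnormal TTL" of step S3.
NORMAL_TTLS = {32, 64, 128}


def ttl_is_normal(ttl):
    """Step S3: True if the TTL is a host default, False if it looks decremented."""
    return ttl in NORMAL_TTLS


# Stand-in for the patent's "regular library" (assumption: the patent does not
# publish its patterns).  Order matters: Android before Linux, Chrome before
# the Safari token that Chrome UAs also carry.
OS_PATTERNS = [
    (re.compile(r"Android (\d+(?:\.\d+)*)"), "Android"),
    (re.compile(r"Windows NT (\d+(?:\.\d+)*)"), "Windows"),
    (re.compile(r"Linux"), "Linux"),
]
APP_PATTERNS = [
    (re.compile(r"Firefox/(\d+(?:\.\d+)*)"), "Firefox"),
    (re.compile(r"Chrome/(\d+(?:\.\d+)*)"), "Chrome"),
]


def _match_first(patterns, ua):
    """Return 'Name version' for the first pattern that matches, or 'unknown'."""
    for pattern, name in patterns:
        m = pattern.search(ua)
        if m:
            version = m.group(1) if m.lastindex else ""
            return f"{name} {version}".strip()
    return "unknown"


def parse_ua(ua, ua_cache):
    """Step S4: look the raw UA up in the UA cache first, parse only on a miss."""
    if ua not in ua_cache:
        ua_cache[ua] = (_match_first(OS_PATTERNS, ua), _match_first(APP_PATTERNS, ua))
    return ua_cache[ua]


class Detector:
    """Holds the three caches of step S1 and grades one captured message per call."""

    ANOMALY_CLASSES = ("ttl", "os", "app")

    def __init__(self):
        # alarm cache list, keyed by source MAC: one flag per anomaly class
        self.alarm_cache = defaultdict(lambda: dict.fromkeys(self.ANOMALY_CLASSES, False))
        self.user_info = {}  # user information cache list: first record seen per MAC
        self.ua_cache = {}   # UA cache list: raw UA -> (os name and version, app name and version)

    def observe(self, mac, ip, timestamp, ttl, ua):
        """Steps S2-S6 for one message; returns the alarm grade 0-3 for this MAC."""
        os_name, app_name = parse_ua(ua, self.ua_cache)
        alarms = self.alarm_cache[mac]
        if not ttl_is_normal(ttl):
            alarms["ttl"] = True
        baseline = self.user_info.get(mac)
        if baseline is None:
            # assumption: the first sighting of a MAC becomes its baseline record
            self.user_info[mac] = {"ip": ip, "mac": mac, "ts": timestamp, "ttl": ttl,
                                   "os": os_name, "app": app_name}
        else:
            # step S5: the same MAC now presenting another OS or app is suspicious
            if baseline["os"] != os_name:
                alarms["os"] = True
            if baseline["app"] != app_name:
                alarms["app"] = True
        # step S6: the grade is the number of anomaly classes present at once
        return sum(alarms.values())


def action_for_grade(grade):
    """Step S7: grade 3 is intercepted, grades 0-2 return to capturing (S2)."""
    return "intercept" if grade == 3 else "continue"


# Constructed sample traffic: (source MAC, source IP, timestamp, TTL, User-Agent)
UA_ANDROID = ("Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/110.0.5481.77 Mobile Safari/537.36")
UA_WINDOWS = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/111.0.5563.64 Safari/537.36")
SAMPLE_MESSAGES = [
    ("aa:bb:cc:dd:ee:01", "10.0.0.5", 1, 64, UA_ANDROID),   # phone, directly attached
    ("aa:bb:cc:dd:ee:01", "10.0.0.5", 2, 63, UA_WINDOWS),   # same MAC: TTL minus one hop, other OS and app
    ("aa:bb:cc:dd:ee:02", "10.0.0.6", 3, 127, UA_WINDOWS),  # new MAC, only the TTL is off
]


def run_sample():
    """Feed the constructed messages through one Detector; returns the grades."""
    det = Detector()
    return [det.observe(*msg) for msg in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, grade in zip(SAMPLE_MESSAGES, run_sample()):
        print(msg[0], "ttl", msg[3], "grade", grade, action_for_grade(grade))
```

Two caveats a deployment should weigh: the UA comparison depends on plaintext HTTP, so TLS-encrypted traffic contributes only the TTL signal, and the first record seen for a MAC becomes its baseline, so a device that legitimately changes browser or updates its operating system raises the OS or APP anomaly until the baseline is refreshed.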
Internet access interception:
1) Intercepting the Internet traffic of users with a third-level alarm; the interception mode is divided into 'TCP message interception' and 'UDP message interception'.
2) The TCP message interception is that in the process of three-way handshake for newly establishing connection between TCP of two communication parties, a man-in-the-middle attack is performed in a local area network, the SYN ACK response message of a service end is forged in preference to the response speed of a real service end, and a client is deceived to reply a message which cannot be identified by the real service end, so that the TCP three-way handshake connection establishment fails.
3) The 'UDP message interception' is to forge abnormal data segments at the limited positions of the messages after capturing the UDP protocol messages of both communication parties and give direct reply, thereby causing the abnormal analysis of the application program and realizing the interception of the service based on the UDP message communication.
In conclusion, the aim of intercepting the internet access of a user private access router in the local area network is achieved and the network security of the enterprise local area network is guaranteed based on the ordered cooperation of the four modules of 'message analysis and TTL identification, UA analysis, alarm level division and internet access interception'.
The present invention and its embodiments have been described above, and the description is not intended to be limiting, and the drawings are only one embodiment of the present invention, and the actual structure is not limited thereto. In summary, those skilled in the art should appreciate that they can readily use the disclosed conception and specific embodiments as a basis for designing or modifying other structures for carrying out the same purposes of the present invention without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (5)

1. A method for preventing a user from accessing the Internet through a private router in a local area network, characterized by comprising message analysis, TTL identification, UA analysis, alarm level division and Internet access interception, and by comprising the following steps:
S1, initializing the created caches, which comprise in order an alarm cache list, a user information cache list and a UA cache list;
S2, message analysis and TTL identification: cyclically capturing the traffic of local area network users accessing the Internet, analyzing the captured packets, and extracting and identifying the source MAC address, source IP address and TTL value in each message;
S3, identifying whether the TTL is normal: if normal, proceeding to UA analysis; if abnormal, recording the anomaly in the alarm cache list;
S4, UA analysis: extracting the 'UA information' from the traffic and looking it up first in the UA cache list; if the 'UA information' is not in the cache, calling a regular expression library to parse the 'operating system name and version' and 'APP name and version' from the 'UA information' and storing the parsed result in the UA cache list;
S5, checking whether the operating system name and version and the APP name and version match those in the user information cache list, and where they differ recording an operating system name and version anomaly and an APP name and version anomaly respectively in the alarm cache list;
S6, alarm grade division: the alarm grade is defined by the number of anomaly classes present, giving grades 1 to 3;
S7, Internet access interception: local area network users are treated according to the alarm level produced by message analysis, TTL identification and UA analysis; grade 3 is intercepted, and grades 0 to 2 return to step S2.
2. The method for preventing a user from accessing the Internet through a private router in a local area network according to claim 1, characterized in that the alarm cache list comprises a source IP, a source MAC, an alarm state, a TTL alarm, an operating system name and version alarm and an APP name and version alarm.
3. The method for preventing a user from accessing the Internet through a private router in a local area network according to claim 1, characterized in that the user information cache list comprises: a source IP address, a source MAC address, a message timestamp, a TTL value, an operating system name and version, and an APP name and version.
4. The method for preventing a user from accessing the Internet through a private router in a local area network according to claim 1, characterized in that the UA cache list comprises: source MAC address, source IP address, UA information, operating system name and version, APP name and version.
5. The method for preventing a user from accessing the Internet through a private router in a local area network according to claim 1, characterized in that the interception in step S7 is classified into "TCP packet interception" and "UDP packet interception".

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202210420014.3A (CN115065971A, en) | 2022-04-21 | 2022-04-21 | Method for preventing user from accessing internet through private router in local area network

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202210420014.3A (CN115065971A, en) | 2022-04-21 | 2022-04-21 | Method for preventing user from accessing internet through private router in local area network

Publications (1)

Publication Number | Publication Date
CN115065971A (en) | 2022-09-16

Family

ID=83196385

Family Applications (1)

Application Number | Status | Priority Date | Filing Date | Title
CN202210420014.3A (CN115065971A, en) | Pending | 2022-04-21 | 2022-04-21 | Method for preventing user from accessing internet through private router in local area network

Country Status (1)

Country | Link
CN (1) | CN115065971A (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination