CN115412330A - Method, device, equipment and storage medium for detecting multi-connection protocol message - Google Patents


Info

Publication number: CN115412330A
Authority: CN (China)
Prior art keywords: message, connection, detected, expected, port
Legal status: Granted
Application number: CN202211019726.0A
Other languages: Chinese (zh)
Other versions: CN115412330B (en)
Inventors: 崔益豪, 王开路, 鲍晓玲, 孙峰, 梁雅静, 范雪俭
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd

Events
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202211019726.0A
Publication of CN115412330A
Application granted
Publication of CN115412330B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/251 Translation of Internet protocol [IP] addresses between different IP versions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/14 Multichannel or multilink protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The disclosure relates to a method, a device, equipment and a storage medium for detecting multi-connection protocol packets. The method comprises: when the packet to be detected is a parent-connection packet, if its direction is the request direction and the connection it belongs to carries the translation flag corresponding to its protocol type, or, when the packet to be detected is a child-connection packet, if the parent connection it belongs to carries the translation flag corresponding to its protocol type, determining that the packet to be detected is a first packet; restoring the first packet to generate a second packet and performing security detection on the second packet; and performing a preset handling operation on the second packet according to the security detection result. With the technical scheme of the disclosure, multi-connection protocol packets in NAT64 mode can be completely scanned for viruses, and the accuracy of the detection result is improved.

Description

Method, device, equipment and storage medium for detecting multi-connection protocol message
Technical Field
The present disclosure relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting a multi-connection protocol packet.
Background
As the number of users keeps growing, IPv6 has been widely adopted to relieve the shortage of IPv4 addresses. However, because of compatibility problems between IPv6 and IPv4, high deployment cost and similar issues, IPv4 still holds the mainstream position, so transition schemes from IPv4 to IPv6 are particularly important. NAT64 is the primary solution for interworking between IPv4 and IPv6 networks. In addition, anti-virus detection is an important means of detecting network attacks, so anti-virus detection of data packets in this mode is of significant importance.
At present there are methods for detecting protocol packets in address translation modes such as MAP66. However, those methods only apply to address translation in a pure IPv6 or pure IPv4 environment. Because the network-layer addresses of a multi-connection protocol packet in NAT64 mode belong to two different network-layer protocols before and after NAT64 or NAT46 translation, those methods cannot detect multi-connection protocol packets in NAT64 mode.
Disclosure of Invention
In order to solve the above technical problems, or at least partially solve the above technical problems, the present disclosure provides a method, an apparatus, a device, and a storage medium for detecting a multi-connection protocol packet.
In a first aspect, an embodiment of the present disclosure provides a method for detecting a multi-connection protocol packet, including:
acquiring a packet to be detected;
when the packet to be detected is a parent-connection packet, if its direction is the request direction and the connection it belongs to carries the translation flag corresponding to its protocol type, determining that the packet to be detected is a first packet;
when the packet to be detected is a child-connection packet, if the parent connection it belongs to carries the translation flag corresponding to its protocol type, determining that the packet to be detected is a first packet;
restoring the first packet according to the request-direction five-tuple of the connection it belongs to, generating a second packet, setting a restoration mark, and performing security detection on the second packet;
and performing a preset handling operation on the second packet according to the security detection result.
Optionally, acquiring the packet to be detected includes:
if a received target packet meets a preset condition, performing packet translation on the target packet to generate the packet to be detected and a translation flag.
Optionally, after the packet to be detected is acquired, the method further includes:
if the connection of the packet to be detected carries the translation flag, recording the pre-translation source address and source port of the packet and its post-translation destination address and destination port in a designated field.
Optionally, before performing security detection on the second packet, the method further includes:
establishing a first connection to record the five-tuple information of the packet to be detected;
and establishing the corresponding expected child connection according to the working-mode command received on the parent connection.
Optionally, the multi-connection protocol is FTP, and establishing the corresponding expected child connection according to the working-mode command received on the parent connection includes:
when the FTP command is PORT, acquiring the IPv4 packet of the parent connection before request-direction translation;
taking the destination address of the connection the IPv4 packet belongs to and a designated port number as the expected source address and expected source port, and taking the source address of that connection and the port parsed from the PORT command line as the expected destination address and expected destination port, to establish the expected child connection;
when the FTP command is PASV, acquiring the IPv4 packet of the parent connection after response-direction translation;
and taking the source address of the connection the IPv4 packet belongs to as the expected source address, and taking the destination address of that connection and the port parsed from the PASV response packet as the expected destination address and expected destination port, to establish the expected child connection.
Optionally, establishing the corresponding expected child connection according to the working-mode command received on the parent connection includes:
when the FTP command is EPRT, acquiring the IPv6 packet of the parent connection before request-direction translation;
taking the destination address of the connection the IPv6 packet belongs to and a designated port number as the expected source address and expected source port, and taking the source address of that connection and the port parsed from the EPRT command line as the expected destination address and expected destination port, to establish the expected child connection;
when the FTP command is EPSV, acquiring the IPv6 packet of the parent connection after response-direction translation;
and taking the source address of the connection the IPv6 packet belongs to as the expected source address, and taking the destination address of that connection and the port parsed from the EPSV response string as the expected destination address and expected destination port, to establish the expected child connection.
Optionally, performing a preset handling operation on the second packet according to the security detection result includes:
if the security detection result indicates a risk, sending reset packets to the source end and the destination end of the packet to be detected respectively, and recording a log according to the address and port recorded in the designated field;
and if the security detection result is safe and the restoration mark is set, performing packet translation on the second packet according to the response-direction five-tuple of its connection and releasing the packet.
In a second aspect, an embodiment of the present disclosure provides a device for detecting a multi-connection protocol packet, including:
an acquisition module, configured to acquire the packet to be detected;
a first determining module, configured to determine, when the packet to be detected is a parent-connection packet, that it is a first packet if its direction is the request direction and the connection it belongs to carries the translation flag corresponding to its protocol type;
a second determining module, configured to determine, when the packet to be detected is a child-connection packet, that it is a first packet if the parent connection it belongs to carries the translation flag corresponding to its protocol type;
a detection module, configured to restore the first packet according to the request-direction five-tuple of the connection it belongs to, generate a second packet, set a restoration mark, and perform security detection on the second packet;
and a sending module, configured to perform a preset handling operation on the second packet according to the security detection result.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including: a processor; a memory for storing the processor-executable instructions; the processor is configured to read the executable instruction from the memory, and execute the instruction to implement the method for detecting a multi-connection protocol packet according to the first aspect.
In a fourth aspect, an embodiment of the present disclosure provides a computer-readable storage medium, where the storage medium stores a computer program, and the computer program, when executed by a processor, implements the method for detecting a multi-connection protocol packet according to the first aspect.
Compared with the prior art, the technical scheme provided by the embodiments of the disclosure has the following advantages. A packet to be detected is restored and then submitted to security detection if, when it is a parent-connection packet, its direction is the request direction and the connection it belongs to carries the translation flag corresponding to its protocol type, or if, when it is a child-connection packet, the parent connection it belongs to carries the translation flag corresponding to its protocol type. This provides a method for detecting multi-connection protocol packets in NAT64 mode, solves the problem that the existing detection methods for address translation modes cannot detect multi-connection protocol packets in NAT64 mode, allows complete virus scanning and removal of multi-connection protocol packets in NAT64 mode, and improves the accuracy of the detection result.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to illustrate the embodiments of the present disclosure or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below; it is obvious to those skilled in the art that other drawings can be derived from these drawings without inventive effort.
Fig. 1 is a schematic flowchart of a method for detecting a multi-connection protocol packet according to an embodiment of the present disclosure;
Fig. 2 is a schematic diagram of another method for detecting a multi-connection protocol packet according to an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of a device for detecting a multi-connection protocol packet according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
Fig. 1 is a schematic flow chart of a method for detecting a multi-connection protocol packet according to an embodiment of the present disclosure, where the method according to the embodiment of the present disclosure may be executed by a device for detecting a multi-connection protocol packet, and the device may be implemented by software and/or hardware and may be integrated on any electronic device with computing capability, such as a user terminal, e.g., a smart phone, a tablet computer, and the like.
As shown in fig. 1, a method for detecting a multi-connection protocol packet provided in the embodiment of the present disclosure may include:
Step 101: acquire a packet to be detected.
The embodiments of the present disclosure provide a method for detecting multi-connection protocol packets in NAT64 (Network Address Translation) mode, so as to implement anti-virus detection on multi-connection protocol packets in a NAT64 environment.
In this embodiment a NAT64 module, an AV HOOK module, a NAT ALG module and an AV (Anti-Virus) detection module are provided. The NAT64 module translates a received IPv6/IPv4 packet into an IPv4/IPv6 packet; in this scenario the received packets are divided into parent connections and child connections according to the connection type.
Taking NAT64 as an example: if the network-layer protocol type of the packet is IPv6, NAT64 policy matching is performed; for a matched packet, the translated IPv4 address and port are obtained, the response-direction five-tuple of the connection the packet belongs to is updated with the obtained address and port, the packet is translated according to that response-direction five-tuple, and the connection is marked with the NAT64 flag.
In an embodiment of the present disclosure, after the packet to be detected is acquired, the method further includes: if the connection of the packet to be detected carries the translation flag, recording the pre-translation source address and source port of the packet and its post-translation destination address and destination port in a designated field. That is, if the child connection or the parent connection the packet belongs to carries the NAT64 or NAT46 flag, the source address and source port before translation and the destination address and destination port after translation are recorded in the designated field, so that logs can be recorded accurately during detection.
Step 102: when the packet to be detected is a parent-connection packet, if its direction is the request direction and the connection it belongs to carries the translation flag corresponding to its protocol type, determine that the packet to be detected is a first packet.
In this embodiment the packet direction is either the request direction or the response direction. The protocol type of the packet to be detected is either IPv6 or IPv4; the IPv6 type corresponds to the NAT46 flag and the IPv4 type corresponds to the NAT64 flag.
Step 103: when the packet to be detected is a child-connection packet, if the parent connection it belongs to carries the translation flag corresponding to its protocol type, determine that the packet to be detected is a first packet.
As an example, the network-layer protocol of the packet is checked. If it is IPv6, the processing conditions for parent-connection and child-connection packets are as follows: for a parent-connection packet, the connection it belongs to carries the NAT46 flag and the packet is in the request direction; for a child-connection packet, its parent connection carries the NAT46 flag. When the applicable condition is met, the packet is restored to the pre-translation IPv4 packet according to the request-direction five-tuple of the connection it belongs to, and the restoration mark is set.
As another example, if the protocol is IPv4, the processing conditions for parent-connection and child-connection packets are as follows: for a parent-connection packet, the connection it belongs to carries the NAT64 flag and the packet is in the request direction; for a child-connection packet, its parent connection carries the NAT64 flag. When the applicable condition is met, the packet is restored to the pre-translation IPv6 packet according to the request-direction five-tuple of the connection it belongs to, and the restoration mark is set.
Consequently, for multi-connection protocol packets translated by NAT64, IPv6 packets are delivered in both the request and the response direction of the parent and child connections, and for multi-connection protocol packets translated by NAT46, IPv4 packets are delivered in both the request and the response direction of the parent and child connections. The specific conditions are as follows:
table 1: FTP (File Transfer Protocol) father connection message processing condition table in NAT64 mode
Figure BDA0003813452940000071
Table 2: FTP sub-connection message processing condition table in NAT64 mode
Figure BDA0003813452940000072
Figure BDA0003813452940000081
Step 104: restore the first packet according to the request-direction five-tuple of the connection it belongs to, generate a second packet, set the restoration mark, and perform security detection on the second packet.
In this embodiment a first packet of the IPv6 protocol is restored to a second packet of the IPv4 protocol, and a first packet of the IPv4 protocol is restored to a second packet of the IPv6 protocol. The processed packet is then sent to the corresponding process for anti-virus detection.
Step 105: perform a preset handling operation on the second packet according to the security detection result.
In this embodiment, if the security detection result indicates a risk, reset packets are sent to the source end and the destination end of the packet to be detected and a log is recorded; if the result is safe and the restoration mark is set, the second packet is translated again and released.
As an example, after packet detection is complete the process hands the packet and the detection result back to the kernel, which performs the following operations (taking NAT64 as the example): if the packet is an IPv6 packet and carries the restoration mark, NAT64 translation is performed again according to the response-direction five-tuple of the connection. Then, if no virus was detected, the packet is released directly; if a virus was detected, reset packets are sent to the source end and the destination end of the packet and an alarm is raised.
In an embodiment of the present disclosure, a third packet among the packets to be detected that does not satisfy the condition of step 103 is submitted to security detection directly, and a preset handling operation is performed on it according to the result of the security detection. In this embodiment, if the result indicates a risk, reset packets are sent to the source end and the destination end of the packet to be detected and a log is recorded; if the result is safe and no restoration mark is set, the third packet is released directly.
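The decision and handling logic of steps 102 to 105, written out as an added illustration (not code from the patent). The connection model (pre- and post-translation five-tuples, the flag names NAT64 and NAT46, the packet fields) and all sample addresses are assumptions of this example.

```python
"""Restoration decision and post-detection handling for NAT64/NAT46 traffic.

Added illustration of steps 102 to 105, not code from the patent. The
connection model (pre/post-translation five-tuples, the flag names NAT64 and
NAT46, the packet fields) and all sample addresses are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Callable, Optional, Set, Tuple

# The text pairs the IPv4 packet type with the NAT64 flag and IPv6 with NAT46:
# a packet that arrives as IPv4 on a NAT64 connection was IPv6 before translation.
FLAG_FOR_VERSION = {4: "NAT64", 6: "NAT46"}
REQUEST, RESPONSE = "request", "response"


@dataclass(frozen=True)
class FiveTuple:
    src: str
    sport: int
    dst: str
    dport: int
    l4: str = "tcp"

    def reversed(self) -> "FiveTuple":
        """Same flow seen from the other direction."""
        return FiveTuple(self.dst, self.dport, self.src, self.sport, self.l4)


@dataclass
class Connection:
    pre: FiveTuple    # request-direction five-tuple before translation
    post: FiveTuple   # the same flow after translation (what the response
                      # direction is mapped back through)
    flags: Set[str]
    parent: Optional["Connection"] = None   # set only on child (data) connections


@dataclass(frozen=True)
class Packet:
    version: int        # network-layer version as handed to the AV hook
    direction: str      # REQUEST or RESPONSE, relative to its connection
    conn: Connection
    hdr: FiveTuple      # addresses and ports currently in the header
    restored: bool = False   # the "restoration mark"


def is_first_packet(pkt: Packet) -> bool:
    """Steps 102/103: must this packet be restored before detection?"""
    wanted = FLAG_FOR_VERSION[pkt.version]
    if pkt.conn.parent is None:                 # parent-connection packet
        return pkt.direction == REQUEST and wanted in pkt.conn.flags
    return wanted in pkt.conn.parent.flags      # child: look at the parent's flag


def restore(pkt: Packet) -> Packet:
    """Step 104: rewrite to the pre-translation form via the request-direction
    five-tuple and set the restoration mark. 10 - version flips 4 <-> 6."""
    pre = pkt.conn.pre if pkt.direction == REQUEST else pkt.conn.pre.reversed()
    return replace(pkt, version=10 - pkt.version, hdr=pre, restored=True)


def retranslate(pkt: Packet) -> Packet:
    """Step 105: apply the translation again through the connection's
    translated five-tuple before releasing a restored packet."""
    post = pkt.conn.post if pkt.direction == REQUEST else pkt.conn.post.reversed()
    return replace(pkt, version=10 - pkt.version, hdr=post, restored=False)


def designated_field(conn: Connection) -> Tuple[str, int, str, int]:
    """What the text records for logging: source before translation,
    destination after translation."""
    return conn.pre.src, conn.pre.sport, conn.post.dst, conn.post.dport


def handle(pkt: Packet, detect: Callable[[Packet], bool]) -> Tuple[str, object]:
    """Run one packet through the pipeline. `detect` returns True on risk.
    Returns the action plus either the log endpoints or the released header."""
    scan = restore(pkt) if is_first_packet(pkt) else pkt
    if detect(scan):
        return "reset", designated_field(pkt.conn)
    if scan.restored:
        return "release", retranslate(scan).hdr
    return "release", scan.hdr   # the "third packet" path: released as-is


def sample_nat64_parent() -> Connection:
    """Constructed sample: an IPv6 client reaching an IPv4 FTP server through
    the well-known NAT64 prefix 64:ff9b::/96."""
    pre = FiveTuple("2001:db8::10", 51000, "64:ff9b::c000:201", 21)
    post = FiveTuple("203.0.113.5", 51000, "192.0.2.1", 21)
    return Connection(pre, post, {"NAT64"})


if __name__ == "__main__":
    parent = sample_nat64_parent()
    pkt = Packet(4, REQUEST, parent, parent.post)      # as seen after NAT64
    print(is_first_packet(pkt), restore(pkt).hdr)
    print(handle(pkt, lambda p: False))
```

Note that a response-direction parent packet is already IPv6 after NAT64 and is therefore not restored, which is what lets the AV process see one address family in both directions.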
According to the technical scheme of the embodiments of the disclosure, a packet to be detected is restored and then submitted to security detection if its direction is the request direction and the connection it belongs to carries the translation flag corresponding to its protocol type, or if it is a child-connection packet and the parent connection it belongs to carries the translation flag corresponding to its protocol type. This provides a method for detecting multi-connection protocol packets in NAT64 mode, solves the problem that the existing detection methods for address translation modes cannot detect multi-connection protocol packets in NAT64 mode, allows complete virus scanning and removal of multi-connection protocol packets in NAT64 mode, and improves the accuracy of the detection result. In addition, for multi-connection protocol packets translated by NAT64, the request and response directions of the parent and child connections can be unified into IPv6 packets, and for multi-connection protocol packets translated by NAT46 they can be unified into IPv4 packets, so that in this mode the AV process can associate the request and response directions of the parent and child connections with each other.
Based on the above embodiment, the security detection process is explained below.
Fig. 2 is a schematic diagram of another method for detecting a multi-connection protocol packet according to an embodiment of the present disclosure. As shown in Fig. 2, the method further includes:
Step 201: establish a first connection to record the five-tuple information of the packet to be detected.
In this embodiment the multi-connection protocol is FTP. The detection module is implemented on the basis of the open-source software Snort; it performs anti-virus detection on the data packets delivered by the kernel, uses the addresses recorded in the designated field before the packet was delivered as the source and destination addresses for logging, and returns the packet and the detection result to the kernel protocol stack. Specifically, the data packet submitted by the kernel to the detection process is received through the packet transceiver, and the layer 2, layer 3 and layer 4 protocols of the packet are parsed by a decoder to check and verify the packet headers.
Step 202: establish the corresponding expected child connection according to the working-mode command received on the parent connection.
In this embodiment, before the packet processed in the preceding steps is detected, preprocessing is performed for the different application-layer protocols. For the multi-connection protocol FTP, the FTP preprocessor first establishes a connection in the preprocessing stage to record information such as the five-tuple of the packet, and then establishes the corresponding expected child connection according to the FTP working-mode command received on the parent connection.
As an example, when the FTP command is PORT, the IPv4 packet of the parent connection before request-direction translation is acquired; the destination address of the connection the IPv4 packet belongs to and the designated port number are taken as the expected source address and expected source port, and the source address of that connection and the port parsed from the PORT command line are taken as the expected destination address and expected destination port, to establish the expected child connection. PORT corresponds to active mode. When the FTP command is PORT, the packet acquired is the IPv4 packet of the NAT46 parent connection before request-direction translation, and port number 20 is designated as the expected source port. In active mode the packet the device receives from the IPv6 server is translated into an IPv4 packet by NAT46, so it meets the expectation, and the AV process can thereby associate the FTP parent connection with its child connection.
As another example, when the FTP command is PASV, the IPv4 packet of the parent connection after response-direction translation is acquired; the source address of the connection the IPv4 packet belongs to is taken as the expected source address, and the destination address of that connection and the port parsed from the PASV response packet are taken as the expected destination address and expected destination port, to establish the expected child connection. PASV corresponds to passive mode. When the FTP command is PASV, the translated response-direction packet of the NAT46 parent connection is acquired. Because the kernel-mode NAT ALG module rewrites the command to "EPSV 2" when it processes the FTP command PASV in the request direction of a NAT46 parent connection, so that the IPv6 FTP server can recognize it, the reply received here is the EPSV reply "229 Entering Extended Passive Mode (|||port|)". To prevent the PASV-reply processing logic in the AV process from treating it as an illegal packet, a parser for "229 Entering Extended Passive Mode (|||port|)" is added to the PASV-reply processing logic in the AV process, and the port is parsed from it. In passive mode the packet the device receives from the IPv4 client is translated into an IPv6 packet by NAT46 and is restored to the IPv4 packet before NAT46 translation prior to being submitted, so that it meets the expectation when it reaches the AV process, and the AV process can thereby associate the FTP parent connection with its child connection.
As another example, when the FTP command is EPRT, the IPv6 packet of the parent connection before request-direction translation is acquired; the destination address of the connection the IPv6 packet belongs to and the designated port number are taken as the expected source address and expected source port, and the source address of that connection and the port parsed from the EPRT command line are taken as the expected destination address and expected destination port, to establish the expected child connection. When the FTP command is EPRT, the packet received is the IPv6 packet of the NAT64 parent connection before request-direction translation, and port number 20 is designated. In active mode the packet the device receives from the IPv4 server is translated into an IPv6 packet by NAT64, so it meets the expectation, and the AV process can thereby associate the FTP parent connection with its child connection.
As another example, when the FTP command is EPSV, acquiring an IPv6 message after parent connection is converted in the response direction; and establishing the expected sub-connection by taking the source address of the connection to which the IPv6 message belongs as an expected source address, and respectively taking the destination address of the connection to which the IPv6 message belongs and the port analyzed from the EPSV response character string as an expected destination address and an expected destination port.
When the FTP command is EPSV, the received message is a message converted in the response direction by the parent connection of the NAT64, the message received by the device in the passive mode from the IPv6 client is converted into an IPv4 message by the NAT64, and is restored to the IPv6 message before being converted by the NAT64 before being sent, so that the message meets expectations after reaching the AV process, and thus, the purpose that the AV process associates the FTP parent connection with the child connection is achieved.
In this embodiment, the detection engine calls the detection plug-in to detect the message according to the rules; the output plug-in records log and alarm information according to the detection result and the address and port information recorded in the designated domain before the message was sent up; and the message transceiver notifies the kernel of the processing result.
As an example, after receiving a message processed by the detection module, the NAT ALG module parses and converts the application-layer information of the message according to the FTP working-mode command ftp_cmd, converting the IP address and port in the payload that need address translation, or the field that needs special handling. Specifically, when ftp_cmd is EPRT, for a message that has undergone NAT64 and is in the request direction, the command line "EPRT |2|ipv6|port|" is changed to "EPRT |1|ipv4|port|". When ftp_cmd is EPSV, for a message that has undergone NAT64 and is in the response direction, "229 Entering Passive Mode (|||port|)" is kept unchanged. When ftp_cmd is PORT, for a message that has undergone NAT46 and is in the request direction, "PORT ipv4,port" is changed to "EPRT |2|ipv6|port|". When ftp_cmd is PASV, a message that has undergone NAT46 and is in the request direction is changed to "EPSV 2"; for a message that has undergone NAT46 and is in the response direction, "227 Entering Passive Mode (ipv4,port)" is changed to "229 Entering Passive Mode (|||port|)". The processed message is then sent out.
In the embodiment of the disclosure, the AV process associates the request-direction and response-direction messages of the parent connection and the child connection in this manner, so that complete virus-defense detection is performed on the messages; the corresponding expected child connection is established from the FTP working-mode command, which achieves the purpose of having the AV process associate the FTP parent connection with the FTP child connection.
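The two pieces of FTP ALG logic described above, deriving the expected data sub-connection from the working-mode command or reply (PORT, PASV, EPRT, EPSV) and the payload rewriting listed in the preceding paragraph, as an added Python example; this is not the patent's own code. The class and function names, and every address and port, are constructed for illustration; the translated address embedded on rewrite is assumed to be supplied by the NAT mapping, and the 229 reply is emitted in its RFC 2428 wording.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Conn:
    """Connection as tracked by the device, oriented in the request direction
    (src = client side, dst = server side). Constructed type for this example."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Expect:
    """Expected data sub-connection; src_port None means any source port."""
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int


DATA_PORT = 20  # server data port the text designates for the active modes

# Control-channel lines the text handles: two commands and two replies.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|\s*$", re.I)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


def parse_ftp_line(line: str) -> Optional[Tuple[str, Optional[str], int]]:
    """Classify a line as PORT / EPRT (request direction) or as the 227 / 229
    reply to PASV / EPSV (response direction). Returns (cmd, host, port)."""
    m = PORT_RE.match(line)
    if m:
        h = m.groups()
        return "PORT", ".".join(h[:4]), int(h[4]) * 256 + int(h[5])
    m = EPRT_RE.match(line)
    if m:
        return "EPRT", m.group(2), int(m.group(3))
    m = PASV_RE.match(line)
    if m:
        h = m.groups()
        return "PASV", ".".join(h[:4]), int(h[4]) * 256 + int(h[5])
    m = EPSV_RE.match(line)
    if m:
        return "EPSV", None, int(m.group(1))
    return None  # not a working-mode line: nothing to expect or rewrite


def expected_child(cmd: str, port: int, parent: Conn) -> Expect:
    """Expected sub-connection as the text describes it: for PORT/EPRT the
    server data port is the expected source and the parsed port the expected
    destination; for PASV/EPSV the client (any port) is the expected source and
    the server with the parsed port the expected destination. Addresses come
    from the parent connection, not from the command payload."""
    if cmd in ("PORT", "EPRT"):
        return Expect(parent.dst_ip, DATA_PORT, parent.src_ip, port)
    if cmd in ("PASV", "EPSV"):
        return Expect(parent.src_ip, None, parent.dst_ip, port)
    raise ValueError(f"not a working-mode command: {cmd}")


def matches(exp: Expect, data: Conn) -> bool:
    """True when a data-channel connection satisfies the expectation."""
    return (exp.src_ip == data.src_ip
            and (exp.src_port is None or exp.src_port == data.src_port)
            and exp.dst_ip == data.dst_ip
            and exp.dst_port == data.dst_port)


def alg_rewrite(line: str, nat: str, direction: str,
                new_ip: Optional[str] = None) -> str:
    """Payload rewrite as the text lists it for the NAT ALG. nat is "NAT64" or
    "NAT46", direction is "request" or "response"; new_ip is the translated
    address to embed (assumed to be supplied by the NAT mapping)."""
    if nat == "NAT46" and direction == "request" and line.strip().upper() == "PASV":
        return "EPSV 2"                      # PASV -> EPSV 2 toward the IPv6 server
    parsed = parse_ftp_line(line)
    if parsed is None:
        return line
    cmd, _host, port = parsed
    if nat == "NAT64" and direction == "request" and cmd == "EPRT":
        return f"EPRT |1|{new_ip}|{port}|"   # IPv6 EPRT -> IPv4 EPRT
    if nat == "NAT46" and direction == "request" and cmd == "PORT":
        return f"EPRT |2|{new_ip}|{port}|"   # PORT -> IPv6 EPRT
    if nat == "NAT46" and direction == "response" and cmd == "PASV":
        # 227 -> 229; the reply text is RFC 2428's wording
        return f"229 Entering Extended Passive Mode (|||{port}|)"
    return line                              # e.g. the NAT64 response 229 is kept unchanged


if __name__ == "__main__":
    # Constructed sample: IPv4 client behind NAT46 talking to an IPv6 server.
    parent = Conn("192.0.2.10", 40000, "198.51.100.5", 21)
    cmd, _, port = parse_ftp_line("PORT 192,0,2,10,4,1")
    print(expected_child(cmd, port, parent))
    print(alg_rewrite("PORT 192,0,2,10,4,1", "NAT46", "request", "64:ff9b::c000:20a"))
```

The expectation deliberately takes both addresses from the parent connection rather than from the address carried in PORT or the 227 reply; that is what the text specifies, and it also means a data connection whose payload address disagrees with the control connection is simply not matched.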
Fig. 3 is a schematic structural diagram of a device for detecting a multi-connection protocol packet according to an embodiment of the present disclosure, and as shown in fig. 3, the device for detecting a multi-connection protocol packet includes: the device comprises an acquisition module 31, a first determination module 32, a second determination module 33, a detection module 34 and a sending module 35.
The acquiring module 31 is configured to acquire a message to be detected;
the first determining module 32 is configured to determine, when the message to be detected is a parent connection message, that the message to be detected is a first message if its message direction is the request direction and the connection to which it belongs has a conversion identifier corresponding to its protocol type;
the second determining module 33 is configured to determine, when the message to be detected is a child connection message, that the message to be detected is the first message if the parent connection to which it belongs has a conversion identifier corresponding to its protocol type;
the detection module 34 is configured to perform restoration processing on the first message according to the request-direction quintuple to which the first message belongs, generate a second message, mark it with a restoration mark, and perform security detection on the second message;
the sending module 35 is configured to execute a preset handling operation on the second message according to the result of the security detection.
Optionally, the acquiring module 31 is specifically configured to: if a received target message meets a preset condition, perform message conversion on the target message to generate the message to be detected and a conversion identifier.
Optionally, the apparatus further comprises a recording module, configured to record the source address and source port of the message to be detected before conversion and its destination address and destination port after conversion into a designated domain, if the connection to which the message to be detected belongs has the conversion identifier.
Optionally, the apparatus further comprises an establishing module, configured to establish a first connection to record the quintuple information of the message to be detected, and to establish the corresponding expected child connection according to the working-mode command received on the parent connection.
Optionally, the multi-connection protocol is the FTP protocol, and the establishing module is specifically configured to: when the FTP command is PORT, acquire the IPv4 message of the parent connection before request-direction conversion; take the destination address of the connection to which the IPv4 message belongs and the designated port number as the expected source address and expected source port, and take the source address of that connection and the port parsed from the PORT command line as the expected destination address and expected destination port, to establish the expected sub-connection;
when the FTP command is PASV, acquire the IPv4 message of the parent connection after response-direction conversion; take the source address of the connection to which the IPv4 message belongs as the expected source address, and take the destination address of that connection and the port parsed from the PASV response packet as the expected destination address and expected destination port, to establish the expected sub-connection.
Optionally, the establishing module is specifically configured to: when the FTP command is EPRT, acquire the IPv6 message of the parent connection before request-direction conversion; take the destination address of the connection to which the IPv6 message belongs and the designated port number as the expected source address and expected source port, and take the source address of that connection and the port parsed from the EPRT command line as the expected destination address and expected destination port, to establish the expected sub-connection;
when the FTP command is EPSV, acquire the IPv6 message of the parent connection after response-direction conversion; take the source address of the connection to which the IPv6 message belongs as the expected source address, and take the destination address of that connection and the port parsed from the EPSV response string as the expected destination address and expected destination port, to establish the expected sub-connection.
Optionally, the sending module 35 is specifically configured to: if the security detection result indicates that a risk exists, send reset messages to the source end and the destination end of the message to be detected respectively, and record a log according to the address and port recorded in the designated domain; if the security detection result is safe and a restoration mark is present, perform message conversion on the second message according to the response-direction quintuple of the connection to which the message belongs, and release the message.
The apparatus for detecting a multi-connection protocol message provided by the embodiment of the disclosure can execute any method for detecting a multi-connection protocol message provided by the embodiment of the disclosure, and has the functional modules and beneficial effects corresponding to the executed method. For content not explicitly described in the apparatus embodiments of the disclosure, reference may be made to the description of any method embodiment of the disclosure.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 4, the electronic device 600 includes one or more processors 601 and memory 602.
The processor 601 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device 600 to perform desired functions.
The memory 602 may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. Volatile memory can include, for example, Random Access Memory (RAM), cache memory, and the like. Non-volatile memory may include, for example, Read Only Memory (ROM), a hard disk, flash memory, and the like. One or more computer program instructions may be stored on the computer-readable storage medium and executed by the processor 601 to implement the methods of the embodiments of the present disclosure above and/or other desired functionality. Various content such as an input signal, signal components, noise components, etc. may also be stored in the computer-readable storage medium.
In one example, the electronic device 600 may further include: an input device 603 and an output device 604, which are interconnected by a bus system and/or other form of connection mechanism (not shown). The input device 603 may also include, for example, a keyboard, a mouse, and the like. The output device 604 may output various information including the determined distance information, direction information, and the like to the outside. The output devices 604 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, among others.
Of course, for simplicity, only some of the components of the electronic device 600 relevant to the present disclosure are shown in fig. 4, omitting components such as buses, input/output interfaces, and the like. In addition, electronic device 600 may include any other suitable components depending on the particular application.
In addition to the methods and apparatus described above, embodiments of the present disclosure may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform any of the methods provided by embodiments of the present disclosure.
The computer program product may have program code for performing the operations of embodiments of the present disclosure written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, cause the processor to perform any of the methods provided by the embodiments of the present disclosure.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is noted that, in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The previous description is only for the purpose of describing particular embodiments of the present disclosure, so as to enable those skilled in the art to understand or implement the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for detecting a multi-connection protocol message is characterized by comprising the following steps:
acquiring a message to be detected;
under the condition that the message to be detected is a parent connection message, if the message direction of the message to be detected is the request direction and the connection to which the message to be detected belongs has a conversion identifier corresponding to the protocol type of the message to be detected, determining that the message to be detected is a first message;
under the condition that the message to be detected is a child connection message, if a parent connection to which the message to be detected belongs has a conversion identifier corresponding to the protocol type of the message to be detected, determining that the message to be detected is a first message;
carrying out restoration processing on the first message according to a request-direction quintuple to which the first message belongs, generating a second message, marking a restoration mark, and carrying out security detection on the second message;
and executing a preset handling operation on the second message according to the security detection result.
2. The method of claim 1, wherein the obtaining the message to be detected comprises:
and if the received target message meets the preset condition, performing message conversion on the target message to generate the message to be detected and a conversion identifier.
3. The method of claim 2, after obtaining the message to be detected, further comprising:
and if the connection of the message to be detected has the conversion identifier, recording the source address and the source port of the message to be detected before conversion, and the destination address and the destination port after conversion into a designated domain.
4. The method of claim 1, wherein prior to performing security detection on the second packet, further comprising:
establishing a first connection to record quintuple information of the message to be detected;
and establishing the corresponding expected child connection according to the working mode command received on the parent connection.
5. The method of claim 4, wherein the multi-connection protocol is the FTP protocol, and wherein establishing the corresponding expected child connection according to the working-mode command received on the parent connection comprises:
when the FTP command is PORT, acquiring an IPv4 message of the parent connection before request-direction conversion;
respectively taking the destination address of the connection to which the IPv4 message belongs and a designated port number as an expected source address and an expected source port, and respectively taking the source address of the connection to which the IPv4 message belongs and a port parsed from the PORT command line as an expected destination address and an expected destination port, to establish the expected sub-connection;
when the FTP command is PASV, acquiring an IPv4 message of the parent connection after response-direction conversion;
and taking the source address of the connection to which the IPv4 message belongs as an expected source address, and respectively taking the destination address of the connection to which the IPv4 message belongs and the port parsed from the PASV response packet as an expected destination address and an expected destination port, to establish the expected sub-connection.
6. The method of claim 5, wherein establishing the corresponding expected child connection according to the working-mode command received on the parent connection further comprises:
when the FTP command is EPRT, acquiring an IPv6 message of the parent connection before request-direction conversion;
respectively taking the destination address of the connection to which the IPv6 message belongs and a designated port number as an expected source address and an expected source port, and respectively taking the source address of the connection to which the IPv6 message belongs and a port parsed from the EPRT command line as an expected destination address and an expected destination port, to establish the expected sub-connection;
when the FTP command is EPSV, acquiring an IPv6 message of the parent connection after response-direction conversion;
and taking the source address of the connection to which the IPv6 message belongs as an expected source address, and respectively taking the destination address of the connection to which the IPv6 message belongs and the port parsed from the EPSV response string as an expected destination address and an expected destination port, to establish the expected sub-connection.
7. The method of claim 3, wherein executing the preset handling operation on the second message according to the result of the security detection comprises:
if the security detection result indicates that a risk exists, respectively sending reset messages to the source end and the destination end of the message to be detected, and recording a log according to the address and the port recorded in the designated domain;
and if the security detection result is safe and a restoration mark is marked, performing message conversion on the second message according to the response-direction quintuple of the connection to which the message belongs, and releasing the message.
8. An apparatus for detecting a multi-connection protocol packet, comprising:
the acquisition module is used for acquiring the message to be detected;
the first determining module is used for determining, under the condition that the message to be detected is a parent connection message, that the message to be detected is a first message if the message direction of the message to be detected is the request direction and the connection to which the message to be detected belongs has a conversion identifier corresponding to the protocol type of the message to be detected;
the second determining module is used for determining, under the condition that the message to be detected is a child connection message, that the message to be detected is the first message if the parent connection to which the message to be detected belongs has a conversion identifier corresponding to the protocol type of the message to be detected;
the detection module is used for carrying out restoration processing on the first message according to a request-direction quintuple to which the first message belongs, generating a second message, marking a restoration mark, and carrying out security detection on the second message;
and the sending module is used for executing a preset handling operation on the second message according to the result of the security detection.
9. An electronic device, comprising:
a processor; a memory for storing the processor-executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the method for detecting a multi-connection protocol packet according to any of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the storage medium stores a computer program, which when executed by a processor implements the method for detecting a multi-connection protocol packet according to any one of claims 1 to 7.
CN202211019726.0A 2022-08-24 2022-08-24 Method, device, equipment and storage medium for detecting multi-connection protocol message Active CN115412330B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211019726.0A CN115412330B (en) 2022-08-24 2022-08-24 Method, device, equipment and storage medium for detecting multi-connection protocol message

Publications (2)

Publication Number Publication Date
CN115412330A true CN115412330A (en) 2022-11-29
CN115412330B CN115412330B (en) 2023-05-02

Family

ID=84162493

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211019726.0A Active CN115412330B (en) 2022-08-24 2022-08-24 Method, device, equipment and storage medium for detecting multi-connection protocol message

Country Status (1)

Country Link
CN (1) CN115412330B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180167257A1 (en) * 2016-09-08 2018-06-14 Ray W. Sanders Methods and systems for forming network connections
CN111147519A (en) * 2019-12-31 2020-05-12 奇安信科技集团股份有限公司 Data detection method, device, electronic equipment and medium
CN111787010A (en) * 2020-07-01 2020-10-16 深信服科技股份有限公司 Message processing method, device, equipment and readable storage medium

Also Published As

Publication number Publication date
CN115412330B (en) 2023-05-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant