CN115913592A - Replay attack detection method and device and electronic equipment - Google Patents


Info

Publication number
CN115913592A
Authority
CN
China
Prior art keywords: target, protocol packet, sequence number, window, data
Legal status: Pending
Application number
CN202111150805.0A
Other languages
Chinese (zh)
Inventor
王国良
刘燚
Current Assignee: Beijing Guancheng Technology Co ltd
Original Assignee
Beijing Guancheng Technology Co ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/70: Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a replay attack detection method, a replay attack detection device and electronic equipment. The method comprises the following steps: acquiring a target protocol packet; when the target protocol packet has no sequence number, determining a target payload and at least one historical payload; comparing whether the first n bytes of the target payload are the same as the first n bytes of any historical payload; if they differ from the first n bytes of every historical payload, accepting the target protocol packet; if the first n bytes of at least one historical payload are the same as the first n bytes of the target payload, comparing whether the remaining bytes of that historical payload are the same as the remaining bytes of the target payload; if they differ, accepting the target protocol packet; and if they are the same, determining that the target protocol packet is a replay attack. With this replay attack detection method, device and electronic equipment, a target protocol packet can be determined already at the preliminary judgment to be a normal protocol packet to be accepted, so the detection result is obtained quickly and the efficiency is high; and the identification process is simplified by selecting only part of the previously accepted protocol packets as historical protocol packets.

Description

Replay attack detection method and device and electronic equipment
Technical Field
The invention relates to the technical field of computer network security, in particular to a replay attack detection method, a replay attack detection device, electronic equipment and a computer readable storage medium.
Background
Encrypting application traffic can effectively prevent data transmitted across networks from being hijacked, but it cannot prevent replay attacks. A replay attack is an attack in which the attacker deceives a host by replaying messages or message fragments; it is mainly aimed at the identity authentication process between network parties in order to undermine the correctness of that authentication. Existing replay attack detection schemes generally adopt a challenge-response method: when a client requests the server, the server first generates a random number and returns it to the client; the client then accesses the server carrying that random number, and the server compares the parameter sent by the client; if it is consistent, the request is not a replay attack and access is allowed. However, in the challenge-response method, every time a client requests a service it must first ask the server to generate a challenge code and then carry the response code when performing the service access, that is, the client and the server need two round trips. Detection is therefore slow and inefficient, which is a serious problem for high-speed, highly concurrent systems such as network servers.
Disclosure of Invention
In order to solve the existing technical problem, embodiments of the present invention provide a replay attack detection method, apparatus, electronic device, and computer-readable storage medium.
In a first aspect, an embodiment of the present invention provides a replay attack detection method, including: acquiring a target protocol packet to be identified; when the target protocol packet has no sequence number, determining a target payload in the target protocol packet and determining a historical payload in at least one historical protocol packet, where a historical protocol packet is a previously accepted protocol packet whose interval from the target protocol packet is smaller than a preset threshold; comparing whether the first n bytes of the target payload are the same as the first n bytes of any historical payload; if the first n bytes of the target payload differ from the first n bytes of every historical payload, accepting the target protocol packet; if the first n bytes of the target payload are the same as the first n bytes of at least one historical payload, comparing whether the remaining bytes of each such historical payload are the same as the remaining bytes of the target payload; if the remaining bytes differ, accepting the target protocol packet; and if the remaining bytes are the same, determining that the target protocol packet is a replay attack.
Optionally, the method further comprises: when the target protocol packet has a sequence number, adjusting the size of a window according to the traffic rate at which the target protocol packet is transmitted, where the window comprises a plurality of sequence numbers and the maximum sequence number in the window is the sequence number of the protocol packet accepted most recently before the target protocol packet; comparing whether the target sequence number is larger than the maximum sequence number of the window, where the target sequence number is the sequence number of the target protocol packet; if the target sequence number is larger than the maximum sequence number of the window, accepting the target protocol packet and taking the target sequence number as the new maximum sequence number of the window; if the target sequence number is not larger than the maximum sequence number of the window, comparing whether the target sequence number is larger than the minimum sequence number of the window; if the target sequence number is larger than the minimum sequence number of the window and no protocol packet with the target sequence number has been accepted, accepting the target protocol packet; if the target sequence number is larger than the minimum sequence number of the window and a protocol packet with the target sequence number has already been accepted, determining that the target protocol packet is a replay attack; and if the target sequence number is smaller than the minimum sequence number of the window, determining that the target protocol packet is a replay attack.
Optionally, adjusting the size of the window according to the traffic rate at which the target protocol packet is transmitted includes: adjusting the size of the window based on a preset initial value of the window size and the traffic rate at which the target protocol packet is transmitted; the adjusted window size is:
$$P = \max\left(P_{\min},\; P_0 - (V - V_0) \times 100\%\right);$$
where $P$ is the adjusted window size, $P_0$ is the preset initial value of the window size, $V$ is the traffic rate at which the target protocol packet is transmitted, $V_0$ is a preset base traffic rate, and $P_{\min}$ is a preset minimum value.
Optionally, after determining that the target protocol packet is a replay attack, the method further includes: updating a preset replay attack counter, which accumulates the number of acquired target protocol packets that have been determined to be replay attacks.
Optionally, after acquiring the target protocol packet to be identified, the method further includes: determining the protocol type of the target protocol packet, and determining from that protocol type whether the target protocol packet has a sequence number.
In a second aspect, an embodiment of the present invention provides a replay attack detection apparatus, including: an acquisition module, a determination module, a first comparison module, a first processing module and a first identification module.
The acquisition module is used to acquire a target protocol packet to be identified.
The determination module is used, when the target protocol packet has no sequence number, to determine the target payload in the target protocol packet and the historical payload in at least one historical protocol packet, where a historical protocol packet is a previously accepted protocol packet whose interval from the target protocol packet is smaller than a preset threshold.
The first comparison module is used to compare whether the first n bytes of the target payload are the same as the first n bytes of any historical payload.
The first processing module is used to accept the target protocol packet if the first n bytes of the target payload differ from the first n bytes of every historical payload, and, if the first n bytes of the target payload are the same as the first n bytes of at least one historical payload, to compare whether the remaining bytes of each such historical payload are the same as the remaining bytes of the target payload.
The first identification module is used to accept the target protocol packet if the remaining bytes differ, and to determine that the target protocol packet is a replay attack if the remaining bytes are the same.
Optionally, the apparatus further comprises: an adjustment module, a second comparison module, a second processing module and a second identification module.
The adjustment module is used, when the target protocol packet has a sequence number, to adjust the size of a window according to the traffic rate at which the target protocol packet is transmitted, where the window comprises a plurality of sequence numbers and the maximum sequence number in the window is the sequence number of the protocol packet accepted most recently before the target protocol packet.
The second comparison module is used to compare whether the target sequence number is larger than the maximum sequence number of the window, where the target sequence number is the sequence number of the target protocol packet.
The second processing module is used to accept the target protocol packet and take the target sequence number as the new maximum sequence number of the window if the target sequence number is larger than the maximum sequence number of the window, and otherwise to compare whether the target sequence number is larger than the minimum sequence number of the window.
The second identification module is used to accept the target protocol packet if the target sequence number is larger than the minimum sequence number of the window and no protocol packet with the target sequence number has been accepted; to determine that the target protocol packet is a replay attack if the target sequence number is larger than the minimum sequence number of the window and a protocol packet with the target sequence number has already been accepted; and to determine that the target protocol packet is a replay attack if the target sequence number is smaller than the minimum sequence number of the window.
Optionally, the adjustment module is configured to adjust the size of the window based on a preset initial value of the window size and the traffic rate at which the target protocol packet is transmitted; the adjusted window size is $P = \max\left(P_{\min},\; P_0 - (V - V_0) \times 100\%\right)$, where $P$ is the adjusted window size, $P_0$ is the initial value of the window size, $V$ is the traffic rate at which the target protocol packet is transmitted, $V_0$ is a preset base traffic rate, and $P_{\min}$ is a preset minimum value.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a bus, a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor; the transceiver, the memory and the processor are connected via the bus, and the computer program, when executed by the processor, implements the steps in the replay attack detection method as described above.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, including: a computer program stored on a readable storage medium; the computer program, when executed by a processor, implements the steps in a replay attack detection method as described above.
The replay attack detection method, apparatus, electronic device and computer-readable storage medium provided by the embodiment of the invention can identify a target protocol packet that has no sequence number. By comparing the first n bytes of the target payload carried by the target protocol packet with the first n bytes of the historical payloads carried by the historical protocol packets, a brand new protocol packet that has never been accepted before is identified quickly, and only when the first n bytes of the target payload are exactly the same as the first n bytes of some historical payload is it necessary to further compare whether the remaining bytes of the two are the same, so that a target protocol packet whose payload is exactly the same as a historical payload carried by a historical protocol packet is accurately identified as a replay attack. The method divides replay attack detection into two stages; a target protocol packet can be determined to be a normal protocol packet to be accepted already at the preliminary judgment of the first stage, so the detection result is obtained quickly and the efficiency is high. In addition, rather than comparing the target protocol packet with every protocol packet received so far, the method uses a preset threshold on the interval to select only part of the received protocol packets as historical protocol packets, which reduces the number of objects that must be compared with the target protocol packet, simplifies the identification process and reduces the network resources it occupies.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments or the background art of the present invention, the drawings required to be used in the embodiments or the background art of the present invention will be described below.
FIG. 1 is a flowchart of a replay attack detection method provided by an embodiment of the present invention;
FIG. 2 is a flowchart of the specific method used when the target protocol packet has a sequence number, in the replay attack detection method provided by an embodiment of the present invention;
FIG. 3A is a flowchart of a detailed replay attack detection method for the case where the target protocol packet has no sequence number;
FIG. 3B is a flowchart of a detailed replay attack detection method for the case where the target protocol packet has a sequence number;
FIG. 4 is a schematic structural diagram of a replay attack detection apparatus provided by an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention will be described below with reference to the drawings.
Fig. 1 shows a flowchart of a replay attack detection method according to an embodiment of the present invention. As shown in fig. 1, the method includes the following steps 101-105.
Step 101: acquiring a target protocol packet to be identified.
In the embodiment of the present invention, a protocol packet is a data packet transmitted in a network session between the two endpoints participating in the session (such as a client and a server); when it is necessary to identify whether a certain protocol packet is a replay attack, that protocol packet is taken as the target protocol packet.
Optionally, after acquiring the target protocol packet to be identified, the method further includes:
determining the protocol type of the target protocol packet, and determining from that protocol type whether the target protocol packet has a sequence number.
To prevent the protocol packets in a network session from being hijacked, they are usually encrypted with an encryption protocol to obtain encrypted protocol packets. The common protocol types are mainly: the IPsec ESP (IP Security Encapsulating Security Payload) protocol, ISAKMP (Internet Security Association and Key Management Protocol), the SSH (Secure Shell) protocol, the SSL (Secure Sockets Layer) protocol, the RDP (Remote Desktop) protocol, and so on. Protocol packets of different protocol types have different characteristics, for example whether or not they carry a sequence number: a protocol packet encrypted with the IPsec ESP protocol carries a sequence number, whereas a protocol packet encrypted with the ISAKMP, SSH or SSL protocol carries no sequence number. According to the embodiment of the invention, after the target protocol packet to be identified is acquired, its protocol type can be determined, whether it has a sequence number is determined from that protocol type, and whether it is a replay attack is then identified by the corresponding identification mode. The method can thus select the best identification scheme for protocol packets of different protocol types and identify them quickly.
Step 102: when the target protocol packet has no sequence number, determining the target payload in the target protocol packet, and determining the historical payload in at least one historical protocol packet, where a historical protocol packet is a previously accepted protocol packet whose interval from the target protocol packet is smaller than a preset threshold.
In a network session, one end (for example, a server) usually receives a large number of protocol packets, and it accepts a currently received protocol packet once it has identified that the packet is not a replay attack. Because the number of protocol packets transmitted over the network is huge, in order to save the resources occupied by the identification process and to speed up identification, the embodiment of the invention uses a preset threshold and takes as historical protocol packets only those protocol packets accepted before the target protocol packet that lie within the range of that threshold. The interval between two protocol packets is either a time interval or a count interval between them, and the preset threshold determines which of the protocol packets accepted before the target protocol packet count as historical protocol packets. For example, if the interval is a count interval and the preset threshold is 5, the 5 protocol packets accepted before the target protocol packet was received are taken as the historical protocol packets.
In general, the payload is the data carried by a protocol packet, and payloads are random. In the embodiment of the present invention, when the target protocol packet has no sequence number (for example, it is encrypted with the ISAKMP, SSH or SSL protocol), whether it is a replay attack is determined by comparing payloads. This requires determining the payloads in the target protocol packet and in the historical protocol packets, that is, the payload of the target protocol packet and the payload of at least one historical protocol packet; for convenience of description, the data carried by the target protocol packet is called the target payload and the data carried by a historical protocol packet is called a historical payload.
Step 103: comparing whether the first n bytes of the target payload are the same as the first n bytes of any historical payload.
The data carried by a protocol packet usually runs to several hundred bytes, and directly comparing the complete data carried in each protocol packet makes the whole process complicated and time-consuming, which is inefficient in practice. In the embodiment of the present invention, the first n bytes of the target payload and of each historical payload are compared first, and whether the target protocol packet is a replay attack is judged preliminarily by whether the first n bytes of the target payload are the same as the first n bytes of any historical payload. Here n is a preset number, generally smaller than the total number of bytes in the protocol packet; for example, n can be 8 or 16.
The data of a protocol packet is generally received in order. Because this embodiment uses the first n bytes of the target payload as the basis of comparison, step 103 can be executed as soon as the first n bytes of the target payload have been received, before the whole target payload has arrived, so the comparison starts earlier and identification is faster. Moreover, because payloads are random, the first n bytes of different payloads generally differ, so if the first n bytes of two payloads are the same there is a high probability that the two payloads are completely the same; comparing the first n bytes therefore picks out, with good accuracy, the target protocol packets most suspected of being replay attacks.
Step 104: if the first n bytes of the target payload differ from the first n bytes of every historical payload, accepting the target protocol packet; if the first n bytes of the target payload are the same as the first n bytes of at least one historical payload, comparing whether the remaining bytes of each such historical payload are the same as the remaining bytes of the target payload.
When the first n bytes of the target payload differ from the first n bytes of every historical payload, the target protocol packet carrying the target payload differs from every historical protocol packet within the preset threshold; it is then considered not to have been accepted before and not to be a replay attack, so it can be accepted. When the first n bytes of the target payload are the same as the first n bytes of at least one historical payload, that is, the same as the first n bytes of the payload carried by one historical protocol packet or by several historical protocol packets, the target protocol packet may be a replay attack. It is therefore not accepted for the time being, and the remaining bytes of the target payload must further be compared with the remaining bytes of each matching historical payload to determine whether the target protocol packet is a replay attack.
For example, with n = 8, when the first 8 bytes of the target payload differ from the first 8 bytes of every historical payload, the target protocol packet has not been accepted before, so it is determined not to be a replay attack and is accepted. When the first 8 bytes of the target payload are the same as the first 8 bytes of some historical payload, it cannot yet be determined whether the target protocol packet is a replay attack, so it is necessary to further determine whether the remaining bytes of that historical payload are the same as the remaining bytes of the target payload in order to obtain an accurate result.
Step 105: if the remaining bytes differ, accepting the target protocol packet; if the remaining bytes are the same, determining that the target protocol packet is a replay attack.
When the remaining bytes of the target payload differ from the remaining bytes of the historical payload, the target protocol packet is not identical to the historical protocol packet; it has not been accepted before and is not a replay attack, so it can be accepted. When the remaining bytes of the target payload are the same as those of the historical payload, the target protocol packet is identical to the historical protocol packet, so it is determined to be a replay attack.
The embodiment of the invention can thus identify a target protocol packet that has no sequence number. By comparing the first n bytes of the target payload carried by the target protocol packet with the first n bytes of the historical payloads carried by the historical protocol packets, a brand new protocol packet that has never been accepted before is identified quickly, and only when the first n bytes of the target payload are exactly the same as the first n bytes of some historical payload is it necessary to further compare whether the remaining bytes of the two are the same, so that a target protocol packet whose payload is exactly the same as a historical payload is accurately identified as a replay attack. The method divides replay attack detection into two stages; a target protocol packet can be determined to be a normal protocol packet to be accepted already at the preliminary judgment of the first stage, so the detection result is obtained quickly and the efficiency is high. In addition, rather than comparing the target protocol packet with every protocol packet received so far, the method uses a preset threshold on the interval to select only part of the received protocol packets as historical protocol packets, which reduces the number of objects that must be compared with the target protocol packet, simplifies the identification process and reduces the network resources it occupies.
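The two-stage payload check of steps 102 to 105, written out as an added Python example (this is not code from the patent). It assumes the history is bounded either by a packet count or by a time interval in seconds, both readings the description allows, and it constructs its own sample payloads.

```python
from collections import deque
from typing import Deque, List, Tuple


class PayloadReplayDetector:
    """Two-stage replay check for protocol packets that carry no sequence number.

    The historical payloads are those of previously accepted packets whose
    interval from the target packet is below a preset threshold. The interval
    is a packet count (by_time=False) or a number of seconds (by_time=True).
    """

    def __init__(self, n: int = 8, threshold: float = 5, by_time: bool = False) -> None:
        self.n = n                      # prefix length compared in stage 1
        self.threshold = threshold      # number of packets, or seconds
        self.by_time = by_time
        # (timestamp, payload) of accepted packets, oldest first
        self.history: Deque[Tuple[float, bytes]] = deque()
        self.replay_count = 0           # the preset replay attack counter

    def _prune(self, now: float) -> None:
        """Drop accepted packets that are no longer within the threshold."""
        if self.by_time:
            while self.history and now - self.history[0][0] >= self.threshold:
                self.history.popleft()
        else:
            while len(self.history) > self.threshold:
                self.history.popleft()

    def _accept(self, payload: bytes, now: float) -> str:
        self.history.append((now, payload))
        self._prune(now)
        return "accept"

    def check(self, payload: bytes, now: float = 0.0) -> str:
        """Return "accept" or "replay" for a target payload received at time now."""
        self._prune(now)
        prefix = payload[: self.n]

        # Stage 1: compare only the first n bytes against every historical payload.
        candidates: List[bytes] = [h for _, h in self.history if h[: self.n] == prefix]
        if not candidates:
            # A brand new packet: no historical prefix matches, accept at once.
            return self._accept(payload, now)

        # Stage 2: only for prefix matches, compare the remaining bytes.
        for h in candidates:
            if h[self.n:] == payload[self.n:]:
                self.replay_count += 1
                return "replay"     # byte-for-byte identical to an accepted packet
        return self._accept(payload, now)


def demo() -> Tuple[List[str], int]:
    """Constructed sample payloads: same 8-byte prefix, differing remainders."""
    det = PayloadReplayDetector(n=8, threshold=5)
    p1 = b"ABCDEFGH" + b"rest-one"
    p2 = b"ABCDEFGH" + b"rest-two"   # prefix match only: must still be accepted
    p3 = b"ZZZZZZZZ" + b"rest-one"
    verdicts = [det.check(p) for p in (p1, p2, p1, p3)]
    # Five further distinct packets push p1 out of the 5-packet history, so a
    # replay of p1 delayed beyond the threshold is no longer recognised.
    for i in range(5):
        det.check(b"QQQQQQQ" + bytes([i]) + b"fresh")
    verdicts.append(det.check(p1))
    return verdicts, det.replay_count


if __name__ == "__main__":
    print(demo())   # (['accept', 'accept', 'replay', 'accept', 'accept'], 1)
```

The last verdict shows the trade-off the threshold introduces: a copy replayed after the history has moved on is accepted, so the threshold must be chosen against the longest delay a replay could plausibly have.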
Optionally, after the step 101, the method may further include the following steps 201-204.
Step 201: when the target protocol packet has a sequence number, adjusting the size of a window according to the traffic rate at which the target protocol packet is transmitted, where the window comprises a plurality of sequence numbers and the maximum sequence number in the window is the sequence number of the protocol packet accepted most recently before the target protocol packet.
The sequence numbers of protocol packets that carry a sequence number (such as protocol packets encrypted with the IPsec ESP protocol) can be recorded in a preset window, and the maximum sequence number in the window is the sequence number of the protocol packet accepted last before the target protocol packet is received, that is, the sequence number of the most recently accepted protocol packet. The window may contain a number of consecutive sequence numbers; for example, a window may contain the 50 consecutive sequence numbers 51, 52, 53, …, 100. The window has a size, and in this embodiment the number of sequence numbers contained in the window is taken as its size.
A sequence number may be included in the window even if the protocol packet with that sequence number has not been accepted. For example, if the most recently accepted protocol packet has sequence number 100 and the window size is 50, and the protocol packet with sequence number 95 was not accepted before, the window may still contain the 50 sequence numbers 51, 52, …, 95, …, 100.
Alternatively, the sequence numbers in the window may be restricted to the sequence numbers of protocol packets that have actually been accepted. For example, if the sequence numbers of the accepted protocol packets are 51, 52, …, 94, 96, …, 100, that is, the protocol packet with sequence number 95 was not accepted before and the most recently accepted protocol packet has sequence number 100, then with a window size of 49 the window contains the 49 sequence numbers 51, 52, …, 94, 96, …, 100, and with a window size of 50 it contains the 50 sequence numbers 50, 51, 52, …, 94, 96, …, 100.
In the embodiment of the present invention, when the target protocol packet has a sequence number, the size of the window may be adjusted according to the traffic rate at which the target protocol packet is transmitted, that is, the number of sequence numbers contained in the window is adjusted; for example, the window may be reduced from 100 sequence numbers to 50 sequence numbers based on that traffic rate. The window size is negatively correlated with the traffic rate: the higher the traffic rate, the smaller the window.
Step 202: comparing whether the target sequence number is greater than the maximum sequence number of the window, wherein the target sequence number is the sequence number of the target protocol packet.
In the embodiment of the invention, the sequence number of a target protocol packet that carries a sequence number is called the target sequence number, and the target sequence number is compared with the maximum sequence number in the window, so that whether the target protocol packet with the target sequence number is a replay attack can be preliminarily judged.
Step 203: if the target sequence number is larger than the maximum sequence number of the window, receiving a target protocol packet, and taking the target sequence number as the maximum sequence number of the window; and if the target sequence number is not larger than the maximum sequence number of the window, comparing whether the target sequence number is larger than the minimum sequence number of the window.
When the target sequence number of the target protocol packet is greater than the maximum sequence number of the window, the target sequence number has not been recorded in the window, that is, no protocol packet with a sequence number greater than that of the most recently accepted historical protocol packet has been accepted before, so the target protocol packet is not a replay attack. Therefore, the target protocol packet can be accepted, and the target sequence number is recorded as the new maximum sequence number of the window, so that comparison and judgment can be performed when the next protocol packet is received. When the target sequence number of the target protocol packet is not greater than the maximum sequence number of the window, that is, the target sequence number is less than or equal to the maximum sequence number of the window, it cannot be directly determined that the target protocol packet is a normal protocol packet to be accepted; it may be a replay attack. The minimum sequence number of the window is determined by the size of the window and the maximum sequence number. For example, 100 protocol packets are accepted before the target protocol packet is received, and the 100 protocol packets can be recorded, in acceptance order, as the protocol packet group with sequence numbers 1, 2, 3, …, 100, wherein sequence number 100 is the maximum sequence number; if the window size is 50, the sequence numbers of the last 50 protocol packets accepted before the target protocol packet are in the window, i.e. the 50 sequence numbers from 51 to 100 are the sequence numbers recorded in the window, from which it can be determined that sequence number 51 is the minimum sequence number of the window.
Step 204: if the target sequence number is larger than the minimum sequence number of the window and the protocol packet with the target sequence number is not received, receiving the target protocol packet; if the target sequence number is larger than the minimum sequence number of the window and the protocol packet with the target sequence number is received, determining the target protocol packet as a replay attack; and if the target sequence number is smaller than the minimum sequence number of the window, determining that the target protocol packet is replay attack.
In this embodiment of the present invention, if the target sequence number is smaller than or equal to the maximum sequence number of the window, is also greater than the minimum sequence number of the window, and no protocol packet with the target sequence number has been accepted within the window range (the range between the minimum sequence number and the maximum sequence number), it may be determined that the target protocol packet with the target sequence number is a normal protocol packet to be accepted, and the target protocol packet is accepted. If the target sequence number is smaller than or equal to the maximum sequence number of the window, is also greater than the minimum sequence number of the window, and a protocol packet with the target sequence number has already been accepted within the window range, that is, a sequence number identical to the target sequence number is recorded in the window range, then the target protocol packet with the target sequence number can be determined to be a replay attack. If the target sequence number is smaller than the minimum sequence number of the window, the target protocol packet is a very old packet that has most likely already been accepted. In addition, when the target sequence number is equal to the minimum sequence number of the window, the target protocol packet may be identified either as a replay attack or as an acceptable normal protocol packet, which may be decided according to actual conditions. In the embodiment of the invention, the range of protocol packet sequence numbers compared with the target sequence number can be determined by dynamically adjusting the window size for protocol packets that carry a sequence number, so that a replay attack can be quickly identified.
Optionally, adjusting the size of the window according to the traffic rate at which the target protocol packet is transmitted includes:
adjusting the size of the window based on the preset initial value of the window size and the traffic rate at which the target protocol packet is transmitted; the adjusted window size is:
$P = \max(P_{\min},\ P_0 - (V - V_0) \times 100\%)$;
wherein $P$ represents the adjusted window size, $P_0$ represents the preset initial value of the window size, $V$ represents the traffic rate at which the target protocol packet is transmitted, $V_0$ represents a preset base traffic rate, and $P_{\min}$ represents a preset minimum value.
The embodiment of the invention can dynamically adjust the size of the window in real time, starting from the preset window size and according to the traffic rate actually occupied by transmission of the target protocol packet, and the adjusted window size may be determined from the formula $P = \max(P_{\min},\ P_0 - (V - V_0) \times 100\%)$. Here $P$ represents the adjusted window size; when the target protocol packet is received, the window size $P$ can be used to determine the range of sequence numbers against which the target sequence number is compared. $P_0$ represents the preset initial value of the window size; $V_0$ represents a preset base traffic rate, or the traffic rate at which the last accepted protocol packet was transmitted; $V$ represents the traffic rate at which the currently received target protocol packet is transmitted; $P_{\min}$ represents the lower limit of the preset window size, i.e. the minimum value of the window size; and $\max(A, B)$ denotes the larger of $A$ and $B$. When adjusting the window size according to the traffic rate of the target protocol packet, the window size must be the larger of the currently calculated value and the minimum window size $P_{\min}$, so as to avoid setting a window that is too small, which would leave too few sequence numbers to compare with the target sequence number and thus fail to identify a replay attack accurately.
For example, when the traffic rate of the transmitted target protocol packet is the same as the traffic rate of the last accepted protocol packet, it follows from the above formula that the window size does not change, and when identifying the target protocol packet a window of the same size as for the last accepted protocol packet can be used. When the traffic rate of the transmitted target protocol packet is greater than the traffic rate of the last accepted protocol packet, the window becomes smaller; if the window size calculated from $P_0 - (V - V_0) \times 100\%$ is too small, then, because the window size has a lower limit and must not be smaller than $P_{\min}$, the window used in identifying the target protocol packet has the minimum size $P_{\min}$. When the traffic rate of the transmitted target protocol packet is less than the traffic rate of the last accepted protocol packet, the window becomes larger, up to a maximum of $P_0 + V_0$. The embodiment of the invention can thus dynamically determine the window size according to the actual network environment when identifying whether a protocol packet is a replay attack, so as to identify replay attacks as effectively as possible in any network environment.
Optionally, after determining that the target protocol packet is a replay attack, the method further includes:
updating a preset replay attack counter, wherein the replay attack counter is used to accumulate the number of target protocol packets determined to be replay attacks.
After the target protocol packet is determined to be replay attack, the replay attack of the current time can be counted into a preset replay attack counter capable of accumulating the replay attack times acquired in the network session process, namely the process of updating the replay attack counter is a process of adding one to the replay attack counter. For example, the target protocol packet acquired this time is a replay attack, and if it has not been detected before that the protocol packet is a replay attack, the value of the replay attack counter is increased from 0 to 1; if the current target protocol packet is detected to be replay attack again, the value of the replay attack counter is continuously updated, and the value of the replay attack counter is increased from 1 to 2. The embodiment of the invention can conveniently record the replay attack frequency encountered in the network session process by using the method for setting the replay attack counter, so that developers can find the loopholes existing in the network in time, and the method is favorable for analyzing the replay attack characteristics and taking remedial measures.
The following describes the flow of the replay attack detection method in detail by using an embodiment, and as shown in fig. 3A and fig. 3B, the method includes the following steps 301 to 312.
Step 301: acquiring a target protocol packet to be identified.
Step 302: determining whether the target protocol packet has a sequence number; if the target protocol packet has no sequence number, executing step 303, and if the target protocol packet has a sequence number, executing step 307.
Step 303: determining the target load in the target protocol packet and the historical loads in the historical protocol packets, and judging whether the first 8 bytes of data of the target load are the same as the first 8 bytes of data of any historical load; if so, executing step 304, otherwise executing step 306.
Step 304: determining whether the remaining byte data of the historical load whose first 8 bytes are identical to those of the target load are identical to the remaining byte data of the target load; if so, executing step 305, and if not, executing step 306.
Step 305: determining the target protocol packet to be a replay attack.
Step 306: receiving the target protocol packet.
Step 307: determining the size of the window, and determining whether the target sequence number of the target protocol packet is greater than the maximum sequence number of the window; if so, executing step 308, otherwise executing step 309.
Step 308: receiving the target protocol packet, and taking the target sequence number as the maximum sequence number of the window.
Step 309: judging whether the target sequence number is smaller than the minimum sequence number of the window; if so, executing step 311, otherwise executing step 310.
Step 310: judging whether the protocol packet with the target sequence number has already been accepted; if so, executing step 311, otherwise executing step 312.
Step 311: determining the target protocol packet to be a replay attack.
Step 312: receiving the target protocol packet.
It should be noted that the processes described in steps 301-306 can be referred to in fig. 3A, and the processes described in steps 307-312 can be referred to in fig. 3B.
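The sequence-number path of steps 307 to 312, together with the window definition of steps 201 to 204 and the window-size formula $P = \max(P_{\min},\ P_0 - (V - V_0) \times 100\%)$, as an added Python example; this is not code from the patent or its assignee. It assumes plain integer sequence numbers without wrap-around handling, tracks accepted numbers in a set, treats a target sequence number equal to the window minimum like any other in-window number (one of the two options the text allows), reads $V$ and $V_0$ as link utilisation in percent so that the formula yields a count of sequence numbers, and counts replays in the manner of the replay attack counter; `adjust_window`, `SequenceWindow` and `run_demo` are names chosen here.

```python
"""Windowed sequence-number replay check with a traffic-rate-adjusted window.

Added example, not the patent's code. Assumptions the text leaves open:
sequence numbers are plain non-negative integers (no 32-bit wrap handling);
accepted sequence numbers are tracked in a set; a target sequence number equal
to the window minimum is treated like any other in-window number, i.e. it is
accepted only if not seen before; V and V_0 are link utilisation in percent,
so that (V - V_0) * 100% is a plain count of sequence numbers.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

ACCEPT = "accept"
REPLAY = "replay"


def adjust_window(p0: int, p_min: int, v: float, v0: float) -> int:
    """P = max(P_min, P_0 - (V - V_0) * 100%).

    With V and V_0 in percent, (V - V_0) * 100% reduces to (V - V_0): a higher
    traffic rate shrinks the window, a lower one enlarges it, never below P_min.
    """
    return max(p_min, int(p0 - (v - v0)))


@dataclass
class SequenceWindow:
    size: int                                        # P, the number of sequence numbers the window spans
    max_seq: Optional[int] = None                    # sequence number of the most recently accepted packet
    accepted: Set[int] = field(default_factory=set)  # accepted sequence numbers still inside the window
    replays: int = 0                                 # the replay attack counter

    @property
    def min_seq(self) -> int:
        # A window of `size` numbers ending at max_seq: size 50, max 100 -> min 51 (step 203 text)
        return self.max_seq - self.size + 1

    def _trim(self) -> None:
        # Forget accepted numbers that have slid below the window minimum
        low = self.min_seq
        self.accepted = {s for s in self.accepted if s >= low}

    def _replay(self) -> str:
        self.replays += 1                            # update the replay attack counter
        return REPLAY

    def resize(self, new_size: int) -> None:
        # Apply a window size recomputed by adjust_window(); numbers that fall out become "too old"
        self.size = new_size
        if self.max_seq is not None:
            self._trim()

    def check(self, target_seq: int) -> str:
        # Step 307/308: newer than anything accepted so far -> accept and slide the window
        if self.max_seq is None or target_seq > self.max_seq:
            self.max_seq = target_seq
            self.accepted.add(target_seq)
            self._trim()
            return ACCEPT
        # Step 309/311: below the window minimum -> too old, treated as a replay
        if target_seq < self.min_seq:
            return self._replay()
        # Step 310/311: inside the window and already accepted -> replay
        if target_seq in self.accepted:
            return self._replay()
        self.accepted.add(target_seq)                # step 312: late but first-seen packet
        return ACCEPT


def run_demo() -> dict:
    """Constructed scenario: packets 1..100 arrive in order except 95, then late and replayed packets."""
    window = SequenceWindow(size=adjust_window(p0=100, p_min=20, v=70, v0=20))  # P = max(20, 100-50) = 50
    for seq in range(1, 101):
        if seq != 95:                                # constructed gap: packet 95 never arrived
            window.check(seq)
    return {
        "size": window.size,                         # 50
        "min_seq": window.min_seq,                   # 51
        "late_95": window.check(95),                 # accept: inside the window, never seen
        "replay_95": window.check(95),               # replay: now recorded in the window
        "replay_100": window.check(100),             # replay: the current maximum, already accepted
        "too_old_40": window.check(40),              # replay: below the window minimum
        "new_101": window.check(101),                # accept: window slides to 52..101
        "min_after": window.min_seq,                 # 52
        "fell_out_51": window.check(51),             # replay: 51 dropped below the new minimum
        "replays": window.replays,                   # 4
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The set-based bookkeeping keeps the example short; a production implementation (IPsec anti-replay, for instance) would use a fixed-size bitmap indexed relative to the window maximum so that each check is O(1) and memory is bounded by the window size. Shrinking the window on a traffic burst also means that legitimate but late packets are rejected as too old, which is the trade-off the $P_{\min}$ floor guards against.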
An embodiment of the present invention further provides a replay attack detection apparatus, as shown in fig. 4, where the apparatus includes: an obtaining module 41, a determining module 42, a first comparing module 43, a first processing module 44 and a first identifying module 45.
The obtaining module 41 is configured to obtain a target protocol packet to be identified.
The determining module 42 is configured to determine a target load in the target protocol packet and determine a historical load in at least one historical protocol packet in the case that the target protocol packet has no sequence number, where the historical protocol packet is a protocol packet that is previously accepted and has a distance from the target protocol packet that is smaller than a preset threshold.
The first comparing module 43 is used to compare whether the first n bytes of data of the target load are the same as the first n bytes of data of any one of the historical loads.
The first processing module 44 is configured to receive the target protocol packet if the first n bytes of data of the target load are different from the first n bytes of data of any one of the historical loads; and if the first n bytes of data of the target load are the same as the first n bytes of data of at least one historical load, comparing whether the residual bytes of data of the historical load, which are the same as the first n bytes of data of the target load, are the same as the residual bytes of data of the target load.
The first identifying module 45 is configured to accept the target protocol packet if the remaining byte data is different; and if the residual byte data are the same, determining that the target protocol packet is replay attack.
Optionally, the apparatus further comprises an adjusting module, a second comparing module, a second processing module and a second identifying module.
The adjusting module is used to adjust the size of a window according to the traffic rate at which the target protocol packet is transmitted, when the target protocol packet has a sequence number, wherein the window comprises a plurality of sequence numbers and the maximum sequence number in the window is the sequence number of the protocol packet most recently received before the target protocol packet.
The second comparison module is used to compare whether the target sequence number is greater than the maximum sequence number of the window, wherein the target sequence number is the sequence number of the target protocol packet.
The second processing module is used for receiving the target protocol packet and taking the target sequence number as the maximum sequence number of the window if the target sequence number is larger than the maximum sequence number of the window; and if the target sequence number is not larger than the maximum sequence number of the window, comparing whether the target sequence number is larger than the minimum sequence number of the window.
The second identification module is used for receiving the target protocol packet if the target sequence number is larger than the minimum sequence number of the window and the protocol packet with the target sequence number is not received; if the target sequence number is larger than the minimum sequence number of the window and the protocol packet with the target sequence number is accepted, determining that the target protocol packet is a replay attack; and if the target sequence number is smaller than the minimum sequence number of the window, determining that the target protocol packet is replay attack.
Optionally, the adjusting module is configured to adjust the size of the window based on a preset initial value of the window size and the traffic rate at which the target protocol packet is transmitted; the adjusted window size is $P = \max(P_{\min},\ P_0 - (V - V_0) \times 100\%)$, wherein $P$ represents the adjusted window size, $P_0$ represents the preset initial value of the window size, $V$ represents the traffic rate at which the target protocol packet is transmitted, $V_0$ represents a preset base traffic rate, and $P_{\min}$ represents a preset minimum value.
Optionally, the apparatus further comprises a counting module.
The counting module is used to update a preset replay attack counter after the target protocol packet is determined to be a replay attack, wherein the replay attack counter is used to accumulate the number of target protocol packets determined to be replay attacks.
Optionally, the apparatus further comprises a classification module.
The classification module is used for determining the protocol type of the target protocol packet after the target protocol packet to be identified is obtained, and determining whether the target protocol packet has a sequence number according to the protocol type of the target protocol packet.
The replay attack detection device provided by the embodiment of the invention can identify a target protocol packet without a sequence number. It compares the first n bytes of data of the target load carried by the target protocol packet with the first n bytes of data of the historical loads carried by the historical protocol packets, so that a brand new protocol packet that has never been accepted before can be identified quickly; only when the first n bytes of data of the target load are identical to the first n bytes of data of some historical load does it need to further compare whether the remaining bytes of data of the two are the same, so as to accurately identify as a replay attack a target protocol packet whose target load is completely identical to the historical load carried by a historical protocol packet. The device divides the detection of replay attacks into two stages, and in the preliminary judgment of the first stage it can directly determine that the target protocol packet is a normal protocol packet to be accepted, so that the detection result is obtained quickly and efficiently. In addition, the device does not compare every received protocol packet with the target protocol packet; instead it selects a part of the received protocol packets as historical protocol packets by means of an interval determined by a preset threshold, so that the number of objects to be compared with the target protocol packet in the whole identification process is reduced, the identification process is simplified, and the network resources occupied in the process are reduced.
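The payload path of modules 42 to 45 (steps 303 to 306 of the flow above), as an added Python example; this is not code from the patent or its assignee. The "distance smaller than a preset threshold" is read here as a count of previously accepted packets, so the historical loads are the last `history_depth` accepted payloads; n is 8 as in steps 303 and 304; `PayloadReplayDetector`, `history_depth`, `full_compares` and `run_demo` are names chosen for this example.

```python
"""Two-stage payload comparison for protocol packets that carry no sequence number.

Added example, not the patent's or the assignee's code. Assumptions the text
leaves open: the "distance smaller than a preset threshold" is taken as a count
of previously accepted packets, so the history is the last `history_depth`
accepted payloads; n = 8 as in steps 303-304; a payload shorter than n bytes
is compared whole in stage one and has an empty remainder in stage two.
"""
from collections import deque
from typing import Deque

ACCEPT = "accept"
REPLAY = "replay"


class PayloadReplayDetector:
    def __init__(self, history_depth: int = 64, prefix_len: int = 8):
        # Historical loads: the most recently accepted payloads, oldest evicted first
        self.history: Deque[bytes] = deque(maxlen=history_depth)
        self.prefix_len = prefix_len          # n, the leading bytes compared in stage one
        self.full_compares = 0                # how often stage two (remaining bytes) actually ran

    def check(self, payload: bytes) -> str:
        n = self.prefix_len
        # Stage one (step 303): compare only the first n bytes with every historical load.
        # A payload whose prefix matches nothing is accepted without any further comparison.
        candidates = [h for h in self.history if h[:n] == payload[:n]]
        # Stage two (step 304): for prefix matches only, compare the remaining bytes
        for h in candidates:
            self.full_compares += 1
            if h[n:] == payload[n:]:
                return REPLAY                 # step 305: identical to an accepted historical load
        self.history.append(payload)          # step 306: accept and make it a historical load
        return ACCEPT


def run_demo() -> dict:
    """Constructed traffic: a session whose payloads share an 8-byte header, plus unrelated packets."""
    d = PayloadReplayDetector(history_depth=4)
    hdr = b"\x17\x03\x03\x00SESS"             # constructed 8-byte header-like prefix shared by a session
    p1 = hdr + b"body-one"
    p2 = hdr + b"body-two"
    p3 = b"NEWPROTO" + b"payload"             # constructed payload with an unrelated prefix
    p4 = b"NEWPROTO" + b"another"
    p5 = b"ZZZZZZZZ" + b"x"
    results = [
        d.check(p1),   # accept: empty history
        d.check(p2),   # accept: prefix matches p1, remainder differs
        d.check(p3),   # accept: no prefix match, stage two skipped
        d.check(p1),   # replay: identical to accepted p1
        d.check(p3),   # replay: identical to accepted p3
        d.check(p4),   # accept: prefix matches p3, remainder differs
        d.check(p5),   # accept: history is now full (p2, p3, p4, p5); p1 evicted
        d.check(p1),   # accept: p1 fell outside the history window, so its replay is no longer caught
    ]
    return {"results": results, "full_compares": d.full_compares, "history_len": len(d.history)}


if __name__ == "__main__":
    print(run_demo())
```

The last step of the demo is the caveat that the preset threshold introduces: a packet replayed after more than `history_depth` accepted packets is not recognised, so the threshold bounds both the comparison cost and the detection horizon. The `full_compares` counter shows how the prefix stage keeps full-payload comparisons to a handful even when every packet is checked.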
In addition, an embodiment of the present invention further provides an electronic device, which includes a bus, a transceiver, a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the transceiver, the memory, and the processor are connected via the bus, respectively, and when the computer program is executed by the processor, the processes of the foregoing replay attack detection method embodiment are implemented, and the same technical effects can be achieved, and are not described herein again to avoid repetition.
Specifically, referring to fig. 5, an embodiment of the present invention further provides an electronic device, which includes a bus 1110, a processor 1120, a transceiver 1130, a bus interface 1140, a memory 1150, and a user interface 1160.
In an embodiment of the present invention, the electronic device further includes: a computer program stored on the memory 1150 and executable on the processor 1120, the computer program implementing the various processes of the replay attack detection method embodiments described above when executed by the processor 1120.
A transceiver 1130 for receiving and transmitting data under the control of the processor 1120.
In embodiments of the invention in which a bus architecture (represented by bus 1110) is used, bus 1110 may include any number of interconnected buses and bridges, with bus 1110 connecting various circuits including one or more processors, represented by processor 1120, and memory, represented by memory 1150.
Bus 1110 represents one or more of any of several types of bus structures, including a memory bus, and memory controller, a peripheral bus, an Accelerated Graphics Port (AGP), a processor, or a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include: an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA), a Peripheral Component Interconnect (PCI) bus.
Processor 1120 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits in hardware or by instructions in software in a processor. The processor described above includes: general purpose processors, Central Processing Units (CPUs), Network Processors (NPs), Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), Complex Programmable Logic Devices (CPLDs), Programmable Logic Arrays (PLAs), Micro Control Units (MCUs) or other programmable logic devices, discrete gates, transistor logic devices, and discrete hardware components. The various methods, steps and logic blocks disclosed in embodiments of the present invention may be implemented or performed by such a processor. For example, the processor may be a single core processor or a multi-core processor, which may be integrated on a single chip or located on multiple different chips.
Processor 1120 may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be directly performed by a hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor. The software modules may be located in a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), a register, and other readable storage media known in the art. The readable storage medium is located in a memory, and a processor reads information in the memory and completes the steps of the method in combination with hardware of the processor.
The bus 1110 may also connect various other circuits such as peripherals, voltage regulators, or power management circuits to provide an interface between the bus 1110 and the transceiver 1130, as is well known in the art. Therefore, the embodiments of the present invention will not be further described.
The transceiver 1130 may be one element or may be multiple elements, such as multiple receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. For example: the transceiver 1130 receives external data from other devices, and the transceiver 1130 transmits data processed by the processor 1120 to other devices. Depending on the nature of the computer system, a user interface 1160 may also be provided, such as: touch screen, physical keyboard, display, mouse, speaker, microphone, trackball, joystick, stylus.
It is to be appreciated that in embodiments of the invention, the memory 1150 may further include memory located remotely with respect to the processor 1120, which may be coupled to a server via a network. One or more portions of the above-described networks may be an ad hoc network, an intranet, an extranet, a Virtual Private Network (VPN), a Local Area Network (LAN), a Wireless Local Area Network (WLAN), a Wide Area Network (WAN), a Wireless Wide Area Network (WWAN), a Metropolitan Area Network (MAN), the Internet, a Public Switched Telephone Network (PSTN), a Plain Old Telephone Service (POTS) network, a cellular telephone network, a wireless fidelity (Wi-Fi) network, or a combination of two or more of the above. For example, the cellular telephone network and the wireless network may be a Global System for Mobile Communications (GSM) system, a Code Division Multiple Access (CDMA) system, a Worldwide Interoperability for Microwave Access (WiMAX) system, a General Packet Radio Service (GPRS) system, a Wideband Code Division Multiple Access (WCDMA) system, a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a Long Term Evolution-Advanced (LTE-A) system, a Universal Mobile Telecommunications System (UMTS), an enhanced Mobile Broadband (eMBB) system, a massive Machine Type Communication (mMTC) system, an Ultra Reliable Low Latency Communication (URLLC) system, or the like.
It will be appreciated that the memory 1150 in embodiments of the present invention can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The nonvolatile memory includes: Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), or Flash Memory.
The volatile memory includes: Random Access Memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as: Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced Synchronous DRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The memory 1150 of the electronic device described in the embodiments of the invention includes, but is not limited to, the above and any other suitable types of memory.
In an embodiment of the present invention, memory 1150 stores the following elements of operating system 1151 and application programs 1152: an executable module, a data structure, or a subset thereof, or an expanded set thereof.
Specifically, the operating system 1151 includes various system programs, such as a framework layer, a core library layer and a driver layer, for implementing various basic services and processing hardware-based tasks. Applications 1152 include various applications, such as a media player and a browser, for implementing various application services. A program implementing a method of an embodiment of the invention may be included in application program 1152. The application programs 1152 include: applets, objects, components, logic, data structures, and other computer system executable instructions that perform particular tasks or implement particular abstract data types.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program implements each process of the foregoing replay attack detection method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
The computer-readable storage medium includes: permanent and non-permanent, removable and non-removable media may be tangible devices that retain and store instructions for use by an instruction execution apparatus. The computer-readable storage medium includes: electronic memory devices, magnetic memory devices, optical memory devices, electromagnetic memory devices, semiconductor memory devices, and any suitable combination of the foregoing. The computer-readable storage medium includes: phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), non-volatile random access memory (NVRAM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic tape cartridge storage, magnetic tape disk storage or other magnetic storage devices, memory sticks, mechanically encoded devices (e.g., punched cards or raised structures in a groove having instructions recorded thereon), or any other non-transmission medium useful for storing information that may be accessed by a computing device. As defined in embodiments of the present invention, the computer-readable storage medium does not include transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses traveling through a fiber optic cable), or electrical signals transmitted through a wire.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, electronic device, and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electrical, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to solve the problem to be solved by the embodiment of the present invention.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present invention may be substantially or partially contributed by the prior art, or all or part of the technical solutions may be embodied in a software product stored in a storage medium and including instructions for causing a computer device (including a personal computer, a server, a data center, or other network devices) to execute all or part of the steps of the methods of the embodiments of the present invention. And the storage medium includes various media that can store the program code as listed in the foregoing.
In the description of the embodiments of the present invention, it should be apparent to those skilled in the art that the embodiments of the present invention can be embodied as methods, apparatuses, electronic devices, and computer-readable storage media. Thus, embodiments of the invention may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), a combination of hardware and software. Furthermore, in some embodiments, embodiments of the invention may also be embodied in the form of a computer program product in one or more computer-readable storage media having computer program code embodied in the medium.
The computer-readable storage media described above may take any combination of one or more computer-readable storage media. The computer-readable storage medium includes: an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of the computer-readable storage medium include: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any combination thereof. In embodiments of the invention, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer program code embodied on the computer readable storage medium may be transmitted using any appropriate medium, including: wireless, wire, fiber optic cable, radio frequency (RF), or any suitable combination thereof.
Computer program code for carrying out operations for embodiments of the present invention may be written in assembly instructions, Instruction Set Architecture (ISA) instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, integrated circuit configuration data, or in one or more programming languages, including an object-oriented programming language such as Java, Smalltalk, or C++, and also conventional procedural programming languages such as C or a similar programming language. The computer program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer.
The embodiments of the present invention describe the provided method, apparatus, and electronic device through flowchart and/or block diagram.
It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions. These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer or other programmable data processing apparatus to function in a particular manner. Thus, the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The above description is only a specific implementation of the embodiments of the present invention, but the scope of the embodiments of the present invention is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the embodiments of the present invention, and all such changes or substitutions should be covered by the scope of the embodiments of the present invention. Therefore, the protection scope of the embodiments of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A replay attack detection method, comprising:
acquiring a target protocol packet to be identified;
under the condition that the target protocol packet has no sequence number, determining a target load in the target protocol packet, and determining a historical load in at least one historical protocol packet, wherein the historical protocol packet is a previously received protocol packet, and the interval between the historical protocol packet and the target protocol packet is smaller than a preset threshold value;
comparing whether the first n bytes of data of the target load is the same as the first n bytes of data of any one of the historical loads;
if the first n bytes of data of the target load are different from the first n bytes of data of any historical load, receiving the target protocol packet; if the first n bytes of data of the target load are the same as the first n bytes of data of at least one historical load, comparing whether the residual bytes of data of the historical load which are the same as the first n bytes of data of the target load are the same as the residual bytes of data of the target load;
if the residual byte data are different, receiving the target protocol packet; and if the residual byte data are the same, determining that the target protocol packet is replay attack.
2. The method of claim 1, further comprising:
under the condition that the sequence number of the target protocol packet is present, adjusting the size of a window according to the flow rate of the target protocol packet, wherein the window comprises a plurality of sequence numbers, and the maximum sequence number in the window is the sequence number of the protocol packet which is received before the target protocol packet;
comparing whether the target sequence number is larger than the maximum sequence number of the window, wherein the target sequence number is the sequence number of the target protocol packet;
if the target sequence number is larger than the maximum sequence number of the window, receiving the target protocol packet, and taking the target sequence number as the maximum sequence number of the window; if the target sequence number is not larger than the maximum sequence number of the window, comparing whether the target sequence number is larger than the minimum sequence number of the window or not;
if the target sequence number is larger than the minimum sequence number of the window and the protocol packet with the target sequence number is not accepted, accepting the target protocol packet; if the target sequence number is larger than the minimum sequence number of the window and the protocol packet with the target sequence number is accepted, determining that the target protocol packet is a replay attack; and if the target sequence number is smaller than the minimum sequence number of the window, determining that the target protocol packet is replay attack.
3. The method of claim 2, wherein adjusting the size of the window according to the traffic rate of transmitting the target protocol packet comprises:
adjusting the size of the window based on a preset initial value of the size of the window and the flow rate of transmitting the target protocol packet; the adjusted window size is:
$P = \max\left(P_{\min},\; P_0 - (V - V_0) \times 100\%\right)$;
wherein $P$ represents the adjusted window size, $P_0$ represents the preset initial value of the window size, $V$ represents the flow rate of transmitting the target protocol packet, $V_0$ represents a preset base traffic rate, and $P_{\min}$ represents a preset minimum value.
4. The method of claim 2, further comprising, after said determining that the target protocol packet is a replay attack:
and updating a preset replay attack counter, wherein the replay attack counter is used for accumulating the acquired target protocol packets as the replay attack number.
5. The method of claim 1, further comprising, after the obtaining the target protocol packet to be identified:
and determining the protocol type of the target protocol packet, and determining whether the target protocol packet has a sequence number according to the protocol type of the target protocol packet.
6. A replay attack detecting apparatus, comprising: the device comprises an acquisition module, a determination module, a first comparison module, a first processing module and a first identification module;
the acquisition module is used for acquiring a target protocol packet to be identified;
the determining module is used for determining a target load in the target protocol packet and determining a historical load in at least one historical protocol packet under the condition that the target protocol packet has no sequence number, wherein the historical protocol packet is a previously received protocol packet of which the interval with the target protocol packet is smaller than a preset threshold value;
the first comparison module is used for comparing whether the first n bytes of data of the target load is the same as the first n bytes of data of any historical load or not;
the first processing module is used for receiving the target protocol packet if the first n bytes of data of the target load are different from the first n bytes of data of any historical load; if the first n bytes of data of the target load are the same as the first n bytes of data of at least one historical load, comparing whether the residual bytes of data of the historical load which are the same as the first n bytes of data of the target load are the same as the residual bytes of data of the target load;
the first identification module is used for receiving the target protocol packet if the residual byte data are different; and if the residual byte data are the same, determining that the target protocol packet is replay attack.
7. The apparatus of claim 6, further comprising: the device comprises an adjusting module, a second comparing module, a second processing module and a second identifying module;
the adjusting module is used for adjusting the size of a window according to the flow rate of transmitting the target protocol packet under the condition of the sequence number of the target protocol packet, wherein the window comprises a plurality of sequence numbers, and the maximum sequence number in the window is the sequence number of the protocol packet which is newly received before the target protocol packet;
the second comparison module is used for comparing whether the target sequence number is greater than the maximum sequence number of the window, wherein the target sequence number is the sequence number of the target protocol packet;
the second processing module is used for receiving the target protocol packet and taking the target sequence number as the maximum sequence number of the window if the target sequence number is larger than the maximum sequence number of the window; if the target sequence number is not larger than the maximum sequence number of the window, comparing whether the target sequence number is larger than the minimum sequence number of the window or not;
the second identification module is used for receiving the target protocol packet if the target sequence number is greater than the minimum sequence number of the window and the protocol packet with the target sequence number is not received; if the target sequence number is larger than the minimum sequence number of the window and the protocol packet with the target sequence number is accepted, determining that the target protocol packet is replay attack; and if the target sequence number is smaller than the minimum sequence number of the window, determining that the target protocol packet is replay attack.
8. The apparatus of claim 7, wherein the adjusting module is configured to adjust the size of the window based on a preset initial value of the size of the window and a traffic rate of transmitting the target protocol packet; the adjusted window size is:
$P = \max\left(P_{\min},\; P_0 - (V - V_0) \times 100\%\right)$;
wherein $P$ represents the adjusted window size, $P_0$ represents the initial value of the window size, $V$ represents the traffic rate of transmitting the target protocol packet, $V_0$ represents a preset base traffic rate, and $P_{\min}$ represents a preset minimum value.
9. An electronic device comprising a bus, a transceiver, a memory, a processor and a computer program stored on the memory and executable on the processor, the transceiver, the memory and the processor being connected via the bus, characterized in that the computer program realizes the steps in the replay attack detection method according to any of claims 1 to 5 when executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps in the replay attack detection method according to any one of claims 1 to 5.
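The two detection paths of claims 1 to 3 (mirrored by the apparatus of claims 6 to 8) and the routing of claim 5, worked as an added Python example; this is illustrative code written for this page, not an implementation from the patent or its assignee. Assumptions, all labelled in the code: the "× 100%" factor in the window formula is read literally as a factor of 1 and the result truncated to an integer; the lower window bound is exclusive so the window holds exactly P sequence numbers (the claims do not state the equality case); only accepted packets enter the payload history; the Packet type and every sample value are constructed.

```python
from collections import deque
from typing import NamedTuple, Optional

class Packet(NamedTuple):     # constructed model; seq is None when the protocol has no sequence number
    ts: float                 # arrival time in seconds
    seq: Optional[int]
    payload: bytes

def adjusted_window_size(p0: int, v: float, v0: float, p_min: int) -> int:
    """Claims 3 / 8: P = max(P_min, P_0 - (V - V_0) * 100%)."""
    # assumption: '* 100%' is taken as a factor of 1 and P is truncated to an integer
    return max(p_min, int(p0 - (v - v0)))

class SequenceWindowDetector:
    """Claims 2-3 / 7-8: anti-replay window over sequence numbers, resized per packet."""
    def __init__(self, p0: int, p_min: int, v0: float):
        self.p0, self.p_min, self.v0 = p0, p_min, v0
        self.max_seq: Optional[int] = None  # largest accepted seq = top of the window
        self.seen = set()                   # seqs already accepted inside the window

    def check(self, seq: int, rate: float) -> str:
        size = adjusted_window_size(self.p0, rate, self.v0, self.p_min)
        if self.max_seq is None or seq > self.max_seq:
            self.max_seq = seq              # slide the window forward
            self.seen.add(seq)
            self.seen = {s for s in self.seen if s > self.max_seq - size}
            return "accept"
        min_seq = self.max_seq - size       # assumption: exclusive floor, window holds P seqs
        if seq > min_seq:
            if seq in self.seen:
                return "replay"             # already received inside the window
            self.seen.add(seq)
            return "accept"                 # out of order but seen for the first time
        return "replay"                     # below the window: cannot be validated, rejected

class PayloadHistoryDetector:
    """Claims 1 / 6: without sequence numbers, compare the first n payload bytes and then
    the remaining bytes against packets accepted within the interval threshold."""
    def __init__(self, n: int, threshold: float):
        self.n, self.threshold = n, threshold
        self.history = deque()              # (ts, payload) of accepted packets only

    def check(self, payload: bytes, ts: float) -> str:
        while self.history and ts - self.history[0][0] >= self.threshold:
            self.history.popleft()          # older than the threshold: no longer compared
        head, tail = payload[:self.n], payload[self.n:]
        for _, old in self.history:
            # cheap prefix filter first; the remainder is compared only on a prefix hit
            if old[:self.n] == head and old[self.n:] == tail:
                return "replay"
        self.history.append((ts, payload))
        return "accept"

def classify(pkt: Packet, seq_det: SequenceWindowDetector,
             pay_det: PayloadHistoryDetector, rate: float) -> str:
    """Claim 5: route on whether the protocol carries a sequence number."""
    if pkt.seq is not None:
        return seq_det.check(pkt.seq, rate)
    return pay_det.check(pkt.payload, pkt.ts)
```

A burst well above the base rate shrinks the window to P_min, so a late packet that would have been accepted at the base rate is rejected as too old; the payload path rejects an exact duplicate inside the interval but accepts one whose remainder differs or whose predecessor has aged out.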

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111150805.0A CN115913592A (en) 2021-09-29 2021-09-29 Replay attack detection method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN115913592A (en) 2023-04-04

Family

ID=86491883

Country Status (1)

Country Link
CN (1) CN115913592A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination