CN116132345A - Harmless generation method and device for malicious traffic and electronic equipment - Google Patents
- Publication number: CN116132345A
- Application number: CN202310071188.8A
- Authority: CN (China)
- Prior art keywords: malicious, attacked, flow, data packet, traffic
- Legal status: Pending
Classifications
- H04L43/50: Testing arrangements (under H04L43/00, arrangements for monitoring or testing data switching networks)
- H04L63/1408: Network security; detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L2209/26: Testing a cryptographic entity, e.g. testing the integrity of an encryption key or encryption algorithm
- H04L47/2475: Traffic characterised by specific attributes, e.g. priority or QoS, for supporting traffic characterised by the type of application
Abstract
The embodiments of the application provide a malicious traffic harmless generation method, a malicious traffic harmless generation device and electronic equipment. The method comprises the steps of: extracting malicious data streams meeting the conditions from a PCAP file, identifying traffic application information, storing the malicious data streams as a traffic file, and thereby completing preparation for harmless generation of the malicious traffic; the attack end and the attacked end read the same traffic file and each generate traffic bytecode according to the configuration parameters they read; the attacked end creates a socket according to the ports identified in the traffic bytecode and listens on the one or more corresponding ports; when the attack end has a proxy parameter, proxy authentication and connection to the attacked end are carried out according to the proxy parameter; after the attack end and the attacked end are successfully connected, they send or receive data packets, and harmless generation of malicious traffic is realized. With this processing scheme, the harmless generation method and device for malicious traffic span network segments, NAT and proxies, are simple in algorithm logic, easy to deploy, high in fault tolerance, applicable to metadata, payload and the like, and can be modified at will.
Description
Technical Field
The application relates to the technical field of network security, in particular to a malicious traffic harmless generation method and device and electronic equipment.
Background
At present, when testing or verifying a network security product, directly running malicious software to generate malicious network traffic is very inconvenient in terms of environment configuration and deployment, so a general-purpose software tool or device is usually used to generate different kinds of malicious network traffic; as the traffic passes through the network security device, the device produces different responses, thereby achieving the purpose of testing or verifying the network security product.
The existing method for testing or verifying network security products mainly captures the traffic generated by malicious software and stores it as a PCAP file. At the time of testing or verification, there are generally two methods:
The first method reads the PCAP file and resends the traffic it contains, as shown in Fig. 1. This method is suitable for network security products that obtain mirrored traffic and is not suitable for network security products deployed in series (inline).
The second method deploys two pieces of software or two devices, one as the attack end and one as the attacked end, as shown in Fig. 2. The attack end and the attacked end read the corresponding content from the PCAP, replace the corresponding MAC addresses, and then send the traffic data to each other.
However, the prior art methods have limitations and are complex to use in testing or verification:
Problem one: when the network link is unstable and packet loss occurs, the PCAP method cannot retransmit the data packet; even if the software or device logically performs timeout retransmission, the retransmitted content is completely identical to the lost packet, which does not conform to how network protocols actually handle retransmission. This may cause the network security product to fail to identify the retransmitted packets as part of the same data stream, the application to fail to identify the retransmitted packet normally, and similar problems.
Problem two: the contents of the data packet, such as IP address, port and payload, cannot be modified conveniently. There may be a need to tailor the content of a data packet when testing or verifying a particular environment. However, with the PCAP method, whenever the content of a data packet is modified, the checksum of each protocol layer has to be recalculated and the attack end and the attacked end have to be modified and verified synchronously, so the algorithm of the software or device is complex.
Problem three: the PCAP method cannot be applied to a network environment in which NAT or a cross-network-segment link exists between the attack end and the attacked end. Because the PCAP method replaces the MAC address, which belongs to layer two, it cannot handle the layer-three forwarding performed by NAT or routing.
Problem four: the PCAP method cannot be applied to a network environment in which a proxy exists between the attack end and the attacked end, because the PCAP method replaces the layer-two MAC address and the proxy does not operate at layer two.
Problem five: the PCAP method needs to look up and record the MAC addresses of the attacker and the attacked party, and MAC addresses are longer than IP address and port pairs, so they are inconvenient to look up, configure and remember.
Problem six: in special cases, if the attacked end is actually listening on the port recorded in the PCAP, the PCAP method may deliver the malicious data packet directly to the attacked end and damage it, possibly irreversibly.
Problem seven: on some operating systems, the PCAP method needs to involve the driver layer and places relatively high demands on software compatibility, which is unfavorable for algorithm and software maintenance.
Problem eight: the PCAP method does not work properly when the MTU of the test or verification environment is smaller than the MTU of the captured data packets.
Problem nine: the PCAP method cannot conveniently convert captured IPv6 data packets into IPv4 data packets or IPv4 data packets into IPv6 data packets; that is, an IPv4 PCAP cannot adapt to an IPv6 environment and an IPv6 PCAP cannot adapt to IPv4.
Disclosure of Invention
In view of this, the embodiments of the present application provide a malicious traffic harmless generation method, apparatus and electronic device which at least partially solve the problems existing in the prior art, and aim to provide a malicious traffic harmless generation method, apparatus and electronic device that has simple algorithm logic, is easy to deploy, has strong fault tolerance, is applicable to metadata, payload and the like, can be modified at will, and spans network segments, NAT and proxies.
In a first aspect, the present application provides a method for harmless generation of malicious traffic, the method including:
extracting malicious data streams meeting the conditions from the PCAP file, identifying traffic application information, storing the malicious data streams as a traffic file, and completing preparation for harmless generation of malicious traffic;
the attack end and the attacked end reading the same traffic file and each generating traffic bytecode according to the configuration parameters they read;
the attacked end creating a socket according to the ports identified in the traffic bytecode and listening on the one or more corresponding ports;
when the attack end has a proxy parameter, carrying out proxy authentication and connection to the attacked end according to the proxy parameter;
after the attack end and the attacked end are successfully connected, the attack end and the attacked end sending or receiving data packets, whereby harmless generation of malicious traffic is realized.
According to a specific implementation manner of the present application, extracting malicious data streams meeting the conditions from the PCAP file includes:
reading the PCAP file;
screening the read PCAP file according to the user's conditions, and extracting one or more malicious data streams to be sent and received.
According to a specific implementation manner of the application, the user's conditions include one or more of an attacker IP, an attacked IP, an attacker port, an attacked port and a protocol.
According to a specific implementation manner of the application, the attacker IP is IPv6 or IPv4, and the attacked IP is IPv6 or IPv4.
According to a specific implementation manner of the application, the data stream to be sent is payload data carrying an attack end or attacked end identifier that can be recognized by the generation program at the attacked end.
According to a specific implementation manner of the present application, the traffic file is the malicious data streams to be sent and received, stored in memory or on disk in an unrestricted content format.
According to a specific implementation manner of the present application, identifying traffic application information includes:
carrying out feature recognition on the payload of each malicious data stream meeting the conditions while it is being extracted from the PCAP file, and labelling it with an application name; or
after extraction of the malicious data streams meeting the conditions from the PCAP file is completed, carrying out feature recognition on the payloads of the malicious data streams together, and labelling them with an application name.
According to a specific implementation manner of the application, the configuration parameters include the IP address and port of the opposite end and the content of the replacement payload;
the ports in the configuration parameters are one or more ports: when a single parameter port exists, the attack end adjusts all attacked ports to the parameter port; when several parameter ports exist, the ports are replaced according to the port replacement rule specified by the parameters; when no parameter port exists, the port in the traffic file or the default port is used;
when a replacement payload content parameter exists in the configuration parameters, the attack end or the attacked end replaces the payload content according to the rule described by the parameter, and the system is relied upon to automatically recalculate the related checksums and perform protocol stack encapsulation for the modified payload;
the replacement payload content may contain zero or more entries.
According to a specific implementation manner of the application, the socket is a system socket or a custom wrapper resembling a system socket, and the created socket is used to retransmit the data packet payload content from the PCAP file.
According to a specific implementation manner of the application, the attack end and the attacked end sending or receiving data packets includes:
the attack end first receiving or first sending a data packet according to the content identified in the traffic bytecode; and
the attacked end first receiving or first sending a data packet according to the content identified in the traffic bytecode.
According to a specific implementation manner of the application, the attack end or the attacked end first receiving a data packet according to the content identified in the traffic bytecode includes:
waiting to receive a data packet according to the content identified in the traffic bytecode, with timeout processing started; if the receive times out, entering the ending processing;
after a data packet is received, judging according to the content identified in the traffic bytecode whether the received data packet is the one that currently needs to be received; if so, entering the next step, otherwise returning to the previous step;
judging whether the traffic bytecode still contains unprocessed entries; if not, ending the procedure, otherwise entering the next step;
judging whether the next data packet is one to be sent; if so, entering the next step, otherwise returning to wait to receive a data packet;
sending the data packet;
judging whether the traffic bytecode still contains unprocessed entries; if not, ending the procedure, otherwise entering the next step;
judging whether the next data packet is one to be sent; if so, returning to send the data packet, and if not, returning to wait to receive a data packet.
In a second aspect, the present application provides a malicious traffic harmless generation device, including:
a preparation device, which extracts malicious data streams meeting the conditions from the PCAP file, identifies traffic application information, stores the malicious data streams as a traffic file and completes preparation for harmless generation of malicious traffic;
an attacked end, which reads the traffic file and generates traffic bytecode according to the configuration parameters it reads; creates a socket according to the ports identified in the traffic bytecode and listens on the one or more corresponding ports; and, after successfully connecting with the attack end, sends or receives data packets;
an attack end, which reads the same traffic file as the attacked end and generates traffic bytecode according to the configuration parameters it reads; when it has a proxy parameter, carries out proxy authentication and connection to the attacked end according to the proxy parameter; and, after successfully connecting with the attacked end, sends or receives data packets, whereby harmless generation of malicious traffic is realized.
In a third aspect, the present application provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the malicious traffic harmless generation method according to the first aspect or any implementation manner of the first aspect.
In a fourth aspect, the present application provides a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the malicious traffic harmless generation method according to the first aspect or any implementation manner of the first aspect.
In a fifth aspect, the present application also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the malicious traffic harmless generation method according to the first aspect or any implementation manner of the first aspect.
The malicious traffic harmless generation method comprises the steps of extracting malicious data streams meeting the conditions from the PCAP file, identifying traffic application information, storing the malicious data streams as a traffic file, and completing preparation for harmless generation of malicious traffic; the attack end and the attacked end read the same traffic file and each generate traffic bytecode according to the configuration parameters they read; the attacked end creates a socket according to the ports identified in the traffic bytecode and listens on the one or more corresponding ports; when the attack end has a proxy parameter, proxy authentication and connection to the attacked end are carried out according to the proxy parameter; after the attack end and the attacked end are successfully connected, they send or receive data packets, and harmless generation of malicious traffic is realized.
With this processing scheme, a socket is created at the attacked end according to the port identified in the traffic bytecode to retransmit the data packet payload content from the PCAP. The attacked port is the port listened on by the test or detection program, so the transmitted data packet is not received by a program that actually has the vulnerability or problem, and the real system is not damaged.
With this processing scheme, sockets are used to handle cross-network-segment and cross-route traffic; sockets and traffic files are used to generate malicious traffic of various application protocol types; sockets are used to support interconversion of malicious traffic between IPv4 and IPv6; and sockets are used to support various proxy protocol processes for malicious traffic.
With this processing scheme, the system is left to handle automatically any packet loss that occurs in the network protocol stack, so the algorithm is transparent and its complexity is reduced. Because the PCAP payload is handled through sockets, when packet loss occurs the automatically retransmitted data packets meet the standard requirements of the data stream protocol and can be correctly identified by network security products.
With this processing scheme, the requirement that payload, IP address, port and the like be modifiable is met, data packets that suit the test or verification environment are sent conveniently, and the data traffic is realistic. When the attack end and the attacked end send data to each other, only a simply configured IP address and port are needed, which is simple and convenient. The algorithm implementation does not depend on any driver beyond the operating system, so it is simply universal and compatible across operating systems.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of the first prior art method;
FIG. 2 is a flow chart of the second prior art method;
FIG. 3 is a flowchart of a malicious traffic harmless generation method according to an embodiment of the present application;
FIG. 4 is a detailed flowchart of a malicious traffic harmless generation method according to an embodiment of the present application;
FIG. 5 is a flowchart of sending and receiving data according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a malicious traffic harmless generation device according to an embodiment of the present application; and
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described in detail below with reference to the accompanying drawings.
Other advantages and effects of the present application will become apparent to those skilled in the art from the present disclosure, when the following description of the embodiments is taken in conjunction with the accompanying drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. The present application may be embodied or carried out in other specific embodiments, and the details of the present application may be modified or changed from various points of view and applications without departing from the spirit of the present application. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present application, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should also be noted that the illustrations provided in the following embodiments merely illustrate the basic concepts of the application by way of illustration, and only the components related to the application are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
Abbreviations and key terms involved in this embodiment are defined as follows.
DEX: the full English term is Decimal (decimal).
PCAP: the full English term is packet capture; it is an industry standard format for captured network data packets.
IP: Internet Protocol, the protocol for interconnection between networks, commonly referred to simply as the "networking protocol"; it is a protocol designed specifically for communication over computer networks.
MTU: the maximum transmission unit (Maximum Transmission Unit, MTU) is used to inform the peer of the maximum acceptable size of a data service unit, indicating the payload size that the sender can accept.
MAC: Media Access Control Address, also known as a local area network address (LAN address), MAC address, Ethernet address or physical address; it is an address used to identify the location of a network device.
SOCKS: the firewall secure session traversal protocol (SOCKS: Protocol for sessions traversal across firewall securely). The SOCKS protocol provides a framework for client/server applications in the TCP and UDP domains to use the services provided by a network firewall more conveniently and securely. The protocol operates at layer 5 (the session layer) of the OSI reference model and transmits data using TCP, so it does not provide network layer gateway services such as delivering ICMP messages.
HTTP: the Hypertext Transfer Protocol (HyperText Transfer Protocol, HTTP) is a simple request-response protocol that typically runs on top of TCP. It specifies what messages the client may send to the server and what responses it gets.
Base64: one of the most common encoding schemes for transmitting 8-bit byte codes over a network; Base64 is a method of representing binary data using 64 printable characters.
NAT: Network Address Translation. By means of NAT, when the internal network using private (reserved) addresses sends data packets through a router, the private address is converted into a legal IP address, so that a LAN can meet the communication needs between all computers in the private address network and the Internet using only a small number of IP addresses (even one).
Modbus: Modbus is a serial communication protocol published by Modicon in 1979 for communication using Programmable Logic Controllers (PLCs). Modbus has become a de facto industry standard for industrial communication protocols and is now a common way of connecting industrial electronic devices.
SSL: SSL (Secure Socket Layer), the secure socket layer, is the network security protocol first adopted by Netscape. It is a security protocol implemented on top of the transport communication protocol (TCP/IP) and employs public key technology. SSL supports a wide variety of network types while providing three basic security services, all of which use public key technology.
CSV: comma-separated values (Comma-Separated Values, CSV; sometimes also called character-separated values, because the separator need not be a comma); a CSV file stores table data (numbers and text) in plain text form.
The embodiment of the application relates to a malicious traffic harmless generation method, and aims to provide a malicious traffic harmless generation method which is simple in algorithm logic, easy to deploy, high in fault tolerance, suitable for metadata/load and the like, can be modified randomly, and can cross network segments and NAT and agents.
Next, a malicious traffic innocuous generating method according to an embodiment of the present application is specifically described with reference to the accompanying drawings.
Referring to fig. 3, a malicious traffic harmless generation method provided in an embodiment of the present application includes:
S100: extracting malicious data streams meeting the conditions from the PCAP file, identifying traffic application information, storing the malicious data streams as a traffic file, and thereby completing the preparation for harmless generation of malicious traffic;
S200: the attack end and the attacked end read the same traffic file and each generate traffic bytecode according to the configuration parameters they read;
S300: the attacked end creates a socket according to the ports identified in the traffic bytecode and listens on the one or more corresponding ports;
S400: when the attack end has a proxy parameter, proxy authentication and connection to the attacked end are carried out according to the proxy parameter;
S500: after the attack end and the attacked end are successfully connected, they send or receive data packets, realizing harmless generation of malicious traffic.
Referring to fig. 4, according to a specific implementation manner of an embodiment of the present application, the preparation stage for harmless generation of malicious traffic in step S100 includes:
S101: reading a PCAP file;
S102: screening the read PCAP file according to the user's conditions, extracting one or more malicious data streams to be sent and received, and identifying traffic application information;
S103: storing the malicious data streams in a traffic file in a certain format.
According to a specific implementation manner of the embodiment of the present application, in step S102 the PCAP file is subjected to conditional screening to obtain the malicious data streams to be sent and received.
In the embodiment of the present application, conditional screening means that the malicious data streams to be generated are screened according to the user's conditions. The user's conditions comprise one or more of the attacker ip, the attacked ip, the attacker port, the attacked port and the protocol, and data stream extraction is performed for the given condition pairs. One or more data streams may be extracted. Packets sharing the same five-tuple, namely attacker ip, attacked ip, attacker port, attacked port and protocol, are called one data stream. In the embodiment of the application, the content produced by the PCAP conversion is not limited; it may be as simple as the bytecode plus an attack-end identifier or an attacked-end identifier.
According to a specific implementation manner of the embodiment of the present application, in step S102, while the malicious data streams to be sent and received are obtained, the payload of each data packet is identified and tagged with an application name. The application name may be HTTP, Modbus, SSL, etc. In the embodiment of the application, the application protocol type of the PCAP is not limited, and may be HTTP, Modbus, Samba, SSL, etc.
The identification in step S102 may be performed synchronously while screening the data packets, or uniformly after all data packets have been screened:
feature recognition is carried out on the payload of each malicious data stream meeting the conditions in the PCAP file while the data stream is extracted, and the stream is tagged with an application name; or
after extraction of the malicious data streams meeting the conditions in the PCAP file is completed, feature recognition is carried out uniformly on the payloads of the malicious data streams, and each is tagged with an application name.
In this embodiment of the present application, the attacker ip and the attacked ip may each be ipv6 or ipv4.
In this embodiment of the present application, the data stream to be sent refers to payload data carrying an attack-end or attacked-end identifier, where the payload data can be recognized by the attacked-end generation program; in step S103 the data may be stored in memory or on disk in different formats or forms, for later use by the attack end or the attacked end. The content format of the file converted from the PCAP file (i.e. the traffic file) is not limited, and may be ip port + base64, ip port + hex, ip port + binary string, CSV table, etc.
According to a specific implementation manner of the embodiment of the present application, in the preparation stage for harmless generation of malicious traffic in step S100, the result of the stage may be saved as a traffic file; if malicious traffic with the same effect is to be generated again, the traffic file may be read directly without repeating steps S102 to S103.
According to a specific implementation manner of the embodiment of the application, in step S200 the attack end and the attacked end read the same traffic file and at the same time read the configuration parameters, and generate the final actual traffic bytecode according to these parameters.
In the embodiment of the application, the configuration parameters include the ip address and port of the opposite end and the replacement payload content.
The ports in the configuration parameters are one or more ports. When a single parameter port exists, the attack end changes all attacked ports to that parameter port; when several parameter ports exist, the ports are replaced according to the port replacement rule specified by the parameters, for example replacing port 80 with 8080 and port 443 with 8443; when no parameter port exists, the port in the traffic file or the default port is used.
When replacement payload content parameters exist in the configuration parameters, the attack end or the attacked end replaces the payload content according to the rule described by the parameters; for example, in the HTTP protocol, the content of the Host field of the HTTP header is replaced. Zero or more replacement payload contents may be given. During payload processing, different kinds of proxy-related processing can be added for different scenarios, and the system is used to automatically recalculate the related checksums and perform protocol stack encapsulation for the modified payload. The embodiment of the application thus allows the payload, ip address, port and so on to be modified, making it convenient to send data packets that fit the test or verification environment, so that the data stream is realistic.
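The preparation stage (S101 to S103) and the bytecode generation of step S200 described above, as an added example written for this page and not code from the patent: the packets are a constructed stand-in for what a PCAP parser would yield, the CSV column names, the configuration keys (`attacked_ip`, `ports`, `host`) and the application-tagging heuristics are this example's own choices.

```python
import base64
import csv
import io

# Constructed stand-in for decoded PCAP packets, i.e. what a capture parser would yield:
# (src_ip, dst_ip, src_port, dst_port, protocol, payload). Not taken from a real capture.
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 51000, 80, "tcp",
     b"GET /cgi-bin/x HTTP/1.1\r\nHost: target.example\r\n\r\n"),
    ("10.0.0.9", "10.0.0.5", 80, 51000, "tcp",
     b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    ("10.0.0.5", "10.0.0.9", 51001, 502, "tcp",
     b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"),   # Modbus/TCP read request
    ("10.0.0.7", "10.0.0.9", 40000, 443, "tcp", b"\x16\x03\x01\x00\x05hello"),  # other attacker
    ("10.0.0.5", "10.0.0.9", 51000, 80, "tcp", b""),        # empty payload (pure ACK)
]

FIELDS = ["attacker_ip", "attacked_ip", "attacker_port", "attacked_port",
          "protocol", "role", "app", "payload_b64"]


def identify_app(attacked_port, payload):
    """S102 application tagging. The heuristics are this example's own, not the patent's."""
    if payload[:5] == b"HTTP/" or payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "HTTP"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:  # TLS record header
        return "SSL"
    if attacked_port == 502 and len(payload) >= 7 and payload[2:4] == b"\x00\x00":  # MBAP
        return "Modbus"
    return "unknown"


def screen(packets, cond):
    """S102 conditional screening. cond holds any subset of attacker_ip, attacked_ip,
    attacker_port, attacked_port, protocol. Both directions of a five-tuple form one data
    stream; each kept packet is tagged with the role (attack/attacked) of its sender, so the
    conditions must pin down which side is the attacker for the roles to be meaningful."""
    rows = []
    for src, dst, sport, dport, proto, payload in packets:
        if not payload or cond.get("protocol") not in (None, proto):
            continue
        fwd = (src, dst, sport, dport)   # attacker -> attacked
        rev = (dst, src, dport, sport)   # attacked -> attacker
        for role, (a_ip, v_ip, a_port, v_port) in (("attack", fwd), ("attacked", rev)):
            wanted = (("attacker_ip", a_ip), ("attacked_ip", v_ip),
                      ("attacker_port", a_port), ("attacked_port", v_port))
            if all(cond.get(k) in (None, v) for k, v in wanted):
                rows.append(dict(zip(FIELDS, [a_ip, v_ip, a_port, v_port, proto, role,
                                              identify_app(v_port, payload),
                                              base64.b64encode(payload).decode()])))
                break
    return rows


def write_traffic_file(rows):
    """S103: store the screened streams as a CSV traffic file (one of the allowed formats)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def read_traffic_file(text):
    return list(csv.DictReader(io.StringIO(text)))


def replace_port(port, ports_param):
    """Port rule of the configuration parameters: None keeps the traffic-file port, a single
    int moves every attacked port to that port, a dict maps ports such as {80: 8080, 443: 8443}."""
    if ports_param is None:
        return port
    if isinstance(ports_param, int):
        return ports_param
    return ports_param.get(port, port)


def build_bytecode(rows, config):
    """S200: turn traffic-file rows into the bytecode one end will replay. config keys
    (example's own names): attacked_ip, ports, host. Checksums are left to the kernel stack."""
    code = []
    for row in rows:
        payload = base64.b64decode(row["payload_b64"])
        if row["app"] == "HTTP" and row["role"] == "attack" and config.get("host"):
            # replacement-payload rule: rewrite the HTTP Host header of attacker requests
            payload = b"\r\n".join(
                b"Host: " + config["host"].encode() if line.lower().startswith(b"host:") else line
                for line in payload.split(b"\r\n"))
        code.append({"attacked_ip": config.get("attacked_ip", row["attacked_ip"]),
                     "attacked_port": replace_port(int(row["attacked_port"]), config.get("ports")),
                     "role": row["role"], "app": row["app"], "payload": payload})
    return code
```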
According to a specific implementation manner of the embodiment of the present application, in step S300 the attacked end first creates a socket according to the port identified in the traffic bytecode and listens on the corresponding port. In this embodiment, the number of listening ports may be one or more, determined by the number of identifiers in the traffic bytecode. If listening fails, the method ends. In this embodiment, the socket may be provided by any hardware capable of implementing a socket, such as a microcontroller without an operating system. The socket may be the system's socket, or a custom wrapper that behaves like a system socket (i.e. a self-written protocol stack). The data packet payload content from the PCAP file is retransmitted using the created socket, and the PCAP payload is processed by the system's protocol stack, so that when packet loss occurs, the automatically retransmitted data packets meet the data stream protocol specification and can be correctly identified by a network security product.
In the embodiment of the application, the socket handles the cross-network-segment and cross-route processing, so that cross-network-segment and cross-NAT transmission of malicious data packets is supported. Malicious traffic of various application protocol types is generated using the socket and the traffic file. The sockets also support interconversion between ipv4 and ipv6 malicious traffic. Various proxy protocols for malicious traffic are handled through sockets, so that malicious data packets can be sent through any user-defined type of proxy.
In the embodiment of the application, packet loss at the network protocol stack is handled automatically by the system, transparently to the algorithm, which simplifies the algorithm. The data packet payload content in the PCAP is retransmitted using the system's socket, and the server side genuinely listens on the port to receive the data packets, so the system is not damaged. Cross-network-segment and cross-route processing is handled by the sockets.
According to a specific implementation manner of the embodiment of the present application, in step S400, if the proxy parameter exists, the attack end connects to the proxy address given in the proxy parameter using the specified proxy type and authentication mode, performs proxy authentication, and connects to the attacked end through the proxy. In the embodiment of the present application, the proxy protocol type is not limited and may be an HTTP proxy, a SOCKS proxy, etc.; the authentication mode may be no authentication, account and password authentication, etc. If the connection fails, a specified number of connection attempts may be made, depending on the actual reliability requirements of the system. If the connection still fails, the method ends.
In this embodiment of the present application, connecting to the attacked end may mean connecting to several ports of the attacked end simultaneously and concurrently, connecting to several ports of the attacked end one after another, or connecting to only one port of the attacked end, as determined by the description content of the traffic bytecode.
According to a specific implementation manner of the embodiment of the present application, in step S500, after the attack end and the attacked end are successfully connected, they start to send and receive data packets. In the embodiment of the application, when the attack end and the attacked end send data to each other, only an ip address and a port need to be configured, so the method is simple and convenient. Data packets may be sent and received by either the attack end or the attacked end, as described by the traffic bytecode. The procedure is the same for the attack end and the attacked end; whether an end first receives or first transmits is determined by the identification content of the traffic bytecode.
According to a specific implementation manner of the embodiment of the present application, taking receiving first as an example, as shown in fig. 5, the attack end or the attacked end first receives a data packet according to the identification content of the traffic bytecode, and the method comprises the following steps:
S501: waiting to receive the data packet identified by the traffic bytecode, with timeout handling started; if receiving times out, enter the ending processing;
S502: after receiving a data packet, judging according to the identification content of the traffic bytecode whether the received data packet is the one currently expected; if so, proceed to step S503, otherwise return to step S501. In this embodiment of the present application, the judging method may be a content comparison of the whole payload, a hash comparison of the whole payload, or a content comparison of part of the payload, for example comparing only the HTTP response code in the stream bytecode, which is a partial-payload judgement;
S503: judging whether the traffic bytecode still contains unprocessed entries, that is, whether processing is complete; if none remain, processing is complete and the procedure ends; otherwise proceed to step S504;
S504: judging whether the next data packet is one to be transmitted; if so, proceed to step S505, otherwise return to step S501 and continue waiting;
S505: transmitting the data packet, and proceeding to step S506;
S506: judging whether the traffic bytecode still contains unprocessed entries, that is, whether processing is complete; if none remain, processing is complete and the procedure ends; otherwise proceed to step S507;
S507: judging whether the next data packet is one to be transmitted; if so, return to step S505; if not, return to step S501.
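The send/receive loop of steps S501 to S507, run for both ends at once, as an added example written for this page and not code from the patent: the traffic-file entries are constructed, a local socket pair stands in for the TCP connection of steps S300/S400, and the match modes (`full`, `hash`, `http-status`) are this example's names for the three judging methods of step S502.

```python
import hashlib
import socket
import threading

# Constructed traffic-file content (not a real capture): (sender_role, payload) entries of one
# stream, a request/response pair followed by a second request and its response.
FLOW = [
    ("attack", b"GET /a HTTP/1.1\r\nHost: lab.test\r\n\r\n"),
    ("attacked", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("attack", b"GET /b HTTP/1.1\r\nHost: lab.test\r\n\r\n"),
    ("attacked", b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
]


def to_bytecode(flow, role):
    """S200: from the same traffic file each end derives its own ('send' | 'recv', payload) list."""
    return [("send" if sender == role else "recv", payload) for sender, payload in flow]


def matches(expected, got, mode):
    """S502: whole-payload comparison, whole-payload hash comparison, or partial comparison
    (here only the HTTP status line)."""
    if mode == "full":
        return got == expected
    if mode == "hash":
        return hashlib.sha256(got).digest() == hashlib.sha256(expected).digest()
    if mode == "http-status":
        return got.split(b"\r\n", 1)[0] == expected.split(b"\r\n", 1)[0]
    raise ValueError(f"unknown match mode {mode!r}")


def recv_exact(sock, n):
    """Read exactly n bytes; a stream socket may split or coalesce sends. b'' on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf


def run_end(sock, bytecode, mode="full", timeout=2.0):
    """Steps S501-S507 for one end over a connected socket.
    Returns (completed, entries_processed)."""
    sock.settimeout(timeout)
    i = processed = 0
    while i < len(bytecode):              # S503/S506: unprocessed entries remain?
        direction, payload = bytecode[i]
        if direction == "send":           # S504/S507 say "transmit" -> S505
            sock.sendall(payload)
        else:                             # S501: wait for the expected packet
            try:
                got = recv_exact(sock, len(payload))
            except socket.timeout:
                return False, processed   # receive timeout -> ending processing
            if not got:
                return False, processed   # peer closed the connection
            if not matches(payload, got, mode):
                continue                  # S502 "no": back to S501, keep waiting
        i += 1
        processed += 1
    return True, processed


def replay_pair(flow, mode="full", timeout=2.0):
    """Run the attack end and the attacked end over a connected socket pair (stand-in for the
    TCP connection of S300/S400) and return (attack_result, attacked_result)."""
    attack_sock, attacked_sock = socket.socketpair()
    results = {}

    def worker(name, sock, code):
        try:
            results[name] = run_end(sock, code, mode, timeout)
        finally:
            sock.close()

    threads = [
        threading.Thread(target=worker, args=("attack", attack_sock, to_bytecode(flow, "attack"))),
        threading.Thread(target=worker, args=("attacked", attacked_sock, to_bytecode(flow, "attacked"))),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results["attack"], results["attacked"]


def timeout_case(timeout=0.2):
    """S501 timeout path: an end waiting for a packet that never arrives ends the procedure."""
    a, b = socket.socketpair()
    try:
        return run_end(a, [("recv", b"never sent")], timeout=timeout)
    finally:
        a.close()
        b.close()
```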
In the embodiment of the application, since the attacked port is the port monitored by the test or detection program, the transmitted data packets are not received by a program that actually has the vulnerability or problem, so the actual system is not damaged. The algorithm implementation does not depend on any driver outside the system and can be kept simple, universal and compatible across operating systems. It works normally in an environment with any MTU size.
Corresponding to the above method embodiment, referring to fig. 6, the embodiment of the present application further provides a malicious traffic innocent generating device 1000, including:
a preparation device 1001, where the preparation device 1001 extracts the malicious data streams meeting the conditions from the PCAP file, identifies traffic application information, and stores the malicious data streams as a traffic file, thereby completing the preparation for harmless generation of malicious traffic;
an attacked end 1002, where the attacked end 1002 reads the traffic file and generates traffic bytecode according to the configuration parameters it reads; creates a socket according to the ports identified in the traffic bytecode and listens on the one or more corresponding ports; and, after successful connection with the attack end 1003, sends or receives data packets;
an attack end 1003, where the attack end 1003 and the attacked end 1002 read the same traffic file and each generate traffic bytecode according to the configuration parameters they read; when the proxy parameter exists, the attack end 1003 performs proxy authentication according to the proxy parameter and connects to the attacked end 1002; after successful connection with the attacked end 1002, it sends or receives data packets, so that harmless generation of malicious traffic is realized.
The apparatus shown in fig. 6 may correspondingly perform the content in the foregoing method embodiment, and the portions not described in detail in this embodiment refer to the content described in the foregoing method embodiment and are not described herein again.
Referring to fig. 7, an embodiment of the present application further provides an electronic device 1100, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform a malicious traffic innocuous generating method in the foregoing method embodiments.
The embodiment of the application also provides a non-transitory computer readable storage medium, which stores computer instructions for causing a computer to execute the malicious traffic harmless generation method in the embodiment of the method.
The present application also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform a malicious traffic innocuous generating method according to the foregoing method embodiments.
Referring now to fig. 7, a schematic diagram of an electronic device 1100 suitable for implementing embodiments of the present application is shown. The electronic device 1100 in the embodiments of the present application may include, but is not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), car terminals (e.g., car navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. The electronic device 1100 shown in fig. 7 is only an example and should not be construed as limiting the functionality and scope of use of the embodiments herein.
As shown in fig. 7, the electronic device 1100 may include a processing means 1101 (e.g., a central processing unit CPU, a graphics processor GPU, FPGA, ASIC, etc.), which may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1102 or a program loaded from a storage means 1108 into a Random Access Memory (RAM) 1103. In the RAM 1103, various programs and data necessary for the operation of the electronic device 1100 are also stored. The processing device 1101, ROM 1102, and RAM 1103 are connected to each other by a bus 1104. An input/output (I/O) interface 1105 is also connected to bus 1104.
In general, the following devices may be connected to the I/O interface 1105: input devices 1106 including, for example, a touch screen, touchpad, keyboard, mouse, image sensor, microphone, accelerometer, gyroscope, and the like; an output device 1107 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 1108, including for example, magnetic tape, hard disk, etc.; and a communication device 1109. The communication means 1109 may allow the electronic device 1100 to communicate wirelessly or by wire with other devices to exchange data. While an electronic device 1100 having various means is shown, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via communications device 1109, or from storage device 1108, or from ROM 1102. The above-described functions defined in the methods of the embodiments of the present application are performed when the computer program is executed by the processing means 1101.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to:
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. The operating system is not limited and may be Linux, Windows, macOS, etc. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present application may be implemented by software, or may be implemented by hardware. Wherein the names of the units do not constitute a limitation of the units themselves in some cases.
It should be understood that portions of the present disclosure may be implemented in hardware, software, firmware, or a combination thereof.
The foregoing is merely specific embodiments of the disclosure, but the protection scope of the disclosure is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the disclosure are intended to be covered by the protection scope of the disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.
Claims (10)
1. A malicious traffic harmless generation method is characterized by comprising the following steps:
extracting malicious data streams meeting the conditions in the PCAP file, identifying flow application information, storing the malicious data streams as flow files, and completing preparation for harmless generation of malicious flow;
the attack end and the attacked end read the same flow file and respectively generate flow byte codes according to the read configuration parameters;
the attacked end establishes a socket according to the ports identified in the flow byte codes and monitors one or more corresponding ports;
when the attack end has the proxy parameter, proxy authentication and connection of the attacked end are carried out according to the proxy parameter;
After the attack end and the attacked end are successfully connected, the attack end and the attacked end send or receive data packets, and harmless generation of malicious traffic is realized.
2. The method for innocuous generation of malicious traffic of claim 1, wherein the extracting the malicious data stream meeting the condition in the PCAP file comprises:
reading a PCAP file;
screening the read PCAP file according to the condition of a user, and extracting one or more malicious data streams to be sent and received;
the conditions of the user comprise one or more conditions of an attacker ip, an attacked ip, an attacker port, an attacked port and a protocol;
the attacker ip is ipv6 or ipv4; the attacked ip is ipv6 or ipv4;
the data stream to be sent is load data with an attack end or an attacked end identifier and capable of being identified by an attacked end generation program.
3. The harmless generation method of malicious traffic according to claim 1, wherein the traffic file is the malicious data stream to be transmitted and received stored in a memory or on a disk with unlimited content format.
4. The method for harmlessly generating malicious traffic according to claim 1, wherein the identifying traffic application information includes:
carrying out feature recognition on the payload of the malicious data stream meeting the conditions in the PCAP file while extracting the malicious data stream, and identifying it by an application name; or
after the extraction of the malicious data streams meeting the conditions in the PCAP file is completed, uniformly carrying out feature recognition on the payloads of the malicious data streams, and identifying them by an application name.
5. The harmless generation method of malicious traffic according to claim 1, wherein the configuration parameters include the ip address and port of the opposite terminal, and the content of the replacement load;
the ports in the configuration parameters are one or more ports, and when one parameter port exists, the attack end adjusts all the attacked ports to be parameter ports; when a plurality of parameter ports exist, replacing the plurality of ports according to a port replacement rule specified by the parameters; when the parameter port does not exist, using the port or the default port in the flow file;
when the content parameters of the replacement load in the configuration parameters exist, the attack end or the attacked end replaces the load content according to the rule description of the parameters, and the system is utilized to automatically perform related checksum recalculation and protocol stack encapsulation on the modified load;
The content of the replacement payload may contain zero or more.
6. The method for harmlessly generating malicious traffic according to claim 1, wherein the socket comprises a socket of a system or a package of a custom system-like socket;
and retransmitting the data packet load content in the PCAP file by using the created socket.
7. The harmless generation method of malicious traffic according to claim 1, wherein the transmitting or receiving data packets by the attacking end and the attacked end comprises:
the attack end firstly receives or firstly transmits the data packet according to the identification content of the flow byte code;
the attacked end firstly receives or firstly transmits the data packet according to the identification content of the flow byte code;
the attack end or the attacked end firstly receives the data packet according to the identification content of the flow byte code, and the method comprises the following steps:
waiting for receiving the data packet according to the content of the flow byte code identification; starting overtime processing, and if receiving overtime, entering ending processing;
after receiving the data packet, judging whether the received data packet is the data packet which needs to be received currently according to the identification content of the flow byte code, if so, entering the next step, otherwise, returning to the previous step;
Judging whether the flow byte codes contain unprocessed flow byte codes or not, and if not, ending the flow; otherwise, entering the next step;
judging whether the next data packet is a data packet to be transmitted, if so, entering the next step, otherwise, returning to wait for receiving the data packet;
transmitting a data packet;
judging whether the flow byte codes contain unprocessed flow byte codes or not, and if not, ending the flow; otherwise, entering the next step;
judging whether the next data packet is a data packet to be transmitted, if so, returning to transmit the data packet; if not, returning to wait for receiving data packet.
8. A malicious traffic innocent generation device is characterized by comprising:
the preparation device extracts malicious data streams meeting the conditions in the PCAP file, identifies flow application information, stores the malicious data streams as flow files and completes preparation of harmless generation of malicious flow;
the attacked end reads the flow file and generates flow byte codes according to the read configuration parameters; socket creation is carried out according to the ports identified in the flow byte codes, and one or more corresponding ports are monitored; after successful connection with the attack end, sending or receiving a data packet;
The attack end and the attacked end read the same flow file and respectively generate flow byte codes according to the read configuration parameters; when the attack end has the proxy parameter, proxy authentication and connection of the attacked end are carried out according to the proxy parameter; after the connection with the attacked end is successful, the data packet is sent or received, and harmless generation of malicious traffic is realized.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform a malicious traffic innocuous generating method according to any one of the preceding claims 1-7.
10. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform a malicious traffic innocuous generating method according to any one of the preceding claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310071188.8A CN116132345A (en) | 2023-01-12 | 2023-01-12 | Harmless generation method and device for malicious traffic and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116132345A true CN116132345A (en) | 2023-05-16 |
Family
ID=86302468
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310071188.8A Pending CN116132345A (en) | 2023-01-12 | 2023-01-12 | Harmless generation method and device for malicious traffic and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116132345A (en) |
2023
- 2023-01-12 CN CN202310071188.8A patent/CN116132345A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN113169958B (en) | User datagram protocol tunnel in distributed application program instance | |
US7978716B2 (en) | Systems and methods for providing a VPN solution | |
CN109218261B (en) | Data processing method and data processing device | |
CA2545496C (en) | Virtual private network with pseudo server | |
CN112468518B (en) | Access data processing method and device, storage medium and computer equipment | |
US11677585B2 (en) | Transparent TCP connection tunneling with IP packet filtering | |
CN110177128B (en) | Data transmission system and method for establishing VPN connection, terminal and VPN proxy thereof | |
CN107835102B (en) | Method for decomposing protocol characteristics and decomposing fuzzy test | |
CN114828140B (en) | Service flow message forwarding method and device, storage medium and electronic equipment | |
CN110545230B (en) | Method and device for forwarding VXLAN message | |
CN111385068B (en) | Data transmission method, device, electronic equipment and communication system | |
US11522979B2 (en) | Transmission control protocol (TCP) acknowledgement (ACK) packet suppression | |
CN116055586B (en) | Fragment message matching method, router and storage medium | |
CN116132345A (en) | Harmless generation method and device for malicious traffic and electronic equipment | |
Van Winkle | Hands-On Network Programming with C: Learn socket programming in C and write secure and optimized network code | |
CN113472625B (en) | Transparent bridging method, system, equipment and storage medium based on mobile internet | |
CN100592265C (en) | Method, system and computer system for guaranteeing communication safety by route packet quantity | |
CN112242943B (en) | IPSec tunnel establishment method and device, branch equipment and center-end equipment | |
CN111490986A (en) | Test system and method for intrusion prevention equipment | |
CN114978643B (en) | Communication method, network equipment and storage medium | |
CN113365296B (en) | Network configuration method and equipment of communication central station | |
CN113709196A (en) | Data extraction method, data extraction device, computer equipment, medium and program product | |
CN118784601A (en) | Flow mirroring method, device, equipment and medium | |
CN116846625A (en) | Communication method, communication device, electronic apparatus, and computer storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||