CN116418534A - Out-of-band attack detection method and device, electronic equipment, medium and product - Google Patents
- Publication number: CN116418534A (application CN202111672869.7A)
- Authority
- CN
- China
- Prior art keywords
- domain name
- data packet
- target network
- resolved
- flow data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention provides an out-of-band attack detection method, an out-of-band attack detection device, electronic equipment, a medium and a product. The out-of-band attack detection method comprises the following steps: acquiring a target network traffic data packet; performing domain name resolution on the target network traffic data packet to obtain a resolved domain name; in the case that the target network traffic data packet is a request packet, judging whether the resolved domain name belongs to a predefined domain name blacklist, and determining that the target network traffic data packet carries an out-of-band attack if it does; in the case that the resolved domain name does not belong to the predefined domain name blacklist, judging whether the resolved domain name contains system sensitive information; and in the case that the resolved domain name contains system sensitive information, determining that the target network traffic data packet carries an out-of-band attack. The method and device can detect out-of-band attacks promptly and effectively, ensure that sensitive information is not leaked, and improve network security.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and apparatus for detecting an out-of-band attack, an electronic device, a medium, and a product.
Background
The term "out-of-band" (OOB) has two meanings here. Historically it named a NetBIOS vulnerability: a TCP segment carrying out-of-band (URG) data sent to an open NetBIOS port, typically TCP 139 (137 and 138 are the UDP name and datagram services), crashed or blue-screened unpatched Windows 95 and NT hosts, which could not use TCP/IP again until rebooted. That attack is a denial of service and is not what this document detects.
The out-of-band attack addressed here is data exfiltration through a side channel. Once an attacker can make a victim host issue requests, the host is made to emit TCP, UDP or ICMP requests, most commonly DNS queries, whose payload (for example the queried domain name) carries system sensitive information to attacker-controlled infrastructure. The sensitive data leaves the host inside the request itself rather than in any response the attacker could read directly. A detection method for this kind of out-of-band attack is therefore needed to discover and handle it in time, prevent sensitive information from leaking, and improve the security of the user's computer.
Disclosure of Invention
The invention provides an out-of-band attack detection method, an out-of-band attack detection device, electronic equipment, media and products, which are used for solving the defects.
The invention provides a method for detecting out-of-band attack, which comprises the following steps: acquiring a target network flow data packet; performing domain name resolution on the target network flow data packet to obtain a resolved domain name; judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet, and determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to the predefined domain name blacklist; judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist; and under the condition that the resolved domain name contains system sensitive information, determining that the target network flow data packet has out-of-band attack.
According to the out-of-band attack detection method provided by the invention, the method further comprises: in the case that the target network traffic data packet is a response packet, judging whether the resolved IP address returned for the resolved domain name is a local loopback IP address; and in the case that the resolved IP address is a loopback address, determining that the target network traffic data packet carries an out-of-band attack.
According to the method for detecting the out-of-band attack provided by the invention, after the out-of-band attack of the target network flow data packet is determined, the method further comprises the following steps: and generating alarm information according to the target network flow data packet, and reporting the alarm information.
According to the out-of-band attack detection method provided by the invention, after domain name resolution is carried out on the target network traffic data packet to obtain the resolved domain name, the method further comprises: judging whether the resolved domain name is encoded and, if so, decoding it to obtain a decoded domain name; correspondingly, in the case that the target network traffic data packet is a request packet, judging whether the resolved domain name belongs to a predefined domain name blacklist comprises judging whether the decoded domain name belongs to the predefined domain name blacklist.
According to the out-of-band attack detection method provided by the invention, judging whether the resolved domain name is encoded comprises judging whether the resolved domain name is Base64- or Base16-encoded. (The source text calls this "encryption"; Base64 and Base16 are reversible encodings, not encryption, so no key is involved in undoing them.)
The invention also provides an out-of-band attack detection device, which comprises: the data packet acquisition module is used for acquiring a target network flow data packet; the domain name resolution module is used for carrying out domain name resolution on the target network flow data packet to obtain a resolved domain name; the domain name blacklist judging module is used for judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet, and determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to the predefined domain name blacklist; the sensitive information judging module is used for judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist, and determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name contains the system sensitive information.
According to the out-of-band attack detection device provided by the invention, the device further comprises: a loopback address judging module, used for judging, in the case that the target network traffic data packet is a response packet, whether the resolved IP address returned for the resolved domain name is a local loopback IP address, and for determining that the target network traffic data packet carries an out-of-band attack in the case that the resolved IP address is a loopback address.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and operable on the processor, the processor implementing the steps of any of the out-of-band attack detection methods described above when the processor executes the program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of any of the out-of-band attack detection methods described above.
The invention also provides a computer program product comprising a computer program which when executed by a processor implements the steps of any of the out-of-band attack detection methods described above.
With the out-of-band attack detection method, device, electronic equipment, medium and product provided by the invention, a request packet is first parsed to obtain the resolved domain name, and it is then judged whether that domain name belongs to a domain name blacklist or contains system sensitive information, which determines whether the target network traffic data packet carries an out-of-band attack. The attack can therefore be detected before the domain name resolution request is answered, so the response packet for the request carrying the system sensitive information is never sent to the host; the out-of-band attack is detected promptly and effectively, sensitive information is not leaked, and network security is improved.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of an out-of-band attack detection method according to an embodiment of the present invention;
FIG. 2 is a second flow chart of the out-of-band attack detection method according to the embodiment of the present invention;
FIG. 3 is a schematic diagram of an out-of-band attack detection device according to an embodiment of the present invention;
fig. 4 is a schematic entity structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a schematic flow chart of an out-of-band attack detection method according to an embodiment of the present invention; as shown in fig. 1, the out-of-band attack detection method may include the steps of:
step 101, obtaining a target network flow data packet.
The target network flow data packet is a request packet requesting hostname resolution through a domain name resolution system or a response packet responding to a hostname resolution request.
The domain name system (DNS) is a distributed database that maps domain names to IP addresses and is responsible for resolving domain names into IP addresses. When a site on the Internet is accessed, its domain name, for example www.cnblogs.com, is what is typed, because a 32-bit IPv4 address is hard for people to remember; what is actually contacted is the IP address obtained from the domain name system.
The specific process of domain name resolution is that the local machine sends a DNS request message carrying the domain name to be queried to the local domain name server; the local domain name server then generates a DNS response message from the IP address it looked up and returns it to the local machine. The request packet is generated from a DNS request message, and the response packet from a DNS response message.
It should be noted that after the target network traffic data packet is acquired, its type may be determined: the type is either request packet or response packet, and different detection is performed for each. Specifically, if the target network traffic data packet is a request packet, it is judged whether its resolved domain name belongs to the domain name blacklist or contains system sensitive information; if it is a response packet, it is judged whether the resolved IP address it carries is a local loopback IP address. Out-of-band attacks are thus detected by different methods according to the packet type, as described in detail below.
Step 102, performing domain name resolution on the target network traffic data packet to obtain a resolved domain name.
In this document "domain name resolution" of a packet means parsing the packet, not issuing a DNS lookup. In this step the target network traffic data packet is decoded to obtain information about both communicating parties (the host and the local domain name server), mainly the host IP, host port, request time, query type of the request, domain name length and, above all, the queried domain name.
In this embodiment the queried domain name obtained by parsing is the basis for judging the out-of-band attack.
Step 103, judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet,
and under the condition that the resolved domain name belongs to a predefined domain name blacklist, determining that the target network flow data packet has out-of-band attack.
The predefined blacklist of domain names refers to a list formed by malicious domain names, which can be added to the blacklist through domain name management, or can be a commonly used blacklist of domain names, which is not limited in this embodiment.
In this step, it is first determined whether the target network traffic data packet is a request packet or a response packet from the header section of the DNS message it carries.
The 16-bit flags field of the DNS header is shown in Table 1 (bit widths in parentheses). When QR is 0, the target network traffic data packet is a request packet; when QR is 1, it is a response packet.
Table 1 Flags field of the DNS header
QR (1) | Opcode (4) | AA (1) | TC (1) | RD (1) | RA (1) | Z (3) | RCODE (4)
Then, matching the resolved domain name with a malicious domain name in a domain name blacklist, and if the matching is carried out to obtain a corresponding malicious domain name, determining that the target network traffic data packet has out-of-band attack; if the malicious domain name is not matched in the domain name blacklist, step 104 is entered to judge the system sensitive information.
In addition, if the resolved domain name consists of several labels, each of its sub-domains (the parent suffixes, for example oob.example within a.b.oob.example) is also checked against the domain name blacklist; if any such suffix belongs to the blacklist, the resolved domain name is determined to be malicious and the corresponding target network traffic data packet carries an out-of-band attack. Only if neither the full resolved domain name nor any of its sub-domains belongs to the blacklist is the resolved domain name considered normal, and step 104 is entered to judge system sensitive information.
Step 104, judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist;
and under the condition that the resolved domain name contains system sensitive information, determining that the target network flow data packet has out-of-band attack.
The system sensitive information includes the system version and system type of the local domain name server, configuration information on the host, user account information, password files and the like: for example, on Windows, the system version, IIS configuration files, the password set at first installation, MySQL configuration and PHP configuration; on Unix-like systems, account information, the account password file and virtual website configuration. This embodiment does not limit the list.
In this step, when step 103 finds no blacklist match, it is further judged whether the resolved domain name contains system sensitive information. If it does, the target network traffic data packet is determined to carry an out-of-band attack; if it contains no system sensitive information, the target network traffic data packet is determined to be legitimate, the corresponding IP address is looked up for the resolved domain name, a response packet is generated, and the host is answered.
According to the out-of-band attack detection method provided by the embodiment of the invention, the target network traffic data packet is first parsed; then, if it is a request packet, it is judged whether the resolved domain name belongs to the domain name blacklist or contains system sensitive information, which determines whether the packet carries an out-of-band attack. The attack can therefore be detected before the domain name resolution request is answered, so the response packet for the request carrying the system sensitive information is never sent to the host; the out-of-band attack is detected promptly and effectively, sensitive information is not leaked, and network security is improved.
Further, the method further comprises: in the case that the target network traffic data packet is a response packet, judging whether the resolved IP address returned for the resolved domain name is a local loopback IP address;
and in the case that the resolved IP address is a loopback address, determining that the target network traffic data packet carries an out-of-band attack.
The local loopback IP address designates the device's local virtual interface and can be used to check whether the local network protocol stack, basic data interfaces and so on are working. In IPv4 it is any address in 127.0.0.0/8 (127.0.0.1 to 127.255.255.254), conventionally written 127.0.0.1; IPv6 uses ::1.
Specifically, if the target network traffic data packet is a response packet, it contains the resolved IP address looked up for the domain name in the request packet, and it is judged whether that resolved IP address is a loopback address. An external domain name that resolves to loopback points the host back at itself, which legitimate public names do not do. If the resolved IP address is a loopback address, the target network traffic data packet is determined to carry an out-of-band attack; if not, the response packet is normal and is forwarded to the corresponding host as usual.
According to the out-of-band attack detection method provided by the embodiment of the invention, whether the response packet contains the out-of-band attack is determined by further judging whether the analysis IP in the response packet is the local loop IP, so that the comprehensive detection of the request packet and the response packet is realized, and the network security is further improved.
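Steps 101 to 104 and the response-packet check above all work on the DNS wire format. The following Python is an added example, not code from the patent: it parses a DNS message header and its question and answer sections, splits packets on the QR bit exactly as step 103 does, and applies the loopback test to the A records in a response. The packet bytes, transaction ID, query name and the helper names (`parse_dns`, `classify`, `build_query`, `build_response`) are all constructed here and are not from the source.

```python
"""Added example (not the patent's code): parse a DNS query/response from its
wire format, split on the QR bit as in step 103, and apply the loopback check
on answers. Sample packets are constructed inline."""
from __future__ import annotations

import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels (RFC 1035 section 3.1)."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"


def read_name(buf: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                      # a pointer ends the name in the stream
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:                          # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length


def parse_dns(buf: bytes) -> dict:
    """Return id, QR/opcode/rcode, questions [(qname, qtype)] and A answers [(name, ip)]."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", buf, 0)
    pkt = {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
           "rcode": flags & 0xF, "questions": [], "answers": []}
    off = 12
    for _ in range(qdcount):
        name, off = read_name(buf, off)
        qtype, _qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        pkt["questions"].append((name, qtype))
    for _ in range(ancount):
        name, off = read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:              # A record
            pkt["answers"].append((name, str(ipaddress.IPv4Address(rdata))))
    return pkt


def response_points_to_loopback(pkt: dict) -> bool:
    """The response-packet check: any A answer inside 127.0.0.0/8 is flagged."""
    return pkt["qr"] == 1 and any(
        ipaddress.ip_address(ip) in LOOPBACK for _, ip in pkt["answers"])


def build_query(txid: int, qname: str) -> bytes:
    """Standard recursive A query (flags 0x0100: QR=0, RD=1)."""
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Answer `query` with one A record; the answer name is a pointer to offset 12."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:] + answer


# Constructed samples: a query whose first label is Base64 text (see the decoding
# step) and a response mapping it to 127.0.0.1, the case the loopback check flags.
SAMPLE_QUERY = build_query(0x1234, "cm9vdDp4OjA6MA.log.example.net")
SAMPLE_RESPONSE = build_response(SAMPLE_QUERY, "127.0.0.1")


def classify(buf: bytes) -> str:
    """'request', 'response' or 'response:loopback' for one DNS packet."""
    pkt = parse_dns(buf)
    if pkt["qr"] == 0:
        return "request"
    return "response:loopback" if response_points_to_loopback(pkt) else "response"


if __name__ == "__main__":
    for label, raw in (("query", SAMPLE_QUERY), ("response", SAMPLE_RESPONSE)):
        print(label, classify(raw), parse_dns(raw))
```

The parser bounds the number of compression-pointer hops because a crafted response can contain a pointer loop; a detector that sits in the resolution path must not be made to spin by the traffic it inspects. Only A records are extracted here; a deployment would apply the same test to AAAA answers against ::1.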
Further, after the determining that the target network traffic data packet has an out-of-band attack, the method further includes:
and generating alarm information according to the target network flow data packet, and reporting the alarm information.
Specifically, after the target network traffic data packet has been parsed, the relevant information about the host and the local domain name server is available; which host is under out-of-band attack, the purpose of the attack and other details are determined, alarm information is generated from them and reported, so that the responsible administrator is reminded to handle the out-of-band attack, for example by adding the requested domain name to the blacklist.
According to the out-of-band attack detection method provided by the embodiment of the invention, the alarm information is reported by generating the alarm information according to the target network flow data packet, so that an administrator is reminded of timely processing, and the safety is further improved.
Further, after performing domain name resolution on the target network traffic data packet to obtain a resolved domain name, the method further includes:
judging whether the resolved domain name is encrypted or not, and decrypting the resolved domain name to obtain a decrypted domain name under the condition that the resolved domain name is encrypted;
correspondingly, in the case that the target network traffic data packet is a request packet, determining whether the resolved domain name belongs to a predefined domain name blacklist includes:
and judging whether the decrypted domain name belongs to a predefined domain name blacklist or not.
Specifically, after parsing the target network traffic data packet, it may be found that some resolved domain names, or labels within them, are Base64- or Base16-encoded (the source text calls this encryption; both are reversible encodings, not encryption). In that case the resolved domain name is first decoded, and the domain name blacklist judgement is then performed on the decoded domain name.
In the out-of-band attack detection method provided by the embodiment of the invention, an encoded resolved domain name is decoded during parsing before the domain name blacklist judgement and the system sensitive information judgement are performed, so that out-of-band attack detection is carried out on the correct domain name and detection accuracy is improved.
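The request-packet path (blacklist match in step 103, sensitive-information match in step 104, and the decoding step just described) is shown together in the following Python, an added example that is not the patent's own code. The blacklist entries, the sensitive-information patterns, the sample query names and the function names (`decode_label`, `blacklisted`, `sensitive_hits`, `inspect_query`) are constructed for illustration. One caveat the page does not state: standard Base64 uses "+", "/" and "=", which are not valid hostname characters, so exfiltration tools usually strip the padding and use hex, Base32 or the URL-safe Base64 alphabet; the decoder below therefore tries Base16, padded standard Base64 and URL-safe Base64, and only accepts output that is printable ASCII.

```python
"""Added example (not the patent's code): the request-packet checks of steps
103-104 plus the decoding step, run over constructed sample query names."""
from __future__ import annotations

import base64
import binascii
import re
import string

# Constructed blacklist; a real deployment would load a managed feed.
DOMAIN_BLACKLIST = {"oob.example", "exfil.example"}

# Constructed patterns for "system sensitive information"; tune per environment.
SENSITIVE_PATTERNS = [
    re.compile(r"root:x:0:0"),                                   # first line of /etc/passwd
    re.compile(r"/etc/(?:passwd|shadow)"),
    re.compile(r"ntds\.dit|web\.config|php\.ini|my\.cnf", re.I),
    re.compile(r"windows (?:nt |server )?\d", re.I),             # OS version string
    re.compile(r"(?:password|passwd|pwd)\s*[=:]\s*\S", re.I),    # key=value credential
]

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_label(label: str) -> str | None:
    """Try Base16, Base64 and Base64url on one label; accept only printable ASCII output."""
    decoders = []
    if len(label) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", label):
        decoders.append(bytes.fromhex)
    pad = "=" * (-len(label) % 4)                  # exfil tools usually drop '=' padding
    decoders.append(lambda s: base64.b64decode(s + pad, validate=True))
    decoders.append(lambda s: base64.urlsafe_b64decode(s + pad))
    for dec in decoders:
        try:
            text = dec(label).decode("ascii")
        except (ValueError, binascii.Error, UnicodeDecodeError):
            continue
        if text and all(c in PRINTABLE for c in text):
            return text
    return None


def blacklisted(name: str, blacklist: set[str] = DOMAIN_BLACKLIST) -> str | None:
    """Match the name and every parent suffix, so a.b.oob.example hits oob.example."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in blacklist:
            return suffix
    return None


def sensitive_hits(name: str) -> list[str]:
    """Pattern matches over the raw name and over each label that decodes to text."""
    texts = [name] + [d for d in (decode_label(lbl) for lbl in name.split(".")) if d]
    return [m.group(0) for text in texts for pat in SENSITIVE_PATTERNS
            for m in [pat.search(text)] if m]


def inspect_query(name: str) -> dict:
    """Step 103 (blacklist) then step 104 (sensitive information) for one query name."""
    hit = blacklisted(name)
    if hit:
        return {"name": name, "verdict": "oob", "reason": "blacklist:" + hit}
    hits = sensitive_hits(name)
    if hits:
        return {"name": name, "verdict": "oob", "reason": "sensitive:" + ";".join(hits)}
    return {"name": name, "verdict": "ok", "reason": ""}


# Constructed sample query names.
B64_PASSWD = base64.b64encode(b"root:x:0:0:root:/root").decode()   # 28 chars, no padding
HEX_WINVER = b"Windows Server 2019".hex()
SAMPLES = [
    "www.cnblogs.com",
    "update.oob.example",
    B64_PASSWD + ".log.example.net",
    HEX_WINVER + ".t.example.net",
]


def run_samples(names: list[str] = SAMPLES) -> dict[str, str]:
    """Verdict per sample name; the same loop a detector runs per request packet."""
    return {n: inspect_query(n)["verdict"] for n in names}


if __name__ == "__main__":
    for n in SAMPLES:
        print(inspect_query(n))
```

The printable-ASCII filter matters: almost any short label decodes under Base64 to some byte string, so a decoder that accepts arbitrary bytes will feed garbage to the pattern stage. Pattern matching alone still misses exfiltration of data that has no recognisable signature (a random token, a compressed blob); a deployment would add per-source query rate and label-entropy checks on top of what the page describes.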
Fig. 2 is a second flow chart of the out-of-band attack detection method according to the embodiment of the present invention, as shown in fig. 2, the out-of-band attack detection method includes the following steps:
According to the out-of-band attack detection method provided by the embodiment of the invention, whether out-of-band attack exists is determined by carrying out multiple detection on the request packet and the response packet, so that sensitive information is ensured not to be revealed, and the network security is improved.
The out-of-band attack detection device provided by the invention is described below, and the out-of-band attack detection device described below and the out-of-band attack detection method described above can be referred to correspondingly.
Fig. 3 is a schematic structural diagram of an out-of-band attack detection device according to an embodiment of the present invention, as shown in fig. 3, an out-of-band attack detection device includes:
the data packet obtaining module 201 is configured to obtain a target network traffic data packet.
The target network flow data packet is a request packet requesting hostname resolution through a domain name resolution system or a response packet responding to a hostname resolution request.
The domain name system (DNS) is a distributed database that maps domain names to IP addresses and is responsible for resolving domain names into IP addresses. When a site on the Internet is accessed, its domain name, for example www.cnblogs.com, is what is typed, because a 32-bit IPv4 address is hard for people to remember; what is actually contacted is the IP address obtained from the domain name system.
The specific process of domain name resolution is that the local machine sends a DNS request message carrying the domain name to be queried to the local domain name server; the local domain name server then generates a DNS response message from the IP address it looked up and returns it to the local machine. The request packet is generated from a DNS request message, and the response packet from a DNS response message.
If the target network traffic data packet is a request packet, it is judged whether its resolved domain name belongs to the domain name blacklist or contains system sensitive information; if it is a response packet, it is judged whether the resolved IP address it carries is a local loopback IP address. Out-of-band attacks are thus detected by different methods according to the packet type.
The domain name resolution module 202 is configured to perform domain name resolution on the target network traffic data packet to obtain a resolved domain name.
In the domain name resolution module 202, the target network traffic data packet is resolved to obtain information of both communication parties (i.e. the host and the local domain name server), which mainly includes the host IP, the host port, the request time, the query type of the request query, the domain name length, and the like.
In this embodiment, the domain name of the request query obtained by analysis is used as the basis for judging the out-of-band attack.
The domain name blacklist judging module 203 is configured to judge whether the resolved domain name belongs to a predefined domain name blacklist if the target network traffic data packet is a request packet, and determine that the target network traffic data packet has an out-of-band attack if the resolved domain name belongs to the predefined domain name blacklist.
The predefined blacklist of domain names refers to a list formed by malicious domain names, which can be added to the blacklist through domain name management, or can be a commonly used blacklist of domain names, which is not limited in this embodiment.
In the domain name blacklist judging module 203, it is first determined whether the target network traffic data packet is a request packet or a response packet from the QR bit in the header of the DNS message it carries.
After determining that the target network traffic data packet is a request packet, matching the resolved domain name with a malicious domain name in a domain name blacklist, and if the matching is performed to obtain a corresponding malicious domain name, determining that the target network traffic data packet has out-of-band attack; if the malicious domain name is not matched in the domain name blacklist, a sensitive information judging module is entered to judge the system sensitive information.
The sensitive information judging module 204 is configured to judge whether system sensitive information is included in the resolved domain name if the resolved domain name does not belong to a predefined domain name blacklist, and determine that the target network traffic data packet has an out-of-band attack if the resolved domain name includes the system sensitive information.
The system sensitive information includes the system version and system type of the local domain name server, configuration information on the host, user account information, password files and the like: for example, on Windows, the system version, IIS configuration files, the password set at first installation, MySQL configuration and PHP configuration; on Unix-like systems, account information, the account password file and virtual website configuration. This embodiment does not limit the list.
In the sensitive information judging module 204, when the domain name blacklist judging module finds no match, it is further judged whether the resolved domain name contains system sensitive information. If it does, the target network traffic data packet is determined to carry an out-of-band attack; if it contains no system sensitive information, the target network traffic data packet is determined to be legitimate, the corresponding IP address is looked up for the resolved domain name, a response packet is generated, and the host is answered.
According to the out-of-band attack detection device provided by the embodiment of the invention, the domain name analysis is firstly carried out on the target network traffic data packet, then, if the target network traffic data packet is the request packet, whether the analyzed domain name belongs to the domain name blacklist or not and whether the system sensitive information is contained or not is judged, so that whether the out-of-band attack exists in the target network traffic data packet is determined, the out-of-band attack can be detected before the domain name analysis request is responded, the response packet containing the system sensitive information is not sent to the host, the out-of-band attack is timely and effectively detected, the sensitive information is ensured not to be leaked, and the network security is improved.
Further, the apparatus further comprises:
a loop address judging module (not shown in the figure) for judging whether the resolved IP queried according to the resolved domain name is a local loop IP in the case that the target network traffic data packet is a response packet;
and, in the case that the resolved IP is the local loop IP, determining that the target network flow data packet has an out-of-band attack.
The local loop IP (loopback address) represents a virtual local interface of the device and can be used to check whether the local network protocol stack, basic data interfaces, etc. are working normally. It refers to an address beginning with 127 (127.0.0.1 to 127.255.255.254), usually written as 127.0.0.1.
Specifically, if the target network traffic data packet is a response packet, the response packet contains the resolved IP corresponding to the resolved domain name that was queried for the request packet, and it is judged whether this resolved IP is a local loop IP. If it is, it is determined that the target network flow data packet has an out-of-band attack; if it is not, the response packet is regarded as normal and is sent to the corresponding host as usual.
According to the out-of-band attack detection device provided by this embodiment of the invention, whether a response packet carries an out-of-band attack is determined by further judging whether the resolved IP in the response packet is the local loop IP, so that both request packets and response packets are detected comprehensively and network security is further improved.
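As an added illustration (not code from the patent), the request and response checks described above in Python: each label of the query name is decoded when it looks Base16- or Base64-encoded, the name is matched against a blacklist, the decoded text is scanned for sensitive-information patterns, and a response whose resolved IP is a loopback address is flagged. The blacklist entries, the sensitive-information patterns and the sample names are constructed assumptions.

```python
import base64
import ipaddress
import re

# Constructed sample policy (assumption, not from the patent): known out-of-band
# collector domains and patterns for system sensitive information.
DOMAIN_BLACKLIST = {"oob-collector.example", "dnslog.example"}
SENSITIVE_PATTERNS = [
    re.compile(r"root:[^:]*:0:0"),                      # Unix /etc/passwd root line
    re.compile(r"password\s*=", re.I),                  # credential in a config
    re.compile(r"windows nt \d", re.I),                 # Windows version banner
    re.compile(r"my\.cnf|php\.ini|web\.config", re.I),  # well-known config files
]
BASE16_RE = re.compile(r"[0-9A-Fa-f]+")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+")

def decode_label(label):
    """Decode a label from Base16 or Base64 when it plausibly is one (claims 4, 5),
    else return it unchanged; short or non-printable results keep ordinary names."""
    if len(label) < 8:
        return label
    try:
        if BASE16_RE.fullmatch(label) and len(label) % 2 == 0:
            raw = bytes.fromhex(label)
        elif BASE64_RE.fullmatch(label):
            # DNS labels cannot carry '=', so restore the padding before decoding.
            raw = base64.b64decode(label + "=" * (-len(label) % 4), validate=True)
        else:
            return label
        text = raw.decode("ascii")  # UnicodeDecodeError is a ValueError too
    except ValueError:
        return label
    return text if text.isprintable() else label

def decode_domain(qname):
    """Decode every label of a query name; a plain name comes back unchanged."""
    return ".".join(decode_label(part) for part in qname.rstrip(".").split("."))

def in_blacklist(qname):
    """True if the name equals, or is a subdomain of, a blacklisted domain."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DOMAIN_BLACKLIST)

def inspect_request(qname):
    """Request packet: blacklist check first, then the sensitive-information scan."""
    decoded = decode_domain(qname)
    if in_blacklist(qname) or in_blacklist(decoded):
        return ("attack", "blacklist")
    if any(p.search(decoded) for p in SENSITIVE_PATTERNS):
        return ("attack", "sensitive-info")
    return ("legal", None)

def inspect_response(resolved_ip):
    """Response packet: loopback resolved IP (127.0.0.0/8, plus IPv6 ::1) => attack."""
    try:
        addr = ipaddress.ip_address(resolved_ip)
    except ValueError:
        return ("legal", None)  # not an address; nothing for this check to judge
    return ("attack", "loopback") if addr.is_loopback else ("legal", None)
```

The hex label in the sample below is the Base16 form of the constructed string `root:x:0:0`, and the Base64 label decodes to `password=admin`; both are classified as sensitive information after decoding, while a plain lookup of `www.example.com` passes.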
Fig. 4 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present invention. As shown in fig. 4, the electronic device may include: a processor 310, a communication interface (Communications Interface) 320, a memory 330 and a communication bus 340, where the processor 310, the communication interface 320 and the memory 330 communicate with each other through the communication bus 340. The processor 310 may invoke logic instructions in the memory 330 to perform an out-of-band attack detection method including: acquiring a target network flow data packet;
performing domain name resolution on the target network flow data packet to obtain a resolved domain name;
judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet,
determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to a predefined domain name blacklist;
judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist;
and under the condition that the resolved domain name contains system sensitive information, determining that the target network flow data packet has out-of-band attack.
Further, the logic instructions in the memory 330 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or a part of it, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, the present invention also provides a computer program product, where the computer program product includes a computer program that can be stored on a non-transitory computer readable storage medium; when the computer program is executed by a processor, the computer can perform the out-of-band attack detection method provided above, where the method includes: acquiring a target network flow data packet;
performing domain name resolution on the target network flow data packet to obtain a resolved domain name;
judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet,
determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to a predefined domain name blacklist;
judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist;
and under the condition that the resolved domain name contains system sensitive information, determining that the target network flow data packet has out-of-band attack.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the out-of-band attack detection method provided above, comprising: acquiring a target network flow data packet;
performing domain name resolution on the target network flow data packet to obtain a resolved domain name;
judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet,
determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to a predefined domain name blacklist;
judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist;
and under the condition that the resolved domain name contains system sensitive information, determining that the target network flow data packet has out-of-band attack.
The apparatus embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue effort.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially or in part in the form of a software product, which may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the various embodiments or methods of some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. An out-of-band attack detection method, comprising:
acquiring a target network flow data packet;
performing domain name resolution on the target network flow data packet to obtain a resolved domain name;
judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet,
determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to a predefined domain name blacklist;
judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist;
and under the condition that the resolved domain name contains system sensitive information, determining that the target network flow data packet has out-of-band attack.
2. The out-of-band attack detection method according to claim 1, wherein the method further comprises:
judging whether the resolved IP queried according to the resolved domain name is a local loop IP or not under the condition that the target network flow data packet is a response packet;
and under the condition that the resolved domain name is the local loop IP, determining that the target network flow data packet has out-of-band attack.
3. The out-of-band attack detection method according to claim 1 or 2, wherein after said determining that the target network traffic data packet is subject to an out-of-band attack, the method further comprises:
and generating alarm information according to the target network flow data packet, and reporting the alarm information.
4. The out-of-band attack detection method according to claim 1, wherein after performing domain name resolution on the target network traffic packet to obtain a resolved domain name, the method further comprises:
judging whether the resolved domain name is encrypted or not, and decrypting the resolved domain name to obtain a decrypted domain name under the condition that the resolved domain name is encrypted;
correspondingly, in the case that the target network traffic data packet is a request packet, determining whether the resolved domain name belongs to a predefined domain name blacklist includes:
and judging whether the decrypted domain name belongs to a predefined domain name blacklist or not.
5. The out-of-band attack detection method according to claim 4, wherein the determining whether the resolved domain name is encrypted comprises:
and judging whether the resolved domain name is encrypted by Base64 or Base16.
6. An out-of-band attack detection device comprising:
the data packet acquisition module is used for acquiring a target network flow data packet;
the domain name resolution module is used for carrying out domain name resolution on the target network flow data packet to obtain a resolved domain name;
the domain name blacklist judging module is used for judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet, and determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to the predefined domain name blacklist;
the sensitive information judging module is used for judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist, and determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name contains the system sensitive information.
7. The out-of-band attack detection device according to claim 6, wherein the device further comprises:
the loop address judging module is used for judging whether the resolved IP queried according to the resolved domain name is a local loop IP or not under the condition that the target network flow data packet is a response packet;
and under the condition that the resolved domain name is the local loop IP, determining that the target network flow data packet has out-of-band attack.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the out-of-band attack detection method according to any of claims 1 to 5 when the program is executed by the processor.
9. A non-transitory computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the out-of-band attack detection method according to any of claims 1 to 5.
10. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the out-of-band attack detection method according to any of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111672869.7A CN116418534A (en) | 2021-12-31 | 2021-12-31 | Out-of-band attack detection method and device, electronic equipment, medium and product |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111672869.7A CN116418534A (en) | 2021-12-31 | 2021-12-31 | Out-of-band attack detection method and device, electronic equipment, medium and product |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116418534A true CN116418534A (en) | 2023-07-11 |
Family
ID=87050032
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111672869.7A Pending CN116418534A (en) | 2021-12-31 | 2021-12-31 | Out-of-band attack detection method and device, electronic equipment, medium and product |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116418534A (en) |
- 2021-12-31: CN CN202111672869.7A patent/CN116418534A/en, active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9648033B2 (en) | | System for detecting the presence of rogue domain name service providers through passive monitoring |
CN109474575B (en) | | DNS tunnel detection method and device |
US8392963B2 (en) | | Techniques for tracking actual users in web application security systems |
US8972571B2 (en) | | System and method for correlating network identities and addresses |
US8321943B1 (en) | | Programmatic communication in the event of host malware infection |
CN108521408B (en) | | Method and device for resisting network attack, computer equipment and storage medium |
US11729134B2 (en) | | In-line detection of algorithmically generated domains |
CN104135474B (en) | | Host-based network anomalous behavior detection method using out-degree and in-degree |
CN114598525A (en) | | IP automatic blocking method and device for network attack |
CN103701816B (en) | | Scanning method and scanning device for servers performing denial of service attacks |
CN105827599A (en) | | Cache infection detection method and apparatus based on deep analysis of DNS messages |
US11652833B2 (en) | | Detection of anomalous count of new entities |
CN107623693B (en) | | Domain name resolution protection method, device, system, computing equipment and storage medium |
CN106790073B (en) | | Blocking method and device for malicious attack of Web server and firewall |
CN107623916B (en) | | Method and equipment for WiFi network security monitoring |
CN113709129A (en) | | White list generation method, device and system based on traffic learning |
CN117375978A (en) | | Domain name system cache attack detection method and system and domain name system server |
CN113098852A (en) | | Log processing method and device |
KR100772177B1 (en) | | Method and apparatus for generating intrusion detection event to test security function |
CN116418534A (en) | | Out-of-band attack detection method and device, electronic equipment, medium and product |
CN110995738B (en) | | Brute-force cracking behavior identification method and device, electronic equipment and readable storage medium |
US10015179B2 (en) | | Interrogating malware |
US11683337B2 (en) | | Harvesting fully qualified domain names from malicious data packets |
US11038921B1 (en) | | Detecting malicious actors |
US10462180B1 (en) | | System and method for mitigating phishing attacks against a secured computing device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |