CN116418534A - Out-of-band attack detection method and device, electronic equipment, medium and product - Google Patents

Info

Publication number: CN116418534A
Application number: CN202111672869.7A
Authority: CN (China)
Prior art keywords: domain name, data packet, target network, resolved, flow data
Prior art date:
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 志国, 王健
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd; priority to CN202111672869.7A; publication of CN116418534A; legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides an out-of-band attack detection method and device, electronic equipment, a medium and a product. The detection method comprises the following steps: acquiring a target network traffic data packet; performing domain name resolution on the target network traffic data packet to obtain a resolved domain name; if the target network traffic data packet is a request packet, judging whether the resolved domain name belongs to a predefined domain name blacklist, and if it does, determining that the target network traffic data packet carries an out-of-band attack; if the resolved domain name does not belong to the predefined domain name blacklist, judging whether the resolved domain name contains system sensitive information; and if it does, determining that the target network traffic data packet carries an out-of-band attack. The method and device can detect out-of-band attacks in a timely and effective manner, ensure that sensitive information is not leaked, and improve network security.

Description

Out-of-band attack detection method and device, electronic equipment, medium and product
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and apparatus for detecting an out-of-band attack, an electronic device, a medium, and a product.
Background
Out-of-band attacks exploit the OOB (Out of Band) vulnerability in NetBIOS. Their principle is to send a data packet over the TCP/IP protocol to an open port of the computer (typically 137, 138 or 139); when the computer receives the packet it crashes or blue-screens, and it cannot use TCP/IP to access the network again until it is restarted.
After the attacker generates an out-of-band TCP/UDP/ICMP request, the data containing system sensitive information on the computer is extracted through that request, so the system sensitive information of the user's computer is compromised. A detection method for out-of-band attacks is therefore needed to discover and handle them in time, prevent sensitive information from being leaked, and improve the security of the user's computer.
Disclosure of Invention
The invention provides an out-of-band attack detection method and device, electronic equipment, a medium and a product, which are used to address the above defects.
The invention provides a method for detecting an out-of-band attack, which comprises the following steps: acquiring a target network traffic data packet; performing domain name resolution on the target network traffic data packet to obtain a resolved domain name; if the target network traffic data packet is a request packet, judging whether the resolved domain name belongs to a predefined domain name blacklist, and if it does, determining that the target network traffic data packet carries an out-of-band attack; if the resolved domain name does not belong to the predefined domain name blacklist, judging whether the resolved domain name contains system sensitive information; and if it does, determining that the target network traffic data packet carries an out-of-band attack.
According to the out-of-band attack detection method provided by the invention, the method further comprises: if the target network traffic data packet is a response packet, judging whether the resolved IP queried from the resolved domain name is a local loopback IP; and if the resolved IP is a local loopback IP, determining that the target network traffic data packet carries an out-of-band attack.
According to the out-of-band attack detection method provided by the invention, after it is determined that the target network traffic data packet carries an out-of-band attack, the method further comprises: generating alarm information from the target network traffic data packet, and reporting the alarm information.
According to the out-of-band attack detection method provided by the invention, after domain name resolution is performed on the target network traffic data packet to obtain the resolved domain name, the method further comprises: judging whether the resolved domain name is encrypted, and if it is, decrypting it to obtain a decrypted domain name. Correspondingly, when the target network traffic data packet is a request packet, judging whether the resolved domain name belongs to a predefined domain name blacklist means judging whether the decrypted domain name belongs to the predefined domain name blacklist.
According to the out-of-band attack detection method provided by the invention, judging whether the resolved domain name is encrypted comprises: judging whether the resolved domain name is encrypted with Base64 or Base16.
The invention also provides an out-of-band attack detection device, which comprises: a data packet acquisition module for acquiring a target network traffic data packet; a domain name resolution module for performing domain name resolution on the target network traffic data packet to obtain a resolved domain name; a domain name blacklist judging module for judging, when the target network traffic data packet is a request packet, whether the resolved domain name belongs to a predefined domain name blacklist, and determining that the target network traffic data packet carries an out-of-band attack when it does; and a sensitive information judging module for judging, when the resolved domain name does not belong to the predefined domain name blacklist, whether the resolved domain name contains system sensitive information, and determining that the target network traffic data packet carries an out-of-band attack when it does.
According to the out-of-band attack detection device provided by the invention, the device further comprises a loopback address judging module for judging, when the target network traffic data packet is a response packet, whether the resolved IP queried from the resolved domain name is a local loopback IP, and determining that the target network traffic data packet carries an out-of-band attack when it is.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and operable on the processor, the processor implementing the steps of any of the out-of-band attack detection methods described above when the processor executes the program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of any of the out-of-band attack detection methods described above.
The invention also provides a computer program product comprising a computer program which when executed by a processor implements the steps of any of the out-of-band attack detection methods described above.
According to the out-of-band attack detection method, device, electronic equipment, medium and product provided by the invention, domain name resolution is first performed on the request packet, and it is then judged whether the resolved domain name belongs to a domain name blacklist and whether it contains system sensitive information, in order to determine whether the target network traffic data packet carries an out-of-band attack. The out-of-band attack can therefore be detected before the domain name resolution request is answered, so the response packet containing the system sensitive information is never sent to the host; out-of-band attacks are detected in a timely and effective manner, sensitive information is not leaked, and network security is improved.
Drawings
In order to illustrate the invention or the prior-art technical solutions more clearly, the drawings used in the embodiments or in the description of the prior art are briefly described below. Clearly, the drawings described below show some embodiments of the invention, and a person skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of an out-of-band attack detection method according to an embodiment of the present invention;
Fig. 2 is a second flow chart of the out-of-band attack detection method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an out-of-band attack detection device according to an embodiment of the present invention;
Fig. 4 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a schematic flow chart of an out-of-band attack detection method according to an embodiment of the present invention. As shown in Fig. 1, the out-of-band attack detection method may include the following steps:
Step 101: obtaining a target network traffic data packet.
The target network flow data packet is a request packet requesting hostname resolution through a domain name resolution system or a response packet responding to a hostname resolution request.
The domain name resolution system (DNS) is a distributed database that maps domain names and IP addresses to each other and is responsible for resolving domain names into IP addresses. When accessing a site on the Internet, a user generally enters the site's domain name, for example www.cnblogs.com, because an IP address is 32 bits long and hard to remember; the site is actually accessed through the IP address that the domain name resolution system resolves the name to.
The specific domain name resolution process is as follows: the local machine sends a DNS request message carrying the domain name to be queried to the local domain name server; the local domain name server then generates a DNS response message from the queried IP address and returns it to the local machine. The request packet is generated from a DNS request message, and the response packet is generated from a DNS response message.
It should be noted that after the target network traffic data packet is acquired, its type may be determined further. The type may be a request packet or a response packet, and different detection is performed for each type. Specifically, if the target network traffic data packet is a request packet, it is judged whether its resolved domain name belongs to a domain name blacklist and whether it contains system sensitive information; if it is a response packet, it is judged whether its resolved IP is a local loopback IP. Out-of-band attacks are thus detected by different methods according to the packet type, as described in detail below.
Step 102: performing domain name resolution on the target network traffic data packet to obtain a resolved domain name.
In this step, the target network traffic data packet is parsed to obtain information about both communicating parties (the host and the local domain name server), mainly the host IP, the host port, the request time, the query type of the request, the domain name length and the like.
In this embodiment, the queried domain name obtained by parsing is used as the basis for judging the out-of-band attack.
Step 103: if the target network traffic data packet is a request packet, judging whether the resolved domain name belongs to a predefined domain name blacklist, and if it does, determining that the target network traffic data packet carries an out-of-band attack.
The predefined domain name blacklist is a list of malicious domain names. Domain names can be added to it through domain name management, or a commonly used domain name blacklist can be adopted; this is not limited in this embodiment.
In this step, it is first determined from the header (the "infrastructure" part) of the DNS packet inside the target network traffic data packet whether the packet is a request packet or a response packet.
The flag field of the DNS packet header is shown in Table 1. When the QR bit is 0, the target network traffic packet is a request packet; when the QR bit is 1, it is a response packet.
Table 1: flag field of the DNS packet header

  QR | Opcode | AA | TC | RD | RA | Z | RCODE
Then the resolved domain name is matched against the malicious domain names in the domain name blacklist. If a corresponding malicious domain name is matched, it is determined that the target network traffic data packet carries an out-of-band attack; if no malicious domain name is matched in the blacklist, Step 104 is entered to judge the system sensitive information.
In addition, if the resolved domain name consists of several sub-domain names, each sub-domain name must also be checked against the domain name blacklist. If any sub-domain name belongs to the blacklist, the resolved domain name is determined to be a malicious domain name and the corresponding target network traffic data packet carries an out-of-band attack; if neither the sub-domain names nor the resolved domain name itself belongs to the blacklist, the resolved domain name is normal and Step 104 is entered to judge the system sensitive information.
Step 104: if the resolved domain name does not belong to the predefined domain name blacklist, judging whether it contains system sensitive information, and if it does, determining that the target network traffic data packet carries an out-of-band attack.
The system sensitive information includes the system version and system type of the local domain name server, various configuration information on the host, user account information, password files and the like. For example, on a Windows system this may be the system version, the IIS configuration file, the password set at first installation of the system, the MySQL configuration or the PHP configuration information; on a Unix system it may be account information, the account password file, virtual website configuration and the like. This is not limited in this embodiment.
In this step, if the result of Step 103 is no, it is further judged whether the resolved domain name contains system sensitive information. If it does, it is determined that the target network traffic data packet carries an out-of-band attack; if it contains no system sensitive information, the target network traffic data packet is determined to be legitimate, the corresponding IP is looked up from the resolved domain name, a response packet is generated, and the host is answered.
According to the out-of-band attack detection method provided by this embodiment of the invention, domain name resolution is first performed on the target network traffic data packet; then, if the packet is a request packet, it is judged whether the resolved domain name belongs to the domain name blacklist and whether it contains system sensitive information, and from this it is determined whether the packet carries an out-of-band attack. The attack can therefore be detected before the domain name resolution request is answered, so the response packet containing the system sensitive information is never sent to the host; out-of-band attacks are detected in a timely and effective manner, sensitive information is not leaked, and network security is improved.
Further, the method also comprises: if the target network traffic data packet is a response packet, judging whether the resolved IP queried from the resolved domain name is a local loopback IP, and if it is, determining that the target network traffic data packet carries an out-of-band attack.
The local loopback IP (local loop IP) represents a virtual interface local to the device and can be used to check whether the local network protocol stack, basic data interfaces and the like are working normally. It refers to an address beginning with 127 (127.0.0.1-127.255.255.254) and is generally written as 127.0.0.1.
Specifically, if the target network traffic data packet is a response packet, it contains the resolved IP that was looked up for the resolved domain name of the request packet, and it is judged whether this resolved IP is a local loopback IP. If it is, the target network traffic data packet is determined to carry an out-of-band attack; if it is not, the current response packet is legitimate and is sent to the corresponding host normally.
According to the out-of-band attack detection method provided by this embodiment of the invention, whether a response packet carries an out-of-band attack is determined by further judging whether the resolved IP in the response packet is a local loopback IP, so that both request packets and response packets are comprehensively detected and network security is further improved.
Further, after it is determined that the target network traffic data packet carries an out-of-band attack, the method also comprises: generating alarm information from the target network traffic data packet, and reporting the alarm information.
Specifically, after the target network traffic data packet is parsed, the relevant information about the host and the local domain name server is produced; which host is under out-of-band attack, the purpose of the attack and other information are determined; alarm information is generated from this information and reported, to remind the responsible administrator to handle the out-of-band attack, for example by adding the domain name whose resolution was requested to the blacklist.
According to the out-of-band attack detection method provided by this embodiment of the invention, alarm information is generated from the target network traffic data packet and reported, so that an administrator is reminded to handle the attack in time and security is further improved.
Further, after domain name resolution is performed on the target network traffic data packet to obtain a resolved domain name, the method also comprises: judging whether the resolved domain name is encrypted, and if it is, decrypting it to obtain a decrypted domain name. Correspondingly, when the target network traffic data packet is a request packet, judging whether the resolved domain name belongs to a predefined domain name blacklist means judging whether the decrypted domain name belongs to the predefined domain name blacklist.
Specifically, after domain name resolution of the target network traffic data packet, some resolved domain names may be found to be encrypted (encoded) with Base64 or Base16. These resolved domain names must first be decrypted, and the domain name blacklist judgment is then performed on the decrypted domain names.
In the out-of-band attack detection method provided by this embodiment of the invention, an encrypted resolved domain name is decrypted during domain name resolution before the domain name blacklist judgment and the system sensitive information judgment are carried out, so that out-of-band attack detection is performed on the correct domain name and detection accuracy is improved.
Fig. 2 is a second flow chart of the out-of-band attack detection method according to an embodiment of the present invention. As shown in Fig. 2, the out-of-band attack detection method includes the following steps:
Step 210: obtaining a target network traffic data packet, then entering Step 220;
Step 220: performing domain name resolution on the target network traffic data packet to obtain a resolved domain name, then entering Step 230;
Step 230: judging whether the target network traffic data packet is a request packet or a response packet; if it is a request packet, proceeding to Step 240; if it is a response packet, proceeding to Step 270;
Step 240: judging whether the resolved domain name belongs to a predefined domain name blacklist; if it does, entering Step 260; if it does not, entering Step 250;
Step 250: judging whether the resolved domain name contains system sensitive information; if it does, entering Step 260; if it does not, entering the end state;
Step 260: determining that the target network traffic data packet carries an out-of-band attack, generating alarm information from the target network traffic data packet, reporting the alarm information, then entering the end state;
Step 270: judging whether the resolved IP queried from the resolved domain name is a local loopback IP; if it is, entering Step 260; if it is not, sending the response packet to the corresponding host normally, then entering the end state.
According to the out-of-band attack detection method provided by this embodiment of the invention, whether an out-of-band attack exists is determined by performing multiple checks on request packets and response packets, so that sensitive information is not leaked and network security is improved.
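As an added example (not code from the patent or its assignees), the following Python sketch implements the Fig. 2 flow using the QR bit of the Table 1 flag field: it parses a DNS request or response, undoes Base16 or Base64 encoding on the query labels, checks the decoded name and each parent suffix against a domain name blacklist, scans it for system sensitive information, and flags a response whose A record is a loopback address. The blacklist, the regular expressions, the suffix-walk reading of the sub-domain rule and the minimal packet builders are all constructed assumptions.

```python
import base64
import ipaddress
import re
import struct

# Constructed sample data (assumptions for this example, not from the patent): domains used
# by out-of-band collectors, and regexes standing in for "system sensitive information".
DOMAIN_BLACKLIST = {"dnslog.example", "oob-collector.example"}
SENSITIVE_PATTERNS = [
    re.compile(r"windows\s*(nt|server)?\s*\d", re.I),             # OS version strings
    re.compile(r"(etc/)?(passwd|shadow)", re.I),                  # Unix password files
    re.compile(r"(my\.ini|my\.cnf|php\.ini|web\.config)", re.I),  # MySQL/PHP/IIS configs
    re.compile(r"administrator:|root:", re.I),                    # account records
]

def _skip_name(packet: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        n = packet[pos]
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + n
        if n == 0:
            return pos

def parse_dns(packet: bytes) -> dict:
    """Parse the Table 1 header flags, the first question and any A-record answers."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    info = {"qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "qname": "", "answers": []}
    labels, pos = [], 12
    while packet[pos] != 0:           # the question name is never compressed
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    info["qname"] = ".".join(labels)
    pos += 1 + 4                      # name terminator, QTYPE, QCLASS
    for _ in range(ancount):
        pos = _skip_name(packet, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            info["answers"].append(str(ipaddress.IPv4Address(packet[pos:pos + 4])))
        pos += rdlen
    return info

def decode_label(label: str) -> str:
    """Undo Base16/Base64 on a label when it yields printable ASCII; short labels are kept."""
    if len(label) < 8:                # avoids misreading short words or numbers as hex
        return label
    decoders = (bytes.fromhex,
                lambda s: base64.b64decode(s + "=" * (-len(s) % 4), validate=True))
    for decoder in decoders:
        try:
            text = decoder(label).decode("ascii")
        except ValueError:            # covers binascii.Error and UnicodeDecodeError
            continue
        if text.isprintable():
            return text
    return label

def detect(packet: bytes, blacklist=DOMAIN_BLACKLIST) -> tuple:
    """Steps 230 to 270 of Fig. 2: return ("attack" or "legal", reason)."""
    dns = parse_dns(packet)
    if dns["qr"] == 0:                                   # request packet
        labels = [decode_label(lab) for lab in dns["qname"].split(".")]
        decoded = ".".join(labels)
        # Step 240: the full name and every parent suffix against the blacklist
        for i in range(len(labels)):
            if ".".join(labels[i:]) in blacklist:
                return ("attack", "blacklisted domain: " + decoded)
        # Step 250: system sensitive information carried in the query name
        for pat in SENSITIVE_PATTERNS:
            if pat.search(decoded):
                return ("attack", "sensitive information in query: " + decoded)
        return ("legal", decoded)
    for ip in dns["answers"]:                            # response packet, Step 270
        if ipaddress.IPv4Address(ip).is_loopback:
            return ("attack", "loopback answer %s for %s" % (ip, dns["qname"]))
    return ("legal", dns["qname"])

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal A query (constructed test input); flags 0x0100 = QR 0, RD 1."""
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)

def build_response(qname: str, ip: str, txid: int = 0x1234) -> bytes:
    """Response with one A answer (constructed test input); flags 0x8180 = QR 1, RD, RA."""
    question = build_query(qname, txid)[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

if __name__ == "__main__":
    for pkt in (build_query("www.cnblogs.com"), build_query("host1.dnslog.example"),
                build_query(b"/etc/passwd".hex() + ".cb.example"),   # Base16-encoded leak
                build_query("cm9vdDp4OjA6MA.cb.example"),            # Base64 of "root:x:0:0"
                build_response("cb.example", "127.0.0.1"),
                build_response("www.cnblogs.com", "192.0.2.10")):
        print(detect(pkt))
```

The patterns are illustrative and would be tuned per deployment; the length threshold in decode_label trades missed short encoded labels for fewer false decodes of ordinary hostnames.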
The out-of-band attack detection device provided by the invention is described below; the device described below and the method described above may be referred to correspondingly.
Fig. 3 is a schematic structural diagram of an out-of-band attack detection device according to an embodiment of the present invention. As shown in Fig. 3, the out-of-band attack detection device includes:
the data packet obtaining module 201 is configured to obtain a target network traffic data packet.
The target network flow data packet is a request packet requesting hostname resolution through a domain name resolution system or a response packet responding to a hostname resolution request.
The domain name resolution system (DNS) is a distributed database that maps domain names and IP addresses to each other and is responsible for resolving domain names into IP addresses. When accessing a site on the Internet, a user generally enters the site's domain name, for example www.cnblogs.com, because an IP address is 32 bits long and hard to remember; the site is actually accessed through the IP address that the domain name resolution system resolves the name to.
The specific domain name resolution process is as follows: the local machine sends a DNS request message carrying the domain name to be queried to the local domain name server; the local domain name server then generates a DNS response message from the queried IP address and returns it to the local machine. The request packet is generated from a DNS request message, and the response packet is generated from a DNS response message.
If the target network traffic data packet is a request packet, it is judged whether its resolved domain name belongs to a domain name blacklist and whether it contains system sensitive information; if it is a response packet, it is judged whether its resolved IP is a local loopback IP. Out-of-band attacks are thus detected by different methods according to the type of the target network traffic data packet.
The domain name resolution module 202 is configured to perform domain name resolution on the target network traffic data packet to obtain a resolved domain name.
In the domain name resolution module 202, the target network traffic data packet is parsed to obtain information about both communicating parties (the host and the local domain name server), mainly the host IP, the host port, the request time, the query type of the request, the domain name length and the like.
In this embodiment, the queried domain name obtained by parsing is used as the basis for judging the out-of-band attack.
The domain name blacklist judging module 203 is configured to judge whether the resolved domain name belongs to a predefined domain name blacklist if the target network traffic data packet is a request packet, and determine that the target network traffic data packet has an out-of-band attack if the resolved domain name belongs to the predefined domain name blacklist.
The predefined blacklist of domain names refers to a list formed by malicious domain names, which can be added to the blacklist through domain name management, or can be a commonly used blacklist of domain names, which is not limited in this embodiment.
In the domain name blacklist judging module 203, it is first determined from the header (the "infrastructure" part) of the DNS packet inside the target network traffic data packet whether the packet is a request packet or a response packet.
After the target network traffic data packet is determined to be a request packet, the resolved domain name is matched against the malicious domain names in the domain name blacklist. If a corresponding malicious domain name is matched, it is determined that the target network traffic data packet carries an out-of-band attack; if no malicious domain name is matched in the blacklist, the sensitive information judging module is entered to judge the system sensitive information.
The sensitive information judging module 204 is configured to judge whether system sensitive information is included in the resolved domain name if the resolved domain name does not belong to a predefined domain name blacklist, and determine that the target network traffic data packet has an out-of-band attack if the resolved domain name includes the system sensitive information.
The system sensitive information comprises the system version and system type of the local domain name server, various configuration information on the host, user account information, password files, and the like. Examples include the Windows system version, IIS configuration files, the password set at the first installation of the Windows system, MySQL configuration, and php configuration information, or account information, account password files, and virtual website configuration in a Unix system; this embodiment does not limit these.
In the sensitive information judging module 204, if the domain name blacklist judging module determines that the resolved domain name is not in the blacklist, it is further judged whether the resolved domain name contains the system sensitive information. If the resolved domain name contains the system sensitive information, it is determined that the target network flow data packet has an out-of-band attack; if it does not, the target network flow data packet is determined to be legal, the corresponding IP is looked up according to the resolved domain name, a response packet is generated, and the host is responded to.
According to the out-of-band attack detection device provided by the embodiment of the invention, domain name resolution is first performed on the target network traffic data packet; then, if the target network traffic data packet is a request packet, it is judged whether the resolved domain name belongs to the domain name blacklist and whether it contains system sensitive information, so as to determine whether an out-of-band attack exists in the target network traffic data packet. The out-of-band attack can thus be detected before the domain name resolution request is responded to, so that no response packet containing system sensitive information is sent to the host; the out-of-band attack is detected in a timely and effective manner, the sensitive information is ensured not to be leaked, and network security is improved.
Further, the apparatus further comprises:
a loop address judging module (not shown in the figure) for judging whether the resolved IP queried according to the resolved domain name is a local loop IP in the case that the target network traffic data packet is a response packet;
and under the condition that the resolved domain name is the local loop IP, determining that the target network flow data packet has out-of-band attack.
The local loop IP represents a device local virtual interface, and can be used to check whether a local network protocol, a basic data interface, etc. are normal. The local loop IP refers to an address beginning with 127 (127.0.0.1-127.255.255.254), generally indicated by 127.0.0.1.
Specifically, if the target network traffic data packet is a response packet, the response packet includes a resolved IP corresponding to the resolved domain name queried according to the request packet, and it is determined whether the resolved IP is a local loop IP. If the resolved IP is the local loop IP, it is determined that the target network flow data packet has an out-of-band attack; if the resolved IP is not the local loop IP, the current response packet is legitimate and is sent normally to the corresponding host.
According to the out-of-band attack detection device provided by the embodiment of the invention, whether the response packet carries an out-of-band attack is determined by further judging whether the resolved IP in the response packet is the local loop IP, so that both the request packet and the response packet are comprehensively detected, and network security is further improved.
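The detection order described for modules 203 and 204 and for the loop address module, as an added Python example that is not the patent's own code: the request branch checks the queried name against a blacklist, then against sensitive-information patterns after undoing Base16/Base64 label encoding (claims 4 and 5), and the response branch flags A records in 127.0.0.0/8. The blacklist entries, the patterns and the `build_message` packet builder are constructed samples, not values from the page.

```python
import base64
import ipaddress
import re
import struct

DOMAIN_BLACKLIST = {"oob-collector.example", "dnslog.example"}   # constructed sample
SENSITIVE_PATTERNS = [re.compile(p, re.I) for p in (            # constructed sample
    r"windows (nt|server)", r"/etc/(passwd|shadow)", r"web\.config", r"my\.cnf", r"php\.ini")]

def _read_name(pkt, off):
    """Return (labels, offset after the name); follows RFC 1035 pointers."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return labels, off + 1
        if n & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            return labels + _read_name(pkt, ptr)[0], off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n

def _decode_label(label):
    """Undo Base16 or Base64 encoding of one label (claims 4-5); else keep it."""
    for dec in (bytes.fromhex,
                lambda s: base64.b64decode(s + "=" * (-len(s) % 4), validate=True)):
        try:
            return dec(label).decode("utf-8", "replace")
        except ValueError:                         # binascii.Error subclasses it
            pass
    return label

def inspect_dns(pkt):
    """Classify one raw DNS message (UDP payload) as 'legal' or 'oob_attack'."""
    _, flags, _, ancount = struct.unpack("!HHHH", pkt[:8])
    labels, off = _read_name(pkt, 12)
    qname = ".".join(labels).lower()
    off += 4                                       # skip QTYPE and QCLASS
    if not flags & 0x8000:                         # QR=0: request packet
        if any(qname == b or qname.endswith("." + b) for b in DOMAIN_BLACKLIST):
            return "oob_attack", "blacklisted domain: " + qname
        decoded = ".".join(_decode_label(l) for l in labels)   # per-label decode
        for pat in SENSITIVE_PATTERNS:
            if pat.search(qname) or pat.search(decoded):
                return "oob_attack", "sensitive info in query: " + decoded
        return "legal", qname
    for _ in range(ancount):                       # QR=1: walk the answer RRs
        _, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and ipaddress.IPv4Address(pkt[off:off + 4]).is_loopback:
            return "oob_attack", "loopback (127.0.0.0/8) answer for " + qname
        off += rdlen
    return "legal", qname

def build_message(name, answer_ip=None):
    """Constructed sample query for `name`, or a response carrying one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 if answer_ip else 0x0100,
                      1, 1 if answer_ip else 0, 0, 0)
    msg = hdr + qname + struct.pack("!HH", 1, 1)
    if answer_ip:                                  # owner name as pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += ipaddress.IPv4Address(answer_ip).packed
    return msg
```

Ordinary labels will often decode as Base64 into meaningless bytes, which is why the patterns are searched on both the raw name and the decoded form rather than on the decoded form alone.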
Fig. 4 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 4, the electronic device may include: a processor 310, a communication interface (Communications Interface) 320, a memory 330 and a communication bus 340, wherein the processor 310, the communication interface 320 and the memory 330 communicate with one another through the communication bus 340. The processor 310 may invoke logic instructions in the memory 330 to perform an out-of-band attack detection method including: acquiring a target network flow data packet;
performing domain name resolution on the target network flow data packet to obtain a resolved domain name;
judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet,
determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to a predefined domain name blacklist;
judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist;
and under the condition that the resolved domain name contains system sensitive information, determining that the target network flow data packet has out-of-band attack.
Further, the logic instructions in the memory 330 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, essentially or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, the present invention also provides a computer program product, where the computer program product includes a computer program, where the computer program can be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, the computer can perform an out-of-band attack detection method provided by the above methods, where the method includes: acquiring a target network flow data packet;
performing domain name resolution on the target network flow data packet to obtain a resolved domain name;
judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet,
determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to a predefined domain name blacklist;
judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist;
and under the condition that the resolved domain name contains system sensitive information, determining that the target network flow data packet has out-of-band attack.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the out-of-band attack detection method provided above, comprising: acquiring a target network flow data packet;
performing domain name resolution on the target network flow data packet to obtain a resolved domain name;
judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet,
determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to a predefined domain name blacklist;
judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist;
and under the condition that the resolved domain name contains system sensitive information, determining that the target network flow data packet has out-of-band attack.
The apparatus embodiments described above are merely illustrative, wherein elements illustrated as separate elements may or may not be physically separate, and elements shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially or in part in the form of a software product, which may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the various embodiments or methods of some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An out-of-band attack detection method, comprising:
acquiring a target network flow data packet;
performing domain name resolution on the target network flow data packet to obtain a resolved domain name;
judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet,
determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to a predefined domain name blacklist;
judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist;
and under the condition that the resolved domain name contains system sensitive information, determining that the target network flow data packet has out-of-band attack.
2. The out-of-band attack detection method according to claim 1, wherein the method further comprises:
judging whether the resolved IP queried according to the resolved domain name is a local loop IP or not under the condition that the target network flow data packet is a response packet;
and under the condition that the resolved domain name is the local loop IP, determining that the target network flow data packet has out-of-band attack.
3. The out-of-band attack detection method according to claim 1 or 2, wherein after said determining that the target network traffic data packet is subject to an out-of-band attack, the method further comprises:
and generating alarm information according to the target network flow data packet, and reporting the alarm information.
4. The out-of-band attack detection method according to claim 1, wherein after performing domain name resolution on the target network traffic packet to obtain a resolved domain name, the method further comprises:
judging whether the resolved domain name is encrypted or not, and decrypting the resolved domain name to obtain a decrypted domain name under the condition that the resolved domain name is encrypted;
correspondingly, in the case that the target network traffic data packet is a request packet, determining whether the resolved domain name belongs to a predefined domain name blacklist includes:
and judging whether the decrypted domain name belongs to a predefined domain name blacklist or not.
5. The out-of-band attack detection method according to claim 4, wherein the determining whether the resolved domain name is encrypted comprises:
and judging whether the resolved domain name is encrypted by Base64 or Base16.
6. An out-of-band attack detection device comprising:
the data packet acquisition module is used for acquiring a target network flow data packet;
the domain name resolution module is used for carrying out domain name resolution on the target network flow data packet to obtain a resolved domain name;
the domain name blacklist judging module is used for judging whether the resolved domain name belongs to a predefined domain name blacklist or not under the condition that the target network flow data packet is a request packet, and determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name belongs to the predefined domain name blacklist;
the sensitive information judging module is used for judging whether the resolved domain name contains system sensitive information or not under the condition that the resolved domain name does not belong to a predefined domain name blacklist, and determining that the target network flow data packet has out-of-band attack under the condition that the resolved domain name contains the system sensitive information.
7. The out-of-band attack detection device according to claim 6, wherein the device further comprises:
the loop address judging module is used for judging whether the resolved IP queried according to the resolved domain name is a local loop IP or not under the condition that the target network flow data packet is a response packet;
and under the condition that the resolved domain name is the local loop IP, determining that the target network flow data packet has out-of-band attack.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the out-of-band attack detection method according to any of claims 1 to 5 when the program is executed by the processor.
9. A non-transitory computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the out-of-band attack detection method according to any of claims 1 to 5.
10. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the out-of-band attack detection method according to any of claims 1 to 5.
CN202111672869.7A 2021-12-31 2021-12-31 Out-of-band attack detection method and device, electronic equipment, medium and product Pending CN116418534A (en)


Publications (1)

Publication Number Publication Date
CN116418534A true CN116418534A (en) 2023-07-11

Family

ID=87050032



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination