CN117081862B - Local area network security defense method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN117081862B
Authority
CN
China
Legal status
Active
Application number
CN202311330593.3A
Other languages
Chinese (zh)
Other versions
CN117081862A (en)
Inventor
何秋勇
余兰
张雨晨
康学斌
肖新光
Current Assignee
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Application filed by Beijing Antiy Network Technology Co Ltd
Priority to CN202311330593.3A
Publication of CN117081862A
Application granted
Publication of CN117081862B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/02 ... for separating internal from external traffic, e.g. firewalls
            • H04L 63/0227 Filtering policies
                • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
        • H04L 63/14 ... for detecting or protecting against malicious traffic
            • H04L 63/1408 ... by monitoring network traffic
            • H04L 63/1433 Vulnerability analysis
            • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L 9/40 Network security protocols

Abstract

The embodiment of the application discloses a local area network security defense method, a device, electronic equipment and a storage medium, relates to the technical field of network security, and can effectively improve the initiative and the security of network security defense. The method comprises the following steps: monitoring whether a compromised host exists in the current local area network; if a compromised host exists in the current local area network, monitoring an ARP request from a first host to a second host in the current local area network, wherein the first host is the compromised host; responding to the ARP request of the first host by sending an ARP reply message to the first host; acquiring the access traffic of the first host to the second host and sending the access traffic to a simulated asset; and responding to the access traffic through the simulated asset to obtain return traffic, and sending the return traffic to the first host. The invention is suitable for preventing lateral attacks from spreading.

Description

Local area network security defense method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a local area network security defense method, a device, an electronic device, and a storage medium.
Background
Traditional security defense thinking requires the defender to fully, comprehensively and completely analyze, evaluate and remediate the security vulnerabilities and risks of the network and its systems in order to secure the whole network. Because there are many potential attack surfaces, however, the defender can hardly find every problem or risk completely and in time, whereas the attacker needs only a single opportunity to reach the target, which leaves hidden dangers in the defender's network and systems.
Disclosure of Invention
In order to solve the problem of the high security risk of existing networks, the application provides a local area network security defense method, a device, electronic equipment and a storage medium.
In a first aspect, an embodiment of the present invention provides a security defense method for a local area network, including:
monitoring whether a compromised host exists in the current local area network;
if a compromised host exists in the current local area network, monitoring an ARP request from a first host to a second host in the current local area network, wherein the first host is the compromised host;
responding to the ARP request of the first host by sending an ARP reply message to the first host;
acquiring the access traffic of the first host to the second host and sending the access traffic to a simulated asset;
and responding to the access traffic through the simulated asset to obtain return traffic, and sending the return traffic to the first host.
In a specific embodiment, the monitoring the ARP request from the first host to the second host in the current local area network includes:
acquiring the IP address and the MAC address of each current host in the local area network;
and matching the monitored ARP request of the first host against the IP addresses of the current hosts in the local area network to determine the second host.
In a specific embodiment, the acquiring the access traffic of the first host to the second host and sending the access traffic to a simulated asset includes:
acquiring the access traffic of the first host to the second host;
converting the address of the second host in the access traffic into a false address of the simulated asset;
and sending the access traffic to the simulated asset.
In a specific embodiment, the responding to the access traffic through the simulated asset to obtain return traffic and sending the return traffic to the first host includes:
obtaining return traffic based on the response of the simulated asset to the access traffic;
restoring the false address in the return traffic to the address of the second host;
and sending the return traffic to the first host.
In a specific embodiment, the responding to the ARP request of the first host by sending an ARP reply message to the first host includes:
extracting the target IP address in the ARP request, and determining the IP address of the second host according to the target IP address;
determining the MAC address of the second host based on the IP address of the second host;
determining the organizationally unique identifier (OUI) of the second host based on the MAC address of the second host;
generating an obfuscated MAC address according to the OUI of the second host;
and sending the obfuscated MAC address to the first host.
In a specific embodiment, a plurality of obfuscated MAC addresses are generated according to the OUI of the second host, and at least two of the obfuscated MAC addresses are different;
wherein the sending the obfuscated MAC address to the first host includes:
sending the obfuscated MAC addresses to the first host one by one according to a preset sending time sequence.
In a specific embodiment, before the monitoring whether a compromised host exists in the current local area network, the method includes:
obtaining a set of durations, each duration being the time from the first host sending an ARP request to the second host until the first host obtains the ARP reply message sent by the second host;
sequencing the time durations in the time duration set according to the size, and dividing the time durations into the time durationsParts, get a subset of time lengthWhereinAnd (2) andis a positive integer;
according to the subset of time durationsSelected minimum duration ofAnd maximum durationDetermining a correction durationWhereinIs thatIs used to adjust the lead adjustment value of (c),is thatIs used to adjust the hysteresis of the set of values,≥0,≥0;
to correct the duration setIs a preset sending time sequence, and each time in the preset sending time sequenceThe length is the length of time from when the first host issues an ARP request to when the first host obtains the obfuscated MAC address.
In a specific embodiment, before the acquiring the access traffic of the first host to the second host, the method includes:
constructing a simulated asset, which is a simulation of a current host in the local area network for providing access to an attacker.
In a specific embodiment, before the acquiring the access traffic of the first host to the second host, the method further includes:
determining an interaction policy for transferring traffic between the first host and the second host through a third party.
In a specific embodiment, the address includes at least one of a MAC address, an IP address and a port number.
In a second aspect, embodiments of the present invention further provide a local area network security defense device, including:
a monitoring unit, configured to monitor whether a compromised host exists in the current local area network;
an ARP monitoring unit, configured to monitor an ARP request from a first host to a second host in the current local area network if a compromised host exists in the current local area network, wherein the first host is the compromised host;
an ARP response unit, configured to respond to the ARP request of the first host by sending an ARP reply message to the first host;
a traffic acquisition unit, configured to acquire the access traffic of the first host to the second host and send the access traffic to a simulated asset;
and a traffic response unit, configured to respond to the access traffic through the simulated asset to obtain return traffic and send the return traffic to the first host.
In a specific embodiment, the ARP monitoring unit includes:
a detection module, configured to acquire the IP address and the MAC address of each current host in the local area network;
and a second host determining module, configured to determine the second host by matching the ARP request of the first host against the IP addresses of the current hosts in the local area network.
In a specific embodiment, the traffic acquisition unit includes:
an acquisition module, configured to acquire the access traffic of the first host to the second host;
an address conversion module, configured to convert the address of the second host in the access traffic into a false address of the simulated asset;
and a forwarding module, configured to send the access traffic to the simulated asset.
In a specific embodiment, the traffic response unit includes:
a return traffic module, configured to obtain return traffic based on the response of the simulated asset to the access traffic;
an address restoring module, configured to restore the false address in the return traffic to the address of the second host;
and a return traffic sending module, configured to send the return traffic to the first host.
In a specific embodiment, the ARP response unit includes:
an IP address determining module, configured to extract the target IP address in the ARP request and determine the IP address of the second host according to the target IP address;
a MAC address determining module, configured to determine the MAC address of the second host based on the IP address of the second host;
an OUI determining module, configured to determine the organizationally unique identifier (OUI) of the second host based on the MAC address of the second host;
an obfuscated address generation module, configured to generate an obfuscated MAC address according to the OUI of the second host;
and an obfuscated address sending module, configured to send the obfuscated MAC address to the first host.
In a specific embodiment, a plurality of obfuscated MAC addresses are generated according to the OUI of the second host, and at least two of the obfuscated MAC addresses are different; the obfuscated address sending module is specifically configured to send the obfuscated MAC addresses to the first host one by one according to a preset sending time sequence.
In a specific embodiment, the device further includes a preset sending time sequence unit, wherein the preset sending time sequence unit includes:
a duration set module, configured to obtain, before monitoring whether a compromised host exists in the current local area network, a set of durations, each duration being the time from the first host sending an ARP request to the second host until the first host obtains the ARP reply message sent by the second host;
a time length subset module for sorting the time lengths in the time length set according to the size and dividing the time length set into Parts, get a subset of time lengthWhereinAnd (2) andis a positive integer;
a correction duration module for correcting the duration subsetSelected minimum duration ofAnd maximum durationDetermining a correction durationWhereinIs thatIs used to adjust the lead adjustment value of (c),is thatIs used to adjust the hysteresis of the set of values,≥0,≥0;
a time sequence module for correcting the time length setAnd each time length in the preset sending time sequence is a time length from the first host to the first host obtaining the confused MAC address.
In a specific embodiment, the device further includes a simulation unit, configured to construct, before the access traffic of the first host to the second host is acquired, a simulated asset, which is a simulation of a current host in the local area network for providing access to an attacker.
In a specific embodiment, the device further includes a traffic transfer unit, configured to determine, before the access traffic of the first host to the second host is acquired, an interaction policy for transferring traffic between the first host and the second host through a third party.
In a specific embodiment, the address includes at least one of a MAC address, an IP address and a port number.
In a third aspect, embodiments of the present invention further provide an electronic device, including a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in a space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, in order to perform any of the local area network security defense methods provided by the embodiments of the present invention.
In a fourth aspect, embodiments of the present invention further provide a computer readable storage medium storing one or more programs that can be executed by one or more processors to implement any of the local area network security defense methods provided by the embodiments of the present invention.
According to the local area network security defense method, device, electronic equipment and storage medium provided by the embodiments of the invention, whether a compromised host exists in the current local area network is monitored; if a compromised host exists, an ARP request from a first host to a second host in the current local area network is monitored, wherein the first host is the compromised host; the ARP request of the first host is then answered by sending an ARP reply message to the first host, so that the access traffic of the first host to the second host can be acquired and sent to the simulated asset; the simulated asset then responds to the access traffic to obtain return traffic, which is sent to the first host. The method can deceive the compromised host and steer its attacks on other normal hosts toward the simulated asset, thereby isolating the compromised host from the other normal hosts, reducing the attacker's reach within the local area network, and improving the active defense capability of network security.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a security defense method for a local area network according to the present application;
FIG. 2 is a schematic diagram of ARP response of a security defense of a local area network according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a local area network security defense application according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a local area network security defense device according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an ARP response unit of a local area network security defense device according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In a first aspect, as shown in FIG. 1, an embodiment of the present invention provides a local area network security defense method, which may include:
S11, monitoring whether a compromised host exists in the current local area network.
In this step, a compromised host refers to a host in a computer network that is remotely controlled or used by a malicious attacker. Such hosts have been broken into, infected with malware or manipulated to carry out the attacker's intent, while their legitimate users may be unaware of it. In this situation the defender can answer the attacking side with honeypot technology: lure the attacker into believing a vulnerability exists so that it sends further instructions, record the attacker's instructions completely, and convert them into threat intelligence that is supplied to monitoring equipment, so that the compromised hosts in the current local area network can be accurately identified at a given moment.
S12, if a compromised host exists in the current local area network, monitoring an ARP request from a first host to a second host in the current local area network, wherein the first host is the compromised host.
In this step, after a compromised host is detected in the current local area network, it is monitored in order to capture the attack information that the first host, which has become the compromised host, sends to other hosts. Specifically, the ARP requests sent by the first host may be monitored, and when the first host sends an ARP request to another normal host in the intranet, such as the second host, the ARP broadcast message is captured so that a control policy can be formulated according to the ARP request. ARP in this example refers to the Address Resolution Protocol; using ARP, the MAC address (Media Access Control address, also called the physical address) of the corresponding host can be obtained from its IP address. The MAC address identifies the location of a network device and uniquely identifies a network card in the network; a device may have one or more network cards, and each of them has its own unique MAC address.
S13, responding to the ARP request of the first host by sending an ARP reply message to the first host.
After the ARP request sent by the compromised host, namely the first host, to the second host in the local area network is captured, the ARP request is answered by sending an ARP reply message to the first host. On receiving the ARP reply message, the first host derives from it the target address for attacking the second host and then launches its attack against that target address, so the attack target address of the first host can be guided or disturbed by the ARP reply message sent to it.
S14, acquiring the access traffic of the first host to the second host, and sending the access traffic to the simulated asset.
After the first host has derived the target address for attacking the second host from the ARP reply message, it launches the attack on the second host according to that target address, and the attack produces access traffic aimed at the second host. To build a deception defense policy for the first host, this step steers that access traffic: the access traffic of the first host to the second host is redirected to a simulated asset, which responds to it, so that the first host never interacts directly with the second host and is thereby isolated from the other hosts.
S15, responding to the access traffic through the simulated asset to obtain return traffic, and sending the return traffic to the first host.
In this step, the simulated asset responds to the access traffic and the resulting return traffic is sent to the first host. This completes the deception policy for the first host: the attacker spends a great deal of time attacking the simulated asset, which buys the network administrator valuable time for emergency handling, blocks the lateral attack of the first host on other hosts in the local area network, and keeps losses to a minimum.
According to the local area network security defense method provided by the embodiment of the invention, whether a compromised host exists in the current local area network is monitored; if a compromised host exists, an ARP request from a first host to a second host in the current local area network is monitored, wherein the first host is the compromised host; the ARP request of the first host is then answered by sending an ARP reply message to the first host, so that the access traffic of the first host to the second host can be acquired and sent to the simulated asset; the simulated asset then responds to the access traffic to obtain return traffic, which is sent to the first host. The method can deceive the compromised host and steer its attacks on other normal hosts toward the simulated asset, thereby isolating the compromised host from the other normal hosts, reducing the attacker's reach within the local area network, and improving the active defense capability of network security.
Optionally, in an embodiment of the present invention, the monitoring the ARP request from the first host to the second host in the current local area network includes:
acquiring the IP address and the MAC address of each current host in the local area network;
and matching the monitored ARP request of the first host against the IP addresses of the current hosts in the local area network to determine the second host.
In this step, the IP addresses of the current hosts in the local area network segment can be detected by regular ARP scanning, and all host IP and MAC addresses are updated in a local cache database. When an ARP request of the first host is monitored, the target IP address in the ARP request is matched against the current host IP addresses in the local area network to determine the second host.
Optionally, in one embodiment of the present invention, before the acquiring the access traffic of the first host to the second host, the method includes:
constructing a simulated asset, which is a simulation of a current host in the local area network for providing access to an attacker.
In this scheme, the simulated asset can be generated with virtualization technology, the open-source application container engine Docker, or similar technologies. Its purpose is to simulate a real current host in the local area network, so that the attack of the first host on the second host leads the attacker to the simulated asset and a complete deception policy is formed against the attacker.
Optionally, in one embodiment of the present invention, the acquiring the access traffic of the first host to the second host and sending the access traffic to the simulated asset includes:
acquiring the access traffic of the first host to the second host;
converting the address of the second host in the access traffic into a false address of the simulated asset;
and sending the access traffic to the simulated asset.
In this scheme, after the access traffic of the first host to the second host is acquired, the address in the access traffic that concerns the attack on the second host can be converted into the false address of the simulated asset according to the simulation policy, and the access traffic is then steered to the simulated asset according to the false address. The simulated asset's response to the access traffic forms the deception policy for the compromised host, namely the first host, so that the first host is isolated from the second host. The access traffic of the compromised host to other normal hosts can all be sent to the same simulated asset, or several simulated assets can be configured according to the actual situation, with the access traffic of the compromised host to different normal hosts sent to different simulated assets.
Optionally, in an embodiment of the present invention, the address includes at least one of a MAC address, an IP address and a port number.
For example, in this embodiment the address includes a MAC address, an IP address and a port number, and the address of the second host in the access traffic is converted into the false address of the simulated asset, so that the attack traffic of the first host is guided to the corresponding simulated asset by the false IP address, the false MAC address and the false port number, forming a complete deception policy for the first host.
Optionally, in an embodiment of the present invention, the responding to the access traffic through the simulated asset to obtain return traffic and sending the return traffic to the first host includes:
obtaining return traffic based on the response of the simulated asset to the access traffic;
restoring the false address in the return traffic to the address of the second host;
and sending the return traffic to the first host.
After the simulated asset has responded to the access traffic and the return traffic has been obtained, the false address of the simulated asset in the return traffic is likewise restored, according to the simulation policy, to the address of the second host that the first host was attacking, and the return traffic with the restored address is sent to the first host to complete the response to the first host's attack. Thus the address of the second host in the access traffic is converted into the false address to steer the traffic to the simulated asset, and the false address in the return traffic produced by the simulated asset's response is restored to the address of the second host; this forms a complete deception policy for the compromised host, namely the first host, and realizes active deception defense against the first host.
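The address conversion of the access traffic (the embodiment above with MAC, IP and port) and the restoration of the false address in the return traffic, as one added example that is not code from the patent or its assignee. The endpoint records, the flow table keyed by the first host's source port, and the per-host decoy mapping are assumptions for illustration; a sample access packet and its response are constructed inline.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    mac: str
    ip: str
    port: int


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes


@dataclass
class SimulatedAsset:
    """One decoy standing in for a real host. port_map lets the decoy expose
    a service on a different port than the real host (real port -> decoy port);
    ports without a mapping are kept unchanged."""
    mac: str
    ip: str
    port_map: Dict[int, int] = field(default_factory=dict)


# (first host IP, first host port, decoy IP, decoy port) -> real second-host endpoint
FlowKey = Tuple[str, int, str, int]


class DeceptionRedirector:
    def __init__(self, compromised_ip: str, decoy_for: Dict[str, SimulatedAsset]):
        self.compromised_ip = compromised_ip
        self.decoy_for = decoy_for  # second host IP -> simulated asset (one or many)
        self.flows: Dict[FlowKey, Endpoint] = {}

    def redirect_access(self, pkt: Packet) -> Optional[Packet]:
        """Access traffic from the compromised host toward a real host is rewritten
        so that its destination MAC, IP and port point at the simulated asset.
        Returns None when the packet is not subject to deception."""
        if pkt.src.ip != self.compromised_ip:
            return None
        decoy = self.decoy_for.get(pkt.dst.ip)
        if decoy is None:
            return None
        fake = Endpoint(decoy.mac, decoy.ip, decoy.port_map.get(pkt.dst.port, pkt.dst.port))
        # Remember the destination exactly as the first host addressed it, so the
        # return path restores the MAC the first host learned by ARP, not a guess.
        self.flows[(pkt.src.ip, pkt.src.port, fake.ip, fake.port)] = pkt.dst
        return Packet(pkt.src, fake, pkt.payload)

    def restore_return(self, pkt: Packet) -> Optional[Packet]:
        """Return traffic from the simulated asset gets the real second host's
        address back before delivery, so the first host sees a reply from the
        host it believes it attacked. Unsolicited decoy traffic is dropped."""
        key = (pkt.dst.ip, pkt.dst.port, pkt.src.ip, pkt.src.port)
        original = self.flows.get(key)
        if original is None:
            return None
        return Packet(original, pkt.dst, pkt.payload)


# Constructed sample hosts: first host 10.0.0.5 attacks second host 10.0.0.10:445.
FIRST = Endpoint("00:11:22:33:44:55", "10.0.0.5", 51000)
SECOND = Endpoint("3c:52:82:aa:bb:cc", "10.0.0.10", 445)
DECOY = SimulatedAsset("3c:52:82:de:ad:01", "10.0.0.200", port_map={445: 4450})


def demo() -> Tuple[Packet, Packet]:
    """One access packet steered to the decoy and its response restored."""
    r = DeceptionRedirector("10.0.0.5", {"10.0.0.10": DECOY})
    fwd = r.redirect_access(Packet(FIRST, SECOND, b"SMB negotiate (constructed)"))
    back = r.restore_return(Packet(fwd.dst, fwd.src, b"SMB response (constructed)"))
    return fwd, back
```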
Optionally, referring to FIG. 2, in one embodiment of the present invention, the responding to the ARP request of the first host by sending an ARP reply message to the first host includes:
S21, extracting the target IP address in the ARP request, and determining the IP address of the second host according to the target IP address;
S22, determining the MAC address of the second host based on the IP address of the second host;
S23, determining the organizationally unique identifier (OUI) of the second host based on the MAC address of the second host;
S24, generating an obfuscated MAC address according to the OUI of the second host;
S25, sending the obfuscated MAC address to the first host.
Once the first host is found to have become a compromised host, its ARP requests are monitored. When an ARP request of the first host is received, the target IP address in the request is extracted, the second host corresponding to that target IP address is determined by matching against the IP addresses of the monitored current hosts in the local area network, the MAC address of the second host is determined from its IP address, and the organizationally unique identifier (OUI) of the second host is extracted from its MAC address. The OUI is assigned to an organization by the Institute of Electrical and Electronics Engineers (IEEE) and consists of 24 bits (the first 3 bytes of the MAC address); each organization is assigned such a globally administered address prefix (24 bits, or 3 bytes), and the complete address is unique for every network card the manufacturer produces. An obfuscated MAC address is generated according to the OUI of the second host in order to mask the real MAC address of the second host: while the second host sends its own MAC address to the first host in its ARP reply, the scheme also sends the obfuscated MAC address to the first host, so that the attacker cannot tell which MAC address really belongs to the second host. This prevents the attacker from bypassing the defense policy of the scheme by static ARP binding, and further raises the attacker's cost and difficulty.
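Steps S21 to S25 above, as an added example that is not code from the patent or its assignee: it parses a captured ARP request, looks the target IP up in a constructed host table, derives the OUI, generates distinct obfuscated MACs under that OUI and builds the unicast ARP replies for the first host. The host table, the addresses and the function names are assumptions for illustration.

```python
import random
import struct
from typing import Dict, List, NamedTuple, Optional

# Constructed LAN inventory (IP -> MAC), standing in for the local cache that
# the scheme refreshes by periodic ARP scanning. All values are made up.
HOST_TABLE: Dict[str, str] = {
    "10.0.0.10": "3c:52:82:aa:bb:cc",  # the second host (attack target)
    "10.0.0.11": "3c:52:82:01:02:03",
}

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen oper sha spa tha tpa (RFC 826)


class ArpFields(NamedTuple):
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str, eth_dst: str) -> bytes:
    """Ethernet II frame carrying one IPv4-over-Ethernet ARP packet."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sha), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> ArpFields:
    """Decode the fields the scheme needs; reject non-ARP or malformed frames."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    return ArpFields(oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def oui_of(mac: str) -> str:
    """S23: the OUI is the first 24 bits (3 bytes) of the MAC address."""
    return ":".join(mac.lower().split(":")[:3])


def obfuscated_macs(real_mac: str, count: int, rng: random.Random) -> List[str]:
    """S24: `count` distinct MACs that keep the real host's OUI but differ from
    the real MAC, so the vendor prefix looks right and only the NIC part varies."""
    oui = oui_of(real_mac)
    out = set()
    while len(out) < count:
        cand = f"{oui}:{mac_str(rng.getrandbits(24).to_bytes(3, 'big'))}"
        if cand != real_mac.lower():
            out.add(cand)
    return sorted(out)


def deceptive_replies(frame: bytes, table: Dict[str, str], count: int = 3,
                      seed: Optional[int] = None) -> List[bytes]:
    """S21-S25 for one captured frame from the compromised host: if it is an ARP
    request for an inventoried host, return unicast ARP replies that each claim
    the target IP lives at a different obfuscated MAC. Returns [] otherwise."""
    arp = parse_arp(frame)
    if arp.oper != ARP_REQUEST:
        return []
    real_mac = table.get(arp.target_ip)  # S21/S22: target IP -> second host's MAC
    if real_mac is None:
        return []
    rng = random.Random(seed)  # a fixed seed is only for reproducible demos
    return [build_arp(ARP_REPLY, fake, arp.target_ip, arp.sender_mac, arp.sender_ip,
                      eth_dst=arp.sender_mac)
            for fake in obfuscated_macs(real_mac, count, rng)]


# Constructed sample: the compromised host 10.0.0.5 broadcasts "who has 10.0.0.10?"
SAMPLE_REQUEST = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "10.0.0.5",
                           "00:00:00:00:00:00", "10.0.0.10", eth_dst="ff:ff:ff:ff:ff:ff")

if __name__ == "__main__":
    for reply in deceptive_replies(SAMPLE_REQUEST, HOST_TABLE, seed=1):
        r = parse_arp(reply)
        print(f"reply to {r.target_ip}: {r.sender_ip} is at {r.sender_mac}")
```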
Optionally, in an embodiment of the present invention, a plurality of confusing MAC addresses are generated according to the OUI of the second host, at least two of which are different;
wherein said sending the confusing MAC address to the first host includes:
sending the confusing MAC addresses to the first host one by one according to a preset sending time sequence.
In this scheme, a plurality of different confusing MAC addresses can be generated according to the OUI of the second host and sent to the first host one by one, in a time-shared manner and by unicast, according to a preset sending time sequence. This further confuses the attacker: faced with several different confusing MAC addresses, the attacker gives up probing them one by one, because such probing raises the attacker's cost and effort. Sending the addresses one by one according to the preset sending time sequence also raises the cost of the attacker's choice. If the attacker decides in favour of the last received MAC address, the policy based on the preset sending time sequence can keep sending ARP reply messages composed of confusing MAC addresses to the first host after the second host has sent its ARP reply to the first host; if the attacker decides in favour of the first received MAC address, the policy can send ARP reply messages composed of confusing MAC addresses to the first host before the second host sends its ARP reply. Further, the confidence of the ARP spoofing of the first host can be raised by increasing the sending frequency of the preset sending time sequence, so that, on top of the first layer of active deception formed for the first host by the simulated asset, the scheme forms a second layer of active deception for the first host, further raising the attacker's cost and difficulty.
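As an added illustration (not code from the patent or from the applicant), the following Python sketch shows the decoy-address generation described above: it extracts the 24-bit OUI from the second host's MAC address, generates distinct decoy addresses that keep that OUI and differ only in the vendor-assigned low 24 bits, and, from the defender's side, lists the IPs for which more than one MAC address has answered, which is the condition an ARP monitor would surface when such replies are on the wire. All addresses are constructed sample values; `generate_decoy_macs` and `claims_per_ip` are hypothetical names.

```python
import random
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple


def oui_of(mac: str) -> str:
    """Return the 24-bit OUI, i.e. the first three bytes of a MAC address, as 'xx:xx:xx'."""
    parts = mac.strip().lower().split(":")
    valid = len(parts) == 6 and all(
        len(p) == 2 and all(c in "0123456789abcdef" for c in p) for p in parts)
    if not valid:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(parts[:3])


def generate_decoy_macs(real_mac: str, count: int,
                        rng: Optional[random.Random] = None) -> List[str]:
    """Generate `count` distinct decoy MAC addresses that share the OUI of
    `real_mac` but differ from it in the vendor-assigned low 24 bits.

    Keeping the OUI means a vendor lookup on any decoy names the same
    manufacturer as the real address, so the OUI alone cannot single out
    the genuine reply. `rng` is injectable so results are reproducible in
    tests; without it a cryptographically seeded generator is used.
    """
    if count < 1 or count > (1 << 24) - 1:
        raise ValueError("count must be between 1 and 2^24 - 1")
    rng = rng if rng is not None else random.SystemRandom()
    oui = oui_of(real_mac)
    real = real_mac.strip().lower()
    decoys: Set[str] = set()
    while len(decoys) < count:
        nic = rng.getrandbits(24)          # vendor-assigned half of the address
        candidate = "{}:{:02x}:{:02x}:{:02x}".format(
            oui, (nic >> 16) & 0xFF, (nic >> 8) & 0xFF, nic & 0xFF)
        if candidate != real:              # never hand out the genuine address
            decoys.add(candidate)
    return sorted(decoys)


def claims_per_ip(replies: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Defender-side view: given observed ARP replies as (ip, mac) pairs,
    return only the IPs for which more than one MAC claimed the address,
    with the claiming MACs in first-seen order. Several same-OUI MACs for
    one IP is what the scheme puts on the wire, and also what an ARP
    monitoring tool reports as an address change."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in replies:
        mac = mac.lower()
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    # Constructed sample: the second host's real MAC plus four decoys.
    real = "00:1a:2b:3c:4d:5e"
    decoys = generate_decoy_macs(real, 4, random.Random(7))
    replies = [("10.0.0.20", real)] + [("10.0.0.20", d) for d in decoys]
    replies.append(("10.0.0.1", "00:11:22:33:44:55"))
    print(decoys)
    print(claims_per_ip(replies))
```

The generator deliberately refuses to emit the genuine address and checks the bound on `count`, since a request for more decoys than the 24-bit space holds would otherwise loop forever.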
Optionally, in one embodiment of the present invention, before the monitoring whether a current host in the local area network is a compromised host, the method includes:
obtaining a duration set from the durations between the first host sending an ARP request to the second host and the first host obtaining the ARP reply message sent by the second host;
sorting the durations in the duration set by size and dividing them into parts to obtain duration subsets, where the number of parts is a positive integer;
selecting the minimum duration and the maximum duration from each duration subset and determining correction durations, where the minimum duration is adjusted by a lead adjustment value and the maximum duration by a hysteresis (lag) adjustment value, both adjustment values being greater than or equal to 0;
taking the set of correction durations as the preset sending time sequence, where each duration in the preset sending time sequence is the time from the first host sending the ARP request to the first host obtaining a confusing MAC address.
As described above, when the first host has become a compromised host and sends an ARP request to the second host, the second host sends a real ARP reply message containing its MAC address to the first host, and the first host updates its ARP cache on the basis of the real ARP reply message it receives. The preset sending time sequence therefore has to "preempt" that update opportunity while avoiding sending the confusing MAC address so often that it puts resource load pressure on the communication capability of the local area network. Accordingly, the preset sending time sequence is determined as follows, taking as reference the duration from the first host sending an ARP request to the second host until the first host obtains the ARP reply message sent by the second host.
Before monitoring whether there is a compromised host in the current local area network, that is, while the first host has not yet become a compromised host and both the first host and the second host are normal hosts, a duration set is obtained from a plurality of durations between the first host sending an ARP request to the second host and the first host obtaining the ARP reply message sent by the second host, and the ARP requests and replies between the first host and the second host are analysed statistically on the basis of this duration set. The durations in the duration set are sorted by size and divided into parts to obtain duration subsets, the number of parts being a positive integer; the division can follow the actual distribution of the duration data, for example a region in which the duration data are dense can be divided into more parts than a region in which they are sparse. Such subdivided statistics reflect more closely the actual conditions of the hardware communication equipment and network resources in the local area network, such as hardware settings, software settings and network resource load capacity, and thus their influence on the ARP request and reply durations between the first host and the second host. Then, for each duration subset, the minimum duration and the maximum duration are selected and the correction durations are determined, the minimum duration being adjusted by a lead adjustment value and the maximum duration by a hysteresis (lag) adjustment value, both adjustment values being greater than or equal to 0; when a duration subset contains only one duration, that duration is taken as both the minimum duration and the maximum duration. The set of correction durations can then be used as the preset sending time sequence for sending the confusing MAC addresses to the first host.
It will be appreciated that when the number of parts is set small, for example to 1, the preset sending time sequence sends the confusing MAC address to the first host just before and just after the first host that has become a compromised host obtains the real ARP reply message from the second host, following the statistical rule of the ARP request and reply durations of the normal first and second hosts. This preempts, to a certain extent, the opportunity for the first host to update its ARP cache with the confusing MAC address while putting little resource load pressure on the communication capability of the local area network. When the number of parts is set larger, the preset sending time sequence sends the confusing MAC address to the first host several times in a period before and after the first host obtains the real ARP reply message from the second host, which further improves the chance that the first host updates its ARP cache with the confusing MAC address but increases the pressure on the communication resources of the local area network to a certain extent; the number of parts can therefore be set according to the actual conditions of the hardware communication equipment and network resources in the local area network.
Whatever value is chosen, the method analyses, according to the statistical rule, how the hardware communication equipment and the actual network resources in the local area network influence the ARP request and reply durations between the first host and the second host, and sends the confusing MAC address to the first host that has become a compromised host only within the duration distribution period obtained from that rule. This avoids frequently sending the confusing MAC address in periods outside the statistical rule, improves the probability that the confusing MAC address is updated into the ARP cache of the first host, reduces the resource load pressure on the communication capability of the local area network, reduces the possibility that an attacker obtains the real MAC address of the second host through the compromised host, and raises the cost and difficulty for the attacker of bypassing the defense strategy of the scheme by statically binding an ARP entry.
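To make the timing rule concrete, here is an added Python example (mine, not code from the patent): it takes a constructed set of ARP request-to-reply durations measured while the first and second hosts were still normal, sorts them, splits them into a chosen number of contiguous parts of near-equal size, and for each part derives two send offsets, the part's minimum minus a lead adjustment and its maximum plus a lag adjustment. The patent leaves the exact adjustment arithmetic and the partitioning unspecified, so subtracting the lead, adding the lag, equal-size parts and the function names are my assumptions; a single-element part uses that one value as both minimum and maximum, as the text states.

```python
from typing import List, Sequence, Tuple


def split_sorted(values: Sequence[float], parts: int) -> List[List[float]]:
    """Sort `values` and cut them into `parts` contiguous groups of near-equal size.
    Never creates more groups than there are samples. (Equal-size groups are an
    assumption; the text also allows denser regions to receive more groups.)"""
    ordered = sorted(values)
    if not ordered:
        raise ValueError("duration set is empty")
    if parts < 1:
        raise ValueError("parts must be a positive integer")
    parts = min(parts, len(ordered))
    base, extra = divmod(len(ordered), parts)
    groups: List[List[float]] = []
    start = 0
    for i in range(parts):
        size = base + (1 if i < extra else 0)
        groups.append(list(ordered[start:start + size]))
        start += size
    return groups


def build_send_schedule(durations: Sequence[float], parts: int,
                        lead: float = 0.0, lag: float = 0.0) -> List[float]:
    """Derive the preset sending time sequence: for every group take its minimum
    adjusted by `lead` (subtracted, assumption) and its maximum adjusted by `lag`
    (added, assumption). A group holding a single sample uses it as both.
    Returns distinct offsets, measured from the compromised host's ARP request,
    sorted ascending; offsets are clamped so they never go negative."""
    if lead < 0 or lag < 0:
        raise ValueError("lead and lag adjustment values must be >= 0")
    offsets = set()
    for group in split_sorted(durations, parts):
        t_min, t_max = group[0], group[-1]     # equal when the group has one element
        offsets.add(max(0.0, t_min - lead))
        offsets.add(t_max + lag)
    return sorted(offsets)


def split_around(schedule: Sequence[float],
                 real_reply_at: float) -> Tuple[List[float], List[float]]:
    """Which scheduled sends land before and which after the genuine reply.
    Entries on both sides are what cover a host that keeps the first reply
    as well as one that keeps the last."""
    before = [t for t in schedule if t < real_reply_at]
    after = [t for t in schedule if t >= real_reply_at]
    return before, after


if __name__ == "__main__":
    # Constructed sample: request-to-reply durations in milliseconds.
    sample_ms = [1200, 900, 1100, 1000, 1300, 2000]
    sched = build_send_schedule(sample_ms, parts=2, lead=100, lag=200)
    print(sched)                          # [800, 1100, 1300, 2200]
    print(split_around(sched, 1150))      # ([800, 1100], [1300, 2200])
```

With two parts the schedule yields four sends, two straddling each cluster of measured reply times; raising `parts` adds sends inside the measured distribution rather than outside it, which is the load trade-off the text describes.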
Optionally, in one embodiment of the present invention, before the obtaining the access traffic of the first host to the second host, the method further includes:
determining an interaction policy for transferring traffic between the first host and the second host through a third party.
In this embodiment, before the access traffic of the first host to the second host is obtained, in order to isolate the first host from the second host, an interaction policy for transferring the access traffic between the first host and the second host through a third party may be determined, thereby establishing a communication path in which the access traffic between the first host and the second host is relayed by the third party, so as to prevent the attack from spreading laterally.
A specific application example of the present application is now described with reference to fig. 3:
Step one, the host online monitoring module 101 detects the IP addresses of the real hosts alive in the current local area network segment by periodic ARP scanning, and updates the IP and MAC addresses of all hosts into a local cache database for use by the ARP spoofing module 102 and the service emulation module 106.
Step two, after the host online monitoring module 101 identifies the compromised host 103, the ARP spoofing module 102 monitors the ARP request messages of the compromised host 103. When an ARP request message of the compromised host 103 is received, the target IP address in the message is extracted and, using the host information provided by the host online monitoring module 101, it is judged whether the target IP address belongs to another host in the local area network; if so, that host is the second host, its MAC address is obtained from its IP address, its OUI is extracted, and a plurality of confusing MAC addresses are generated at random according to the OUI of the second host, so that an attacker cannot manually tell which of them is the real MAC address of the second host and is thereby prevented from bypassing the defense strategy of the method by statically binding an ARP entry. The ARP spoofing module 102 forges a plurality of ARP reply messages, encapsulating the randomly generated MAC addresses together with the target IP address into ARP reply messages one by one, and then sends these ARP reply messages to the compromised host 103 one by one, with delays, by unicast.
Step three, the compromised host 103 thus receives multiple ARP reply messages, one of which is the real reply from the second host while the rest are forged by the ARP spoofing module 102. If the compromised host 103 updates its ARP cache with the last ARP reply message received, then, because the method sends its ARP reply messages to the compromised host 103 one by one with delays, the compromised host 103 writes the last ARP reply message sent by the ARP spoofing module 102 into its ARP cache, which completes the ARP spoofing of the compromised host 103.
Step four, because of the ARP spoofing of the compromised host 103, any connection the compromised host 103 initiates to other hosts is diverted to the forwarding control module 104 of the present method. Specifically, the forwarding control module 104 may consist of a scheduler, an SDN controller and an OVS. A software-defined network (SDN) differs from a traditional network architecture in that it separates the control plane from the data plane and concentrates the control logic of the network in a centralized controller, so that the network can be managed and configured in a software-defined, programmable manner; Open vSwitch (OVS) is an open-source SDN virtual switch used for network virtualization and centralized management. The scheduler in the forwarding control module 104 obtains the IP address information of all hosts in the current local area network from the host online monitoring module 101, then calls the northbound interface of the SDN controller to issue a flow table policy to the OVS; according to this flow table policy, all data packets sent by the compromised host 103 to other hosts are delivered to the SDN controller.
Step five, the access traffic of the compromised host 103 to other hosts first reaches the OVS and is forwarded to the SDN controller according to the flow table policy of the OVS. The scheduler then converts the attack addresses in the access traffic destined for other hosts, such as the MAC address, IP address and port number, into the false addresses of the emulated asset 105 according to the policy defined by the service emulation module 106, and the SDN controller forwards the access traffic to the emulated asset 105. After the emulated asset 105 responds, the return traffic is obtained, the false addresses in the return traffic are restored to the attack addresses of the other hosts according to the flow table policy issued by the scheduler, and the return traffic is forwarded to the compromised host 103 through the OVS, so that response spoofing of the compromised host 103 is achieved through the emulated asset 105.
Through this application example, ARP spoofing is combined with simulated-asset response spoofing based on SDN technology, so that the access of the compromised host 103 to other hosts is converted into access to the simulated asset 105, which both prevents the lateral spread of the attack and realizes active deception defense against the attacker.
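Steps four and five above describe address rewriting by the scheduler on the way out and address restoration on the way back. The following Python model is an added example, not code from the patent or from the modules it describes: it keeps a mapping from each protected host's real (IP, port) to the corresponding false address of the emulated asset, rewrites the destination of packets that a compromised host sends to a protected host, records per connection exactly how the compromised host addressed the target (its destination MAC may be one of the confusing MACs planted by the ARP spoofing), and restores that original destination as the source of the reply so the compromised host only ever sees the addresses it used. Packets are plain dataclasses with constructed sample values; `RedirectScheduler`, `Endpoint`, `Packet` and `demo` are hypothetical names, and flow-table installation through the SDN controller's northbound interface is outside this model.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Endpoint:
    mac: str
    ip: str
    port: int


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    src_port: int
    dst_mac: str
    dst_ip: str
    dst_port: int


class RedirectScheduler:
    """Model of the scheduler's address-translation policy: traffic from a
    compromised host to a protected service is steered to the emulated asset,
    and the asset's replies are re-addressed so they appear to come from the
    service exactly as the compromised host addressed it."""

    def __init__(self, compromised_ips: Iterable[str]) -> None:
        self.compromised = set(compromised_ips)
        # (real ip, real port) -> false address of the emulated asset
        self.to_decoy: Dict[Tuple[str, int], Endpoint] = {}
        # (client ip, client port, asset endpoint) -> destination as the client wrote it
        self.conns: Dict[Tuple[str, int, Endpoint], Endpoint] = {}

    def register(self, real_ip: str, real_port: int, decoy: Endpoint) -> None:
        """Bind a protected service to the emulated asset's false address."""
        self.to_decoy[(real_ip, real_port)] = decoy

    def outbound(self, pkt: Packet) -> Tuple[Packet, bool]:
        """Packet leaving the compromised host. Returns (packet, redirected).
        Only traffic from a compromised host to a registered service is rewritten;
        everything else passes through unchanged."""
        if pkt.src_ip not in self.compromised:
            return pkt, False
        decoy = self.to_decoy.get((pkt.dst_ip, pkt.dst_port))
        if decoy is None:
            return pkt, False
        # Remember the original destination, including whichever (possibly
        # decoy) MAC the host used, so the reply can be restored faithfully.
        self.conns[(pkt.src_ip, pkt.src_port, decoy)] = Endpoint(
            pkt.dst_mac, pkt.dst_ip, pkt.dst_port)
        return replace(pkt, dst_mac=decoy.mac, dst_ip=decoy.ip, dst_port=decoy.port), True

    def inbound(self, pkt: Packet) -> Tuple[Packet, bool]:
        """Reply from the emulated asset heading back to the compromised host:
        restore the original destination as the source. A reply with no
        recorded connection is passed through untouched and flagged False."""
        key = (pkt.dst_ip, pkt.dst_port, Endpoint(pkt.src_mac, pkt.src_ip, pkt.src_port))
        original = self.conns.get(key)
        if original is None:
            return pkt, False
        return replace(pkt, src_mac=original.mac, src_ip=original.ip,
                       src_port=original.port), True


def demo() -> Tuple[Packet, Packet]:
    """Round trip with constructed addresses: compromised 10.0.0.5 contacts the
    file service 10.0.0.20:445 using a decoy MAC from its poisoned ARP cache;
    the emulated asset 10.0.0.200 answers."""
    sched = RedirectScheduler(compromised_ips=["10.0.0.5"])
    sched.register("10.0.0.20", 445, Endpoint("02:00:00:00:00:c8", "10.0.0.200", 445))
    request = Packet("00:1a:2b:aa:bb:cc", "10.0.0.5", 51000,
                     "00:1a:2b:07:07:07", "10.0.0.20", 445)
    steered, _ = sched.outbound(request)
    # The asset's reply is the steered packet with its endpoints swapped.
    reply = Packet(steered.dst_mac, steered.dst_ip, steered.dst_port,
                   steered.src_mac, steered.src_ip, steered.src_port)
    restored, _ = sched.inbound(reply)
    return steered, restored
```

Keying the reverse mapping on the recorded connection rather than on the service's real MAC matters: after the ARP spoofing the compromised host addresses the service by a confusing MAC, and handing back the genuine MAC in the reply would leak exactly the value the scheme is trying to hide.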
In a second aspect, the embodiment of the invention further provides a local area network security defense device, which can effectively improve initiative and security of network security defense.
As shown in fig. 4, the local area network security defense device provided in the embodiment of the present application may include:
a monitoring unit 11, configured to monitor whether a compromised host exists in the current local area network;
an ARP monitoring unit 12, configured to monitor an ARP request of the first host to the second host in the current local area network if a compromised host exists in the current local area network; wherein the first host is the compromised host;
an ARP response unit 13, configured to send an ARP reply message to the first host in response to an ARP request of the first host;
a flow obtaining unit 14, configured to obtain an access flow of the first host to the second host, and send the access flow to a simulated asset;
a flow response unit 15, configured to respond to the access flow through the simulated asset, obtain backhaul flow, and send the backhaul flow to the first host.
Optionally, the ARP listening unit 12 includes:
the detection module is used for acquiring the IP address and the MAC address of the current host in the local area network;
a second host determining module, configured to determine the second host by matching the ARP request of the first host with the IP addresses of the current hosts in the local area network.
Optionally, the flow obtaining unit 14 includes:
the acquisition module is used for acquiring the access flow of the first host to the second host;
the address conversion module is used for converting the address of the second host in the access flow into a false address of the simulation asset;
a forwarding module, configured to send the access flow to the simulated asset.
Optionally, the flow response unit 15 includes:
the return flow module is used for obtaining return flow based on the response of the simulation asset to the access flow;
an address restoring module, configured to restore the false address in the backhaul traffic to an address of the second host;
a backhaul traffic sending module, configured to send the backhaul traffic to the first host.
Optionally, referring to fig. 5, the ARP response unit 13 includes:
a determining IP address module 21, configured to extract a target IP address in the ARP request; determining the IP address of the second host according to the target IP address;
a determine MAC address module 22, configured to determine a MAC address of the second host based on the IP address of the second host;
a determining OUI module 23 configured to determine an organization unique identifier OUI of the second host based on a MAC address of the second host;
a confusing address generation module 24, configured to generate a confusing MAC address according to the OUI of the second host;
a confusing address sending module 25, configured to send the confusing MAC address to the first host.
Optionally, a plurality of confusing MAC addresses are generated according to the OUI of the second host, at least two of which are different; the confusing address sending module 25 is specifically configured to send the confusing MAC addresses to the first host one by one according to a preset sending time sequence.
Optionally, the apparatus further includes a preset transmission timing unit, where the preset transmission timing unit includes:
a duration set module, configured to obtain, before monitoring whether a compromised host exists in the current local area network, a duration set from the durations between the first host sending an ARP request to the second host and the first host obtaining the ARP reply message sent by the second host;
a duration subset module, configured to sort the durations in the duration set by size and divide them into parts to obtain duration subsets, where the number of parts is a positive integer;
a correction duration module, configured to select the minimum duration and the maximum duration from each duration subset and determine correction durations, where the minimum duration is adjusted by a lead adjustment value and the maximum duration by a hysteresis (lag) adjustment value, both adjustment values being greater than or equal to 0;
a time sequence module, configured to take the set of correction durations as the preset sending time sequence, where each duration in the preset sending time sequence is the time from the first host sending the ARP request to the first host obtaining a confusing MAC address.
Optionally, the device further includes a simulation unit, where the simulation unit is configured to construct a simulation asset, where the simulation asset is a simulation of a current host in the local area network, for providing access to an attacker, before obtaining the access traffic of the first host to the second host.
Optionally, the device further includes a traffic transfer unit, where the traffic transfer unit is configured to determine an interaction policy for performing traffic transfer between the first host and the second host through a third party before obtaining the access traffic of the first host to the second host.
Optionally, the address includes at least one of a MAC address, an IP address, and a port number.
In a third aspect, an embodiment of the present invention further provides an electronic device.
As shown in fig. 6, an electronic device provided in an embodiment of the present application includes a housing 51, a processor 52, a memory 53, a circuit board 54 and a power supply circuit 55, where the circuit board 54 is arranged in the space enclosed by the housing 51 and the processor 52 and the memory 53 are arranged on the circuit board 54; the power supply circuit 55 supplies power to the respective circuits or devices of the electronic device; the memory 53 stores executable program code; and the processor 52, by reading the executable program code stored in the memory 53, runs the program corresponding to that code so as to perform any one of the local area network security defense methods provided by the embodiments of the present invention.
The specific implementation of the above steps by the processor 52 and the further implementation of the steps by the processor 52 through the execution of the executable program code may be referred to the description of the foregoing embodiments, and will not be repeated here.
Such electronic devices exist in a variety of forms including, but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capabilities and are primarily intended to provide voice and data communication. Such terminals include smart phones (e.g., iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: such devices belong to the category of personal computers, have computing and processing functions and generally also have mobile internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: such devices can display and play multimedia content. They include audio and video players (e.g., iPod), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: a server comprises a processor, a hard disk, memory, a system bus and the like, and is similar in architecture to a general-purpose computer, but because it must provide highly reliable services it has high requirements in terms of processing capacity, stability, reliability, security, scalability, manageability and so on.
(5) Other electronic devices with data interaction functions.
Accordingly, embodiments of the present invention further provide a computer readable storage medium, where one or more programs are stored, where the one or more programs may be executed by one or more processors, so as to implement any of the local area network security defense methods provided by the embodiments of the present invention, and thus, the corresponding technical effects are also achieved, which have been described in detail above and are not repeated herein.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments.
In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
For convenience of description, the above apparatus is described as being functionally divided into various units/modules, respectively. Of course, the functions of the various elements/modules may be implemented in the same piece or pieces of software and/or hardware when implementing the present invention.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored on a computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), or the like.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. A method of security defense for a local area network, comprising:
monitoring whether a collapse host exists in the current local area network;
if the current local area network has the collapse host, monitoring an ARP request of the first host to the second host in the current local area network; wherein the first host is the collapse host;
responding to the ARP request of the first host, and sending an ARP reply message to the first host;
acquiring the access flow of the first host to the second host, and sending the access flow to a simulation asset;
responding to the access traffic through the simulated asset to obtain backhaul traffic, and sending the backhaul traffic to the first host;
wherein the responding to the ARP request of the first host and sending an ARP reply message to the first host comprises:
extracting a target IP address in the ARP request; determining the IP address of the second host according to the target IP address;
determining a MAC address of the second host based on the IP address of the second host;
determining an organization unique identifier OUI of the second host based on the MAC address of the second host;
generating a confusion MAC address according to the OUI of the second host;
sending the confusion MAC address to the first host;
wherein a plurality of confusion MAC addresses are generated according to the OUI of the second host, and at least two of the confusion MAC addresses are different; and said sending the confusion MAC address to the first host includes:
sending the confusion MAC addresses to the first host one by one according to a preset sending time sequence;
before monitoring whether a collapse host exists in the current local area network, the method comprises the following steps:
according to the time length from the first host to the second host when the first host obtains the ARP reply message sent by the second host, obtaining a time length set;
sorting the time durations in the time duration set according to size and dividing them into parts to obtain time duration subsets, wherein the number of parts is a positive integer;
selecting a minimum duration and a maximum duration from each time duration subset and determining correction durations, wherein the minimum duration is adjusted by an advance adjustment value and the maximum duration by a hysteresis adjustment value, both adjustment values being ≥ 0;
taking the set of correction durations as the preset sending time sequence, wherein each time length in the preset sending time sequence is a time length from the first host sending the ARP request to the first host obtaining the confused MAC address.
2. The method of claim 1, wherein monitoring ARP requests of the first host to the second host in the current lan comprises:
acquiring the IP address and the MAC address of a current host in the local area network;
determining the second host by matching the monitored ARP request of the first host against the IP address of the current host in the local area network.
3. The local area network security defense method of claim 1 wherein the obtaining access traffic of the first host to the second host and sending the access traffic to a simulated asset comprises:
acquiring the access flow of the first host to the second host;
converting the address of the second host in the access flow into a false address of the simulated asset;
sending the access traffic to the simulated asset.
4. The local area network security defense method of claim 3 wherein responding to the access traffic by the emulated asset to obtain backhaul traffic, transmitting the backhaul traffic to the first host, comprising:
obtaining a backhaul traffic based on a response of the simulated asset to the access traffic;
restoring the false address in the backhaul traffic to an address of the second host;
and sending the backhaul traffic to the first host.
5. The local area network security defense method of claim 1, wherein prior to obtaining access traffic of the first host to the second host, comprising:
a simulated asset is constructed that is a simulation of a current host in the local area network for providing access to an attacker.
6. The local area network security defense method of claim 1, wherein prior to obtaining access traffic of the first host to the second host, further comprising:
and determining an interaction strategy for traffic transfer between the first host and the second host through a third party.
7. A local area network security defense method as defined in claim 3, wherein the address comprises at least one of a MAC address, an IP address, a port number.
8. A local area network security defense device, comprising:
the monitoring unit is used for monitoring whether a collapse host exists in the current local area network;
an ARP monitoring unit, configured to monitor an ARP request of the first host to the second host in the current local area network if the current local area network has the collapse host; wherein the first host is the collapse host;
an ARP response unit, configured to respond to an ARP request of the first host, and send an ARP reply message to the first host;
the flow acquisition unit is used for acquiring the access flow of the first host to the second host and sending the access flow to the simulation asset;
the flow response unit is used for responding to the access flow through the simulation asset to obtain a return flow, and sending the return flow to the first host;
the ARP response unit includes:
the IP address determining module is used for extracting a target IP address in the ARP request; determining the IP address of the second host according to the target IP address;
a determining MAC address module, configured to determine a MAC address of the second host based on the IP address of the second host;
a determining OUI module configured to determine an organization unique identifier OUI of the second host based on a MAC address of the second host;
the confusion address generation module is used for generating a confusion MAC address according to the OUI of the second host;
a confusion address sending module, configured to send the confusion MAC address to the first host;
wherein a plurality of confusion MAC addresses are generated according to the OUI of the second host, and at least two of the confusion MAC addresses are different; the confusion address sending module is specifically configured to send the confusion MAC addresses to the first host one by one according to a preset transmission timing sequence;
the device further comprises a preset sending time sequence unit, wherein the preset sending time sequence unit comprises:
a time length set module, configured to obtain, before monitoring whether the current local area network has a sinking host, a time length set from the time lengths measured from the first host sending an ARP request to the second host until the first host obtains the ARP reply message sent by the second host;
a time length subset module, configured to sort the time lengths in the time length set by size and divide the time length set into a number of parts to obtain duration subsets, the number of parts and the subset index each being a positive integer;
a correction duration module, configured to select the minimum duration and the maximum duration from each duration subset and to determine a correction period whose lower bound is the minimum duration advanced by an advance adjustment value and whose upper bound is the maximum duration delayed by a hysteresis adjustment value, the advance adjustment value and the hysteresis adjustment value each being greater than or equal to 0;
a time sequence module, configured to take the time length set corrected by the correction periods as the preset sending time sequence, each time length in the preset sending time sequence being a time length from the first host sending the ARP request until the first host obtains a confusion MAC address.
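The ARP response modules and the preset sending time sequence modules of claim 8, worked through as an added Python example; this is not code from the patent or from the applicant. The function names, the millisecond units, the uniform draw of a delay from each correction period, the clamping of a negative lower bound to zero, the sample round-trip durations and the sample MAC address are all assumptions constructed for the illustration. The decoy addresses keep the real host's OUI (first three octets) and only randomise the NIC-specific half, so each decoy looks like hardware from the same vendor as the second host, and each decoy reply is delayed by a value taken from a correction period derived from the durations the first host has previously observed.

```python
"""Decoy ARP reply planning: OUI-preserving confusion MACs on a measured timing schedule."""
import random
import re

# Lowercase, colon-separated 48-bit MAC address.
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def oui_of(mac: str) -> str:
    """Return the organizationally unique identifier: the first three octets of a MAC."""
    mac = mac.lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac[:8]


def generate_confusion_macs(real_mac: str, count: int, rng: random.Random) -> list[str]:
    """Generate `count` distinct decoy MACs that share the real host's OUI.

    Only the NIC-specific lower 24 bits are randomised, so a decoy looks like a
    device from the same vendor as the real second host; the real address itself
    is excluded so it is never handed to the requester.
    """
    oui = oui_of(real_mac)
    used = {real_mac.lower()}
    decoys: list[str] = []
    while len(decoys) < count:
        nic = ":".join(f"{rng.randrange(256):02x}" for _ in range(3))
        candidate = f"{oui}:{nic}"
        if candidate not in used:
            used.add(candidate)
            decoys.append(candidate)
    return decoys


def build_send_schedule(durations_ms, parts, advance_ms=0.0, lag_ms=0.0):
    """Turn observed ARP request-to-reply durations into correction periods.

    The durations are sorted ascending and split into `parts` contiguous subsets;
    each subset yields (min - advance, max + lag). Assumption: a lower bound that
    would go negative is clamped to 0, since a reply cannot precede the request.
    """
    if parts < 1 or advance_ms < 0 or lag_ms < 0 or not durations_ms:
        raise ValueError("need >= 1 part, non-negative adjustments and some samples")
    ordered = sorted(durations_ms)
    n = len(ordered)
    periods = []
    for i in range(parts):
        subset = ordered[i * n // parts:(i + 1) * n // parts]
        if not subset:  # more parts than samples: skip the empty subsets
            continue
        periods.append((max(0.0, min(subset) - advance_ms), max(subset) + lag_ms))
    return periods


def plan_confusion_replies(real_mac, durations_ms, parts, count,
                           advance_ms=0.0, lag_ms=0.0, seed=None):
    """Return [(delay_ms, decoy_mac), ...] in send order, one decoy per reply.

    The k-th decoy is delayed by a value drawn from the k-th correction period
    (cycling through the periods), so the decoy replies arrive with the timing
    profile the requester has already seen from the real host.
    """
    rng = random.Random(seed)
    periods = build_send_schedule(durations_ms, parts, advance_ms, lag_ms)
    decoys = generate_confusion_macs(real_mac, count, rng)
    plan = []
    for k, mac in enumerate(decoys):
        low, high = periods[k % len(periods)]
        plan.append((rng.uniform(low, high), mac))
    return plan


# Constructed sample: six previously measured ARP round-trips (ms) between the first and second host.
SAMPLE_DURATIONS_MS = [12, 15, 9, 30, 27, 21]
REAL_SECOND_HOST_MAC = "00:1a:2b:3c:4d:5e"  # constructed value, not a real asset

if __name__ == "__main__":
    for delay, mac in plan_confusion_replies(REAL_SECOND_HOST_MAC, SAMPLE_DURATIONS_MS,
                                             parts=2, count=4, advance_ms=2, lag_ms=3, seed=7):
        print(f"after {delay:6.1f} ms -> reply with {mac}")
```

With the constructed durations, two parts and adjustments of 2 ms and 3 ms, `build_send_schedule` yields the periods (7, 18) and (19, 33); the first and third decoy replies are delayed from the first period, the second and fourth from the second.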
9. An electronic device, comprising: a shell, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; the power supply circuit is used for supplying power to each circuit or device of the electronic device; the memory is used for storing executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the local area network security defense method according to any one of claims 1-7.
10. A computer readable storage medium storing one or more programs which, when executed by one or more processors, implement the local area network security defense method according to any one of claims 1-7.
CN202311330593.3A 2023-10-16 2023-10-16 Local area network security defense method and device, electronic equipment and storage medium Active CN117081862B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311330593.3A CN117081862B (en) 2023-10-16 2023-10-16 Local area network security defense method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311330593.3A CN117081862B (en) 2023-10-16 2023-10-16 Local area network security defense method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN117081862A CN117081862A (en) 2023-11-17
CN117081862B true CN117081862B (en) 2024-01-26

Family

ID=88719855

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311330593.3A Active CN117081862B (en) 2023-10-16 2023-10-16 Local area network security defense method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117081862B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111901348A (en) * 2020-07-29 2020-11-06 北京宏达隆和科技有限公司 Method and system for active network threat awareness and mimicry defense
CN112688900A (en) * 2019-10-18 2021-04-20 张长河 Local area network safety protection system and method for preventing ARP spoofing and network scanning
CN113949520A (en) * 2020-06-29 2022-01-18 奇安信科技集团股份有限公司 Method, apparatus, computer device and readable storage medium for spoof trapping
CN116132090A (en) * 2022-11-09 2023-05-16 中国电子科技集团公司第三十研究所 Spoofing defending system for Web security protection
CN116471064A (en) * 2023-04-04 2023-07-21 广西电网有限责任公司信息中心 Network safety protection system, method and device based on active defense strategy

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080098476A1 (en) * 2005-04-04 2008-04-24 Bae Systems Information And Electronic Systems Integration Inc. Method and Apparatus for Defending Against Zero-Day Worm-Based Attacks


Also Published As

Publication number Publication date
CN117081862A (en) 2023-11-17

Similar Documents

Publication Publication Date Title
CN109347881B (en) Network protection method, device, equipment and storage medium based on network spoofing
CN108965259B (en) Method and device for discovering and isolating malicious nodes of block chain
US20230092522A1 (en) Data packet processing method, apparatus, and electronic device, computer-readable storage medium, and computer program product
US11212281B2 (en) Attacker detection via fingerprinting cookie mechanism
CN112491892A (en) Network attack inducing method, device, equipment and medium
CN111030986A (en) Attack organization traceability analysis method and device and storage medium
Guha Roy et al. A blockchain‐based cyber attack detection scheme for decentralized Internet of Things using software‐defined network
US10931691B1 (en) Methods for detecting and mitigating brute force credential stuffing attacks and devices thereof
US10812489B2 (en) Method and system for classifying network requests
CN112019545B (en) Honeypot network deployment method, device, equipment and medium
CN110266650B (en) Identification method of Conpot industrial control honeypot
CN113691504B (en) Network trapping method and system based on software defined network
US20160255056A1 (en) Apparatus and method for messaging security and reliability
WO2023193513A1 (en) Honeypot network operation method and apparatus, device, and storage medium
CN110798402B (en) Service message processing method, device, equipment and storage medium
Durga Devi et al. Malicious node and malicious observer node detection system in MANETs
CN117081862B (en) Local area network security defense method and device, electronic equipment and storage medium
US8661102B1 (en) System, method and computer program product for detecting patterns among information from a distributed honey pot system
CN104378327A (en) Network attack protection method, device and system
CN112003853B (en) Network security emergency response system supporting ipv6
CN114172815A (en) Behavior traffic transmission method and device, computer equipment and computer readable storage medium
Alnaim et al. A Misuse Pattern for Distributed Denial-of-Service Attack in Network Function Virtualization
Machida et al. Novel deception techniques for malware detection on industrial control systems
CN110601878A (en) Method for constructing stealth network
CN114465750B (en) Network topology confusion virtual path creating method, device, terminal and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant