CN117336084A - Replay attack processing method, system, electronic equipment and storage medium - Google Patents


Info

Publication number: CN117336084A
Application number: CN202311426193.2A
Authority: CN (China)
Prior art keywords: replay, message, network message, sequence number, network
Legal status: Pending (as listed by Google Patents; this is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 彭海远
Current assignee: Zhuhai Xingyun Zhilian Technology Co Ltd
Original assignee: Zhuhai Xingyun Zhilian Technology Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks > H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/12 Applying verification of the received information > H04L63/123 Applying verification of the received information received data contents, e.g. message integrity


Abstract

The application discloses a replay attack processing method, a replay attack processing system, an electronic device and a storage medium, belonging to the technical field of network security. The replay attack processing method comprises the following steps: receiving a network packet and judging whether it matches the filtering condition of an anti-replay filter table; if the packet matches the filtering condition, discarding it; if it does not match, decrypting it; if the decryption result passes the integrity check, judging whether the packet's sequence number is greater than the upper bound of the first sequence number interval; and if it is, updating the anti-replay sliding window according to that sequence number and updating the filtering condition of the anti-replay filter table using the second sequence number interval to which the updated sliding window corresponds. The method and device improve the reliability of replay attack processing while avoiding network congestion.

Description

Replay attack processing method, system, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular to a method, a system, an electronic device and a storage medium for processing replay attacks.
Background
A replay attack is a network attack in which an attacker copies network packets that the destination host has already received and resends them to that host in order to gain unauthorized access or to deceive it. Replay attacks can occur in any authentication or encryption system that relies on such data packets.
In the related art, replay attacks are detected mainly by means of an anti-replay filter table and an anti-replay sliding window, and the detection can be performed either before or after the packet is decrypted.
If detection is performed before decryption, then a forged packet whose sequence number exceeds the maximum sequence number of the anti-replay sliding window slides the window forward, and legitimate packets whose sequence numbers are less than or equal to the forged one are wrongly discarded; the reliability of replay attack processing is therefore low. If detection is performed after decryption, then when the host receives a large number of packets each of them must be decrypted before the replay check runs, which increases the load on the decryption engine and easily leads to network congestion.
How to improve the reliability of replay attack processing while avoiding network congestion is therefore a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The invention aims to provide a replay attack processing method, a replay attack processing system, an electronic device and a storage medium that improve the reliability of replay attack processing while avoiding network congestion.
In order to solve the above technical problem, the present application provides a replay attack processing method, which comprises:
receiving a network packet and judging whether the packet matches the filtering condition of an anti-replay filter table, where the filtering condition is set according to the first sequence number interval to which the anti-replay sliding window currently corresponds;
discarding the packet if it matches the filtering condition;
decrypting the packet if it does not match the filtering condition;
judging whether the decryption result of the packet passes the integrity check;
if the decryption result passes the integrity check, judging whether the packet's sequence number is greater than the upper bound of the first sequence number interval;
if the packet's sequence number is greater than the upper bound of the first sequence number interval, updating the anti-replay sliding window according to that sequence number, and updating the filtering condition of the anti-replay filter table using the second sequence number interval to which the updated anti-replay sliding window corresponds.
Optionally, updating the anti-replay sliding window according to the packet's sequence number comprises:
updating the anti-replay sliding window according to a preset rule, the rule being that the packet's sequence number lies within the second sequence number interval to which the updated window corresponds, and that the first and second sequence number intervals have the same window size.
Optionally, updating the anti-replay sliding window according to the preset rule comprises:
updating the anti-replay sliding window with the packet's sequence number as the new lower bound.
Optionally, before judging whether the packet matches the filtering condition of the anti-replay filter table, the method further comprises:
determining the packet's sequence number and updating the packet state parameter according to it, where the packet state parameter records the receiving state of each sequence number in the first sequence number interval to which the anti-replay sliding window currently corresponds;
setting the filtering condition according to the packet state parameter and the first sequence number interval, the filtering condition being that the receiving state of the packet's sequence number is "received", or that the sequence number is smaller than the lower bound of the first sequence number interval.
Further, the method also comprises:
after judging that the packet is not a replay, updating the receiving state of its sequence number in the packet state parameter to "received".
Optionally, after judging whether the decryption result of the packet passes the integrity check, the method further comprises:
discarding the packet if the decryption result fails the integrity check.
Optionally, after receiving the packet, the method further comprises:
if the buffer queue is in the open state, adding the packet to the buffer queue;
if the buffer queue is in the closed state, proceeding to the step of judging whether the packet matches the filtering condition of the anti-replay filter table, and setting the buffer queue to the open state;
if the packet is discarded, setting the buffer queue to the closed state;
if the decryption result of the packet fails the integrity check, setting the buffer queue to the closed state;
if the packet's sequence number lies within the first sequence number interval, setting the buffer queue to the closed state;
if the filtering condition of the anti-replay filter table has been updated, setting the buffer queue to the closed state;
if a new packet is received while the buffer queue is in the open state, adding the new packet to the buffer queue;
if a new packet is received while the buffer queue is in the closed state, judging whether the new packet is a replay by means of the anti-replay filter table and/or the anti-replay sliding window.
The application also provides a replay attack processing system, which comprises:
a filtering module for receiving a network packet and judging whether the packet matches the filtering condition of the anti-replay filter table, where the filtering condition is set according to the first sequence number interval to which the anti-replay sliding window currently corresponds;
a replay processing module for discarding the packet if it matches the filtering condition;
a decryption module for decrypting the packet if it does not match the filtering condition, and for judging whether the decryption result passes the integrity check;
a sliding window updating module for judging, if the decryption result passes the integrity check, whether the packet's sequence number is greater than the upper bound of the first sequence number interval, and, if it is, updating the anti-replay sliding window according to that sequence number and updating the filtering condition of the anti-replay filter table using the second sequence number interval to which the updated anti-replay sliding window corresponds.
The application also provides a storage medium on which a computer program is stored; when executed, the program implements the steps of the above replay attack processing method.
The application also provides an electronic device comprising a memory and a processor; the memory stores a computer program, and the processor implements the steps of the above replay attack processing method when it invokes the program in the memory.
The application provides a replay attack processing method comprising: receiving a network packet and judging whether it matches the filtering condition of an anti-replay filter table, the filtering condition being set according to the first sequence number interval to which the anti-replay sliding window currently corresponds; discarding the packet if it matches the filtering condition; decrypting the packet if it does not; judging whether the decryption result passes the integrity check; if it does, judging whether the packet's sequence number is greater than the upper bound of the first sequence number interval; and if it is, updating the anti-replay sliding window according to that sequence number and updating the filtering condition of the anti-replay filter table using the second sequence number interval to which the updated window corresponds.
After receiving a packet, the method first uses the anti-replay filter table to judge whether the packet matches its filtering condition, so that replay detection based on the filter table happens before any decryption. Only after determining that the packet does not match the filtering condition does the method decrypt it, and only after the decryption result passes the integrity check does it compare the packet's sequence number with the first sequence number interval to which the anti-replay sliding window currently corresponds. When the sequence number is greater than the upper bound of the first interval, the anti-replay sliding window is updated, and the filtering condition of the anti-replay filter table is then updated from the second sequence number interval to which the updated window corresponds, so that subsequent detection uses the updated filtering condition. In this flow the anti-replay filter table is applied before decryption and the anti-replay sliding window after it, which improves the reliability of replay attack processing while avoiding network congestion. The application also provides a replay attack processing system, a storage medium and an electronic device, which have the same beneficial effects and are not described again here.
Drawings
For a clearer description of the embodiments of the present application, the drawings needed in the embodiments are briefly described below. It is apparent that the drawings described below are only some embodiments of the present application, and that a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of a replay attack processing method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of anti-replay processing performed before a packet is decrypted according to an embodiment of the present application;
FIG. 3 is a schematic diagram of anti-replay processing performed after a packet is decrypted according to an embodiment of the present application;
FIG. 4 is a schematic diagram of the replay attack processing principle in which the anti-replay filter table and the anti-replay sliding window are implemented separately according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a replay attack processing system according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the drawings. It is apparent that the described embodiments are some, but not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from the present disclosure without undue burden fall within the scope of the present disclosure.
Referring to FIG. 1, FIG. 1 is a flowchart of a replay attack processing method according to an embodiment of the present application.
The specific steps may include:
S101: receiving a network packet and judging whether the packet matches the filtering condition of the anti-replay filter table; if yes, proceed to S102; if not, proceed to S103;
This embodiment can be applied to host devices such as firewalls, classified-protection (等保) all-in-one security appliances and switches, which receive network packets transmitted by other devices. The host device stores an anti-replay filter table and an anti-replay sliding window, and uses them to detect and process packets that carry a replay attack.
The filtering condition used by the anti-replay filter table is set according to the first sequence number interval to which the anti-replay sliding window currently corresponds, and serves to filter packets that are received repeatedly within that interval. Specifically, the anti-replay filter table may record the sequence numbers of the first interval together with the number of times each has been received; if the sequence number of an incoming packet has already been received, the packet is judged to match the filtering condition of the anti-replay filter table.
S102: discarding the network message;
the step is based on that the network message accords with the filtering condition, and at the moment, the replay attack of the network message can be judged, and the network message can be directly discarded.
S103: decrypting the network message;
the step is based on that the network message does not meet the filtering condition, and the network message is detected based on the anti-replay filtering table, so that the network message can be input into the decryption engine for decryption operation, and the network message which does not pass through the anti-replay filtering table can be prevented from being decrypted in the process.
S104: judging whether the decryption result of the network message passes through the integrity check; if yes, go to S105; if not, entering S102 to discard the network message;
the decryption of the network message can obtain a decryption result, the decryption result is subjected to complete verification, if the decryption result passes the integrity verification, the operation of S105 can be entered, and if the decryption result does not pass the integrity verification, the operation of S102 is entered to discard the network message.
S105: judging whether the message sequence number of the network message is larger than the upper limit value of the first sequence number interval;
the step is based on that the decryption result passes through the integrity check, and at the moment, the network message can be detected by using the first sequence number interval of the anti-replay sliding window. If the message sequence number of the network message is smaller than the lower limit value of the first sequence number interval, judging that replay attack exists in the network message, and directly discarding the network message; if the message sequence number of the network message is in the first sequence number interval, judging that the network message does not have replay attack, and continuously processing the network message; if the message sequence number of the network message is larger than the upper limit value of the first sequence number interval, judging that the network message does not have replay attack, and continuously processing the network message and updating the replay-resistant sliding window and the replay-resistant filtering table.
S106: and updating the anti-replay sliding window according to the message sequence number of the network message, and updating the filtering condition of the anti-replay filtering table by utilizing the second sequence number interval corresponding to the anti-replay sliding window currently.
The step is based on that the message sequence number of the network message is larger than the upper limit value of the first sequence number interval, and the anti-replay sliding window can be updated according to the message sequence number of the network message, and the filtering condition of the anti-replay filtering table is updated by utilizing the second sequence number interval corresponding to the anti-replay sliding window currently.
After receiving a packet, this embodiment first uses the anti-replay filter table to judge whether the packet matches its filtering condition, so that replay detection based on the filter table happens before decryption. Only after determining that the packet does not match the filtering condition does the embodiment decrypt it, and only after the decryption result passes the integrity check does it compare the packet's sequence number with the first sequence number interval to which the anti-replay sliding window currently corresponds. When the sequence number is greater than the upper bound of the first interval, the embodiment updates the anti-replay sliding window and then updates the filtering condition of the anti-replay filter table from the second sequence number interval to which the updated window corresponds, so that subsequent detection uses the updated filtering condition. In this flow the anti-replay filter table is applied before decryption and the anti-replay sliding window after it, which improves the reliability of replay attack processing while avoiding network congestion.
As a further description of the embodiment of FIG. 1, the anti-replay sliding window may be updated as follows: the window is updated according to a preset rule based on the packet's sequence number, the rule being that the sequence number lies within the second sequence number interval to which the updated window corresponds, and that the first and second sequence number intervals have the same window size.
Further, this operation may update the anti-replay sliding window with the packet's sequence number as the new lower bound.
For example, if the upper bound of the current sequence number interval of the anti-replay sliding window is N and the window size is W, then on receiving a packet with sequence number M > N the updated interval is [M, M+W-1].
Taking the first sequence number interval [1, 10] of the anti-replay sliding window as an example, if a packet with sequence number 21 is received, the anti-replay sliding window is updated to the second sequence number interval [21, 30].
As a further description of the embodiment of FIG. 1, before judging whether the packet matches the filtering condition of the anti-replay filter table, the filter table may be set from the first sequence number interval to which the anti-replay sliding window currently corresponds, specifically as follows: determine the packet's sequence number and update the packet state parameter according to it; then set the filtering condition according to the packet state parameter and the first sequence number interval, the filtering condition being that the receiving state of the packet's sequence number is "received", or that the sequence number is smaller than the lower bound of the first sequence number interval. The packet state parameter records the receiving state (received or not) of each sequence number in the first sequence number interval to which the anti-replay sliding window currently corresponds.
When the filtering condition is applied to a packet: if the packet's sequence number is smaller than the lower bound of the first interval, the packet matches the filtering condition and is discarded directly; if the receiving state of its sequence number is "received", the packet matches the filtering condition and is discarded directly; if the sequence number is greater than or equal to the lower bound and less than or equal to the upper bound of the first interval and its receiving state is "not received", the packet does not match the filtering condition and is decrypted (a sequence number above the upper bound matches neither part of the condition either, so it is likewise passed to decryption and is only allowed to move the window after the integrity check). Further, after the packet has been judged not to be a replay, the receiving state of its sequence number in the packet state parameter may be updated to "received".
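The complete S101 to S106 flow, together with the window update rule and the filtering condition described above, as an added worked example in Python; this is not code from the patent or its assignee. The "decryption engine" is stood in for by a toy encrypt-then-MAC construction (SHA-256 keystream plus an HMAC-SHA256 tag) so that the example runs offline; the packet layout (4-byte cleartext sequence number, ciphertext, 32-byte tag), the key and the traffic are all constructed for the example. The window slides exactly as the page specifies, with the accepted sequence number becoming the new lower bound. Note that this differs from the RFC 4303 ESP anti-replay window, where the highest authenticated sequence number becomes the top of the window; under the page's rule a legitimate packet still in flight with a sequence number between the old upper bound and the new lower bound is dropped once the window has moved, which the constructed trace also shows.

```python
import hashlib
import hmac

SEQ_LEN = 4    # big-endian sequence number, sent in the clear
TAG_LEN = 32   # HMAC-SHA256 tag


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). Stands in for the page's
    decryption engine; not a recommended cipher, just enough to run the flow."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + seq.to_bytes(SEQ_LEN, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Sender side: seq || ciphertext || tag (encrypt-then-MAC, tag covers seq)."""
    header = seq.to_bytes(SEQ_LEN, "big")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, seq, len(plaintext))))
    return header + ct + hmac.new(key, header + ct, hashlib.sha256).digest()


def peek_seq(packet: bytes) -> int:
    """The sequence number is readable before decryption, which is what lets
    the filter table run ahead of the decryption engine."""
    return int.from_bytes(packet[:SEQ_LEN], "big")


class AntiReplayReceiver:
    """Filter table before decryption (S101/S102), decryption plus integrity
    check (S103/S104), sliding-window decision and update afterwards (S105/S106)."""

    def __init__(self, key: bytes, window_size: int = 10, lower: int = 1):
        self.key = key
        self.w = window_size
        self.lower = lower        # current interval is [lower, lower + w - 1]
        self.received = set()     # "packet state parameter": seqs accepted in this window
        self.decryptions = 0      # how often the decryption engine was invoked

    @property
    def upper(self) -> int:
        return self.lower + self.w - 1

    def matches_filter(self, seq: int) -> bool:
        """Filtering condition: already received, or below the window's lower bound.
        A seq above the upper bound is deliberately NOT filtered here: it must pass
        the integrity check first, so a forged high seq cannot move the window."""
        return seq < self.lower or seq in self.received

    def _decrypt(self, packet: bytes):
        """Return the plaintext, or None when the integrity check fails."""
        self.decryptions += 1
        header, ct, tag = packet[:SEQ_LEN], packet[SEQ_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        seq = int.from_bytes(header, "big")
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.key, seq, len(ct))))

    def receive(self, packet: bytes):
        """Return (outcome, plaintext-or-None) for one incoming packet."""
        seq = peek_seq(packet)
        if self.matches_filter(seq):            # S101 -> S102: dropped, never decrypted
            return "DROP_FILTER", None
        plaintext = self._decrypt(packet)       # S103
        if plaintext is None:                   # S104 failed -> S102
            return "DROP_INTEGRITY", None
        if seq > self.upper:                    # S105 -> S106: slide the window
            self.lower = seq                    # page's rule: seq becomes the new lower bound
            self.received = {seq}               # old states now lie below the window
            return "ACCEPT_SLIDE", plaintext
        self.received.add(seq)                  # inside the window, seen for the first time
        return "ACCEPT", plaintext


def demo():
    """Constructed traffic: legitimate packets, a replay, a forged high-seq packet
    with a bad tag, a legitimate out-of-window packet and a stale packet.
    Returns the per-packet trace and the number of decryption-engine calls."""
    key = b"\x11" * 32                          # constructed key for the example
    rx = AntiReplayReceiver(key, window_size=10, lower=1)
    pkts = {s: seal(key, s, b"msg%d" % s) for s in (1, 2, 3, 4, 5, 21)}
    forged = (100).to_bytes(SEQ_LEN, "big") + b"xx" + b"\x00" * TAG_LEN  # attacker-made
    arrivals = [("seq1", pkts[1]), ("seq2", pkts[2]), ("seq3", pkts[3]),
                ("replay seq2", pkts[2]), ("forged seq100", forged), ("seq4", pkts[4]),
                ("seq21", pkts[21]), ("replay seq21", pkts[21]), ("late seq5", pkts[5])]
    trace = []
    for name, pkt in arrivals:
        outcome, _ = rx.receive(pkt)
        trace.append((name, outcome, rx.lower, rx.upper))
    return trace, rx.decryptions


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

The trace shows why the split matters: the replayed packets and the stale packet are dropped without touching the decryption engine (six decryptions for nine packets), and the forged packet with sequence number 100 fails the integrity check before it can move the window, so the legitimate packet with sequence number 4 that follows it is still accepted. Only the genuine packet with sequence number 21 slides the window to [21, 30], after which the late but genuine packet 5 is rejected by the lower-bound part of the filtering condition.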
Furthermore, in this embodiment a buffer queue may be set up on the host that receives the packets: until the Nth packet has been fully processed, or the filtering condition has been updated, any packet received after it (e.g. the (N+1)th packet) is added to the buffer queue.
In this embodiment, after a packet is received, if the buffer queue is in the open state the packet is added to the queue to wait for the processing of the preceding packet; if the buffer queue is in the closed state, the step of judging whether the packet matches the filtering condition of the anti-replay filter table is entered, so as to execute S101 to S106 of the above embodiment, and the buffer queue is set to the open state.
Taking the case where the buffer queue is in the closed state when the Nth packet is received: if the Nth packet is discarded, the buffer queue is set from the open state back to the closed state; if the decryption result of the Nth packet fails the integrity check, the queue is set from open to closed; if the packet's sequence number lies within the first sequence number interval, the queue is set from open to closed; and if the filtering condition of the anti-replay filter table has been updated, the queue is set from open to closed.
If a new packet (the (N+1)th) is received while the buffer queue is in the open state, it is added to the buffer queue; if a new packet (the (N+1)th) is received while the buffer queue is in the closed state, it is judged whether the new packet is a replay by means of the anti-replay filter table and/or the anti-replay sliding window.
In this way, misjudgements of replay attacks caused by the filtering condition of the anti-replay filter table not yet having been updated are avoided, and the reliability of replay attack processing is improved.
The flow described in the above embodiment is explained below by way of an embodiment in practical application.
With the rapid growth of the internet, networks have become an important component of people's lives and works. However, network security issues are also becoming increasingly prominent, with tremendous risks to individuals and businesses. The replay attack is an attack means commonly used in the network, and refers to the action that an attacker transmits an authenticated packet to a destination station at a later time after obtaining the authenticated packet. Repeated receipt of authenticated network messages may have unpredictable severe consequences.
To enable handling of replay attacks, the art typically adopts replay-resistant techniques based on replay-resistant filter tables and replay-resistant sliding windows. In the anti-replay technology, the anti-replay filter table and the anti-replay sliding window are usually maintained and processed together at the same time, and are realized either before the message is decrypted or after the message is decrypted. Referring to fig. 2 and fig. 3, fig. 2 is a schematic diagram of anti-replay processing before decrypting a message provided in an embodiment of the present application, and fig. 3 is a schematic diagram of anti-replay processing after decrypting a message provided in an embodiment of the present application. Therefore, in the related art, the two technical points of the anti-replay sliding window and the anti-replay filtering table are maintained together at the same time, and the anti-replay sliding window and the anti-replay filtering table are realized either before or after the message decryption.
If the anti-replay operation based on the anti-replay filter table and the anti-replay sliding window is performed before decrypting the network message, at least the following problems exist: (1) If a network message whose sequence number exceeds the maximum sequence number of the anti-replay sliding window is forged, the anti-replay sliding window slides to the latest sequence number according to the anti-replay protocol, so that all normal network messages with sequence numbers smaller than the latest sequence number are discarded by mistake;
(2) If an incomplete copy of the current network message is forged and sent before the correct current network message, the anti-replay protocol refreshes the filter table upon receiving the incomplete network message; the correct network message received later is then filtered and discarded by the anti-replay filter table, while the incomplete message received earlier is discarded after decryption, so that the forgery attack causes the correct network message to be filtered and discarded by mistake.
If the anti-replay operation based on the anti-replay filter table and the anti-replay sliding window is performed after the network message is decrypted, at least the following problems exist: (1) If a large number of forged messages are used to attack, every one of them must be processed by the decryption engine, which silently increases the load on the decryption engine; particularly when the decryption engine is shared, insufficient decryption performance may impact the system and cause a series of other performance problems; (2) If a large number of forged messages are used to attack and the performance of the decryption engine is insufficient, network congestion may result, and some normal messages may even be discarded and trigger retransmission by the peer, which further aggravates the network congestion.
To solve the above problems, an anti-replay scheme is provided that combines processing before decryption with processing after decryption: replay messages are filtered by the filter table before decryption, the window is slid using the correct message sequence number after decryption, and the filter table is refreshed in real time using the window after it has slid. Whether a large number of complete or incomplete attack messages are forged, or complete or incomplete attack messages beyond the sliding window are forged, the anti-replay method and design introduced by this scheme, which combine anti-replay filtering before decryption with the sliding window after decryption, can handle them.
Referring to fig. 4, fig. 4 is a schematic diagram of a replay attack processing principle in which a replay resistant filtering table and a replay resistant sliding window are separately implemented according to an embodiment of the present application. As shown in fig. 4, the anti-replay filter table and the anti-replay sliding window are separately processed, the anti-replay filter table is implemented before decryption, the anti-replay sliding window is implemented after decryption, and the anti-replay filter table needs to be updated in real time after the anti-replay sliding window is refreshed. The specific implementation process comprises the following steps:
Step 1: check the received message against the anti-replay filter table, and filter out and discard replay messages.
Step 2: decrypt the filtered network message according to the decryption protocol.
Step 3: for a network message that passes decryption and verification, refresh the anti-replay sliding window table according to the sequence number of the message.
Step 4: if the anti-replay sliding window table needs to be refreshed, update the anti-replay filter table synchronously in real time.
This embodiment adopts the anti-replay method and design that combine anti-replay filtering before decryption with the sliding window after decryption, and can cope with a large number of forged complete or incomplete attack messages as well as forged complete or incomplete attack messages beyond the sliding window.
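The following is an added example of the four-step pipeline above; it is not code from the patent or its applicant. It assumes a cleartext 4-byte sequence number header (as in IPsec ESP), uses a truncated HMAC-SHA256 tag as a stand-in for the real decryption-plus-integrity check so that it runs offline, and uses a constructed key and a window of 8. The `demo()` function walks both failure modes described above through the pipeline: a forged message beyond the window and a truncated copy arriving ahead of the genuine message both fail the integrity check without touching the window or filter state, while a true replay is dropped by the filter table before the decryption engine is ever invoked.

```python
"""Added example: anti-replay filter table before decryption, sliding window
(and filter-table re-synchronisation) only after the integrity check passes."""
import hashlib
import hmac
import struct

# Constructed demo key (assumption); a real receiver takes it from key exchange.
KEY = b"constructed-demo-key"
HDR = struct.Struct("!I")   # cleartext 4-byte sequence number, as in IPsec ESP
TAG_LEN = 16                # truncated HMAC-SHA256 tag standing in for an AEAD tag


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender-side stand-in for encrypt-and-authenticate: header || payload || tag."""
    body = HDR.pack(seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class AntiReplay:
    """Receiver side. [lo, hi] is the 'first sequence number interval'; `received`
    is the message state parameter recording which numbers in it were accepted."""

    def __init__(self, window_size: int = 8, key: bytes = KEY):
        self.key = key
        self.win = window_size
        self.lo = 1
        self.received = set()
        self.decrypt_calls = 0      # how often the decryption engine was invoked

    @property
    def hi(self) -> int:
        return self.lo + self.win - 1

    def filtered(self, seq: int) -> bool:
        """Step 1, the filtering condition: already received, or below the lower limit."""
        return seq in self.received or seq < self.lo

    def decrypt(self, msg: bytes):
        """Step 2: decrypt and integrity-check; returns the payload or None."""
        self.decrypt_calls += 1
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if len(body) <= HDR.size:
            return None                         # truncated: nothing to verify
        expect = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body[HDR.size:] if hmac.compare_digest(expect, tag) else None

    def process(self, msg: bytes) -> str:
        if len(msg) < HDR.size:
            return "dropped:malformed"          # no sequence number to read
        seq = HDR.unpack_from(msg)[0]           # header is cleartext, no decrypt needed
        if self.filtered(seq):
            return "dropped:replay"             # never reaches the decryption engine
        if self.decrypt(msg) is None:
            return "dropped:integrity"          # window and filter state untouched
        if seq > self.hi:
            # Steps 3 and 4: slide the window so that seq becomes the new lower
            # limit (claim 3) and bring the filter table in line with the new interval.
            self.lo = seq
            self.received = {s for s in self.received if s >= self.lo}
            self.received.add(seq)
            return "accepted:window-slid"
        self.received.add(seq)                  # inside the window: mark as received
        return "accepted"


def demo() -> dict:
    """Walk the failure modes discussed in the text through the pipeline."""
    ar = AntiReplay(window_size=8)
    legit = {s: protect(s, b"payload-%d" % s) for s in range(1, 10)}   # constructed traffic
    out = {}
    for s in (1, 2, 3, 4, 5):
        ar.process(legit[s])
    before = ar.decrypt_calls
    out["replay_of_3"] = ar.process(legit[3])
    out["replay_reached_engine"] = ar.decrypt_calls != before
    # Problem (1) of pre-decryption schemes: a forged message far beyond the window.
    forged = HDR.pack(1000) + b"junk" + bytes(TAG_LEN)
    out["forged_beyond_window"] = ar.process(forged)
    out["window_after_forgery"] = (ar.lo, ar.hi)
    out["legit_6_after_forgery"] = ar.process(legit[6])
    # Problem (2): a truncated copy of message 7 arrives before the genuine one.
    out["truncated_7"] = ar.process(legit[7][:-1])
    out["genuine_7"] = ar.process(legit[7])
    # A genuine message beyond the window slides it; 9 becomes the new lower limit.
    out["seq_9"] = ar.process(legit[9])
    out["window_after_slide"] = (ar.lo, ar.hi)
    out["late_8"] = ar.process(legit[8])
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

One consequence worth noticing in the run: because the accepted sequence number becomes the new lower limit of the window (claim 3), a genuine message 8 that is still in flight when 9 slides the window to [9, 16] is rejected by the filter table. That strictness is the page's design and differs from the IPsec convention, where the highest verified sequence number forms the upper edge of the window and older in-window numbers remain acceptable.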
Referring to fig. 5, fig. 5 is a schematic structural diagram of a replay attack processing system according to an embodiment of the present application, where the system may include:
the filtering module 501 is configured to receive a network packet and determine whether the network packet meets a filtering condition of an anti-replay filtering table; the filtering conditions of the anti-replay filtering table are set according to the first serial number interval corresponding to the anti-replay sliding window currently;
a replay processing module 502, configured to discard the network packet if the network packet meets the filtering condition;
a decryption module 503, configured to decrypt the network packet if the network packet does not meet the filtering condition, and further configured to judge whether the decryption result of the network message passes the integrity check;
a sliding window updating module 504, configured to determine whether a message sequence number of the network message is greater than an upper bound value of the first sequence number interval if the decryption result passes an integrity check; and if the message sequence number of the network message is larger than the upper limit value of the first sequence number interval, updating the anti-replay sliding window according to the message sequence number of the network message, and updating the filtering condition of the anti-replay filtering table by utilizing the second sequence number interval corresponding to the anti-replay sliding window currently.
After receiving the network message, this embodiment first uses the anti-replay filter table to judge whether the network message meets the filtering condition of the anti-replay filter table, so as to detect replay attacks based on the anti-replay filter table. After determining that the network message does not meet the filtering condition, the embodiment decrypts the network message and, once the decryption result passes the integrity check, compares the message sequence number of the network message with the first sequence number interval currently corresponding to the anti-replay sliding window. When the message sequence number of the network message is greater than the upper limit value of the first sequence number interval, the embodiment updates the anti-replay sliding window and then updates the filtering condition of the anti-replay filter table based on the second sequence number interval currently corresponding to the anti-replay sliding window, so that the updated filtering condition in the anti-replay filter table is used to keep detecting replay attacks in subsequent processing. In the above process, the processing of the anti-replay filter table is placed before message decryption and the processing of the anti-replay sliding window after message decryption, so the reliability of replay attack processing is improved while network congestion is avoided.
Further, the process of updating the anti-replay sliding window by the sliding window updating module 504 according to the message sequence number of the network message includes: updating the anti-replay sliding window according to a preset rule according to the message sequence number of the network message; wherein, the preset rule is: the message sequence number is in a second sequence number interval corresponding to the updated anti-replay sliding window; and the window sizes corresponding to the first sequence number interval and the second sequence number interval are the same.
Further, the process of updating the anti-replay sliding window by the sliding window updating module 504 according to the message sequence number of the network message and the preset rule includes: and updating the anti-replay sliding window by taking the message serial number of the network message as a new lower limit value.
Further, the system further comprises:
the condition setting module is used for determining the network message number of the network message before judging whether the network message accords with the filtering condition of the anti-replay filtering table or not, and updating the message state parameter according to the network message number; the message state parameter is used for recording the receiving state of each serial number in a first serial number interval corresponding to the anti-replay sliding window currently; the filtering condition is set according to the message state parameter and the first sequence number interval; wherein, the filtering condition is: the receiving state of the message sequence number is that the message sequence number is received, or the message sequence number is smaller than the lower limit value of the first sequence number interval.
Further, the system further comprises:
and the state updating module is used for updating the receiving state of the network message number in the message state parameter to be received after judging that the replay attack does not exist in the network message.
Further, the replay processing module 502 is further configured to discard the network packet after determining whether the decryption result of the network packet passes the integrity check, if the decryption result does not pass the integrity check.
Further, the system further comprises:
a buffer control module, configured to add the network message to the buffer queue if the buffer queue is in the open state; and, if the buffer queue is in the closed state, to enter the step of judging whether the network message meets the filtering condition of the anti-replay filter table and set the buffer queue to the open state; further configured to set the buffer queue to the closed state if the network message is discarded; further configured to set the buffer queue to the closed state if the decryption result of the network message fails the integrity check; further configured to set the buffer queue to the closed state if the message sequence number of the network message is within the first sequence number interval; further configured to set the buffer queue to the closed state if the filtering condition of the anti-replay filter table is updated; further configured to add a new network message to the buffer queue if the new network message is received and the buffer queue is in the open state; and, if a new network message is received and the buffer queue is in the closed state, to judge whether the new network message is a replay message using the anti-replay filter table and/or the anti-replay sliding window.
Since the embodiments of the system portion and the embodiments of the method portion correspond to each other, the embodiments of the system portion refer to the description of the embodiments of the method portion, which is not repeated herein.
The present application also provides a storage medium having stored thereon a computer program which, when executed, performs the steps provided by the above embodiments. The storage medium may include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The application also provides an electronic device, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided in the foregoing embodiments when calling the computer program in the memory. Of course the electronic device may also include various network interfaces, power supplies, etc.
In the description, each embodiment is described in a progressive manner, and each embodiment is mainly described by the differences from other embodiments, so that the same similar parts among the embodiments are mutually referred. For the system disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section. It should be noted that it would be obvious to those skilled in the art that various improvements and modifications can be made to the present application without departing from the principles of the present application, and such improvements and modifications fall within the scope of the claims of the present application.
It should also be noted that in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for handling replay attacks, comprising:
receiving a network message and judging whether the network message accords with the filtering condition of an anti-replay filtering table; the filtering conditions of the anti-replay filtering table are set according to the first serial number interval corresponding to the anti-replay sliding window currently;
discarding the network message if the network message meets the filtering condition;
if the network message does not accord with the filtering condition, decrypting the network message;
judging whether the decryption result of the network message passes through the integrity check;
if the decryption result passes the integrity check, judging whether the message sequence number of the network message is larger than the upper limit value of the first sequence number interval;
if the message sequence number of the network message is larger than the upper limit value of the first sequence number interval, updating the anti-replay sliding window according to the message sequence number of the network message, and updating the filtering condition of the anti-replay filtering table by utilizing the second sequence number interval corresponding to the anti-replay sliding window currently.
2. The replay attack processing method of claim 1, wherein updating the replay resistant sliding window according to the message sequence number of the network message comprises:
updating the anti-replay sliding window according to a preset rule according to the message sequence number of the network message; wherein, the preset rule is: the message sequence number is in a second sequence number interval corresponding to the updated anti-replay sliding window; and the window sizes corresponding to the first sequence number interval and the second sequence number interval are the same.
3. The replay attack processing method according to claim 2, wherein updating the replay resistant sliding window according to a preset rule according to the message sequence number of the network message includes:
updating the anti-replay sliding window by taking the message sequence number of the network message as the new lower limit value.
4. The replay attack processing method of claim 1, further comprising, before determining whether the network message meets a filtering condition of a replay filter table:
determining the network message number of the network message, and updating the message state parameter according to the network message number; the message state parameter is used for recording the receiving state of each serial number in a first serial number interval corresponding to the anti-replay sliding window currently;
setting the filtering condition according to the message state parameter and the first sequence number interval; wherein, the filtering condition is: the receiving state of the message sequence number is that the message sequence number is received, or the message sequence number is smaller than the lower limit value of the first sequence number interval.
5. The method of processing a replay attack of claim 4, further comprising:
after judging that the network message does not carry a replay attack, updating the receiving state of the network message number in the message state parameter to received.
6. The replay attack processing method according to claim 1, further comprising, after determining whether the decryption result of the network message passes the integrity check:
if the decryption result fails the integrity check, discarding the network message.
7. The method for processing a replay attack according to any one of claims 1 to 6, further comprising, after receiving the network message:
if the buffer queue is in an open state, adding the network message to the buffer queue;
if the buffer queue is in a closed state, entering the step of judging whether the network message meets the filtering condition of the anti-replay filter table, and setting the buffer queue to the open state;
if the network message is discarded, setting the buffer queue to the closed state;
if the decryption result of the network message fails the integrity check, setting the buffer queue to the closed state;
if the message sequence number of the network message is within the first sequence number interval, setting the buffer queue to the closed state;
if the filtering condition of the anti-replay filter table is updated, setting the buffer queue to the closed state;
if a new network message is received and the buffer queue is in the open state, adding the new network message to the buffer queue;
if a new network message is received and the buffer queue is in the closed state, judging whether the new network message is a replay message using the anti-replay filter table and/or the anti-replay sliding window.
8. A replay attack processing system, comprising:
the filtering module is used for receiving the network message and judging whether the network message accords with the filtering condition of the anti-replay filtering table or not; the filtering conditions of the anti-replay filtering table are set according to the first serial number interval corresponding to the anti-replay sliding window currently;
the replay processing module is used for discarding the network message if the network message accords with the filtering condition;
the decryption module is used for decrypting the network message if the network message does not accord with the filtering condition; the method is also used for judging whether the decryption result of the network message passes the integrity check;
the sliding window updating module is used for judging whether the message sequence number of the network message is larger than the upper limit value of the first sequence number interval or not if the decryption result passes the integrity check; and if the message sequence number of the network message is larger than the upper limit value of the first sequence number interval, updating the anti-replay sliding window according to the message sequence number of the network message, and updating the filtering condition of the anti-replay filtering table by utilizing the second sequence number interval corresponding to the anti-replay sliding window currently.
9. An electronic device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the replay attack handling method according to any one of claims 1 to 7 when the computer program in the memory is invoked by the processor.
10. A storage medium having stored therein computer executable instructions which, when loaded and executed by a processor, implement the steps of the replay attack handling method according to any one of claims 1 to 7.
CN202311426193.2A 2023-10-30 2023-10-30 Replay attack processing method, system, electronic equipment and storage medium Pending CN117336084A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311426193.2A CN117336084A (en) 2023-10-30 2023-10-30 Replay attack processing method, system, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117336084A true CN117336084A (en) 2024-01-02

Family

ID=89277297

Country Status (1)

Country Link
CN (1) CN117336084A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination