KR101806310B1 - Eavesdropping attack module, preventing method for eavesdropping using the same, and security system including the same - Google Patents
- Publication number: KR101806310B1 (application KR1020150185368A)
- Authority: KR (South Korea)
- Prior art keywords: host, attack, packet, data packet, generating
- Prior art date: 2015-12-23
Classifications (CPC, all under H: electricity; H04: electric communication technique; H04L: transmission of digital information, e.g. telegraphic communication):
- H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/00 network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1441 countermeasures against malicious traffic)
- H04L63/1433: Vulnerability analysis (under H04L63/00; H04L63/14)
- H04L2463/141: Denial of service attacks against endpoints in a network (under H04L2463/00, additional details relating to network security covered by H04L63/00)
Abstract
An eavesdropping prevention method uses an eavesdropping attack module of a first host, the module generating an attack packet in response to an eavesdropping attack. The method comprises: the first host receiving a query packet from a second host through a network; the first host generating a data packet in response to the query packet; the first host generating the attack packet; and the first host transmitting the data packet and the attack packet to the second host.
Description
An embodiment according to the concept of the present invention relates to an eavesdropping attack module, an eavesdropping prevention method using the same, and a security system including the same.
An attacker can connect to a wired or wireless network and eavesdrop on the traffic of a specific target. In particular, when the wired or wireless network traffic is not encrypted, the data packets transmitted and received over each channel are exposed to the attacker all the more easily.
Typically, attackers wiretap with a network traffic sniffing tool or traffic analyzer; Wireshark and tshark are representative examples.
Such sniffing tools and traffic analyzers serve the attacker, but being software they have vulnerabilities of their own, and new vulnerabilities in them are discovered every year.
SUMMARY OF THE INVENTION
The present invention has been made in view of the above problems, and it is an object of the present invention to provide an eavesdropping attack module that generates an attack packet exploiting a vulnerability of the traffic analyzer of an external attacker who accesses the network without authorization and intercepts data packets, an eavesdropping prevention method using the module, and a security system including the module.
According to an embodiment of the present invention, an eavesdropping prevention method uses the eavesdropping attack module of a first host, the module generating an attack packet in response to an eavesdropping attack. The method comprises: the first host receiving a query packet from a second host through a network; the first host generating a data packet in response to the query packet; the first host generating the attack packet; and the first host transmitting the data packet and the attack packet to the second host.
According to an embodiment, the attack packet may be a packet that exploits a vulnerability of the network traffic analyzer with which an attacker analyzes the data packet.
According to an embodiment, the network traffic analyzer may be at least one of Wireshark and tshark.
According to an embodiment, the attack packet may be generated in one of the Control and Provisioning of Wireless Access Points (CAPWAP) protocol and the Moving Picture Experts Group phase 1 (MPEG-1) protocol.
According to an embodiment, generating the attack packet may comprise generating an attack packet every time a data packet is generated.
According to an embodiment, generating the attack packet may further comprise determining a security level of the data packet and generating the attack packet when the security level is higher than a reference level.
According to an embodiment, generating the attack packet may further comprise selecting either a secure mode or a general mode of the first host and generating the attack packet when the secure mode is selected.
According to an embodiment, a computer-readable recording medium storing a computer program that implements the eavesdropping prevention method using the eavesdropping attack module may also be provided.
An eavesdropping attack module according to another embodiment of the present invention includes: a data packet generator for generating a data packet in response to a query packet received from an external host; an attack packet generator for generating an attack packet that exploits a vulnerability of a network traffic analyzer; a controller for determining whether to generate the attack packet; and a transmitting and receiving unit for receiving the query packet from the external host and transmitting at least one of the attack packet and the data packet to the external host under the control of the controller.
According to an embodiment, the attack packet may be generated in the format of either the CAPWAP protocol or the MPEG-1 protocol.
According to an embodiment, the network traffic analyzer may be at least one of Wireshark and tshark.
According to an embodiment, the control unit may determine whether to generate the attack packet whenever the data packet is generated.
According to an embodiment, the controller may determine whether to generate the attack packet at predetermined intervals.
According to an embodiment, the controller may determine the security level of the data packet, and may determine to generate the attack packet when the security level is higher than the reference level.
According to another aspect of the present invention, a security system includes a first host for generating a data packet and an attack packet, and a second host for transmitting a query packet to the first host through a network, wherein the first host inserts the attack packet into the traffic carrying the data packet and thereby attacks the network traffic analyzer of an attacker who analyzes the data packet captured from the network.
According to the eavesdropping attack module, the eavesdropping prevention method using the module, and the security system including the module of the embodiments of the present invention, even if an attacker accesses the network without authorization and taps the data packets, the attacker's sniffing tool or network traffic analyzer is itself attacked, which defeats the eavesdropping attack.
FIG. 1 shows a block diagram of a security system according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating an operation of the eavesdropping attack module shown in FIG. 1.
FIG. 3 is a conceptual diagram for explaining a data packet and an attack packet transmitted from the first host to the second host shown in FIG. 1.
FIG. 4 is a flowchart illustrating an operation of the eavesdropping attack module shown in FIG. 2.
FIG. 5 shows a block diagram of a security system according to another embodiment of the present invention.
The specific structural or functional descriptions of the embodiments disclosed herein are given for illustrative purposes only and are not intended to limit the scope of the inventive concept; the embodiments may be embodied in many different forms and are not limited to those set forth herein.
Since the embodiments according to the concept of the present invention can be changed in various ways and take various forms, they are illustrated in the drawings and described in detail herein. It should be understood, however, that this is not intended to limit the embodiments to the particular forms disclosed, and that all modifications, equivalents, and alternatives falling within the spirit and scope of the invention are included.
The terms first, second, etc. may be used to describe various elements, but the elements are not limited by these terms. The terms serve only to distinguish one element from another; for example, without departing from the scope of the rights according to the inventive concept, a first element may be referred to as a second element, and likewise a second element may be referred to as a first element.
When an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. On the other hand, when an element is referred to as being "directly connected" or "directly coupled" to another element, there are no intervening elements. Other expressions describing the relationship between components, such as "between" and "directly between" or "adjacent to" and "directly adjacent to", are to be interpreted in the same way.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, terms such as "comprises" or "having" specify the presence of the stated features, numbers, steps, operations, elements, parts or combinations thereof, but do not preclude the presence or addition of one or more other features, numbers, steps, operations, elements, parts or combinations thereof.
Unless otherwise defined, all terms used herein, including technical and scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with their meaning in the context of the relevant art and, unless explicitly defined herein, are not to be interpreted in an idealized or overly formal sense.
As used herein, a module may refer to a functional or structural combination of hardware for performing the method according to an embodiment of the present invention, or of software that drives such hardware. Accordingly, a module may refer to program code together with a logical unit or set of hardware resources capable of executing that program code, and does not necessarily mean physically connected code or a particular kind of hardware.
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings attached hereto.
FIG. 1 shows a block diagram of a security system according to an embodiment of the present invention.
Referring to FIG. 1, a
The
The
For example, the
The
The
At this time, even if the traffic of the
Generally, the
Here, a vulnerability exploit means that an attacker uses a procedure, command, script, program, or specific piece of data to make the electronic product or the like perform an operation intended by the attacker. For example, exploiting a buffer overflow, one kind of vulnerability, can let the attacker obtain the privileges of the vulnerable program or take the personal information it stores.
The
That is, the
The
For example, the
The
The
For example, the
Such a network traffic sniffing tool or network traffic analyzer can be vulnerable because it is software. For example, Wireshark includes dissectors, the modules that parse each protocol in the captured traffic, and these have had vulnerabilities (e.g., CVE-2014-6423).
Accordingly, even if the
The
FIG. 2 is a block diagram illustrating an operation of the eavesdropping attack module shown in FIG. 1.
Although the
Referring to FIG. 2, the
The
According to the embodiment, the
According to another embodiment, the
According to yet another embodiment, the
For example, when the
For example, when the
The attack
Here, the attack packet AP may be a packet of either the Control and Provisioning of Wireless Access Points (CAPWAP) protocol or the Moving Picture Experts Group phase 1 (MPEG-1) protocol, but is not limited thereto.
The
The transmitting and receiving
FIG. 3 is a conceptual diagram for explaining a data packet and an attack packet transmitted from the first host to the second host shown in FIG. 1.
Referring to FIG. 3, the
If the
For example, when the
First attack packet (AP1): D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 00 04 00 01 00 00 00 5A 6D 66 56 8A 77 02 00 3D 00 00 00 3D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 00 2F FF 18 40 00 40 11 3D A3 7F 00 00 01 7F 00 00 01 ED 46 14 7F 00 1B FE 2E B8 72 06 90 7A BF BD 47 89 03 CE F6 58 E2 7F BA B4 2B 84 5A 6D 66 56 D4 77 02 00 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 C0 00 4B 83 4A 00 00 40 01 F8 A5 7F 00 00 01 7F 00 00 01 03 03 9D 1F 00 00 00 00 00 00 00 2F FF 18 40 00 40 11 3D A3 7F 00 00 01 7F 00 00 01 ED 46 14 7F 00 1B FE 2E B8 72 06 90 7A BF BD 47 89 03 CE F6 58 E2 7F BA B4 2B 84
Here, the first attack packet AP1 can be used to attack a specific network traffic analyzer (e.g., Wireshark), but does not attack the
However, since the
Thus, the
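The hex string printed above for the first attack packet AP1 is not a single on-the-wire packet but a libpcap capture file: it opens with the little-endian pcap magic D4 C3 B2 A1, format version 2.4, link type 1 (Ethernet), and then holds two records. The first is a 61-byte frame carrying a UDP datagram from 127.0.0.1:60742 to 127.0.0.1:5247 (the IANA-registered CAPWAP data port, which is how a port-based dissector such as Wireshark's picks the 19-byte payload up as CAPWAP); the second, 74 microseconds later, is the ICMP port-unreachable (type 3, code 3) that the loopback stack returned, quoting the first datagram. The Python below is an added example, not code from the patent: it reassembles the two frames layer by layer from the field values read off the dump, writes them back out as a pcap, and parses the result with a small dissector that verifies every checksum. One byte is an assumption: the dump as printed does not show the 45 (version 4, IHL 5) byte that opens the IPv4 header quoted inside the ICMP message, and the ICMP checksum 9D 1F verifies only with that byte present, so it is restored here.

```python
"""Decode the AP1 hex dump from the patent: a libpcap file holding two frames."""
import struct
from datetime import datetime, timezone

# Bytes transcribed from the dump, grouped by protocol layer (added example; the
# comments give the decoded meaning).  Assumption: the IPv4 header quoted in the
# ICMP message starts with 0x45, which the dump does not print but the ICMP
# checksum 0x9D1F requires.
ETH_HDR  = bytes.fromhex("000000000000 000000000000 0800")                 # zero MACs, EtherType IPv4
IP_HDR_1 = bytes.fromhex("45 00 002F FF18 4000 40 11 3DA3 7F000001 7F000001")  # 127.0.0.1 -> 127.0.0.1, UDP
UDP_HDR  = bytes.fromhex("ED46 147F 001B FE2E")                            # sport 60742, dport 5247, len 27
UDP_DATA = bytes.fromhex("B872 0690 7ABF BD47 8903 CEF6 58E2 7FBA B42B 84")  # 19-byte payload
IP_HDR_2 = bytes.fromhex("45 C0 004B 834A 0000 40 01 F8A5 7F000001 7F000001")  # ICMP, total length 75
ICMP_HDR = bytes.fromhex("03 03 9D1F 00000000")                            # type 3 code 3: port unreachable

FRAME_1 = ETH_HDR + IP_HDR_1 + UDP_HDR + UDP_DATA                          # 61 bytes (incl_len 0x3D)
FRAME_2 = ETH_HDR + IP_HDR_2 + ICMP_HDR + IP_HDR_1 + UDP_HDR + UDP_DATA    # 89 bytes (incl_len 0x59)

# Record timestamps from the dump: seconds 0x56666D5A, microseconds 0x2778A and 0x277D4.
RECORDS = [(0x56666D5A, 0x0002778A, FRAME_1), (0x56666D5A, 0x000277D4, FRAME_2)]


def build_pcap(records, snaplen=0x40000, linktype=1):
    """Serialize records as a classic little-endian pcap (the dump's D4 C3 B2 A1 magic, v2.4)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def rfc1071(data):
    """Internet checksum: one's complement of the one's-complement 16-bit sum (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def iter_pcap(blob):
    """Yield (ts_sec, ts_usec, frame) from a little-endian Ethernet pcap, bounds-checking each record."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("not a little-endian Ethernet pcap")
    off = 24
    while off < len(blob):
        ts_sec, ts_usec, incl, orig = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        if incl > orig or off + incl > len(blob):      # the length check a parser must make on untrusted input
            raise ValueError("truncated or inconsistent record")
        yield ts_sec, ts_usec, blob[off:off + incl]
        off += incl


def dissect(frame):
    """Decode Ethernet/IPv4 plus the UDP or ICMP layer, verifying the IP, UDP and ICMP checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", ip[2:4])
    proto = ip[9]
    rec = {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "ip_cksum": struct.unpack("!H", ip[10:12])[0],
        "ip_cksum_ok": rfc1071(ip[:ihl]) == 0,       # a valid header sums to zero with its checksum included
    }
    body = ip[ihl:total_len]
    if proto == 17:
        sport, dport, ulen, ucksum = struct.unpack("!HHHH", body[:8])
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, ulen)   # src, dst, zero, protocol, UDP length
        expected = rfc1071(pseudo + body[:6] + b"\x00\x00" + body[8:ulen])
        rec.update(proto="UDP", sport=sport, dport=dport, udp_len=ulen, payload=body[8:ulen],
                   udp_cksum=ucksum, udp_cksum_expected=expected, udp_cksum_ok=(ucksum == expected))
    elif proto == 1:
        itype, icode, icksum = struct.unpack("!BBH", body[:4])
        quoted = body[8:]                                # original IP header plus the start of its payload
        q_ihl = (quoted[0] & 0x0F) * 4
        q_dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
        rec.update(proto="ICMP", icmp_type=itype, icmp_code=icode, icmp_cksum=icksum,
                   icmp_cksum_ok=(rfc1071(body) == 0), quoted_dport=q_dport)
    else:
        rec.update(proto=str(proto))
    return rec


def decode_ap1():
    """Round-trip the reconstructed AP1 capture through the writer and the dissector."""
    return [dict(dissect(frame), ts_sec=s, ts_usec=u) for s, u, frame in iter_pcap(build_pcap(RECORDS))]


if __name__ == "__main__":
    for r in decode_ap1():
        when = datetime.fromtimestamp(r["ts_sec"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        print(when, r)
```

Running the script prints both records with their UTC timestamps (2015-12-08, about two weeks before the filing date). It also shows that the IPv4 and ICMP checksums verify while the UDP checksum in the dump (0xFE2E) does not; the correct value over the pseudo-header, UDP header and payload is 0xA022. Wireshark does not validate UDP checksums by default, but a capture tool or IDS that does would mark the datagram as malformed, which matters when a generated packet is meant to pass as ordinary traffic. The incl_len bound check in iter_pcap is the kind of length validation a file parser or dissector must perform on attacker-controlled input.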
FIG. 4 is a flowchart illustrating the operation of the eavesdropping attack module shown in FIG. 2.
Referring to FIGS. 1 and 4, the
The
The
FIG. 5 shows a block diagram of a security system according to another embodiment of the present invention.
The second host and the third host shown in FIG. 5 perform substantially the same or similar functions as the second host and the third host shown in FIGS. 1 and 3, and the internal network performs substantially the same or similar function as the network shown in FIGS. 1 and 3, so redundant description is omitted.
Referring to FIG. 5, the security system 10' includes a first host 100', a
The
The
The
The
At this time, even if the traffic of the first host 100 'is intercepted by the
In addition, the eavesdropping prevention method using the
A computer-readable recording medium includes any kind of recording device in which data readable by a computer system is stored. For example, the recording medium may be a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, or an optical data storage device, but is not limited thereto.
The computer-readable recording medium may also be distributed over networked computer systems so that the computer-readable code is stored and executed in a distributed manner. Functional programs, code, and code segments for implementing the present invention can be readily inferred by programmers skilled in the art to which the present invention pertains.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.
Reference numerals: 10: security system; 100: first host; 200: second host; 300: third host; 400: network; 410: internal network; 420: internal network
Claims (15)
The first host receiving a query packet from a second host over a network;
The first host generating a data packet in response to the query packet;
The first host generating an attack packet corresponding to the data packet;
The first host transmitting traffic including the data packet and the attack packet to the second host,
the attack packet being configured to attack only a vulnerability of a network traffic analyzer of an attacker host that intercepts packets transmitted and received between the first host and the second host,
wherein, when the attacker host analyzes the traffic using the network traffic analyzer in order to eavesdrop on the traffic transmitted from the first host to the second host,
wherein the network traffic analyzer comprises at least one of Wireshark and tshark, and
wherein the attack packet is generated according to the security level of the data packet or every time the data packet is generated.
Wherein the attack packet is generated in one of a control and provisioning of wireless access points (CAPWAP) protocol and a moving picture experts group phase 1 (MPEG-1) protocol.
And generating the attack packet every time the data packet is generated.
Determining the security class of the data packet; And
And generating the attack packet when the security level is higher than the reference level.
Selecting either the secure mode or the normal mode of the first host; And
And generating the attack packet in the secure mode.
An attack packet generating unit generating an attack packet corresponding to the data packet;
A controller for determining whether to generate the attack packet; And
And a transmitting and receiving unit receiving the query packet from the external host and transmitting traffic including the attack packet and the data packet to the external host under the control of the controller,
the attack packet being configured to attack only a vulnerability of a network traffic analyzer of an attacker host that eavesdrops on packets transmitted to and received from the external host,
wherein, when the attacker host analyzes the traffic using the network traffic analyzer in order to eavesdrop on the traffic transmitted from the first host to the second host,
wherein the network traffic analyzer comprises at least one of Wireshark and tshark, and
wherein the controller is configured to generate the attack packet every time the data packet is generated or according to the security level of the data packet.
Wherein the attack packet is generated in one of a CAPWAP protocol and an MPEG-1 protocol.
Wherein the control unit determines whether to generate the attack packet every time the data packet is generated.
Wherein the control unit determines whether to generate the attack packet every predetermined period.
Wherein the controller determines the security level of the data packet and determines to generate the attack packet when the security level is higher than the reference level.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150185368A KR101806310B1 (en) | 2015-12-23 | 2015-12-23 | Eavesdropping attack module, preventing method for eavesdropping using the same, and security system including the same |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150185368A KR101806310B1 (en) | 2015-12-23 | 2015-12-23 | Eavesdropping attack module, preventing method for eavesdropping using the same, and security system including the same |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20170075557A KR20170075557A (en) | 2017-07-03 |
KR101806310B1 true KR101806310B1 (en) | 2017-12-08 |
Family
ID=59357542
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150185368A KR101806310B1 (en) | 2015-12-23 | 2015-12-23 | Eavesdropping attack module, preventing method for eavesdropping using the same, and security system including the same |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101806310B1 (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150096035A1 (en) * | 2013-09-30 | 2015-04-02 | Juniper Networks, Inc. | Polluting results of vulnerability scans |
Events:
- 2015-12-23: application KR1020150185368A filed in KR; granted as patent KR101806310B1 (status: active, IP right grant)
Non-Patent Citations (1)
Title |
---|
Nicolas Darchis, "Sniffing Wireless traffic", Cisco Support Community (2014.04.05.) |
Also Published As
Publication number | Publication date |
---|---|
KR20170075557A (en) | 2017-07-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
AMND | Amendment | ||
E601 | Decision to refuse application | ||
AMND | Amendment | ||
X701 | Decision to grant (after re-examination) | ||
GRNT | Written decision to grant |