TWI836279B - Network data packet processing device and network data packet processing method - Google Patents


Info

Publication number
TWI836279B
Authority
TW
Taiwan
Prior art keywords
honeypot
analysis unit
addresses
address
data packet
Prior art date
Application number
TW110137498A
Other languages
Chinese (zh)
Other versions
TW202306353A (en)
Inventor
吳旭康
李忠憲
劉奕賢
林俊豪
蘇冠名
Original Assignee
台達電子工業股份有限公司
Priority date
Filing date
Publication date
Application filed by 台達電子工業股份有限公司
Publication of TW202306353A
Application granted
Publication of TWI836279B


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A network data packet processing device includes a processing unit, an operating system and an analysis unit. The processing unit is electrically connected to a network interface card. The operating system is configured to cooperate with the processing unit to control the network interface card in promiscuous mode so as to receive a data packet from the Internet. The analysis unit is configured to obtain the data packet from the network interface card and to parse a destination address in the data packet. The analysis unit also includes multiple honeypot units and stores a plurality of honeypot addresses corresponding to those honeypot units. When the analysis unit determines that the destination address of the data packet corresponds to one of the honeypot addresses, the analysis unit selectively sends a response message from that honeypot address or from a preset address.

Description

Network packet processing device and network packet processing method

The present disclosure relates to a network packet processing device and method, and in particular to a technique for receiving data packets through a network interface card and generating response messages.

With the advance of technology, network communication is used throughout daily life and demand for it keeps growing. Correspondingly, the security of network communication is becoming ever more important, and effective defence against network attacks has become a key topic of current Internet technology.

The present disclosure relates to a network packet processing device that includes a processing unit, an operating system and an analysis unit. The processing unit is electrically connected to a network interface card. The operating system cooperates with the processing unit to control the network interface card in promiscuous mode so as to receive data packets from the Internet. The analysis unit obtains the data packet from the network interface card and parses the destination address in the data packet. The analysis unit further includes a plurality of honeypot units and stores a corresponding plurality of honeypot addresses. When the analysis unit determines that the destination address of the data packet corresponds to one of the honeypot addresses, the analysis unit selectively sends a response message from that honeypot address or from a default address.

The present disclosure also relates to a network packet processing method comprising the following steps: setting a network interface card to promiscuous mode through a processing unit and an operating system so as to receive a data packet from the Internet; parsing the destination address of the data packet through an analysis unit, where the analysis unit includes a plurality of honeypot units and stores a plurality of honeypot addresses corresponding to those honeypot units; when the destination address of the data packet corresponds to one of the honeypot addresses, forwarding the data packet to the honeypot unit corresponding to that honeypot address; and selectively sending a response message from that honeypot address or from a default address.

The present disclosure also relates to a network packet processing device that includes a processing unit, an operating system and an analysis unit. The processing unit is electrically connected to a network interface card. The operating system cooperates with the processing unit to control the network interface card in promiscuous mode so as to receive data packets from the Internet. The analysis unit receives the data packet. The analysis unit further includes a plurality of honeypot units and stores a plurality of honeypot addresses corresponding to those honeypot units. When the analysis unit determines that the data packet corresponds to one of the honeypot addresses, the analysis unit decides, according to the response setting condition of that honeypot address, whether to send the response message from the default address.

Because the network packet processing device runs the operating system on the processing unit to drive the network interface card and thereby receives data packets on behalf of the analysis unit, the analysis unit does not need a separate operating system installed for each honeypot unit, which effectively reduces the construction cost of the network packet processing device.

Several embodiments of the present invention are disclosed below with reference to the drawings. For clarity, many practical details are described together with them; it should be understood, however, that these practical details are not intended to limit the invention, and in some embodiments of the invention they are not necessary. In addition, to simplify the drawings, some conventional structures and elements are shown schematically.

In this document, when an element is described as "connected" or "coupled", this may mean "electrically connected" or "electrically coupled". "Connected" or "coupled" may also mean that two or more elements operate or interact in cooperation with each other. Furthermore, although terms such as "first" and "second" are used herein to describe different elements, they serve only to distinguish elements or operations that are described by the same technical term; unless the context clearly indicates otherwise, they neither denote nor imply any order or ranking, nor do they limit the invention.

FIG. 1 is a schematic diagram of a network packet processing device 100 according to some embodiments of the present disclosure. The network packet processing device 100 includes a processing unit 110, a network interface card 120, an operating system 130 and an analysis unit 140. The processing unit 110 is electrically connected to the network interface card 120 and cooperates with the operating system 130 to control the network interface card 120, receiving data from the Internet or transmitting data to the Internet through the network interface card 120.

The processing unit 110 performs various operations and may be implemented as a microcontroller, a microprocessor, a digital signal processor, an application-specific integrated circuit (ASIC), a central processing unit (CPU), a system on chip (SoC), or a processing chip or controller with a specific function.

In some embodiments, the operating system 130 is installed in a data storage unit (not shown) of the network packet processing device 100. The data storage unit is electrically connected to the processing unit 110 and may be implemented as read-only memory, flash memory, a hard disk, a USB flash drive, a database accessible over the network, or any storage medium with equivalent function that would readily occur to those skilled in the art.

The processing unit 110 executes the operating system 130, which manages the hardware of the network packet processing device 100 (processor, memory, network card and so on), allocates system resources, controls input and output devices and performs other basic tasks. The operating system 130 may also provide an interface through which users interact with the network packet processing device 100. In one embodiment, the architecture of the operating system 130 may include a hardware abstraction layer, a system service layer, a subsystem layer and so on. The system service layer provides the uniformly specified function call libraries, while the subsystem layer sits above the system service layer in user mode and prevents user programs from performing illegal operations.

In one embodiment, the analysis unit 140 may be an analysis program built on a pre-constructed database. In other embodiments, the analysis unit 140 may be firmware, a computing chip or a circuit provided in the network packet processing device 100. The analysis unit 140 may be stored in the data storage unit of the network packet processing device 100, may be an application installed in the operating system 130, or may be part of the operating system. In some other embodiments, the operating system 130 includes a system service layer and the analysis unit 140 is provided or installed in a layer above the system service layer.

As shown in FIG. 1, the analysis unit 140 includes an analysis module 141 and a plurality of honeypot units H1 to Hn, and stores a response table T (for example, in memory). In one embodiment, the analysis module 141 is a pre-built program within the analysis unit 140 that analyses received data, for example the internal data and composition of a packet or frame. The response table T stores a plurality of honeypot addresses corresponding to the honeypot units H1 to Hn. The honeypot units H1 to Hn may also be implemented as independent applications that connect independently to the analysis unit 140; in other words, a honeypot unit implemented as an application may be driven by other hardware and is not restricted to the analysis unit 140 of the network packet processing device 100. A honeypot address may include at least one of several kinds of parameter, such as an Internet Protocol address (IP address), a media access control address (MAC address), a fully qualified domain name (FQDN) or a port number. In some embodiments, the response table T may include a first honeypot address T1 and a second honeypot address T2, where the first honeypot address T1 may be an IP address and the second honeypot address T2 a MAC address.

The network packet processing device 100 of the present disclosure is used to build a decoy ("trap") system. A honeypot is a closely monitored network host that is deliberately designed with security weaknesses so as to attract intruders (attackers, hackers). While an intruder attacks it, the honeypot records the attack behaviour and data and supports tracing and evidence collection against the intruder. Since those skilled in the art understand how honeypots are built and how they operate, no further description is given here.

A honeypot may be a physical device or a virtual device created by software. In some existing techniques, both physical and virtual honeypots require a separately installed operating system so that the intruder believes the honeypot to be a real target (for example a terminal device, a communication device or a robotic arm).

In this embodiment, the honeypot units H1 to Hn likewise have logic and function modules for recording and tracing attackers, but they do not need a separately installed operating system. The processing unit 110 sends and receives data packets on behalf of the honeypot units H1 to Hn through the single operating system 130 and network interface card 120, so the analysis unit 140 need not provide a complete operating system for each honeypot unit H1 to Hn.

When the network packet processing device 100 receives a data packet from the Internet through the network interface card 120 and the operating system 130, the processing unit 110 passes the data packet to the analysis unit 140. The analysis unit 140 obtains the data packet from the network interface card 120 and, through the analysis module 141, determines whether the data packet corresponds to any honeypot address in the response table T. Specifically, the analysis module 141 first parses a destination address out of the data packet and then determines whether that destination address corresponds to any of the honeypot addresses. In one embodiment, the destination address refers to the layer 2 (data link layer) and layer 3 (network layer) address fields of the seven-layer OSI (open systems interconnection) model, such as the IP address and MAC address mentioned above.

When the analysis module 141 determines that the destination address of the data packet corresponds to one of the honeypot addresses, and further determines that the data packet needs a response, the analysis module 141 selectively generates the response message based on that honeypot address or on a default address. The analysis module 141 then sends the response message from the honeypot address or from the default address through the processing unit 110 and the network interface card 120. Because the network packet processing device 100 runs the operating system on the processing unit 110 to drive the network interface card and thereby receives data packets on behalf of the analysis module 141, the analysis module 141 does not need a separate operating system installed for each honeypot unit H1 to Hn, which effectively reduces the construction cost of the network packet processing device 100.

FIG. 2 is a flow chart of a network packet processing method according to some embodiments of the present disclosure. In step S201, the processing unit 110 controls the network interface card 120 through the operating system 130 to set it to promiscuous mode. In promiscuous mode, the network interface card 120 accepts every data packet that reaches the network packet processing device 100, even when the packet's destination address is not the network packet processing device 100 itself.

In step S202, the processing unit 110 passes the data packet received through the network interface card 120 to the analysis unit 140. The analysis unit 140 determines whether the data packet corresponds to any of the plurality of honeypot addresses, or to any of the plurality of honeypot units.

If the data packet does not correspond to any honeypot address, in step S203 the analysis module 141 of the analysis unit 140 determines whether a reply is needed. If it is, the analysis module 141 generates an error message, which the processing unit 110 returns to the Internet.

In some embodiments, when the data packet does not correspond to any honeypot address or its format is malformed, the analysis unit 140 may send the error message from a set of virtual addresses. Such replies can be issued through the physical driver in the operating system, which keeps resource usage efficient.

In step S204, if the data packet does correspond to one of the honeypot addresses, the analysis module 141 forwards the data packet to the honeypot unit corresponding to that honeypot address. For example, if the destination address in the data packet is "Add1a", which corresponds to the first honeypot address T1 of honeypot unit H1 in the response table T, the analysis module 141 forwards the data packet to honeypot unit H1. In step S205, the honeypot unit H1 that receives the data packet generates a corresponding response message according to the type and/or content of the data packet and returns the response message to the analysis module 141.

In step S206, the analysis module 141 determines whether to send the response message from the default address, or whether the honeypot unit H1 has specified the address to be used for the response message. The "default address" is used to simulate a firewall: when the network packet processing device 100 returns the response message from the default address, an intruder receiving it will believe that the honeypot unit sits behind a firewall and that the message was answered from the firewall's address.

If the analysis module 141 determines that the response message is to be sent from the default address, or the honeypot unit has not specified an address for the response message, then in step S207 the analysis module sends the response message from the default address through the processing unit 110, the operating system 130 and the network interface card 120.

If the analysis module 141 determines that the response message need not be sent from the default address, or the honeypot unit has specified that the response message is to be sent from a particular address (namely its corresponding honeypot address), then in step S208 the analysis module sends the response message from the corresponding honeypot address in the response table through the processing unit 110, the operating system 130 and the network interface card 120. In other words, the analysis module 141 selectively sends the response message from the honeypot address or from the default address.

In one embodiment, the response table T may also store a plurality of response setting conditions, each corresponding to one of the honeypot units H1 to Hn. Each response setting condition specifies how the corresponding honeypot unit H1 to Hn should reply when it receives a data packet; in other words, the analysis module 141 can settle the determination of step S206 according to the response setting conditions in the response table T. The response setting conditions are derived from the type of device each honeypot unit H1 to Hn simulates. For example, if a honeypot unit simulates a robotic arm on a production line, and the management network of such arms is normally protected by a firewall, the response setting condition for that honeypot unit will be "when simulating a robotic arm behind a firewall, respond from the default address", so that the response message leads the intruder to believe that a device behind a firewall has been successfully attacked.
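As an added illustration (not the patent's own code), the following Python sketches the decision logic the description assigns to analysis module 141 across steps S202 to S208: parse the layer 2 and layer 3 destination addresses, look them up in a response table T keyed by IP (as T1) and by MAC (as T2), hand the packet to the matching honeypot unit, and pick the reply's source address from that unit's response setting condition, falling back to an error reply for unmatched or malformed traffic. All addresses, frames, honeypot replies and the `AnalysisModule`/`HoneypotUnit` names are constructed for the example.

```python
"""Added example, not code from the patent: the decision logic of analysis module 141
over a response table T (steps S202 to S208); all addresses, frames and replies are constructed."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
DEFAULT_ADDRESS = "192.0.2.1"     # constructed: the simulated firewall address (S207)
ERROR_ADDRESS = "192.0.2.254"     # constructed: virtual address for error replies (S203)
ATTACKER = ("02:00:00:00:aa:aa", "203.0.113.7")   # constructed: intruder's MAC and IP


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    dst_ip: Optional[str]
    src_ip: Optional[str]
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """S202: pull the layer 2 and layer 3 destination addresses out of a raw frame."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = raw[0:6].hex(":"), raw[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    body, dst_ip, src_ip = raw[14:], None, None
    if ethertype == ETHERTYPE_IPV4:
        if len(body) < 20 or body[0] >> 4 != 4:
            raise ValueError("malformed IPv4 header")
        src_ip, dst_ip = str(IPv4Address(body[12:16])), str(IPv4Address(body[16:20]))
        body = body[(body[0] & 0x0F) * 4:]          # skip the header (IHL words)
    return Frame(dst_mac, src_mac, dst_ip, src_ip, body)


@dataclass
class HoneypotUnit:
    """One of H1..Hn: fabricates a reply (S205) and keeps a forensic record of the attacker."""
    respond: Callable[[Frame], bytes]
    behind_firewall: bool                 # response setting condition consulted in S206
    log: List[Tuple[str, bytes]] = field(default_factory=list)

    def handle(self, frame: Frame) -> bytes:
        self.log.append((frame.src_ip or frame.src_mac, frame.payload))
        return self.respond(frame)


class AnalysisModule:
    """Response table T keyed by IP (first honeypot address) and by MAC (second)."""
    def __init__(self) -> None:
        self.by_ip: Dict[str, HoneypotUnit] = {}
        self.by_mac: Dict[str, HoneypotUnit] = {}

    def register(self, unit: HoneypotUnit, ip: str = "", mac: str = "") -> None:
        if ip:
            self.by_ip[ip] = unit
        if mac:
            self.by_mac[mac.lower()] = unit

    def process(self, raw: bytes) -> Tuple[str, bytes]:
        """Return (address the reply is sent from, reply body)."""
        try:
            frame = parse_frame(raw)
        except ValueError as exc:                    # malformed packet: error reply
            return ERROR_ADDRESS, f"ERROR: {exc}".encode()
        unit = self.by_ip.get(frame.dst_ip) if frame.dst_ip else None
        matched_by_ip = unit is not None
        if unit is None:
            unit = self.by_mac.get(frame.dst_mac)
        if unit is None:                             # S203: no honeypot was addressed
            return ERROR_ADDRESS, b"ERROR: destination unreachable"
        body = unit.handle(frame)                    # S204 / S205
        if unit.behind_firewall:                     # S206 -> S207
            return DEFAULT_ADDRESS, body
        return (frame.dst_ip if matched_by_ip else frame.dst_mac), body   # S208


def build_ipv4_frame(dst_mac: str, dst_ip: str, payload: bytes) -> bytes:
    """Constructed sample traffic from ATTACKER: Ethernet II + minimal IPv4 header (checksum 0)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(ATTACKER[0].replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     IPv4Address(ATTACKER[1]).packed, IPv4Address(dst_ip).packed)
    return eth + ip + payload


def demo() -> dict:
    """H1 emulates a robot arm 'behind a firewall'; H2 answers from its own MAC address."""
    am = AnalysisModule()
    arm = HoneypotUnit(lambda f: b"ROBOT-ARM v1.0 ready", behind_firewall=True)
    plc = HoneypotUnit(lambda f: b"PLC OK", behind_firewall=False)
    am.register(arm, ip="198.51.100.10")                 # T1-style entry (IP address)
    am.register(plc, mac="02:00:00:00:00:02")            # T2-style entry (MAC address)
    hit_ip = build_ipv4_frame("02:00:00:00:00:01", "198.51.100.10", b"HELLO")
    hit_mac = build_ipv4_frame("02:00:00:00:00:02", "198.51.100.20", b"READ")
    miss = build_ipv4_frame("02:00:00:00:00:03", "198.51.100.30", b"SCAN")
    return {"arm": am.process(hit_ip), "plc": am.process(hit_mac),
            "miss": am.process(miss), "arm_log": list(arm.log)}
```

The `log` kept by each unit is what the description calls recording and tracing the attacker; in a real deployment it would be shipped to the monitoring side rather than kept in memory.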

In one embodiment, the network packet processing device 100 of the present disclosure installs the analysis unit 140 in the operating system and provides the honeypot units by software emulation. Accordingly, when a virtual honeypot unit needs to respond to a message, the response can be issued uniformly by the operating system 130 through the physical driver, giving better resource utilisation.

The elements, method steps and technical features of the foregoing embodiments may be combined with one another and are not limited to the order in which they are described in the text or presented in the drawings.

Although the present disclosure has been described by way of the embodiments above, they are not intended to limit it. Those skilled in the art may make various changes and modifications without departing from the spirit and scope of the present disclosure, and the scope of protection is therefore defined by the appended claims.

100: network packet processing device; 110: processing unit; 120: network interface card; 130: operating system; 140: analysis unit; 141: analysis module; T: response table; T1: first honeypot address; T2: second honeypot address; H1-Hn: honeypot units; S201-S208: steps

FIG. 1 is a schematic diagram of a network packet processing device according to some embodiments of the present disclosure. FIG. 2 is a flow chart of a network packet processing method according to some embodiments of the present disclosure.


Claims (17)

一種網路封包處理裝置,包含:一處理單元,電性連接於一網路介面卡;一作業系統,用以配合該處理單元,控制該網路介面卡處於一混雜模式,以自網際網路中接收一資料封包;以及一分析單元,用以由該網路介面卡取得該資料封包,且用以解析該一資料封包內的一目的位址,其中該分析單元還包含複數個蜜罐單元,且儲存有對應的複數個蜜罐位址,在該分析單元判斷該資料封包之該目的位址對應於該些蜜罐位址的其中之一時,該分析單元用以選擇性地以該些蜜罐位址的其中之一或一預設位址發送一回應訊息,其中該預設位址用以模擬一防火牆,以及當該分析單元選擇不根據該預設位址發送該回應訊息時,該分析單元用以根據該些蜜罐位址的其中之一發送該回應訊息;其中該分析單元安裝於該作業系統,且該處理單元透過該作業系統及該網路介面卡為該些蜜罐單元接收該資料封包。 A network packet processing device includes: a processing unit electrically connected to a network interface card; an operating system for cooperating with the processing unit to control the network interface card to be in a promiscuous mode to receive a data packet from the Internet; and an analysis unit for obtaining the data packet from the network interface card and for parsing a destination address in the data packet, wherein the analysis unit further includes a plurality of honeypot units and stores a plurality of corresponding honeypot addresses. When the analysis unit determines the destination address of the data packet, When corresponding to one of the honeypot addresses, the analysis unit is used to selectively send a response message using one of the honeypot addresses or a default address, wherein the default address is used to simulate a firewall, and when the analysis unit chooses not to send the response message according to the default address, the analysis unit is used to send the response message according to one of the honeypot addresses; wherein the analysis unit is installed in the operating system, and the processing unit receives the data packets for the honeypot units through the operating system and the network interface card. 如請求項1所述之網路封包處理裝置,其中該分析單元還包含儲存有該等蜜罐位址的一回應表,該分析單元根據該回應表內之一回應設定條件,決定以該些蜜罐位址的其中之一或該預設位址發送該回應訊息。 The network packet processing device as described in claim 1, wherein the analysis unit further includes a response table storing the honeypot addresses, and the analysis unit determines to use these honeypot addresses based on a response setting condition in the response table. 
Send the response message to one of the honeypot addresses or the default address. 如請求項1所述之網路封包處理裝置,其中 該分析單元安裝於該作業系統。 The network packet processing device as described in claim 1, wherein The analysis unit is installed on the operating system. 如請求項1所述之網路封包處理裝置,其中該作業系統包含一系統服務層,該分析單元設置於該系統服務層的上層。 A network packet processing device as described in claim 1, wherein the operating system includes a system service layer, and the analysis unit is disposed at an upper layer of the system service layer. 如請求項1所述之網路封包處理裝置,其中該些蜜罐位址的其中之一至少包含一網際協定位址、一媒體存取控制位址或一傳輸埠代碼的其中之一。 A network packet processing device as described in claim 1, wherein one of the honeypot addresses includes at least one of an Internet Protocol address, a media access control address, or a port code. 如請求項1所述之網路封包處理裝置,其中在該分析單元判斷該資料封包之該目的位址並未對應於該些蜜罐位址的其中之一時,該分析單元產生一錯誤訊息。 The network packet processing device as described in claim 1, wherein when the analysis unit determines that the destination address of the data packet does not correspond to one of the honeypot addresses, the analysis unit generates an error message. 
A network packet processing method, comprising: setting, through a processing unit and an operating system, a network interface card in a promiscuous mode to receive a data packet from the Internet; parsing, through an analysis unit, a destination address of the data packet, wherein the analysis unit includes a response table and stores a plurality of honeypot addresses corresponding to a plurality of honeypot units; when the destination address of the data packet corresponds to one of the honeypot addresses, determining, according to a response setting condition stored in the analysis unit, whether to send a response message by one of the honeypot addresses or by a preset address, wherein the preset address is used to simulate a firewall; and when the analysis unit determines not to send the response message by the preset address, sending, by the analysis unit, the response message by one of the honeypot addresses.
The network packet processing method of claim 7, wherein the analysis unit is installed in the operating system.
The network packet processing method of claim 7, wherein the operating system includes a system service layer, and the analysis unit is disposed in a layer above the system service layer.
The network packet processing method of claim 7, wherein one of the honeypot addresses includes at least one of an Internet Protocol address, a media access control address, or a transport port code.
The network packet processing method of claim 7, further comprising: generating an error message when the destination address of the data packet does not correspond to any of the honeypot addresses.
A network packet processing device, comprising: a processing unit electrically connected to a network interface card; an operating system configured to cooperate with the processing unit to control the network interface card in a promiscuous mode to receive a data packet from the Internet; and an analysis unit configured to receive the data packet, wherein the analysis unit further includes a plurality of honeypot units and stores a plurality of honeypot addresses corresponding to the honeypot units; when the analysis unit determines that the data packet corresponds to one of the honeypot addresses, the analysis unit determines, according to a response setting condition of that honeypot address, whether to send a response message by a preset address, wherein when the analysis unit sends the response message by the preset address, the preset address is used to simulate a firewall, and when the analysis unit determines not to send the response message by the preset address, the analysis unit sends the response message by one of the honeypot addresses.
The network packet processing device of claim 12, wherein the analysis unit determines whether a packet address of the data packet corresponds to one of the honeypot addresses, so as to determine whether the data packet corresponds to one of the honeypot addresses.
The network packet processing device of claim 12, wherein the analysis unit is installed in the operating system.
The network packet processing device of claim 12, wherein the operating system includes a system service layer, and the analysis unit is disposed in a layer above the system service layer.
The network packet processing device of claim 12, wherein one of the honeypot addresses includes at least one of an Internet Protocol address, a media access control address, or a transport port code.
The network packet processing device of claim 12, wherein when the analysis unit determines that the data packet does not correspond to any of the honeypot addresses, the analysis unit generates an error message.
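The decision logic the claims describe, as an added example that is not the patent's own code: a model of the analysis unit that matches a parsed destination address (IP, MAC and/or port, per the "at least one of" wording) against a honeypot table, applies that entry's response setting condition, and answers either from the honeypot address or from a preset address posing as a firewall, or raises an error message when nothing matches. The packet layout, the honeypot table contents and the preset address 10.0.0.1 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class HoneypotAddress:
    """A honeypot address: any combination of IP, MAC and port; a None field is a wildcard."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    port: Optional[int] = None

    def matches(self, dst_ip: str, dst_mac: str, dst_port: int) -> bool:
        return ((self.ip is None or self.ip == dst_ip)
                and (self.mac is None or self.mac == dst_mac)
                and (self.port is None or self.port == dst_port))

@dataclass(frozen=True)
class Packet:
    """Constructed minimal view of a captured packet: only the header fields the unit parses."""
    src_ip: str
    dst_ip: str
    dst_mac: str
    dst_port: int

# Response setting condition: True -> answer from the preset address (simulate a firewall),
# False -> answer from the honeypot's own address.
Condition = Callable[[Packet], bool]

class AnalysisUnit:
    def __init__(self, preset_address: str) -> None:
        self.preset_address = preset_address                       # simulated-firewall address
        self.response_table: List[Tuple[HoneypotAddress, Condition]] = []

    def register(self, addr: HoneypotAddress, cond: Condition) -> None:
        self.response_table.append((addr, cond))

    def handle(self, pkt: Packet) -> dict:
        """Decide how the unit reacts to one packet received via the promiscuous-mode NIC."""
        for addr, cond in self.response_table:
            if addr.matches(pkt.dst_ip, pkt.dst_mac, pkt.dst_port):
                as_firewall = cond(pkt)
                reply_from = self.preset_address if as_firewall else (addr.ip or pkt.dst_ip)
                return {"action": "respond", "to": pkt.src_ip,
                        "from": reply_from, "simulated_firewall": as_firewall}
        # Destination is none of the honeypot addresses: produce the error message instead.
        return {"action": "error", "message": f"no honeypot for {pkt.dst_ip}:{pkt.dst_port}"}

def build_demo_unit() -> AnalysisUnit:
    """Constructed table: two decoys behind the preset address 10.0.0.1 (assumed)."""
    unit = AnalysisUnit(preset_address="10.0.0.1")
    unit.register(HoneypotAddress(ip="10.0.0.5", port=22), lambda p: False)   # SSH: decoy answers
    unit.register(HoneypotAddress(ip="10.0.0.5", port=445), lambda p: True)   # SMB: looks firewalled
    unit.register(HoneypotAddress(ip="10.0.0.6"), lambda p: p.dst_port != 80) # only HTTP exposed
    return unit
```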
TW110137498A 2021-07-16 2021-10-08 Network data packet processing device and network data packet processing method TWI836279B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202163222439P 2021-07-16 2021-07-16
US63/222,439 2021-07-16

Publications (2)

Publication Number Publication Date
TW202306353A TW202306353A (en) 2023-02-01
TWI836279B true TWI836279B (en) 2024-03-21

Family

ID=85121055

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110137498A TWI836279B (en) 2021-07-16 2021-10-08 Network data packet processing device and network data packet processing method

Country Status (2)

Country Link
CN (1) CN115701029A (en)
TW (1) TWI836279B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170180315A1 (en) * 2014-05-19 2017-06-22 Fortinet, Inc. Network interface card rate limiting
CN106961442A (en) * 2017-04-20 2017-07-18 中国电子技术标准化研究院 A kind of network method for entrapping based on honey jar
CN107404465A (en) * 2016-05-20 2017-11-28 阿里巴巴集团控股有限公司 Network data analysis method and server
CN109347881A (en) * 2018-11-30 2019-02-15 东软集团股份有限公司 Network protection method, apparatus, equipment and storage medium based on network cheating
CN109768993A (en) * 2019-03-05 2019-05-17 中国人民解放军32082部队 A kind of high covering Intranet honey pot system
CN111556061A (en) * 2020-04-29 2020-08-18 上海沪景信息科技有限公司 Network disguising method, device, equipment and computer readable storage medium

Also Published As

Publication number Publication date
TW202306353A (en) 2023-02-01
CN115701029A (en) 2023-02-07
