WO2016045347A1 - Malicious attack detection method, terminal, and computer storage medium - Google Patents


Publication number
WO2016045347A1
WO2016045347A1 PCT/CN2015/075973 CN2015075973W WO2016045347A1 WO 2016045347 A1 WO2016045347 A1 WO 2016045347A1 CN 2015075973 W CN2015075973 W CN 2015075973W WO 2016045347 A1 WO2016045347 A1 WO 2016045347A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
mac address
malicious attack
blacklist
authentication
Application number
PCT/CN2015/075973
Inventor
王彦东
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12: Detection or prevention of fraud
    • H04W12/121: Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122: Counter-measures against attacks; Protection against rogue devices
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08: Access security
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W84/00: Network topologies
    • H04W84/02: Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10: Small scale networks; Flat hierarchical networks
    • H04W84/12: WLAN [Wireless Local Area Networks]

Definitions

  • FIG. 1 is a schematic flowchart of implementing a malicious attack detection method according to an embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of a terminal of an embodiment of the present invention.
  • When a handshake message sent by a terminal in the WLAN is received, the terminal is authenticated; if every authentication of the terminal fails within the preset time period, the number of authentication failures in the preset time period is counted; malicious attack detection is then performed on the terminal according to the number of authentication failures and the preset threshold for the number of authentication failures.
  • The terminal having the WiFi function needs to perform the malicious attack detection first.
  • The terminal having the WiFi function may be a software module running under the operating system of the terminal that initiates the authentication, that is, an internal module of the terminal that initiates the authentication, which may also be called the malicious attack detection module; malicious attack detection is performed on the terminal by the malicious attack detection module.
  • FIG. 1 is a schematic flowchart of a malicious attack detection method according to an embodiment of the present invention; as shown in FIG. 1, the method includes:
  • Step S100: When a handshake message sent by a terminal in the WLAN is received, the terminal is authenticated; if every authentication of the terminal fails within the preset time period, the number of authentication failures in the preset time period is counted.
  • The preset time period may be set based on the total time a WiFi client normally takes to complete access authentication, and may be set as the sum of N such total times, where N is a positive integer.
  • The preset time period may thus include N authentication processes; the higher N is set, the higher the security, but the overall access time is affected; if N is set lower, a normal user may be identified as a malicious user. The preset time period is not specifically limited in the embodiment of the present invention.
  • The malicious attack detection method in this embodiment may be applied to a wireless access node (AP); the wireless AP may be a node device capable of implementing wireless network access for a wireless local area network, such as a wireless switch or a wireless router, or a terminal device with a wireless hotspot function, such as a smart phone or a tablet computer.
  • The specific implementation process of the terminal accessing the WLAN network includes:
  • The terminal starts its own WiFi connection function, which can automatically search for hotspots within the set range. The terminal sends a handshake message to the wireless AP, triggering the authentication process; on receiving the handshake message sent by the terminal, the wireless AP starts to authenticate the terminal. If every authentication of the terminal fails within the preset time period, the number of authentication failures in the preset time period is counted; if the terminal is authenticated successfully within the preset time period, it accesses the AP and starts data services.
  • Step S101: Perform malicious attack detection on the terminal according to the number of authentication failures and a preset threshold for the number of authentication failures.
  • The detection mainly targets the dictionary passwords used in a malicious attack; the threshold for the number of authentication failures therefore needs to be set according to the frequency at which dictionary passwords are sent.
  • The dictionary passwords include passwords that users habitually set, and are mainly used together with password-cracking software to improve the success rate of password cracking and shorten the cracking time.
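  • Performing malicious attack detection on the terminal according to the number of authentication failures and the preset threshold for the number of authentication failures includes:
  • comparing the number of authentication failures with the preset threshold for the number of authentication failures;
  • if the number of authentication failures is less than the preset threshold, the terminal is not detected as a terminal performing a malicious attack, and the current processing flow ends;
  • if the number of authentication failures is greater than or equal to the preset threshold, the terminal is detected as a terminal performing a malicious attack.
  • The terminal may be prompted to send a handshake message again, triggering the authentication process, after which the flow returns to step S100.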
  • The method further includes pre-configuring a blacklist of MAC addresses of malicious attack terminals. After the malicious attack detection in step S101 finds that the terminal is a terminal performing a malicious attack, the method further includes:
  • Step S102: Add the MAC address of the terminal to the blacklist. Further, a timer is used to control how long the MAC address of the terminal is stored in the blacklist, and when the timer expires, the MAC address of the terminal is deleted from the blacklist; or,
  • the MAC address of the terminal is permanently added to the blacklist.
  • In step S100, after the handshake message sent by the terminal in the WLAN is received, the MAC address of the terminal in the handshake message is acquired, and malicious attack detection is performed on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist.
  • Performing malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist includes:
  • when the obtained MAC address is found in the blacklist, the terminal is detected as a malicious attack terminal, and the current processing flow ends;
  • when the obtained MAC address is not found in the blacklist, authentication of the terminal begins.
  • Once the terminal is detected as a malicious attack terminal, the AP does not process any message sent by the terminal within the time set by the timer; or the AP permanently does not process any message sent by the terminal, so as to prevent malicious attacks.
  • In this embodiment, when a handshake message sent by a terminal in the WLAN is received, the terminal is authenticated; if every authentication of the terminal fails within the preset time period, the number of authentication failures in the preset time period is counted; malicious attack detection is performed on the terminal according to the number of authentication failures and the preset threshold for the number of authentication failures. Malicious attacks can thus be detected and blocked when detected, ensuring the information security of the WLAN network.
  • Step 11: Pre-configure a blacklist of MAC addresses of malicious attack terminals.
  • Step 12: When a handshake message sent by a terminal in the WLAN is received, acquire the MAC address of the terminal from the handshake message, and perform malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist to obtain a detection result.
  • Step 13: When the detection result is that the obtained MAC address is in the blacklist, the terminal is detected as a malicious attack terminal, and the current processing flow ends.
  • Step 14: When the detection result is that the obtained MAC address is not in the blacklist, the terminal is authenticated; if every authentication of the terminal fails within a preset time period, the number of authentication failures in the preset time period is counted.
  • Step 15: Compare the number of authentication failures with a preset threshold for the number of authentication failures to obtain a comparison result.
  • Step 16: When the comparison result is that the number of authentication failures is less than the preset threshold, the terminal is not detected as a terminal performing a malicious attack, and the current processing flow ends.
  • Step 17: When the comparison result is that the number of authentication failures is greater than or equal to the preset threshold, the terminal is detected as a terminal performing a malicious attack and its MAC address is added to the blacklist. A timer controls how long the MAC address of the terminal is stored in the blacklist, and when the timer expires, the MAC address of the terminal is deleted from the blacklist; or the MAC address of the terminal is permanently added to the blacklist.
  • The embodiment of the present invention further provides a terminal.
  • The principle by which the terminal solves the problem is similar to that of the method. The implementation process and implementation principles of the terminal can therefore be found in the description of the foregoing method and are not repeated here.
  • FIG. 2 is a schematic structural diagram of a terminal according to an embodiment of the present invention; as shown in FIG. 2, the terminal provided by the embodiment of the present invention includes a statistics unit 200 and a detecting unit 201.
  • The statistics unit 200 is configured to authenticate the terminal when a handshake message sent by the terminal in the WLAN is received, and, if every authentication of the terminal fails within the preset time period, to count the number of authentication failures in the preset time period.
  • The detecting unit 201 is configured to perform malicious attack detection on the terminal according to the number of authentication failures and a preset threshold for the number of authentication failures.
  • The detecting unit 201 is configured to compare the number of authentication failures with the preset threshold for the number of authentication failures; if the number of authentication failures is less than the preset threshold, it waits for the terminal to trigger the authentication process again; if the number of authentication failures is greater than or equal to the preset threshold, the terminal is detected as a terminal performing a malicious attack.
  • The terminal further includes:
  • the setting unit 202, configured to pre-configure a blacklist of MAC addresses of malicious attack terminals;
  • the control unit 203, configured to add the MAC address of the terminal to the blacklist after the result of the malicious attack detection on the terminal is that the terminal is a terminal performing a malicious attack.
  • The control unit 203 is further configured to control, by using a timer, how long the MAC address of the terminal is stored in the blacklist, and to delete the MAC address of the terminal from the blacklist when the timer expires; or,
  • to permanently add the MAC address of the terminal to the blacklist.
  • The terminal further includes:
  • the pre-detection unit 204, configured to obtain, after a handshake message sent by the terminal in the WLAN is received, the MAC address of the terminal from the handshake message, and to perform malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist;
  • when the obtained MAC address is found in the blacklist, the terminal is detected as a malicious attack terminal, and the current processing flow ends;
  • when the obtained MAC address is not found in the blacklist, authentication of the terminal begins.
  • The statistics unit 200, the detecting unit 201, the setting unit 202, the control unit 203, and the pre-detection unit 204 may be implemented by a central processing unit (CPU), an MPU, a digital signal processor, or a field programmable gate array (FPGA) located in the terminal.
  • The terminal may be a wireless AP; the wireless AP may be a node device capable of implementing wireless network access for a wireless local area network, such as a wireless switch or a wireless router, or a terminal device having a wireless hotspot function, such as a smart phone or a tablet computer.
  • Embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
  • The computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • When a handshake message sent by a terminal in the WLAN is received, the terminal is authenticated; if every authentication of the terminal fails within the preset time period, the number of authentication failures in the preset time period is counted; malicious attack detection is performed on the terminal according to the number of authentication failures and the preset threshold for the number of authentication failures.
  • The embodiment of the present invention can thus detect malicious attacks and block them when they are detected, ensuring the information security of the WLAN network.
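
Steps 11 to 17 of the embodiment above, written out as a small Python state machine for the AP side. This is an added example, not code from the patent or its applicant; the class and function names, the sliding-window reading of the "preset time period", the verdict strings and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


def normalize_mac(mac: str) -> str:
    """Canonical form, so 'AA-BB-..' and 'aa:bb:..' hit the same blacklist entry."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AttackDetector:
    window_s: float                    # preset time period (seconds)
    threshold: int                     # preset authentication-failure threshold
    blacklist_ttl_s: Optional[float]   # timer duration; None = permanent entry
    # Step 11: blacklist, MAC -> expiry time (None means "never expires")
    blacklist: Dict[str, Optional[float]] = field(default_factory=dict)
    # Failure timestamps per MAC, pruned to the preset time period
    failures: Dict[str, List[float]] = field(default_factory=dict)

    def is_blacklisted(self, mac: str, now: float) -> bool:
        mac = normalize_mac(mac)
        if mac not in self.blacklist:
            return False
        expiry = self.blacklist[mac]
        if expiry is not None and now >= expiry:
            del self.blacklist[mac]    # timer expired: delete from the blacklist
            return False
        return True

    def on_handshake(self, mac: str, now: float,
                     authenticate: Callable[[], bool]) -> str:
        """Handle one handshake message; `authenticate` runs the real check."""
        mac = normalize_mac(mac)
        # Steps 12-13: blacklist lookup comes first; no authentication is run
        if self.is_blacklisted(mac, now):
            return "dropped"
        # Step 14: authenticate; a success ends the run of failures
        if authenticate():
            self.failures.pop(mac, None)
            return "accepted"
        recent = [t for t in self.failures.get(mac, []) if now - t < self.window_s]
        recent.append(now)
        self.failures[mac] = recent
        # Steps 15-16: below the threshold the terminal is not flagged
        if len(recent) < self.threshold:
            return "auth_failed"
        # Step 17: at or above the threshold, blacklist (timed or permanent)
        ttl = self.blacklist_ttl_s
        self.blacklist[mac] = None if ttl is None else now + ttl
        del self.failures[mac]
        return "blacklisted"


# Constructed sample events: (time in seconds, MAC in handshake, password correct?)
SAMPLE_EVENTS: List[Tuple[float, str, bool]] = [
    (0.0, "AA:BB:CC:00:00:01", False),
    (1.0, "AA:BB:CC:00:00:01", False),
    (2.0, "aa-bb-cc-00-00-01", False),   # third failure inside 10 s
    (3.0, "AA:BB:CC:00:00:01", True),    # blacklisted: not even authenticated
    (4.0, "AA:BB:CC:00:00:02", False),   # ordinary user mistypes once
    (5.0, "AA:BB:CC:00:00:02", True),
    (70.0, "AA:BB:CC:00:00:01", True),   # 60 s timer has expired
]


def replay(detector: AttackDetector,
           events: List[Tuple[float, str, bool]]) -> List[str]:
    """Feed events to the detector in order and collect the verdicts."""
    return [detector.on_handshake(mac, now, lambda ok=ok: ok)
            for now, mac, ok in events]


def run_sample() -> List[str]:
    return replay(AttackDetector(window_s=10, threshold=3, blacklist_ttl_s=60),
                  SAMPLE_EVENTS)


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_sample()):
        print(event, "->", verdict)
```

The blacklist key is the MAC address the client presents in the handshake, so the timed entry, unlike the permanent one, bounds how long a wrongly flagged client stays locked out.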

Abstract

Disclosed in an embodiment of the present invention is a malicious attack detection method, the method comprising: upon receipt of a handshake packet transmitted by a terminal in a wireless local area network (WLAN), authenticating the terminal; if the terminal authentication fails every time within a predetermined period, counting the number of authentication failures within the predetermined period; and performing malicious attack detection on the terminal according to the number of authentication failures and a preset threshold for the number of authentication failures. Also disclosed in the embodiment of the present invention are a terminal and a computer storage medium.

Description

Malicious attack detection method, terminal and computer storage medium
Technical Field
The present invention relates to network detection technologies in wireless communication, and in particular to a malicious attack detection method, a terminal, and a computer storage medium.
Background
Products with Wireless Fidelity (WiFi) certification comply with the IEEE 802.11b wireless network specification. IEEE 802.11b is currently the most widely used standard in wireless local area networks (WLAN) and uses the 2.4 GHz band. Worldwide, WLANs based on WiFi technology have become increasingly popular and their coverage increasingly extensive. With the appeal of unrestricted freedom, WLAN has become a new way of online life for more and more people, especially young people, and people hope to be able to use WLAN in more and more public places to surf the Internet and browse or download information quickly and conveniently.
When an existing terminal accesses a WLAN network, a terminal that behaves maliciously threatens the information security of the WLAN network. For example, the terminal uses information related to the WiFi hotspot, such as the vendor, the service set identifier (SSID), the authentication mode, the media access control (MAC) address, passwords shared by other users and various collected WiFi passwords, together with corresponding dictionary resources, to make repeated brute-force attempts over a period of time to obtain the WiFi password; or the terminal obtains the PMK, PTK or MIC check code from messages exchanged between the hotspot and other terminals, for example handshake messages, and then performs a dictionary attack based on the obtained PMK, PTK or MIC check code to obtain the WiFi password.
It can be seen that a technical solution for detecting malicious attacks during WLAN access is urgently needed.
Summary of the Invention
The embodiments of the present invention are intended to provide a malicious attack detection method, a terminal, and a computer storage medium that can detect malicious attacks, so that malicious attack behavior can be blocked and the information security of the WLAN network ensured.
To achieve the above objective, the technical solutions of the present invention are implemented as follows:
An embodiment of the present invention provides a malicious attack detection method, the method including:
when a handshake message sent by a terminal in a wireless local area network is received, authenticating the terminal; if every authentication of the terminal fails within a preset time period, counting the number of authentication failures in the preset time period;
performing malicious attack detection on the terminal according to the number of authentication failures and a preset threshold for the number of authentication failures.
In another embodiment, performing malicious attack detection on the terminal according to the number of authentication failures and the preset threshold for the number of authentication failures includes:
comparing the number of authentication failures with the preset threshold for the number of authentication failures;
if the number of authentication failures is less than the preset threshold, the terminal is not detected as a terminal performing a malicious attack, and the current processing flow ends;
if the number of authentication failures is greater than or equal to the preset threshold, the terminal is detected as a terminal performing a malicious attack.
In another embodiment, the method further includes:
pre-configuring a blacklist of media access control (MAC) addresses of malicious attack terminals;
after the result of the malicious attack detection on the terminal is that the terminal is a terminal performing a malicious attack, the method further includes:
adding the MAC address of the terminal to the blacklist.
In another embodiment, the method further includes: controlling, by using a timer, how long the MAC address of the terminal is stored in the blacklist, and deleting the MAC address of the terminal from the blacklist when the timer expires; or,
permanently adding the MAC address of the terminal to the blacklist.
In another embodiment, after the handshake message sent by the terminal in the wireless local area network is received, the method further includes:
obtaining the MAC address of the terminal from the handshake message;
performing malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist;
where performing malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist includes:
when the obtained MAC address is found in the blacklist, the terminal is detected as a malicious attack terminal, and the current processing flow ends;
when the obtained MAC address is not found in the blacklist, authentication of the terminal begins.
本发明实施例还提供了一种终端,所述终端包括:统计单元和检测单元;其中,An embodiment of the present invention further provides a terminal, where the terminal includes: a statistics unit and a detecting unit;
所述统计单元,配置为接收到无线局域网中终端发送的握手报文时,对所述终端进行认证;若在预设时间段内所述终端每次认证均失败,则统计出预设时间段内的认证失败次数;The statistic unit is configured to perform the authentication on the terminal when receiving the handshake message sent by the terminal in the WLAN; if the terminal fails to perform the authentication in the preset time period, the preset time period is calculated. Number of failed authentications;
所述检测单元,配置为根据所述认证失败次数及预设的认证失败次数阈值,对所述终端进行恶意攻击检测。The detecting unit is configured to perform malicious attack detection on the terminal according to the number of authentication failures and a preset threshold of the number of authentication failures.
在另一实施例中,所述检测单元,配置为将所述认证失败次数与预设的认证失败次数阈值进行比较;In another embodiment, the detecting unit is configured to compare the number of authentication failures with a preset number of authentication failure thresholds;
若所述认证失败次数小于预设的认证失败次数阈值,则未检测出所述终端为进行恶意攻击的终端,结束本次处理流程;If the number of the authentication failures is less than the threshold of the number of authentication failures, the terminal is not detected as the terminal that performs the malicious attack, and the process is terminated.
若所述认证失败次数大于等于预设的认证失败次数阈值,则检测出所 述终端为进行恶意攻击的终端。If the number of authentication failures is greater than or equal to a preset threshold of the number of authentication failures, the detection is performed. The terminal is a terminal that performs a malicious attack.
In another embodiment, the terminal further includes:
A setting unit, configured to preconfigure a blacklist of MAC addresses of malicious attack terminals;
A control unit, configured to add the MAC address of the terminal to the blacklist after the result of the malicious attack detection is that the terminal is a terminal carrying out a malicious attack.
In another embodiment, the control unit is further configured to control, by means of a timer, how long the MAC address of the terminal is stored in the blacklist and, when the timer expires, to delete the MAC address of the terminal from the blacklist; or,
To add the MAC address of the terminal to the blacklist permanently.
In another embodiment, the terminal further includes:
A pre-detection unit, configured to obtain, after a handshake message sent by a terminal in the wireless local area network is received, the MAC address of the terminal from the handshake message, and to perform malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist;
When the obtained MAC address is found in the blacklist, the terminal is detected as a terminal carrying out a malicious attack, and the current processing flow ends;
When the obtained MAC address is not found in the blacklist, authentication of the terminal begins.
An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the malicious attack detection method described in the embodiments of the present invention.
With the malicious attack detection method, terminal and computer storage medium provided by the embodiments of the present invention, a terminal in the wireless local area network is authenticated when a handshake message sent by that terminal is received; if every authentication of the terminal fails within a preset time period, the number of authentication failures within the preset time period is counted; and malicious attack detection is performed on the terminal according to the number of authentication failures and a preset threshold for the number of authentication failures. In this way, the embodiments of the present invention can detect a malicious attack and block the malicious behaviour once it is detected, thereby safeguarding the information security of the WLAN network.
Brief Description of the Drawings
FIG. 1 is a schematic flowchart of the malicious attack detection method according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of the terminal according to an embodiment of the present invention.
Detailed Description
In the various embodiments of the present invention, a terminal in the wireless local area network is authenticated when a handshake message sent by that terminal is received; if every authentication of the terminal fails within a preset time period, the number of authentication failures within the preset time period is counted; and malicious attack detection is performed on the terminal according to the number of authentication failures and a preset threshold for the number of authentication failures.
Here, malicious attack detection must first be performed by a WiFi-capable terminal. The WiFi-capable terminal may be a software module running at the lower layer of the operating system of the terminal that initiates authentication, that is, an internal module of the terminal that initiates authentication, which may also be called a malicious attack detection module; the malicious attack detection module performs malicious attack detection on the terminal.
The method and apparatus of the present invention are further described below with reference to the drawings and specific embodiments.
An embodiment of the present invention provides a malicious attack detection method. FIG. 1 is a schematic flowchart of the malicious attack detection method according to an embodiment of the present invention; as shown in FIG. 1, the method includes:
Step S100: When a handshake message sent by a terminal in the wireless local area network is received, the terminal is authenticated; if every authentication of the terminal fails within a preset time period, the number of authentication failures within the preset time period is counted.
Here, the preset time period may be set based on the total time a WiFi client normally takes to complete one access authentication. The preset time period may be set to the sum of N such total times, where N is a positive integer, so that the preset time period can contain N authentication processes. The higher N is set, the higher the security, but the overall access time is affected; the lower N is set, the more a normal user may be identified as a malicious user. The embodiments of the present invention do not specifically limit the preset time period.
The malicious attack detection method of this embodiment can be applied in a wireless access point (Access Point, AP). The wireless AP may be a node device that provides wireless network access to a wireless local area network, such as a wireless switch or a wireless router, or a terminal device with a wireless hotspot function, such as a smartphone or a tablet computer.
Here, the process by which the terminal accesses the WLAN network includes:
The terminal turns on its own WiFi connection function, which automatically searches for hotspots within a set range. The terminal sends a handshake message to the wireless AP, triggering the authentication process; when the handshake message sent by the terminal is received, authentication of the terminal begins. If every authentication of the terminal fails within the preset time period, the number of authentication failures within the preset time period is counted; if the terminal authenticates successfully within the preset time period, it accesses the AP and starts data service.
Step S101: Malicious attack detection is performed on the terminal according to the number of authentication failures and the preset threshold for the number of authentication failures.
Here, the detection mainly targets the dictionary passwords used in malicious attacks, so the threshold for the number of authentication failures needs to be set according to the frequency at which dictionary passwords are sent. The dictionary passwords include passwords that users habitually set; they are used mainly together with password-cracking software, to raise the success rate of password cracking and shorten the cracking time.
Specifically, performing malicious attack detection on the terminal according to the number of authentication failures and the preset threshold for the number of authentication failures includes:
Comparing the number of authentication failures with the preset threshold for the number of authentication failures;
If the number of authentication failures is less than the preset threshold, the terminal is not detected as a terminal carrying out a malicious attack, and the current processing flow ends;
If the number of authentication failures is greater than or equal to the preset threshold, the terminal is detected as a terminal carrying out a malicious attack.
Here, if the terminal is not detected as a terminal carrying out a malicious attack, the terminal may be prompted to send a handshake message again, triggering the authentication process, and the flow returns to step S100.
As one implementation, the method further includes preconfiguring a blacklist of MAC addresses of malicious attack terminals. After the result of the malicious attack detection performed on the terminal in step S101 is that the terminal is a terminal carrying out a malicious attack, the method further includes:
Step S102: The MAC address of the terminal is added to the blacklist. Further, a timer controls how long the MAC address of the terminal is stored in the blacklist; when the timer expires, the MAC address of the terminal is deleted from the blacklist; or,
The MAC address of the terminal is added to the blacklist permanently.
In one implementation, in step S100, after the handshake message sent by the terminal in the wireless local area network is received, the MAC address of the terminal is obtained from the handshake message, and malicious attack detection is performed on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist;
Specifically, performing malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist includes:
When the obtained MAC address is found in the blacklist, the terminal is detected as a terminal carrying out a malicious attack, and the current processing flow ends;
When the obtained MAC address is not found in the blacklist, authentication of the terminal begins.
Here, if the obtained MAC address of the terminal is found in the blacklist, the terminal is detected as a terminal carrying out a malicious attack, and the AP no longer processes any message sent by the terminal for the duration set by the timer; or the AP permanently stops processing any message sent by the terminal, so as to block the malicious attack.
In the embodiments of the present invention, a terminal in the wireless local area network is authenticated when a handshake message sent by that terminal is received; if every authentication of the terminal fails within a preset time period, the number of authentication failures within the preset time period is counted; and malicious attack detection is performed on the terminal according to the number of authentication failures and the preset threshold for the number of authentication failures. In this way, a malicious attack can be detected and the malicious behaviour blocked once it is detected, thereby safeguarding the information security of the WLAN network.
To describe the embodiments of the present invention more clearly, the malicious attack detection flow of the embodiments is described in detail below by way of a specific embodiment:
Embodiment 1
Step 11: Preconfigure a blacklist of MAC addresses of malicious attack terminals;
Step 12: When a handshake message sent by a terminal in the wireless local area network is received, obtain the MAC address of the terminal from the handshake message; perform malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist, and obtain a detection result;
Step 13: When the detection result is that the obtained MAC address is in the blacklist, the terminal is detected as a terminal carrying out a malicious attack, and the current processing flow ends;
Step 14: When the detection result is that the obtained MAC address is not in the blacklist, authentication of the terminal begins; if every authentication of the terminal fails within the preset time period, the number of authentication failures within the preset time period is counted;
Step 15: Compare the number of authentication failures with the preset threshold for the number of authentication failures, and obtain a comparison result;
Step 16: When the comparison result is that the number of authentication failures is less than the preset threshold, the terminal is not detected as a terminal carrying out a malicious attack, and the current processing flow ends;
Step 17: When the comparison result is that the number of authentication failures is greater than or equal to the preset threshold, the terminal is detected as a terminal carrying out a malicious attack; the MAC address of the terminal is added to the blacklist, and a timer controls how long the MAC address of the terminal is stored in the blacklist; when the timer expires, the MAC address of the terminal is deleted from the blacklist; or the MAC address of the terminal is added to the blacklist permanently.
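The flow of Embodiment 1 (steps 11 to 17) as an added Python example, not code from the patent. The names `HandshakeGuard`, `normalize_mac` and `replay`, the sliding-window reading of the preset time period, the MAC normalisation and the sample MAC addresses are assumptions made for this illustration.

```python
import re
from collections import deque

PERMANENT = float("inf")  # expiry value for blacklist entries that never time out


def normalize_mac(raw):
    """Canonicalise a MAC so '02-00-..', '02:00:..' and '0200.00..' share one entry."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class HandshakeGuard:
    """AP-side pre-check, failure counting and blacklisting (assumed design)."""

    def __init__(self, window_s, fail_threshold, block_s=PERMANENT, preset=()):
        self.window_s = window_s              # the preset time period
        self.fail_threshold = fail_threshold  # the preset failure-count threshold
        self.block_s = block_s                # timer length, or PERMANENT
        # Step 11: preconfigured blacklist, MAC -> expiry time.
        self.blacklist = {normalize_mac(m): PERMANENT for m in preset}
        self.failures = {}                    # MAC -> deque of failure timestamps

    def _blacklisted(self, mac, now):
        expiry = self.blacklist.get(mac)
        if expiry is None:
            return False
        if now >= expiry:                     # timer expired: delete the entry
            del self.blacklist[mac]
            return False
        return True

    def on_handshake(self, raw_mac, authenticate, now):
        """Return 'dropped', 'accepted', 'auth_failed' or 'blacklisted'."""
        mac = normalize_mac(raw_mac)          # step 12: MAC from the handshake
        if self._blacklisted(mac, now):       # step 13: end without authenticating
            return "dropped"
        if authenticate():                    # step 14: run authentication
            self.failures.pop(mac, None)      # a success ends the failure streak
            return "accepted"
        stamps = self.failures.setdefault(mac, deque())
        stamps.append(now)
        while now - stamps[0] > self.window_s:
            stamps.popleft()                  # forget failures outside the window
        if len(stamps) < self.fail_threshold:  # steps 15-16: below threshold
            return "auth_failed"
        self.blacklist[mac] = now + self.block_s  # step 17: timed or permanent
        del self.failures[mac]
        return "blacklisted"


def replay(guard, events):
    """Feed (time, mac, password_ok) tuples through the guard.

    Returns the verdict list and how many times authentication actually ran.
    """
    attempts = []
    verdicts = []
    for now, mac, ok in events:
        def authenticate(ok=ok, mac=mac):
            attempts.append(mac)
            return ok
        verdicts.append(guard.on_handshake(mac, authenticate, now))
    return verdicts, len(attempts)


# Constructed sample input: locally administered MAC addresses, times in seconds.
SAMPLE_EVENTS = [
    (0, "02-00-00-00-00-01", False),   # three quick failures, mixed notations
    (10, "02:00:00:00:00:01", False),
    (20, "0200.0000.0001", False),
    (30, "02:00:00:00:00:01", True),   # correct password, but already listed
    (40, "02:00:00:00:00:66", True),   # preconfigured entry
    (330, "02:00:00:00:00:01", True),  # after the 300 s timer has expired
]

if __name__ == "__main__":
    guard = HandshakeGuard(window_s=60, fail_threshold=3, block_s=300,
                           preset=["02:00:00:00:00:66"])
    for event, verdict in zip(SAMPLE_EVENTS, replay(guard, SAMPLE_EVENTS)[0]):
        print(event, "->", verdict)
```

Entries key on the MAC address taken from the handshake, a value the sender sets, so the timed expiry bounds how long a wrongly listed address stays locked out.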
To implement the above method, an embodiment of the present invention further provides a terminal. Because the principle by which the terminal solves the problem is similar to that of the method, the implementation process and implementation principle of the terminal can be found in the description of the implementation process and implementation principle of the method above, and the repeated parts are not described again.
FIG. 2 is a schematic structural diagram of the terminal according to an embodiment of the present invention. As shown in FIG. 2, the terminal provided by the embodiment of the present invention includes a statistics unit 200 and a detection unit 201, wherein:
The statistics unit 200 is configured to authenticate a terminal in the wireless local area network when a handshake message sent by that terminal is received and, if every authentication of the terminal fails within a preset time period, to count the number of authentication failures within the preset time period;
The detection unit 201 is configured to perform malicious attack detection on the terminal according to the number of authentication failures and a preset threshold for the number of authentication failures.
The above division into functional units or modules is only one preferred implementation given by the embodiments of the present invention; the way the functional units or modules are divided does not limit the embodiments of the present invention.
As one implementation, the detection unit 201 is configured to compare the number of authentication failures with the preset threshold for the number of authentication failures; if the number of authentication failures is less than the preset threshold, to wait for the terminal to trigger the authentication process again; and if the number of authentication failures is greater than or equal to the preset threshold, to detect the terminal as a terminal carrying out a malicious attack.
As one implementation, the terminal further includes:
A setting unit 202, configured to preconfigure a blacklist of MAC addresses of malicious attack terminals;
A control unit 203, configured to add the MAC address of the terminal to the blacklist after the result of the malicious attack detection is that the terminal is a terminal carrying out a malicious attack.
Specifically, the control unit 203 is further configured to control, by means of a timer, how long the MAC address of the terminal is stored in the blacklist and, when the timer expires, to delete the MAC address of the terminal from the blacklist; or,
To add the MAC address of the terminal to the blacklist permanently.
As one implementation, the terminal further includes:
A pre-detection unit 204, configured to obtain, after a handshake message sent by a terminal in the wireless local area network is received, the MAC address of the terminal from the handshake message, and to perform malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist;
When the obtained MAC address is found in the blacklist, the terminal is detected as a terminal carrying out a malicious attack;
When the obtained MAC address is not found in the blacklist, authentication of the terminal begins.
In practical applications, the statistics unit 200, the detection unit 201, the setting unit 202, the control unit 203 and the pre-detection unit 204 may be implemented by a central processing unit (CPU), a microprocessor (MPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA) located in the terminal.
In the embodiments of the present invention, the terminal may be a wireless AP. The wireless AP may be a node device that provides wireless network access to a wireless local area network, such as a wireless switch or a wireless router, or a terminal device with a wireless hotspot function, such as a smartphone or a tablet computer.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
Industrial Applicability
In the embodiments of the present invention, a terminal in the wireless local area network is authenticated when a handshake message sent by that terminal is received; if every authentication of the terminal fails within a preset time period, the number of authentication failures within the preset time period is counted; and malicious attack detection is performed on the terminal according to the number of authentication failures and a preset threshold for the number of authentication failures. In this way, the embodiments of the present invention can detect a malicious attack and block the malicious behaviour once it is detected, thereby safeguarding the information security of the WLAN network.

Claims (11)

  1. A malicious attack detection method, the method comprising:
    authenticating a terminal in a wireless local area network when a handshake message sent by the terminal is received; if every authentication of the terminal fails within a preset time period, counting the number of authentication failures within the preset time period;
    performing malicious attack detection on the terminal according to the number of authentication failures and a preset threshold for the number of authentication failures.
  2. The method according to claim 1, wherein performing malicious attack detection on the terminal according to the number of authentication failures and the preset threshold for the number of authentication failures comprises:
    comparing the number of authentication failures with the preset threshold for the number of authentication failures;
    if the number of authentication failures is less than the preset threshold, the terminal is not detected as a terminal carrying out a malicious attack, and the current processing flow ends;
    if the number of authentication failures is greater than or equal to the preset threshold, the terminal is detected as a terminal carrying out a malicious attack.
  3. The method according to claim 1, wherein the method further comprises:
    preconfiguring a blacklist of Media Access Control (MAC) addresses of malicious attack terminals;
    after the result of the malicious attack detection performed on the terminal is that the terminal is a terminal carrying out a malicious attack, the method further comprises:
    adding the MAC address of the terminal to the blacklist.
  4. The method according to claim 3, wherein the method further comprises: controlling, by means of a timer, how long the MAC address of the terminal is stored in the blacklist; when the timer expires, deleting the MAC address of the terminal from the blacklist; or,
    storing the MAC address of the terminal in the blacklist permanently.
  5. The method according to claim 3, wherein, after the handshake message sent by the terminal in the wireless local area network is received, the method further comprises:
    obtaining the MAC address of the terminal from the handshake message;
    performing malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist;
    wherein performing malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist comprises:
    when the obtained MAC address is found in the blacklist, detecting the terminal as a terminal carrying out a malicious attack, and ending the current processing flow;
    when the obtained MAC address is not found in the blacklist, beginning authentication of the terminal.
  6. A terminal, the terminal comprising a statistics unit and a detection unit, wherein:
    the statistics unit is configured to authenticate a terminal in a wireless local area network when a handshake message sent by that terminal is received and, if every authentication of the terminal fails within a preset time period, to count the number of authentication failures within the preset time period;
    the detection unit is configured to perform malicious attack detection on the terminal according to the number of authentication failures and a preset threshold for the number of authentication failures.
  7. The terminal according to claim 6, wherein the detection unit is configured to compare the number of authentication failures with the preset threshold for the number of authentication failures;
    if the number of authentication failures is less than the preset threshold, the terminal is not detected as a terminal carrying out a malicious attack, and the current processing flow ends;
    if the number of authentication failures is greater than or equal to the preset threshold, the terminal is detected as a terminal carrying out a malicious attack.
  8. The terminal according to claim 6, wherein the terminal further comprises:
    a setting unit, configured to preconfigure a blacklist of MAC addresses of malicious attack terminals;
    a control unit, configured to add the MAC address of the terminal to the blacklist after the result of the malicious attack detection is that the terminal is a terminal carrying out a malicious attack.
  9. The terminal according to claim 8, wherein the control unit is further configured to control, by means of a timer, how long the MAC address of the terminal is stored in the blacklist and, when the timer expires, to delete the MAC address of the terminal from the blacklist; or,
    to add the MAC address of the terminal to the blacklist permanently.
  10. The terminal according to claim 8, wherein the terminal further comprises:
    a pre-detection unit, configured to obtain, after a handshake message sent by a terminal in the wireless local area network is received, the MAC address of the terminal from the handshake message, and to perform malicious attack detection on the terminal according to the obtained MAC address and the MAC addresses stored in the blacklist;
    when the obtained MAC address is found in the blacklist, the terminal is detected as a terminal carrying out a malicious attack, and the current processing flow ends;
    when the obtained MAC address is not found in the blacklist, authentication of the terminal begins.
  11. A computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the malicious attack detection method according to any one of claims 1 to 5.
PCT/CN2015/075973 2014-09-25 2015-04-07 Malicious attack detection method, terminal, and computer storage medium WO2016045347A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410499857.2A CN105516987A (en) 2014-09-25 2014-09-25 Malicious attack detection method and terminal
CN201410499857.2 2014-09-25

Publications (1)

Publication Number Publication Date
WO2016045347A1 true WO2016045347A1 (en) 2016-03-31

Family

ID=55580229

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/075973 WO2016045347A1 (en) 2014-09-25 2015-04-07 Malicious attack detection method, terminal, and computer storage medium

Country Status (2)

Country Link
CN (1) CN105516987A (en)
WO (1) WO2016045347A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114172831A (en) * 2021-12-03 2022-03-11 杭州安恒信息技术股份有限公司 Brute force cracking method, system, computer and storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107547345B (en) * 2017-07-19 2021-01-29 新华三技术有限公司 VXLAN dynamic access method, device, equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1812340A (en) * 2005-01-26 2006-08-02 华为技术有限公司 Realizing method for preventing point-to point protocol recognization from being attacked in wideband cut-in network
CN101034989A (en) * 2007-02-14 2007-09-12 华为技术有限公司 Method, system and router for originating the authentication request via the user terminal
CN101355556A (en) * 2007-07-26 2009-01-28 富士施乐株式会社 Authentication information processing device, authentication information processing method, storage medium, and data signal
CN102185871A (en) * 2011-06-09 2011-09-14 杭州华三通信技术有限公司 Method and equipment for processing messages
CN103684792A (en) * 2013-12-23 2014-03-26 加弘科技咨询(上海)有限公司 Safety authentication method for OAM (Operation, Administration and Maintenance) and OAM message sending/receiving device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8756690B2 (en) * 2009-09-30 2014-06-17 Symbol Technologies, Inc. Extensible authentication protocol attack detection systems and methods

Also Published As

Publication number Publication date
CN105516987A (en) 2016-04-20

Similar Documents

Publication Publication Date Title
US11405780B2 (en) Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus
US11825303B2 (en) Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus
US9843575B2 (en) Wireless network authentication method and wireless network authentication apparatus
US8594632B1 (en) Device to-device (D2D) discovery without authenticating through cloud
US9553897B2 (en) Method and computer device for monitoring wireless network
AU2017336079B2 (en) Protecting mobile devices from unauthorized device resets
WO2016086763A1 (en) Wireless access node detecting method, wireless network detecting system and server
US10382271B2 (en) Method and network node device for controlling the run of technology specific push-button configuration sessions within a heterogeneous or homogeneous wireless network and heterogeneous or homogeneous wireless network
US9154946B2 (en) Secure coupling of hardware components
Vanhoef et al. Protecting wi-fi beacons from outsider forgeries
US20150082429A1 (en) Protecting wireless network from rogue access points
WO2013185709A1 (en) Call authentication method, device, and system
WO2015196679A1 (en) Authentication method and apparatus for wireless access
KR101892882B1 (en) Method for accessing lte network, electronic device, and computing storage medium
WO2016045347A1 (en) Malicious attack detection method, terminal, and computer storage medium
WO2016062017A1 (en) Wireless network connection method and apparatus, and computer storage medium
EP2907330B1 (en) Method and apparatus for disabling algorithms in a device
CN104125566B (en) Multiplexing intelligent terminal wireless AP network-rubbing prevention method
WO2017016415A1 (en) Access authentication method, server and authentication system of wireless local area network
WO2018152961A1 (en) Information transmission method and device
TWI727503B (en) Method of obtain attacking in wireless communication and electronic device
Sadeghian Analysis of wps security in wireless access points
WO2019076041A1 (en) Method for paired connection of access devices, and access devices

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15844583

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15844583

Country of ref document: EP

Kind code of ref document: A1