CN106549960A - A kind of method and system based on network monitoring pursuit attack person - Google Patents

A kind of method and system based on network monitoring pursuit attack person

Info

Publication number
CN106549960A
Authority
CN
China
Prior art keywords
packet
return data
malicious code
network monitoring
set form
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610953329.9A
Other languages
Chinese (zh)
Inventor
高喜宝
李柏松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Antiy Electronic Equipment Co Ltd
Original Assignee
Beijing Antiy Electronic Equipment Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1408 By monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 > H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and system for tracing an attacker based on network monitoring, comprising: analysing malicious code that returns (exfiltrates) data, and obtaining the fixed format of the returned data and the callback IP; forging a packet in that fixed format and adding to it a marker that network monitoring devices can detect; sending the forged packet to the callback IP; and monitoring the entire backhaul path of the forged packet so as to locate the attacker. The technical solution of the present invention overcomes the problem that traditional detection methods cannot accurately locate a malicious attacker.

Description

A method and system for tracing an attacker based on network monitoring
Technical field
The present invention relates to the technical field of network security, and in particular to a method and system for tracing an attacker based on network monitoring.
Background technology
Most network monitoring devices exist to discover and block the propagation of malicious code, which curbs infection to a certain extent. Hacker organisations now make heavy use of anti-detection (AV evasion) techniques and of encrypting the returned data, so that neither the propagating code nor the returned data is discovered, which reduces the probability of detection by network monitoring devices. Moreover, the vast majority of malicious code authors or attackers do not return stolen data directly to their own computers; instead they attack, control and steal user information through several proxy servers or compromised hosts, and only then relay the data back to their own computers. This makes it hard to locate the real IP of the malicious code author or attacker, and makes tracking and locating them much harder.
The content of the invention
To address the above technical problem, the technical solution of the present invention forges a packet according to the returned data, sends that packet to the callback IP, and monitors the backhaul path of the marked packet so as to locate the attacker.
The present invention is realised by the following method. A method for tracing an attacker based on network monitoring, comprising:
analysing malicious code that returns data, and obtaining the fixed format of the returned data and the callback IP;
forging a packet that has the fixed format, and adding to the packet a marker for detection by network monitoring devices;
sending the forged packet to the callback IP;
monitoring the entire backhaul path of the forged packet, and thereby locating the attacker.
Further, analysing the malicious code that returns data and obtaining the fixed format of the returned data and the callback IP specifically comprises:
using an automated analysis system to perform dynamic behaviour analysis on malicious code and record the malicious code that returns data; filtering out the malicious code whose returned data has a fixed format; and analysing and recording the fixed format and callback IP of the returned data.
Further, monitoring the entire backhaul path of the forged packet and thereby locating the attacker specifically comprises:
updating the marker into the network monitoring devices;
using network monitoring devices deployed at key network nodes to monitor the entire backhaul path of the forged packet and locate the real IP of the attacker.
In the above method, the fixed format refers to the usual format of the data stolen by the malicious code.
The present invention can be realised by the following system. A system for tracing an attacker based on network monitoring, comprising:
an analysis module, for analysing malicious code that returns data and obtaining the fixed format of the returned data and the callback IP;
a forging module, for forging a packet that has the fixed format and adding to the packet a marker for detection by network monitoring devices;
a sending module, for sending the forged packet to the callback IP;
a locating module, for monitoring the entire backhaul path of the forged packet and thereby locating the attacker.
Further, the analysis module is specifically for:
using an automated analysis system to perform dynamic behaviour analysis on malicious code and record the malicious code that returns data; filtering out the malicious code whose returned data has a fixed format; and analysing and recording the fixed format and callback IP of the returned data.
Further, the locating module is specifically for:
updating the marker into the network monitoring devices; and using network monitoring devices deployed at key network nodes to monitor the entire backhaul path of the forged packet and locate the real IP of the attacker.
In the above system, the fixed format refers to the usual format of the data stolen by the malicious code.
In summary, the present invention provides a method and system for tracing an attacker based on network monitoring. The technical solution obtains malicious code whose returned data has a fixed format and records the fixed format and the callback IP; forges a packet according to the fixed format and adds to it a marker for detection by network monitoring devices; sends the forged packet to the callback IP; and uses network monitoring devices deployed at each key network node to monitor the entire backhaul path of the marked packet, thereby locating the attacker.
The beneficial effects are as follows: the technical solution of the present invention can not only track and locate the attacker, but also plays a positive role in containing cybercrime and striking at hacker organisations.
Description of the drawings
In order to explain the technical solution more clearly, the drawings needed for the embodiments are briefly introduced below. Clearly, the drawings described below show only some of the embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of method embodiment 1 for tracing an attacker based on network monitoring provided by the present invention;
Fig. 2 is a flow chart of method embodiment 2 for tracing an attacker based on network monitoring provided by the present invention;
Fig. 3 is a structural diagram of system embodiment 1 for tracing an attacker based on network monitoring provided by the present invention.
Specific embodiment
The present invention gives method and system embodiments for tracing an attacker based on network monitoring. So that those skilled in the art may better understand the technical solution in the embodiments, and so that the above objects, features and advantages of the present invention become clearer and easier to understand, the technical solution of the present invention is described in further detail below with reference to the drawings.
The present invention first provides method embodiment 1 for tracing an attacker based on network monitoring, which, as shown in Fig. 1, comprises:
S101: analysing malicious code that returns data, and obtaining the fixed format of the returned data and the callback IP;
S102: forging a packet that has the fixed format, and adding to the packet a marker for detection by network monitoring devices;
S103: sending the forged packet to the callback IP;
S104: monitoring the entire backhaul path of the forged packet, and thereby locating the attacker.
Preferably, analysing the malicious code that returns data and obtaining the fixed format of the returned data and the callback IP specifically comprises:
using an automated analysis system to perform dynamic behaviour analysis on malicious code and record the malicious code that returns data; filtering out the malicious code whose returned data has a fixed format; and analysing and recording the fixed format and callback IP of the returned data.
Preferably, monitoring the entire backhaul path of the forged packet and thereby locating the attacker specifically comprises:
updating the marker into the network monitoring devices; and using network monitoring devices deployed at key network nodes to monitor the entire backhaul path of the forged packet and locate the real IP of the attacker. Here the key network nodes are a number of key nodes distributed along the links of the network infrastructure, for example provincial network egress points.
In the above method embodiment, the fixed format refers to the usual format of the data stolen by the malicious code. Data of the same category stolen by malicious code have a similar usual format, for example the format of GID information or of online banking account information.
The present invention also provides method embodiment 2 for tracing an attacker based on network monitoring, which, as shown in Fig. 2, comprises:
S201: analysing malicious code that returns online banking account information, and obtaining the fixed format of the online banking account information and the callback IP;
here the fixed format of the online banking account information includes, but is not limited to, the bank name, the bank account number and the password, formalised as "bank=*, Account=*, psw=*";
S202: forging online banking account information that has the fixed format, adding to it a marker for detection by network monitoring devices, and updating the marker into the network monitoring devices;
here the forged online banking account information may be "bank=China Construction Bank, Account=2016010187654321, psw=AutoSignatures"; the added marker may be chosen from within the forged account information, for example "Account=2016010187654321" or "psw=AutoSignatures", or a required marker may be added as needed;
S203: sending the forged online banking account information to the obtained callback IP;
S204: using network monitoring devices deployed at key network nodes to monitor the entire backhaul path of the forged online banking account information and locate the real IP of the attacker.
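The following is a worked example of steps S201, S202 and S204 together, added here; it is not code from the patent or from Antiy. It assumes a sandbox that records (destination IP, outbound payload) pairs, a monitoring device that sees flow records with node, timestamp, source IP, destination IP and plaintext payload fields, and uses constructed sample values from the documentation IP ranges. The sending step (S203) is not modelled: the block shows the fixed-format filter that yields callback IPs, the decoy record and the marker taken from it, and the hop-by-hop reconstruction of the backhaul path from marked observations at the key nodes, including how unmarked traffic and a looping relay are handled.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed format of the stolen record, as given in method embodiment 2 of the patent:
# "bank=*, Account=*, psw=*". The format name "netbank" is this example's own label.
FIXED_FORMATS = {
    "netbank": re.compile(r"^bank=(?P<bank>[^,]+), Account=(?P<account>\d+), psw=(?P<psw>\S+)$"),
}


def extract_callbacks(sandbox_events) -> dict[str, set[str]]:
    """Step S201: from (destination IP, outbound payload) pairs recorded by dynamic
    analysis, keep only payloads in a known fixed format and collect the callback
    IP per format name. Payloads matching no fixed format are ignored."""
    found: dict[str, set[str]] = {}
    for dst_ip, payload in sandbox_events:
        for name, pattern in FIXED_FORMATS.items():
            if pattern.match(payload):
                found.setdefault(name, set()).add(dst_ip)
    return found


def build_decoy(bank: str, account: str, psw: str) -> str:
    """Step S202: forge one record that conforms to the fixed format."""
    decoy = f"bank={bank}, Account={account}, psw={psw}"
    if not FIXED_FORMATS["netbank"].match(decoy):
        raise ValueError("decoy does not conform to the fixed format")
    return decoy


def choose_marker(decoy: str, field: str = "Account") -> str:
    """Pick the marker the monitoring devices will search for. The patent allows it
    to be one field of the forged record, e.g. "Account=..." or "psw=..."."""
    m = FIXED_FORMATS["netbank"].match(decoy)
    if m is None:
        raise ValueError("not a fixed-format record")
    return f"{field}={m.group(field.lower())}"


@dataclass(frozen=True)
class FlowRecord:
    """One observation at a key network node. This field set is an assumption
    made for the example, not a record format the patent specifies."""
    node: str
    ts: int
    src_ip: str
    dst_ip: str
    payload: str


class MarkerMonitor:
    """Models a network monitoring device into which markers are 'updated' (S202)."""

    def __init__(self) -> None:
        self.markers: set[str] = set()

    def register(self, marker: str) -> None:
        self.markers.add(marker)

    def matches(self, rec: FlowRecord) -> bool:
        return any(mk in rec.payload for mk in self.markers)


def reconstruct_backhaul(records, monitor: MarkerMonitor, callback_ip: str) -> list[str]:
    """Step S204: follow marked records hop by hop starting at the callback IP.

    Returns the ordered IPs on the backhaul path; the last one is the candidate
    real IP of the attacker. Unmarked records are ignored, and the walk stops when
    no marked record leaves the current hop or when it would revisit a hop."""
    hits = sorted((r for r in records if monitor.matches(r)), key=lambda r: r.ts)
    path, seen, current = [callback_ip], {callback_ip}, callback_ip
    while True:
        nxt = next((r for r in hits if r.src_ip == current and r.dst_ip not in seen), None)
        if nxt is None:
            return path
        path.append(nxt.dst_ip)
        seen.add(nxt.dst_ip)
        current = nxt.dst_ip


# Constructed sample data (documentation IP ranges), not captured traffic.
SANDBOX_EVENTS = [
    ("203.0.113.5", "bank=Some Bank, Account=1234567890, psw=hunter2"),  # fixed-format return
    ("203.0.113.5", "GET /update HTTP/1.1"),                            # not stolen data
    ("198.51.100.200", "heartbeat"),                                     # not stolen data
]
CALLBACK_IP = "203.0.113.5"
DECOY = build_decoy("China Construction Bank", "2016010187654321", "AutoSignatures")
MARKER = choose_marker(DECOY, "Account")  # "Account=2016010187654321"
SAMPLE_RECORDS = [
    FlowRecord("egress-A", 1, CALLBACK_IP, "198.51.100.7", DECOY),                       # callback host -> relay 1
    FlowRecord("egress-A", 2, "203.0.113.9", "198.51.100.7", "bank=X, Account=1111, psw=zzz"),  # unrelated
    FlowRecord("egress-B", 3, "198.51.100.7", "192.0.2.44", DECOY),                      # relay 1 -> relay 2
    FlowRecord("egress-C", 5, "192.0.2.44", "192.0.2.200", DECOY),                       # relay 2 -> final receiver
]


def trace_example() -> list[str]:
    """Run the chain on the constructed sample; the final IP is 192.0.2.200."""
    monitor = MarkerMonitor()
    monitor.register(MARKER)
    return reconstruct_backhaul(SAMPLE_RECORDS, monitor, CALLBACK_IP)


if __name__ == "__main__":
    print("callback IPs by format:", extract_callbacks(SANDBOX_EVENTS))
    print("marker:", MARKER)
    print("backhaul path:", " -> ".join(trace_example()))
```

The path walk keys on the marker rather than on the whole decoy, which is why the marker should be a value that never appears in legitimate traffic at the key nodes; the unrelated fixed-format record in the sample is correctly skipped because it lacks the marker, and the `seen` set keeps a relay that echoes the record back from turning the walk into an endless loop.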
Secondly, the present invention provides system embodiment 1 for tracing an attacker based on network monitoring, which, as shown in Fig. 3, comprises:
an analysis module 301, for analysing malicious code that returns data and obtaining the fixed format of the returned data and the callback IP;
a forging module 302, for forging a packet that has the fixed format and adding to the packet a marker for detection by network monitoring devices;
a sending module 303, for sending the forged packet to the callback IP;
a locating module 304, for monitoring the entire backhaul path of the forged packet and thereby locating the attacker.
Preferably, the analysis module is specifically for:
using an automated analysis system to perform dynamic behaviour analysis on malicious code and record the malicious code that returns data; filtering out the malicious code whose returned data has a fixed format; and analysing and recording the fixed format and callback IP of the returned data.
Preferably, the locating module is specifically for:
updating the marker into the network monitoring devices;
using network monitoring devices deployed at key network nodes to monitor the entire backhaul path of the forged packet and locate the real IP of the attacker.
In the above system embodiment, the fixed format refers to the usual format of the data stolen by the malicious code.
The embodiments in this specification are described progressively: each embodiment focuses on what distinguishes it from the others, and identical or similar parts may be referred to across embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, its description is brief, and the relevant parts may be found in the description of the method embodiment.
As described above, the embodiments give a method and system for tracing an attacker based on network monitoring: malicious code whose returned data has a fixed format is analysed to obtain the fixed format and the callback IP; a returned packet is copied according to the fixed format, and a marker for detection by network monitoring devices is added to it, which makes it easy for the network monitoring devices to track and locate the packet; the packet is monitored by the network monitoring devices deployed at each key network node, the entire backhaul path of the packet is obtained, and the real IP address of the malicious code attacker is thereby located.
The embodiments provided by the present invention copy the returned packet and use the network monitoring devices at the key network nodes to track the forged packet, thereby locating the final attacker and solving the problem that traditional detection methods cannot accurately locate the attacker.
The above embodiments illustrate rather than limit the technical solution of the present invention. Any modification or partial replacement that does not depart from the spirit and scope of the present invention shall be covered by the scope of the claims of the present invention.

Claims (8)

1. A method for tracing an attacker based on network monitoring, characterised in that it comprises:
analysing malicious code that returns data, and obtaining the fixed format of the returned data and the callback IP;
forging a packet that has the fixed format, and adding to the packet a marker for detection by network monitoring devices;
sending the forged packet to the callback IP;
monitoring the entire backhaul path of the forged packet, and thereby locating the attacker.
2. The method of claim 1, characterised in that analysing the malicious code that returns data and obtaining the fixed format of the returned data and the callback IP specifically comprises:
using an automated analysis system to perform dynamic behaviour analysis on malicious code and record the malicious code that returns data; filtering out the malicious code whose returned data has a fixed format; and analysing and recording the fixed format and callback IP of the returned data.
3. The method of claim 1, characterised in that monitoring the entire backhaul path of the forged packet and thereby locating the attacker specifically comprises:
updating the marker into the network monitoring devices;
using network monitoring devices deployed at key network nodes to monitor the entire backhaul path of the forged packet and locate the real IP of the attacker.
4. The method of any one of claims 1 to 3, characterised in that the fixed format refers to the usual format of the data stolen by the malicious code.
5. A system for tracing an attacker based on network monitoring, characterised in that it comprises:
an analysis module, for analysing malicious code that returns data and obtaining the fixed format of the returned data and the callback IP;
a forging module, for forging a packet that has the fixed format and adding to the packet a marker for detection by network monitoring devices;
a sending module, for sending the forged packet to the callback IP;
a locating module, for monitoring the entire backhaul path of the forged packet and thereby locating the attacker.
6. The system of claim 5, characterised in that the analysis module is specifically for:
using an automated analysis system to perform dynamic behaviour analysis on malicious code and record the malicious code that returns data; filtering out the malicious code whose returned data has a fixed format; and analysing and recording the fixed format and callback IP of the returned data.
7. The system of claim 5, characterised in that the locating module is specifically for:
updating the marker into the network monitoring devices; and using network monitoring devices deployed at key network nodes to monitor the entire backhaul path of the forged packet and locate the real IP of the attacker.
8. The system of any one of claims 5 to 7, characterised in that the fixed format refers to the usual format of the data stolen by the malicious code.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610953329.9A CN106549960A (en) 2016-10-27 2016-10-27 A kind of method and system based on network monitoring pursuit attack person


Publications (1)

Publication Number Publication Date
CN106549960A true CN106549960A (en) 2017-03-29

Family

ID=58393590

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610953329.9A Pending CN106549960A (en) 2016-10-27 2016-10-27 A kind of method and system based on network monitoring pursuit attack person

Country Status (1)

Country Link
CN (1) CN106549960A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101262351A (en) * 2008-05-13 2008-09-10 华中科技大学 A network tracking system
CN101978376A (en) * 2008-03-19 2011-02-16 网圣公司 Method and system for protection against information stealing software
CN105024977A (en) * 2014-04-25 2015-11-04 湖北大学 Network tracking system based on digital watermarking and honeypot technology
CN105323247A (en) * 2015-10-13 2016-02-10 华中科技大学 Intrusion detection system for mobile terminal



Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information
Address after: 100080 Beijing city Haidian District minzhuang Road No. 3, Tsinghua Science Park Building 1 Yuquan Huigu a
Applicant after: Beijing ahtech network Safe Technology Ltd
Address before: 100080 Zhongguancun Haidian District street, No. 14, layer, 1 1415-16
Applicant before: Beijing Antiy Electronic Installation Co., Ltd.
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
Application publication date: 20170329