CN106549960A - A method and system for tracing an attacker based on network monitoring - Google Patents
- Publication number: CN106549960A
- Application number: CN201610953329.9A
- Authority: CN (China)
- Prior art keywords: packet, return data, malicious code, network monitoring, set form
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H: Electricity
- H04: Electric communication technique
- H04L: Transmission of digital information, e.g. telegraphic communication
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L2463/00: Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/146: Tracing the source of attacks
Abstract
The invention discloses a method and system for tracing an attacker based on network monitoring. The method comprises: analyzing malicious code that sends data back (exfiltrates it) and obtaining the fixed format of the returned data and the return IP; forging a packet that has the fixed format and adding to it a marker that network monitoring devices can detect; sending the forged packet to the return IP; and monitoring the entire return path of the forged packet so as to locate the attacker. The technical scheme of the present invention overcomes the problem that traditional detection methods cannot accurately locate a malicious attacker.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method and system for tracing an attacker based on network monitoring.
Background art
Most network monitoring devices exist to discover malicious code and stop it from propagating, which to some extent contains the spread of malicious code infections. Hacker organizations now use techniques such as large-scale anti-virus evasion and encryption of the returned data so that neither the propagation of the malicious code nor the data it sends back is discovered, reducing the probability of detection by network monitoring devices. Moreover, the vast majority of malicious code authors or attackers do not send the stolen data directly back to their own computers. Instead, the attack, the control and the theft of user information and data are relayed through multiple proxy servers or compromised hosts ("broilers") before the data reaches the attacker's own computer. This makes it difficult to locate the real IP of the malicious code author or attacker and greatly increases the effort needed to track and locate them.
Summary of the invention
In view of the above technical problem, the technical scheme of the present invention forges a packet according to the returned data, sends that packet to the return IP, and monitors the return path of the marked packet so as to locate the attacker.
The present invention is realized by the following method. A method for tracing an attacker based on network monitoring comprises:
analyzing malicious code that sends data back, and obtaining the fixed format of the returned data and the return IP;
forging a packet that has the fixed format, and adding to the packet a marker for detection by network monitoring devices;
sending the forged packet to the return IP;
monitoring the entire return path of the forged packet and thereby locating the attacker.
Further, analyzing malicious code that sends data back and obtaining the fixed format of the returned data and the return IP specifically comprises:
performing dynamic behaviour analysis on the malicious code with an automated analysis system, and recording the malicious code that sends data back;
selecting the malicious code whose returned data has a fixed format; analyzing and recording the fixed format and the return IP of the returned data.
Further, monitoring the entire return path of the forged packet and thereby locating the attacker specifically comprises:
updating the marker into the network monitoring devices;
monitoring the entire return path of the forged packet with the network monitoring devices deployed at key network nodes, and locating the attacker's real IP.
In the above method, the fixed format refers to the usual format of the data information that the malicious code steals.
The present invention can be realized by the following system. A system for tracing an attacker based on network monitoring comprises:
an analysis module, for analyzing malicious code that sends data back and obtaining the fixed format of the returned data and the return IP;
a forging module, for forging a packet that has the fixed format and adding to the packet a marker for detection by network monitoring devices;
a sending module, for sending the forged packet to the return IP;
a locating module, for monitoring the entire return path of the forged packet and thereby locating the attacker.
Further, the analysis module is specifically used for:
performing dynamic behaviour analysis on the malicious code with an automated analysis system, and recording the malicious code that sends data back;
selecting the malicious code whose returned data has a fixed format; analyzing and recording the fixed format and the return IP of the returned data.
Further, the locating module is specifically used for:
updating the marker into the network monitoring devices; monitoring the entire return path of the forged packet with the network monitoring devices deployed at key network nodes, and locating the attacker's real IP.
In the above system, the fixed format refers to the usual format of the data information that the malicious code steals.
In summary, the present invention provides a method and system for tracing an attacker based on network monitoring. The technical scheme of the present invention obtains malicious code whose returned data has a fixed format, records the fixed format and the return IP, forges a packet according to the fixed format and adds to it a marker for detection by network monitoring devices, sends the forged packet to the return IP, and uses the network monitoring devices deployed at each key network node to monitor the entire return path of the marked packet and thereby locate the attacker.
The beneficial effects are as follows: the technical scheme of the present invention can not only track and locate the attacker, but also plays a positive role in containing network crime and striking at hacker organizations.
Description of the drawings
In order to explain the technical scheme of the present invention more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below are only some of the embodiments described in the present invention; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of method embodiment 1 for tracing an attacker based on network monitoring provided by the present invention;
Fig. 2 is a flow chart of method embodiment 2 for tracing an attacker based on network monitoring provided by the present invention;
Fig. 3 is a structure diagram of system embodiment 1 for tracing an attacker based on network monitoring provided by the present invention.
Specific embodiments
The present invention provides embodiments of a method and system for tracing an attacker based on network monitoring. In order that those skilled in the art may better understand the technical scheme in the embodiments of the present invention, and that the above objects, features and advantages of the present invention become more apparent and understandable, the technical scheme of the present invention is described in further detail below with reference to the accompanying drawings.
The present invention first provides method embodiment 1 for tracing an attacker based on network monitoring, as shown in Fig. 1, comprising:
S101: analyzing malicious code that sends data back, and obtaining the fixed format of the returned data and the return IP;
S102: forging a packet that has the fixed format, and adding to the packet a marker for detection by network monitoring devices;
S103: sending the forged packet to the return IP;
S104: monitoring the entire return path of the forged packet and thereby locating the attacker.
Preferably, analyzing malicious code that sends data back and obtaining the fixed format of the returned data and the return IP specifically comprises:
performing dynamic behaviour analysis on the malicious code with an automated analysis system, and recording the malicious code that sends data back;
selecting the malicious code whose returned data has a fixed format; analyzing and recording the fixed format and the return IP of the returned data.
Preferably, monitoring the entire return path of the forged packet and thereby locating the attacker specifically comprises:
updating the marker into the network monitoring devices; monitoring the entire return path of the forged packet with the network monitoring devices deployed at key network nodes, and locating the attacker's real IP. Here, the key network nodes are multiple key nodes distributed on the links of the network infrastructure, for example provincial network egress points.
In the above method embodiment, the fixed format refers to the usual format of the data information that the malicious code steals. Data information stolen by malicious code of the same kind has a similar usual format, for example the GID information format or the online banking account information format.
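The analysis and forging steps (S101 and S102) as an added example, not code from the patent: sandbox-recorded exfiltration samples are screened for a fixed format, the format is recorded together with the return IP, and the format is then filled with decoy values, one field of which is designated as the marker for the monitoring devices. The record layout, sample ids, sample payloads and all IP addresses are constructed for illustration.

```python
"""Analysis and forging steps (S101/S102): infer the fixed format of returned
data from sandbox records, record the return IP, and build a marked decoy.
Added example; record layout, sample ids, payloads and IPs are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sandbox output: (sample_id, destination_ip, decoded payload).
SANDBOX_RECORDS = [
    ("s1", "198.51.100.7", "bank=ExampleBank, Account=1111222233334444, psw=hunter2"),
    ("s1", "198.51.100.7", "bank=OtherBank, Account=5555666677778888, psw=letmein"),
    ("s1", "198.51.100.7", "bank=ExampleBank, Account=9999000011112222, psw=qwerty"),
    ("s2", "203.0.113.9", "gid=4471, level=30, token=zz"),
    ("s2", "203.0.113.9", "gid=5123, level=7, token=aa"),
    ("s3", "192.0.2.44", "\x01\x7fx9rnd"),          # opaque blob: no fixed format
    ("s3", "192.0.2.44", "\x11\x22 blobdata"),
]

# One "key=value" field; values may contain spaces but not commas.
FIELD_RE = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)=([^,]*)")


def template_of(payload):
    """Reduce a key=value payload to its fixed format, e.g.
    'bank=*, Account=*, psw=*'. Returns None when the payload is not that shape."""
    keys = []
    for part in payload.split(","):
        m = FIELD_RE.fullmatch(part)
        if m is None:
            return None
        keys.append(m.group(1))
    return ", ".join(f"{k}=*" for k in keys)


def infer_fixed_formats(records, min_samples=2):
    """Group records by sample. A sample is kept only when at least min_samples
    payloads were captured and all of them reduce to the same template; the
    most frequent destination is recorded as the return IP."""
    by_sample = defaultdict(list)
    for sid, ip, payload in records:
        by_sample[sid].append((ip, template_of(payload)))
    found = {}
    for sid, items in by_sample.items():
        templates = Counter(tpl for _, tpl in items)
        if len(items) < min_samples or len(templates) != 1 or None in templates:
            continue  # inconsistent or unparsable payloads: not a fixed format
        return_ip = Counter(ip for ip, _ in items).most_common(1)[0][0]
        found[sid] = {"format": next(iter(templates)), "return_ip": return_ip}
    return found


def build_marked_decoy(template, values, marker_key):
    """Fill the template with decoy values and return (decoy, marker), where the
    marker is the 'key=value' pair that the monitoring devices will look for."""
    fields = [f[:-2] for f in template.split(", ")]   # strip the trailing '=*'
    if marker_key not in fields or marker_key not in values:
        raise ValueError("marker key must be a field of the template")
    decoy = ", ".join(f"{k}={values[k]}" for k in fields)
    return decoy, f"{marker_key}={values[marker_key]}"


if __name__ == "__main__":
    formats = infer_fixed_formats(SANDBOX_RECORDS)
    print(formats)
    decoy, marker = build_marked_decoy(
        formats["s1"]["format"],
        {"bank": "China Construction Bank", "Account": "2016010187654321",
         "psw": "AutoSignatures"},
        "Account")
    print(decoy, "| marker:", marker)
```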
The present invention also provides method embodiment 2 for tracing an attacker based on network monitoring, as shown in Fig. 2, comprising:
S201: analyzing malicious code that sends back online banking account information, and obtaining the fixed format of the online banking account information and the return IP;
here, the fixed format of the online banking account information includes, but is not limited to, the bank name, the bank account number and the password, formalized as: "bank=*, Account=*, psw=*";
S202: forging online banking account information that has the fixed format, adding to the online banking account information a marker for detection by network monitoring devices, and updating the marker into the network monitoring devices;
here, the forged online banking account information can be: "bank=China Construction Bank, Account=2016010187654321, psw=AutoSignatures"; the added marker can be designated from within the forged online banking account information, for example "Account=2016010187654321" or "psw=AutoSignatures", or the required marker can be added as needed;
S203: sending the forged online banking account information to the obtained return IP;
S204: monitoring the entire return path of the forged online banking account information with the network monitoring devices deployed at key network nodes, and locating the attacker's real IP.
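The locating step (S204) as an added example, not code from the patent: monitoring devices at key network nodes report every packet that carries the registered marker, and the reports are chained into the full return path, whose last destination is the located IP. The marker is the one from embodiment 2 above; the node names, timestamps, addresses and the re-encoded payload framings used by the relay hops are constructed.

```python
"""Locating step (S204): chain marker hits reported by monitoring devices at key
nodes into the full return path. Added example; MARKER is the patent's
embodiment 2 marker, everything else below is constructed."""
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Marker pushed to the monitoring devices (patent embodiment 2).
MARKER = "Account=2016010187654321"


@dataclass(frozen=True)
class Observation:
    node: str      # monitoring device location, e.g. a provincial egress point
    ts: float      # capture time in seconds
    src: str
    dst: str
    payload: str


# Constructed reports from three monitoring devices. Each relay re-wraps the
# record (form-encoded, then JSON) before forwarding it, so the marker must be
# matched through the encoding and not only verbatim.
OBSERVATIONS = [
    Observation("egress-A", 10.0, "10.0.0.5", "198.51.100.7",
                "bank=China Construction Bank, Account=2016010187654321, psw=AutoSignatures"),
    Observation("egress-A", 10.2, "10.0.0.6", "198.51.100.7",
                "bank=ExampleBank, Account=1111222233334444, psw=hunter2"),  # no marker
    Observation("egress-B", 11.5, "198.51.100.7", "203.0.113.9",
                "data=bank%3DChina+Construction+Bank%2C+Account%3D2016010187654321%2C+psw%3DAutoSignatures"),
    Observation("egress-C", 13.1, "203.0.113.9", "192.0.2.44",
                '{"rec": "bank=China Construction Bank, Account=2016010187654321, psw=AutoSignatures"}'),
    Observation("egress-C", 13.4, "192.0.2.99", "192.0.2.44", "unrelated traffic"),
]


def carries_marker(payload, marker=MARKER):
    """True when the marker appears verbatim or after percent-decoding."""
    return marker in payload or marker in unquote_plus(payload)


def reconstruct_path(observations, marker=MARKER):
    """Sort marker hits by capture time and chain them where one hop's
    destination is the next hop's source. Returns the chained hops, the final
    destination (None if there was no hit) and hits that did not fit the chain."""
    hits = sorted((o for o in observations if carries_marker(o.payload, marker)),
                  key=lambda o: o.ts)
    hops, strays = [], []
    for obs in hits:
        if not hops or hops[-1].dst == obs.src:
            hops.append(obs)
        else:
            strays.append(obs)   # source does not continue the chain: a coverage gap
    final_ip = hops[-1].dst if hops else None
    return hops, final_ip, strays


def path_summary(observations, marker=MARKER):
    """Route as (node, src, dst) triples plus the located IP and stray count."""
    hops, final_ip, strays = reconstruct_path(observations, marker)
    return {"route": [(h.node, h.src, h.dst) for h in hops],
            "attacker_ip": final_ip,
            "unchained": len(strays)}


if __name__ == "__main__":
    print(path_summary(OBSERVATIONS))
```

A non-zero `unchained` count means a hop was seen whose source did not match the previous destination, so the reported IP is only the last hop that could be chained, not necessarily the end of the path.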
Secondly, the present invention provides system embodiment 1 for tracing an attacker based on network monitoring, as shown in Fig. 3, comprising:
an analysis module 301, for analyzing malicious code that sends data back and obtaining the fixed format of the returned data and the return IP;
a forging module 302, for forging a packet that has the fixed format and adding to the packet a marker for detection by network monitoring devices;
a sending module 303, for sending the forged packet to the return IP;
a locating module 304, for monitoring the entire return path of the forged packet and thereby locating the attacker.
Preferably, the analysis module is specifically used for:
performing dynamic behaviour analysis on the malicious code with an automated analysis system, and recording the malicious code that sends data back;
selecting the malicious code whose returned data has a fixed format; analyzing and recording the fixed format and the return IP of the returned data.
Preferably, the locating module is specifically used for:
updating the marker into the network monitoring devices;
monitoring the entire return path of the forged packet with the network monitoring devices deployed at key network nodes, and locating the attacker's real IP.
In the above system embodiment, the fixed format refers to the usual format of the data information that the malicious code steals.
The embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to one another. In particular, since the system embodiment is substantially similar to the method embodiment, it is described more briefly, and the relevant parts can be found in the description of the method embodiment.
As described above, the embodiments give a method and system for tracing an attacker based on network monitoring: malicious code whose returned data has a fixed format is analyzed to obtain the fixed format and the return IP; a return packet is copied according to the fixed format and a marker for detection by network monitoring devices is added to the returned packet, the marker making it easy for the network monitoring devices to track and locate the packet; the network monitoring devices deployed at each key network node monitor the packet, thereby obtaining its entire return path and locating the real IP address of the malicious code attacker.
The embodiments provided by the present invention copy the returned packet, use the network monitoring devices at the key network nodes to track the forged packet, and thereby locate the final attacker, solving the problem that traditional detection methods cannot accurately locate the attacker.
The above embodiments illustrate, but do not limit, the technical scheme of the present invention. Any modification or partial substitution that does not depart from the spirit and scope of the present invention shall fall within the scope of the claims of the present invention.
Claims (8)
1. A method for tracing an attacker based on network monitoring, characterized in that it comprises:
analyzing malicious code that sends data back, and obtaining the fixed format of the returned data and the return IP;
forging a packet that has the fixed format, and adding to the packet a marker for detection by network monitoring devices;
sending the forged packet to the return IP;
monitoring the entire return path of the forged packet and thereby locating the attacker.
2. The method of claim 1, characterized in that analyzing malicious code that sends data back and obtaining the fixed format of the returned data and the return IP specifically comprises:
performing dynamic behaviour analysis on the malicious code with an automated analysis system, and recording the malicious code that sends data back;
selecting the malicious code whose returned data has a fixed format; analyzing and recording the fixed format and the return IP of the returned data.
3. The method of claim 1, characterized in that monitoring the entire return path of the forged packet and thereby locating the attacker specifically comprises:
updating the marker into the network monitoring devices;
monitoring the entire return path of the forged packet with the network monitoring devices deployed at key network nodes, and locating the attacker's real IP.
4. The method according to any one of claims 1 to 3, characterized in that the fixed format refers to the usual format of the data information that the malicious code steals.
5. A system for tracing an attacker based on network monitoring, characterized in that it comprises:
an analysis module, for analyzing malicious code that sends data back and obtaining the fixed format of the returned data and the return IP;
a forging module, for forging a packet that has the fixed format and adding to the packet a marker for detection by network monitoring devices;
a sending module, for sending the forged packet to the return IP;
a locating module, for monitoring the entire return path of the forged packet and thereby locating the attacker.
6. The system of claim 5, characterized in that the analysis module is specifically used for:
performing dynamic behaviour analysis on the malicious code with an automated analysis system, and recording the malicious code that sends data back;
selecting the malicious code whose returned data has a fixed format; analyzing and recording the fixed format and the return IP of the returned data.
7. The system of claim 5, characterized in that the locating module is specifically used for:
updating the marker into the network monitoring devices; monitoring the entire return path of the forged packet with the network monitoring devices deployed at key network nodes, and locating the attacker's real IP.
8. The system according to any one of claims 5 to 7, characterized in that the fixed format refers to the usual format of the data information that the malicious code steals.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610953329.9A | 2016-10-27 | 2016-10-27 | A method and system for tracing an attacker based on network monitoring |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106549960A | 2017-03-29 |
Family ID: 58393590
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101262351A (en) * | 2008-05-13 | 2008-09-10 | 华中科技大学 | A network tracking system |
CN101978376A (en) * | 2008-03-19 | 2011-02-16 | 网圣公司 | Method and system for protection against information stealing software |
CN105024977A (en) * | 2014-04-25 | 2015-11-04 | 湖北大学 | Network tracking system based on digital watermarking and honeypot technology |
CN105323247A (en) * | 2015-10-13 | 2016-02-10 | 华中科技大学 | Intrusion detection system for mobile terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| CB02 | Change of applicant information | Address after: 100080 Beijing city Haidian District minzhuang Road No. 3, Tsinghua Science Park Building 1 Yuquan Huigu a; Applicant after: Beijing ahtech network Safe Technology Ltd; Address before: 100080 Zhongguancun Haidian District street, No. 14, layer, 1 1415-16; Applicant before: Beijing Antiy Electronic Installation Co., Ltd. |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170329 |