CN113132406A - Detection method, device and medium for discovering network threat based on SSH flow - Google Patents

Detection method, device and medium for discovering network threat based on SSH flow

Info

Publication number
CN113132406A
Authority
CN
China
Prior art keywords
client
determining
algorithms
fingerprint
ssh
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110471714.0A
Other languages
Chinese (zh)
Other versions
CN113132406B (en)
Inventor
孙晓鹏
王绍密
和希文
孙瑞勇
葛天成
李峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Yuntian Safety Technology Co ltd
Original Assignee
Shandong Yuntian Safety Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a detection method, device and medium for discovering a network threat based on SSH traffic. The method comprises the following steps: determining that a client and a server interact through SSH, and acquiring the exchange information of the client in the key exchange stage through traffic monitoring; determining the arrangement order of the plurality of algorithms in the exchange information; concatenating the names of the algorithms according to that order, and processing the concatenated data to obtain the fingerprint of the client; and matching the fingerprint against a pre-generated fingerprint library to verify the security of the client. According to the embodiments of the application, a fingerprint can be obtained for a given type of client and used to distinguish SSH clients of different types; by matching fingerprints against a library generated in advance, malicious clients can be identified and blocked in time, which improves the accuracy of network security detection.

Description

Detection method, device and medium for discovering network threat based on SSH flow
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, and a medium for detecting a network threat based on SSH traffic discovery.
Background
The Secure Shell protocol (SSH) was standardized by the IETF (RFC 4250 through RFC 4254). It is an application-layer protocol that provides a secure channel for remote login sessions and other network services, and is regarded as a relatively reliable protocol for that purpose.
Because attacks on the network are possible, and because the attack information that can be obtained from SSH sessions is not comprehensive enough, the efficiency of identifying network attacks is low.
Disclosure of Invention
The embodiments of the application provide a detection method, device and medium for discovering a network threat based on SSH traffic, which address the low efficiency of network attack identification that results from the attack information obtainable in an SSH environment not being comprehensive enough.
The embodiment of the application adopts the following technical scheme:
In one aspect, an embodiment of the present application provides a detection method for discovering a cyber threat based on SSH traffic, where the method includes: determining that a client and a server interact through SSH, and acquiring the exchange information of the client in the key exchange stage through traffic monitoring; determining the arrangement order of the plurality of algorithms in the exchange information; concatenating the names of the algorithms according to that order, and processing the concatenated data to obtain the fingerprint of the client; and matching the fingerprint against a pre-generated fingerprint library to verify the security of the client.
In one example, concatenating the names of the plurality of algorithms according to the arrangement order and processing the concatenated data to obtain the fingerprint of the client specifically includes: concatenating the names of the algorithms according to the arrangement order and a preset concatenation formula to obtain a concatenated character string; and encrypting the concatenated character string to obtain the fingerprint of the client.
In one example, determining the arrangement order of the plurality of algorithms in the exchange information specifically includes: determining the algorithm types corresponding to the plurality of algorithms present in the exchange information, where the algorithm types comprise at least one of a key exchange method, an encryption method, a message authentication method and a compression method; determining a preset order corresponding to the algorithm types; and determining the arrangement order of the plurality of algorithms according to the preset order.
In one example, matching the fingerprint against a pre-generated fingerprint library to verify the security of the client specifically includes: determining that a network address translation (NAT) router exists between the client and the server in the SSH environment; matching the fingerprint against the pre-generated fingerprint library and determining that the client is a brute-force cracking client; and blocking the client.
In one example, matching the fingerprint against a pre-generated fingerprint library to verify the security of the client specifically includes: determining that the client is firmware built into an Internet of Things device; and matching the fingerprint against the pre-generated fingerprint library to identify the client as one that covertly exfiltrates data.
In one example, encrypting the concatenated string to obtain the fingerprint of the client specifically includes: performing a hash calculation on the concatenated character string to generate a hash value; and taking the hash value as the fingerprint of the client.
In one example, determining the preset concatenation manner specifically includes: reversing the characters in the name of each algorithm; and concatenating the reversed names of the algorithms one after another.
In one example, after matching the fingerprint against a pre-generated fingerprint library to verify the security of the client, the method further comprises: if the matching is unsuccessful, acquiring the IP address of the client; identifying the IP address; if the IP address is abnormal, raising an alarm so that relevant personnel can check the security of the client; determining that the client is an abnormal client; and adding the client to a blacklist in the fingerprint library.
In another aspect, an embodiment of the present application provides a detection device for discovering a cyber threat based on SSH traffic, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to: determine that a client and a server interact through SSH, and acquire the exchange information of the client in the key exchange stage through traffic monitoring; determine the arrangement order of the plurality of algorithms in the exchange information; concatenate the names of the algorithms according to that order, and process the concatenated data to obtain the fingerprint of the client; and match the fingerprint against a pre-generated fingerprint library to verify the security of the client.
In another aspect, an embodiment of the present application provides a non-volatile computer storage medium for detecting a cyber threat based on SSH traffic, where the non-volatile computer storage medium stores computer-executable instructions configured to: determine that a client and a server interact through SSH, and acquire the exchange information of the client in the key exchange stage through traffic monitoring; determine the arrangement order of the plurality of algorithms in the exchange information; concatenate the names of the algorithms according to that order, and process the concatenated data to obtain the fingerprint of the client; and match the fingerprint against a pre-generated fingerprint library to verify the security of the client.
The embodiment of the application adopts at least one technical scheme which can achieve the following beneficial effects:
according to the method and device, the names of the algorithms offered by the client in the key exchange stage are concatenated in the determined arrangement order and the concatenated data is processed, which yields a fingerprint for that type of client; SSH clients of different types can thereby be distinguished, and by matching fingerprints against a library generated in advance, malicious clients can be identified and blocked in time, improving the accuracy of network security detection.
Drawings
In order to more clearly explain the technical solutions of the present application, some embodiments of the present application will be described in detail below with reference to the accompanying drawings, in which:
fig. 1 is a schematic flowchart of a detection method for discovering a cyber threat based on SSH traffic according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a detection device for discovering a cyber threat based on SSH traffic according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following embodiments and accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Some embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of a detection method for discovering a cyber threat based on SSH traffic according to an embodiment of the present application. The method can be applied to different business fields, such as the field of internet financial business, the field of network security supervision business, the field of instant messaging business, the field of official business and the like. The flow may be performed by computing devices of the respective domains.
The process in fig. 1 may include the following steps:
S101: Determine that the client and the server interact through SSH, and acquire the exchange information of the client in the key exchange stage through traffic monitoring.
In some implementations of the present application, the login process of Secure Shell (SSH) includes a plaintext interaction phase and a ciphertext interaction phase. In the plaintext phase of an SSH connection, the Transmission Control Protocol (TCP) three-way handshake and the version-string exchange are completed first, and then the key exchange phase is entered. The key exchange phase includes the key and algorithm negotiation stage, in which each side sends its SSH_MSG_KEXINIT message in the clear; because that message is not yet encrypted, a passive monitor on the path can read it.
The key exchange is carried out on both the client side and the server side. The exchange information sent during the key exchange is an important component of what ultimately forms the configuration of the encrypted SSH channel.
The exchange information refers to the lists of algorithms supported by the client.
It should be noted that the execution subject in the embodiments of the present application may be any platform or software that needs to verify the security of a client, such as an intrusion detection system or an intrusion prevention system. For convenience of description, it is referred to below as the monitoring platform.
S102: Determine the arrangement order of the plurality of algorithms in the exchange information.
The arrangement order is set according to a preset order for each algorithm type.
S103: Concatenate the names of the plurality of algorithms according to the arrangement order, and process the concatenated data to obtain the fingerprint of the client.
In some implementations of the present application, because the set of algorithms offered and their ordering are relatively stable for a given software product and differ between products, the algorithm names, after processing, can be treated as a fingerprint of the client.
It should be noted that the algorithm names used in the embodiments of the present application are the names as written by the software implementation, i.e. the name-list strings carried in the key exchange message, not human-readable descriptions.
S104: Match the fingerprint against a pre-generated fingerprint library to verify the security of the client.
In some implementations of the present application, to obtain the pre-generated fingerprint library, the monitoring platform applies the method of S101 to S103 to collect a large number of fingerprints of various clients, identifies which client each fingerprint belongs to, and then stores the fingerprints of the various clients.
In the pre-generated fingerprint library, different client types can be classified and stored separately so that abnormal clients can be identified more efficiently. For example, a blacklist is kept in the fingerprint library, and abnormal clients are added to it.
It should be noted that the pre-generated fingerprint library may also be a fixed library of common SSH client fingerprints, in which case only clients whose fingerprint is not in the library need to raise an alarm.
It should be noted that the embodiments of the present application verify not only the security of the client but also that of the server, and the verification principle is the same; for the verification of the server, refer to the description of verifying the client, i.e. the client in the embodiments may be read as the server instead.
It should be noted that, although the embodiment of the present application describes steps S101 to S104 in sequence with reference to fig. 1, this does not mean that steps S101 to S104 must be executed in strict sequence. The embodiment of the present application sequentially describes steps S101 to S104 according to the sequence shown in fig. 1, so as to facilitate those skilled in the art to understand the technical solutions of the embodiment of the present application. In other words, in the embodiment of the present application, the sequence between step S101 and step S104 may be appropriately adjusted according to actual needs.
Through the method of fig. 1, in the embodiments of the application, the names of the algorithms offered by the client in the key exchange stage are concatenated in their arrangement order and the concatenated data is processed to obtain a fingerprint for that type of client; the fingerprint can be used to distinguish different types of SSH clients, and by matching fingerprints against a library generated in advance, malicious clients can be identified and blocked in time, improving the accuracy of network security detection.
Based on the method of fig. 1, the examples of the present application also provide some specific embodiments and extensions of the method, and the following description is continued.
In some implementations of the present application, in order to determine the arrangement order of the plurality of algorithms in the exchange information more accurately, the monitoring platform obtains the algorithm types corresponding to the plurality of algorithms present in the exchange information. The algorithm types include at least one of a key exchange method, an encryption method, a message authentication method and a compression method.
That is, for each algorithm type there is a corresponding list of algorithms supported by the client.
For example, the monitoring platform obtains the algorithms supported by the client for the key exchange method, for the encryption method, for the message authentication method, and for the compression method.
After the algorithm types corresponding to the algorithms in the exchange information have been obtained, the monitoring platform determines the preset order corresponding to the algorithm types and determines the arrangement order of the algorithms according to that preset order. That is, once the order of the algorithm types is fixed, the order of the algorithms belonging to each type is fixed accordingly.
Further, within each algorithm type the algorithms are arranged by the length of their names, either from longest to shortest or from shortest to longest, and the direction may differ between algorithm types. For example, the key exchange algorithms may be arranged from longest to shortest and the encryption algorithms from shortest to longest.
It should be noted that the arrangement order of the algorithm types may differ between execution subjects. For example, the monitoring platform arranges the algorithm types as key exchange method, encryption method, message authentication method, compression method, whereas an intrusion detection system for a power grid may arrange them as key exchange method, message authentication method, encryption method, compression method.
In some implementations of the application, in order to obtain the client fingerprint more quickly, the monitoring platform concatenates the names of the algorithms according to a preset concatenation formula to obtain a concatenated character string, and then processes that string to obtain the fingerprint of the client (the application describes this step as encrypting the string; the concrete operation it gives is a hash calculation).
Further, the monitoring platform performs a hash calculation on the concatenated character string to generate a hash value, and uses the hash value as the fingerprint of the client.
Further, to make client fingerprints harder for a network attacker to forge, in determining the preset concatenation manner the monitoring platform reverses the characters in the name of each algorithm and then concatenates the reversed names one after another.
That is, when concatenating the algorithm names of the client, the characters of each algorithm name are reversed so that the last character becomes the first and the first character becomes the last, and the reversed names of the algorithms are then concatenated one after another.
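The parsing, ordering, concatenation and matching of S101 to S103 and the refinements above, as an added example in Python that is not code from this application or its assignee. It assumes the SSH binary packet has already been carved out of the TCP stream (the KEXINIT is still in clear text at that point), uses the monitoring platform's type order from the text with the length ordering of the example above, and assumes SHA-256 as the hash, the client-to-server lists, and ";" and "|" as separators, none of which the application fixes. The sample KEXINIT is constructed. Two properties of the described scheme are visible in the code: the character reversal is a fixed, public transformation, so a client that controls its own KEXINIT can still present whatever name-lists it likes (the fingerprint identifies the software, it does not authenticate it); and sorting names by length within a type discards the client's own preference order, so two clients offering the same set of algorithms in a different order receive the same fingerprint unless names of equal length are involved.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20

# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Preset type order of the "monitoring platform" in the text: key exchange,
# encryption, message authentication, compression. "desc" = longest name
# first, as in the text's example. Using the client-to-server lists and the
# ";" / "|" separators are assumptions of this example.
TYPE_ORDER = (("kex", "desc"), ("enc_c2s", "asc"), ("mac_c2s", "asc"), ("comp_c2s", "asc"))


def _read_name_list(buf, off):
    """Decode one RFC 4251 name-list: uint32 length, then comma-separated ASCII."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return [s for s in raw.decode("ascii").split(",") if s], off + n


def parse_kexinit(packet):
    """Parse one unencrypted SSH binary packet carrying SSH_MSG_KEXINIT."""
    if len(packet) < 5:
        raise ValueError("truncated packet")
    (packet_length,) = struct.unpack_from(">I", packet, 0)
    padding_length = packet[4]
    if 4 + packet_length > len(packet) or padding_length + 1 > packet_length:
        raise ValueError("bad length fields")
    payload = packet[5:4 + packet_length - padding_length]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not SSH_MSG_KEXINIT")
    off = 1 + 16                      # message type byte, then 16-byte cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _read_name_list(payload, off)
    # Remaining: boolean first_kex_packet_follows and uint32 reserved; unused.
    return fields


def splice(fields, type_order=TYPE_ORDER):
    """Per type: sort names by length (stable sort), reverse each name, join."""
    parts = []
    for field, direction in type_order:
        names = sorted(fields[field], key=len, reverse=(direction == "desc"))
        parts.append(";".join(n[::-1] for n in names))
    return "|".join(parts)


def fingerprint(fields):
    """Client fingerprint = hash of the spliced string (SHA-256 assumed)."""
    return hashlib.sha256(splice(fields).encode("ascii")).hexdigest()


def classify(fp, library, blacklist):
    """Look the fingerprint up: blacklist first, then the known-client map."""
    if fp in blacklist:
        return "blacklisted"
    return "known:" + library[fp] if fp in library else "unknown"


def build_kexinit(fields, cookie=b"\x00" * 16):
    """Encode a KEXINIT packet (used here only to construct sample traffic)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        data = ",".join(fields.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(data)) + data
    payload += b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved
    padding = 8 - (5 + len(payload)) % 8        # total length must be a multiple of 8
    if padding < 4:                             # and padding must be at least 4 bytes
        padding += 8
    header = struct.pack(">IB", 1 + len(payload) + padding, padding)
    return header + payload + b"\x00" * padding


# Constructed sample client offering a small, distinctive algorithm set.
SAMPLE_FIELDS = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512"],
    "enc_c2s": ["aes128-ctr", "chacha20-poly1305@openssh.com"],
    "enc_s2c": ["aes128-ctr", "chacha20-poly1305@openssh.com"],
    "mac_c2s": ["hmac-sha2-256", "umac-64@openssh.com"],
    "mac_s2c": ["hmac-sha2-256", "umac-64@openssh.com"],
    "comp_c2s": ["none"],
    "comp_s2c": ["none"],
}
SAMPLE_PACKET = build_kexinit(SAMPLE_FIELDS)

if __name__ == "__main__":
    fp = fingerprint(parse_kexinit(SAMPLE_PACKET))
    library = {fp: "sample-client"}     # fingerprint library built offline
    print(fp, classify(fp, library, set()))
```

A deployment that wants the server side as well, as the text allows, runs the same functions over the server's KEXINIT with the server-to-client lists in `TYPE_ORDER`.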
In some implementations of the present application, Network Address Translation (NAT) may be involved in the SSH connection. NAT is used when hosts inside a private network have been assigned local IP addresses (private addresses that are valid only within that network) but need to communicate with hosts on the Internet; the NAT device rewrites the source address, so from outside all such hosts appear to share the NAT's public address.
When a NAT router is located between the client and the server, i.e. in an SSH NAT environment, the monitoring platform can still determine the fingerprint of the client, match it against the pre-generated fingerprint library, and identify a brute-force cracking client, so that the brute-force cracking client can be blocked in time.
Because attack sources behind a NAT cannot be distinguished by source IP address, the embodiments of the present application identify the client software type through the client fingerprint rather than by source IP address in a NAT environment, and can therefore more accurately detect the type of client performing brute-force cracking.
Further, the monitoring platform may also collect and store in the fingerprint library the SSH client fingerprints of common attack tooling (for example the clients shipped with Kali Linux, Meterpreter and PowerShell Empire). Applied in an intrusion detection system, an intrusion prevention system, or the signature libraries and models of a situational-awareness platform, this allows the malicious software to be identified in the fingerprint library through its fingerprint, an alarm to be raised, and the malicious software to be blocked in time.
Therefore, in the embodiments of the present application, malicious clients behind a NAT can be blocked at a finer granularity in intrusion detection systems, intrusion prevention systems, and the signature libraries and models of situational-awareness platforms.
In some implementations of the present application, the client may be of a new type whose fingerprint is not stored in the pre-generated fingerprint library, so the security of that client type cannot be verified by matching.
Therefore, when the fingerprint of the client cannot be matched in the pre-generated fingerprint library, the monitoring platform acquires the IP address of the client and checks it with malicious IP address detection. If the IP address is identified as abnormal, an alarm is raised so that relevant personnel can investigate; if the client is confirmed to be an abnormal client, it is added to the blacklist of the fingerprint library and blocked in time, avoiding loss.
If the IP address is normal, a prompt is issued and the client is automatically added to the fingerprint library.
For example, a public IP address does not necessarily correspond to a single host: many addresses on the public network are NAT addresses. If a malicious client inside organization A attacks a target on the external network, the public egress address of organization A is likely to be marked as a malicious IP address, even though not all clients in organization A are malicious. Therefore the IP address is first checked by malicious IP address detection, and if it is identified as abnormal an alarm is raised so that relevant personnel can investigate and finally determine whether the client is an abnormal client.
According to the embodiments of the present application, in the NAT scenario the public IP address need not be blocked; instead the malicious client itself is blocked, so that malicious clients behind the NAT can be blocked at a finer granularity and the accuracy of identifying malicious clients is improved.
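The fallback for an unmatched fingerprint and the NAT scenario above, as an added example not taken from the application: a small decision routine over constructed sessions, with an in-memory library, a malicious-IP set and analyst verdicts standing in for the reputation check and the manual review (all assumptions; the application specifies none of these interfaces). The fingerprints are placeholder strings, since the point here is the decision, not the hashing. The constructed sessions show the point of the NAT discussion: the shared egress address is never blocked, the brute-force fingerprint is. Note one consequence of the auto-add rule on a clean IP: the same unknown fingerprint that is under review from the NAT address becomes a known client the moment it appears from an address the feed has not marked, so a deployment should treat auto-added entries as provisional.

```python
from dataclasses import dataclass, field


@dataclass
class FingerprintLibrary:
    """In-memory stand-in for the pre-generated fingerprint library (assumption)."""
    known: dict = field(default_factory=dict)    # fingerprint -> client label
    blacklist: set = field(default_factory=set)  # fingerprints to block


def check_ip(ip, malicious_ips):
    """Stand-in for the 'malicious IP address detection' step (assumption)."""
    return "abnormal" if ip in malicious_ips else "normal"


def decide(fp, client_ip, lib, malicious_ips, analyst_verdicts):
    """Action for one session, updating the library as the text describes:
    match first; on a miss check the IP; abnormal IP -> alarm and wait for the
    analyst; confirmed malicious -> blacklist the fingerprint (not the IP);
    normal IP -> add the fingerprint as a new known client."""
    if fp in lib.blacklist:
        return "block"
    if fp in lib.known:
        return "allow"
    if check_ip(client_ip, malicious_ips) == "abnormal":
        verdict = analyst_verdicts.get(fp)
        if verdict == "malicious":
            lib.blacklist.add(fp)
            return "block"
        if verdict == "benign":
            lib.known[fp] = "analyst-cleared"
            return "allow"
        return "alarm"
    lib.known[fp] = "auto-added"
    return "allow"


def process(sessions, lib, malicious_ips, analyst_verdicts):
    """Run the decision over a sequence of sessions, returning (ip, fp, action)."""
    return [(s["ip"], s["fp"], decide(s["fp"], s["ip"], lib, malicious_ips, analyst_verdicts))
            for s in sessions]


# Constructed sample: three clients share the NAT egress 203.0.113.10, which
# a reputation feed has already marked because of one of them.
MALICIOUS_IPS = {"203.0.113.10"}
VERDICTS = {"fp-bruteforce": "malicious"}
SESSIONS = [
    {"ip": "203.0.113.10", "fp": "fp-openssh"},      # admin behind the NAT, known client
    {"ip": "203.0.113.10", "fp": "fp-bruteforce"},   # brute-force tool, analyst confirmed
    {"ip": "203.0.113.10", "fp": "fp-newtool"},      # unknown, still under review
    {"ip": "198.51.100.7", "fp": "fp-newtool"},      # same unknown fingerprint, clean IP
    {"ip": "203.0.113.10", "fp": "fp-bruteforce"},   # repeat from the NAT: blocked by fingerprint
]

if __name__ == "__main__":
    lib = FingerprintLibrary(known={"fp-openssh": "OpenSSH"})
    for row in process(SESSIONS, lib, MALICIOUS_IPS, VERDICTS):
        print(row)
```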
In some implementations of the application, a specially written SSH client can send data from a trusted environment to an untrusted external network inside a series of SSH_MSG_KEXINIT packets. Similar to data exfiltration over DNS, the data can be sent as a series of attempted, incomplete connections to an SSH server under the attacker's control, where it is reassembled and decoded. Because SSH_MSG_KEXINIT is exchanged before encryption begins and its name-lists are free-form strings, the carrier looks like ordinary connection attempts. To date, no mature means or security device record exists for this method of information leakage.
Therefore, if such a client is built into the firmware of an Internet of Things device and used to leak data, the monitoring platform determines the fingerprint of the client and matches it against the fingerprint library, so that a client covertly exfiltrating data can be readily identified.
For example, by collecting the SSH client fingerprints of known compromised embedded Internet of Things systems (cameras, microphones, keyloggers, wiretaps and the like) that use a covert encrypted channel to communicate with their control server, the monitoring platform can detect such devices when their fingerprints appear.
According to the embodiments of the application, by monitoring the different types of SSH clients and performing anomaly detection or raising alarms, exfiltration of sensitive data by clients can be readily detected.
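A detector for the KEXINIT exfiltration pattern described above, added here and not part of the application. It works on name-lists already extracted from client KEXINIT messages and on a per-connection flag recording whether key exchange completed (assumptions about what the monitor's capture layer provides); the allow-list of algorithm names is a constructed subset of registered and vendor names, and the traffic is constructed. Rather than relying on a single fingerprint for the exfiltrating client, which by construction changes with every chunk, it keys on the three properties of the channel: many incomplete connections from one source, a different KEXINIT nearly every time, and tokens no known implementation advertises. The scanner in the sample, which also never completes key exchange, is not flagged because its KEXINIT never varies.

```python
from collections import defaultdict

TYPES = ("kex", "enc", "mac", "comp")

# Constructed allow-list: a subset of IANA-registered and common vendor
# algorithm names. A real monitor would load the full registry plus the
# names its own known clients advertise (assumption).
KNOWN_NAMES = {
    "curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256",
    "aes128-ctr", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com",
    "hmac-sha2-256", "umac-64@openssh.com", "none", "zlib@openssh.com",
}


def unknown_tokens(lists):
    """Algorithm names that no known implementation advertises."""
    return [n for t in TYPES for n in lists[t] if n not in KNOWN_NAMES]


def detect_kexinit_exfil(observations, min_conns=5, min_unique_ratio=0.8):
    """observations: dicts with 'src', 'completed' (True once NEWKEYS was seen)
    and 'lists' (the four name-lists from the client's KEXINIT).
    A source is flagged when it opens at least min_conns connections that never
    finish key exchange, nearly every one carries a different KEXINIT, and the
    name-lists contain tokens no known client uses."""
    per_src = defaultdict(lambda: {"conns": 0, "incomplete": 0,
                                   "variants": set(), "unknown_bytes": 0})
    for ob in observations:
        s = per_src[ob["src"]]
        s["conns"] += 1
        s["incomplete"] += 0 if ob["completed"] else 1
        s["variants"].add(tuple(tuple(ob["lists"][t]) for t in TYPES))
        s["unknown_bytes"] += sum(len(n) for n in unknown_tokens(ob["lists"]))
    flagged = {}
    for src, s in per_src.items():
        ratio = len(s["variants"]) / s["conns"]
        if (s["conns"] >= min_conns and s["incomplete"] >= min_conns
                and ratio >= min_unique_ratio and s["unknown_bytes"] > 0):
            flagged[src] = {"conns": s["conns"], "unique_ratio": ratio,
                            "unknown_bytes": s["unknown_bytes"]}
    return flagged


def _obs(src, completed, extra_kex=()):
    """Build one constructed observation with an ordinary client's lists."""
    return {"src": src, "completed": completed, "lists": {
        "kex": ["curve25519-sha256", *extra_kex],
        "enc": ["chacha20-poly1305@openssh.com"],
        "mac": ["hmac-sha2-256"],
        "comp": ["none"]}}


# Constructed traffic: an implant smuggles six 8-character chunks as extra kex
# names and drops each connection before NEWKEYS; a scanner reconnects six
# times with an identical KEXINIT; a normal client completes one session.
CHUNKS = ["ZXhmaWwx", "ZXhmaWwy", "ZXhmaWwz", "ZXhmaWw0", "ZXhmaWw1", "ZXhmaWw2"]
OBSERVATIONS = (
    [_obs("192.0.2.50", False, [c]) for c in CHUNKS]
    + [_obs("198.51.100.20", False) for _ in range(6)]
    + [_obs("203.0.113.5", True)]
)

if __name__ == "__main__":
    print(detect_kexinit_exfil(OBSERVATIONS))
```

The `unknown_bytes` figure gives an upper bound on how much data left through the channel in the window, which is the number an incident responder will ask for first.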
Based on the same idea, some embodiments of the present application further provide a device and a non-volatile computer storage medium corresponding to the above method.
Fig. 2 is a schematic structural diagram of a detection apparatus for discovering cyber threats based on SSH traffic, corresponding to fig. 1 and provided in an embodiment of the present application, where the apparatus includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
determine that the client and the server interact through SSH, and acquire the exchange information of the client in the key exchange stage through traffic monitoring;
determine the arrangement order of the plurality of algorithms in the exchange information;
concatenate the names of the algorithms according to that order, and process the concatenated data to obtain the fingerprint of the client;
and match the fingerprint against a pre-generated fingerprint library to verify the security of the client.
Some embodiments of the present application provide a non-volatile computer storage medium for discovering cyber threats based on SSH traffic, corresponding to fig. 1, storing computer-executable instructions configured to:
determine that the client and the server interact through SSH, and acquire the exchange information of the client in the key exchange stage through traffic monitoring;
determine the arrangement order of the plurality of algorithms in the exchange information;
concatenate the names of the algorithms according to that order, and process the concatenated data to obtain the fingerprint of the client;
and match the fingerprint against a pre-generated fingerprint library to verify the security of the client.
The embodiments in the present application are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the device and media embodiments, the description is relatively simple as it is substantially similar to the method embodiments, and reference may be made to some descriptions of the method embodiments for relevant points.
The device and the medium provided by the embodiment of the application correspond to the method one to one, so the device and the medium also have the similar beneficial technical effects as the corresponding method, and the beneficial technical effects of the method are explained in detail above, so the beneficial technical effects of the device and the medium are not repeated herein.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the technical principle of the present application shall fall within the protection scope of the present application.

Claims (10)

1. A detection method for discovering network threats based on SSH traffic, characterized in that the method comprises the following steps:
determining that a client and a server interact through SSH, and acquiring, through traffic monitoring, the exchange information sent by the client in the key exchange stage;
determining the arrangement order of a plurality of algorithms in the exchange information;
concatenating the names of the algorithms according to the arrangement order, and processing the concatenated data to obtain the fingerprint of the client;
and matching the fingerprint against a pre-generated fingerprint library to verify the security of the client.
2. The method according to claim 1, wherein the concatenating the names of the plurality of algorithms according to the arrangement order and processing the concatenated data to obtain the fingerprint of the client specifically includes:
concatenating the names of the algorithms according to the arrangement order and a preset concatenation formula to obtain a concatenated character string;
and encrypting the concatenated character string to obtain the fingerprint of the client.
3. The method according to claim 1, wherein the determining the arrangement order of a plurality of algorithms in the exchange information specifically comprises:
determining the algorithm types corresponding to the plurality of algorithms present in the exchange information, the algorithm types comprising at least one of a key exchange method, an encryption method, a message authentication method and a compression method;
determining a preset order corresponding to each algorithm type;
and determining the arrangement order of the plurality of algorithms according to the preset order.
4. The method according to claim 1, wherein the matching of the fingerprint against a pre-generated fingerprint library to verify the security of the client comprises:
determining that a network exchange protocol router exists between the client and the server under an SSH environment;
matching the fingerprint against the pre-generated fingerprint library, and determining that the client is a brute-force cracking client;
and blocking the client.
5. The method according to claim 1, wherein the matching of the fingerprint against a pre-generated fingerprint library to verify the security of the client comprises:
determining the firmware built into the Internet of Things device on the client side;
and matching the fingerprint against the pre-generated fingerprint library to identify that the client is a client that covertly leaks data.
6. The method according to claim 2, wherein the encrypting the concatenated character string to obtain the fingerprint of the client specifically includes:
performing a hash calculation on the concatenated character string to generate a hash value;
and taking the hash value as the fingerprint of the client.
7. The method according to claim 2, wherein determining the preset concatenation formula specifically comprises:
reversing the characters of each algorithm name;
and concatenating the reversed names of the algorithms one after another.
8. The method of claim 1, wherein after matching the fingerprint against a pre-generated fingerprint library to verify the security of the client, the method further comprises:
if the matching is unsuccessful, acquiring the IP address of the client;
identifying the IP address;
if the IP address is abnormal, raising an alarm so that the relevant personnel can check the security of the client;
determining the client as an abnormal client;
and adding the client to the blacklist of the fingerprint library.
9. A detection device for discovering network threats based on SSH traffic, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
determine that a client and a server interact through SSH, and acquire, through traffic monitoring, the exchange information sent by the client in the key exchange stage;
determine the arrangement order of a plurality of algorithms in the exchange information;
concatenate the names of the algorithms according to the arrangement order, and process the concatenated data to obtain the fingerprint of the client;
and match the fingerprint against a pre-generated fingerprint library to verify the security of the client.
10. A non-transitory computer storage medium for discovering network threats based on SSH traffic, the computer storage medium having stored thereon computer-executable instructions configured to:
determine that a client and a server interact through SSH, and acquire, through traffic monitoring, the exchange information sent by the client in the key exchange stage;
determine the arrangement order of a plurality of algorithms in the exchange information;
concatenate the names of the algorithms according to the arrangement order, and process the concatenated data to obtain the fingerprint of the client;
and match the fingerprint against a pre-generated fingerprint library to verify the security of the client.
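The procedure of claims 1 to 3 and 6 to 8, carried through as an added example (this is not code from the patent or from its applicant): the client's SSH_MSG_KEXINIT is parsed into its name-lists following RFC 4253, the four algorithm types named in claim 3 are taken in a preset order, each algorithm name is reversed and the results are concatenated (claim 7), the string is hashed (claim 6) and the hash is looked up in a pre-generated fingerprint library; on a miss, the client's IP address is judged and an unknown client from an address outside the trusted networks is alarmed on and blacklisted (claim 8). The hash function (SHA-256), the choice of the client-to-server lists, the preset order of the types, the "block on brute-force label" policy, the trusted network and all KEXINIT name-lists and addresses are assumptions constructed for the example; the samples do not reproduce any real tool's algorithm lists.

```python
# Added example for the SSH client-fingerprint procedure; not the patent's own code.
# Assumptions: SHA-256 as the hash, client-to-server lists, constructed samples.
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, field

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_c2s", "encryption_algorithms_s2c",
    "mac_algorithms_c2s", "mac_algorithms_s2c",
    "compression_algorithms_c2s", "compression_algorithms_s2c",
    "languages_c2s", "languages_s2c",
)
# Preset order of the four algorithm types of claim 3 (the order itself is an assumption).
FINGERPRINT_FIELDS = ("kex_algorithms", "encryption_algorithms_c2s",
                      "mac_algorithms_c2s", "compression_algorithms_c2s")


def encode_kexinit(lists):
    """Build a KEXINIT payload from name-lists; used only to construct sample traffic."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16     # message id + 16-byte cookie (zeroed)
    for f in KEXINIT_FIELDS:
        s = ",".join(lists.get(f, [])).encode("ascii")
        out += struct.pack(">I", len(s)) + s          # name-list = uint32 length + string
    return out + b"\x00" + struct.pack(">I", 0)       # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Extract the ten name-lists from a KEXINIT payload; malformed input raises ValueError."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for f in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[f] = raw.split(",") if raw else []
    return lists


def splice_names(lists):
    """Claim 7: reverse the characters of each algorithm name, then concatenate in preset order."""
    return "".join(name[::-1] for f in FINGERPRINT_FIELDS for name in lists[f])


def client_fingerprint(lists):
    """Claim 6: the fingerprint is a hash of the spliced string (SHA-256 is an assumption)."""
    return hashlib.sha256(splice_names(lists).encode("ascii")).hexdigest()


@dataclass
class FingerprintLibrary:
    known: dict                     # fingerprint -> label, e.g. "brute-force client"
    trusted_nets: list              # networks whose unknown clients are tolerated (assumption)
    blacklist: set = field(default_factory=set)

    def verify(self, fingerprint, client_ip):
        """Claims 4 and 8: match first; on a miss, judge the client's IP address."""
        if fingerprint in self.known:
            label = self.known[fingerprint]
            # Policy assumed for the example: block brute-force clients, alert on other labels.
            return ("block" if label == "brute-force client" else "alert") + ":" + label
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.trusted_nets):
            return "allow:unknown client from trusted network"
        self.blacklist.add(fingerprint)   # claim 8: abnormal address -> blacklist the client
        return "alarm:unknown client from abnormal address"


# Constructed sample name-lists; they do not reproduce any real client's KEXINIT.
SAMPLE_BRUTE = {
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_c2s": ["aes128-ctr", "3des-cbc"],
    "encryption_algorithms_s2c": ["aes128-ctr", "3des-cbc"],
    "mac_algorithms_c2s": ["hmac-sha1"], "mac_algorithms_s2c": ["hmac-sha1"],
    "compression_algorithms_c2s": ["none"], "compression_algorithms_s2c": ["none"],
}
SAMPLE_ADMIN = {
    "kex_algorithms": ["curve25519-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519"],
    "encryption_algorithms_c2s": ["chacha20-poly1305@openssh.com"],
    "encryption_algorithms_s2c": ["chacha20-poly1305@openssh.com"],
    "mac_algorithms_c2s": ["hmac-sha2-256-etm@openssh.com"],
    "mac_algorithms_s2c": ["hmac-sha2-256-etm@openssh.com"],
    "compression_algorithms_c2s": ["none", "zlib@openssh.com"],
    "compression_algorithms_s2c": ["none", "zlib@openssh.com"],
}


def build_library():
    """Pre-generated fingerprint library (claim 1), seeded from the constructed brute-force sample."""
    return FingerprintLibrary(
        known={client_fingerprint(SAMPLE_BRUTE): "brute-force client"},
        trusted_nets=[ipaddress.ip_network("10.0.0.0/8")],   # assumed administrative network
    )


def inspect_session(kexinit_payload, client_ip, library):
    """One observed client KEXINIT: parse -> fingerprint -> verify (claims 1 and 8)."""
    return library.verify(client_fingerprint(parse_kexinit(kexinit_payload)), client_ip)


if __name__ == "__main__":
    lib = build_library()
    print(inspect_session(encode_kexinit(SAMPLE_BRUTE), "203.0.113.7", lib))
    print(inspect_session(encode_kexinit(SAMPLE_ADMIN), "10.1.2.3", lib))
    print(inspect_session(encode_kexinit(SAMPLE_ADMIN), "198.51.100.9", lib))
```

The parser rejects truncated name-lists rather than fingerprinting a partial payload, which matters in practice because a fingerprint computed from a cut-off list would silently miss the library. Note that the fingerprint depends only on the order of algorithm names, so two clients that advertise the same lists in the same order are indistinguishable to this check; the IP fallback of claim 8 is what handles clients the library has never seen.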
CN202110471714.0A 2021-04-29 2021-04-29 Detection method, device and medium for discovering network threat based on SSH flow Active CN113132406B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110471714.0A CN113132406B (en) 2021-04-29 2021-04-29 Detection method, device and medium for discovering network threat based on SSH flow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110471714.0A CN113132406B (en) 2021-04-29 2021-04-29 Detection method, device and medium for discovering network threat based on SSH flow

Publications (2)

Publication Number Publication Date
CN113132406A true CN113132406A (en) 2021-07-16
CN113132406B CN113132406B (en) 2022-06-07

Family

ID=76780867

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110471714.0A Active CN113132406B (en) 2021-04-29 2021-04-29 Detection method, device and medium for discovering network threat based on SSH flow

Country Status (1)

Country Link
CN (1) CN113132406B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070234063A1 (en) * 2006-03-30 2007-10-04 Yukiya Ueda System, method and program for off-line user authentication
CN101706870A (en) * 2009-10-26 2010-05-12 中山大学 GPU-based system for realizing media qualification characteristic recognition and method
CN101888383A (en) * 2010-06-30 2010-11-17 北京交通大学 Method for implementing extensible trusted SSH
US20130247184A1 (en) * 2011-04-27 2013-09-19 Mcafee, Inc. Stealth Network Attack Monitoring
CN103345602A (en) * 2013-06-14 2013-10-09 腾讯科技(深圳)有限公司 Client-side code integrality detection method, device and system
US9531736B1 (en) * 2012-12-24 2016-12-27 Narus, Inc. Detecting malicious HTTP redirections using user browsing activity trees
CN112000942A (en) * 2020-10-30 2020-11-27 成都掌控者网络科技有限公司 Authority list matching method, device, equipment and medium based on authorization behavior
CN112019574A (en) * 2020-10-22 2020-12-01 腾讯科技(深圳)有限公司 Abnormal network data detection method and device, computer equipment and storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113596065A (en) * 2021-10-08 2021-11-02 成都数默科技有限公司 SSH protocol login state detection method based on machine learning
CN113596065B (en) * 2021-10-08 2021-12-07 成都数默科技有限公司 SSH protocol login state detection method based on machine learning
CN114928452A (en) * 2022-05-17 2022-08-19 壹沓科技(上海)有限公司 Access request verification method, device, storage medium and server
CN114928452B (en) * 2022-05-17 2024-02-13 壹沓科技(上海)有限公司 Access request verification method, device, storage medium and server

Also Published As

Publication number Publication date
CN113132406B (en) 2022-06-07

Similar Documents

Publication Publication Date Title
US20170324555A1 (en) System and method for preemptive self-healing security
US9275237B2 (en) Method and apparatus for privacy and trust enhancing sharing of data for collaborative analytics
US10382562B2 (en) Verification of server certificates using hash codes
Cheema et al. [Retracted] Prevention Techniques against Distributed Denial of Service Attacks in Heterogeneous Networks: A Systematic Review
JP2016136735A (en) System, device, program, and method for protocol fingerprint acquisition and evaluation correlation
CN113132406B (en) Detection method, device and medium for discovering network threat based on SSH flow
CN110417717B (en) Login behavior identification method and device
US10073980B1 (en) System for assuring security of sensitive data on a host
US10931691B1 (en) Methods for detecting and mitigating brute force credential stuffing attacks and devices thereof
Kumar et al. Review on security and privacy concerns in Internet of Things
US9350754B2 (en) Mitigating a cyber-security attack by changing a network address of a system under attack
US10277576B1 (en) Diameter end-to-end security with a multiway handshake
US11882112B2 (en) Information security system and method for phishing threat prevention using tokens
US11792224B2 (en) Information security system and method for phishing threat detection using tokens
CN118368080A (en) Enterprise privacy analysis and anomaly discovery method, device, equipment and storage medium
Salim et al. Preventing ARP spoofing attacks through gratuitous decision packet
Tan et al. Securing password authentication for web-based applications
Prabhu et al. A novel cloud security enhancement scheme to defend against DDoS attacks by using deep learning strategy
CN111259400B (en) Vulnerability detection method, device and system
Hajdarevic et al. Internal penetration testing of Bring Your Own Device (BYOD) for preventing vulnerabilities exploitation
KR100862321B1 (en) Method and apparatus for detecting and blocking network attack without attack signature
CN110830498A (en) Continuous attack detection method and system based on mining
Müller Evaluating the Security and Resilience of Typical off the Shelf CoAP IoT Devices: Assessing CoAP and Wi-Fi vulnerabilities
Bolannavar Privacy-Preserving Public Auditing using TPA for Secure Cloud Storage
Sree et al. Secure logging scheme for forensic analysis in cloud

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant