CN115664833B - Network hijacking detection method based on local area network safety equipment

Info

Publication number: CN115664833B
Authority: CN (China)
Prior art keywords: information, ttl, session, network, hijacking
Legal status: Active
Application number: CN202211368185.2A
Other languages: Chinese (zh)
Other versions: CN115664833A (en)
Inventors: 彭程竟, 刘健, 许光全
Current assignee: Tianjin University
Original assignee: Tianjin University
Priority date: 2022-11-03
Filing date: 2022-11-03
Publication dates: CN115664833A 2023-01-31; CN115664833B 2024-04-02

Classifications

    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to computer communication and network security. Its aims are to perform hijacking detection using header fields from several protocol layers and to subdivide the various hijacking conditions; to detect the data flows in the network in real time with low system resource consumption; and to decide whether hijacking is present without relying on other network resources or on a database of normal information built in advance. The technical scheme adopted by the invention is a network hijacking detection method based on local area network safety equipment comprising the following steps: detecting the packet header information, recording the packet header information, and matching rules to obtain a detection result. The invention is mainly applied in network communication security settings.

Description

Network hijacking detection method based on local area network safety equipment
Technical Field
The invention relates to computer communication and network security, in particular to a network hijacking detection method based on local area network security equipment.
Background
With the rapid development of the internet, the problem of network hijacking has become increasingly serious. Network traffic hijacking can be classified into hijacking inside the local area network and hijacking outside it; existing network traffic hijacking is mainly hijacking of plaintext transmissions outside the local area network, where plaintext network traffic is intercepted by an attacker or implanted with malicious data, so that the user cannot obtain normal network service and user equipment may even be damaged. For example, the content of a website the user visits cannot be displayed normally, the target website cannot be reached, or an application program fails with errors. An attacker mainly targets TCP (transmission control protocol) connections and the HTTP (hypertext transfer protocol) connections established on top of TCP; these connections use plaintext transmission, so forged packets are accepted as legitimate ones and the user's host processes the received messages incorrectly. Although many vendors now use encrypted transmission protocols to interact with users, a large part of the internet still uses plaintext transmission, so session hijacking detection for that part remains very important.
The current session hijacking attack detection methods for plaintext transmission are mainly the following:
Detection method 1: the IP addresses and port numbers of proxy servers in each region are crawled using web crawler technology; the browser is configured to access the target website through the proxy servers and the website content is recorded; the target website is then accessed without the proxy servers, and the content obtained before and after is compared. If the content differs, hijacking is shown to exist. (Patent No. 201410403660.4)
Detection method 2: the network flows corresponding to each IP over a period of time are counted in the core routing network, the TTL value and IPID number change of each packet are recorded, and hijacking is judged to exist if the TTL value and IPID number changes exceed a set threshold and reach a certain count. (Patent No. 201710112616.1)
Detection method 3: whether the user's web page is abnormal is detected; if so, a screenshot is captured to save the interface content and detection data are obtained; ping operations are carried out on the detection data one by one, and the ping packet loss rate, the screenshot content and a result log are submitted to a server for model detection, which judges whether the network is hijacked. (Patent No. 202010567944.2)
State of the related art
Detection method 1 above obtains normal data through network resources in other regions, and whether the network is hijacked is learned by comparing the data accessed over the local network with that normal data; if the other networks are also hijacked, it cannot be determined whether the local network is hijacked. The method also cannot detect in real time.
Detection method 2 above places the detection tool at a core routing network node, and can only distinguish data flows by IP, not by the ports above IP. Moreover, current TCP/IP protocol stacks no longer generate IPID values from a separate IPID counter per destination IP: in 2014, in Linux 3.16, the kernel developers recognized that using a separate counter for each IP destination has a performance problem, and since a single global up-counter is not desirable either, they adopted a hybrid approach consisting of 2048 global up-counters. To determine which counter to use for an IP datagram, the destination address of the datagram is hashed together with a secret value that is randomly generated at system start-up; the resulting hash (mod 2^11, i.e. 2048) gives the index of the counter. Each counter is 32 bits wide to accommodate IPv6, while for IPv4 the IPID is taken from the lower 16 bits of the counter.
The generated IPID value does not increase linearly: each time a counter is used to assign an IPID, rather than incrementing it by 1, the kernel adds a number uniformly distributed between 1 and the number of system ticks elapsed since the counter was last used. For IPv6 TCP packets an IPID need not exist at all: if the byte size of the IPv6 packet does not trigger fragmentation, the TCP/IP stack does not allocate an IPID value to it. It follows that, because packet transmission intervals are unpredictable and vary widely, the generated IPID values fluctuate strongly, and an IPID value is not necessarily present in every TCP datagram.
Because IPID values have become unpredictable and an increasing number of vendors use the new TCP/IP stacks, the effectiveness of TCP hijacking detection based on this dimension is likely to degrade. In addition, the information of each IP data stream must be collected over a period of time, so the consumption of system resources is huge; and because the transport-layer port numbers of each IP are not subdivided for classification and identification, excessive false alarms can result, and hijacking cannot be detected in real time.
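To make the argument about IPID unpredictability concrete, here is an added simulation of the hybrid counter scheme the paragraphs above describe. It is our code, not the patent's and not the kernel's source: the keyed hash (HMAC-SHA256 over the destination address) and the seeded random step are stand-ins for the kernel's own hash function and timing, while the constants (2048 counters selected by hash mod 2^11, 32-bit counters, IPv4 ID from the lower 16 bits, step uniform in [1, ticks since last use]) are taken from the text. The destination address and send schedule are constructed sample values.

```python
import hashlib
import hmac
import random
from typing import List

NUM_COUNTERS = 2048          # 2^11 global up-counters
COUNTER_MASK = 0xFFFFFFFF    # each counter is 32 bits wide
IPV4_ID_MASK = 0xFFFF        # IPv4 takes the lower 16 bits of the counter


class IpIdGenerator:
    """Simulation (not kernel code) of the 2048-counter IPID scheme described above."""

    def __init__(self, secret: bytes, seed: int = 0):
        self.secret = secret                  # stands in for the per-boot random secret
        self.rng = random.Random(seed)        # seeded only so the demo is repeatable
        self.counters = [0] * NUM_COUNTERS
        self.last_used = [0] * NUM_COUNTERS   # tick at which each counter was last used

    def counter_index(self, dst: str) -> int:
        # Keyed hash of the destination address, reduced mod 2^11 (assumed hash function).
        digest = hmac.new(self.secret, dst.encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") % NUM_COUNTERS

    def next_ipv4_id(self, dst: str, now_ticks: int) -> int:
        idx = self.counter_index(dst)
        elapsed = max(1, now_ticks - self.last_used[idx])
        # The step is uniform in [1, ticks since last use], not a fixed +1.
        step = self.rng.randint(1, elapsed)
        self.counters[idx] = (self.counters[idx] + step) & COUNTER_MASK
        self.last_used[idx] = now_ticks
        return self.counters[idx] & IPV4_ID_MASK


def observe_ids(gen: IpIdGenerator, dst: str, send_ticks: List[int]) -> List[int]:
    """IPIDs carried by packets to one destination sent at the given tick times."""
    return [gen.next_ipv4_id(dst, t) for t in send_ticks]


def id_deltas(ids: List[int]) -> List[int]:
    """Successive differences modulo 2^16, as a monitor watching one flow would compute them."""
    return [(b - a) % (IPV4_ID_MASK + 1) for a, b in zip(ids, ids[1:])]


def deltas_within_tick_gaps(deltas: List[int], send_ticks: List[int]) -> bool:
    """True if every delta lies in [1, gap], gap being the tick interval between packets.
    Holds only when no other destination shares the counter, as in this single-flow demo."""
    gaps = [max(1, b - a) for a, b in zip(send_ticks, send_ticks[1:])]
    return all(1 <= d <= g for d, g in zip(deltas, gaps))


# Constructed send schedule (in ticks): a burst, a long idle period, another burst.
SEND_TICKS = [100, 101, 103, 110, 5000, 5001, 5002]


def demo() -> List[int]:
    gen = IpIdGenerator(secret=b"constructed-per-boot-secret", seed=7)
    return observe_ids(gen, "203.0.113.10", SEND_TICKS)


if __name__ == "__main__":
    ids = demo()
    print("ids:", ids)
    print("deltas:", id_deltas(ids))
```

Packets sent one tick apart step the ID by exactly 1, while the packet after the idle gap may jump by anything up to 4890; with other destinations hashing to the same counter the jumps become larger still. A threshold on IPID change therefore has to be set relative to observed timing, not as a fixed count, which is the weakness the text attributes to detection method 2.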
Detection method 3 above requires a knowledge base of normal access to be established in advance so that the server can learn whether there is hijacking by comparison; building the knowledge base consumes enormous effort, it is difficult to keep up with the changes of each website in real time, and the detection effect degrades over time.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention aims to:
1. carry out hijacking detection using header fields of several protocol layers, and subdivide the various hijacking conditions;
2. detect the data flows in the network in real time with low system resource consumption;
3. detect whether hijacking exists without relying on other network resources or on a database of normal information built in advance.
Therefore, the technical scheme adopted by the invention is a network hijacking detection method based on local area network safety equipment comprising the following steps: detecting the packet header information, recording the packet header information, and matching rules to obtain a detection result.
The detailed steps are as follows:
(1) Using the firewall equipment, filter the traffic down to TCP packets and HTTP packets carried over TCP, perform deep packet analysis on the packets obtained, and extract the header field information of the network layer and the application layer,
mainly comprising: source IP, source port number, destination IP, destination port number, TTL value, the flag bits of the TCP layer and the HTTP response status code;
(2) Arrange the obtained header field information into an entry, then decide whether the corresponding entry in the cache is to be updated or the new entry stored:
1) Initially the system's entry table is empty, and a new packet stores its entry in the cache directly, keyed by the four-tuple, which has the following structure:
tetrad = (src_ip, src_port, dst_ip, dst_port)
where src_ip is the source IP, src_port the source port, dst_ip the destination IP and dst_port the destination port;
2) If the cache is not empty, check whether the four-tuple of the newly generated entry already exists in the cache. If not, store the new entry in the cache directly; otherwise compare the TTL value of the new entry with the TTL value of the corresponding cached entry, and judge as follows:
(a) If the absolute value of the difference exceeds the threshold, an abnormal session flow is considered to exist, and the subsequent judgment is needed to refine the various conditions;
(b) If the absolute value of the difference does not exceed the threshold, the current session flow is considered normal, and the TTL value of the corresponding cached entry is updated.
TTL_Mean is generated by the following formula:
TTL_Mean = (TTL_Mean*(n-1)+TTL)/n
The newly generated TTL value is computed by the following formula:
where New TTL is an integer, the floor operation denotes rounding down, TTL_Mean is the average TTL of the data stream, TTL is the TTL value of the newly generated entry, and n is the total number of packets of the current data stream so far;
3) Setting the threshold requires actual statistical observation, by two methods:
(a) Compare the ranges (maximum minus minimum TTL) of several data streams: if the range of a stream is small, the stream is considered not to be subject to hijacking; conversely, it may be considered hijacked. During data interaction between a terminal and an external test server, the content of the server's reply packets is fixed in advance, whether the content changes between before and after is checked, the change of the stream's TTL is observed, and whether hijacking has occurred is judged;
(b) Observe whether the correct content is returned, whether malicious advertisements are implanted and whether irrelevant web pages are jumped to, together with the change of the streams' TTL, to judge whether hijacking has occurred; taking the current network environment into account, a suitable threshold size is found that separates normal data streams from abnormal ones;
(3) Establish the matching rules for the subsequent judgment in the case that the TTL difference exceeds the threshold:
1) TCP flag bits: the TCP protocol has several flag bits, and different flag bits represent the current state of the TCP session; whether the session is normal, and what problem has occurred, can be learned from the changes of the flag bits. The flag bits are as follows:
F: session end (FIN)
P: immediate transmission (PSH)
A: acknowledgement bit (ACK)
R: reset bit (RST)
S: synchronization bit (SYN)
If the R field is 1, the TCP session is considered to have encountered a serious error; the session is ended and a new session is re-established.
A TCP packet can carry several of these flag bits at the same time.
If the flag bits are SA, the TCP session handshake is considered to have been hijacked;
if the flag bits are FPA, the session is preliminarily considered abnormal and is judged further in combination with the HTTP layer information;
if the flag bit is R, the attacker is considered to have reset the session during communication;
if the flag bit is F, the session is preliminarily considered abnormal and is judged further in combination with the HTTP layer information.
2) HTTP status code: the status code is detailed information obtained from the target server; the state of the target server and the operation to perform next can be learned from the different status codes. The main status codes, which give feedback on the state of the data request, are:
200: page request succeeded; 30{0-7}: page redirection.
If the flag bits are FPA and the HTTP status code is 30{0-7}, it is determined that some files in the session stream have been hijacked and tampered with;
if the flag bit is F and the HTTP status code is 200, it is determined that the session has been tampered with by the attacker and the session is ended.
The characteristics and beneficial effects of the invention are as follows:
The invention targets network hijacking detection for local area network security. The intranet client interacts with an Internet server, and the traffic can be hijacked or tampered with on its way back into the local area network; by continuously monitoring the data flows, the abnormal part of a flow is discovered and alerted, so the invention obtains the following beneficial effects:
1. Session hijacking in today's networks prevents the user from interacting with the target server normally and can even cause serious property loss. The invention performs rule matching on multi-layer protocol information, refines the hijacking behaviour, makes the specific hijacking behaviour that occurred known, and points the direction for subsequent precautions.
2. Regarding the timeliness of network hijacking detection, the scheme is deployed on the firewall through which incoming and outgoing traffic must pass, as a detection module that checks each data flow for anomalies in real time, so an alarm can be raised promptly and greater damage and loss avoided.
3. Regarding the characteristics of firewall equipment, the invention does not occupy many system resources and requires little computation; it is a lightweight detection method that reduces the impact on the firewall's forwarding performance.
Description of the drawings:
Fig. 1 is the complete detection flow chart.
Fig. 2 is a flowchart of the matching rules for the subsequent judgment when the TTL difference exceeds the threshold.
Fig. 3 is the current LAN topology.
Fig. 4 is a schematic diagram of the program recording and monitoring the status of each session flow.
Fig. 5 is the warning log output when hijacking occurs while the program is running.
Detailed Description
The whole flow of this scheme mainly comprises: detecting the packet header information, recording the packet header information, and matching rules to obtain a detection result.
The complete detection flow of the invention is shown in Fig. 1.
The method is mainly deployed as a detection module on the firewall equipment of the local area network: external network traffic entering the LAN passes through the firewall first and reaches the internal network devices after the firewall's detection. The network administrator can choose whether to turn the detection module on according to the current network situation.
The detailed description is as follows:
(1) The firewall device filters the traffic down to TCP packets and HTTP packets carried over TCP, and deep packet parsing is performed on the packets obtained to extract the header field information (where present) of the network layer and the application layer. It mainly comprises: source IP, source port number, destination IP, destination port number, TTL value, the flag bits of the TCP layer, and the HTTP response status code (if any).
(2) The obtained header field information is arranged into an entry, and it is then decided whether to update the corresponding entry in the cache or to store the new entry in the cache.
1) Initially the system's entry table is empty, and a new packet stores its entry in the cache directly, keyed by the four-tuple. The four-tuple structure is as follows:
tetrad = (src_ip, src_port, dst_ip, dst_port)
where src_ip is the source IP, src_port the source port, dst_ip the destination IP and dst_port the destination port.
2) If the cache is not empty, check whether the four-tuple of the newly generated entry already exists in the cache. If not, store the new entry in the cache directly; otherwise compare the TTL value of the new entry with the TTL value of the corresponding cached entry, and judge as follows:
(a) If the absolute value of the difference exceeds the threshold, an abnormal session flow is considered to exist, and the subsequent judgment is needed to refine the various cases.
(b) If the absolute value of the difference does not exceed the threshold, the current session flow is considered normal, and the TTL value of the corresponding cached entry is updated.
TTL_Mean is generated by the following formula:
TTL_Mean = (TTL_Mean*(n-1)+TTL)/n
The newly generated TTL value is computed by the following formula:
where New TTL is an integer, the floor operation denotes rounding down, TTL_Mean is the average TTL of the data stream, TTL is the TTL value of the newly generated entry, and n is the total number of packets of the current data stream so far.
3) Setting the threshold requires actual statistical observation, mainly by the following two methods:
(a) Compare the ranges (maximum minus minimum TTL) of several data streams: if the range of a stream is very small, the stream can basically be considered not to be subject to hijacking; conversely, the terminal can be considered to be under a hijacking attack. In practice, during data interaction between the terminal and an external test server, the content of the server's reply packets is fixed in advance, whether the content changes between before and after is checked, and whether the terminal is being hijacked can be judged by observing the change of the TTL (time to live) of the data flow.
(b) By observing whether the correct content is returned, whether malicious advertisements are implanted and whether irrelevant web pages are jumped to, together with the change of the TTL of the data stream, whether hijacking is occurring can be judged. Taking the current network environment into account, a suitable threshold size is found that separates normal data flows from abnormal ones.
(3) When the TTL difference exceeds the threshold, the matching rules for the subsequent judgment are as shown in Fig. 2:
1) TCP flag bits: the TCP protocol has several flag bits, and different flag bits represent the current state of the TCP session; whether the session is normal, and what problem has occurred, can be learned from the changes of the flag bits. Table 1 gives the main flag bits:
TABLE 1
Flag  Meaning
F     Session end (FIN)
P     Immediate transmission (PSH)
A     Acknowledgement bit (ACK)
R     Reset bit (RST)
S     Synchronization bit (SYN)
If the R field is 1, the TCP session is considered to have encountered a serious error; the session is ended and a new session is re-established.
A TCP packet may carry several of these flag bits at the same time.
If the flag bits are SA, the TCP session handshake is considered to have been hijacked.
If the flag bits are FPA, the session can preliminarily be considered abnormal and is judged further in combination with the HTTP layer information.
If the flag bit is R, the attacker can be considered to have reset the session during communication.
If the flag bit is F, the session can preliminarily be considered abnormal and is judged further in combination with the HTTP layer information.
2) HTTP status code: the status code is detailed information obtained from the target server; the state of the target server and the operation to perform next can be learned from the different status codes. The main status codes, which give feedback on the state of the data request, are:
200: page request succeeded; 30{0-7}: page redirection.
If the flag bits are FPA and the HTTP status code is 30{0-7}, it can be determined that some files in the session stream have been hijacked and tampered with.
If the flag bit is F and the HTTP status code is 200, it can be determined that the session has been tampered with by the attacker and the session is ended.
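As an added, self-contained illustration (our code, not the patent's implementation), the following Python sketch carries steps (2) and (3) above through on constructed sample headers: a four-tuple keyed cache, the TTL_Mean update with the floored New TTL, the threshold test, the flag/status rule table, and the per-flow TTL range used in 3)(a) when choosing the threshold. The PacketInfo fields, the verdict strings, the threshold of 5, and the sample addresses, flags and TTLs are all our assumptions.

```python
from dataclasses import dataclass
from math import floor
from typing import Dict, List, Optional, Tuple

FourTuple = Tuple[str, int, str, int]

# Verdicts for the rules in step (3); the wording is ours, not the patent's.
V_FILES_TAMPERED = "FPA + 30x: files in the session stream hijacked/tampered"
V_SESSION_TAMPERED = "F + 200: session tampered with by attacker and ended"
V_HANDSHAKE = "SA: TCP handshake hijacked"
V_RESET = "R: session reset by attacker"
V_ABNORMAL_FPA = "FPA: session abnormal, no HTTP status to refine"
V_ABNORMAL_F = "F: session abnormal, no HTTP status to refine"
V_TTL_ONLY = "TTL jump without a matching flag/status rule"


@dataclass
class PacketInfo:
    """Header fields extracted by the firewall's deep packet parsing (step (1))."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ttl: int
    flags: str                          # TCP flag letters, e.g. "SA", "PA", "FPA", "R"
    http_status: Optional[int] = None   # HTTP response status code, None if absent

    def key(self) -> FourTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


@dataclass
class Entry:
    """Cached entry for one four-tuple: running TTL mean and packet count n."""
    ttl_mean: float
    n: int


def update_ttl_mean(ttl_mean: float, ttl: int, n: int) -> float:
    """TTL_Mean = (TTL_Mean*(n-1) + TTL)/n, where n already counts the new packet."""
    return (ttl_mean * (n - 1) + ttl) / n


def new_ttl(ttl_mean: float) -> int:
    """Integer TTL kept for comparison: the mean rounded down (the patent's New TTL)."""
    return floor(ttl_mean)


def match_rule(flags: str, http_status: Optional[int]) -> str:
    """Step (3): refine a TTL anomaly using the TCP flag bits and the HTTP status code."""
    f = set(flags.upper())
    redirect = http_status is not None and 300 <= http_status <= 307
    if f == {"F", "P", "A"} and redirect:
        return V_FILES_TAMPERED
    if f == {"F"} and http_status == 200:
        return V_SESSION_TAMPERED
    if f == {"S", "A"}:
        return V_HANDSHAKE
    if "R" in f:
        return V_RESET
    if f == {"F", "P", "A"}:
        return V_ABNORMAL_FPA
    if f == {"F"}:
        return V_ABNORMAL_F
    return V_TTL_ONLY


class HijackDetector:
    """Step (2): the four-tuple keyed cache with the TTL threshold test."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.cache: Dict[FourTuple, Entry] = {}

    def process(self, pkt: PacketInfo) -> Optional[str]:
        """Return a verdict for an anomalous packet, or None for a normal one."""
        entry = self.cache.get(pkt.key())
        if entry is None:                           # 1) first packet of the flow: store
            self.cache[pkt.key()] = Entry(float(pkt.ttl), 1)
            return None
        if abs(pkt.ttl - new_ttl(entry.ttl_mean)) > self.threshold:   # 2)(a)
            return match_rule(pkt.flags, pkt.http_status)
        entry.n += 1                                # 2)(b) normal: update the mean
        entry.ttl_mean = update_ttl_mean(entry.ttl_mean, pkt.ttl, entry.n)
        return None


def flow_ttl_ranges(packets: List[PacketInfo]) -> Dict[FourTuple, int]:
    """Step 3)(a): per-flow TTL range (max - min), observed when choosing the threshold."""
    seen: Dict[FourTuple, List[int]] = {}
    for p in packets:
        seen.setdefault(p.key(), []).append(p.ttl)
    return {k: max(v) - min(v) for k, v in seen.items()}


# Constructed sample traffic, server -> client direction only (documentation/private
# addresses, TTLs chosen by us): a normal HTTP exchange ending with an injected
# FIN/PSH/ACK that carries a 302, and a handshake where a second SYN/ACK arrives
# with a very different TTL.
SAMPLE = [
    PacketInfo("203.0.113.10", 80, "192.168.1.20", 51000, 52, "SA"),
    PacketInfo("203.0.113.10", 80, "192.168.1.20", 51000, 52, "PA", 200),
    PacketInfo("203.0.113.10", 80, "192.168.1.20", 51000, 51, "PA"),
    PacketInfo("203.0.113.10", 80, "192.168.1.20", 51000, 118, "FPA", 302),
    PacketInfo("198.51.100.7", 80, "192.168.1.21", 51001, 52, "SA"),
    PacketInfo("198.51.100.7", 80, "192.168.1.21", 51001, 240, "SA"),
]


def run_demo(threshold: int = 5) -> List[Tuple[FourTuple, str]]:
    """Feed the sample through the detector and collect (flow, verdict) alerts."""
    det = HijackDetector(threshold)
    alerts = []
    for pkt in SAMPLE:
        verdict = det.process(pkt)
        if verdict is not None:
            alerts.append((pkt.key(), verdict))
    return alerts


if __name__ == "__main__":
    for key, verdict in run_demo():
        print(key, "->", verdict)
```

Running the module prints two alerts: the FIN/PSH/ACK carrying a 302 in the first flow matches the FPA + 30x rule, and the second SYN/ACK in the second flow matches the SA rule. The rules only fire after a TTL jump, so a forged packet whose TTL happens to match the genuine server path is not caught by this check alone; that is why the threshold in 3)(a) and (b) has to be calibrated against the real path rather than fixed in advance.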
The technical scheme of the invention is described in detail below with reference to the accompanying drawings and a specific example.
A practical example is described below:
Assume the current LAN topology is as shown in Fig. 3.
Incoming and outgoing intranet traffic is filtered by the firewall. The detection program is deployed on the firewall, or the firewall's port is mirrored and the traffic stored on a bypass device, where non-real-time detection can be performed.
The traffic in the current network is captured continuously, and the program records and monitors the status of each session flow, as shown in Fig. 4.
The program continuously records the information of each data stream. If the detection field of a new packet does not exceed the threshold, the new TTL value is calculated and stored in the corresponding entry of the system cache; if the TTL in the header of the new packet exceeds the threshold, the detection result is output according to the preset rules, and if hijacking occurs while the program is running, a warning log is output, as shown in Fig. 5.
The invention can detect different hijacking behaviours and output the detection result in real time.
The foregoing is merely illustrative of the present invention and does not limit it; any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention fall within its scope.

Claims (1)

1. A network hijacking detection method based on local area network safety equipment, characterized by comprising the following steps: detecting the packet header information, recording the packet header information, and matching rules to obtain a detection result; the method comprises the following specific steps:
(1) Using the firewall equipment, filter the traffic down to TCP packets and HTTP packets carried over TCP, perform deep packet analysis on the packets obtained, and extract the header field information of the network layer and the application layer,
mainly comprising: source IP, source port number, destination IP, destination port number, TTL value, the flag bits of the TCP layer and the HTTP response status code;
(2) Arrange the obtained header field information into an entry, then decide whether the corresponding entry in the cache is to be updated or the new entry stored:
1) Initially the system's entry table is empty, and a new packet stores its entry in the cache directly, keyed by the four-tuple, which has the following structure:
tetrad = (src_ip, src_port, dst_ip, dst_port)
where src_ip is the source IP, src_port the source port, dst_ip the destination IP and dst_port the destination port;
2) If the cache is not empty, check whether the four-tuple of the newly generated entry already exists in the cache. If not, store the new entry in the cache directly; otherwise compare the TTL value of the new entry with the TTL value of the corresponding cached entry, and judge as follows:
(a) If the absolute value of the difference exceeds the threshold, an abnormal session flow is considered to exist, and the subsequent judgment is needed to refine the various conditions;
(b) If the absolute value of the difference does not exceed the threshold, the current session flow is considered normal, and the TTL value of the corresponding cached entry is updated;
TTL_Mean is generated by the following formula:
TTL_Mean = (TTL_Mean*(n-1)+TTL)/n
The newly generated TTL value is computed by the following formula:
where New TTL is an integer, the floor operation denotes rounding down, TTL_Mean is the average TTL of the data stream, TTL is the TTL value of the newly generated entry, and n is the total number of packets of the current data stream so far;
3) Setting the threshold requires actual statistical observation, by two methods:
(a) Compare the ranges (maximum minus minimum TTL) of several data streams: if the range of a stream is small, the stream is considered not to be subject to hijacking; conversely, it is considered hijacked. During data interaction between a terminal and an external test server, the content of the server's reply packets is fixed in advance, whether the content changes between before and after is checked, the change of the stream's TTL is observed, and whether hijacking has occurred is judged;
(b) Observe whether the correct content is returned, whether malicious advertisements are implanted and whether irrelevant web pages are jumped to, together with the change of the streams' TTL, to judge whether hijacking has occurred; taking the current network environment into account, a suitable threshold size is found that separates normal data streams from abnormal ones;
(3) Establish the matching rules for the subsequent judgment in the case that the TTL difference exceeds the threshold:
1) TCP flag bits: the TCP protocol has several flag bits, and different flag bits represent the current state of the TCP session; whether the session is normal, and what problem has occurred, are learned from the changes of the flag bits. The flag bits are as follows:
F: session end
P: immediate transmission
A: acknowledgement bit
R: reset bit
S: synchronization bit
If the R field is 1, the TCP session is considered to have encountered a serious error; the session is ended and a new session is re-established;
a TCP packet can carry several of these flag bits at the same time;
if the flag bits are SA, the TCP session handshake is considered to have been hijacked;
if the flag bits are FPA, the session is preliminarily considered abnormal and is judged further in combination with the HTTP layer information;
if the flag bit is R, the attacker is considered to have reset the session during communication;
if the flag bit is F, the session is preliminarily considered abnormal and is judged further in combination with the HTTP layer information;
2) HTTP status code: the status code is detailed information obtained from the target server; the state of the target server and the operation to perform next are learned from the different status codes. The main status codes, which give feedback on the state of the data request, are:
200: page request succeeded; 30{0-7}: page redirection;
if the flag bits are FPA and the HTTP status code is 30{0-7}, it is determined that some files in the session stream have been hijacked and tampered with;
if the flag bit is F and the HTTP status code is 200, it is determined that the session has been tampered with by the attacker and the session is ended.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202211368185.2A (CN115664833B) | 2022-11-03 | 2022-11-03 | Network hijacking detection method based on local area network safety equipment

Publications (2)

Publication Number | Publication Date
CN115664833A (en) | 2023-01-31
CN115664833B (en) | 2024-04-02

Family ID: 84995825

Country Status (1)

Country | Link
CN (1) | CN115664833B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117395082B (en) * 2023-12-11 2024-03-22 深圳市移卡科技有限公司 Service processing method, electronic device and storage medium

Citations (4)

Publication number Priority date Publication date Assignee Title
CN107566320A (en) * 2016-06-30 2018-01-09 中国电信股份有限公司 A kind of network kidnaps detection method, device and network system
CN108959923A (en) * 2018-05-31 2018-12-07 深圳壹账通智能科技有限公司 Comprehensive safety cognitive method, device, computer equipment and storage medium
WO2020062644A1 (en) * 2018-09-25 2020-04-02 平安科技(深圳)有限公司 Json hijack bug detection method, apparatus and device, and storage medium
WO2021197292A1 (en) * 2020-03-30 2021-10-07 上海连尚网络科技有限公司 Method for detecting dhcp hijacking, and device

Non-Patent Citations (1)

Title
Performance improvement and security enhancement of deep packet inspection; 刘立坤; China Doctoral Dissertations Full-text Database, Information Science and Technology (Issue 02); specification paragraphs [0055]-[0091] *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant