
CN107484173A - Wireless network intrusion detection method and device - Google Patents

Wireless network intrusion detection method and device

Info

Publication number: CN107484173A
Application number: CN201710945011.0A
Authority: CN (China)
Prior art keywords: electronic equipment, access, information, network, wireless network
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 柴坤哲, 曹鸿健, 王永涛, 杨卿
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd

Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201710945011.0A
Publication of CN107484173A
Legal status: Pending

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS › H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity › H04W 12/12 Detection or prevention of fraud
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic › H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic › H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic › H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic › H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic › H04L 63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a wireless network intrusion detection method and device. The method includes: obtaining the network traffic information generated by an electronic device that has intruded into the wireless network; analysing the network traffic information and determining, according to the analysis result, the device identifier of the electronic device and the device attribute information corresponding to that device identifier; and detecting the position information of the electronic device according to the device attribute information. The present invention can thus determine, from the network traffic information generated by the electronic device that intruded into the wireless network, the device identifier of the electronic device and the device attribute information corresponding to that identifier, and detect the position information of the electronic device from the device attribute information, so that targeted protection can be realized.

Description

Wireless network intrusion detection method and device
Technical field
The present invention relates to the field of network communication technology, and in particular to a wireless network intrusion detection method and device.
Background technology
With the continuous development of communication technology, the internet has become part of every aspect of life. However, hacking techniques, as a by-product of the internet's development, have also become pervasive and threaten network security ever more seriously.
Taking wireless networks as an example: although wireless networks have won an increasing number of users through the advantage of convenient access, hacker attacks carried out by intruding into wireless networks also occur more and more frequently. Various defensive measures have therefore appeared to counter such intrusions. Traditional defence mechanisms mainly strengthen the security of the wireless network itself, for example by resetting the wireless network password to one that is not easy to crack, or by strengthening the verification of accessing devices at the network access stage to prevent malicious access by illegitimate devices.
However, in the course of realizing the present invention, the inventors found that the above prior-art approaches have at least the following problem: existing approaches are mainly passive defensive measures taken before the intrusion, i.e. obstacles are raised before an electronic device attempts to access the wireless network in order to block malicious access by illegitimate electronic devices. Once the defence fails, however, the electronic device that has intruded into the wireless network can carry out malicious acts at will, and existing approaches cannot effectively detect the electronic device that has intruded into the wireless network.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a wireless network intrusion detection method and device that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, a wireless network intrusion detection method is provided, including:
obtaining the network traffic information generated by an electronic device that has intruded into the wireless network;
analysing the network traffic information and determining, according to the analysis result, the device identifier of the electronic device and the device attribute information corresponding to the device identifier;
detecting the position information of the electronic device according to the device attribute information.
According to another aspect of the present invention, a wireless network intrusion detection device is provided, including:
an acquisition module, adapted to obtain the network traffic information generated by an electronic device that has intruded into the wireless network;
an analysis module, adapted to analyse the network traffic information and determine, according to the analysis result, the device identifier of the electronic device and the device attribute information corresponding to the device identifier;
a detection module, adapted to detect the position information of the electronic device according to the device attribute information.
According to a further aspect of the present invention, an electronic device is provided, including a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above wireless network intrusion detection method.
According to a further aspect of the present invention, a computer-readable storage medium is provided, in which at least one executable instruction is stored; the executable instruction causes a processor to perform the operations corresponding to the above wireless network intrusion detection method.
In the wireless network intrusion detection method and device provided by the present invention, first the network traffic information generated by the electronic device that intruded into the wireless network is obtained; then the network traffic information is analysed and the device identifier of the electronic device and the device attribute information corresponding to that identifier are determined according to the analysis result; finally the position information of the electronic device is detected according to the device attribute information. The present invention can thus determine, from the network traffic information generated by the electronic device that intruded into the wireless network, the device identifier of the electronic device and the corresponding device attribute information, and detect the position information of the electronic device from the device attribute information, so that targeted protection can be realized.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and practised according to the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the detailed description of the preferred embodiments below, various other advantages and benefits will become clear to those of ordinary skill in the art. The accompanying drawings are only for the purpose of showing the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flow chart of the wireless network intrusion detection method provided by one embodiment of the invention;
Fig. 2 shows the structure chart of a wireless network intrusion detection system;
Fig. 3 shows the schematic structure of the multilayer loop in the wireless network intrusion detection system;
Fig. 4 shows the structure chart of the wireless network intrusion detection device provided by one embodiment of the invention;
Fig. 5 shows the schematic structure of the electronic device provided according to one embodiment of the invention.
Embodiments
Exemplary embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Fig. 1 shows a flow chart of a wireless network intrusion detection method provided by one embodiment of the invention. As shown in Fig. 1, the method comprises the following steps:
Step S110: obtain the network traffic information generated by an electronic device that has intruded into the wireless network.
Specifically, the network traffic information can be obtained in several ways. For example, when the executing body of the method is a preset device in the wireless network and the wireless network contains several preset devices, then in order to obtain accurately the network traffic generated between the electronic device and each preset device, this step can use a network transmission module or similar to obtain separately, for each preset device in the wireless network, the point-to-point network traffic information generated after the electronic device intruded into the wireless network, and to provide the obtained point-to-point network traffic information to the corresponding preset device. Each preset device accesses the wireless network in bridging mode. The preset device mentioned in this embodiment can be any kind of device, such as an intrusion detection module.
Step S120: analyse the network traffic information and determine, according to the analysis result, the device identifier of the electronic device and the device attribute information corresponding to the device identifier.
Device attribute information includes, but is not limited to, browser version, operating system version, device screen resolution, browser plug-in information, social account information, device fingerprint, plug-in information, time-zone information, GPU information, device language information and other such information.
Step S130: detect the position information of the electronic device according to the device attribute information.
For example, the position of the electronic device can be located from the device fingerprint, time-zone information and so on contained in the device attribute information, so as to trace its source. Furthermore, the device attribute information can be stored in a preset device attribute table, so that the relevant information of all currently accessed electronic devices can be queried quickly and operations such as positioning and source tracing carried out according to the query result.
Further, optionally, in order to obtain more information about the electronic device, the present invention further comprises, before the step of obtaining the network traffic information generated by the electronic device that intruded into the wireless network: generating in advance a preset access script for accessing a preset website, where the preset access script is to be inserted into the intercepted website access requests sent by the electronic device. The step of determining, according to the analysis result, the device identifier of the electronic device and the device attribute information corresponding to the device identifier then specifically includes: determining the device attribute information of the electronic device in combination with the obtained access result data corresponding to the preset website. The preset website includes a social networking site logged into with a social account, and the device attribute information of the electronic device then includes the social account information determined from the access result generated for the social networking site.
Further, optionally, the executing body of the method is a virtual machine or sandbox (i.e. the execution environment of the method is a virtualized environment); monitoring and recording of the intruding electronic device can be realized through the virtual machine or sandbox. However, the inventors found in realizing the present invention that some experienced attackers test for a virtualized environment and, once the test result identifies one, flee rapidly, which makes subsequent information gathering and positioning difficult. To solve this problem, the method in the present invention optionally further comprises the following steps:
Step S140: when an access request message for accessing the virtual machine or sandbox is monitored, determine whether the access request message is of a preset kind and, if so, intercept the access request message.
The access request message can be monitored through the network traffic information or in other ways. For example, the application programming interfaces (APIs) corresponding to access request messages for accessing the virtual machine or sandbox can be determined in advance and hooking functions set for these APIs; the hooking functions are used to monitor the access request messages triggered through the APIs.
Step S150: determine the access result data corresponding to the access request message, and determine the data type of the access result data.
Specifically, the process of determining the access result data corresponding to the access request message is: first, parse the parameters contained in the access request message and determine the access object of the access request message according to the parsing result; then determine the characteristic parameter of that access object and determine, according to the characteristic parameter of the access object, the access result data corresponding to the access request message.
Step S160: query the protection policy matching the data type of the access result data, and apply protective processing to the access request message according to the protection policy found.
The data type of the access result data includes a first data type and/or a second data type. Correspondingly, the protection policy matching the first data type includes: setting in advance pseudo result data corresponding to access result data of the first data type, and, when an access request message sent for access result data of the first data type is intercepted, returning for that access request message the pseudo result data corresponding to the access result data of the first data type. The protection policy matching the second data type includes: when an access request message sent for access result data of the second data type is intercepted, returning a null message for that access request message.
The above approach can effectively confuse the attacker behind the electronic device so that they cannot see through the virtualized environment, and thereby lure them into exposing more information.
The timing of the above steps S140 to S160 can be set flexibly: they can be executed after step S130, before step S110 or S120, or in parallel with steps S110 to S130; the present invention does not limit this.
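The three protective steps above, applied to constructed probe messages, as an added illustration in Python that is not code from the patent; the message kind `env_probe`, the access objects, their data-type assignment, the pseudo results and the `ProbeGuard` class are all assumptions made for this example.

```python
"""Protective handling of virtual-machine / sandbox probe requests (steps S140 to S160).

Added illustration, not code from the patent. The message format, the access
objects, their data-type assignment and the pseudo results are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PRESET_KIND = "env_probe"   # S140: only messages of this preset kind are intercepted

# S150: characteristic parameter of each known access object, reduced here to the
# data type of its access result data. Type 1 gets a pre-set pseudo result,
# type 2 gets a null message. Constructed assignment.
ACCESS_OBJECTS: Dict[str, int] = {
    "system.manufacturer": 1,
    "system.mac_prefix": 1,
    "system.cpu_count": 1,
    "vm.guest_agent": 2,
    "vm.hypervisor_flag": 2,
}

# S160, first data type: pseudo results fixed in advance so that every probe of
# the same object receives the same answer. Constructed values.
PSEUDO_RESULTS: Dict[str, str] = {
    "system.manufacturer": "GenericPC Inc.",
    "system.mac_prefix": "3c:52:82",
    "system.cpu_count": "8",
}


@dataclass
class AccessRequest:
    src: str               # device identifier of the requesting electronic device
    kind: str              # message kind
    params: Dict[str, str]  # raw parameters carried by the message


@dataclass
class Decision:
    intercepted: bool
    access_object: Optional[str]
    data_type: Optional[int]
    response: Optional[str]  # pseudo result, "" for a null message, None if not intercepted


class ProbeGuard:
    """Applies S140 to S160 and keeps a per-device log of what was probed,
    which is the evidence the honeypot later reports about the attacker."""

    def __init__(self) -> None:
        self.probe_log: Dict[str, List[str]] = {}

    @staticmethod
    def parse_access_object(req: AccessRequest) -> Optional[str]:
        """S150: parse the message parameters and identify the access object."""
        return req.params.get("object")

    def protect(self, req: AccessRequest) -> Decision:
        if req.kind != PRESET_KIND:                   # S140: not a preset kind
            return Decision(False, None, None, None)
        obj = self.parse_access_object(req)
        # Unknown or missing access object: the assumption here is to answer with
        # a null message (second data type) rather than leak an error.
        data_type = ACCESS_OBJECTS.get(obj, 2) if obj else 2
        self.probe_log.setdefault(req.src, []).append(obj or "<unparsed>")
        if data_type == 1:                            # S160, first data type
            return Decision(True, obj, 1, PSEUDO_RESULTS[obj])
        return Decision(True, obj, 2, "")             # S160, second data type

    def probes_by(self, src: str) -> List[str]:
        """Access objects probed by one device, in the order they were seen."""
        return list(self.probe_log.get(src, []))
```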
The present invention can thus determine, from the obtained network traffic information generated by the electronic device that intruded into the wireless network, the device identifier of the electronic device and the device attribute information corresponding to that identifier, and detect the position information of the electronic device from the device attribute information, so that targeted protection can be realized.
For ease of understanding, Fig. 2 shows the schematic structure of a specific wireless network intrusion detection system provided by the present invention; correspondingly, the wireless network intrusion detection method of the present invention can be realized on the basis of this system. As shown in Fig. 2, the system includes a radio access module 21, a network transmission module 22, a first intrusion detection module 23 and a second intrusion detection module 24. Fig. 2 shows several second intrusion detection modules 24; in practice there may be only one. In other embodiments of the present invention there may also be several first intrusion detection modules 23.
In this embodiment, the wireless network intrusion detection system is mainly used to lure the attacker into accessing it, to monitor and record the attacker's device information and attack behaviour and, correspondingly, to realize targeted defensive measures; it can also raise an alarm when necessary and trace the attacker. The wireless network intrusion detection system in this embodiment can therefore also be understood as a honeypot system realized with honeypot techniques, and this honeypot system can realize multiple functions. The concrete structure and operating principle of each module in the system are introduced separately below:
1. Radio access module
The outermost layer of the system is the radio access module 21. The radio access module 21 is adapted to monitor whether there is an electronic device intruding into the wireless network through a preset network hole; when the monitoring result is yes, it obtains the device identifier of the electronic device and the device access information corresponding to that identifier; optionally, it can also analyse the device access information and locate the electronic device according to the analysis result. The radio access module 21 thus has two main functions: on the one hand, it actively sets a network hole to lure the attacker into accessing; on the other hand, once an electronic device accessing the wireless network is found, it records the device identifier and device access information of that electronic device.
First, the specific implementation of setting the network hole: the radio access module 21 sets the network hole in a preset wireless access device, for external electronic devices to access the wireless network. The wireless access device can be a router or any other kind of access point that can be used to access the wireless network. The network hole can be set by opening a wireless network port, lowering the wireless network password, and/or other means. The network hole can also be understood as a trap, mainly used to lure the attacker into accessing. The present invention does not limit the specific implementation of setting the network hole.
Next, the specific implementation of recording the device identifier and device access information of the electronic device. The device identifier can be any information capable of uniquely identifying an electronic device, so that the relevant information of the electronic device can be tracked in subsequent processing according to the device identifier. Device access information refers to information about the device that can be obtained while the device accesses the wireless network. Correspondingly, the radio access module 21 records device access information such as the device name, IP address and MAC address of the device connecting to the wireless network, so as to locate the attacker physically and keep the attacker under monitoring from the moment they access the wireless network. Optionally, to force the attacker to reveal more information, in this embodiment the radio access module 21, when obtaining the device identifier and the corresponding device access information, can further push a preset web page to the electronic device, obtain the access result generated by the electronic device for the preset web page, and determine the device access information of the electronic device according to that access result. The preset web page includes a social web page logged into with a social account, or other pages that require personal information to log in; correspondingly, the device access information of the electronic device further includes the social account information determined from the access result generated for the social web page, for example microblog (Weibo) account and password information, QQ account and password information, and so on. In addition, while the electronic device accesses the web page, other device access information can be obtained, such as browser version, operating system version, device screen resolution and browser plug-in information. The radio access module 21 stores the device access information of the electronic device, associated with its device identifier, in a preset device access table for subsequent queries.
The radio access module is thus mainly used to lure the attacker into accessing and to obtain the corresponding device access information, so as to realize functions such as positioning or early warning.
2. Network transmission module
The next layer inwards is the network transmission module 22. The network transmission module 22 is adapted to obtain the network traffic information generated after the electronic device accessed the wireless network, and to provide the obtained network traffic information to the first intrusion detection module 23 for subsequent analysis. In addition, the network transmission module 22 is further adapted to determine whether the network traffic information generated after the electronic device accessed the wireless network contains network traffic triggered by an access behaviour that meets a preset early-warning rule and, if so, to generate an attack early-warning signal. In implementation, the network transmission module 22 obtains the network traffic information generated by the electronic device that intruded into the wireless network; analyses the network traffic information and determines the network access behaviour of the electronic device according to the analysis result; and judges whether the network access behaviour of the electronic device meets a preset early-warning rule, generating an attack early-warning signal for early warning if so.
The network transmission module mainly obtains the network traffic information after the electronic device accessed the wireless network by means such as network packet capture. In addition, the inventors found while realizing the present invention that traditional packet capture can only obtain the traffic with which the electronic device accesses external websites through the wireless network, and cannot obtain the traffic between the electronic device and each device inside the wireless network. For example, in this embodiment the wireless network contains several preset devices, namely the first intrusion detection module and several second intrusion detection modules; therefore, in order to obtain more accurately the network traffic information generated by the electronic device towards each intrusion detection module, in this embodiment each first intrusion detection module and second intrusion detection module accesses the wireless network in bridging mode. Correspondingly, after the electronic device intrudes into the wireless network, the network transmission module obtains separately the point-to-point network traffic information generated towards each preset device in the wireless network (i.e. the first intrusion detection module and the second intrusion detection modules) and provides that point-to-point network traffic information to the corresponding preset device. For example, the obtained network traffic information of the electronic device accessing the first intrusion detection module is provided to the first intrusion detection module for subsequent analysis. Through the bridging mode, the present invention can thus accurately obtain the point-to-point traffic information between the electronic device and each intrusion detection module, making it easy to determine the network behaviour the electronic device carried out against each intrusion detection module.
By analysing the obtained network traffic information, the network access behaviour of the electronic device can be known (for example, the number of web pages opened and the web page addresses). Optionally, in this embodiment, the network transmission module can also determine according to preset early-warning rules whether the network access behaviour of the electronic device triggers an early-warning signal, so as to realize an early-warning function. The early-warning rules include early-warning rules for several network security grades; correspondingly, the network transmission module first determines the current network security grade, then selects the early-warning rule matching the current network security grade. For example, the network security grade can be divided into three grades, a high security grade, a medium security grade and a low security grade, with an early-warning rule set for each grade. System operators can set the network security grade according to the needs of the current business. Correspondingly, the early-warning rules can include at least one of the following three rules:
The first early-warning rule is: raise an early warning when scanning behaviour carried out with a preset scanning tool is monitored. The network transmission module can obtain in advance the scanning tools commonly used by hackers and store them in a hacker tool list; once it detects from the network traffic information that the electronic device is carrying out scanning with a scanning tool in the hacker tool list, it raises an early warning. The scanning tools stored in the hacker tool list can include NMAP, SQLMAP, WVS and so on.
The second early-warning rule is: raise an early warning when an exploratory connection towards a preset device in the wireless network is monitored. This rule can be applied in network settings of the high security grade; under this rule, as soon as an attempt to connect to a preset device such as an intrusion detection module is found, an early warning is raised.
The third early-warning rule is: raise an early warning when a successful connection to a preset device in the wireless network is monitored. This rule can be applied in network settings of the medium or low security grade; under this rule, an early warning is raised only when a successful connection is found, for example when an access request triggered towards an intrusion detection module is detected.
The network transmission layer can thus monitor the network traffic information across the whole network and raise early warnings according to the monitoring result, improving the security of the system. The early-warning rules can be set flexibly by those skilled in the art; the present invention does not limit this.
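The graded early-warning rules of the network transmission module, together with the per-module split of the bridged point-to-point traffic, as an added Python example that is not code from the patent; the `FlowRecord` fields, the preset-device addresses, the strings used to recognise the listed tools and the sample records are constructed assumptions.

```python
"""Graded early-warning rules of the network transmission module (added example).

Not code from the patent: record fields, preset-device addresses, the strings
used to recognise NMAP / SQLMAP / WVS in traffic and the sample records are
constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

HIGH, MEDIUM, LOW = "high", "medium", "low"

# Preset devices that access the wireless network in bridging mode
# (intrusion detection modules); the addresses are constructed.
PRESET_DEVICES: Dict[str, str] = {
    "10.0.0.23": "first intrusion detection module",
    "10.0.0.24": "second intrusion detection module",
}

# Hacker tool list: lower-case substrings assumed to appear in the traffic
# (for example in a User-Agent header), mapped to the tool name for reporting.
HACKER_TOOLS: Dict[str, str] = {"nmap": "NMAP", "sqlmap": "SQLMAP", "wvs": "WVS"}


@dataclass(frozen=True)
class FlowRecord:
    src: str            # device identifier of the electronic device (MAC address)
    dst: str            # destination inside or outside the wireless network
    event: str          # "connect_attempt", "connect_success" or "http"
    detail: str = ""    # for "http": the request's User-Agent header


@dataclass(frozen=True)
class EarlyWarning:
    rule: int
    src: str
    dst: str
    reason: str


def split_by_preset_device(records: List[FlowRecord]) -> Dict[str, List[FlowRecord]]:
    """Point-to-point split: the traffic towards each preset device is handed to
    that device; traffic to external hosts belongs to no split."""
    per_device: Dict[str, List[FlowRecord]] = {d: [] for d in PRESET_DEVICES}
    for rec in records:
        if rec.dst in per_device:
            per_device[rec.dst].append(rec)
    return per_device


def rule_scan_tool(rec: FlowRecord) -> Optional[EarlyWarning]:
    """Rule 1: scanning carried out with a tool from the hacker tool list."""
    if rec.event != "http":
        return None
    ua = rec.detail.lower()
    for needle, name in HACKER_TOOLS.items():
        if needle in ua:
            return EarlyWarning(1, rec.src, rec.dst, f"scan with {name}")
    return None


def rule_connect_attempt(rec: FlowRecord) -> Optional[EarlyWarning]:
    """Rule 2 (high grade): any exploratory connection towards a preset device.
    A successful connection implies an attempt, so both events count."""
    if rec.dst in PRESET_DEVICES and rec.event in ("connect_attempt", "connect_success"):
        return EarlyWarning(2, rec.src, rec.dst, f"connection attempt to {PRESET_DEVICES[rec.dst]}")
    return None


def rule_connect_success(rec: FlowRecord) -> Optional[EarlyWarning]:
    """Rule 3 (medium/low grade): only a successful connection to a preset device."""
    if rec.dst in PRESET_DEVICES and rec.event == "connect_success":
        return EarlyWarning(3, rec.src, rec.dst, f"connected to {PRESET_DEVICES[rec.dst]}")
    return None


def rules_for_grade(grade: str) -> List[Callable[[FlowRecord], Optional[EarlyWarning]]]:
    """Select the rule set matching the network security grade set by the operator."""
    if grade == HIGH:
        return [rule_scan_tool, rule_connect_attempt]
    if grade in (MEDIUM, LOW):
        return [rule_scan_tool, rule_connect_success]
    raise ValueError(f"unknown network security grade: {grade}")


def evaluate(records: List[FlowRecord], grade: str) -> List[EarlyWarning]:
    """Return one early-warning signal per (record, rule) match."""
    rules = rules_for_grade(grade)
    return [w for rec in records for rule in rules if (w := rule(rec)) is not None]


# Constructed sample traffic from two intruding devices.
SAMPLE_RECORDS = [
    FlowRecord("aa:bb:cc:dd:ee:01", "10.0.0.24", "connect_attempt"),
    FlowRecord("aa:bb:cc:dd:ee:01", "10.0.0.24", "connect_success"),
    FlowRecord("aa:bb:cc:dd:ee:01", "10.0.0.23", "http", "sqlmap/1.2.9#stable"),
    FlowRecord("aa:bb:cc:dd:ee:02", "10.0.0.23", "connect_attempt"),
    FlowRecord("aa:bb:cc:dd:ee:02", "203.0.113.7", "http", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for grade in (HIGH, MEDIUM, LOW):
        print(grade, [(w.rule, w.src, w.reason) for w in evaluate(SAMPLE_RECORDS, grade)])
```

The same scan record raises a warning under every grade, while the connection records produce warnings only under the grade whose rule covers them; the unmatched external HTTP record never does.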
Optionally, in order to obtain more information about the electronic device, in this embodiment the network transmission module may further perform the following operations: according to the network traffic information generated by the electronic device, intercept a website access request sent by the electronic device and insert into the intercepted request a preset access script for accessing a preset website; receive the access result data corresponding to the preset website and determine the device attribute information of the electronic device from the access result data. Correspondingly, the network transmission module may further locate the electronic device according to the device attribute information. In specific implementation, first, the type of website access request to be intercepted is set in advance; for example, it may be set to intercept access requests for search-type websites such as Baidu. Then the preset access script for accessing the preset website is inserted into the intercepted website access request. The preset access script is generated and maintained by the first intrusion detection module; the network transmission module only needs to call the script.
The preset access script may be implemented as a JS script or a URL and is used to access social-type websites such as Renren and Weibo. Finally, the access result data corresponding to the preset website is received and the device attribute information of the electronic device is determined from it. The operation of determining the device attribute information may be performed by the first intrusion detection module; in that case the network transmission module forwards the access result data fed back by the preset website to the first intrusion detection module, which determines the device attribute information of the electronic device in combination with that data. It can be seen that the network transmission module mainly performs two functions in this process: on the one hand, it sends the access request for the preset website to the server of the preset website in place of the user; on the other hand, it receives the access result returned by the server in place of the user. Therefore, the network transmission module can access the preset website and obtain the access result without the user of the electronic device that intruded into the wireless network being aware of it, and thereby obtain information related to the electronic device. The main difference between device attribute information and device access information lies in when and by which module they are obtained: device access information is obtained by the wireless access module in the access phase, whereas device attribute information is obtained by the first intrusion detection module when the electronic device has penetrated into the wireless network and accesses the first intrusion detection module, and reflects the attributes of the device. In practice, the content of the device access information and of the device attribute information may overlap.
Third, the first intrusion detection module
The first intrusion detection module sits between the network transport layer and the second intrusion detection module. It analyses the network traffic information provided by the network transmission module and determines the device attribute information of the electronic device from the analysis result. In specific implementation, the first intrusion detection module can be realised in a variety of ways; for example, it can be implemented with honeypot technology by means of a virtual machine or a sandbox. Honeypot technology is essentially a technique for deceiving an attacker: by deploying hosts, network services or information that act as bait, the attacker is lured into attacking them, so that the attack can be captured and analysed, the tools and methods used by the attacker can be understood, and the attack intent and motivation can be inferred. This lets the defender clearly understand the security threats it faces and strengthen the security protection capability of the real system through technical and management means. In this embodiment, the first intrusion detection module is a web-type honeypot (i.e. a service-type honeypot), and its interactivity is lower than that of the second intrusion detection module, so the first intrusion detection module may also be called a web-type low-interaction intrusion detection module. Below, for convenience, the first intrusion detection module is referred to as the web-type low-interaction honeypot.
The web-type low-interaction honeypot can obtain the network traffic information generated by the electronic device that intruded into the wireless network, analyse that network traffic information, and determine from the analysis result the device identification of the electronic device and the device attribute information corresponding to that device identification. Optionally, the web-type low-interaction honeypot can also detect the position information of the electronic device according to the device attribute information, in order to locate or trace the electronic device. It can be seen that the web-type low-interaction honeypot is mainly used to collect further information about the attacker. Specifically, the device attribute information that can be collected includes, but is not limited to: browser version, operating system version, device screen resolution, browser plug-in information, social account information, device fingerprint, plug-in information, time zone information, GPU information and device language information.
In addition, to make it easier to collect more information, the web-type low-interaction honeypot is further used to generate in advance a preset access script for accessing a preset website; the preset access script is for insertion into the intercepted website access request sent by the electronic device. Correspondingly, when the web-type low-interaction honeypot determines from the analysis result the device identification of the electronic device and the device attribute information corresponding to that device identification, it determines the device attribute information of the electronic device in combination with the obtained access result data corresponding to the preset website. The preset website includes social networking sites that are logged into with a social account and the like; the preset access script may be implemented as a JS script or a URL and is used to access preset websites such as Renren and Weibo. Correspondingly, the device attribute information of the electronic device includes the social account information determined from the access result generated for the social networking site. That is, the web-type low-interaction honeypot is responsible for maintaining the preset access script for the network transmission module to call, and is further used to analyse the network traffic information and access result data obtained by the network transmission module in order to determine the device attribute information of the electronic device. It can be seen that, through the cooperation of the web-type low-interaction honeypot and the network transmission module, the preset website can be accessed automatically and related information obtained without the user of the electronic device noticing, which provides more valuable information for subsequent operations such as locating and tracing the attacker.
Fourth, the second intrusion detection module
The second intrusion detection module is located at the innermost layer of the whole system. It obtains the behaviour characteristic information of the electronic device and generates an intrusion alarm signal when it determines that the behaviour characteristic information meets a preset alarm rule. In specific implementation, the second intrusion detection module can also be realised in a variety of ways; for example, it can be implemented with honeypot technology by means of a virtual machine or a sandbox. In this embodiment, the interactivity of the second intrusion detection module is higher than that of the first intrusion detection module, so the second intrusion detection module may also be called a high-interaction intrusion detection module. In addition, the second intrusion detection module can be applied both to Windows systems and to Linux systems; correspondingly, it comes in two kinds, a Windows-type high-interaction honeypot and a Linux-type high-interaction honeypot. This embodiment is introduced mainly with the Windows-type high-interaction honeypot as an example.
Specifically, the behaviour characteristic information obtained by the Windows-type high-interaction honeypot can be of several kinds, and correspondingly the preset alarm rules can also include several rules:
The first rule is: determine whether the behaviour characteristic information matches a malicious command stored in a preset blacklist, and if so, generate an intrusion alarm signal (also called a behaviour intrusion alarm signal). Specifically, the Windows-type high-interaction honeypot monitors the system activity and every behaviour of the electronic device; if it detects that the electronic device executes a malicious command stored in the preset blacklist, it triggers an intrusion alarm signal. The preset blacklist stores the attack commands, determined in advance, that hackers commonly use. Table 1, Table 2 and Table 3 show part of the malicious commands stored in the blacklist.
Table 1
No.  Command     Executions  Options
1    tasklist    119         /s/v
2    ver         92
3    ipconfig    58          /all
4    Net time    30
5    systeminfo  24
6    netstat     22          -ano
7    qprocess    15
8    query       14          user
9    whoami      14          /all
10   Net start   10
11   nslookup    4
12   fsutil      3           Fsinfo drives
13   time        2           /t
14   set         1
Table 2
Table 3
No.  Command            Executions  Options
1    at                 98
2    reg                29          Add export query
3    wmic               24
4    Netsh advfirewall  4
5    sc                 4           Qc query
6    wusa               2
The second rule is: record the files operated on by the electronic device into a preset operation file list, record the files that have a preset association relationship with the files in the operation file list into a preset suspicious file list, and determine whether to generate an intrusion alarm signal (also called a file intrusion alarm signal) by monitoring the files in the operation file list and the suspicious file list. For example, when a file in the suspicious file list is detected being executed, a file intrusion alarm signal is generated. This rule can be called taint tracking; its main idea is to continuously monitor and track all files related to the electronic device and to raise an alarm when a suspicious situation is found.
For example, operations such as the creation, modification and deletion of files can be monitored, and all of these files are recorded, as files operated on by the electronic device, into the preset operation file list. The operation file list therefore records all files that the electronic device directly operated on, and the operation types include several kinds. In addition, the files that have a preset association relationship with the files in the operation file list are further determined. The files having a preset association relationship include, but are not limited to, files that have a bundling relationship with a file in the operation file list. For example, if the electronic device, while creating file A, further creates a bundled file A' of file A, then file A is recorded in the operation file list and file A' is recorded in the suspicious file list. In the subsequent process, the operation file list and the suspicious file list are monitored continuously, and as soon as a file in the suspicious file list is detected being executed, an alarm is raised immediately. That is, the files in the operation file list are files that the electronic device directly operated on, while the files in the suspicious file list are files that the electronic device has not yet operated on, or has not yet directly operated on (it may have operated on them indirectly or implicitly). The two classes of files are stored in different lists so that different monitoring modes and alarm types can be set for each according to its characteristics. For example, the reason the electronic device creates a bundled file is often to evade the monitoring of the operation file list: generally, a bundled file does not exist in the file system as a real file but only in memory, so it is rather well concealed, yet once such a file is executed the system can be damaged. Therefore, in this embodiment, associated files such as bundled files and hidden files are stored separately in the suspicious file list, which makes it easier to apply stronger control and monitoring to this part of the files and to prevent malicious behaviour from actually being carried out.
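The first rule (command blacklist) and the second rule (taint tracking with an operation file list and a suspicious file list), as an added example that is not part of the patent. The blacklist entries are the commands and options printed in Table 1 and Table 3; the interpretation that a command listed with options is flagged only when one of those options is present, the file-event shape and the sample session are assumptions made for the example.

```python
"""Added example (not from the patent): rule 1 (command blacklist) and rule 2
(file taint tracking) of the Windows-type high-interaction honeypot, replayed
over a constructed session."""
from typing import Dict, List, Optional, Set, Tuple

# Blacklist as printed in Table 1 and Table 3. A command maps to the options the
# honeypot saw with it; an empty set flags any invocation of that command
# (this reading of the option column is an assumption of the example).
COMMAND_BLACKLIST: Dict[str, Set[str]] = {
    "tasklist": {"/s", "/v"}, "ver": set(), "ipconfig": {"/all"},
    "net": {"time", "start"}, "systeminfo": set(), "netstat": {"-ano"},
    "qprocess": set(), "query": {"user"}, "whoami": {"/all"},
    "nslookup": set(), "fsutil": {"fsinfo", "drives"}, "time": {"/t"},
    "set": set(), "at": set(), "reg": {"add", "export", "query"},
    "wmic": set(), "netsh": {"advfirewall"}, "sc": {"qc", "query"},
    "wusa": set(),
}


def match_blacklist(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Rule 1: (command, option) when the command line hits the blacklist, else None."""
    parts = cmdline.strip().split()
    if not parts:
        return None
    cmd = parts[0].lower()
    if cmd.endswith(".exe"):
        cmd = cmd[:-4]
    if cmd not in COMMAND_BLACKLIST:
        return None
    wanted = COMMAND_BLACKLIST[cmd]
    if not wanted:
        return cmd, None
    for opt in parts[1:]:
        if opt.lower() in wanted:
            return cmd, opt.lower()
    return None


class FileTaintTracker:
    """Rule 2: files the device touches go to the operation file list; files
    merely associated with them (bundled, hidden) go to the suspicious file
    list, and executing a suspicious file raises a file intrusion alarm."""

    def __init__(self) -> None:
        self.operation_files: Dict[str, List[str]] = {}
        self.suspicious_files: Set[str] = set()
        self.alarms: List[str] = []

    def on_event(self, op: str, path: str, associated: Tuple[str, ...] = (),
                 hidden: bool = False) -> bool:
        """Feed one file event; returns True when an alarm was raised."""
        path = path.lower()
        if op in ("create", "modify", "delete"):
            self.operation_files.setdefault(path, []).append(op)
            if hidden:                      # hidden files are tracked as suspicious too
                self.suspicious_files.add(path)
            for extra in associated:        # e.g. bundled file A' created alongside A
                self.suspicious_files.add(extra.lower())
            return False
        if op == "execute" and path in self.suspicious_files:
            self.alarms.append(f"file intrusion alarm: {path} executed")
            return True
        return False


def run_session(commands: List[str], file_events) -> Tuple[List[str], List[str]]:
    """Replay a constructed session; returns (behaviour alarms, file alarms)."""
    behaviour = [f"behaviour intrusion alarm: {c}" for c in commands if match_blacklist(c)]
    tracker = FileTaintTracker()
    for ev in file_events:
        tracker.on_event(*ev)
    return behaviour, tracker.alarms


# Constructed session: recon commands, then a dropper that bundles a payload.
SESSION_COMMANDS = ["whoami /all", "dir C:\\Users", "ipconfig", "netstat -ano", "reg query HKLM\\SAM"]
SESSION_FILES = [
    ("create", "C:\\Temp\\a.exe", ("C:\\Temp\\a_bundle.dll",)),   # A and its bundled A'
    ("create", "C:\\Temp\\svc.tmp", (), True),                     # hidden file
    ("execute", "C:\\Temp\\a.exe"),                                # directly operated: no alarm
    ("execute", "C:\\Temp\\a_bundle.dll"),                         # suspicious: alarm
]

if __name__ == "__main__":
    for line in sum(run_session(SESSION_COMMANDS, SESSION_FILES), []):
        print(line)
```

Executing a.exe itself raises nothing, because the device operated on it directly and it sits only in the operation file list; the bundled a_bundle.dll is what the page's rule is designed to catch, and it is the only file alarm in the replay.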
In addition, the Windows-type high-interaction honeypot can further monitor process creation and inject monitor.dll (a dynamic link library used for monitoring processes) into suspicious processes in order to track process behaviour. A process blacklist can also be set; for example, all non-system-level processes are included in the process blacklist, each process in the process blacklist is monitored continuously, and an alarm is triggered when the creation of a dangerous process is found. The Windows-type high-interaction honeypot can also monitor registry operations in order to discover dangerous behaviour.
In addition, each Windows-type high-interaction honeypot can also process logs and alarm information, and can communicate with the first intrusion detection module or with other Windows-type high-interaction honeypots, so as to realise linked processing across the whole system. To this end, the wireless access module is further adapted to store the device access information of the electronic device in association with the device identification of the electronic device; the first intrusion detection module is further adapted to store the device attribute information of the electronic device in association with the device identification of the electronic device; and the second intrusion detection module is further adapted to obtain and analyse the device access information, device attribute information and so on stored in association with the device identification of the electronic device when it determines that the behaviour characteristic information meets a preset alarm behaviour rule. That is, in this system, the information about the electronic device obtained by each module (including device access information, device attribute information, behaviour characteristic information and so on) is all stored in association with the device identification of the electronic device, and correspondingly each module can obtain, through the device identification, all of the information stored in association with it. In other words, each module can obtain not only the information it determined itself but also the information determined by the other modules, so that information sharing is realised. Correspondingly, the first intrusion detection module and/or the second intrusion detection module may be further adapted to determine the user identification and user characteristic information corresponding to the electronic device according to the device access information, device attribute information and/or behaviour characteristic information of the electronic device, so as to trace the source according to the user identification and user characteristic information.
It can be seen that the first intrusion detection module and/or the second intrusion detection module are mainly used to leave a breach for the attacker so that the attacker has an opportunity to log into the system; the attacker's system activity is then recorded, alarms are raised on dangerous behaviour, and the samples corresponding to malicious behaviour are captured for analysis with sandbox technology.
In addition, the system essentially uses multiple rings to achieve overall monitoring of the intruding device; Fig. 3 shows a schematic structure of the multiple rings in the system. As shown in Fig. 3, the system is divided into three rings from the outside in: ring 3, the outermost, consists mainly of the wireless access module; ring 2, in the middle, consists mainly of the first intrusion detection module; and ring 1, the innermost, consists mainly of the second intrusion detection module. The network transmission module is located between ring 3 and ring 2. It can be seen that, through the multi-ring design, the system lures the attacker into penetrating ring by ring and revealing more information, and the information collected in each ring can be queried in a linked manner.
In addition, the first intrusion detection module and the second intrusion detection module in ring 2 and ring 3 are virtual machines with a real operating system installed, so as to collect information better. Also, in order to prevent the intruding electronic device from seeing through the honeypot mechanism, the fingerprint feature information of the virtual machine is managed by a preset program plug-in running at the system layer; the fingerprint feature information includes network card information, registry information and/or key-value information. Fingerprint feature information is one kind of environmental feature information. Moreover, the plug-in running at the system layer runs with privileges higher than those of the other processes in the electronic device, so it can effectively prevent other processes from accessing the fingerprint feature information of the virtual machine.
In specific implementation, in order to protect the virtualised environment inside the first intrusion detection module and the second intrusion detection module and prevent the electronic device from penetrating it, the first intrusion detection module and/or the second intrusion detection module may further perform the following operations: when an access request message for accessing the environmental feature information of the virtualised environment is detected, intercept the access request message; determine the access result data corresponding to the access request message and determine the data type of the access result data; look up the protection policy matching the data type of the access result data, and apply protective processing to the access request message according to the protection policy found.
Specifically, the application programming interfaces (APIs) corresponding to access request messages for accessing the environmental feature information of the virtualised environment need to be determined in advance, and hook functions are set on these APIs; a hook function monitors the access request messages triggered through its API. The environmental feature information of the virtualised environment includes all features related to the system environment, for example the fingerprint feature information of the virtual machine mentioned above. When determining the APIs corresponding to access request messages for accessing the environmental feature information of the virtualised environment, the access behaviour that an electronic device intruding into the virtualised environment directs at the virtualised environment can be monitored, and the access request messages for accessing the environmental feature information of the virtualised environment can be determined from that access behaviour. For example, an electronic device intruding into a virtualised environment often deliberately obtains the environmental feature information of the virtualised environment in order to determine whether the current system environment is a virtualised environment realised by honeypot technology, and leaves the current environment as soon as it finds that it is. Therefore, monitoring the access behaviour of the electronic device makes it possible to determine the APIs corresponding to the access request messages the electronic device commonly uses to obtain the environmental feature information of the virtualised environment, and to monitor those APIs. For example, in this embodiment, monitoring the access behaviour of electronic devices found that an electronic device typically detects a virtual machine by the following means: detecting particular CPU instructions in the execution environment; detecting specific registry information and configuration information in the execution environment; detecting specific processes and services in the execution environment; detecting the file system and specific hardware information (MAC address, hard disk) in the execution environment; detecting memory features in the execution environment; and detecting the configuration of the execution environment (hard disk size, memory size, number of CPU cores, etc.). Furthermore, since the intrusion detection module in this embodiment can also be realised by a sandbox, monitoring the access behaviour of electronic devices found that an electronic device typically detects a sandbox by the following means: detecting whether there is specific user activity in the execution environment (such as mouse movement or visits to certain URLs); sleeping for a period of time before executing again; delayed execution in a loop; detecting hooks (including user hooks, kernel hooks, etc.); detecting network connectivity; detecting the user name; executing only on a specific date; detecting time acceleration; terminating the execution of analysis tools; and detecting browser history, running programs, installed programs, and so on. Moreover, an electronic device usually detects virtual machines and sandboxes by combining several of these means. Therefore, this embodiment determines in advance, by monitoring the above operations of electronic devices, the access request messages corresponding to these operations and their corresponding APIs, and correspondingly sets hook functions on those APIs to intercept and handle the access request messages sent through them.
For an intercepted access request message, the access result data corresponding to the access request message is determined and the data type of the access result data is determined; the protection policy matching the data type of the access result data is looked up, and protective processing is applied to the access request message according to the protection policy found. In this embodiment, the access result data corresponding to access request messages is divided in advance into a first data type and a second data type.
The first data type includes the type corresponding to data that is present both in a virtualised environment and in a non-virtualised environment. For example, both a virtualised environment and a non-virtualised environment need to have network card information and registry information, so the access result data corresponding to this kind of information is treated as the first data type. Because data of this type exists in every environment, an access result must be returned to the electronic device; otherwise the user of the electronic device would become suspicious. Accordingly, the protection policy set in this embodiment to match the first data type includes: setting in advance pseudo result data corresponding to the access result data of the first data type, and, when an access request message sent for access result data of the first data type is intercepted, returning for that access request message the pseudo result data corresponding to the access result data of the first data type. That is, for access result data of the first data type, it is determined in advance whether the value of the data would reveal the features of the virtualised environment; if so, pseudo result data is set for that data, and the corresponding pseudo result data is returned to the electronic device. For example, in the case of the physical network card, although both a virtualised environment and a non-virtualised environment have a physical network card, the network card features in the two environments may differ; accordingly, for the access result data of the network card, corresponding pseudo result data (i.e. data consistent with a non-virtualised environment) is set, so that once the electronic device requests the network card data it receives the corresponding pseudo result data and cannot see through the virtualised environment.
The second data type includes the type corresponding to data that is present in a virtualised environment but not in a non-virtualised environment. Because data of this type exists only in a virtualised environment, returning the corresponding data to the electronic device would let the electronic device see through the virtualised environment. Therefore, the protection policy set in this embodiment to match the second data type includes: when an access request message sent for access result data of the second data type is intercepted, returning a null message for that access request message. That is, no response result is returned for access request messages corresponding to the second data type, so that the electronic device cannot obtain data that identifies the features of the virtualised environment. It can be seen that the virtualised environment in this embodiment includes a virtualised environment built from a virtual machine and/or a virtualised environment built from a sandbox; whichever type of virtualised environment it is, protection can be realised by the two strategies above.
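The two protection policies above (pseudo result data for the first data type, a null message for the second), as an added example that is not part of the patent. It models the hook as a function the query passes through before its result reaches the caller; the query names, the classification table, the "revealing" markers, the pseudo values and the guest values are all constructed for the example, and a first-type value that would betray the environment but has no pseudo result configured is treated as a configuration error rather than silently answered.

```python
"""Added example (not from the patent): dispatch of an intercepted
environment-feature query to the protection policy for its data type."""
from enum import Enum
from typing import Any, Dict, List, Optional


class DataType(Enum):
    FIRST = "present in both virtualised and non-virtualised environments"
    SECOND = "present only in the virtualised environment"


# How the page classifies the queries a hooked API may answer
# (hypothetical query names; a real hook keys on the intercepted API).
FEATURE_TYPES: Dict[str, DataType] = {
    "network_card_mac": DataType.FIRST,
    "registry_bios_version": DataType.FIRST,
    "cpu_brand": DataType.FIRST,
    "registry_guest_tools_key": DataType.SECOND,
    "guest_additions_service": DataType.SECOND,
}

# Pseudo result data set in advance for first-type queries: values consistent
# with a non-virtualised machine (constructed).
PSEUDO_RESULTS: Dict[str, Any] = {
    "network_card_mac": "3C-97-0E-1A-2B-3C",
    "registry_bios_version": "F12 04/11/2022",
}

# Substrings whose presence in a result would betray the environment (constructed).
VIRTUAL_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "xen", "hyper-v", "virtual")


def reveals_virtualisation(value: Any) -> bool:
    text = str(value).lower()
    return any(marker in text for marker in VIRTUAL_MARKERS)


def protect(query: str, real_value: Any) -> Optional[Any]:
    """Protective processing for one intercepted access request message."""
    dtype = FEATURE_TYPES.get(query)
    if dtype is None:
        return real_value            # not an environment feature: pass through
    if dtype is DataType.SECOND:
        return None                  # null message: VM-only data is never returned
    if not reveals_virtualisation(real_value):
        return real_value            # first type, harmless value: answer truthfully
    if query not in PSEUDO_RESULTS:  # first type must be answered, so this is a gap
        raise LookupError(f"no pseudo result data configured for {query}")
    return PSEUDO_RESULTS[query]


class HookedEnvironment:
    """Simulates the hook: every query passes through protect() on its way out."""

    def __init__(self, real_values: Dict[str, Any]) -> None:
        self._real = real_values
        self.intercepted: List[str] = []

    def query(self, name: str) -> Optional[Any]:
        self.intercepted.append(name)
        return protect(name, self._real.get(name))


# Constructed values as the guest would really see them.
GUEST_VALUES: Dict[str, Any] = {
    "network_card_mac": "00-0C-29-AA-BB-CC (virtual adapter)",
    "registry_bios_version": "F12 04/11/2022",
    "cpu_brand": "Intel Core i7",
    "registry_guest_tools_key": "guest tools 12.1",
    "guest_additions_service": "running",
    "hostname": "WIN-DESK01",
}

if __name__ == "__main__":
    env = HookedEnvironment(GUEST_VALUES)
    for name in GUEST_VALUES:
        print(name, "->", env.query(name))
```

The network card query is the page's own example of the first type: the guest's adapter string would reveal the environment, so the hook answers with the pseudo MAC; the BIOS string is harmless and passes through; both second-type queries get the null message; and a query that is not an environment feature at all is untouched.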
In addition, the protection of the virtualised environment in this embodiment can also be achieved in the following ways: (1) using open-source hardware virtualisation software and removing or changing the virtual-machine-specific fingerprint information when compiling the source code, so that detection by the malware on the electronic device fails; (2) changing the sandbox hardware configuration so that it looks more like a real machine (false configuration information can optionally also be returned by way of hooks); (3) configuring the system normally and installing popular software to increase confusion; (4) simulating normal user operations (mouse clicks, network access) to prevent penetration by the electronic device; (5) appropriately increasing the detection time; (6) hooking out certain abnormal operations (restart, shutdown); (7) applying corresponding countermeasures to hook detection; (8) configuring the virtual network environment in other ways that evade detection, and so on.
It can be seen that the first intrusion detection module and the second intrusion detection module in the system can hide the virtualised environment to prevent the honeypot environment from being identified by the electronic device, thereby improving the availability of the system.
In addition, the system can also realise a hacker-portrait function, and thereby locate the attacker, from the information collected by the modules. Correspondingly, the system further performs the following operations: when an electronic device intruding into the wireless network is detected, record the device access information of the electronic device (i.e. the function realised by the wireless access module described above); obtain the network traffic information generated by the electronic device, and determine from the network traffic information the device attribute information of the electronic device and the user attribute information corresponding to the electronic device; perform association analysis on the device access information of the electronic device, the device attribute information of the electronic device and the user attribute information corresponding to the electronic device, and determine the attack user information corresponding to the electronic device according to the analysis result; the attack user information is used to locate the attacker and/or detect the position of the electronic device. The specific meaning and acquisition methods of device access information and device attribute information have been described above and are not repeated here. The user attribute information corresponding to the electronic device mainly refers to personal behaviour information related to the attacker; this part of the information can be determined both from the device attribute information and from the behaviour characteristic information mentioned above. In this embodiment, the user attribute information may include user identity information, for example social account information, attack tool information, the check-in address information of a remote-control trojan and the login password information of a backdoor. That is, in this embodiment, the information related to user behaviour can be separated out from the device attribute information mentioned above as user attribute information.
In order to make it easy to understand, below by taking device-fingerprint category information as an example, several frequently seen device attribute information is enumerated, specifically Including:IP address, geographical position, network identity, device-fingerprint, operating system, browser etc..In addition, device attribute is believed Breath (User Agent, can also be used by WebRTC (Web Real-Time Communication, webpage real-time Communication for Power), UA Family act on behalf of), draw (Canvas), resolution ratio (including:Size, color 16/24), plug-in unit, time zone, language (language), GPU The auxiliary such as (Graphics Processing Unit, graphics processor), AudioContext determines.Specifically, utilize WebRTC agreements can obtain the IP address of intranet and extranet, even if having VPN (Virtual Private Network, Virtual Private Network Network) it can also get.Browser version and operating system version can interpolate that by UA.In addition, when drawing Canvas pictures, Same Canvas draws code, the picture feature drawn in different machines and browser be it is identical and unique, Based on this characteristic, the present invention only need to extract simplest CRC (Cyclic Redundancy Code, CRC) value Can be with unique mark and one electronic equipment of tracking and its corresponding user.By the resolution ratio for obtaining attacker's electronic equipment As subsidiary conditions, the uniqueness of electronic equipment can be more accurately determined.Also, by obtaining attacker's electronic equipment Plug-in unit judges the software of attacker's installation and as subsidiary conditions, can more accurately determine the uniqueness of electronic equipment. 
Also, by obtaining the time zone of attacker's electronic equipment, the country belonging to attacker is can interpolate that, and be used as assistant strip Part determines the uniqueness of electronic equipment.By obtaining the GPU models of attacker's electronic equipment, subsidiary conditions can be used as true Determine the uniqueness of electronic equipment.In addition, on language (i.e. language) mentioned above, current browser institute is not limited to The language used, but all language supported including system, such as simplified Chinese character, traditional Chinese, English.Inventor is realizing Found in the process of the present invention, not ready-made calling interface obtains the language message of system in the prior art, to understand Certainly this problem, following manner is taken in the present embodiment:It is required that the user of electronic equipment is write in the page with all language Two words, if system supports the language, then just can normally write out;If it does not, what is shown is exactly square frame, lead to The language of system support can be obtained by crossing this method, and then the language auxiliary supported by system determines the unique of electronic equipment Property and the identity information of electronic equipment user.When it is implemented, it can intercept what electronic equipment was sent by hooking function Preset instructions, and realize that the operation logic of writing determines that system is supported by various language respectively by what is set in hooking function Language.As can be seen here, the device attribute information in the present embodiment can include plurality of kinds of contents, also, partial information therein It can be also used for auxiliary and determine customer attribute information.
Several common kinds of user attribute information are described below:
First, user attribute information includes user identity information, for example the user account information obtained by the means mentioned above. The user account information includes the accounts that the user has registered on major websites and the corresponding password information. Besides user account information, other kinds of information that can reflect the user's identity can also be included.
Secondly, user attribute information also includes user behaviour information, which is mainly used to determine the attacker's attack tools and attack methods. Specifically, the attack tools and attack methods used by the attacker are captured and features are extracted from the tools, such as URLs, IPs, the MD5 of samples, the check-in address of a remote-control Trojan and the login password of a backdoor. From these features it can be determined whether two attackers are the same person, and the attacker's level can also be determined. For example, for the same attacker the sample downloaded after each login is the same, so the MD5 of the sample is necessarily the same as well; likewise, the check-in address of the same attacker's remote-control Trojan and the login password of the backdoor are necessarily the same. Accordingly, one attacker can be uniquely determined from the above information.
After the above device access information, device attribute information and user attribute information have been obtained, association analysis is performed on them, and the attack user information corresponding to the electronic device is determined from the analysis result. Association analysis means associating the above items of information according to the device identifier and then analysing them. Because the device identifiers corresponding to the device access information, device attribute information and user attribute information of the same user are all the same, the items of information of the same user can be associated with each other through the device identifier, and the result obtained after association is used as the attack user information.
Next, after the attack user information corresponding to the electronic device is determined from the analysis result, an attack user identifier corresponding to the attack user information is further set, and the attack user information and the attack user identifier are stored in association as one data record in a preset attack user list. Here the difference between the attack user identifier and the device identifier is as follows. The device identifier is mainly used to uniquely determine one electronic device, so the device identifier is associated with the hardware characteristics of the electronic device: for example, hardware characteristics of an electronic device such as its graphics card, resolution and network card are constant, and the device identifier therefore mainly identifies the electronic device itself. The attack user identifier, by contrast, is mainly used to uniquely determine one attacker. In general an attacker uses the same electronic device for each attack, so in general the device identifier and the attack user identifier can substitute for each other. However, it is not excluded that in some special cases the attacker uses a different electronic device for each attack; in that case the meaning and function of the device identifier and of the attack user identifier are completely different. In plain terms, the attack user identifier is associated with the attacker's user attribute information: for example, the social account information of the same attacker is constant, and the attack methods and attack tools of the same attacker are fixed, so the attack user identifier mainly identifies the attacker himself.
In specific implementation, the device access information and the device attribute information can be treated as information in one-to-one correspondence with the device identifier, and the user attribute information as information in one-to-one correspondence with the attack user identifier. Accordingly, by the approach in the present invention, not only can one electronic device be uniquely determined, one attacker can also be uniquely determined, so that both locating the electronic device and profiling and tracing the attacker can be realised.
Accordingly, when the attack user information corresponding to the electronic device is determined from the analysis result, it is further queried whether the attack user list contains a data record matching the analysis result; if so, that data record is updated according to the analysis result. Specifically, for each data record in the attack user list, it is determined whether the data record contains an information item whose value is identical to that of an information item in the analysis result; if so, it is judged whether the names and/or number of the information items with identical values satisfy a preset matching rule, and if they do, the data record is determined to match the analysis result. In this way the information of each attacker can be stored through the attack user list, and attackers can be located and queried, thereby improving the security of the system.
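The following Python example is added here to illustrate the association analysis and the attack user list described in the preceding paragraphs; it is not the patent's or the assignee's code. It merges the three kinds of information by device identifier, then matches the merged result against existing data records using a preset matching rule. The rule (a match on any one "strong" user-attribute item such as the sample MD5, C2 address, backdoor password or social account, or on at least two items of any name) is an assumption chosen for illustration, and every value in the sample observations is constructed.

```python
"""Association by device identifier and matching against an attack user list (added example)."""
from collections import defaultdict
import itertools

# Assumed matching rule: one strong user-attribute item, or two items of any name.
STRONG_ITEMS = {"social_account", "sample_md5", "c2_address", "backdoor_password"}
MIN_MATCHING_ITEMS = 2


def associate_by_device(observations):
    """Merge access-info, attribute-info and user-attribute observations that share a device_id."""
    merged = defaultdict(dict)
    for obs in observations:
        dev = obs["device_id"]
        for key, value in obs.items():
            if key != "device_id":
                merged[dev][key] = value
    return {dev: {"device_id": dev, **items} for dev, items in merged.items()}


def matching_items(record, result):
    """Names of information items whose values are identical in the record and the analysis result."""
    shared = set()
    for key, value in result.items():
        if key == "device_id":
            if value in record.get("devices", []):
                shared.add(key)
        elif record.get(key) == value:
            shared.add(key)
    return shared


def matches(record, result):
    shared = matching_items(record, result)
    return bool(shared & STRONG_ITEMS) or len(shared) >= MIN_MATCHING_ITEMS


class AttackUserList:
    """Preset attack user list: one data record per attack user identifier."""

    def __init__(self):
        self.records = []
        self._ids = itertools.count(1)

    def upsert(self, result):
        """Update the matching record, or create a new one with a fresh attack user identifier."""
        for rec in self.records:
            if matches(rec, result):
                self._apply(rec, result)
                return rec["attack_user_id"], False
        rec = {"attack_user_id": f"ATK-{next(self._ids):04d}", "devices": []}
        self._apply(rec, result)
        self.records.append(rec)
        return rec["attack_user_id"], True

    @staticmethod
    def _apply(rec, result):
        # Device identifiers accumulate (an attacker may use several devices); other items overwrite.
        for key, value in result.items():
            if key == "device_id":
                if value not in rec["devices"]:
                    rec["devices"].append(value)
            else:
                rec[key] = value


# Constructed observations for one device; none of these values is real.
OBSERVATIONS = [
    {"device_id": "dev-A", "ip": "192.0.2.10", "mac": "02:00:00:00:00:01"},            # device access info
    {"device_id": "dev-A", "canvas_crc": 0x1234ABCD, "timezone": "Asia/Shanghai"},   # device attribute info
    {"device_id": "dev-A", "social_account": "alice@example.invalid",                  # user attribute info
     "sample_md5": "00112233445566778899aabbccddeeff", "c2_address": "c2.example.invalid:4444"},
]


def run_demo():
    """Same attacker seen again from a different device, then an unrelated device."""
    attack_list = AttackUserList()
    first = attack_list.upsert(associate_by_device(OBSERVATIONS)["dev-A"])
    second = attack_list.upsert({"device_id": "dev-B", "ip": "198.51.100.7",
                                 "sample_md5": "00112233445566778899aabbccddeeff",
                                 "c2_address": "c2.example.invalid:4444"})
    third = attack_list.upsert({"device_id": "dev-C", "ip": "203.0.113.9", "timezone": "Europe/Berlin"})
    return first, second, third, len(attack_list.records)


if __name__ == "__main__":
    print(run_demo())
```

The second session comes from a different device identifier but carries the same sample MD5 and C2 address, so the rule assigns it to the existing attack user rather than creating a new one, which is exactly the case the text describes where the device identifier and the attack user identifier diverge.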
In summary, the system provided by the present invention can lure the attacker into the honeypot and expose relevant information. The modules in the system collect a great deal of information in a progressive, layered manner, and this information can be queried in linked fashion. The system also supports attack alarms by means such as SMS or e-mail. Moreover, emergency handling can be realised by means such as locating the attacker and blocking the attack. In addition, the system can achieve tracing to the source and forensic analysis by examining the attack logs.
In addition, the second intrusion detection module of the system in this embodiment has been introduced by taking a Windows-type high-interaction honeypot as an example; in fact, the second intrusion detection module in the system can also be a Linux-type high-interaction honeypot. The modules in the system can run on the same hardware device; accordingly, the modules in the system can also be merged into fewer modules (for example into one module) or split into more modules, and the present invention does not limit the specific implementation of the system.
In summary, the wireless network intrusion detection method in the present invention can be implemented by the first intrusion detection module in the above system; of course, the functions implemented in the other modules of the above system (such as the wireless access module, the network transmission module and the second intrusion detection module) can also be applied to the wireless network intrusion detection method in the present invention. Accordingly, for details of the wireless network intrusion detection method in the present invention, reference can be made to the description of the corresponding parts of the above system.
Fig. 4 shows a schematic structural diagram of a wireless network intrusion detection device provided by another embodiment of the present invention. As shown in Fig. 4, the device includes:
an acquisition module 41, adapted to obtain the network traffic information generated by an electronic device intruding into the wireless network;
an analysis module 42, adapted to analyse the network traffic information and to determine, from the analysis result, the device identifier of the electronic device and the device attribute information corresponding to the device identifier;
a detection module 43, adapted to detect the position information of the electronic device according to the device attribute information.
Optionally, the device further includes:
a script generation module 44, adapted to generate in advance a preset access script for accessing a preset website, the preset access script being inserted into an intercepted website access request sent by the electronic device;
the analysis module is then specifically adapted to determine the device attribute information of the electronic device in combination with the obtained access result data corresponding to the preset website.
Optionally, the preset website includes a social networking site logged into with a social account, and the device attribute information of the electronic device then includes the social account information determined from the access result generated for the social networking site.
Optionally, the device attribute information includes at least one of the following: device fingerprint, plug-in information, time-zone information, GPU information and device language information.
Optionally, the device is a virtual machine or a sandbox, and the device then further includes:
a protection module 45, adapted to: when an access request message for accessing the virtual machine or sandbox is monitored, determine whether the access request message is a message of a preset kind and, if so, intercept the access request message; determine the access result data corresponding to the access request message and determine the data type of the access result data; query the protection policy matching the data type of the access result data, and perform protective processing on the access request message according to the queried protection policy.
Optionally, the data type of the access result data includes a first data type and/or a second data type;
the protection policy matching the first data type includes: pseudo result data is set in advance for access result data of the first data type, and when an access request message directed at access result data of the first data type is intercepted, the pseudo result data corresponding to that access result data of the first data type is returned for the access request message;
the protection policy matching the second data type includes: when an access request message directed at access result data of the second data type is intercepted, a null message is returned for the access request message.
The device can be implemented by the first intrusion detection module in the above system.
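The following Python example, added here and not taken from the patent, shows one way to implement the protection module's dispatch just described: a request of a preset kind is intercepted, the access result it would resolve to is looked up together with its data type, and the policy for that type decides whether prepared pseudo result data or a null message goes back to the requester. The set of preset kinds, the result catalogue, the decoy contents and the fail-closed handling of uncatalogued results are all constructed assumptions for illustration.

```python
"""Protection module for a honeypot VM/sandbox: answer intercepted requests by data type (added example)."""
from enum import Enum


class DataType(Enum):
    FIRST = 1    # result has a prepared decoy ("pseudo result data") that is returned instead
    SECOND = 2   # result must not be disclosed at all; a null message is returned


# Request kinds the module intercepts (assumed).
PRESET_KINDS = {"read_file", "query_registry", "list_processes"}

# (kind, target) -> (name of the access result, its data type). Constructed catalogue.
RESULT_CATALOG = {
    ("read_file", "/home/admin/.ssh/id_rsa"): ("ssh_private_key", DataType.FIRST),
    ("read_file", "/etc/shadow"): ("shadow_contents", DataType.SECOND),
    ("query_registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId"):
        ("product_id", DataType.FIRST),
    ("list_processes", "*"): ("process_list", DataType.FIRST),
}

# Pseudo result data prepared in advance for every first-type result (constructed decoys).
PSEUDO_RESULTS = {
    "ssh_private_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nDECOY\n-----END OPENSSH PRIVATE KEY-----\n",
    "product_id": "00000-00000-00000-DECOY",
    "process_list": "System\nsvchost.exe\nexplorer.exe\n",
}

AUDIT_LOG = []   # every intercepted request is recorded for later tracing and forensics


def classify(kind, target):
    """Access result name and data type for a request; None when the catalogue has no entry."""
    return RESULT_CATALOG.get((kind, target))


def handle_access_request(kind, target):
    """Return the protective response for one monitored access request message."""
    if kind not in PRESET_KINDS:
        return {"intercepted": False, "result": None, "type": None, "response": None}
    entry = classify(kind, target)
    # Assumption: an uncatalogued result is treated as second type so nothing real can leak.
    result_name, dtype = entry if entry else (f"{kind}:{target}", DataType.SECOND)
    if dtype is DataType.FIRST:
        response = PSEUDO_RESULTS[result_name]      # pseudo result data set in advance
    else:
        response = None                             # null message
    AUDIT_LOG.append({"kind": kind, "target": target, "result": result_name, "type": dtype.name})
    return {"intercepted": True, "result": result_name, "type": dtype.name, "response": response}


if __name__ == "__main__":
    for req in (("read_file", "/home/admin/.ssh/id_rsa"), ("read_file", "/etc/shadow"), ("http_get", "/")):
        print(req, "->", handle_access_request(*req))
```

Keeping the decoys in a table keyed by result name, rather than by raw path, means the same pseudo result is returned no matter which request kind reaches a first-type result, and the audit log gives the "check attack logs" material the text mentions for tracing and forensic analysis.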
According to an embodiment of the present invention, a non-volatile computer storage medium is provided. The computer storage medium stores at least one executable instruction, and the computer-executable instruction can perform the wireless network intrusion detection method in any of the above method embodiments.
Fig. 5 shows a schematic structural diagram of an electronic device provided according to an embodiment of the present invention; the specific embodiment of the present invention does not limit the specific implementation of the electronic device.
As shown in Fig. 5, the electronic device can include: a processor 502, a communications interface 504, a memory 506 and a communication bus 508.
The processor 502, the communications interface 504 and the memory 506 communicate with one another via the communication bus 508.
The communications interface 504 is used to communicate with the network elements of other devices, such as clients or other servers.
The processor 502 is used to execute a program 510, and can specifically perform the relevant steps in the method embodiment described above.
Specifically, the program 510 can include program code, and the program code includes computer operation instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the electronic device may be processors of the same type, such as one or more CPUs, or processors of different types, such as one or more CPUs and one or more ASICs.
The memory 506 is used to store the program 510. The memory 506 may include high-speed RAM memory and may also include non-volatile memory, for example at least one disk memory.
The program 510 can specifically be used to cause the processor 502 to perform the following operations:
obtaining the network traffic information generated by an electronic device intruding into the wireless network;
analysing the network traffic information and determining, from the analysis result, the device identifier of the electronic device and the device attribute information corresponding to the device identifier;
detecting the position information of the electronic device according to the device attribute information.
The program 510 can specifically be used to cause the processor 502 to perform the following operations: generating in advance a preset access script for accessing a preset website, the preset access script being inserted into an intercepted website access request sent by the electronic device; and determining the device attribute information of the electronic device in combination with the obtained access result data corresponding to the preset website.
The preset website includes a social networking site logged into with a social account, and the device attribute information of the electronic device then includes the social account information determined from the access result generated for the social networking site.
The device attribute information includes at least one of the following: device fingerprint, plug-in information, time-zone information, GPU information and device language information.
The execution subject of the method is a virtual machine or a sandbox, and the program 510 can specifically be used to cause the processor 502 to perform the following operations: when an access request message for accessing the virtual machine or sandbox is monitored, determining whether the access request message is a message of a preset kind and, if so, intercepting the access request message;
determining the access result data corresponding to the access request message, and determining the data type of the access result data;
querying the protection policy matching the data type of the access result data, and performing protective processing on the access request message according to the queried protection policy.
The data type of the access result data includes a first data type and/or a second data type;
the protection policy matching the first data type includes: pseudo result data is set in advance for access result data of the first data type, and when an access request message directed at access result data of the first data type is intercepted, the pseudo result data corresponding to that access result data of the first data type is returned for the access request message;
the protection policy matching the second data type includes: when an access request message directed at access result data of the second data type is intercepted, a null message is returned for the access request message.
The program 510 can specifically be used to cause the processor 502 to perform the following operations: after the electronic device has intruded into the wireless network, separately obtaining the point-to-point network traffic information directed at each preset device in the wireless network, and providing the point-to-point network traffic information to the corresponding preset device; each preset device accesses the wireless network in bridging mode.
The program 510 can specifically be used to cause the processor 502 to perform the following operations: according to the network traffic information generated by the electronic device, intercepting the website access request sent by the electronic device, and inserting into the intercepted website access request a preset access script for accessing a preset website;
receiving the access result data corresponding to the preset website, and determining the device attribute information of the electronic device according to the access result data;
after the step of generating the attack early-warning signal used for early warning, the operations then further include: locating the electronic device according to the device attribute information.
A network hole is set in a preset wireless receiving device so that external electronic devices can access the wireless network;
the network hole is realised in the following way: opening a wireless network port and/or lowering the wireless network password.
The program 510 can specifically be used to cause the processor 502 to perform the following operations:
pushing a preset web page to the electronic device, obtaining the access result generated by the electronic device accessing the preset web page, and determining the device access information of the electronic device according to the access result.
The preset web page includes a social web page logged into with a social account, and the device access information of the electronic device then includes the social account information determined from the access result generated for the social web page.
The device access information includes at least one of the following: device name, IP address, MAC address, browser version, operating system version, device screen resolution and browser plug-in information.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teaching herein. As described above, the structure required for constructing such systems is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages can be used to implement the content of the invention described herein, and the above description of specific languages is given to disclose the preferred embodiment of the present invention.
In the specification provided here, numerous specific details are set forth. It is to be understood, however, that embodiments of the present invention can be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to simplify the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment can be combined into one module, unit or component, and can in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that, although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention can be realised in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to realise some or all of the functions of some or all of the components in a device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments describe rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several units, several of these units can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
A1. The invention discloses a wireless network intrusion detection method, including:
obtaining the network traffic information generated by an electronic device intruding into the wireless network;
analysing the network traffic information, and determining, from the analysis result, the device identifier of the electronic device and the device attribute information corresponding to the device identifier;
detecting the position information of the electronic device according to the device attribute information.
A2. The method according to A1, wherein, before the step of obtaining the network traffic information generated by the electronic device intruding into the wireless network, the method further includes: generating in advance a preset access script for accessing a preset website, the preset access script being inserted into an intercepted website access request sent by the electronic device;
the step of determining, from the analysis result, the device identifier of the electronic device and the device attribute information corresponding to the device identifier then specifically includes: determining the device attribute information of the electronic device in combination with the obtained access result data corresponding to the preset website.
A3. The method according to A2, wherein the preset website includes a social networking site logged into with a social account, and the device attribute information of the electronic device then includes the social account information determined from the access result generated for the social networking site.
A4. The method according to any of A1-3, wherein the device attribute information includes at least one of the following: device fingerprint, plug-in information, time-zone information, GPU information and device language information.
A5. The method according to any of A1-4, wherein the execution subject of the method is a virtual machine or a sandbox, and the method further includes the steps of:
when an access request message for accessing the virtual machine or sandbox is monitored, determining whether the access request message is a message of a preset kind and, if so, intercepting the access request message;
determining the access result data corresponding to the access request message, and determining the data type of the access result data;
querying the protection policy matching the data type of the access result data, and performing protective processing on the access request message according to the queried protection policy.
A6. The method according to A5, wherein the data type of the access result data includes a first data type and/or a second data type;
the protection policy matching the first data type includes: pseudo result data is set in advance for access result data of the first data type, and when an access request message directed at access result data of the first data type is intercepted, the pseudo result data corresponding to that access result data of the first data type is returned for the access request message;
the protection policy matching the second data type includes: when an access request message directed at access result data of the second data type is intercepted, a null message is returned for the access request message.
B7. A wireless network intrusion detection device, including:
an acquisition module, adapted to obtain the network traffic information generated by an electronic device intruding into the wireless network;
an analysis module, adapted to analyse the network traffic information and to determine, from the analysis result, the device identifier of the electronic device and the device attribute information corresponding to the device identifier;
a detection module, adapted to detect the position information of the electronic device according to the device attribute information.
B8. The device according to B7, wherein the device further includes:
a script generation module, adapted to generate in advance a preset access script for accessing a preset website, the preset access script being inserted into an intercepted website access request sent by the electronic device;
the analysis module is then specifically adapted to determine the device attribute information of the electronic device in combination with the obtained access result data corresponding to the preset website.
B9. The device according to B8, wherein the preset website includes a social networking site logged into with a social account, and the device attribute information of the electronic device then includes the social account information determined from the access result generated for the social networking site.
B10. The device according to any of B7-9, wherein the device attribute information includes at least one of the following: device fingerprint, plug-in information, time-zone information, GPU information and device language information.
B11. The device according to any of B7-10, wherein the device is a virtual machine or a sandbox, and the device further includes:
a protection module, adapted to: when an access request message for accessing the virtual machine or sandbox is monitored, determine whether the access request message is a message of a preset kind and, if so, intercept the access request message; determine the access result data corresponding to the access request message and determine the data type of the access result data; query the protection policy matching the data type of the access result data, and perform protective processing on the access request message according to the queried protection policy.
B12. The device according to B11, wherein the data type of the access result data includes a first data type and/or a second data type;
the protection policy matching the first data type includes: pseudo result data is set in advance for access result data of the first data type, and when an access request message directed at access result data of the first data type is intercepted, the pseudo result data corresponding to that access result data of the first data type is returned for the access request message;
the protection policy matching the second data type includes: when an access request message directed at access result data of the second data type is intercepted, a null message is returned for the access request message.

Claims (10)

1. a kind of wireless network intrusion detection method, including:
Obtain network traffic information caused by the electronic equipment of invasion wireless network;
Analyzed for the network traffic information, according to analysis result determine the electronic equipment device identification and with The corresponding device attribute information of the device identification;
According to the device attribute information, the positional information of the electronic equipment is detected.
2. according to the method for claim 1, wherein, network caused by the electronic equipment of wireless network is invaded in the acquisition Before the step of flow information, further comprise:Previously generate the default access script for access preset website;Wherein, institute The default script that accesses is stated to be used to insert in the website visiting request that the electronic equipment intercepted is sent;
It is then described that the device identification of the electronic equipment and the equipment corresponding with the device identification are determined according to analysis result The step of attribute information, specifically includes:With reference to described in determining the access result data corresponding with the default website got The device attribute information of electronic equipment.
3. according to the method for claim 2, wherein, the default website includes:The social network logged in by social account Stand, then the device attribute information of the electronic equipment includes:The social activity that result determines is accessed according to caused by for social network sites Account information.
4. according to any described methods of claim 1-3, wherein, the device attribute information include it is following at least one It is individual:Device-fingerprint, plugin information, time-zone information, GPU information and equipment language message.
5. The method according to any one of claims 1-4, wherein the executing entity of the method is a virtual machine or a sandbox, and the method further comprises the steps of:
when an access request message for accessing the virtual machine or sandbox is detected, determining whether the access request message is a message of a preset kind and, if so, intercepting the access request message;
determining the access result data corresponding to the access request message, and determining the data type of the access result data;
querying the protection policy that matches the data type of the access result data, and performing protective processing on the access request message according to the queried protection policy.
6. The method according to claim 5, wherein the data type of the access result data comprises a first data type and/or a second data type;
wherein the protection policy matching the first data type comprises: setting in advance pseudo result data corresponding to access result data of the first data type and, when an access request message sent for access result data of the first data type is intercepted, returning to the access request message the pseudo result data corresponding to that access result data of the first data type;
and the protection policy matching the second data type comprises: when an access request message sent for access result data of the second data type is intercepted, returning an empty message in response to that access request message.
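As an added illustration of the sandbox-side protection logic of claims 5 and 6 (this is example code written for this page, not the patent's or the applicant's implementation), the following filter intercepts access request messages of a preset kind, classifies the access result data they would retrieve into the first or second data type, and returns either pre-set pseudo data or an empty reply. The message kind, the resource paths, the type assignments and the decoy values are all constructed assumptions; falling back to an empty reply when no policy matches is an added defender's choice, not a claim element.

```python
"""Added example, not code from the patent: a minimal sandbox-side request
filter implementing the protection policy dispatch of claims 5 and 6.
Message kinds, paths, type assignments and decoy values are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Access request messages of this preset kind are intercepted (claim 5);
# any other kind passes through to the normal handler untouched.
PRESET_KIND = "HTTP_GET"

# Constructed mapping from the resource a request would read to the data
# type of its access result: type 1 is answered with decoy data, type 2
# with an empty message (claim 6). Paths are illustrative placeholders.
RESULT_DATA_TYPE = {
    "/config/db_credentials": 1,
    "/config/api_keys": 1,
    "/var/log/syslog": 2,
    "/etc/hosts": 2,
}
# Pseudo result data set in advance for every type-1 resource (claim 6).
PSEUDO_RESULT_DATA = {
    "/config/db_credentials": "db_user=decoy\ndb_pass=DECOY-NOT-REAL",
    "/config/api_keys": "API_KEY=decoy-0000",
}

@dataclass
class AccessRequest:
    kind: str
    path: str

@dataclass
class Response:
    intercepted: bool
    body: Optional[str]  # None models the "empty message" of claim 6

# Audit trail of intercepted requests, so the sandbox also serves detection.
audit_log: List[str] = []

def protect(req: AccessRequest) -> Response:
    """Claim 5: intercept preset-kind requests, classify the access result
    data, then apply the matching protection policy from claim 6."""
    if req.kind != PRESET_KIND:
        return Response(intercepted=False, body=None)
    data_type = RESULT_DATA_TYPE.get(req.path)
    audit_log.append(f"intercepted {req.kind} {req.path} type={data_type}")
    if data_type == 1:
        return Response(True, PSEUDO_RESULT_DATA[req.path])
    # Type 2, or no matching policy (assumed fail-closed): empty message.
    return Response(True, None)
```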
7. A wireless network intrusion detection device, comprising:
an acquisition module, adapted to obtain network traffic information generated by an electronic device that has intruded into the wireless network;
an analysis module, adapted to analyze the network traffic information and to determine, according to the analysis result, a device identifier of the electronic device and device attribute information corresponding to the device identifier;
a detection module, adapted to detect location information of the electronic device according to the device attribute information.
8. The device according to claim 7, further comprising:
a script generation module, adapted to generate in advance a preset access script for accessing a preset website, wherein the preset access script is to be inserted into an intercepted website access request sent by the electronic device;
and the analysis module is particularly adapted to determine the device attribute information of the electronic device with reference to the obtained access result data corresponding to the preset website.
9. An electronic device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other via the communication bus;
the memory is configured to store at least one executable instruction, and the executable instruction causes the processor to perform operations corresponding to the wireless network intrusion detection method according to any one of claims 1-6.
10. A computer-readable storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes the processor to perform operations corresponding to the wireless network intrusion detection method according to any one of claims 1-6.
CN201710945011.0A 2017-09-30 2017-09-30 Wireless network intrusion detection method and device Pending CN107484173A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710945011.0A CN107484173A (en) 2017-09-30 2017-09-30 Wireless network intrusion detection method and device

Publications (1)

Publication Number Publication Date
CN107484173A true CN107484173A (en) 2017-12-15

Family

ID=60606186

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710945011.0A Pending CN107484173A (en) 2017-09-30 2017-09-30 Wireless network intrusion detection method and device

Country Status (1)

Country Link
CN (1) CN107484173A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833268A (en) * 2012-09-17 2012-12-19 福建星网锐捷网络有限公司 Method, equipment and system for resisting wireless network flooding attack
CN104486765A (en) * 2014-12-22 2015-04-01 上海斐讯数据通信技术有限公司 Wireless intrusion detecting system and detecting method
CN106878241A (en) * 2015-12-18 2017-06-20 北京奇虎科技有限公司 Malice hot spot detecting method and system
CN106878992A (en) * 2015-12-18 2017-06-20 北京奇虎科技有限公司 Wireless network secure detection method and system
CN107124434A (en) * 2017-07-06 2017-09-01 中国互联网络信息中心 A kind of discovery method and system of DNS malicious attacks flow
CN107196895A (en) * 2016-11-25 2017-09-22 北京神州泰岳信息安全技术有限公司 Network attack is traced to the source implementation method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171215