CN111405548B - Fishing wifi detection method and device - Google Patents
- Publication number: CN111405548B
- Application number: CN202010269895.4A
- Authority: CN (China)
- Prior art keywords: wifi, new, determining, arp, malicious
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/79—Radio fingerprint
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The application discloses a detection method and device for phishing wifi, comprising: after a new wifi signal is detected, acquiring a fingerprint characteristic of the new wifi; based on the fingerprint characteristic, determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode; and if the new wifi is malicious wifi, prohibiting the user terminal from establishing a connection with the new wifi. The method and device actively monitor the state of the surrounding local wireless networks and start a security check of a new wifi as soon as its signal is detected, so they operate autonomously; in addition, because the safety of the detected wifi is decided by an anti-attack identity authentication mode based on the acquired fingerprint characteristics, the detection coverage is more comprehensive and meets a user's everyday security detection needs.
Description
Technical Field
The invention relates to the field of network security, and in particular to a detection method and device for phishing wifi.
Background
In recent years, with the continuous popularization of WLAN, wifi security issues are increasingly emerging, and research on wireless network security technology in the field is also continuously in progress.
Existing techniques for detecting phishing wifi each have their strengths, but also shortcomings. For example, one technique uses a WIDS (Wireless Intrusion Detection System) to collect local wireless network traffic, obtain the user's network state, and analyze and identify malicious attacks, raising an alarm on abnormal network traffic, countering wireless networks that violate the rules, and thereby detecting rogue APs and unauthorized APs; but this approach cannot detect active phishing attacks or MITM (man-in-the-middle) attacks. In another technique, the device model is inferred by comparing physical information of a device connected to the wireless LAN, such as identifying information like its MAC address, with information in a database; because the AP (Access Point) information in the database is very limited, this approach cannot compare the model and information of every device connected to the WLAN, so it often produces erroneous results.
Based on the above, how to provide a more comprehensive and effective detection method for phishing wifi has become an urgent problem for those skilled in the art.
Disclosure of Invention
In view of this, the present invention provides the following technical solutions:
a detection method of fishing wifi includes:
after a new wifi signal is detected, acquiring a fingerprint characteristic of the new wifi signal;
based on the fingerprint characteristics, determining whether the new wifi is malicious wifi or not by adopting an anti-attack identity authentication mode;
and if the new wifi is malicious wifi, prohibiting the user terminal from establishing connection with the new wifi.
Optionally, if a new MAC management frame is acquired during scanning the surrounding local wireless network, it is determined that a new WiFi signal is detected.
Optionally, based on the fingerprint feature, determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode includes:
based on the fingerprint characteristics, an anti-ARP spoofing identity verification mode or an anti-AP identity verification mode is adopted to determine whether the new wifi is malicious wifi.
Optionally, the determining, based on the fingerprint feature, whether the new wifi is malicious wifi by using an anti-ARP spoofing authentication method or an anti-AP authentication method includes:
constructing and sending an ARP request packet according to the IP address of the gateway of the new wifi;
if the ARP response packet of the ARP request packet is not received, determining that the new wifi is malicious wifi;
if an ARP response packet of the ARP request packet is received, comparing and detecting a source MAC address based on the ARP response packet, and determining that the new wifi is a safe wifi under the condition that a comparison and detection result is correct; and under the condition of error comparison detection results, determining the new wifi as malicious wifi.
Optionally, the determining, based on the fingerprint feature, whether the new wifi is malicious wifi by using an anti-ARP spoofing authentication method or an anti-AP authentication method includes:
extracting the digital characteristic of the new wifi from the fingerprint characteristic;
verifying the digital characteristic by adopting an anti-AP identity verification mode;
if the verification is correct, determining that the new wifi is a safe wifi;
if the verification is wrong, determining that the new wifi is malicious wifi.
Optionally, before determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode based on the fingerprint feature, the method further includes:
and determining that the new wifi is public wifi or private wifi through the fingerprint characteristics.
Optionally, based on the fingerprint feature, determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode includes:
under the condition that the new wifi is private wifi, sending a private network verification data packet based on the fingerprint characteristics;
determining whether return data corresponding to the verification data packet is received;
if not, the new wifi is malicious wifi;
if received, verifying whether the received returned data is correct, and determining that the new wifi is safe wifi under the condition of correctness, otherwise determining that the new wifi is malicious wifi.
Optionally, based on the fingerprint feature, determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode includes:
under the condition that the new wifi is public wifi, sending a primary verification data packet based on the fingerprint characteristics, wherein the primary verification data packet comprises a beacon frame;
determining whether primary return data of the primary verification data packet is received;
if the detection reply frame is received, a secondary verification data packet is sent, wherein the secondary verification data packet comprises the content of the detection reply frame in the MAC management frame;
receiving secondary return data of the secondary verification data packet;
and if the format of the secondary returned data accords with the format of the detection reply frame, determining that the new wifi is safe wifi, otherwise, determining that the new wifi is malicious wifi.
Optionally, after the prohibiting the user terminal from establishing a connection with the new wifi, the method further includes:
and sending data containing the detection result of the new wifi to a user terminal, wherein the detection result comprises whether the new wifi is malicious wifi or not.
A detection device for fishing wifi, comprising:
the fingerprint acquisition module is used for acquiring the fingerprint characteristics of the new wifi after detecting the new wifi signal;
the wifi judging module is used for determining whether the new wifi is malicious wifi or not by adopting an anti-attack identity authentication mode based on the fingerprint characteristics;
and the connection management module is used for prohibiting the user terminal from establishing connection with the new wifi under the condition that the new wifi is malicious wifi.
Compared with the prior art, the embodiment of the invention discloses a detection method and a detection device for phishing wifi, comprising: after a new wifi signal is detected, acquiring a fingerprint characteristic of the new wifi; based on the fingerprint characteristic, determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode; and if the new wifi is malicious wifi, prohibiting the user terminal from establishing a connection with the new wifi. The method and device actively monitor the state of the surrounding local wireless networks and start a security check of a new wifi as soon as its signal is detected, so they operate autonomously; in addition, because the safety of the detected wifi is decided by an anti-attack identity authentication mode based on the acquired fingerprint characteristics, the detection coverage is more comprehensive and meets a user's everyday security detection needs.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a detection method for phishing wifi according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the functional modules of a detection method for phishing wifi according to an embodiment of the present invention;
Fig. 3 is a workflow diagram of a specific detection method for phishing wifi according to an embodiment of the present invention;
Fig. 4 is a flowchart of an exemplary decision module implementation method disclosed in an embodiment of the present invention;
Fig. 5 is a flowchart of clock bias detection and identification of a phishing AP according to an embodiment of the present invention;
Fig. 6 is a flowchart of the active detection of ARP spoofing attacks disclosed in an embodiment of the present invention;
Fig. 7 is a block diagram illustrating an exemplary data module execution flow in accordance with an embodiment of the present invention;
Fig. 8 is a flowchart of an exemplary method for executing a service module according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a detection device for phishing wifi according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a flowchart of the detection method for phishing wifi disclosed in the embodiment of the present invention. Referring to Fig. 1, the detection method for phishing wifi may include:
Step 101: after detecting a new wifi signal, acquiring the fingerprint characteristics of the new wifi.
The detection method for phishing wifi disclosed by the embodiment of the application can be implemented in the user terminal, can exist in the form of an application program, and is executed by combining with a user terminal processor.
With the detection method for phishing wifi disclosed in this embodiment, the surrounding wireless network environment can be actively monitored to determine whether new wifi has appeared nearby. When a new wifi appears in the surrounding environment, its identity must first be checked: only when the new wifi is determined to be safe wifi is the user terminal allowed to connect to it; if the new wifi is found to be malicious wifi, the user terminal must be prohibited from establishing a network connection with it, so that the user's important information is not leaked.
Step 102: based on the fingerprint characteristics, determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode.
The fingerprint characteristics may include, but are not limited to, the service set identifier (SSID), whether encryption is used, the encryption mode, the IP address, the MAC address, and so on. In a specific implementation, different types of malicious wifi can be detected using different fingerprint characteristics; in this embodiment, determining whether the new wifi is malicious by an anti-attack identity authentication mode based on the fingerprint characteristics allows many types of malicious wifi to be detected. The specific implementation of this determination is described in detail in the following embodiments and is not elaborated here.
Step 103: and if the new wifi is malicious wifi, prohibiting the user terminal from establishing connection with the new wifi.
If the new wifi is found to be malicious wifi, the user terminal must be prohibited from establishing a connection with it, so that leakage of user information, and the resulting harm to the user, is avoided.
The detection method for phishing wifi actively monitors the state of the surrounding local wireless networks and starts a security check of a new wifi as soon as its signal is detected, so it operates autonomously; in addition, because the safety of the detected wifi is decided by an anti-attack identity authentication mode based on the acquired fingerprint characteristics, the detection coverage is more comprehensive and meets a user's everyday security detection needs.
In the above embodiment, when the newly added MAC management frame is acquired during scanning the surrounding local wireless network, it may be determined that a new WiFi signal is detected.
Specifically, when the surrounding local wireless network changes, new data traffic packets are generated. For example, in a Linux environment, MAC management frames can be captured and parsed with the open-source Libpcap library; if a new wireless access point joins the local area network, a new MAC management frame is obtained on the next scan. Once started, the phishing wifi detection method disclosed in this embodiment continuously listens for new traffic packets, so that as soon as the local wireless network changes, the system executing the method is woken up and begins checking the wireless networks in the surrounding environment: it judges whether the network is a public network, sends a verification data packet, and decides from the returned data whether the network is safe.
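As an added illustration (not code from the patent), the sketch below parses 802.11 beacon and probe response frames, extracts the fingerprint fields named above, and reports an access point the first time its BSSID is seen. Assumptions: frames arrive without a radiotap header, the sample frames are constructed, and the `ssid_clash` hint (a known SSID re-advertised by a new BSSID with a different encryption setting) is a heuristic added here.

```python
import struct

BEACON, PROBE_RESP = 8, 5            # 802.11 management-frame subtypes
TAG_SSID, TAG_DS, TAG_RSN = 0, 3, 48  # tagged-parameter element ids
CAP_PRIVACY = 0x0010                 # capability bit: encryption required


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Fingerprint of a beacon / probe response, or None for anything else."""
    if len(frame) < 36:              # 24-byte MAC header + 12 fixed body bytes
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (BEACON, PROBE_RESP):
        return None
    _tsf, interval, capab = struct.unpack_from("<QHH", frame, 24)
    fp = {
        "bssid": mac_str(frame[16:22]),          # address 3 of the header
        "ssid": None,
        "channel": None,
        "encrypted": bool(capab & CAP_PRIVACY),
        "rsn": False,                            # RSN element present (WPA2/3)
        "beacon_interval": interval,
    }
    pos = 36
    while pos + 2 <= len(frame):     # tagged parameters: id, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                    # truncated element: stop parsing
        if tag == TAG_SSID:
            fp["ssid"] = value.decode("utf-8", "replace")
        elif tag == TAG_DS and length == 1:
            fp["channel"] = value[0]
        elif tag == TAG_RSN:
            fp["rsn"] = True
        pos += 2 + length
    return fp


class ApScanner:
    """Remembers BSSIDs already seen and returns a fingerprint only for new ones."""

    def __init__(self):
        self.known = {}

    def observe(self, frame):
        fp = parse_mgmt_frame(frame)
        if fp is None or fp["bssid"] in self.known:
            return None
        # Added heuristic: same SSID as a known AP but different encryption.
        fp["ssid_clash"] = any(
            k["ssid"] == fp["ssid"] and k["encrypted"] != fp["encrypted"]
            for k in self.known.values())
        self.known[fp["bssid"]] = fp
        return fp


def build_frame(subtype, bssid, ssid, channel, privacy, rsn=False):
    """Constructed sample frame, used only to exercise the parser offline."""
    hdr = bytes([subtype << 4, 0]) + bytes(2) + b"\xff" * 6 + bssid + bssid + bytes(2)
    fixed = struct.pack("<QHH", 123456, 100, 0x0001 | (CAP_PRIVACY if privacy else 0))
    tags = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([TAG_DS, 1, channel])
    if rsn:
        tags += bytes([TAG_RSN, 2, 1, 0])
    return hdr + fixed + tags


def demo():
    ap1, ap2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frames = [
        build_frame(BEACON, ap1, b"CorpNet", 6, True, rsn=True),   # first sighting
        build_frame(BEACON, ap1, b"CorpNet", 6, True, rsn=True),   # repeat beacon
        build_frame(PROBE_RESP, ap2, b"CorpNet", 6, False),        # new open AP
        b"\x08\x02" + bytes(40),                                   # data frame
    ]
    scanner = ApScanner()
    return [scanner.observe(f) for f in frames]


if __name__ == "__main__":
    for result in demo():
        print(result)
```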
Based on the above, determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode based on the fingerprint feature may include: based on the fingerprint feature, determining whether the new wifi is malicious wifi by adopting an anti-ARP (Address Resolution Protocol) spoofing identity verification mode or an anti-AP (Access Point) identity verification mode.
Besides standalone ARP spoofing or DNS (Domain Name System) attacks, in practice ARP spoofing and DNS attacks may be combined to launch a man-in-the-middle attack on users of a wireless network. Against this combined attack, the invention uses an anti-ARP-spoofing authentication mode: it constructs and sends an ARP request packet for the IP address of the wifi gateway, then compares and checks the source MAC address in the ARP reply packet to determine whether the wireless network is under attack.
For wifi containing ARP spoofing and DNS attacks, an implementation of detecting whether a new wifi is a malicious wifi may include: constructing and sending an ARP request packet according to the IP address of the gateway of the new wifi; if the ARP response packet of the ARP request packet is not received, determining that the new wifi is malicious wifi; if an ARP response packet of the ARP request packet is received, comparing and detecting a source MAC address based on the ARP response packet, and determining that the new wifi is a safe wifi under the condition that a comparison and detection result is correct; and under the condition of error comparison detection results, determining the new wifi as malicious wifi.
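The three outcomes described above (no reply, reply with a correct source MAC, reply with a wrong one) can be sketched as follows; this is an added example, not the patent's implementation. Assumptions: the reference MAC comes from the AP fingerprint, a reply is also rejected when its ARP sender field disagrees with the Ethernet source or when several MACs claim the gateway IP, and all addresses and frames are constructed samples (nothing is sent on the wire).

```python
import socket
import struct

ETH_ARP, OP_REQUEST, OP_REPLY = 0x0806, 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp(op, src_mac, src_ip, dst_mac, dst_ip, eth_src=None):
    """Ethernet + ARP frame. eth_src lets a sample's frame source differ
    from the sender address carried inside the ARP payload."""
    eth_dst = b"\xff" * 6 if op == OP_REQUEST else dst_mac
    eth = struct.pack("!6s6sH", eth_dst, eth_src or src_mac, ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      src_mac, socket.inet_aton(src_ip),
                      dst_mac, socket.inet_aton(dst_ip))
    return eth + arp


def parse_arp_reply(frame):
    """Return (ethernet_source, arp_sender_mac, arp_sender_ip) or None."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack_from(
        "!HHBBH6s4s6s4s", frame, 14)
    if ethertype != ETH_ARP or (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, OP_REPLY):
        return None
    return eth_src, sha, socket.inet_ntoa(spa)


def verify_gateway(gateway_ip, reference_mac, frames):
    """Apply the no-reply / correct / wrong decision to captured frames.
    reference_mac is the MAC recorded in the AP fingerprint (assumption)."""
    replies = [r for r in map(parse_arp_reply, frames) if r and r[2] == gateway_ip]
    if not replies:
        return "malicious", "no ARP reply for gateway"
    if len({sha for _, sha, _ in replies}) > 1:
        return "malicious", "several MACs claim the gateway IP"
    if any(eth_src != sha for eth_src, sha, _ in replies):
        return "malicious", "ARP sender MAC differs from frame source MAC"
    if replies[0][1] != reference_mac:
        return "malicious", "gateway MAC differs from fingerprint MAC"
    return "safe", "gateway MAC matches fingerprint"


def demo():
    gw, client = "192.168.1.1", "192.168.1.50"          # constructed addresses
    me = mac_bytes("02:00:00:00:00:50")
    ref = mac_bytes("02:00:00:00:00:01")
    other = mac_bytes("02:00:00:00:00:99")
    request = build_arp(OP_REQUEST, me, client, bytes(6), gw)
    good = build_arp(OP_REPLY, ref, gw, me, client)
    wrong = build_arp(OP_REPLY, other, gw, me, client)
    forged = build_arp(OP_REPLY, ref, gw, me, client, eth_src=other)
    captures = {"none": [request], "good": [good], "wrong": [wrong],
                "both": [good, wrong], "forged": [forged]}
    return {name: verify_gateway(gw, ref, frames) for name, frames in captures.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

On networks where the gateway is a separate router rather than the access point itself, the reference MAC has to come from a trusted earlier observation instead of the BSSID.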
In another implementation, besides standalone pseudo-AP spoofing or DoS (Denial of Service) attacks, in practice there may be malicious wifi that combines pseudo-AP spoofing with a DoS attack: the victim is lured into connecting to a false hotspot, and the network slows down, Internet access fails, the gateway is paralyzed, and so on. Against malicious wifi of this kind, the invention uses characteristic fingerprint technology to extract the digital characteristics of the AP under test and verifies the AP by anti-AP identity verification to judge whether it is a safe network hotspot.
For wifi involving pseudo-AP spoofing and DoS attacks, an implementation of detecting whether the new wifi is malicious wifi may include: extracting the digital characteristic of the new wifi from the fingerprint characteristic; verifying the digital characteristic by adopting an anti-AP identity verification mode; if the verification is correct, determining that the new wifi is a safe wifi; if the verification is wrong, determining that the new wifi is malicious wifi.
In other embodiments, the method for detecting the phishing wifi may further include, before determining whether the new wifi is a malicious wifi by adopting an anti-attack identity authentication method based on the fingerprint feature: and determining that the new wifi is public wifi or private wifi through the fingerprint characteristics.
Based on this, in one implementation, determining whether the new wifi is malicious wifi by adopting an attack-against identity authentication mode based on the fingerprint feature may include:
under the condition that the new wifi is private wifi, sending a private network verification data packet based on the fingerprint characteristics;
determining whether return data corresponding to the verification data packet is received;
if not, the new wifi is malicious wifi;
if received, verifying whether the received returned data is correct, and determining that the new wifi is safe wifi under the condition of correctness, otherwise determining that the new wifi is malicious wifi.
In another implementation, determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode based on the fingerprint feature may include:
under the condition that the new wifi is public wifi, sending a primary verification data packet based on the fingerprint characteristics, wherein the primary verification data packet comprises a beacon frame;
determining whether primary return data of the primary verification data packet is received;
if the detection reply frame is received, a secondary verification data packet is sent, wherein the secondary verification data packet comprises the content of the detection reply frame in the MAC management frame;
receiving secondary return data of the secondary verification data packet;
and if the format of the secondary returned data accords with the format of the detection reply frame, determining that the new wifi is safe wifi, otherwise, determining that the new wifi is malicious wifi.
In other embodiments, the method for detecting a fishing wifi may further include, after prohibiting the user terminal from establishing a connection with the new wifi: and sending data containing the detection result of the new wifi to a user terminal, wherein the detection result comprises whether the new wifi is malicious wifi or not. And feeding back the detection result to the user so that the user can know the wifi condition of the surrounding environment.
In an exemplary implementation, the functional modules of the detection method for phishing wifi may be as shown in Fig. 2 and mainly comprise a decision module, a data module and a service module. The module design logic is as follows. First, the decision module is responsible for scanning the whole local area network; an effective logic framework is designed around the scanned fingerprint characteristics of each AP and used for matching checks on those characteristics, such as the SSID and MAC address. Malicious WiFi attacks can be divided into two types. The first is ARP spoofing combined with a DNS spoofing attack: this attack deceives the user by redirecting them to a designated website and then presenting false information, so that the user's personal information and property are stolen. The second is a false AP combined with a DoS attack, which depletes system resources so that users cannot connect to the network. For each kind of malicious WiFi attack, the decision module applies the corresponding anti-attack identity authentication mode to detect whether the WiFi is malicious. When the decision module matches a malicious WiFi, it adds that WiFi to a blacklist, and the information about the malicious WiFi is stored through the data module. The service module is responsible for compiling this information and printing it out for user interaction.
Fig. 3 is a workflow diagram of a specific detection method for phishing wifi according to an embodiment of the present invention; the following can be read in conjunction with Fig. 3:
(1) Judge whether the wireless hotspot (the new wifi) is an encrypted network; if so, notify the user that it is an encrypted network.
(2) Judge from attribute information such as the service set identifier (SSID) whether the network is an operator or commercial encrypted network. The attribute information such as the SSID is obtained as follows: step 1, set the wireless network card to promiscuous mode; step 2, the wireless network card captures probe frame packets and sends them to the analysis device; step 3, the analysis device parses the probe frame packets to obtain the MAC address; step 4, the analysis device compares the MAC address with the MAC address information list built into the storage device.
(3) If the network is an operator or commercial network, detection switches to the operator and commercial network flow. If it is a private network, a private network verification data packet is sent; whether data is returned is checked to judge whether the hotspot is a malicious attack hotspot, and the correctness of the received data packet is verified to judge whether it is a phishing hotspot.
(4) If the wireless hotspot is an unencrypted network, the user is reminded that the hotspot has no password and should be used with caution.
(5) Judge from attribute information such as the service set identifier whether the network is an operator or commercial unencrypted network. The 802.11 protocol has three different types of frames, of which the management frame relates to authentication and connection services, so in this application the fields of the management frame that carry information inherent to the WiFi hotspot are also extracted as a service set identifier. In a Linux environment, the beacon frames and probe response ("detection reply") frames among the MAC management frames can be captured and parsed with the open-source Libpcap library. If the network is connectable to the private network, the primary verification information is analyzed next to judge whether the network is a malicious hotspot.
(6) For an operator or commercial network, a primary verification data packet is sent first, namely the content of a beacon frame, including the access point name, MAC information, signal strength, channel frequency, chip vendor, and so on, to test the connectivity of the network: a network from which the primary verification information cannot be obtained is regarded as unconnectable; otherwise it is regarded as connectable. If the network is connectable, the primary verification information is analyzed next to judge whether the network is a malicious hotspot. If data is returned, a secondary verification data packet is sent; the secondary verification data packet refers to the content of the probe response ("detection reply") frame in the MAC management frame, and compared with the beacon frame, the requested-information field specific to the probe response frame can be used to identify a fake hotspot.
(7) Whether the wireless hotspot is a disguised phishing hotspot is judged from the correctness of the returned packet format. For example, if the client is under a DNS attack, it receives at least two response packets: one legitimate response packet and one forged, illegitimate packet. DNS spoofing can therefore be detected from the packets: first, a sniffer placed in the network intercepts and captures all DNS request and reply packets; the packets are then judged as follows: if two or more reply packets are received for one DNS request within a certain time interval, a DNS attack may be under way. If the hotspot is a phishing hotspot, a prompt pops up recommending that the user disconnect from the network so that personal information is not stolen.
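The DNS check in step (7) can be illustrated with the following added example (not part of the patent): it parses captured DNS messages and flags any request that received two or more replies within a time window. Assumptions: records are `(timestamp, UDP payload)` pairs from the sniffer, the 2-second window and the `conflicting` flag (replies disagree on the A record) are choices made here, and the sample packets are constructed.

```python
import socket
import struct


def read_name(msg, pos):
    """Decode a DNS name at pos, following compression pointers safely."""
    labels, jumps, end = [], 0, None
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        if n & 0xC0 == 0xC0:                  # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = pos + 2                 # parsing resumes after the pointer
            pos = ((n & 0x3F) << 8) | msg[pos + 1]
            jumps += 1
            if jumps > 16:
                raise ValueError("pointer loop")
            continue
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    return ".".join(labels), (end if end is not None else pos)


def parse_dns(msg):
    """Extract transaction id, direction, question name and A-record answers."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    pos, qname, ips = 12, "", []
    for _ in range(qdcount):
        qname, pos = read_name(msg, pos)
        pos += 4                              # skip QTYPE and QCLASS
    for _ in range(ancount):
        _owner, pos = read_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:         # A record
            ips.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "ips": frozenset(ips)}


def find_duplicate_replies(records, window=2.0):
    """Flag requests answered two or more times within `window` seconds."""
    pending, replies = {}, {}
    for ts, payload in sorted(records, key=lambda r: r[0]):
        try:
            m = parse_dns(payload)
        except (ValueError, struct.error):
            continue                          # not parseable as DNS: ignore
        key = (m["id"], m["qname"])
        if not m["is_response"]:
            pending[key], replies[key] = ts, []
        elif key in pending and ts - pending[key] <= window:
            replies[key].append(m["ips"])
    alerts = []
    for (txid, qname), got in replies.items():
        if len(got) >= 2:
            alerts.append({"txid": txid, "qname": qname, "replies": len(got),
                           "conflicting": len(set(got)) > 1,
                           "answers": sorted(set().union(*got))})
    return alerts


def build_dns(txid, name, answer_ip=None):
    """Constructed query (answer_ip=None) or single-A-record reply."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 if answer_ip else 0x0100,
                      1, 1 if answer_ip else 0, 0, 0)
    msg += b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg += struct.pack("!HH", 1, 1)
    if answer_ip:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return msg


def sample_records():
    """Constructed capture: one request answered twice, one answered once."""
    return [
        (0.000, build_dns(0x1A2B, "login.example.com")),
        (0.004, build_dns(0x1A2B, "login.example.com", "203.0.113.10")),
        (0.031, build_dns(0x1A2B, "login.example.com", "198.51.100.7")),
        (1.000, build_dns(0x1A2C, "www.example.org")),
        (1.020, build_dns(0x1A2C, "www.example.org", "192.0.2.5")),
    ]


if __name__ == "__main__":
    print(find_duplicate_replies(sample_records()))
```

Identical duplicate replies also occur through benign retransmission, which is why the sketch reports `conflicting` separately from the reply count.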
Fig. 4 is a flowchart of an exemplary implementation method of the decision module according to an embodiment of the present invention. In conjunction with Fig. 4, the implementation may include:
(1) After the system starts, the current wireless network is scanned, active probe frames are sent, available APs are detected, and an AP list is compiled.
(2) The latest collected list is synchronized to the service module promptly, so that the user can conveniently interact with it.
(3) Once permission to disconnect the user's WiFi has been obtained, a warning is issued and the user's WiFi function is disconnected whenever phishing WiFi is detected.
The implementation process differs for each attack mode being detected. When existing clock deviation detection is used to identify a phishing AP, the specific flow is shown in Fig. 5. The flow for active detection of ARP spoofing attacks is shown in Fig. 6. Because identifying phishing APs by clock deviation detection and actively detecting ARP spoofing attacks are already relatively mature in the prior art, they are not described further here.
Fig. 7 is a block diagram illustrating an exemplary execution flow of the data module according to an embodiment of the present invention. In conjunction with Fig. 7, the execution may include: analyzing and comparing the AP list provided by the decision module, reading the AP characteristics, judging their safety, and storing the main data. The data module mainly stores the information of the AP devices, including characteristic fingerprints such as the SSID name, whether encryption is used, the encryption mode, the IP address and the MAC address. The policy module needs the data information of the used security policy pair.
Fig. 8 is a flowchart of an exemplary service module execution method according to an embodiment of the present invention. In conjunction with Fig. 8, the execution may include: locally, the service module receives an AP list from the data module, which includes the AP fingerprint information and the judgment result, and counts the number of safe WiFi networks. The results are summarized and delivered to the user, and a printing function is provided.
Based on the above, in implementing the invention a data storage analysis model can be established: the data captured by the decision module is analyzed and compared by the data module, and once the stored AP device information includes characteristic fingerprints such as the SSID (service set identifier) name, whether encryption is used, the encryption mode, the IP (Internet Protocol) address and the MAC (media access control) address, the security of the wireless network is guaranteed with high probability. The invention supports collaborative processing and analysis: multiple devices can make judgments concurrently to improve analysis accuracy.
For the foregoing method embodiments, for simplicity of explanation, the methodologies are shown as a series of acts, but one of ordinary skill in the art will appreciate that the present invention is not limited by the order of acts, as some steps may, in accordance with the present invention, occur in other orders or concurrently. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
The method has been described in detail in the embodiments disclosed above. Because the method can be implemented by various types of devices, the present invention also discloses a device, and specific embodiments are described in detail below.
Fig. 9 is a schematic structural diagram of a detection device for phishing wifi according to an embodiment of the present invention. As shown in Fig. 9, a detection device 90 for phishing wifi may include:
The fingerprint acquisition module 901 is configured to acquire the fingerprint features of the new wifi after a new wifi signal is detected.
The wifi judging module 902 is configured to determine whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode based on the fingerprint features.
The connection management module 903 is configured to prohibit the user terminal from establishing a connection with the new wifi when the new wifi is malicious wifi.
The detection device for phishing wifi can actively detect the state of the surrounding local area wireless networks, and after a new wifi signal is detected it actively starts the security check of the new wifi, so the device operates with good autonomy. In addition, whether the detected new wifi is safe is determined by adopting an anti-attack identity authentication mode based on the acquired fingerprint features, so the detection range is more comprehensive and can meet a user's daily security detection needs.
In the present specification, the embodiments are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for identical or similar parts the embodiments may be referred to one another. Because the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points can be found in the description of the method.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, Read-Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (7)
1. A method for detecting phishing wifi, characterized by comprising the following steps:
after a new wifi signal is detected, acquiring a fingerprint characteristic of the new wifi signal;
based on the fingerprint characteristics, determining whether the new wifi is malicious wifi or not by adopting an anti-attack identity authentication mode;
if the new wifi is malicious wifi, prohibiting the user terminal from establishing connection with the new wifi;
based on the fingerprint feature, determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode comprises:
the identity verification method for anti-ARP spoofing comprises the following steps:
constructing and sending an ARP request packet according to the IP address of the gateway of the new wifi;
if the ARP response packet of the ARP request packet is not received, determining that the new wifi is malicious wifi;
if an ARP response packet of the ARP request packet is received, comparing and detecting a source MAC address based on the ARP response packet, and determining that the new wifi is a safe wifi under the condition that a comparison and detection result is correct; under the condition of error comparison detection results, determining that the new wifi is malicious wifi;
acquiring a gateway IP of a current wifi network and an MAC address corresponding to the IP in a local ARP cache table;
constructing an ARP request packet aiming at a gateway according to the gateway IP of the current wifi network and sending the ARP request packet;
all ARP response messages received within 60 seconds are stored in a queue;
judging whether the queue is empty or not;
under the condition that the queue is empty, determining that ARP attack does not exist;
under the condition that the queue is not empty, one piece of ARP response information is taken out from the queue, and a source address and a source MAC address are analyzed from the ARP response information;
judging whether the gateway IP of the current wifi network is equal to a source address analyzed from ARP response information and whether the MAC address corresponding to the IP in the local ARP cache table is equal to the source MAC address analyzed from the ARP response information;
if both are equal, deleting the ARP response information from the queue, and returning to execute the step of judging whether the queue is empty; if not, determining that an ARP attack exists;
or;
the anti-AP authentication mode comprises the following steps:
extracting the new wifi digital characteristic from the fingerprint characteristic;
verifying the digital characteristic by adopting a reverse AP identity verification mode;
if the verification is correct, determining that the new wifi is a safe wifi;
if the verification is wrong, determining that the new wifi is malicious wifi;
acquiring a training data set from an authorized access point in a wireless network;
acquiring a time stamp from a beacon frame;
calculating and storing the clock deviation of the AP by using a least square fitting algorithm as the clock deviation of the legal AP;
establishing an unauthorized AP data set;
calculating clock deviation of the unauthorized AP by using a least square fitting algorithm;
comparing whether the clock deviation of the legal AP and the unauthorized AP is the same;
if they are the same, determining that the unauthorized AP is legal; otherwise, determining that the unauthorized AP is illegal.
2. The method for detecting phishing WiFi according to claim 1, wherein the detection of a new WiFi signal is determined if a new MAC management frame is acquired while scanning the surrounding local area wireless network.
3. The method for detecting phishing wifi according to claim 2, wherein before the step of determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication method based on the fingerprint feature, further comprises:
and determining that the new wifi is public wifi or private wifi through the fingerprint characteristics.
4. The method for detecting phishing wifi according to claim 3, wherein the determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode based on the fingerprint features includes:
sending a private network verification data packet based on the fingerprint feature under the condition that the new wifi is private wifi;
determining whether return data corresponding to the verification data packet is received;
if not, the new wifi is malicious wifi;
if received, verifying whether the received returned data is correct, and determining that the new wifi is safe wifi under the condition of correctness, otherwise determining that the new wifi is malicious wifi.
5. The method for detecting phishing wifi according to claim 3, wherein the determining whether the new wifi is malicious wifi by adopting an anti-attack identity authentication mode based on the fingerprint features includes:
under the condition that the new wifi is public wifi, sending a primary verification data packet based on the fingerprint characteristics, wherein the primary verification data packet comprises a beacon frame;
determining whether primary return data of the primary verification data packet is received;
if the detection reply frame is received, a secondary verification data packet is sent, wherein the secondary verification data packet comprises the content of the detection reply frame in the MAC management frame;
receiving secondary return data of the secondary verification data packet;
and if the format of the secondary returned data accords with the format of the detection reply frame, determining that the new wifi is safe wifi, otherwise, determining that the new wifi is malicious wifi.
6. The method for detecting phishing wifi according to any one of claims 1-5, further comprising, after the prohibiting the user terminal from establishing a connection with the new wifi:
and sending data containing the detection result of the new wifi to a user terminal, wherein the detection result comprises whether the new wifi is malicious wifi or not.
7. A device for detecting phishing wifi, characterized by comprising:
the fingerprint acquisition module is used for acquiring the fingerprint characteristics of the new wifi after detecting the new wifi signal;
the wifi judging module is used for determining whether the new wifi is malicious wifi or not by adopting an anti-attack identity authentication mode based on the fingerprint characteristics;
the connection management module is used for prohibiting the user terminal from establishing connection with the new wifi under the condition that the new wifi is malicious wifi;
the wifi judging module is specifically used for:
the identity verification of the anti-ARP spoofing comprises:
constructing and sending an ARP request packet according to the IP address of the gateway of the new wifi;
if the ARP response packet of the ARP request packet is not received, determining that the new wifi is malicious wifi;
if an ARP response packet of the ARP request packet is received, comparing and detecting a source MAC address based on the ARP response packet, and determining that the new wifi is a safe wifi under the condition that a comparison and detection result is correct; under the condition of error comparison detection results, determining that the new wifi is malicious wifi;
acquiring a gateway IP of a current wifi network and an MAC address corresponding to the IP in a local ARP cache table;
constructing an ARP request packet aiming at a gateway according to the gateway IP of the current wifi network and sending the ARP request packet;
all ARP response messages received within 60 seconds are stored in a queue;
judging whether the queue is empty or not;
under the condition that the queue is empty, determining that ARP attack does not exist;
under the condition that the queue is not empty, one piece of ARP response information is taken out from the queue, and a source address and a source MAC address are analyzed from the ARP response information;
judging whether the gateway IP of the current wifi network is equal to a source address analyzed from ARP response information and whether the MAC address corresponding to the IP in the local ARP cache table is equal to the source MAC address analyzed from the ARP response information;
if both are equal, deleting the ARP response information from the queue, and returning to execute the step of judging whether the queue is empty; if not, determining that an ARP attack exists;
or;
anti-AP authentication includes:
extracting the new wifi digital characteristic from the fingerprint characteristic;
verifying the digital characteristic by adopting a reverse AP identity verification mode;
if the verification is correct, determining that the new wifi is a safe wifi;
if the verification is wrong, determining that the new wifi is malicious wifi;
acquiring a training data set from an authorized access point in a wireless network;
acquiring a time stamp from a beacon frame;
calculating and storing the clock deviation of the AP by using a least square fitting algorithm as the clock deviation of the legal AP;
establishing an unauthorized AP data set;
calculating clock deviation of the unauthorized AP by using a least square fitting algorithm;
comparing whether the clock deviation of the legal AP and the unauthorized AP is the same;
if they are the same, determining that the unauthorized AP is legal; otherwise, determining that the unauthorized AP is illegal.
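The clock-deviation steps recited in the claims (take timestamps from beacon frames, fit the AP's clock deviation by least squares, compare an unknown AP against the stored value) can be sketched as follows. This is an added example, not code from the patent: the function names, the constructed beacon data and the 1 ppm comparison tolerance are assumptions, since the claims only say the deviations are compared for being "the same".

```python
BEACON_INTERVAL_US = 102_400  # common default beacon interval: 100 TU of 1024 us


def make_beacons(skew_ppm, count=200, tsf_start=5_000_000):
    """Constructed input: (local_rx_time_us, beacon_tsf_us) pairs for an AP whose
    clock runs skew_ppm fast relative to the observer, with +/-2 us receive jitter."""
    samples = []
    for i in range(count):
        elapsed = i * BEACON_INTERVAL_US
        tsf = tsf_start + round(elapsed * (1 + skew_ppm * 1e-6))
        jitter = (i * 7) % 5 - 2          # deterministic stand-in for receive jitter
        samples.append((1_000_000 + elapsed + jitter, tsf))
    return samples


def clock_skew_ppm(samples):
    """Least-squares slope of (beacon timestamp - local time) against local time.

    The slope is the AP clock's drift relative to the observer, in parts per million.
    """
    if len(samples) < 2:
        raise ValueError("need at least two beacons")
    t0, tsf0 = samples[0]
    xs = [t - t0 for t, _ in samples]                      # elapsed local time
    ys = [(tsf - tsf0) - (t - t0) for t, tsf in samples]   # accumulated offset
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("beacons must span a non-zero time interval")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def is_authorized(reference_ppm, candidate_samples, tolerance_ppm=1.0):
    """Compare an unknown AP's fitted skew with the stored skew of the legal AP.

    tolerance_ppm is an assumed threshold; measured skews are never bit-identical.
    """
    return abs(clock_skew_ppm(candidate_samples) - reference_ppm) <= tolerance_ppm


if __name__ == "__main__":
    # Training set from the authorized AP (constructed: clock runs 25 ppm fast).
    reference = clock_skew_ppm(make_beacons(25.0))
    print(f"stored reference skew: {reference:.3f} ppm")
    # Later observation of the same hardware, and of an impostor at -40 ppm.
    print(is_authorized(reference, make_beacons(25.0, count=150, tsf_start=9_000_000)))
    print(is_authorized(reference, make_beacons(-40.0)))
```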
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010269895.4A CN111405548B (en) | 2020-04-08 | 2020-04-08 | Fishing wifi detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111405548A CN111405548A (en) | 2020-07-10 |
CN111405548B true CN111405548B (en) | 2023-07-21 |
Family
ID=71431492
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010269895.4A Active CN111405548B (en) | 2020-04-08 | 2020-04-08 | Fishing wifi detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111405548B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112073968B (en) * | 2020-08-19 | 2022-05-31 | 青岛大学 | Full-model pseudo AP detection method and detection device based on phase error drift range |
CN114390522A (en) * | 2020-10-21 | 2022-04-22 | 展讯通信(上海)有限公司 | Network equipment validity identification method and device, storage medium, terminal equipment and base station |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105119901A (en) * | 2015-07-17 | 2015-12-02 | 中国科学院信息工程研究所 | Method and system for detecting phishing hotspot |
CN105681272A (en) * | 2015-12-08 | 2016-06-15 | 哈尔滨工业大学(威海) | Method for detecting and defensing fishing WiFi of mobile terminal |
CN108574674A (en) * | 2017-03-10 | 2018-09-25 | 武汉安天信息技术有限责任公司 | A kind of ARP message aggressions detection method and device |
CN109428862A (en) * | 2017-08-29 | 2019-03-05 | 武汉安天信息技术有限责任公司 | A kind of method and apparatus detecting ARP attack in local area network |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2508166B (en) * | 2012-11-21 | 2018-06-06 | Traffic Observation Via Man Limited | Intrusion prevention and detection in a wireless network |
Also Published As
Publication number | Publication date |
---|---|
CN111405548A (en) | 2020-07-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||