
CN113949540A - Man-in-the-middle attack detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN113949540A
Authority
CN
China
Prior art keywords
stream
man
data stream
fingerprint information
middle attack
Legal status
Pending
Application number
CN202111143309.2A
Other languages
Chinese (zh)
Inventor
关建峰
杨树杰
张婉澂
刘科显
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/44 Program or device authentication
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of this application disclose a man-in-the-middle attack detection method and apparatus, an electronic device and a storage medium. The method comprises: receiving a data stream transmitted in a stream network, the data stream carrying stream fingerprint information generated and embedded by the previous embedding node; and judging, from that stream fingerprint information, whether the data stream was subjected to a man-in-the-middle attack during transmission. The stream fingerprint embedded in the data stream as it traverses the stream network establishes a security detection channel between adjacent embedding nodes, and man-in-the-middle behaviour is localized and detected on the basis of that channel, so that tactics found in conventional networks such as source-address spoofing and man-in-the-middle attacks are effectively countered and the network's ability to cope with unknown threats is improved.

Description

Man-in-the-middle attack detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a man-in-the-middle attack detection method, apparatus, electronic device, and storage medium.
Background
A man-in-the-middle (MITM) attack is one in which the attacker establishes independent connections with both ends of a communication and relays the data received from each, so that both ends believe they are talking directly to each other over a private connection while the whole conversation is in fact controlled by the attacker.
Existing man-in-the-middle detection methods rely on mutual authentication or on secure-channel authentication based on a key mechanism. In detection based on mutual authentication, the client verifies the received data-stream information with a public key, so that forged information can be distinguished from genuine data-stream information; in detection based on secure-channel authentication, the client verifies the received data-stream information by checking whether the channel is authorized.
However, these detection methods lack a mechanism for tracing and localizing attack flows, have difficulty detecting malicious man-in-the-middle tampering with the data in time, and are vulnerable to multi-flow attacks.
Disclosure of Invention
Because the existing methods have the above problems, embodiments of the present application provide a man-in-the-middle attack detection method, apparatus, electronic device, and storage medium.
Specifically, the embodiment of the present application provides the following technical solutions:
In a first aspect, an embodiment of the present application provides a man-in-the-middle attack detection method, applied to an embedding node in a stream network, comprising:
receiving a data stream transmitted in the stream network, the data stream carrying stream fingerprint information generated and embedded by the previous embedding node;
and judging, from the stream fingerprint information, whether the data stream was subjected to a man-in-the-middle attack during transmission.
Optionally, before judging from the stream fingerprint information whether the data stream was subjected to a man-in-the-middle attack during transmission, the method further comprises:
extracting from the data stream the first stream fingerprint information generated and embedded by the previous embedding node, and generating second stream fingerprint information for the data stream from the characteristic information of the data stream.
Optionally, judging from the stream fingerprint information whether the data stream was subjected to a man-in-the-middle attack during transmission comprises:
judging, from the first stream fingerprint information and the second stream fingerprint information, whether the data stream was subjected to a man-in-the-middle attack during transmission.
Optionally, judging from the first and second stream fingerprint information whether the data stream was subjected to a man-in-the-middle attack during transmission comprises:
calculating a stream fingerprint error from the first stream fingerprint information and the second stream fingerprint information;
and if the stream fingerprint error is smaller than a preset threshold, sending the data stream on to the next embedding node; otherwise, determining that the data stream was subjected to a man-in-the-middle attack while being sent by the previous embedding node.
Optionally, if the stream fingerprint error is smaller than the preset threshold, before sending the data stream to the next embedding node the method further comprises:
repairing, according to the second stream fingerprint information, the distortion that the first stream fingerprint information suffered during transmission.
In a second aspect, an embodiment of the present application provides a man-in-the-middle attack detection apparatus, comprising:
a receiving module configured to receive a data stream transmitted in a stream network, the data stream carrying stream fingerprint information generated and embedded by the previous embedding node;
and a processing module configured to judge, from the stream fingerprint information, whether the data stream was subjected to a man-in-the-middle attack during transmission.
Optionally, before the processing module judges from the stream fingerprint information whether the data stream was subjected to a man-in-the-middle attack during transmission, the processing module is further configured to:
extract from the data stream the first stream fingerprint information generated and embedded by the previous embedding node, and generate second stream fingerprint information for the data stream from the characteristic information of the data stream.
Optionally, the processing module is further configured to:
judge, from the first stream fingerprint information and the second stream fingerprint information, whether the data stream was subjected to a man-in-the-middle attack during transmission.
In a third aspect, an embodiment of the present application further provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the man-in-the-middle attack detection method of the first aspect when executing the computer program.
In a fourth aspect, the present application further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the man-in-the-middle attack detection method of the first aspect.
As the above technical solutions show, the embodiments of the present application provide a man-in-the-middle attack detection method in which an embedding node in a stream network receives a data stream transmitted in that network, the data stream carrying stream fingerprint information generated and embedded by the previous embedding node, and judges from that fingerprint information whether the data stream was subjected to a man-in-the-middle attack during transmission. The stream fingerprint embedded in the data stream as it traverses the stream network thus establishes a security detection channel between adjacent embedding nodes, on the basis of which man-in-the-middle behaviour is localized and detected, so that tactics found in conventional networks such as source-address spoofing and man-in-the-middle attacks are effectively countered and the network's ability to cope with unknown threats is improved.
Drawings
To illustrate the embodiments of the present application or the prior-art solutions more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart illustrating steps of a man-in-the-middle attack detection method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an internal structure of an embedded node according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram of address resolution protocol spoofing provided by an embodiment of the present application;
fig. 4 is a schematic diagram of domain name system spoofing provided by an embodiment of the present application;
fig. 5 is a schematic structural diagram of a man-in-the-middle attack detection apparatus provided in an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
As shown in fig. 1, the man-in-the-middle attack detection method provided in the embodiment of the present application comprises:
Step 101: receiving a data stream transmitted in a stream network, the data stream carrying stream fingerprint information generated and embedded by the previous embedding node;
In this step, note that every embedding node in the stream network is configured to generate unique stream fingerprint information identifying a received data stream, to embed that fingerprint information in the data stream, and then to forward the data stream to the next embedding node according to a forwarding table. The purpose of embedding the stream fingerprint in the data stream is to render tactics such as source-address spoofing by a middleman ineffective, without the middleman noticing the fingerprint or being able to break it.
Step 102: judging, from the stream fingerprint information, whether the data stream was subjected to a man-in-the-middle attack during transmission.
In this step, after an embedding node in the stream network receives the data stream forwarded by the previous embedding node, it first extracts from the data stream the stream fingerprint information generated and embedded by the previous embedding node. It then generates, from the data stream's own information, stream fingerprint information that uniquely identifies the data stream. Finally, it compares the extracted stream fingerprint with the regenerated one to obtain the stream fingerprint error of the data stream. If the error is smaller than a preset threshold, the data stream has not suffered a man-in-the-middle attack on the current forwarding path and is forwarded on to the next embedding node; if the error exceeds the preset threshold, the data stream is deemed to have suffered a man-in-the-middle attack on the current forwarding path. Optionally, when the error between the regenerated and the extracted stream fingerprint information is within the preset threshold, new stream fingerprint information may be regenerated and embedded for the data stream according to its communication data volume. The new stream fingerprint corrects the distortion the fingerprint accumulated on the previous path, so that the fingerprint embedded in the data stream always keeps a low distortion rate in transit and detection accuracy improves. Each embedding node in the stream network repeats these steps until the data stream reaches its destination.
The embodiments of the present application thus exploit the characteristics of stream-network transmission: based on stream fingerprinting, a fingerprint uniquely identifying the data stream is hidden in the data stream, the fingerprint is extracted and re-embedded at every embedding node (forwarder or router), and an out-of-band security-authentication channel is established between the embedding nodes, so that malicious man-in-the-middle tampering with the data can be detected in real time.
The out-of-band security-authentication channel between adjacent embedding nodes, established through the stream fingerprint information embedded in the data stream during transmission, is what allows man-in-the-middle behaviour to be localized and detected. In addition, the method opens an invisible covert communication channel: the fingerprint is generated from the stream's own attributes, so unique fingerprint information can be embedded in different streams, which overcomes the shortcomings of existing watermarking techniques, namely that they cannot be associated with multiple flows at the same time and are vulnerable to multi-flow attacks. The embedded stream fingerprint can therefore be used to detect man-in-the-middle attacks on network streams effectively. Optionally, different fingerprint information may be embedded in multiple data streams, so that the embedded fingerprints can detect a multi-stream attack.
Also note that, in the embodiments of the present application, generation, embedding and extraction of the stream fingerprint information are carried out by the embedding nodes of the stream network, so that an embedding node can, when the conditions are met, discard, delay or modulate the packets of a data stream, detect a man-in-the-middle attack on the data stream in transit in time, and raise an alarm. Optionally, as the data stream passes through the embedding nodes on its path, distortion of the fingerprint can be repaired at any time according to real-time network conditions, so that the fingerprint is embedded more robustly along the path and is less prone to distortion, the detection error rate falls, and man-in-the-middle attacks are detected more promptly and accurately.
Based on the foregoing embodiment, in this embodiment, before judging from the stream fingerprint information whether the data stream was subjected to a man-in-the-middle attack during transmission, the method further comprises:
extracting from the data stream the first stream fingerprint information generated and embedded by the previous embedding node, and generating second stream fingerprint information for the data stream from the characteristic information of the data stream.
Based on the foregoing embodiment, in this embodiment, judging from the stream fingerprint information whether the data stream was subjected to a man-in-the-middle attack during transmission comprises:
judging, from the first stream fingerprint information and the second stream fingerprint information, whether the data stream was subjected to a man-in-the-middle attack during transmission.
Based on the foregoing embodiment, in this embodiment, judging from the first and second stream fingerprint information whether the data stream was subjected to a man-in-the-middle attack during transmission comprises:
calculating a stream fingerprint error from the first stream fingerprint information and the second stream fingerprint information;
and if the stream fingerprint error is smaller than a preset threshold, sending the data stream on to the next embedding node; otherwise, determining that the data stream was subjected to a man-in-the-middle attack while being sent by the previous embedding node.
Based on the foregoing embodiment, in this embodiment, if the stream fingerprint error is smaller than the preset threshold, before sending the data stream to the next embedding node the method further comprises:
repairing, according to the second stream fingerprint information, the distortion that the first stream fingerprint information suffered during transmission.
In this embodiment, if the error between the fingerprint generated by the current embedding node and the extracted fingerprint is within the preset threshold, the distortion the extracted fingerprint suffered in transit is repaired according to the fingerprint generated by the current embedding node, which enhances the robustness of the fingerprint.
The following specific examples illustrate the method:
First embodiment:
In this embodiment the method is applied to the controller and switches of a software-defined network (SDN). Specifically, the controller and the switches (forwarders) are each provided with stream fingerprint generation, embedding and extraction modules, and the parameters of each module are set. When the controller communicates with a switch while collecting topology information, for example when sending a flow table or collecting feedback from the switch, it generates fingerprint information uniquely identifying the data stream from the information of that communication stream, and generates a fingerprint sequence according to the volume of communication data. Both parties use the same fingerprint-generation method and embed the fingerprint in the data stream; on every exchange, each party extracts the fingerprint from the received data stream, compares it with the fingerprint it generated itself, calculates the error and compares the error with the threshold. If the error is within the threshold, communication continues; if it exceeds the threshold, a man-in-the-middle attack is assumed, communication is stopped immediately and the anomaly is handled. This ensures that, while the controller and switch communicate, neither the controller nor the switch can be impersonated, and neither the switch topology nor the normal flow of the data stream can be tampered with.
Second embodiment:
In this embodiment, with the controller and switch already communicating securely, the stream fingerprint generation, embedding and extraction modules are all enabled on the switches. A switch on the data-stream path generates unique fingerprint information identifying the data stream from the stream's characteristics, embeds the fingerprint in the data stream, and forwards the fingerprinted data stream according to its flow table. When the next switch receives the first packet, it performs the following operations:
1. extract the stream fingerprint;
2. the switch's fingerprint-generation module generates, from the data stream's information, fingerprint information uniquely identifying the stream;
3. compare the extracted fingerprint with the generated one. If the error between them is within the threshold, the switch may optionally, according to the distortion rate of the extracted fingerprint and real-time network conditions, adjust the send time of each packet in its programmable packet scheduler according to the fingerprint sequence, correcting the distortion accumulated on the previous path so that the fingerprint embedded in the data stream keeps a low distortion rate throughout transmission and detection accuracy improves. If the error exceeds the threshold, a man-in-the-middle attack is present: the anomaly-handling module is triggered and a message is reported to the controller. The internal processing of a switch is shown in fig. 2; every switch on the forwarding path can optionally repeat these operations until the data stream reaches its destination.
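The extract / regenerate / compare / repair / forward loop of step 102 above and of the second embodiment, as an added Python simulation (example code, not the patent's or the applicant's implementation). The patent does not say how the fingerprint is generated or carried, so this example assumes an inter-packet-delay fingerprint: the bits are derived from the flow's 5-tuple with an HMAC under a key shared by adjacent embedding nodes (so a middleman cannot regenerate them), each bit is encoded as a pair of consecutive packet gaps, and the repair step is the programmable re-pacing of item 3 above. The 5-tuple, key, gap sizes, threshold, jitter level and the three-hop path are all constructed for the example; honest links add Gaussian jitter, and the middleman is a relay that terminates the flow and re-sends it at its own uniform pacing, as a proxy sitting behind the ARP or DNS spoofing of the third and fourth embodiments would.

```python
"""Added example, not the patent's code: hop-by-hop inter-packet-delay stream
fingerprint with the extract / regenerate / compare / repair / forward loop.
All timestamps are in milliseconds."""
import hashlib
import hmac
import random

# Assumed parameters: the patent names none of these values.
BASE_GAP_MS = 10.0   # nominal gap between packets of the paced flow
DELTA_MS = 6.0       # extra delay that marks one gap of each gap pair
NBITS = 16           # fingerprint length; 2 gaps per bit -> 2*NBITS+1 packets
THRESHOLD = 0.25     # tolerated fingerprint error (fraction of bits)
JITTER_MS = 0.4      # std-dev of per-packet delay noise on an honest link

LINK_KEY = b"example-key-shared-by-adjacent-nodes"   # assumed provisioning
FLOW_ID = "10.0.0.1:5000->10.0.0.2:6653/tcp"          # constructed 5-tuple


def generate_fingerprint(link_key, flow_id, nbits=NBITS):
    """'Second' fingerprint: derived from the flow's own attributes under a key
    the adjacent nodes share, so every node regenerates the same bits but a
    middleman cannot. Keyed derivation is this example's assumption."""
    digest = hmac.new(link_key, flow_id.encode(), hashlib.sha256).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(nbits)]


def embed(arrivals, bits):
    """Re-pace the flow so each bit occupies two consecutive gaps:
    bit 1 -> (BASE+DELTA, BASE), bit 0 -> (BASE, BASE+DELTA).
    A forwarder can only delay packets, so no send time precedes arrival."""
    assert len(arrivals) >= 2 * len(bits) + 1
    sched = [arrivals[0]]
    idx = 1
    for bit in bits:
        pair = ((BASE_GAP_MS + DELTA_MS, BASE_GAP_MS) if bit
                else (BASE_GAP_MS, BASE_GAP_MS + DELTA_MS))
        for gap in pair:
            sched.append(max(arrivals[idx], sched[-1] + gap))
            idx += 1
    return sched


def extract(timestamps, nbits=NBITS):
    """'First' fingerprint: decode one bit per gap pair from the observed gaps.
    None marks a pair whose gaps differ too little to read (erased bit)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    bits = []
    for k in range(nbits):
        diff = gaps[2 * k] - gaps[2 * k + 1]
        bits.append(1 if diff > DELTA_MS / 2 else 0 if diff < -DELTA_MS / 2 else None)
    return bits


def fingerprint_error(extracted, expected):
    """Stream fingerprint error: fraction of bits that mismatch or were erased."""
    return sum(e != x for e, x in zip(extracted, expected)) / len(expected)


def honest_link(timestamps, rng, latency_ms=3.0):
    """Ordinary store-and-forward link: constant latency plus small jitter."""
    out = []
    for t in timestamps:
        t = t + latency_ms + rng.gauss(0.0, JITTER_MS)
        out.append(max(t, out[-1]) if out else t)   # never reorder packets
    return out


def repacing_mitm(timestamps, latency_ms=3.0):
    """Middleman that terminates the flow and re-sends it with its own uniform
    pacing (a proxy behind ARP/DNS spoofing): every timing mark is lost."""
    start = timestamps[0] + latency_ms
    return [start + k * BASE_GAP_MS for k in range(len(timestamps))]


def node_process(timestamps, link_key=LINK_KEY, flow_id=FLOW_ID):
    """One embedding node on receipt: extract the first fingerprint, regenerate
    the second, compare; repair and forward if within threshold, else alarm."""
    expected = generate_fingerprint(link_key, flow_id)
    err = fingerprint_error(extract(timestamps), expected)
    if err > THRESHOLD:
        return None, err                      # alarm: attack on the previous link
    return embed(timestamps, expected), err   # re-pace to repair distortion


def run_path(links, link_key=LINK_KEY, flow_id=FLOW_ID):
    """Send one fingerprinted flow over a chain of links with an embedding node
    after each. Returns (hop that raised the alarm or None, per-hop errors)."""
    source = [k * BASE_GAP_MS for k in range(2 * NBITS + 1)]   # constructed flow
    stream = embed(source, generate_fingerprint(link_key, flow_id))
    errors = []
    for hop, link in enumerate(links, start=1):
        stream, err = node_process(link(stream), link_key, flow_id)
        errors.append(err)
        if stream is None:
            return hop, errors   # the node after link `hop` localized the attack
    return None, errors


def simulate(attack_hop=None, hops=3, seed=7):
    """Honest links throughout, or a re-pacing middleman on link `attack_hop`."""
    rng = random.Random(seed)
    links = [lambda s: honest_link(s, rng)] * hops
    if attack_hop is not None:
        links[attack_hop - 1] = repacing_mitm
    return run_path(links)


if __name__ == "__main__":
    print("clean path   :", simulate())
    print("MITM on hop 2:", simulate(attack_hop=2))
```

On the clean path every hop reports an error near 0 and the node re-paces the flow before forwarding, so jitter does not accumulate across hops; with the re-pacing middleman on link 2, the node at the end of that link reads every gap pair as erased, reports error 1.0 and stops the flow, which is the localization the patent describes (the attack is attributed to the previous link, not to the path as a whole). Two checks a practitioner would want before relying on a timing fingerprint of this kind: a relay that passes each packet on as soon as it arrives preserves the inter-packet gaps and is not distinguished from an honest link by timing alone, and the threshold has to be derived from the measured jitter of the honest links, since on a clean path it is jitter rather than the attacker that raises the error.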
Third embodiment:
In this embodiment, as shown in fig. 3, because LAN traffic is delivered by physical address (MAC, media access control) rather than by IP address, a host identifies other machines by their MAC addresses. Each host keeps an Address Resolution Protocol (ARP) cache recording the MAC addresses of all hosts on the LAN it has communicated with; when it needs to talk to another host, it first looks up its local ARP table and encapsulates the packet with that host's MAC address. One form of ARP spoofing is the following: with three users A, B and C, user B sends ARP replies to A and C simultaneously, telling A that C's IP address maps to B's MAC address and telling C that A's IP address maps to B's MAC address, so that the traffic between A and C passes through B, which has thereby completed a bidirectional spoof. To detect this spoofing, the embodiment of the present application installs the stream fingerprint generation, embedding and extraction modules on user A and user C and sets the parameters of each module. First, A and C start the three modules. A and C then generate unique fingerprint information identifying the data stream from the stream's characteristics, embed the fingerprint in the data stream, and transmit it. When A or C receives the data stream, it first extracts the stream fingerprint, then generates fingerprint information uniquely identifying the data stream from the stream's information with its fingerprint-generation module, and finally compares the extracted fingerprint with the generated one.
If the error between the generated and the extracted fingerprint is within the threshold, there is no man-in-the-middle and the communication is secure. If the error exceeds the threshold, a man-in-the-middle attack, namely ARP spoofing, is present: the anomaly-handling module is triggered and the event is reported.
Fourth embodiment:
In this embodiment, as shown in fig. 4, the basic principle of spoofing based on the Domain Name System (DNS) is that the attacker impersonates the domain name server and redirects the URL requested by the victim host to the attacker's IP address, so that when the user browses the web they see only the attacker's page rather than the homepage of the site they wanted. To address this, the embodiment of the present application installs the stream fingerprint generation, embedding and extraction modules on the www.xxx.com host and the www.yyy.com host and sets the parameters of each module. The modules are started first; unique fingerprint information identifying the data stream is generated on the www.xxx.com and www.yyy.com hosts from the stream's characteristics, the fingerprint is embedded in the data stream, and the data stream is sent. When either host receives the data stream, it first extracts the stream fingerprint; its fingerprint-generation module then generates fingerprint information uniquely identifying the data stream from the stream's information; finally, the extracted fingerprint is compared with the generated one. If the error between them is within the threshold, there is no man-in-the-middle attack and the access is secure; if the error exceeds the threshold, a man-in-the-middle attack, namely DNS spoofing, is present: the anomaly-handling module is triggered and the event is reported.
Based on the same inventive concept, another embodiment of the present application provides a man-in-the-middle attack detection apparatus, shown in fig. 5, comprising:
a receiving module 1 configured to receive a data stream transmitted in a stream network, the data stream carrying stream fingerprint information generated and embedded by the previous embedding node;
and a processing module 2 configured to judge, from the stream fingerprint information, whether the data stream was subjected to a man-in-the-middle attack during transmission.
In this embodiment, every embedding node in the stream network is configured to generate unique stream fingerprint information identifying a received data stream, embed that fingerprint information in the data stream, and forward the data stream to the next embedding node according to a forwarding table.
In this embodiment, after an embedding node in the stream network receives the data stream forwarded by the previous embedding node, it first extracts from the data stream the stream fingerprint information generated and embedded by the previous embedding node. It then generates, from the data stream's information, stream fingerprint information that uniquely identifies the data stream. Finally, it compares the extracted stream fingerprint with the regenerated one to obtain the stream fingerprint error of the data stream. If the error is smaller than a preset threshold, the data stream has not suffered a man-in-the-middle attack on the current forwarding path and is forwarded on to the next embedding node; if the error exceeds the preset threshold, the data stream is deemed to have suffered a man-in-the-middle attack on the current forwarding path. Optionally, when the error between the regenerated and the extracted stream fingerprint information is within the preset threshold, the distortion the extracted fingerprint suffered in transit is repaired according to the fingerprint generated by the current embedding node, so that the fingerprint embedded in the data stream keeps a low distortion rate throughout transmission, enhancing its robustness.
As can be seen from the above technical solutions, the embodiments of the present application provide a man-in-the-middle attack detection method in which an embedding node in a stream network receives a data stream transmitted in the stream network, the data stream comprising stream fingerprint information generated and embedded by a previous embedding node, and determines according to that stream fingerprint information whether a man-in-the-middle attack exists in the data stream during transmission. In this way, the stream fingerprint information embedded in the data stream during transmission through the stream network establishes a security detection channel between adjacent embedding nodes, and man-in-the-middle attack behaviour is located and detected on the basis of that channel, so that attacks such as source address forgery and man-in-the-middle attacks that exist in traditional networks are effectively resisted and the network's ability to cope with unknown threats is improved.
Based on the foregoing embodiment, in this embodiment, before determining whether a man-in-the-middle attack exists in the data stream during transmission according to the stream fingerprint information, the processing module is further specifically configured to:
extract first stream fingerprint information generated and embedded by the previous embedding node from the data stream, and generate second stream fingerprint information of the data stream according to the characteristic information of the data stream.
Based on the foregoing embodiment, in this embodiment, the processing module is further specifically configured to:
determine, according to the first stream fingerprint information and the second stream fingerprint information, whether a man-in-the-middle attack exists in the data stream during transmission.
The man-in-the-middle attack detection device described in this embodiment may be used to implement the above method embodiments, and the principle and technical effect are similar, which are not described herein again.
Based on the same inventive concept, another embodiment of the present invention provides an electronic device. With reference to the schematic structural diagram of the electronic device shown in fig. 6, it specifically includes the following: a processor 601, a memory 602, a communication interface 603, and a communication bus 604;
the processor 601, the memory 602 and the communication interface 603 communicate with one another through the communication bus 604; the communication interface 603 is used for information transmission between the devices;
the processor 601 is configured to call a computer program in the memory 602 and, when executing the computer program, implements all the steps of the man-in-the-middle attack detection method described above, for example: receiving a data stream transmitted in a stream network, the data stream comprising stream fingerprint information generated and embedded by a previous embedding node; and determining, according to the stream fingerprint information, whether a man-in-the-middle attack exists in the data stream during the transmission process.
Based on the same inventive concept, yet another embodiment of the present invention provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements all the steps of the man-in-the-middle attack detection method described above, for example: receiving a data stream transmitted in a stream network, the data stream comprising stream fingerprint information generated and embedded by a previous embedding node; and determining, according to the stream fingerprint information, whether a man-in-the-middle attack exists in the data stream during the transmission process.
In addition, the logic instructions in the memory may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on such understanding, the above technical solutions may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the man-in-the-middle attack detection method according to the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A man-in-the-middle attack detection method, applied to an embedding node in a stream network, comprising the following steps:
receiving a data stream transmitted in the stream network, the data stream comprising stream fingerprint information generated and embedded by a previous embedding node; and
determining, according to the stream fingerprint information, whether a man-in-the-middle attack exists in the data stream during the transmission process.
2. The man-in-the-middle attack detection method according to claim 1, further comprising, before determining whether a man-in-the-middle attack exists in the data stream during transmission according to the stream fingerprint information:
extracting first stream fingerprint information generated and embedded by the previous embedding node from the data stream, and generating second stream fingerprint information of the data stream according to characteristic information of the data stream.
3. The man-in-the-middle attack detection method according to claim 2, wherein determining whether a man-in-the-middle attack exists in the data stream during the transmission process according to the stream fingerprint information comprises:
determining, according to the first stream fingerprint information and the second stream fingerprint information, whether a man-in-the-middle attack exists in the data stream during the transmission process.
4. The man-in-the-middle attack detection method according to claim 3, wherein determining whether a man-in-the-middle attack exists in the data stream during the transmission process according to the first stream fingerprint information and the second stream fingerprint information comprises:
calculating a stream fingerprint error based on the first stream fingerprint information and the second stream fingerprint information; and
if the stream fingerprint error is smaller than a preset threshold value, sending the data stream to a next embedding node; otherwise, determining that a man-in-the-middle attack exists in the data stream during the sending process of the previous embedding node.
5. The man-in-the-middle attack detection method according to claim 4, wherein, if the stream fingerprint error is smaller than the preset threshold value, the method further comprises, before sending the data stream to the next embedding node:
repairing, according to the second stream fingerprint information, the distortion of the first stream fingerprint information incurred during transmission.
6. A man-in-the-middle attack detection apparatus, comprising:
a receiving module, configured to receive a data stream transmitted in a stream network, the data stream comprising stream fingerprint information generated and embedded by a previous embedding node; and
a processing module, configured to determine, according to the stream fingerprint information, whether a man-in-the-middle attack exists in the data stream during the transmission process.
7. The man-in-the-middle attack detection apparatus according to claim 6, wherein, before determining whether a man-in-the-middle attack exists in the data stream during the transmission process according to the stream fingerprint information, the processing module is further specifically configured to:
extract first stream fingerprint information generated and embedded by the previous embedding node from the data stream, and generate second stream fingerprint information of the data stream according to characteristic information of the data stream.
8. The man-in-the-middle attack detection apparatus according to claim 7, wherein the processing module is further specifically configured to:
determine, according to the first stream fingerprint information and the second stream fingerprint information, whether a man-in-the-middle attack exists in the data stream during the transmission process.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the steps of the man-in-the-middle attack detection method according to any one of claims 1 to 5 are implemented when the program is executed by the processor.
10. A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, carrying out the steps of the man-in-the-middle attack detection method according to any one of claims 1 to 5.
CN202111143309.2A 2021-09-28 2021-09-28 Man-in-the-middle attack detection method and device, electronic equipment and storage medium Pending CN113949540A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111143309.2A CN113949540A (en) 2021-09-28 2021-09-28 Man-in-the-middle attack detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111143309.2A CN113949540A (en) 2021-09-28 2021-09-28 Man-in-the-middle attack detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113949540A true CN113949540A (en) 2022-01-18

Family

ID=79329384

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111143309.2A Pending CN113949540A (en) 2021-09-28 2021-09-28 Man-in-the-middle attack detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113949540A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2025087143A1 (en) * 2023-10-24 2025-05-01 Huawei Technologies Co., Ltd. Alarm method, apparatus and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965288A (en) * 2018-07-09 2018-12-07 PLA Strategic Support Force Information Engineering University A cross-domain traceback method based on flow fingerprints
CN112491867A (en) * 2020-11-24 2021-03-12 Beihang University SSH man-in-the-middle attack detection system based on session similarity analysis
US11016824B1 (en) * 2017-06-12 2021-05-25 Pure Storage, Inc. Event identification with out-of-order reporting in a cloud-based environment
CN113422783A (en) * 2021-07-09 2021-09-21 深圳市高德信通信股份有限公司 Network attack protection method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Cyberspace Security Military-Civil Fusion Innovation Center: "A New Frontier of Network Attack and Defence: Encrypted Traffic Confrontation", HTTPS://WWW.SECRSS.COM/ARTICLES/12314 *
Yuan Kaiyin et al.: "Research on Effective Monitoring Methods for Suspected Attack Flow Fingerprints under Network Jitter", Computer Simulation *
Ma Hailong et al.: "Testing and Analysis of Router Mimic Defence Capability", Journal of Cyber Security *

Similar Documents

Publication Publication Date Title
US10157280B2 (en) System and method for identifying security breach attempts of a website
Fadlullah et al. DTRAB: Combating against attacks on encrypted protocols through traffic-feature analysis
CN101617516B (en) Method and apparatus to control application messages between a client and a server having a private network address
CN101415012B (en) Method and system for defending address analysis protocol message aggression
US7908480B2 (en) Authenticating an endpoint using a STUN server
JP7388613B2 (en) Packet processing method and apparatus, device, and computer readable storage medium
CN103916389B (en) Defend the method and fire wall of HttpFlood attacks
CN100563149C (en) A kind of DHCP listening method and device thereof
CN101360019A (en) A detection method, system and equipment of a botnet
CN101321055A (en) An attack defense method and device
CN101180826A (en) Higher level protocol authentication
Pandey Prevention of ARP spoofing: A probe packet based technique
JP6435695B2 (en) Controller and its attacker detection method
Foroushani et al. TDFA: traceback-based defense against DDoS flooding attacks
CN107911219A (en) A kind of anti-CC methods of API based on key signature
CN106789882A (en) Defence method and system that a kind of domain name request is attacked
CN106603501A (en) Method, system and firewall device for preventing hijacking of domain name
CN108965309B (en) Data transmission processing method, device, system and equipment
RU2307392C1 (en) Method (variants) for protecting computer networks
CN102457415B (en) IPS check processing method, Network Security Device and system
CN113949540A (en) Man-in-the-middle attack detection method and device, electronic equipment and storage medium
Huang et al. Detecting Stepping-stone intruders by identifying crossover packets in SSH connections
Salim et al. Preventing ARP spoofing attacks through gratuitous decision packet
CN105792216B (en) Wireless fishing based on certification accesses point detecting method
Wang et al. Hijacking spoofing attack and defense strategy based on Internet TCP sessions

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220118
