Network node scanning detection method and system for LAN environment

A network node scanning detection technology, applied in the field of computer networks, to achieve the effect of reducing accuracy

Inactive Publication Date: 2008-05-21
BEIJING VENUS INFORMATION TECH

AI Technical Summary

Problems solved by technology

The purpose of the present invention is to overcome a shortcoming of existing network scanning detection systems: they cannot correctly distinguish between the normal network access traffic sent by a host node and possible network scanning access traffic. The invention analyzes whether each outbound network access of each host node has a related DNS resolution operation, and uses this to separate normal network access traffic from possible network scanning access traffic. It then further analyzes the response rate and the target IP address divergence of the possible network scanning access traffic, so as to effectively detect various covert network scanning events in the local area network.


Examples


Embodiment 1

[0021] This embodiment is a network node scanning detection method suitable for a local area network environment. FIG. 1 is a schematic diagram of a system used in the method of the present invention.

[0022] The basic idea of this embodiment is that network scanning events can be detected from the context of network access behavior sequences. The network access traffic sent by a scanning host node differs from that sent by a host node performing normal network access: under normal circumstances, before a node sends a normal outbound network access attempt, it first sends a DNS (Domain Name System) resolution operation related to the target IP address of that outbound network access; whereas for a network scanning access issued by a scanning host node, the related target IP address is randomly constructed, so there is no DNS resolution operation rela...

Embodiment 2

[0030] This embodiment is a refinement of Embodiment 1, and is about the preferred scheme of the data acquisition step. The data acquisition module first collects all data packets on the local area network. After the data acquisition module captures network data packets, it needs to divide these network data packets into three categories:

[0031] 1) Network data packets related to DNS domain name resolution, where the network data packets are marked with TCP or UDP port 53, and this type of network data packets will be forwarded to the DNS resolution monitoring module for further analysis.

[0032] 2) Network data packets related to the network access requests and responses sent by host nodes. This embodiment only considers TCP-SYN, TCP-SYN-ACK, ICMP-Request and ICMP-Reply type messages, and this type of network data packets will be forwarded to the suspicious network access filtering module in the background.

[0033] 3) other network data packets, this type of network ...

Embodiment 3

[0038] This embodiment is a refinement of Embodiment 1, and is about an optimal solution for DNS resolution monitoring steps.

[0039] This step receives all network data packets related to the DNS domain name resolution protocol from the data acquisition module, performs DNS protocol resolution on them, extracts the list of IP addresses resolved by the DNS domain name, and dynamically maintains a data cache about these IP address lists.

[0040] When the DNS resolution monitoring module caches the list of IP addresses resolved by DNS, it also records the latest DNS resolution time of each IP address. It adopts a fast hash table structure with the IP address as the index: all DNS-resolved IP addresses and their associated resolution times are stored in the fast hash table.

[0041] The network data packets related to the DNS domain name resolution protocol can be divided into two types: DNS domain name resolution request data packets and DNS domai...
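The following sketch is an added example, not code from the patent or its owner. It combines the DNS cache of Embodiment 3 (a hash table keyed by resolved IP address, storing the latest resolution time) with the filtering step and the two detection indices named in the abstract, and so goes beyond this embodiment alone. The class name, the thresholds, the cache lifetime, the use of a distinct-destination count as the "divergence" measure and the sample events are all assumptions.

```python
from collections import defaultdict

DNS_TTL = 300.0          # assumed: seconds a resolved IP counts as "recently resolved"
MIN_DISTINCT_DSTS = 5    # assumed divergence threshold (distinct unresolved targets)
MAX_RESPONSE_RATE = 0.3  # assumed: scanners get few replies to their requests

class ScanDetector:
    def __init__(self):
        self.dns_cache = {}                  # resolved IP -> latest resolution time
        self.suspicious = defaultdict(dict)  # source host -> {target IP: answered?}

    def on_dns_response(self, ts, resolved_ips):
        """DNS resolution monitoring: remember every IP a DNS answer returned."""
        for ip in resolved_ips:
            self.dns_cache[ip] = ts

    def on_request(self, ts, src, dst):
        """TCP-SYN or ICMP-Request. Returns True if kept as suspicious."""
        seen = self.dns_cache.get(dst)
        if seen is not None and 0 <= ts - seen <= DNS_TTL:
            return False                     # preceded by DNS: normal access, filtered
        self.suspicious[src].setdefault(dst, False)
        return True

    def on_reply(self, src, dst):
        """TCP-SYN-ACK or ICMP-Reply sent by src back to the requester dst."""
        if src in self.suspicious.get(dst, {}):
            self.suspicious[dst][src] = True

    def report(self):
        """Hosts whose suspicious traffic is divergent and mostly unanswered."""
        scanners = {}
        for host, targets in self.suspicious.items():
            n = len(targets)
            rate = sum(targets.values()) / n
            if n >= MIN_DISTINCT_DSTS and rate <= MAX_RESPONSE_RATE:
                scanners[host] = (n, rate)
        return scanners

def demo():
    # Constructed events: .10 resolves a name and then connects;
    # .66 sends requests to 8 addresses that no DNS answer ever returned.
    d = ScanDetector()
    d.on_dns_response(100.0, ["203.0.113.5"])
    d.on_request(101.0, "192.168.1.10", "203.0.113.5")
    d.on_reply("203.0.113.5", "192.168.1.10")
    for i in range(8):
        d.on_request(110.0 + i, "192.168.1.66", f"198.51.100.{i + 1}")
    d.on_reply("198.51.100.3", "192.168.1.66")
    return d.report()
```

Traffic to hard-coded IP addresses (for example a gateway or an internal server reached without DNS) stays in the suspicious set, which is why the decision rests on both indices rather than on the missing DNS lookup alone.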


Abstract

The invention relates to a network node scanning detection method and system applicable to both the local network environment and the high-speed local network environment, comprising a network terminal and a local network. The invention is composed of a data acquisition step, a DNS resolution monitoring step, a suspicious network access filtering step, a suspicious network access statistics step and a network scanning detection step. The invention is characterized in that all the network access requests sent by each host node are correlated with the list of IP addresses recently resolved by DNS in the local network, and the network access requests related to normal network access traffic are filtered out to the maximum extent. By adopting the response rate of suspicious network access requests and the target IP address divergence of suspicious network access requests as the network scanning detection indices, the invention can be applied to network security products that monitor the scanning behavior of each host node in the local network.

Description

Technical field

[0001] The invention relates to a network node scanning detection method and system suitable for a local area network environment, belonging to the technical field of computer networks.

Background technique

[0002] With the rapid development of the Internet, security incidents on the network have gradually increased. From the early worm attacks to the current denial of service attacks and botnet incidents, these network security incidents have brought great economic losses to individuals and society. How to detect and prevent these network security incidents has become a research hotspot in the field of network security. Whether it is a worm attack, a denial of service attack, or a botnet event, the early attack behavior is to scan the Internet to find available network nodes, and, in order to avoid being discovered, most network attacks use a stealthier slow network scan method.

[0003] According to different detection indicators, exist...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L12/24, H04L12/26
Inventor: 叶润国, 李博, 胡振宇, 华东明, 骆拥政
Owner BEIJING VENUS INFORMATION TECH