CN106534182A - Traceless network evidence acquisition method based on user state protocol stack - Google Patents

Traceless network evidence acquisition method based on user state protocol stack

Info

Publication number
CN106534182A
Authority
CN
China
Prior art keywords
network
protocol stack
user space
public network
taking equipment
Prior art date
2016-12-10
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611134473.6A
Other languages
Chinese (zh)
Inventor
庞叶蒙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Bai Hong Software Technology Co Ltd
Original Assignee
Wuhan Bai Hong Software Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2016-12-10
Filing date
2016-12-10
Publication date
2017-03-22
2016-12-10 Application filed by Wuhan Bai Hong Software Technology Co Ltd
2016-12-10 Priority to CN201611134473.6A
2017-03-22 Publication of CN106534182A
Status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/22 Parsing or analysis of headers
    • H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/50 Address allocation > H04L61/5007 Internet protocol [IP] addresses
    • H04L69/00 > H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] > H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures
    • H04L69/00 > H04L69/16 > H04L69/164 Adaptation or special uses of UDP protocol
    • H04L69/00 > H04L69/26 Special purpose or proprietary protocols or architectures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a traceless network evidence acquisition method based on a user state protocol stack. An evidence acquisition device grabs an IP address of a public network to which a monitoring object terminal accesses, accesses a target server through the obtained IP address and the user state protocol stack, and sends the evidence acquisition data to the target server, that is, the evidence acquisition device can still transmit electronic evidence to a background server through the IP address of the public network on other devices on the circuit by using the user state protocol stack technology in an environment in which the public network cannot be accessed.

Description

Traceless network forensics method based on a user-space protocol stack

Technical field

The present invention relates to the field of information network forensics, and in particular to a traceless network forensics method based on a user-space protocol stack.

Background technology

Network forensics technology has seen considerable development in China. Network forensics mainly relies on various means and on evidence-collection systems that capture core routing communication data to obtain evidence of a target object's illegal network behavior and network crimes: a forensic device is attached at the network communication equipment through which the target computer accesses the Internet, and the target's network activity is analyzed and monitored at close range over a short period, so that first-hand electronic evidence of the target's unlawful network activities and behavior is obtained.

In practical forensic work, however, the forensic device sometimes has to be deployed in an environment without public-network access, so it cannot promptly and effectively return the electronic evidence of the target's unlawful network activities and behavior to the server.

The content of the invention

The object of the present invention is to provide a traceless network forensics method based on a user-space protocol stack, which uses user-space protocol stack technology to return electronic evidence to a background server via the public-network IP address of other equipment on the link.

To achieve the above object, the present invention proposes a traceless network forensics method based on a user-space protocol stack, comprising the following steps:

(a) First, the monitored terminal accesses the public network through a router;

(b) Secondly, the forensic device obtains the public-network IP address of the monitored terminal by capturing the router's network data traffic;

(c) Finally, the forensic device accesses a destination server on the public network by means of the user-space protocol stack and the captured public-network IP address, and transfers the forensic data to the destination server.

Further, in the traceless network forensics method based on a user-space protocol stack, the forensic device obtains the public-network IP address of the monitored terminal by capturing the router's network data traffic in the following steps:

(b1) The forensic device accesses the router;

(b2) The forensic device captures the router's network packets with a packet-capture program, the network packets being TCP network data protocol packets or UDP network data protocol packets;

(b3) The forensic device parses the network packets obtained in step (b2) with an analysis program and obtains the public-network IP address of the monitored terminal.

Further, in the traceless network forensics method based on a user-space protocol stack, the forensic device accesses the destination server on the public network by means of the user-space protocol stack and the obtained public-network IP address, and transfers the forensic data to the destination server, specifically in the following steps:

(c1) A user-space protocol stack program is run on the forensic device;

(c2) The obtained public-network IP address is configured as the network-layer address of the user-space protocol stack;

(c3) A network application is created in the application layer of the user-space protocol stack, and the forensic device and the destination server establish communication through that network application;

(c4) After the forensic device and the destination server have established communication, the forensic device sends the forensic data to the destination server through the network application using a packet-sending protocol.

Further, in the traceless network forensics method based on a user-space protocol stack, the packet-sending protocol is a TCP network data transfer protocol or a UDP network data transfer protocol.

Compared with the prior art, the invention has the following beneficial effects: the forensic device captures the IP address of the public network accessed by the monitored terminal, and sends the forensic data to the destination server using the obtained IP address and the user-space protocol stack; that is, even in an environment where it cannot access the public network, the forensic device can still return electronic evidence to the background server via the public-network IP address of other equipment on the link, using user-space protocol stack technology.

Description of the drawings

Fig. 1 is a schematic diagram of the traceless network forensics method based on a user-space protocol stack in one embodiment of the invention.

Specific embodiment

The traceless network forensics method based on a user-space protocol stack of the present invention is described in more detail below with reference to the schematic diagram, which shows preferred embodiments of the invention. It should be understood that those skilled in the art can modify the invention described herein and still obtain its advantageous effects. The following description is therefore to be understood as widely known to those skilled in the art and not as a limitation of the invention.

As shown in Fig. 1, the traceless network forensics method based on a user-space protocol stack proposed by the present invention comprises the following steps:

(a) First, the monitored terminal 1 accesses the public network 4 through the router 2;

(b) Secondly, the forensic device 3 obtains the public-network IP address of the monitored terminal 1 by capturing the network data traffic of the router 2, specifically in the following steps:

(b1) The forensic device 3 accesses the router 2;

(b2) The forensic device 3 captures the network packets of the router 2 with a packet-capture program, the network packets being TCP network data protocol packets or UDP network data protocol packets;

(b3) The forensic device 3 parses the network packets obtained in step (b2) with an analysis program and obtains the public-network IP address of the monitored terminal 1 on the in-line link;

(c) Finally, the forensic device 3 accesses the destination server 5 on the public network 4 by means of the user-space protocol stack and the captured public-network IP address, and transfers the forensic data to the destination server 5, specifically in the following steps:

(c1) A user-space protocol stack program is run on the forensic device 3;

(c2) The obtained public-network IP address is configured as the network-layer address of the user-space protocol stack;

(c3) A network application is created in the application layer of the user-space protocol stack, and the forensic device 3 and the destination server 5 establish communication through that network application;

(c4) After the forensic device 3 and the destination server 5 have established communication, the forensic device 3 sends the forensic data to the destination server 5 through the network application using a packet-sending protocol, where the packet-sending protocol is a TCP network data transfer protocol or a UDP network data transfer protocol.
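Steps (b2) and (b3) amount to a header parser over captured TCP/UDP traffic, and the method's effect on the wire is that a second device emits packets carrying a host's public IP address. The following is an added example, not the patent's packet-capture or analysis program: it parses constructed Ethernet II/IPv4 frames into the fields such a parser needs (source and destination MAC, IP, protocol, ports) and then runs the check a network defender would want, flagging any source IP that is seen coming from more than one MAC address. The frames, MAC addresses and IP addresses are constructed test data; `build_frame`, `parse_frame` and `ip_mac_conflicts` are names chosen here.

```python
"""Parse raw Ethernet II / IPv4 frames and flag a source IP emitted by more
than one MAC address. Added example with constructed sample traffic; it is
not the program described in the patent."""
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Build a minimal Ethernet II + IPv4 + TCP/UDP frame for testing.
    Checksums are left zero: this is parser input, not wire-valid traffic."""
    if proto == IPPROTO_TCP:
        # src port, dst port, seq, ack, data offset (5 words), flags, window, cksum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("unsupported protocol")
    total_len = 20 + len(l4) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                         proto, 0, _ip(src_ip), _ip(dst_ip))
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_IP)
    return eth + ip_hdr + l4 + payload


def parse_frame(frame):
    """Return the fields a forensic parser extracts from one frame, or None if
    the frame is not IPv4 over Ethernet II or is truncated."""
    if len(frame) < 34:  # 14-byte Ethernet header + 20-byte minimal IPv4 header
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        return None
    ver_ihl = frame[14]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[23]
    rec = {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in frame[26:30]),
        "dst_ip": ".".join(str(b) for b in frame[30:34]),
        "proto": proto,
        "sport": None,
        "dport": None,
    }
    l4 = frame[14 + ihl:]
    # TCP and UDP both start with 16-bit source and destination ports
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    return rec


def ip_mac_conflicts(frames):
    """Map each source IP to the MACs that emitted it and return the IPs
    claimed by more than one MAC: the wire-level indicator that a second
    device is sending with a host's address."""
    seen = defaultdict(set)
    for f in frames:
        rec = parse_frame(f)
        if rec is not None:
            seen[rec["src_ip"]].add(rec["src_mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# Constructed sample traffic: the terminal (MAC ...:01) talks to two servers,
# then a second device (MAC ...:02) sends with the same source address.
TERMINAL_MAC = "02:00:00:00:00:01"
OTHER_MAC = "02:00:00:00:00:02"
GATEWAY_MAC = "02:00:00:00:00:ff"
SAMPLE_FRAMES = [
    build_frame(TERMINAL_MAC, GATEWAY_MAC, "203.0.113.10", "198.51.100.20", IPPROTO_TCP, 51000, 443),
    build_frame(TERMINAL_MAC, GATEWAY_MAC, "203.0.113.10", "198.51.100.53", IPPROTO_UDP, 51001, 53),
    build_frame(OTHER_MAC, GATEWAY_MAC, "203.0.113.10", "198.51.100.99", IPPROTO_TCP, 40000, 8080),
    b"\x00" * 10,  # truncated junk; the parser skips it
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_frame(f))
    print(ip_mac_conflicts(SAMPLE_FRAMES))
```

On a real capture the frames would come from a pcap reader or a raw socket instead of `build_frame`; the conflict check is deliberately keyed on the Ethernet source, because the IP and port fields are exactly what the method reuses, while the MAC of the sending interface is what still differs on the local segment.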

In summary, in the traceless network forensics method based on a user-space protocol stack provided by the embodiment of the present invention, the forensic device captures the IP address of the public network accessed by the monitored terminal, and sends the forensic data to the destination server using the obtained IP address and the user-space protocol stack; that is, even in an environment where it cannot access the public network, the forensic device can still return electronic evidence to the background server via the public-network IP address of other equipment on the link, using user-space protocol stack technology.

The above are only preferred embodiments of the present invention and do not limit it in any way. Any equivalent variation or modification of any kind made by those skilled in the art to the technical solution and technical content disclosed by the invention, without departing from the technical solution of the invention, still falls within the protection scope of the invention.

Claims (4)

1. A traceless network forensics method based on a user-space protocol stack, characterized in that it comprises the following steps:

(a) First, the monitored terminal accesses the public network through a router;

(b) Secondly, the forensic device obtains the public-network IP address of the monitored terminal by capturing the router's network data traffic;

(c) Finally, the forensic device accesses a destination server on the public network by means of the user-space protocol stack and the captured public-network IP address, and transfers the forensic data to the destination server.

2. The traceless network forensics method based on a user-space protocol stack according to claim 1, characterized in that the forensic device obtains the public-network IP address of the monitored terminal by capturing the router's network data traffic in the following steps:

(b1) The forensic device accesses the router;

(b2) The forensic device captures the router's network packets with a packet-capture program, the network packets being TCP network data protocol packets or UDP network data protocol packets;

(b3) The forensic device parses the network packets obtained in step (b2) with an analysis program and obtains the public-network IP address of the monitored terminal.

3. The traceless network forensics method based on a user-space protocol stack according to claim 1, characterized in that the forensic device accesses the destination server on the public network by means of the user-space protocol stack and the obtained public-network IP address, and transfers the forensic data to the destination server, specifically in the following steps:

(c1) A user-space protocol stack program is run on the forensic device;

(c2) The obtained public-network IP address is configured as the network-layer address of the user-space protocol stack;

(c3) A network application is created in the application layer of the user-space protocol stack, and the forensic device and the destination server establish communication through that network application;

(c4) After the forensic device and the destination server have established communication, the forensic device sends the forensic data to the destination server through the network application using a packet-sending protocol.

4. The traceless network forensics method based on a user-space protocol stack according to claim 3, characterized in that the packet-sending protocol is a TCP network data transfer protocol or a UDP network data transfer protocol.

CN201611134473.6A 2016-12-10 2016-12-10 Traceless network evidence acquisition method based on user state protocol stack Pending CN106534182A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611134473.6A CN106534182A (en) 2016-12-10 2016-12-10 Traceless network evidence acquisition method based on user state protocol stack

Publications (1)

Publication Number Publication Date
CN106534182A true CN106534182A (en) 2017-03-22

Family

ID=58341500

Country Status (1)

Country Link
CN (1) CN106534182A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1909504A (en) * 2006-01-11 2007-02-07 郑凯 Method for controlling LAN host machine public net message based on by-pass interception technology
WO2009093226A2 (en) * 2008-01-15 2009-07-30 Alcatel Lucent A method and apparatus for fingerprinting systems and operating systems in a network
US8145733B1 (en) * 2006-02-15 2012-03-27 Trend Micro Incorporated Identification of computers located behind an address translation server
CN102594635A (en) * 2012-02-15 2012-07-18 中国联合网络通信集团有限公司 Home-gateway-based terminal access method and system, and home gateway
CN205249280U (en) * 2015-12-11 2016-05-18 山东科大机电科技股份有限公司 Healthy management system of remote equipment based on cloud storage
CN106027612A (en) * 2016-05-09 2016-10-12 北京中科海讯数字科技股份有限公司 Remote intelligent monitoring system
CN106100928A (en) * 2016-06-21 2016-11-09 北京百度网讯科技有限公司 It is applied to transmission method and the device of the monitoring data of data center
CN106101066A (en) * 2016-05-27 2016-11-09 中国联合网络通信集团有限公司 A kind of monitoring method of server service and monitoring system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111294316A (en) * 2018-12-07 2020-06-16 网宿科技股份有限公司 Network isolation method and device based on user-mode protocol stack virtual router
CN111294316B (en) * 2018-12-07 2022-07-01 网宿科技股份有限公司 Network isolation method and device based on user-mode protocol stack virtual router
CN113259400A (en) * 2021-07-14 2021-08-13 南京易科腾信息技术有限公司 Network interaction system, method and storage medium based on network protocol
CN113259400B (en) * 2021-07-14 2021-09-28 南京易科腾信息技术有限公司 Network interaction system, method and storage medium based on network protocol

Similar Documents

Publication Publication Date Title
Liang et al. 2016 A denial of service attack method for an iot system
JP4664257B2 (en) 2011-04-06 Attack detection system and attack detection method
CN103023924B (en) 2015-10-14 The ddos attack means of defence of the cloud distribution platform of content-based distributing network and system
CN101286850B (en) 2010-12-15 Defensive installation for security of router, defense system and method
CN103609089B (en) 2016-08-31 A kind of preventing is attached to the method and device of Denial of Service attack on the main frame of subnet
CN101567884B (en) 2011-12-14 Method for detecting network theft Trojan
CN102055627B (en) 2012-06-13 Method and device for identifying peer-to-peer (P2P) application connection
CN109314664B (en) 2021-07-06 Zombie main control machine discovery equipment and method
CN103428224A (en) 2013-12-04 Method and device for intelligently defending DDoS attacks
CN106506486A (en) 2017-03-15 A kind of intelligent industrial-control network information security monitoring method based on white list matrix
CN103139315A (en) 2013-06-05 Application layer protocol analysis method suitable for home gateway
WO2007100388A3 (en) 2008-07-31 Techniques for network protection based on subscriber-aware application proxies
CN108156210A (en) 2018-06-12 The acquisition methods and device of target resource
CN104320378B (en) 2018-05-04 Intercept the method and system of web data
CN106936791A (en) 2017-07-07 Intercept the method and apparatus that malice network address is accessed
CN101577729A (en) 2009-11-11 Method for blocking bypass by combining DNS redirection with Http redirection
CN111526132B (en) 2022-04-29 Attack transfer method, device, equipment and computer readable storage medium
CN109587156A (en) 2019-04-05 Abnormal network access connection identification and blocking-up method, system, medium and equipment
CN102739684A (en) 2012-10-17 Portal authentication method based on virtual IP address, and server thereof
CN104734903A (en) 2015-06-24 Safety protection method of OPC protocol based on dynamic tracking technology
CN107360247A (en) 2017-11-17 The method and the network equipment of processing business
CN102984165B (en) 2016-04-13 Wireless network secure supervisory control system and method
CN104519129A (en) 2015-04-15 Data transmission method, device and system
CN101964804A (en) 2011-02-02 Attack defense system under IPv6 protocol and implementation method thereof
CN106899500A (en) 2017-06-27 A kind of message processing method and device across virtual expansible LAN

Legal Events

Date Code Title Description
2017-03-22 C06 Publication
2017-03-22 PB01 Publication
2017-04-19 SE01 Entry into force of request for substantive examination
2020-05-01 RJ01 Rejection of invention patent application after publication
