Technical field
The invention relates to the field of information security technology, and specifically to a client-free method for monitoring unauthorized external connections based on network proxy auto-discovery.
Background
With the continued development and spread of Internet technology, new kinds of terminal devices keep appearing, and it has become inevitable that more and more desktop terminals and diverse private terminals will be connected to corporate intranets. In the network environment of some enterprises or organizations, the network is often directly connected, and computers on it are not allowed to be connected to the intranet and the Internet at the same time. Some employees nevertheless set up private subnets inside the intranet and connect to the Internet from them. Such unauthorized external connections expose the corporate network to serious security risks. Most existing techniques for monitoring unauthorized external connections from an intranet or private network rely on a client program deployed on each terminal computer: the client keeps attempting external connections by various means, and a successful connection is treated as an unauthorized external connection, which produces logs and alerts or further blocking actions. Approaches that do not rely on a client program instead depend on specific applications installed on the terminal, on protocol hijacking of gateway traffic, or on traffic analysis of switch-mirrored traffic.
The biggest problem with client-based monitoring of unauthorized external connections in the prior art is that deploying a client is unsuitable in some scenarios. Where personnel turn over frequently, for example, every computer that connects may be new, and an unauthorized external connection may already have been made in the gap before the client is installed, leaving the intranet or private network at risk.
Summary of the invention
To address the shortcomings of the prior art, the invention provides a client-free method for monitoring unauthorized external connections based on network proxy auto-discovery. It solves the problem that, in scenarios unsuitable for client deployment, every connecting computer may be new and may already have made an unauthorized external connection in the gap before a client is installed, putting the intranet or private network at risk.
To achieve the above purpose, the invention is implemented through the following technical solution: a client-free method for monitoring unauthorized external connections based on network proxy auto-discovery, characterized in that it comprises the following steps:
Step 1: Deploy an intranet probe inside the intranet or private network. The probe uses UDP to listen on the LLMNR port, port 5355, on 0.0.0.0, and joins multicast group 224.0.0.252 to listen for multicast traffic. When the offending intranet computer has network activity, it uses the network proxy auto-discovery protocol to look for a proxy server on the LAN, sending a packet to port 5355 of 224.0.0.252 to request the proxy server's IP address;
Step 2: The intranet probe receives this request and replies with its own address as the proxy server's IP address;
Step 3: Having obtained the proxy server address, the offending intranet computer sends an HTTP request to that address on port 80 with the URI wpad.dat, asking the intranet probe for the wpad file;
Step 4: On receiving the wpad.dat request, the intranet probe looks up the requester's MAC address, computer name and other details from the source IP address, then answers with an HTTP redirect whose target is the address of the Internet forensics server;
Step 5: After receiving the redirect response, the offending intranet computer sends an HTTP request to the Internet forensics server. If the computer really has established a path to the Internet, the forensics server receives the request; otherwise the request gets no response and the proxy acquisition simply fails;
Step 6: The Internet forensics server runs on the Internet, exposes a web service and listens for HTTP requests from the Internet. When a request from the offending intranet computer arrives, the forensics server parses it, verifies the checksum and discards every request whose checksum is incorrect;
Step 7: For an HTTP request with a correct checksum, it can be concluded that an unauthorized external connection has occurred. The Internet forensics server should obtain the Internet egress address of the request and its geographic location, log them together with the offending computer's IP, MAC, computer name and other information carried in the request URI, and alert the administrator by SMS, email or similar means according to a predefined policy;
Step 8: Following step 7, the Internet forensics server answers the HTTP request by redirecting it back to the intranet probe. The URI now additionally carries the external egress address, its geographic location, the time of the external connection, the information that evidence of the unauthorized external connection has been collected, and so on;
Step 9: The offending intranet computer then sends another request to the intranet probe, reporting to it the evidence information from step 8. On receiving the request, the probe writes a log entry, raises an alert on the intranet and, according to predefined policy, works with firewalls, admission control systems and the like to block the offending computer's access to the intranet or private network.
Preferably, the IP in IP address stands for the protocol for interconnection between networks, and an IP address is used to give a number to a computer on the Internet.
Preferably, the URI is a Uniform Resource Identifier, a string used to identify an abstract or physical resource.
Preferably, the redirect target in step 4 is the address of the Internet forensics server, and the URI contains the IP, MAC and computer name of the offending intranet computer. To guard against malicious requests, the URI should also contain a custom checksum. MAC stands for media access control address, also called the LAN address.
Preferably, HTTP is the Hypertext Transfer Protocol, the most widely used network protocol on the Internet.
Preferably, the HTTP redirect in step 4 is a mechanism for sending a client from one page or resource to another between the web server and the client.
Preferably, the intranet probe is a monitoring tool or device deployed in a LAN or internal network to actively discover, identify and monitor hosts, devices and traffic inside the network.
Preferably, the UDP protocol in step 1 is a transport protocol commonly used in network communication, a connectionless protocol that runs on top of IP.
Preferably, LLMNR in step 1 is a protocol for host name resolution on a LAN; it allows host names to be resolved by broadcasting queries on the local network when no DNS server is available.
Preferably, port 5355 in step 1 is the default port for services of several network protocols.
The invention provides a client-free method for monitoring unauthorized external connections based on network proxy auto-discovery, with the following beneficial effects:
1. The invention works through the fairly low-level network proxy auto-discovery protocol and does not depend on deploying a client program on terminals. The protocol is widely present in the operating-system protocol stacks of computers and mobile devices and is enabled by default, so there is no gap before a client is installed and the intranet or private network is not left at risk.
2. All network communication in the invention is implemented entirely with application-layer network requests. It needs no switch traffic support and no driver-level packet-sending support such as packet-capture file formats and libraries, which greatly reduces the difficulty of deployment, and it monitors networked devices of no particular type, running any of various operating systems, effectively.
Description of the drawings
Figure 1 is a flow chart of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiment:
Referring to Figure 1, an embodiment of the invention provides a client-free method for monitoring unauthorized external connections based on network proxy auto-discovery, comprising the following steps:
Step 1: Deploy an intranet probe inside the intranet or private network. The probe uses UDP to listen on the LLMNR port, port 5355, on 0.0.0.0, and joins multicast group 224.0.0.252 to listen for multicast traffic. When the offending intranet computer has network activity, it uses the network proxy auto-discovery protocol to look for a proxy server on the LAN, sending a packet to port 5355 of 224.0.0.252 to request the proxy server's IP address;
Step 2: The intranet probe receives this request and replies with its own address as the proxy server's IP address;
Step 3: Having obtained the proxy server address, the offending intranet computer sends an HTTP request to that address on port 80 with the URI wpad.dat, asking the intranet probe for the wpad file;
Step 4: On receiving the wpad.dat request, the intranet probe looks up the requester's MAC address, computer name and other details from the source IP address, then answers with an HTTP redirect whose target is the address of the Internet forensics server;
Step 5: After receiving the redirect response, the offending intranet computer sends an HTTP request to the Internet forensics server. If the computer really has established a path to the Internet, the forensics server receives the request; otherwise the request gets no response and the proxy acquisition simply fails;
Step 6: The Internet forensics server runs on the Internet, exposes a web service and listens for HTTP requests from the Internet. When a request from the offending intranet computer arrives, the forensics server parses it, verifies the checksum and discards every request whose checksum is incorrect;
Step 7: For an HTTP request with a correct checksum, it can be concluded that an unauthorized external connection has occurred. The Internet forensics server should obtain the Internet egress address of the request and its geographic location, log them together with the offending computer's IP, MAC, computer name and other information carried in the request URI, and alert the administrator by SMS, email or similar means according to a predefined policy;
Step 8: Following step 7, the Internet forensics server answers the HTTP request by redirecting it back to the intranet probe. The URI now additionally carries the external egress address, its geographic location, the time of the external connection, the information that evidence of the unauthorized external connection has been collected, and so on;
Step 9: The offending intranet computer then sends another request to the intranet probe, reporting to it the evidence information from step 8. On receiving the request, the probe writes a log entry, raises an alert on the intranet and, according to predefined policy, works with firewalls, admission control systems and the like to block the offending computer's access to the intranet or private network.
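The checksum-bearing redirect of step 4 and its verification in steps 6 and 7, as an added example that is not code from the patent. The patent only says "custom checksum"; HMAC-SHA256, the timestamp field, the host name, the path, the parameter names and the key are all assumptions made here.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions, none of them from the patent: HMAC-SHA256 plays the role of the
# "custom checksum"; the host, path, parameter names and key are placeholders.
FORENSICS_BASE = "http://forensics.example.net/report"
SHARED_KEY = b"replace-with-32-random-bytes"   # provisioned on probe and server
MAX_AGE_SECONDS = 300                          # replay window for a redirect
FIELDS = ("ip", "mac", "host", "ts")


def _tag(params):
    """HMAC over a JSON list of the fields in fixed order (unambiguous framing)."""
    msg = json.dumps([params[k] for k in FIELDS], separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def build_redirect_url(ip, mac, host, now=None):
    """Probe side (step 4): value for the Location header of the redirect."""
    ts = int(time.time() if now is None else now)
    params = {"ip": ip, "mac": mac.lower(), "host": host, "ts": str(ts)}
    params["sum"] = _tag(params)
    return FORENSICS_BASE + "?" + urlencode(params)


def verify_request(url, egress_ip, now=None):
    """Forensics side (steps 6 and 7): evidence record, or None to discard."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # A missing or repeated parameter is rejected rather than guessed at.
    if any(len(query.get(k, [])) != 1 for k in FIELDS + ("sum",)):
        return None
    params = {k: query[k][0] for k in FIELDS}
    supplied = query["sum"][0].encode()
    if not hmac.compare_digest(_tag(params).encode(), supplied):
        return None
    # ts is trusted only now that the tag has verified.
    now = time.time() if now is None else now
    if abs(now - int(params["ts"])) > MAX_AGE_SECONDS:
        return None
    return dict(params, egress_ip=egress_ip, received_at=int(now))


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation address for the egress).
    url = build_redirect_url("10.1.2.3", "AA:BB:CC:DD:EE:FF", "LAB-PC-07")
    print(url)
    print(verify_request(url, "203.0.113.9"))
    print(verify_request(url.replace("LAB-PC-07", "OTHER-PC"), "203.0.113.9"))
```

A keyed tag matters here because the forensics server is exposed to the Internet: a plain hash or CRC over the fields could be recomputed by anyone who sees one redirect URL, and forged requests would then raise false alerts.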
The IP in IP address stands for the protocol for interconnection between networks, and an IP address is used to give a number to a computer on the Internet.
The URI is a Uniform Resource Identifier, a string used to identify an abstract or physical resource.
Every resource available on the Web, such as HTML documents, images, audio, video clips and programs, is located by a universal resource identifier. wpad.dat is the configuration file of the network proxy auto-discovery protocol: after detecting and downloading the configuration file, a client can execute it to determine which proxy to use for a particular URI.
The redirect target in step 4 is the address of the Internet forensics server, and the URI contains the IP, MAC and computer name of the offending intranet computer. To guard against malicious requests, the URI should also contain a custom checksum. MAC stands for media access control address, also called the LAN address, Ethernet address or physical address.
A media access control address uniquely identifies a network card on a network. If a device has one or more network cards, each card needs, and has, its own unique MAC address.
HTTP is the Hypertext Transfer Protocol, the most widely used network protocol on the Internet.
The HTTP redirect in step 4 is a mechanism for sending a client from one page or resource to another between the web server and the client.
HTTP redirection is part of the HTTP protocol: the server returns a specific response status code and a redirect target URI, telling the client to redirect its request to the new URI.
The intranet probe is a monitoring tool or device deployed in a LAN or internal network to actively discover, identify and monitor hosts, devices and traffic inside the network.
An intranet probe helps network administrators or security teams see activity inside the network in real time, including hosts coming online and going offline, device connection status, and the direction and characteristics of traffic. It usually collects information through network traffic analysis, port scanning, protocol identification and similar techniques, and reports it to a central server or management platform for processing and analysis. A probe can monitor host activity, open ports, network traffic load and abnormal behavior on the intranet, helping to uncover potential security risks or network problems. Intranet probes can also be used for network performance optimization, bandwidth management, traffic monitoring and similar applications. Deploying one usually requires authorization from the network administrator or the organization and strict adherence to compliance and privacy principles, so that the information collected is processed and used lawfully, securely and with privacy protected.
The UDP protocol in step 1 is a transport protocol commonly used in network communication, a connectionless protocol that runs on top of IP.
UDP provides a simple, unreliable data transfer service and is typically used for fast data transfer and real-time applications such as audio, video and games. Because UDP is connectionless, no connection has to be established before data is sent. UDP splits data into small packets, each carrying a source port number and a destination port number, and sends each one separately over the network. With no notion of a connection, there is no waiting for connection setup and no connection state to maintain, which gives UDP low overhead and latency.
LLMNR in step 1 is a protocol for host name resolution on a local area network (LAN); it allows host names to be resolved by broadcasting queries on the local network when no DNS server is available.
LLMNR is commonly used on IPv4 networks. When a host wants to resolve a local host name, it sends an LLMNR query message to the target host on the local network; if a target host answers the query, it replies with a response message carrying the corresponding host name and IP address. LLMNR uses UDP for this exchange, on IPv4 port number 5355. LLMNR is used mainly for name resolution on a LAN, especially when no authoritative DNS server is reachable: it allows host names to be resolved quickly inside the LAN without depending on an external DNS server.
Port 5355 in step 1 is the default port for services of several network protocols.
LLMNR communicates over UDP port 5355, its default port, for host name resolution and service discovery on the LAN so that devices can identify and communicate with one another. Note that only one application on a given device should use port 5355, to avoid conflicts.
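The listening half of step 1, as an added example that is not code from the patent: it parses LLMNR queries received on 224.0.0.252:5355 and records which hosts look up the name wpad, without sending any reply. The function names and the sample datagrams are constructed for illustration.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # values given in step 1
QTYPES = {1: "A", 28: "AAAA"}


def parse_llmnr_query(packet):
    """Return (transaction_id, name, qtype) for a one-question query, else None."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!3H", packet[:6])
    # Skip responses (QR bit set), non-zero opcodes and multi-question packets.
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None                       # name runs past end of packet
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        # Lengths above 63 are compression pointers or garbage; reject both.
        if length > 63 or pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack("!2H", packet[pos:pos + 4])
    if qclass != 1:                           # class IN only
        return None
    return txid, ".".join(labels).lower(), qtype


def wpad_lookups(datagrams):
    """Return [(source_ip, qtype_name)] for each datagram that asks for 'wpad'."""
    hits = []
    for source_ip, packet in datagrams:
        parsed = parse_llmnr_query(packet)
        if parsed and parsed[1] == "wpad":
            hits.append((source_ip, QTYPES.get(parsed[2], str(parsed[2]))))
    return hits


def open_listener():
    """UDP socket bound to 0.0.0.0:5355 and joined to 224.0.0.252 (receive only)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton("0.0.0.0")
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return sock


def make_query(txid, name, qtype=1):
    """Build a constructed sample query for offline testing."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)


# Constructed sample datagrams: two WPAD lookups, one other name, one response.
SAMPLE = [
    ("10.1.2.3", make_query(0x1A2B, "wpad")),
    ("10.1.2.4", make_query(0x0001, "fileserver")),
    ("10.1.2.5", make_query(0x0002, "WPAD", qtype=28)),
    ("10.1.2.9", struct.pack("!6H", 3, 0x8000, 1, 1, 0, 0)
     + b"\x04wpad\x00\x00\x01\x00\x01"),
]

if __name__ == "__main__":
    print(wpad_lookups(SAMPLE))
```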
Although embodiments of the invention have been shown and described, a person of ordinary skill in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principles and spirit of the invention. The scope of the invention is defined by the appended claims and their equivalents.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310952769.2A CN116886389A (en) | 2023-08-01 | 2023-08-01 | A method for automatically discovering client-less violations and external connection monitoring based on network agents |
| Publication Number | Publication Date |
|---|---|
| CN116886389A (en) | 2023-10-13 |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310952769.2A (Pending) CN116886389A (en) | 2023-08-01 | 2023-08-01 | A method for automatically discovering client-less violations and external connection monitoring based on network agents |
| Country | Link |
|---|---|
| CN (1) | CN116886389A (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6567857B1 (en)* | 1999-07-29 | 2003-05-20 | Sun Microsystems, Inc. | Method and apparatus for dynamic proxy insertion in network traffic flow |
| US20140013001A1 (en)* | 2012-07-06 | 2014-01-09 | Microsoft Corporation | Parallel probing for efficient proxy selection in networked environments |
| CN107276979A (en)* | 2017-04-26 | 2017-10-20 | 浙江远望信息股份有限公司 | A kind of method that automatic detection terminal device intranet and extranet interconnect behavior |
| CN109413097A (en)* | 2018-11-30 | 2019-03-01 | 深信服科技股份有限公司 | A kind of lawless exterior joint detecting method, device, equipment and storage medium |
| CN112738095A (en)* | 2020-12-29 | 2021-04-30 | 杭州迪普科技股份有限公司 | Method, device, system, storage medium and equipment for detecting illegal external connection |
| Title |
|---|
| 机场信息系统研究员: "WPAD: Web Proxy Auto-Discovery, automatic discovery of Web proxy servers", Retrieved from the Internet <URL:https://blog.csdn.net/lejuo/article/details/9222951?ops_request_misc=%257B%2522request%255Fid%2522%253A%25224ccc55983617080dab9697f2c383650b%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=4ccc55983617080dab9697f2c383650b&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~sobaiduend~default-2-9222951-null-null.142^v102^pc_search_result_base9&utm_term=wpad&spm=1018.2226.3001.4187>* |
| Publication | Title | Publication Date |
|---|---|---|
| US8230480B2 (en) | Method and apparatus for network security based on device security status | |
| US10009230B1 (en) | System and method of traffic inspection and stateful connection forwarding among geographically dispersed network appliances organized as clusters | |
| US7325248B2 (en) | Personal firewall with location dependent functionality | |
| US5848233A (en) | Method and apparatus for dynamic packet filter assignment | |
| US7360242B2 (en) | Personal firewall with location detection | |
| EP2739003B1 (en) | Systems and methods to detect and respond to distributed denial of service (DDoS) attacks | |
| US20070192858A1 (en) | Peer based network access control | |
| US8219679B2 (en) | Detection and control of peer-to-peer communication | |
| US20070192500A1 (en) | Network access control including dynamic policy enforcement point | |
| Spognardi et al. | A methodology for P2P file-sharing traffic detection | |
| WO2007079044A2 (en) | Method and system for transparent bridging and bi-directional management of network data | |
| US20170104630A1 (en) | System, Method, Software, and Apparatus for Computer Network Management | |
| US20050207447A1 (en) | IP address duplication monitoring device, IP address duplication monitoring method and IP address duplication monitoring program | |
| Syed et al. | Analysis of Dynamic Host Control Protocol Implementation to Assess DoS Attacks | |
| EP1479191B1 (en) | System and method for intercepting network access | |
| CN116886389A (en) | A method for automatically discovering client-less violations and external connection monitoring based on network agents | |
| CN112565203B (en) | Centralized management platform | |
| Cisco | Command Reference | |
| Cisco | Global Configuration Mode Commands | |
| JP3880530B2 (en) | Client safety screening system using dynamic address assignment server | |
| Cisco | Release Notes for the PIX Firewall (Covers all 4.2 versions) | |
| Cisco | Command Reference | |
| JP2008535304A (en) | Method, apparatus, and computer program for detecting network attacks (network attack detection) | |
| Takemori et al. | Host-based traceback; tracking bot and C&C server | |
| Atul et al. | Prevention of PAC file based attack using DHCP snooping |
| Code | Title | Description | Date |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||