
CN107276978B - A method for tracing the source of anonymous-network hidden services based on host fingerprints - Google Patents


Info

Publication number: CN107276978B
Authority: CN (China)
Prior art keywords: host, service, fingerprint, fingerprint information
Legal status: Active (as listed by Google; not a legal conclusion)
Application number: CN201710278624.3A
Other languages: Chinese (zh)
Other versions: CN107276978A (en)
Inventors: 王学宾 (Wang Xuebin), 谭庆丰 (Tan Qingfeng)
Current assignee: Institute of Information Engineering of CAS (as listed by Google)
Original assignee: Institute of Information Engineering of CAS
Priority date: 2017-04-25 (as listed by Google; not a legal conclusion)
Filing date: 2017-04-25
Publication dates: 2017-10-20 (CN107276978A), 2019-12-03 (CN107276978B)

Events: application filed by Institute of Information Engineering of CAS; priority to CN201710278624.3A; publication of CN107276978A; application granted; publication of CN107276978B; current legal status Active; anticipated expiration not listed.

Classifications

    • H04L 63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer (under H04L 63/04 and 63/0407: network security architectures providing confidential data exchange in which the identity of one or more communicating entities is hidden)
    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/14 and 63/1408: detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 2463/146 Tracing the source of attacks (additional details for H04L 63/00)


Abstract

The invention provides a method for tracing the source of anonymous-network hidden services based on host fingerprints. The steps are: 1) build a host fingerprint database of the global IPv4 address space, where the fingerprint information of each host is identified by the union of the fingerprint information of all network services running on that host; 2) extract the fingerprint information of the ports opened by an anonymous-network hidden service, where the fingerprint information of each hidden service is identified by the union of the fingerprint information of all ports it opens; 3) match the extracted hidden-service fingerprint information against the host fingerprint database of the global IPv4 address space, thereby tracing the hidden service to its origin. The method improves the efficiency of tracing anonymous-network hidden services and can be widely used to combat crime committed over anonymous networks.

Description

A method for tracing the source of anonymous-network hidden services based on host fingerprints

Technical field

The invention belongs to the network attack source-tracing area of information security, and in particular relates to a method for tracing anonymous-network hidden services to their origin using host fingerprints.

Background

Anonymous communication is a major privacy-enhancing technology used across the Internet. Existing anonymous communication systems change the appearance of messages through repeated store-and-forward (Mix networks and onion routing: delaying, reordering and padding packets) and rely on the flushing mechanism of a Mix network to remove the correspondence between input and output messages, thereby protecting the privacy of online users. Typical low-latency anonymous communication systems include Tor and I2P.

These systems protect not only the identity of Internet users but also that of service providers: they allow a user to offer a network service while guaranteeing that the server's IP address is not disclosed. We refer collectively to such hidden network services built on anonymous communication systems as the "darknet", for example Tor hidden services and I2P eepsites.

However, the anonymity that Tor and similar networks give legitimate users also serves terrorists, rumor-mongers, network attackers and illegal trade in drugs, pornography and the like. A Kaspersky Lab report describes the Tor darknet as a shelter for botnets, malware command servers and online black markets; since 2013 the number of illegal services hidden in Tor has grown rapidly, and Kaspersky Lab identified at least 900 illegal services (including the Silk Road drug-trading site and botnet "zombie" services) using the Tor network, drawing on some 5,500 relay nodes and 1,000 exit nodes. Studies have found that up to 32% of Tor hidden services relate to pornography or drug trading. Anonymous communication tools are also frequently used to pass sensitive information and spread rumors: a Harvard student spread a bomb hoax over Tor, in the WikiLeaks case Manning exchanged sensitive intelligence over the Tor network, and Snowden used the Tor-based operating system Tails to pass on intelligence.

Current methods for tracing anonymous-network hidden services are mainly based on active or passive flow analysis or on protocol vulnerabilities; some work has also studied deanonymization based on attributes such as server configuration or unique IDs in web content. Flow-analysis deanonymization requires the attacker to control the entry guards of the anonymous-network circuits at the same time, so as to observe both the Internet user entering the network at its entry node and the entry node used by the hidden service, and then correlate the two flows by the timing and packet-size features of the anonymous traffic. Although this method is highly accurate, the probability that an attacker simultaneously controls the relevant entry and exit nodes of the anonymous network is very low, and protocol vulnerabilities are routinely fixed by the developers.

Summary of the invention

The object of the invention is to provide a method for tracing anonymous-network hidden services to their origin based on host fingerprints; the method improves the efficiency of such tracing and can be widely used to combat crime committed over anonymous networks.

To that end, the invention adopts the following technical scheme:

A method for tracing the source of anonymous-network hidden services based on host fingerprints, comprising the steps of:

1) Building a host fingerprint database of the global IPv4 address space, where the fingerprint information of each host (IPv4 address) is identified by the union of the fingerprint information of all network services running on that host;

2) Extracting the fingerprint information of the ports opened by an anonymous-network hidden service, where the fingerprint information of each hidden service is identified by the union of the fingerprint information of all ports it opens;

3) Matching the hidden-service fingerprint information extracted in step 2) against the host fingerprint database of the global IPv4 address space, thereby tracing the hidden service to its origin.

Further, step 1) uses an Internet-oriented (IPv4 address space) host fingerprint labelling method to build the host fingerprint database of the global IPv4 address space.

Further, the Internet-oriented host fingerprint labelling method means: for each host, identifying the host's open ports with the Zmap network scanner and extracting the fingerprint information of the network services running on the host.

Further, the fingerprint information of a network service is the hash value of information inherent to that service.

Further, the fingerprint information in steps 1) and 2) includes the fingerprint information of HTTP, HTTPS, SSH, IMAP(S), POP3(S) and Bitcoin network services.

Further, step 3) matches the extracted hidden-service fingerprint information against the host fingerprint database of the global IPv4 address space using a fast fingerprint query method based on an inverted index.

Further, the fast fingerprint query method based on an inverted index means: from the fingerprint information of each host obtained in step 1), building an inverted-index query dictionary whose keys are the fingerprints of individual network ports and whose values are the hosts carrying them; looking up each fingerprint of the hidden service extracted in step 2) in that dictionary; and intersecting the query results of all the fingerprints to obtain the set of IPv4 addresses of the hidden service.

The beneficial effects of the invention are as follows. The invention provides a host-fingerprint-based method for tracing anonymous-network hidden services. It first uses large-scale network host scanning to collect fingerprint information for every IPv4 host address and builds a host fingerprint database of the global IPv4 address space; it then extracts the fingerprint information of an anonymous-network hidden service and matches it against that database. A successful match means the hidden service is located at a particular IPv4 address, which breaks its anonymity and traces it to its source. The method has the following advantages:

1. Tracing hidden services through host fingerprint information requires no control over any node of the anonymous network, which lowers the cost of tracing;

2. Host fingerprint information and hidden-service fingerprint information are easy to obtain and no traffic from inside the anonymous network is needed, which solves the data-acquisition problem;

3. Only the host fingerprints and the hidden-service fingerprints are needed to break anonymity, which greatly reduces the difficulty of tracing hidden services.

Description of the drawings

Figure 1 is a flow chart of the host-fingerprint-based method of the invention for tracing anonymous-network hidden services.

Figure 2 is a schematic diagram of the process by which the invention queries the IPv4 address of an anonymous-network hidden service.

Figure 3 is a detailed flow chart of the host-fingerprint-based tracing method according to one embodiment of the invention.

Detailed description

To make the above features and advantages of the invention clearer, embodiments are described in detail below with reference to the accompanying drawings.

The invention provides a host-fingerprint-based method for tracing anonymous-network hidden services whose steps, as shown in Figure 1, are as follows:

1) Build the host fingerprint database of the global IPv4 address space.

The invention proposes an Internet-oriented host fingerprint labelling method: for each host, a network scanner such as Zmap identifies the host's open ports, and the fingerprint information of the HTTP, HTTPS, SSH, IMAP(S), POP3(S), Bitcoin and other network services running on it is extracted; the fingerprint information of a host is identified by the union of the fingerprint information of all network services running on that host. The fingerprint information extracted for a network service is the hash value of information inherent to that service on the host, information that does not change over time or with the connecting client, such as the HTTP server type, version and protocol headers; the HTTPS server type, version, protocol headers and certificate information; and the SSH public key. The host fingerprint generation algorithm (Algorithm 1) is shown in Table 1. The algorithm uses the union of the service fingerprints of all of a host's open ports to label the host uniquely; its output associates each host with a fingerprint set, giving records of the form <IPv4, C>, where IPv4 identifies the host and C its set of fingerprint information, and the collection of these records constitutes the host fingerprint database of the global IPv4 address space.

2) Extract the fingerprint information of the anonymous-network hidden service.

The invention proposes a fingerprint extraction method for anonymous-network hidden services. For a hidden service, a fast scan determines whether it is alive and verifies which specific ports are open, and the fingerprint information of each open port is then extracted; the fingerprint information of a hidden service is identified by the union of the fingerprint information of all ports it opens. The extracted fingerprint information covers HTTP, HTTPS, SSH, IMAP(S), POP3(S), Bitcoin and other network services. The hidden-service fingerprint generation algorithm (Algorithm 2) is shown in Table 2. The algorithm uses the union of the service fingerprints of all of a hidden service's open ports to label the hidden service uniquely; its output associates each hidden service with a fingerprint set, giving records of the form <Onion, F>, where Onion identifies the hidden service and F its set of fingerprint information.

Table 1: Host fingerprint generation algorithm

Table 2: Hidden-service fingerprint generation algorithm
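The two generation algorithms are the same procedure applied to two kinds of target, so one worked example serves Table 1 and Table 2 at once. The Python below is an added example, not code from the patent or its tables: it reduces the protocol set to HTTP, HTTPS and SSH, uses SHA-256 as the hash, and every service observation (banners, a stand-in DER certificate, a stand-in SSH host-key blob, RFC 5737-style sample data) is constructed by hand. What it makes explicit is the invariance requirement of the description: fields that change per request or per client (Date, Set-Cookie, Content-Length) are stripped before hashing, so the same machine observed on its IPv4 address and through the onion yields the same fingerprint set.

```python
# Added example, not code from the patent or its tables: fingerprint generation
# for one host (Algorithm 1) or one hidden service (Algorithm 2). Protocol
# coverage is reduced to HTTP, HTTPS and SSH; all observations below are
# constructed by hand (stand-in banners, certificate bytes and host-key blob).
import hashlib

# Headers that change per request or per client. The description requires a
# fingerprint that does not change with time or client, so these never enter it.
VOLATILE_HTTP_HEADERS = {
    "date", "expires", "last-modified", "etag", "set-cookie",
    "content-length", "connection", "keep-alive", "x-request-id",
}


def _digest(proto: str, data: bytes) -> str:
    """fingerprint = protocol tag + SHA-256 over the canonical inherent data"""
    return f"{proto}:{hashlib.sha256(data).hexdigest()}"


def canonical_http(raw_response: str) -> str:
    """Status line plus the sorted, lower-cased, non-volatile response headers."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status, *header_lines = head.split("\r\n")
    kept = []
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name and name not in VOLATILE_HTTP_HEADERS:
            kept.append(f"{name}:{value.strip()}")
    return "\n".join([status.strip(), *sorted(kept)])


def http_fingerprint(raw_response: str) -> str:
    return _digest("http", canonical_http(raw_response).encode())


def https_fingerprint(der_cert: bytes, raw_response: str) -> str:
    """HTTPS port: the DER certificate and the HTTP layer behind it, together."""
    cert_hash = hashlib.sha256(der_cert).hexdigest()
    return _digest("https", f"{cert_hash}\n{canonical_http(raw_response)}".encode())


def ssh_fingerprint(version_banner: str, hostkey_blob: bytes) -> str:
    """SSH port: server version string plus the host public-key blob."""
    return _digest("ssh", version_banner.strip().encode() + b"\0" + hostkey_blob)


def service_fingerprint(obs: dict) -> str:
    """One open-port observation -> its protocol-specific fingerprint f."""
    proto = obs["proto"]
    if proto == "http":
        return http_fingerprint(obs["response"])
    if proto == "https":
        return https_fingerprint(obs["der_cert"], obs["response"])
    if proto == "ssh":
        return ssh_fingerprint(obs["banner"], obs["hostkey"])
    raise ValueError(f"no fingerprint extractor for protocol {proto!r}")


def fingerprint_set(observations) -> frozenset:
    """Algorithms 1 and 2: the union of per-port fingerprints is the fingerprint
    of the host (the C in <IPv4, C>) or of the hidden service (the F in <Onion, F>)."""
    return frozenset(service_fingerprint(o) for o in observations)


# Constructed stand-ins shared by both views of the same machine.
SSH_BANNER = "SSH-2.0-OpenSSH_7.4p1 Debian-10"
SSH_HOSTKEY = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"K" * 32
DER_CERT = b"\x30\x82\x02\x10" + b"\xa5" * 60

# The machine as scanned on its IPv4 address ...
HOST_OBS = [
    {"proto": "ssh", "port": 22, "banner": SSH_BANNER, "hostkey": SSH_HOSTKEY},
    {"proto": "https", "port": 443, "der_cert": DER_CERT,
     "response": "HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\n"
                 "Date: Tue, 25 Apr 2017 08:00:00 GMT\r\n"
                 "Content-Type: text/html\r\nContent-Length: 612\r\n\r\n<html>"},
    {"proto": "http", "port": 80,
     "response": "HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\n"
                 "Date: Tue, 25 Apr 2017 08:00:00 GMT\r\nContent-Type: text/html\r\n\r\n"},
]
# ... and the same services reached through the onion address a day later:
# Date differs and a session cookie was added, the inherent fields are unchanged.
ONION_OBS = [
    {"proto": "ssh", "port": 22, "banner": SSH_BANNER, "hostkey": SSH_HOSTKEY},
    {"proto": "https", "port": 443, "der_cert": DER_CERT,
     "response": "HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\n"
                 "Date: Wed, 26 Apr 2017 13:37:00 GMT\r\nSet-Cookie: sid=abc; HttpOnly\r\n"
                 "Content-Type: text/html\r\nContent-Length: 612\r\n\r\n<html>"},
    {"proto": "http", "port": 80,
     "response": "HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\n"
                 "Date: Wed, 26 Apr 2017 13:37:00 GMT\r\nContent-Type: text/html\r\n\r\n"},
]

if __name__ == "__main__":
    print("onion F equals host C:", fingerprint_set(ONION_OBS) == fingerprint_set(HOST_OBS))
```

Fields that embed the hostname (a Location redirect to the clear-net name, a cookie Domain attribute, a certificate served only for the clear-net name) differ between the two views and would defeat the match, so they have to be canonicalised away as well, at the cost of a less specific fingerprint. The Server banner alone is shared by millions of hosts; it is the SSH host key and the TLS certificate that make the union discriminating.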

3) Match the hidden-service fingerprint information extracted above against the host fingerprint database of the global IPv4 address space; a successful match means the hidden service is located at a particular IPv4 address, which breaks its anonymity and traces it to its origin.

Table 3: Algorithm for building the inverted index of host fingerprint information over the global IPv4 address space

Table 4: Fast matching algorithm for hidden-service fingerprint information

The invention proposes a fast matching algorithm for hidden-service fingerprint information, used to match the extracted fingerprints of a hidden service against the host fingerprint database of the global IPv4 address space. The algorithm is a fast fingerprint query method based on an inverted index: from the fingerprint information of each host obtained in step 1), an inverted-index query dictionary is built whose keys are the fingerprints of individual network ports and whose values are the hosts carrying them; each fingerprint of the hidden service extracted in step 2) is looked up in that dictionary, and the query results of all the fingerprints are intersected to obtain the set of IPv4 addresses of the hidden service. The algorithm for building the inverted index over the global IPv4 address space (Algorithm 3) is shown in Table 3, and the fast matching algorithm for hidden-service fingerprints (Algorithm 4) in Table 4. The input of Algorithm 3 is the host fingerprint database built in step 1); for every host in the database it inserts each port fingerprint as a key with the host as a value, producing the inverted-index query dictionary. The value stored under a fingerprint is the set of IPv4 addresses of all hosts sharing that fingerprint, so when the fingerprint information of a hidden service is given, a lookup in the dictionary returns the set of all candidate host IPv4 addresses for that fingerprint in a short time, which greatly improves query efficiency. The input of Algorithm 4 is the fingerprint set F of a hidden service; for each fingerprint f in F it queries the inverted index built by Algorithm 3 in turn, and the intersection of the query results of all the fingerprints is the set S of IPv4 addresses of the hidden service.

Figure 2 depicts the process of querying the host fingerprint database of the global IPv4 address space with the fingerprint set F of a hidden service and outputting the hidden service's IPv4 address; F is the set of fingerprint information of the hidden service and each individual fingerprint is denoted f. For example, suppose a hidden service has the three ports 22, 443 and 80 open, with fingerprints f1, f2 and f3 respectively. Each of the three fingerprints is looked up in the inverted-index query dictionary built from the host fingerprint database, yielding the IPv4 sets S1, S2 and S3; the IPv4 address of the hidden service is then S1 ∩ S2 ∩ S3.

The method is explained below using the Tor anonymous network as an example; for other anonymous networks such as I2P the main steps and methods are the same as for Tor.

Referring to Figure 3, for the Tor network the method comprises the following steps:

Step 1: build the host fingerprint database of the global IPv4 address space, specifically:

1) Add a blacklist: the IPv4 addresses corresponding to the Alexa top 1 million domain names are blacklisted so that scanning of these addresses is skipped.

2) Use the open-source tool Zmap or similar to scan the whole IPv4 address space on the common ports (HTTP, HTTPS, SSH, IMAP(S), POP3(S), Bitcoin).

3) For each port found open in step 2), perform a further protocol-level scan and verification to extract the protocol signature, for example the certificate information of the HTTPS service on port 443.

4) Build the host fingerprint database of the global IPv4 address space, and use a Redis cluster to build the inverted-index query dictionary keyed by the fingerprint of each network port with the hosts as values; the algorithm for building this inverted index (Algorithm 3) is shown in Table 3.

Step 2: extract the fingerprint information of the hidden service, specifically:

1) Quickly scan the common ports of each hidden service.

2) For each port found open in step 1), perform a further protocol-level scan and verification to extract the protocol signature, for example the certificate information of the HTTPS service on port 443.

3) Generate the fingerprint information from the signatures extracted in step 2) and associate the hidden service with its fingerprint set, recorded as <Onion, F>, where Onion denotes the hidden service and F its set of fingerprint information, each individual fingerprint being denoted f. For example, if a hidden service has the three ports 22, 443 and 80 open, the fingerprints of the three ports are denoted f1, f2 and f3.

Step 3: query the fingerprint information of the hidden service extracted above in the host fingerprint database of the global IPv4 address space. The inverted index built by Algorithm 3 is queried with the fast matching algorithm (Algorithm 4) to obtain the IPv4 address corresponding to the hidden service, which breaks its anonymity and traces the hidden service to its origin.
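A worked implementation of Table 3 and Table 4, covering both the Figure 2 walk-through (ports 22, 443 and 80 with fingerprints f1, f2, f3 and S = S1 ∩ S2 ∩ S3) and the Tor embodiment above, including its blacklist step. This is an added example in Python, not code from the patent: the <IPv4, C> records are constructed, the fingerprints are opaque labels standing in for the hashes of the extraction step, the addresses come from RFC 5737 documentation space, and an in-memory dictionary stands in for the Redis cluster named in the embodiment.

```python
# Added example, not code from the patent: the inverted index of Algorithm 3,
# the intersection query of Algorithm 4, and the blacklist step of the Tor
# embodiment, on a constructed host database. Fingerprints are opaque labels
# here (in practice the hashes produced by the extraction step).
import ipaddress
from collections import defaultdict


def build_inverted_index(host_db, blacklist=()):
    """Algorithm 3: map every service fingerprint f to the set of IPv4 hosts
    whose fingerprint set C contains f. host_db yields <IPv4, C> records.
    Hosts inside a blacklisted network are skipped, as the embodiment skips
    the addresses behind the Alexa top-1M domains before scanning."""
    nets = [ipaddress.ip_network(n) for n in blacklist]
    index = defaultdict(set)
    for ip, fps in host_db:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):
            continue
        for f in fps:
            index[f].add(ip)
    return dict(index)


def locate_hidden_service(index, onion_fps):
    """Algorithm 4: S = intersection of the posting lists of every f in F.
    Intersecting from the smallest list keeps the work proportional to the
    rarest fingerprint rather than to a banner shared by millions of hosts."""
    if not onion_fps:
        return set()          # nothing to match on; never return "every host"
    postings = sorted((index.get(f, set()) for f in onion_fps), key=len)
    result = set(postings[0])
    for p in postings[1:]:
        result &= p
        if not result:
            break             # a fingerprint seen on no scanned host: no candidate
    return result


# Constructed <IPv4, C> records. f_nginx is a generic banner shared by many
# hosts, f_cert a certificate shared by a primary and its standby, f_sshkey a
# host key that appears once in the scanned space.
HOST_DB = [
    ("203.0.113.10", {"f_sshkey", "f_cert", "f_nginx"}),
    ("203.0.113.11", {"f_cert", "f_nginx"}),              # standby, same cert
    ("203.0.113.12", {"f_nginx"}),
    ("203.0.113.13", {"f_nginx", "f_other_key"}),
    ("192.0.2.7", {"f_nginx"}),
    ("198.51.100.5", {"f_sshkey", "f_cert", "f_nginx"}),  # inside the blacklist
]
BLACKLIST = ["198.51.100.0/24"]

# Figure 2: the onion exposes 22, 443 and 80 with fingerprints f1, f2, f3.
ONION_F = {"f_sshkey", "f_cert", "f_nginx"}


def demo():
    """Return S1, S2, S3 and their intersection S for the Figure 2 example."""
    index = build_inverted_index(HOST_DB, BLACKLIST)
    s1, s2, s3 = (index[f] for f in ("f_sshkey", "f_cert", "f_nginx"))
    return {"S1": s1, "S2": s2, "S3": s3,
            "S": locate_hidden_service(index, ONION_F)}


if __name__ == "__main__":
    for name, addrs in demo().items():
        print(name, sorted(addrs))
```

Algorithm 3 maps onto the embodiment's Redis cluster as one `SADD <fingerprint> <ip>` per (fingerprint, host) pair, and Algorithm 4 onto a single `SINTER f1 f2 f3`, which likewise intersects starting from the smallest set. Two properties of the strict intersection matter in practice: a fingerprint absent from the index, typically a port that timed out or was filtered during the IPv4 scan, empties S even when the host is present, and a generic fingerprint such as a default nginx banner contributes a posting list of millions, so it narrows S only in combination with a discriminating one such as the SSH host key.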

The above embodiment serves only to illustrate the technical scheme of the invention and not to limit it. Those skilled in the art may modify the technical scheme or replace parts of it with equivalents without departing from the spirit and scope of the invention; the scope of protection of the invention is defined by the claims.

Claims (5)

1. A method for tracing the source of anonymous-network hidden services based on host fingerprints, comprising the steps of:
1) building a host fingerprint database of the global IPv4 address space using an Internet-oriented host fingerprint labelling method, where the fingerprint information of each host is identified by the union of the fingerprint information of all network services running on that host; the Internet-oriented host fingerprint labelling method meaning: for each host, identifying the host's open ports with the Zmap network scanner and extracting the fingerprint information of the network services running on the host;
2) extracting the fingerprint information of the ports opened by an anonymous-network hidden service, where the fingerprint information of each hidden service is identified by the union of the fingerprint information of all ports it opens;
3) matching the hidden-service fingerprint information extracted in step 2) against the host fingerprint database of the global IPv4 address space, thereby tracing the hidden service to its origin.
2. The method of claim 1, characterized in that the fingerprint information of a network service is the hash value of information inherent to that service.
3. The method of claim 1, characterized in that the fingerprint information in steps 1) and 2) includes the fingerprint information of HTTP, HTTPS, SSH, IMAP(S), POP3(S) and Bitcoin network services.
4. The method of claim 1, characterized in that step 3) matches the extracted hidden-service fingerprint information against the host fingerprint database of the global IPv4 address space using a fast fingerprint query method based on an inverted index.
5. The method of claim 4, characterized in that the fast fingerprint query method based on an inverted index means: from the fingerprint information of each host obtained in step 1), building an inverted-index query dictionary with the fingerprint of each network port as key and the hosts as values; looking up each fingerprint of the hidden service extracted in step 2) in that dictionary; and intersecting the query results of all the fingerprints to obtain the set of IPv4 addresses of the hidden service.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710278624.3A CN107276978B (en) 2017-04-25 2017-04-25 Anonymous network hidden-service tracing method based on host fingerprints

Publications (2)

Publication Number Publication Date
CN107276978A CN107276978A (en) 2017-10-20
CN107276978B true CN107276978B (en) 2019-12-03

Family

ID=60074005

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710278624.3A Active CN107276978B (en) 2017-04-25 2017-04-25 Anonymous network hidden-service tracing method based on host fingerprints

Country Status (1)

Country Link
CN (1) CN107276978B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB201802347D0 (en) * 2018-02-13 2018-03-28 Nchain Holdings Ltd Computer-implemented system and method
CN110825950B (en) * 2019-09-25 2022-05-17 中国科学院信息工程研究所 A Metasearch-Based Hidden Service Discovery Method
CN111628993B (en) * 2020-05-26 2022-01-21 中国电子科技集团公司第五十四研究所 Network spoofing defense method and device based on host fingerprint hiding
CN112887329B (en) * 2021-02-24 2022-06-21 北京邮电大学 Hidden service traceability method, device and electronic equipment
CN115242674B (en) * 2022-07-25 2023-08-04 上海交通大学 A hidden service tracking system based on the timing characteristics of Tor protocol
CN115296891B (en) * 2022-08-02 2023-12-22 中国电子科技集团公司信息科学研究院 Data detection system and data detection method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101252592A (en) * 2008-04-14 2008-08-27 信息产业部电信传输研究所 Method and system for tracing network source of IP network
CN102045163A (en) * 2009-10-15 2011-05-04 中兴通讯股份有限公司 Source-tracing method and system for anonymous communication
CN105430109A (en) * 2015-10-30 2016-03-23 电子科技大学 A search method for Internet data center IP address based on traffic behavior
CN105915505A (en) * 2016-03-31 2016-08-31 中国科学院信息工程研究所 Anonymous network user traceability method based on TCP/IP side channel
CN106506274A (en) * 2016-11-08 2017-03-15 东北大学秦皇岛分校 A dynamically scalable and efficient single-packet traceability method

Also Published As

Publication number Publication date
CN107276978A (en) 2017-10-20

Similar Documents

Publication Publication Date Title
CN107276978B (en) Anonymous network hidden-service tracing method based on host fingerprints
Vinayakumar et al. Scalable framework for cyber threat situational awareness based on domain name systems data analysis
US10375102B2 (en) Malicious web site address prompt method and router
Chen et al. DNS covert channel detection method using the LSTM model
US9923913B2 (en) System and method for malware detection learning
Yu et al. Modeling malicious activities in cyber space
US10642906B2 (en) Detection of coordinated cyber-attacks
Yu et al. A feasible IP traceback framework through dynamic deterministic packet marking
CN106603519A (en) SSL/TLS encrypted malicious service discovery method based on certificate characteristic generalization and server change behavior
CN106559382A (en) Protection system of security gateway access control method based on OPC agreements
US8572366B1 (en) Authenticating clients
CN108632221B (en) Method, equipment and system for positioning controlled host in intranet
Kheir Behavioral classification and detection of malware through http user agent anomalies
Zhang et al. Systematic mining of associated server herds for malware campaign discovery
Zhong et al. Stealthy malware traffic-not as innocent as it looks
US20240323223A1 (en) Detecting visual similarity between dns fully qualified domain names
US8910281B1 (en) Identifying malware sources using phishing kit templates
Choi et al. Understanding the proxy ecosystem: A comparative analysis of residential and open proxies on the internet
Gamundani et al. A review of new trends in cyber attacks: A zoom into distributed database systems
Xu et al. Obfuscated tor traffic identification based on sliding window
TW202009767A (en) Gateway apparatus, detecting method of malicious domain and hacked host, and non-transitory computer readable medium thereof
Williams et al. Security aspects of internet of things–a survey
Zheng et al. Detecting malicious tls network traffic based on communication channel features
TW201902174A (en) Malicious domain detection method combining domain intelligence information and network traffic comprising a cyber threat intelligence sharing platform to store the detected threat intelligence for sharing
CN207442908U (en) A network identity authentication device and a login device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant