Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

Huang Xiaobo,Pan Xuezeng

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.07.059

2007-01-01

Abstract:An algorithm based on SNMP and ICMP to discover topology structure of network and the method of visualizing them are introduced.The experience gained from development is summarized.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

LAI Hai-ming,ZHANG Jian-zhong

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.09.009

2007-01-01

Abstract:Current network deception technologies are analyzed and compared.On the basis of adopting network/host copy scheme,a kind of data captured method based on Linux dynamic process shared library injection is proposed.This system is divided into deception client and server.The client is responsible for capturing and sending data;the server will store and display them either on command line or on graphic UI.This system also adopts some technologies such as communications between user space and kernel space,sending package from kernel mode,kernel module hiding,etc.

蒋卫华,李伟华,杜君

DOI: https://doi.org/10.3969/j.issn.1000-2758.2002.04.008

2002-01-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:IP (Internet Protocol) spoofing was first introduced in 1985. By IP spoofing and TCP (Transport Control Protocol) sequence number prediction, hackers can gain unauthorized access to remote machines. The existing firewalls and IDS (Intrusion Detection System) cannot solve the problem completely. In this paper, we first introduce the principles, methods, and tools of IP spoofing. Then through the tests on our local area network, we analyze the technical features and approaches of IP spoofing attacks, and provide the countermeasures to reduce the possibility of such attacks, including the configuration of boundary routers, the adoption of encrypted protocols, and the building of intelligent pattern matching strategies. These methods can effectively detect and prevent prevalent IP spoofing attacks.

MA Xiao-bo,YANG Guo-lin,MA Zhi-qiang,ZHUANG Xu-fei

2011-01-01

Microprocessors

Abstract:Network topology discovery is important for the modern network management,analysis of performance and localization of fault.According to the characteristics of actual heterogeneous network,after the analysis of the existing algorithm based on MAC address forwarding table,submits a new algorithm of physical topology discovery in heterogeneous IP network depended on SNMP protocol,the algorithm can discover physical layer topology in a efficient,accurate and complete way,which can be applied to discover not only the managed devices,but also the non-managed dumb devices(e.g.HUBs).

NIU Yong,ZHANG Xin-jia

DOI: https://doi.org/10.3969/j.issn.1671-1815.2007.14.064

2007-01-01

Abstract:Seveval kinds of communication ways used by backdoor in recent years is analyzed. Then a more concealed backdoor communication way is designed. The method has more penetrating force.It based on fake DNS and sniffer. Here,Fake DNS is a newly created communication method. At last, this communication methord is validated in lab.

WANG Guo-hao,CHEN Wen-zhi,SHI Jiao-ying

2005-01-01

Journal of Computer Applications

Abstract:A hot standby high available system based on Linux was introduced. It used IP address takeover to guarantee the smooth swift between the host system and the backup system when the network was failed.

王轶骏,薛质,李建华

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.18.003

2004-01-01

Abstract:Remote OS detection is an important technique in information network system security, because it closed links with security holes. This paper presents the remote OS detection based on TCP/IP stack fingerprinting, and gives emphasis on describing and analyzing two newl implemening techniques: fingerprinting via RTO sampling and fingerprinting via ICMP responses.

SHI Yan,JIANG Dongxing,FENG Ke,LI Wei

DOI: https://doi.org/10.3321/j.issn:1000-0054.1999.04.034

1999-01-01

Abstract:IP address embezzlement is a universal problem in TCP/IP network, especially in CERNET. This paper first analyzed the way of IP address embezzlement, provided relevant ways in different level of TCP/IP protocol to prevent it, and emphasized in a new resolution and its implementation. The new way can make use of information in data link level, IP level and application level of TCP/IP network. It can use some measures to avoid IP address embezzlement, such as ARP truncation, static routing, packet filtration and user register. By system running, the way can solve the problem of IP address embezzlement in campus network.

Wang Jilong,Sun Mingmin

2012-01-01

China Communications

Abstract:In order to discover more detailed topology information of a certain network, a lightweight approach is proposed, in which only one probe source is required. In this approach, a heuristic method in using the "traceroute" tool is introduced to collect more topology pieces. Based on those traces, subnets (or point-to-point links) in the backbone can be identified. With those identified information, a set of rules is developed to resolve router IP aliases. Experiments with both this approach and existing topology discovery methods are carried out on two real networks, i.e., TUNET, the Tsinghua University campus network, and CERNET (AS4538), the third largest ISP network of China. According to the comparison, the approach in this paper can get much higher quality information about IP addresses, links, and routers. In conclusion, a more complete and accurate topology can be gained with this approach.

ZHAO Xin,CHEN Dao-xu,XIE Li

2000-01-01

Journal of Software

Abstract:There is a kind of active attack based on TCP over the Internet, which is called IP Hijack. This kind of attack is different from the passive attack based on network sniffing. It can bypass the protection of system password and S/KEY, and get full control of the link between two end points. This can cause great harm to the network system. In this paper, the principle of this kind of attack is analyzed, the attack detecting technology and the protecting measures against IP Hijack are also given.

Huaping Hu

2007-01-01

Abstract:Operating system detection is an important research aspect in network security. This information is useful for security analysis, and can also be used for the basis of network attacks. According to the shortcomings of the existing OS detection tools, based on the deep research of the structure of TCP packets, a method through TCP packets alteration is put forward, and the OS detection based on this method is implemented. The system can detect the host directly, and analyze the basic information such as OS types,and open services.

LI Zizhu,NI Chunsheng,WANG Jilong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.02.037

2006-01-01

Abstract:Traditional topology discovering algorithms are based on SNMP, which is restricted by deployment and authorization. This paper discusses the architecture and some key techniques in constructing a topology discovering system based on ICMP. This system is developed targeted at campus network. The results of experimentation are presented on a map. It shows that the methods and discovery principles taken by the topology discovering system are feasible and general.

Feng Yan,Shufen Liu

DOI: https://doi.org/10.1109/sws.2011.6101289

2011-01-01

Abstract:With the growing number of domestic and international computer crime, remote monitoring for suspicious computers is becoming an important means to prevent computer crime and computer forensics. At the same time, remote monitoring technology plays an important role in information confrontation and cyber warfare of military. Such remote monitoring program must not be found by security defense or network monitoring software run on monitored computer, and then hide operation and communication. Hiding technology for remote monitoring is discussed in depth and implemented in this paper. The security defense soft- ware run on monitored computer captures the user access to sensitive information by intercepting system calls. In windows operating system, the interception is achieved by replacing system function entry addresses in SSDT (system service dispatch table) with own function addresses. In order not to be found by security defense program, remote monitoring must first recover function entry addresses in SSDT before it accesses to sensitive resources. This paper provides the method of SSDT recovering which recalculates and recovers the original addresses in function entry address table. The security defense software can capture network packets on the TDI(Transport Driver Interface) layer and NDIS(Network Driver Interface Specification) layer so as to monitor communication. To enable the communication between the monitored computer and the monitoring computer not to be found, it is necessary to penetrate through monitoring on TDI layer and the NDIS layer. This paper describes windows network architecture and network packet disposal process on NDIS and TDI layer, analyses the theory of security defense software capturing network communication, and puts forward the method for penetrating through the network monitoring on NDIS layer and TDI layer.

Xiaorong Lu,Liusheng Huang,Wei Yang,Yao Shen

DOI: https://doi.org/10.1109/uic-atc-scalcom-cbdcom-iop-smartworld.2016.0060

2016-01-01

Abstract:Covert channel in network protocols has been an area absorbing great interests for many years in secret transmission. Recently, covert channels based on packet length have become a new preference among researchers in this field because of their excellent performance in simulating statistical features of network packets in real world. However, few approaches which can embed secret information with great security ensured has been worked out by so far. Therefore, in this paper, we analyze the traffic stream of UDP packets, several storage features of data files, then propose a novel network steganography scheme based on IP address, UDP packet length in order to overcome the drawbacks of existing schemes. A comprehensive set of corresponding experiment results show that the proposed covert channel follows the normal traffic statistical features well, thus ensures more security than that of the existing algorithms.

DONG Cheng-gen,WU Jin-pei,ZHANG Qi-shan

DOI: https://doi.org/10.3969/j.issn.1004-373x.2011.11.015

2011-01-01

Abstract:With the operator′s business gradually IP,the IP network management should be paid more and more attention,IP network topology discovery is the basis of IP network management.For carrying on the IP network topology discovery completely and accurately,using the SNMP topology discovery as nodes and three techniques to a combination of SNMP and ICMP as a technical layer topology discovery,based on the experimental verification of the operator′s current network,all nodes and links can be found 100%,this method can completely and accurately discover IP network topology.

KANG Zhi-ping,XIANG Hong,HU Hai-bo

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.14.017

2007-01-01

Abstract:Rootkit is a collection of tools that allows a hacker to provide a backdoor into a system,collect information on other systems on the network,mask the fact that the system is compromised,and much more.It makes more damage to computer information resources in the network,compared with the usual Trojan horse.Researching Rootkit is significant to defend Trojan horse attacking,reduce the loss of network,and protect the kernel information system.Based on the study of the concealing technology of Rootkit on Windows system,it presents an idea of cooperative concealment between Rootkit's components,and also gives its formal model.Finally,a Rootkit prototype on the windows is proposed.The experiment shows that it owns a satisfied concealing,and can avoid most of current real-time detection.

SHE Hua-jun,JIANG Kai-da,HUANG Bao-qing

DOI: https://doi.org/10.3321/j.issn:0438-0479.2007.z2.017

2007-01-01

Abstract:We monitor the three-way handshake states of the net flow at the boundary of campus network and intervene the TCP sessions of the users who have network security problems.We achieve this goal by using TCP hijack,and construct the TCP packets elaborately and send them to client computer who is on the blacklist.Through this way we can redirect all HTTP requests to the network security alarm webpage of Computer Emergency Response Team of Shanghai Jiao Tong University or we can break off the TCP connection immediately if the destination port is not 80.This research gives a new way of building an effective network security warning system.It will also have a splendid future on applications of identity authentication and bad webpage filtering.