
CN110535886B - Method, apparatus, system, device and medium for detecting man-in-the-middle attacks - Google Patents


Info

Publication number
CN110535886B
Authority
CN
China
Prior art keywords
man-in-the-middle attack, configuration information, exists, certificate
Prior art date
Legal status
Active
Application number
CN201910939280.5A
Other languages
Chinese (zh)
Other versions
CN110535886A (en)
Inventor
金驰
牟天宇
姚飞宇
周京
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN201910939280.5A
Publication of CN110535886A
Application granted
Publication of CN110535886B
Legal status: Active
Anticipated expiration

Links

Images

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a method for detecting man-in-the-middle attacks that is applied to a terminal device. The method comprises obtaining static configuration information and dynamic configuration information of the terminal device; determining, based on the static and dynamic configuration information, whether the terminal device is at risk of a man-in-the-middle attack; if such a risk exists, establishing a communication connection based on a predetermined identifier and obtaining the returned data; and determining, based on the returned data, whether a man-in-the-middle attack exists. The present disclosure also provides an apparatus, a system, an electronic device and a storage medium for detecting man-in-the-middle attacks.

Description

Method, apparatus, system, device and medium for detecting man-in-the-middle attacks
Technical Field
The present disclosure relates to the field of network security, and in particular, to a method, an apparatus, a system, a device, and a medium for detecting man-in-the-middle attacks.
Background
Man-in-the-middle hijacking of a mobile app belongs to the class of man-in-the-middle hijacking attacks (hereinafter man-in-the-middle attacks). The technique captures the data requests and connection requests that a mobile phone app sends to its back-end server, in order to steal or modify key information in them. For example, when the app sends a customer-information query to the server, the attacker intercepts the request and changes the customer number and card number in the query, thereby retrieving card information that belongs to other customers. The risk is greatest for transactions that move funds, where a payment could be made from another person's account: if the server lacks the necessary verification, or the verification is performed only in the app's front-end code, a man-in-the-middle attack can bypass it and query or tamper with data without authorization. Protecting apps against man-in-the-middle attacks is therefore essential.
In existing systems, protection against man-in-the-middle hijacking of apps relies mainly on certificate-chain verification, root-certificate pinning and similar measures. These are mostly implemented through standard system functions, are themselves unprotected, and are easily bypassed by malicious techniques.
Disclosure of Invention
One aspect of the present disclosure provides a method for detecting man-in-the-middle attacks, which is applied to a terminal device, the method including obtaining static configuration information and dynamic configuration information of the terminal device, determining whether the terminal device has a man-in-the-middle attack risk based on the static configuration information and the dynamic configuration information, if the man-in-the-middle attack risk exists, establishing a communication connection based on a predetermined identifier, obtaining return data, and determining whether the man-in-the-middle attack exists based on the return data.
Optionally, the static configuration information includes the super-administrator (root) privilege state and local certificate information, the dynamic configuration information includes proxy configuration information, and determining whether the terminal device is at risk of a man-in-the-middle attack based on the static and dynamic configuration information includes at least one of: if the user has obtained super-administrator privileges, determining that a man-in-the-middle attack risk exists; if a proxy is configured, determining that a man-in-the-middle attack risk exists; and if an insecure certificate is found among the local certificates, determining that a man-in-the-middle attack risk exists.
Optionally, the determining whether the man-in-the-middle attack exists based on the return data includes verifying a root certificate, a certificate chain, and certificate information based on the return data, and determining that the man-in-the-middle attack exists if any one of the root certificate, the certificate chain, and the certificate information is not trusted.
Optionally, the method further comprises, in the event that it is determined that a man-in-the-middle attack is present, ending the application process.
Optionally, the method further includes obtaining identification information of the terminal device, where the identification information includes device fingerprint information, and reporting a man-in-the-middle attack condition to a backend server based on the identification information when it is determined that the man-in-the-middle attack exists.
Optionally, the obtaining of the dynamic configuration information of the terminal device includes periodically collecting the dynamic information of the terminal device, and the method further includes, in response to receiving a control instruction from a background server, changing a frequency of collecting the dynamic information.
Another aspect of the present disclosure provides a system for detecting man-in-the-middle attacks, including a static configuration information collecting module, a risk monitoring module, a man-in-the-middle attack identifying module, and a monitoring result processing module. The static configuration information collecting module obtains the static configuration information of the terminal device and the fingerprint information of the terminal device. The risk monitoring module obtains the dynamic configuration information of the terminal device and determines, based on the static and dynamic configuration information, whether a man-in-the-middle attack risk exists. The man-in-the-middle attack identifying module, when such a risk exists, establishes a communication connection based on a predetermined identifier, obtains the returned data, and determines from it whether a man-in-the-middle attack exists. The monitoring result processing module, when a man-in-the-middle attack exists, reports the attack situation to the background server together with the fingerprint information.
Another aspect of the disclosure provides an apparatus for detecting a man-in-the-middle attack, comprising a first obtaining module, a first determining module, a second obtaining module, and a second determining module. The first obtaining module obtains the static configuration information and dynamic configuration information of the terminal device. The first determining module determines, based on the static and dynamic configuration information, whether the terminal device is at risk of a man-in-the-middle attack. The second obtaining module, if such a risk exists, establishes a communication connection based on the predetermined identifier and obtains the returned data. The second determining module determines, based on the returned data, whether a man-in-the-middle attack exists.
Another aspect of the present disclosure provides an electronic device comprising a processor and a memory, the memory having stored thereon computer-readable instructions, which, when executed by the processor, cause the processor to perform the above-mentioned method.
Another aspect of the disclosure provides a computer-readable storage medium having computer-readable instructions stored thereon, which, when executed by a processor, cause the processor to perform the method as described above.
By checking the running state of the mobile phone and collecting the related data, the method of the embodiments of the disclosure identifies and exposes man-in-the-middle hijacking, protects the information security of the app system, addresses the insufficient robustness of existing checks through combined collection of static and dynamic data, and prevents an attacker from bypassing the check through simple parameter modification.
Drawings
Fig. 1 schematically shows a schematic diagram of an application scenario of a method for detecting a man-in-the-middle attack according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of a method for detecting man-in-the-middle attacks in accordance with an embodiment of the present disclosure;
FIG. 3 schematically illustrates a block diagram of a system for detecting man-in-the-middle attacks, in accordance with an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow diagram of a method for detecting a man-in-the-middle attack, according to another embodiment of the present disclosure;
FIG. 5 schematically illustrates a block diagram of an apparatus for detecting man-in-the-middle attacks in accordance with an embodiment of the disclosure; and
fig. 6 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
Some block diagrams and/or flowcharts are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, which execute via the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks. The techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of this disclosure may take the form of a computer program product on a computer-readable storage medium having instructions stored thereon for use by or in connection with an instruction execution system.
The embodiment of the disclosure provides a method for detecting man-in-the-middle attack, which is applied to a terminal device and comprises the steps of obtaining static configuration information and dynamic configuration information of the terminal device, determining whether the terminal device has man-in-the-middle attack risk or not based on the static configuration information and the dynamic configuration information, if the man-in-the-middle attack risk exists, establishing communication connection based on a preset identifier, obtaining return data, and determining whether the man-in-the-middle attack exists or not based on the return data.
Fig. 1 schematically shows a schematic diagram of an application scenario of a method for detecting a man-in-the-middle attack according to an embodiment of the present disclosure.
As shown in fig. 1, the scenario includes a user terminal device such as a user's mobile phone 101, an application server 104 and a background server 105. Besides its normal business code, the mobile phone APP 102 also contains a man-in-the-middle attack monitoring system 103. The method of the embodiments of the present disclosure may be executed by the terminal device, for example by the man-in-the-middle attack monitoring system 103 embedded in the APP.
FIG. 2 schematically shows a flow diagram of a method for detecting man-in-the-middle attacks according to an embodiment of the disclosure.
As shown in fig. 2, the method includes operations S210 to S240.
In operation S210, static configuration information and dynamic configuration information of the terminal device are obtained.
According to an embodiment of the present disclosure, the static configuration information includes the super-administrator (root) privilege state and local certificate information, and the dynamic configuration information includes proxy configuration information.
In operation S220, it is determined whether the terminal device is at risk of a man-in-the-middle attack based on the static and dynamic configuration information. For example, if the user has obtained super-administrator privileges, if a proxy is configured, or if an insecure certificate is found among the local certificates, a man-in-the-middle attack risk is determined to exist when at least one of these conditions holds.
In operation S230, if there is a man-in-the-middle attack risk, a communication connection is established based on a predetermined identification, and return data is obtained.
In operation S240, it is determined whether there is a man-in-the-middle attack based on the return data.
According to the embodiment of the present disclosure, the determining whether there is a man-in-the-middle attack based on the return data includes verifying a root certificate, a certificate chain, and certificate information based on the return data, and determining that there is a man-in-the-middle attack if any one of them is not trusted.
According to the embodiment of the disclosure, the method further comprises ending the application program process and controlling the risk in time under the condition that the man-in-the-middle attack is determined to exist.
According to the embodiment of the disclosure, the method further comprises obtaining identification information of the terminal device, wherein the identification information comprises device fingerprint information, and reporting the man-in-the-middle attack condition to a background server based on the identification information under the condition that the man-in-the-middle attack is determined to exist.
According to the embodiment of the present disclosure, the obtaining of the dynamic configuration information of the terminal device includes periodically collecting the dynamic information of the terminal device, and the method further includes changing a frequency of collecting the dynamic information in response to receiving a control instruction from a background server.
The method of the present disclosure is described below with reference to the embodiments illustrated in fig. 3 and 4.
FIG. 3 schematically illustrates a block diagram of a system 300 for detecting man-in-the-middle attacks, in accordance with an embodiment of the present disclosure.
As shown in fig. 3, the system 300 for detecting man-in-the-middle attacks includes a static configuration information collection module 310, a risk monitoring module 320, a man-in-the-middle attack identification module 330, and a monitoring result processing module 340.
The static configuration information collecting module 310 obtains the static configuration information of the terminal device and the fingerprint information of the terminal device, which are subsequently used to help decide whether there is a risk of man-in-the-middle hijacking.
The risk monitoring module 320 obtains the dynamic configuration information of the terminal device and determines, based on the static and dynamic configuration information, whether a man-in-the-middle attack risk exists.
According to an embodiment of the present disclosure, after receiving the result provided by the static configuration information collecting module 310, the risk monitoring module 320 runs periodically in a loop: it collects the dynamic information on the mobile phone and, together with the static configuration information already obtained, applies preset rules to determine whether the current mobile phone and the protected application are at risk of a man-in-the-middle attack. If the overall system environment is judged safe, no further operation is performed; if the mobile phone system and the application are judged possibly under man-in-the-middle attack, the man-in-the-middle attack identifying module 330 is invoked.
According to an embodiment of the present disclosure, to improve accuracy the monitoring rules can be updated from the management system of the background server. To limit the impact of the monitoring module on system performance, the management system can also configure the frequency of the periodic check, and the module can raise the check frequency for mobile terminals that have already been attacked by a man-in-the-middle.
The man-in-the-middle attack identifying module 330 is configured to, when a man-in-the-middle attack risk exists, establish a communication connection based on a predetermined identifier, obtain the returned data, and determine from it whether a man-in-the-middle attack exists.
Once started, the man-in-the-middle attack identifying module launches an HTTPS connection on behalf of the application, analyses the security of that connection, collects the connected site's information, certificate information, cipher suite and other details, combines this with the static configuration information, and judges in real time whether the operating system and the application are currently subject to a man-in-the-middle attack. If an attack is found, the related information is sent to the monitoring result processing module 340 and the result is fed back to the risk monitoring module 320 so that the detection frequency can be adjusted. If no attack is found, the flow ends.
The monitoring result processing module 340 reports the man-in-the-middle attack situation, together with the fingerprint information, to the background server when a man-in-the-middle attack exists.
According to an embodiment of the present disclosure, the management system of the background server may include, for example, a data receiving module, an information analysis and presentation module, an alarm module and a configuration management module. The data receiving module receives and stores the various kinds of data uploaded by the monitoring result processing module 340. The information analysis and presentation module reads the stored data and produces statistics, such as the total number of man-in-the-middle attacks discovered, the number of attacks per IP address and per device, and the distribution of attacked apps, and displays the results in a UI. When the attack count reaches the threshold set in the alarm rules, the alarm module notifies users by e-mail, SMS and website notification. The configuration management module configures and adjusts the decision rules, alarm thresholds and similar settings.
FIG. 4 schematically shows a flow diagram of a method for detecting man-in-the-middle attacks, in accordance with an embodiment of the present disclosure.
As shown in FIG. 4, the method includes steps 1201-1215.
In step 1201, the user opens the application normally, and the man-in-the-middle attack monitoring system is loaded into the application;
in step 1202, the static configuration collecting module 310 extracts the device fingerprint of the mobile phone, which uniquely identifies the device so that man-in-the-middle attack statistics can later be presented per device;
in step 1203, the static configuration collecting module 310 collects the static configuration of the mobile phone and of the application for subsequent risk analysis;
in step 1204, the risk monitoring module 320 periodically collects dynamic information on the phone;
in step 1205, the risk monitoring module 320 analyses the collected static and dynamic configuration to determine whether the current operating system and application are at risk of man-in-the-middle attack, applying the following rules in order:
(1) check whether the device is jailbroken or rooted; if so, a man-in-the-middle attack risk exists;
(2) if neither jailbreak nor root is detected, check whether a proxy is configured; if a proxy is detected, a man-in-the-middle attack risk exists;
(3) if neither jailbreak nor root nor a proxy is detected, inspect the client's local certificates; if an insecure certificate is found, a man-in-the-middle attack risk exists;
(4) if none of these conditions holds, the current state is considered free of man-in-the-middle attack risk.
In step 1206, if the risk monitoring module judges that a risk exists, the man-in-the-middle attack identifying module 330 establishes an HTTPS connection on behalf of the application.
In step 1207, the man-in-the-middle attack identifying module 330 examines the response to the connection established in step 1206 and obtains a series of parameters including the peer's root certificate, the peer's certificate chain and the peer's certificate information, which are judged in the following order:
(1) if the root certificate is not trusted, a man-in-the-middle attack exists;
(2) if the certificate chain is not trusted, a man-in-the-middle attack exists;
(3) if the certificate information is not trusted, a man-in-the-middle attack exists;
(4) if none of the checks finds a problem, no man-in-the-middle attack exists.
In step 1208, if the man-in-the-middle attack identifying module 330 finds a man-in-the-middle attack, it raises an alarm to the application, or may protect the application's data by ending the application process, and at the same time sends what it found to the monitoring result processing module.
In step 1209, the monitoring result processing module 340 receives the exception information submitted by the man-in-the-middle attack identifying module.
In step 1210, the monitoring result processing module 340 uploads the received exception information to the management system of the background server.
In step 1211, the data receiving module of the management system of the background server receives the exception data sent by the monitoring result processing module 340.
In step 1212, the data receiving module stores the received exception messages persistently.
In step 1213, the information analysis and presentation module analyses and summarises the exception messages and generates statistical charts by dimensions such as IP address and device.
In step 1214, the statistical charts generated in step 1213 are displayed in the UI.
In step 1215, the alarm module monitors the exception information and, when an exception metric reaches its threshold, alerts the administrator by e-mail, message and similar means.
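The detection core of steps 1205 to 1207, as an added worked example in Go; this is not code from the patent or from ICBC's implementation. Everything concrete in it is assumed: the host name app.example.test, the certificate names "Bank Root CA" and "Proxy Tool CA", the parameters of assessRisk (the patent names root/jailbreak state, proxy configuration and local certificates only in prose), and the two loopback TLS servers that stand in for the genuine server and for an intercepting proxy. The checks themselves follow the patent's order, root, then chain, then certificate information, with the first failing check naming the verdict.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// assessRisk applies step 1205's ordered rules (root/jailbreak, proxy, user-installed CA); it only gates the probe.
// Its inputs are hypothetical: the patent names these items in prose only.
func assessRisk(rooted bool, proxyHost string, userCAs []string) (bool, string) {
	switch {
	case rooted:
		return true, "device is rooted or jailbroken"
	case proxyHost != "":
		return true, "system proxy configured: " + proxyHost
	case len(userCAs) > 0:
		return true, "user-installed CA in trust store: " + userCAs[0]
	}
	return false, "no man-in-the-middle risk indicators"
}

// fetchPeerChain is step 1206. Verification is disabled on purpose so the interceptor's chain is captured as
// return data and judged by inspectChain, not by system code that a tampered device may have subverted.
func fetchPeerChain(addr string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// inspectChain is step 1207: root, then chain, then certificate information, against one pinned root and the
// expected host name; the first failing check names the verdict.
func inspectChain(chain []*x509.Certificate, pinnedRoot *x509.Certificate, host string, now time.Time) (bool, string) {
	if len(chain) == 0 {
		return true, "peer presented no certificate"
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now})
	if _, unknownRoot := err.(x509.UnknownAuthorityError); unknownRoot {
		return true, "root certificate not trusted: " + err.Error()
	}
	if err != nil {
		return true, "certificate chain not trusted: " + err.Error()
	}
	if err := chain[0].VerifyHostname(host); err != nil {
		return true, "certificate information not trusted: " + err.Error()
	}
	return false, "no man-in-the-middle attack detected"
}

// issue mints fixture certificates (self-signed when parent is nil); a real deployment pins its production root.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// serveTLS runs a loopback listener presenting leaf (genuine server or interceptor) and returns its address.
func serveTLS(leaf *x509.Certificate, key *ecdsa.PrivateKey) string {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}})
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln.Addr().String()
}

func main() {
	const host = "app.example.test" // hypothetical probe endpoint
	bankRoot, bankKey := issue("Bank Root CA", true, nil, nil, nil)
	bankLeaf, bankLeafKey := issue(host, false, []string{host}, bankRoot, bankKey)
	proxyRoot, proxyKey := issue("Proxy Tool CA", true, nil, nil, nil) // CA an intercepting proxy installs on the phone
	proxyLeaf, proxyLeafKey := issue(host, false, []string{host}, proxyRoot, proxyKey)
	fmt.Println(assessRisk(false, "10.0.0.5:8080", []string{"Proxy Tool CA"}))
	for _, addr := range []string{serveTLS(bankLeaf, bankLeafKey), serveTLS(proxyLeaf, proxyLeafKey)} {
		chain, _ := fetchPeerChain(addr) // a failed probe leaves chain empty, which inspectChain flags; report the error separately in a real app
		fmt.Println(inspectChain(chain, bankRoot, host, time.Now()))
	}
}
```

Two design points are worth noting. The probe disables platform verification deliberately: on a rooted phone with a user-installed proxy CA, the system trust store is exactly what the attacker controls, so the app has to judge the returned chain against a root it carries itself rather than against whatever the device trusts. And the order of the three checks determines only the verdict text, not the outcome: any failure means the connection is intercepted, and step 1208 then ends the process and reports the device fingerprint. A practitioner would normally also compare the leaf's public key against a pinned value inside the "certificate information" check; that refinement is not in the patent and is omitted here.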
The method of the embodiments of the disclosure addresses the insufficient robustness of the prior art through combined collection of static and dynamic data, prevents an attacker from bypassing the check through simple parameter modification, and widens the coverage of protection. Once man-in-the-middle hijacking is found, the result is recorded and sent to the background monitoring server, which reduces the risk of the application being hijacked, lets legitimate users keep using the application without interference, and protects the security of system information. Combined with device fingerprinting, the background server aggregates and analyses the attack situation centrally, so that security staff can protect and respond in a targeted way.
Based on the same inventive concept, the embodiment of the present disclosure further provides an apparatus for detecting a man-in-the-middle attack, and the apparatus for detecting a man-in-the-middle attack according to the embodiment of the present disclosure is described below with reference to fig. 5.
Fig. 5 schematically shows a block diagram of an apparatus 500 for detecting man-in-the-middle attacks according to an embodiment of the present disclosure.
As shown in fig. 5, the apparatus 500 for detecting a man-in-the-middle attack includes a first obtaining module 510, a first determining module 520, a second obtaining module 530, and a second determining module 540. The apparatus 500 for detecting man-in-the-middle attacks may perform various methods described above with reference to FIGS. 1-4.
The first obtaining module 510, for example, performs operation S210 described with reference to fig. 2 above, to obtain the static configuration information and the dynamic configuration information of the terminal device.
The first determining module 520, for example, performs operation S220 described with reference to fig. 2 above, and is configured to determine whether the terminal device is at risk of man-in-the-middle attack based on the static configuration information and the dynamic configuration information.
A second obtaining module 530, for example, performs operation S230 described with reference to fig. 2 above, and is configured to establish a communication connection based on the predetermined identifier and obtain the return data if there is a man-in-the-middle attack risk.
The second determining module 540, for example, performs operation S240 described with reference to fig. 2 above, for determining whether there is a man-in-the-middle attack based on the return data.
According to an embodiment of the present disclosure, the static configuration information includes a super administrator authority status and local certificate information, the dynamic configuration information includes agent configuration information, and the first determining module 520 is configured to perform at least one of the following: if the user has obtained the super administrator authority, determining that the man-in-the-middle attack risk exists; if the agent configuration condition exists, determining that the man-in-the-middle attack risk exists; and if an unsafe certificate is found among the local certificates, determining that the man-in-the-middle attack risk exists.
According to the embodiment of the present disclosure, the second determining module 540 is configured to verify a root certificate, a certificate chain, and certificate information based on the returned data, and determine that a man-in-the-middle attack exists if any one of the root certificate, the certificate chain, and the certificate information is not trusted.
According to an embodiment of the present disclosure, the apparatus further includes an end module configured to end the application process in a case where it is determined that the man-in-the-middle attack exists.
According to the embodiment of the present disclosure, the apparatus further includes a reporting module, configured to obtain identification information of the terminal device, and report a man-in-the-middle attack situation to a backend server based on the identification information when it is determined that the man-in-the-middle attack exists, where the identification information includes device fingerprint information.
According to the embodiment of the present disclosure, the first obtaining module 510 is configured to periodically collect dynamic information of the terminal device, and the apparatus further includes a control module configured to change a frequency of collecting the dynamic information in response to receiving a control instruction from the background server.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, a plurality of the first obtaining module 510, the first determining module 520, the second obtaining module 530, the second determining module 540, the ending module, the reporting module, and the control module may be combined and implemented in one module, or any one of the modules may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to the embodiment of the present disclosure, at least one of the first obtaining module 510, the first determining module 520, the second obtaining module 530, the second determining module 540, the ending module, the reporting module, and the controlling module may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three manners of software, hardware, and firmware, or by a suitable combination of any several manners of them. Alternatively, at least one of the first obtaining module 510, the first determining module 520, the second obtaining module 530, the second determining module 540, the ending module, the reporting module and the control module may be at least partially implemented as a computer program module, which, when executed, may perform a corresponding function.
FIG. 6 schematically shows a block diagram of a computer system suitable for implementing the above described method according to an embodiment of the present disclosure. The computer system illustrated in FIG. 6 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure.
As shown in fig. 6, a computer system 600 according to an embodiment of the present disclosure includes a processor 601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. Processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 601 may also include on-board memory for caching purposes. The processor 601 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the present disclosure.
In the RAM 603, various programs and data necessary for the operation of the system 600 are stored. The processor 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. The processor 601 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 602 and/or RAM 603. It is to be noted that the programs may also be stored in one or more memories other than the ROM 602 and RAM 603. The processor 601 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, system 600 may also include an input/output (I/O) interface 605, the input/output (I/O) interface 605 also being connected to bus 604. The system 600 may also include one or more of the following components connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is installed in the storage section 608 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program, when executed by the processor 601, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be embodied in the device/apparatus/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 602 and/or RAM 603 described above and/or one or more memories other than the ROM 602 and RAM 603.
Those skilled in the art will appreciate that various combinations and/or sub-combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or sub-combinations are not expressly recited in the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (9)

1. A method for detecting man-in-the-middle attack, which is applied to a terminal device, comprises the following steps:
obtaining static configuration information and dynamic configuration information of the terminal equipment;
determining whether the terminal equipment has man-in-the-middle attack risk or not based on the static configuration information and the dynamic configuration information;
if the man-in-the-middle attack risk exists, establishing a communication connection based on a predetermined identifier to obtain return data; and
determining whether a man-in-the-middle attack is present based on the return data,
wherein the static configuration information includes a super administrator authority state and local certificate information, the dynamic configuration information includes agent configuration information, and the determining whether the terminal device has man-in-the-middle attack risk based on the static configuration information and the dynamic configuration information includes at least one of the following:
if the user obtains the super administrator authority, determining that the man-in-the-middle attack risk exists;
if the agent configuration condition exists, determining that man-in-the-middle attack risk exists; and
if an unsafe certificate is found among the local certificates, determining that the man-in-the-middle attack risk exists,
wherein the establishing a communication connection based on the predetermined identifier and obtaining the return data comprises: establishing a communication connection based on the predetermined identifier, and obtaining a counterpart root certificate, a counterpart certificate chain and counterpart certificate information,
wherein determining whether a man-in-the-middle attack exists based on the return data comprises:
if the root certificate is not trusted, the man-in-the-middle attack exists;
if the certificate chain is not trusted, the man-in-the-middle attack exists;
if the certificate information is not trusted, the man-in-the-middle attack exists; and
if none of these checks finds a problem, the man-in-the-middle attack does not exist.
2. The method of claim 1, wherein the determining whether a man-in-the-middle attack is present based on the return data comprises:
verifying the root certificate, the certificate chain and the certificate information based on the return data, and determining that a man-in-the-middle attack exists if any one of the root certificate, the certificate chain and the certificate information is not trusted.
3. The method of claim 1, further comprising:
in the event that it is determined that a man-in-the-middle attack is present, the application process is ended.
4. The method of claim 1, further comprising:
acquiring identification information of the terminal equipment, wherein the identification information comprises equipment fingerprint information; and
reporting the man-in-the-middle attack situation to a background server based on the identification information in the case that the man-in-the-middle attack exists.
5. The method of claim 1, wherein obtaining the dynamic configuration information of the terminal device comprises:
periodically collecting the dynamic information of the terminal device,
the method further comprising:
changing the frequency of collecting the dynamic information in response to receiving a control instruction from the background server.
6. An apparatus for detecting man-in-the-middle attack, applied to a terminal device, comprises:
a first obtaining module, configured to obtain static configuration information and dynamic configuration information of the terminal device;
the first determining module is used for determining whether the terminal equipment has man-in-the-middle attack risk or not based on the static configuration information and the dynamic configuration information;
the second obtaining module is used for establishing a communication connection based on the predetermined identifier and obtaining return data if the man-in-the-middle attack risk exists; and
a second determination module to determine whether a man-in-the-middle attack is present based on the return data,
wherein the static configuration information includes a super administrator authority state and local certificate information, the dynamic configuration information includes agent configuration information, and the determining whether the terminal device has man-in-the-middle attack risk based on the static configuration information and the dynamic configuration information includes at least one of the following:
if the user obtains the super administrator authority, determining that the man-in-the-middle attack risk exists;
if the agent configuration condition exists, determining that man-in-the-middle attack risk exists; and
if an unsafe certificate is found among the local certificates, determining that the man-in-the-middle attack risk exists,
wherein the establishing of the communication connection based on the predetermined identifier and the obtaining of the return data comprise: establishing a communication connection based on the predetermined identifier, and obtaining a counterpart root certificate, a counterpart certificate chain and counterpart certificate information,
wherein determining whether a man-in-the-middle attack exists based on the return data comprises:
if the root certificate is not trusted, the man-in-the-middle attack exists;
if the certificate chain is not trusted, the man-in-the-middle attack exists;
if the certificate information is not trusted, the man-in-the-middle attack exists; and
if none of these checks finds a problem, the man-in-the-middle attack does not exist.
7. An electronic device, comprising:
a processor; and
a memory having computer-readable instructions stored thereon that, when executed by the processor, cause the processor to perform the method of any of claims 1-5.
8. A computer readable storage medium having computer readable instructions stored thereon which, when executed by a processor, cause the processor to perform the method of any of claims 1 to 5.
9. A system for detecting man-in-the-middle attacks, comprising:
the static configuration information acquisition module is used for acquiring the static configuration information of the terminal equipment and the fingerprint information of the terminal equipment;
the risk monitoring module is used for acquiring the dynamic configuration information of the terminal equipment and determining whether a man-in-the-middle attack risk exists or not based on the static configuration information and the dynamic configuration information;
the man-in-the-middle attack recognition module is used for establishing a communication connection based on a predetermined identifier in the case that the man-in-the-middle attack risk exists, obtaining return data, and determining whether a man-in-the-middle attack exists based on the return data;
a monitoring result processing module for sending the man-in-the-middle attack condition to the background server based on the fingerprint information under the condition that the man-in-the-middle attack exists,
wherein the static configuration information includes a super administrator authority state and local certificate information, the dynamic configuration information includes agent configuration information, and the determining whether the terminal device has man-in-the-middle attack risk based on the static configuration information and the dynamic configuration information includes at least one of the following:
if the user obtains the super administrator authority, determining that the man-in-the-middle attack risk exists;
if the agent configuration condition exists, determining that man-in-the-middle attack risk exists; and
if an unsafe certificate is found among the local certificates, determining that the man-in-the-middle attack risk exists,
wherein the establishing of the communication connection based on the predetermined identifier and the obtaining of the return data comprise: establishing a communication connection based on the predetermined identifier, and obtaining a counterpart root certificate, a counterpart certificate chain and counterpart certificate information,
wherein determining whether a man-in-the-middle attack exists based on the return data comprises:
if the root certificate is not trusted, the man-in-the-middle attack exists;
if the certificate chain is not trusted, the man-in-the-middle attack exists;
if the certificate information is not trusted, the man-in-the-middle attack exists; and
if none of these checks finds a problem, the man-in-the-middle attack does not exist.
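The two-stage flow described for the apparatus (modules 510 to 540 plus the ending and reporting modules) and restated in claim 1, as an added Python example that is not part of the patent: stage 1 screens the configuration for risk, stage 2 actively verifies the returned root certificate, chain and certificate information only when risk was flagged. The baseline CA set, pinned values, proxy address, device fingerprints and certificate records are constructed sample data; "unsafe certificate" is read here as any CA in the local store outside a baseline set, and "agent configuration" as a proxy setting, which are this example's interpretations, not definitions from the patent.

```python
"""Two-stage man-in-the-middle check following the flow in claim 1: screen
static configuration (super administrator state, local trust store) and dynamic
configuration (proxy) for risk; only if risk exists, connect to the predetermined
endpoint and verify the returned root, chain and leaf info against pinned values.
All certificate material is constructed sample data, not real X.509."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical baseline of platform CA fingerprints; anything else is "unsafe".
BASELINE_CA = {"sha256:platform-root-A", "sha256:platform-root-B"}

@dataclass
class Config:
    """Snapshot of the terminal device's static and dynamic configuration."""
    super_admin: bool            # static: root / jailbreak state
    trust_store: List[Dict]      # static: CA certificates installed locally
    proxy: Optional[str]         # dynamic: system proxy setting, if any

@dataclass
class Pins:                      # expected values for the predetermined endpoint
    root_fingerprints: set
    leaf_subject: str
    leaf_spki: str

@dataclass
class ReturnData:                # what the connection returned
    root: Dict                   # counterpart root certificate
    chain: List[Dict]            # counterpart certificate chain, leaf first
    leaf_info: Dict              # counterpart certificate information

def assess_risk(cfg: Config) -> List[str]:
    """Stage 1: return the risk indicators found (empty list = no risk)."""
    reasons = []
    if cfg.super_admin:
        reasons.append("super administrator authority obtained")
    if cfg.proxy:
        reasons.append("proxy configured: " + cfg.proxy)
    unsafe = [c["subject"] for c in cfg.trust_store
              if c["fingerprint"] not in BASELINE_CA]
    if unsafe:
        reasons.append("unsafe local certificate(s): " + ", ".join(unsafe))
    return reasons

def verify_return_data(data: ReturnData, pins: Pins) -> List[str]:
    """Stage 2: check root, chain and leaf info; return failures (empty = ok)."""
    failures = []
    if data.root["fingerprint"] not in pins.root_fingerprints:
        failures.append("root certificate not trusted")
    # Each issuer must be the next certificate's subject, ending at the root.
    links = zip(data.chain, data.chain[1:] + [data.root])
    if not data.chain or not all(a["issuer"] == b["subject"] for a, b in links):
        failures.append("certificate chain not trusted")
    if (data.leaf_info.get("subject") != pins.leaf_subject
            or data.leaf_info.get("spki") != pins.leaf_spki):
        failures.append("certificate information not trusted")
    return failures

def detect(cfg: Config, fetch: Callable[[], ReturnData], pins: Pins,
           device_fp: str) -> Dict:
    """Full flow: screen, then actively verify only when risk exists."""
    risk = assess_risk(cfg)
    if not risk:
        return {"mitm": False, "risk": [], "action": "continue"}
    failures = verify_return_data(fetch(), pins)
    if failures:   # ending module + reporting module keyed by device fingerprint
        return {"mitm": True, "risk": risk, "action": "end_process",
                "report": {"device_fingerprint": device_fp, "failures": failures}}
    return {"mitm": False, "risk": risk, "action": "continue"}

def demo() -> Dict[str, Dict]:
    """Three constructed scenarios: clean, rooted but genuine, intercepted."""
    pins = Pins({"sha256:platform-root-A"}, "api.example.com", "sha256:spki-ok")
    platform = {"subject": "Platform Root A", "fingerprint": "sha256:platform-root-A"}
    genuine = ReturnData(platform, [{"subject": "api.example.com",
                                     "issuer": "Platform Root A"}],
                         {"subject": "api.example.com", "spki": "sha256:spki-ok"})
    # A locally installed interception CA has re-signed the server certificate.
    mitm_ca = {"subject": "Interception CA", "fingerprint": "sha256:user-added"}
    intercepted = ReturnData(mitm_ca, [{"subject": "api.example.com",
                                        "issuer": "Interception CA"}],
                             {"subject": "api.example.com", "spki": "sha256:spki-mitm"})
    return {
        "clean": detect(Config(False, [platform], None), lambda: genuine, pins, "fp-1"),
        "rooted": detect(Config(True, [platform], None), lambda: genuine, pins, "fp-2"),
        "intercepted": detect(Config(False, [platform, mitm_ca], "10.0.0.5:8080"),
                              lambda: intercepted, pins, "fp-3"),
    }
```

The "rooted" scenario shows the branch the claims end with: risk is flagged, the active check finds no problem, and the application continues.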
CN201910939280.5A 2019-09-30 2019-09-30 Method, apparatus, system, device and medium for detecting man-in-the-middle attacks Active CN110535886B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910939280.5A CN110535886B (en) 2019-09-30 2019-09-30 Method, apparatus, system, device and medium for detecting man-in-the-middle attacks


Publications (2)

Publication Number Publication Date
CN110535886A CN110535886A (en) 2019-12-03
CN110535886B true CN110535886B (en) 2022-09-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant