CN-116155748-B - Network tracing method, system and device
Abstract
The invention relates to the technical field of network security, in particular to a network tracing method, system and device. First TCP SYN message data of the TCP request initiator and second TCP SYN message data of the TCP request receiver are acquired; data information is extracted from the first and second TCP SYN message data to obtain first and second data information; and the first data information is matched with the second data information. Because only the TCP SYN message data of the request sender and the TCP SYN message data of the request receiver are processed, and the data information is extracted from the message data itself, the network topology and the NAT translation performed along the network path need not be considered. This greatly reduces the difficulty and complexity of network tracing and gives a good user experience.
Inventors
- SHU GE
Assignees
- 北京从云科技有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20230223
Claims (10)
- 1. A network tracing method, characterized by comprising the following steps: acquiring first TCP SYN message data of a TCP request initiator and second TCP SYN message data of a TCP request receiver; extracting data information from the first TCP SYN message data to obtain first data information; extracting data information from the second TCP SYN message data to obtain second data information; and matching the first data information with the second data information to obtain the actual IP and actual port of the TCP request initiator and the actual IP and actual port of the TCP request receiver; wherein the first data information comprises at least the TCP sequence number of the TCP SYN message, the second data information comprises at least the TCP sequence number of the TCP SYN message, and matching the first data information with the second data information comprises matching on the TCP sequence number in the first data information and the TCP sequence number in the second data information; and the second TCP SYN message data is the TCP SYN message after address translation by the NAT device.
- 2. The method of claim 1, wherein the first data information further comprises at least an initiator IP, an initiator port, a receiver IP and a receiver port, and the second data information comprises at least a translated initiator IP, a translated initiator port, a receiver IP and a receiver port.
- 3. The method of claim 2, wherein the initiator is an access machine and the receiver is a server.
- 4. The method according to claim 3, wherein matching the first data information with the second data information to obtain the TCP request initiator IP and initiator port and the TCP request receiver IP and receiver port specifically comprises: sending the first data information and the second data information to a network behavior analysis platform to match TCP sequence numbers; and, if the match succeeds, taking the access machine IP and access machine port in the first data information as the actual IP and actual port of the TCP access machine, and taking the server IP and server port in the second data information as the actual IP and actual port of the TCP server.
- 5. The method according to claim 1, wherein before acquiring the first TCP SYN message data of the TCP request initiator and the second TCP SYN message data of the TCP request receiver, the method comprises: establishing the connection between the TCP request initiator and the TCP request receiver according to the TCP protocol.
- 6. The method according to any one of claims 1-5, wherein the second TCP SYN message data is a TCP SYN message after address translation by the NAT device.
- 7. A network tracing apparatus applying the method of any one of claims 1-6, comprising an access machine, a server and a network behavior analysis platform; the access machine comprises a first acquisition plug-in for acquiring first TCP SYN message data of the TCP request initiator; the server comprises a second acquisition plug-in for acquiring second TCP SYN message data of the TCP request receiver; and the network behavior analysis platform matches the data information acquired by the first acquisition plug-in and the second acquisition plug-in to obtain the actual IP and actual port of the TCP request initiator and the actual IP and actual port of the TCP request receiver.
- 8. The apparatus of claim 7, wherein the data acquired by the first acquisition plug-in includes at least an initiator IP, an initiator port, a receiver IP, a receiver port and the TCP sequence number of the TCP SYN message, and the data acquired by the second acquisition plug-in includes at least a translated initiator IP, a translated initiator port, a translated receiver IP, a translated receiver port and the TCP sequence number of the TCP SYN message.
- 9. The apparatus of claim 8, wherein the network behavior analysis platform matching the data information acquired by the first acquisition plug-in and the second acquisition plug-in to obtain the TCP request initiator IP and initiator port and the TCP request receiver IP and receiver port specifically comprises: sending the data information acquired by the first acquisition plug-in and the second acquisition plug-in to the network behavior analysis platform to match TCP sequence numbers; and, if the match succeeds, taking the access machine IP and access machine port acquired by the first acquisition plug-in as the actual IP and actual port of the TCP access machine, and taking the server IP and server port acquired by the second acquisition plug-in as the actual IP and actual port of the TCP server.
- 10. A network tracing system, comprising: an acquisition module for acquiring first TCP SYN message data of a TCP request initiator and second TCP SYN message data of a TCP request receiver; a first extraction module for extracting data information from the first TCP SYN message data to obtain first data information; a second extraction module for extracting data information from the second TCP SYN message data to obtain second data information; and a matching module for matching the first data information with the second data information to obtain the actual IP and actual port of the TCP request initiator and the actual IP and actual port of the TCP request receiver; wherein the first data information comprises at least the TCP sequence number of the TCP SYN message, the second data information comprises at least the TCP sequence number of the TCP SYN message, and matching the first data information with the second data information comprises matching on the TCP sequence number in the first data information and the TCP sequence number in the second data information; and the second TCP SYN message data is the TCP SYN message after address translation by the NAT device.
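As an added illustration (not code from the patent or its applicant), the following Python plays the role of the two acquisition plug-ins and the matching step the claims describe: it extracts initiator IP/port, receiver IP/port and the TCP sequence number from raw IPv4/TCP SYN segments, then joins the access-machine capture with the post-NAT server-side capture on that sequence number. The capture timestamps, the matching window, the packet builder and the sample packets are assumptions of this example; the window and the "ambiguous" result encode the practical caveat that a 32-bit initial sequence number is random but not globally unique, so a collision within the window must be reported rather than attributed to the wrong client.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address


def parse_syn(pkt: bytes):
    """Extract (src_ip, src_port, dst_ip, dst_port, seq) from a raw IPv4/TCP packet.
    Returns None unless it is a pure SYN (SYN set, ACK clear): the first segment of
    a connection, whose sequence number is the ISN that both collectors observe."""
    if (pkt[0] >> 4) != 4 or pkt[9] != 6:          # IPv4 and TCP only
        return None
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length, options included
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    if (pkt[ihl + 13] & 0x12) != 0x02:              # TCP flags byte: SYN set, ACK clear
        return None
    return str(src), sport, str(dst), dport, seq


def build_syn(src, sport, dst, dport, seq, flags=0x02):
    """Constructed test segment: minimal IPv4 + 20-byte TCP header, zero checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def correlate(initiator_caps, receiver_caps, window=2.0):
    """initiator_caps: (timestamp, raw_packet) pairs from the access-machine plug-in;
    receiver_caps: the same from the server-side plug-in, i.e. after NAT.  A receiver
    SYN is matched to the initiator SYN carrying the same ISN captured within `window`
    seconds (window is an assumption of this example).  Because the ISN is random but
    only 32 bits, two candidates inside the window are reported as 'ambiguous'."""
    by_seq = defaultdict(list)
    for ts, pkt in initiator_caps:
        p = parse_syn(pkt)
        if p:
            by_seq[p[4]].append((ts, p))
    results = []
    for ts, pkt in receiver_caps:
        p = parse_syn(pkt)
        if not p:                                    # SYN-ACKs, data segments, non-TCP
            continue
        cands = [c for cts, c in by_seq[p[4]] if abs(cts - ts) <= window]
        if len(cands) != 1:
            results.append({"seq": p[4], "status": "ambiguous" if cands else "unmatched"})
            continue
        c = cands[0]
        results.append({"seq": p[4], "status": "matched",
                        "client_ip": c[0], "client_port": c[1],      # real initiator
                        "nat_ip": p[0], "nat_port": p[1],            # what the server saw
                        "server_ip": p[2], "server_port": p[3]})     # real receiver
    return results
```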
Description
Network tracing method, system and device
Technical Field
The invention relates to the technical field of network security, in particular to a network tracing method, system and device.
Background
Network tracing is a fundamental means of network behavior analysis. It generally comprises two steps:
- 1. The server reports an access log to the network behavior analysis platform; the access log comprises the access machine IP, the access machine port, the server IP and the server port.
- 2. By analysing the access logs, the network behavior analysis platform draws an access relation view centred on the access machine and an access relation view centred on the server, and provides pre-judgement and tracing assistance to the network administrator.
However, Network Address Translation (NAT) causes trouble for network tracing. If there is a NAT device between the access machine and the server, then when the access machine accesses the server the NAT device replaces the access machine IP and access machine port with a new access machine IP and a new access machine port, and when the server reports the access log it reports this new access machine IP and new access machine port, which are not the real information, so network tracing cannot accurately locate the access machine. To solve this problem, the prior art adopts the following method: the NAT device is required to report its NAT translation log to the network behavior analysis platform, and the platform combines the server's access log with the NAT device's translation log to restore the access machine IP and access machine port.
However, this method greatly increases the computational difficulty for the network behavior analysis platform. If several NAT devices exist on the access path, the network behavior analysis becomes more complex still: restoration can only be completed by searching backwards through the NAT devices one by one according to the network topology, so efficiency is low and the user experience is poor.
Disclosure of Invention
In view of the above, the present invention aims to provide a network tracing method, system and device that solve the problems of the prior art: high computational difficulty for the network behavior analysis platform; more complex analysis when several NAT devices exist on the access path, since restoration can only be completed by searching backwards one device at a time according to the network topology; low efficiency; and poor user experience.
According to a first aspect of an embodiment of the present invention, there is provided a network tracing method, including: acquiring first TCP SYN message data of a TCP request initiator and second TCP SYN message data of a TCP request receiver; extracting data information from the first TCP SYN message data to obtain first data information; extracting data information from the second TCP SYN message data to obtain second data information; and matching the first data information with the second data information to obtain the actual IP and actual port of the TCP request initiator and the actual IP and actual port of the TCP request receiver.
Preferably, the first data information comprises at least an initiator IP, an initiator port, a receiver IP, a receiver port and the TCP sequence number of the TCP SYN message; the second data information comprises at least a translated initiator IP, a translated initiator port, a translated receiver IP, a translated receiver port and the TCP sequence number of the TCP SYN message.
Preferably, the initiator is an access machine and the receiver is a server.
Preferably, matching the first data information with the second data information to obtain the TCP request initiator IP and initiator port and the TCP request receiver IP and receiver port specifically comprises: sending the first data information and the second data information to a network behavior analysis platform to match TCP sequence numbers; and, if the match succeeds, taking the access machine IP and access machine port in the first data information as the actual IP and actual port of the TCP access machine, and taking the server IP and server port in the second data information as the actual IP and actual port of the TCP server.
Preferably, before the step of acquiring the first TCP SYN message data of the TCP request initiator and the second TCP SYN message data of the TCP request receiver, the method includes: establishing the connection between the TCP request initiator and the TCP request receiver according to the TCP protocol.
Preferably, the second TCP SYN message data is a TCP SYN message after address translation by the NAT device.
According to a second aspect of an embodiment of the present invention, there is provided a network tracing apparatus, including: an access machine, a server and a network behavior an