CN103997489B - Method and device for recognizing DDoS bot network communication protocol - Google Patents

Method and device for recognizing DDoS bot network communication protocol

Publication number: CN103997489B (granted; earlier publication CN103997489A)
Application number: CN201410196838.2A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 周大, 刘亚
Original assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Legal status: Active
Prior art keywords: attack, message, byte, bot, server

Abstract

The invention belongs to the field of computer network security and in particular concerns a method and device for recognizing the communication protocol of a DDoS botnet. The method acquires the command messages and communication messages exchanged between a bot running on a host and servers; determines, from the acquired communication messages, the attack attribute information of each class of attack in each attack; determines the attack command messages among the acquired command messages according to that attack attribute information; and determines the characteristic information of the attack command messages from the attack command messages and/or the attack attribute information. The technical complexity is low, and early warning of newly emerging C&C protocols can be given in time.

Description

Method and device for recognizing a DDoS botnet communication protocol
Technical field
The present invention relates to the field of computer network security, and in particular to a method and device for recognizing a DDoS botnet communication protocol.
Background technology
A botnet is a one-to-many control network formed between a controller and a large number of hosts infected with a bot (bot program), using one or more communication channels. Attackers who control a botnet usually profit from it through DDoS (distributed denial of service) attacks, theft of bank card passwords, sending of spam, theft of sensitive information and similar means.
To discover botnet-based DDoS attacks early, such attacks are commonly studied with active tracking. Active tracking means impersonating a bot of a given DDoS botnet: the tracker actively connects to the botnet's C&C (command and control) server, receives and parses the instructions the server sends, but does not actually execute them; instead the parsed instructions are saved and exported in log form.
To track a botnet, one must understand its C&C protocol and write a corresponding tracking program that actively connects to the C&C server and can receive, parse and store the instructions sent by the other side. Two methods for automatically parsing a C&C protocol are in common use. The first is emulation based on a virtual machine. Its drawback is that the technique is extremely complex; moreover, because commands are captured by emulating the bot, the execution of the bot sample is slowed while the bot runs and the emulation may be detected by the botnet controller. Its practical feasibility is therefore poor, and it cannot give timely warning of newly emerging C&C protocols.
The second method analyses the C&C communication messages directly (the communication between the bot and the C&C server is called C&C communication here), using statistics and machine learning to analyse the C&C protocol automatically. Its drawback is that it needs a large quantity of C&C communication messages as the basis for machine learning, which is hard to satisfy in practice, so it too cannot give timely warning of newly emerging C&C protocols.
In summary, the prior-art methods for parsing C&C protocols are technically complex, may be detected by the botnet controller, and need a large quantity of C&C communication messages as a machine-learning basis, so they cannot give timely warning of newly emerging C&C protocols.
Summary of the invention
The embodiments of the present invention provide a method and device for recognizing a DDoS botnet communication protocol, in order to solve the problem that the existing technical solutions cannot give timely warning of newly emerging C&C protocols.
The specific technical solution provided by the embodiments of the present invention is as follows:
A method for recognizing a DDoS botnet communication protocol, comprising:
acquiring the command messages and communication messages exchanged between a bot program (bot) running on a host and servers;
determining, from the acquired communication messages, the attack attribute information of each class of attack in each attack;
determining the attack command messages among the acquired command messages according to the attack attribute information of each class of attack in each attack;
determining the attack command message characteristic information according to the attack command messages and the attack attribute information.
Preferably, if no C&C communication has occurred yet and the C&C server has been determined, the messages transmitted between the bot and the C&C server are taken as command messages, and the messages transmitted between the bot and non-C&C servers are taken as communication messages;
if no C&C communication has occurred yet and the C&C server has not been determined, the server with which the bot is currently communicating is taken as the C&C server, the messages transmitted between the bot and that C&C server are taken as command messages, and the messages transmitted between the bot and non-C&C servers are taken as communication messages;
if C&C communication has already occurred, those of the messages currently transmitted between the bot and servers whose destination Internet Protocol (IP) address and destination port are identical to the destination IP address and destination port of the C&C communication messages are taken as command messages, and those whose destination IP address and destination port differ from them are taken as communication messages.
Preferably, according to the attack attribute information of each class of attack in each attack, the command message last received before the attack behaviour starts is determined to be the attack start instruction;
according to the attack attribute information of each class of attack in each attack, the command message last received before the attack behaviour stops is determined to be the attack stop instruction;
and the attack start instruction and the attack stop instruction are taken as the attack command messages.
Preferably, the attack command message characteristic information includes some or all of the following:
the offset and encoding of the message type field;
the offset and encoding of the attack type field;
the offset and encoding of the attack target and port fields;
the offset and encoding of the parameters specific to a particular attack type.
Preferably, the byte content that is identical at the same byte offset in all attack start instruction messages is determined, and that identical byte content together with its byte offset is placed in an attack start set; the byte content that is identical at the same byte offset in all attack stop instruction messages is determined, and that identical byte content together with its byte offset is placed in an attack stop set;
the byte content that differs at the same byte offset between the attack start set and the attack stop set, and the byte count of that differing content, are determined, and the differing byte content, its byte count and its byte offset are taken as the offset of the message type field.
Preferably, the byte content that differs at the same byte offset among all attack start instruction messages is determined, and that differing byte content together with its byte offset is placed in an attack start complement set;
the attack attribute information is classified by attack type, grouping attacks whose type is identical but whose targets differ; for each class of attack, the byte content that is identical at the same byte offset between the attack start instructions of that class and the attack start complement set is determined; the attack type field is determined from that identical byte content; and the attack type field, its byte offset and its byte count are taken as the offset and encoding of the attack type field.
Preferably, the byte offset and byte count of the attack target and port within the attack start instruction are determined, and that byte offset and byte count are taken as the offset and encoding of the attack target and port fields;
the attack target and port include some or all of the following:
destination Internet Protocol (IP) address; destination port; source IP address; source port.
A device for recognizing a DDoS botnet communication protocol provided by an embodiment of the present invention comprises:
a network behaviour capture module, configured to acquire the command messages and communication messages exchanged between a bot running on a host and servers, and to determine, from the acquired communication messages, the attack attribute information of each class of attack in each attack;
an association module, configured to determine the attack command messages among the acquired command messages according to the attack attribute information of each class of attack in each attack, and to determine the attack command message characteristic information according to the attack command messages and the attack attribute information.
Preferably, the network behaviour capture module is specifically configured to: if no C&C communication has occurred yet and the C&C server has been determined, take the messages transmitted between the bot and the C&C server as command messages and the messages transmitted between the bot and non-C&C servers as communication messages;
if no C&C communication has occurred yet and the C&C server has not been determined, take the server with which the bot is currently communicating as the C&C server, take the messages transmitted between the bot and that C&C server as command messages, and take the messages transmitted between the bot and non-C&C servers as communication messages;
if C&C communication has already occurred, take those of the messages currently transmitted between the bot and servers whose destination Internet Protocol (IP) address and destination port are identical to the destination IP address and destination port of the C&C communication messages as command messages, and those whose destination IP address and destination port differ from them as communication messages.
Preferably, the network behaviour capture module is specifically configured to: according to the acquired communication messages, determine that an attack is taking place when the number of specific communication messages sent by the bot within a set duration exceeds a threshold, and, after the attack has ended, determine the message attribute parameters of the specific communication messages from the specific communication messages acquired during the attack, where a specific communication message is a communication message among the acquired communication messages whose source Internet Protocol (IP) address is not the IP address of the host currently running the bot;
and determine the attack attribute information of each class of attack in each attack according to the message attribute parameters of the specific communication messages.
Preferably, the association module is specifically configured to: according to the attack attribute information of each class of attack in each attack, determine the command message last received before the attack behaviour starts to be the attack start instruction;
according to the attack attribute information of each class of attack in each attack, determine the command message last received before the attack behaviour stops to be the attack stop instruction;
and take the attack start instruction and the attack stop instruction as the attack command messages.
Preferably, the attack command message characteristic information includes some or all of the following:
the offset and encoding of the message type field; the offset and encoding of the attack type field; the offset and encoding of the attack target and port fields; the offset and encoding of the parameters specific to a particular attack type.
Preferably, the association module is specifically configured to: determine the byte content that is identical at the same byte offset in all attack start instruction messages, and place that identical byte content together with its byte offset in an attack start set; determine the byte content that is identical at the same byte offset in all attack stop instruction messages, and place that identical byte content together with its byte offset in an attack stop set;
determine the byte content that differs at the same byte offset between the attack start set and the attack stop set, and the byte count of that differing content, and take the differing byte content, its byte count and its byte offset as the offset of the message type field.
Preferably, the association module is specifically configured to: determine the byte content that differs at the same byte offset among all attack start instruction messages, and place that differing byte content together with its byte offset in an attack start complement set;
classify the attack attribute information by attack type, grouping attacks whose type is identical but whose targets differ; for each class of attack, determine the byte content that is identical at the same byte offset between the attack start instructions of that class and the attack start complement set; determine the attack type field from that identical byte content; and take the attack type field, its byte offset and its byte count as the offset and encoding of the attack type field.
Preferably, the association module is specifically configured to: determine the byte offset and byte count of the attack target and port within the attack start instruction, and take that byte offset and byte count as the offset and encoding of the attack target and port fields;
the attack target and port include some or all of the following:
destination Internet Protocol (IP) address; destination port; source IP address; source port.
In the method provided by the embodiments of the present invention, the network behaviour a bot exhibits is always bound to the C&C instructions it receives: the bot's network behaviour embodies the semantics of the C&C instructions. Understanding the semantics of the C&C instructions can therefore be turned into understanding the bot's network behaviour; by understanding the bot's network behaviour, the semantics of the C&C instructions are understood, and the format characteristics of the C&C command messages can be output. To obtain the bot's network behaviour, the bot is run on a host and its communication with external servers is controlled. When the bot communicates with the C&C server, the command messages are recorded; when the bot communicates with non-C&C servers, the communication messages exchanged with those servers are analysed and those that carry attack behaviour are identified, so that it is confirmed which target is attacked and with what kind of attack. After each attack ends, the attack communication messages are tallied to obtain the attack attribute information of each class of attack in that attack. The attack attribute information of each class of attack is then used to determine the attack command messages among the command messages; the attack command messages are associated with the attack attribute information, the different attack command messages are analysed differentially to find their characteristics, and a description of the characteristics of the command message format is output.
Brief description of the drawings
Fig. 1 is a flow chart of the method for recognizing a DDoS botnet communication protocol provided by embodiment one of the present invention;
Fig. 2 is a flow chart of the method for acquiring command messages and communication messages provided by embodiment two of the present invention;
Fig. 3 is a structural diagram of the device for recognizing a DDoS botnet communication protocol provided by embodiment three of the present invention.
Detailed description
The embodiments of the present invention provide a method and device for recognizing a DDoS botnet communication protocol. The command messages and communication messages exchanged between the bot and external servers are acquired; the specific communication messages in the communication messages that carry attack behaviour are tallied to obtain the attack attribute information of each class of attack message; the attack command messages among the command messages are confirmed from that attack attribute information; and the attack command messages are associated with the attack attribute information of each class of attack message, so that a description of the characteristics of the command message format is obtained.
The embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
As shown in Fig. 1, the method for recognizing a DDoS botnet communication protocol provided by embodiment one of the present invention includes:
Step 101: acquire the command messages and communication messages exchanged between a bot program (bot) running on a host and servers;
Step 102: determine, from the acquired communication messages, the attack attribute information in each attack;
Step 103: determine the attack command messages among the acquired command messages according to the attack attribute information of each class of attack in each attack;
Step 104: determine the attack command message characteristic information according to the attack command messages and/or the attack attribute information.
While acquiring the command messages and communication messages exchanged between the bot program running on the host and servers, a large number of messages are obtained, some of which are normal messages that need not be recorded. To reduce the number of useless messages acquired, a whitelist can be configured: server addresses are pre-configured in the whitelist, for example the domain names of sites such as Google, Sohu and Sina, ensuring that the bot can reach them before C&C communication starts. As long as no communication between the bot and the C&C server has been detected, communication messages between the bot and servers on the whitelist are let through directly, and the fact that they were let through is logged. The number of server addresses in the whitelist is configurable and may be zero; typically around 500 addresses of commonly used normal websites are pre-configured.
To control the bot's communication behaviour better, the bot can be run in a virtual machine so that it cannot communicate with external servers at will. This has a major advantage: after the bot receives an attack command, its communication can be controlled and it is not allowed to send attack messages externally, which reduces the loss suffered by victims. The acquired messages are of two kinds, command messages and communication messages. While acquiring messages, whether a message transmitted between the bot and a server should be classified as a command message or a communication message can be decided according to pre-set conditions.
Preferably, acquiring the command messages and communication messages exchanged between the bot program (bot) running on the host and servers includes:
if no C&C communication has occurred yet and the C&C server has been determined, taking the messages transmitted between the bot and the C&C server as command messages, and the messages transmitted between the bot and non-C&C servers as communication messages;
if no C&C communication has occurred yet and the C&C server has not been determined, taking the server with which the bot is currently communicating as the C&C server, taking the messages transmitted between the bot and that C&C server as command messages, and taking the messages transmitted between the bot and non-C&C servers as communication messages;
if C&C communication has already occurred, taking those of the messages currently transmitted between the bot and servers whose destination Internet Protocol (IP) address and destination port are identical to the destination IP address and destination port of the C&C communication messages as command messages, and those whose destination IP address and destination port differ from them as communication messages.
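The three sorting rules above, together with the whitelist handling described earlier, as an added Python example (this is illustrative code written for this page, not code from the patent or from NSFOCUS). The bot address, the whitelist entry and the packet sequence are constructed; the packet direction is taken from the capture point, so a forged source address on attack traffic does not affect the sorting. The patent compares the destination IP and port of bot-to-server traffic; the example applies the same test to the server-side endpoint of the flow so that replies from the C&C server are also counted as command messages, which is an assumption of the example.

```python
from dataclasses import dataclass

# Constructed sample values (assumptions for this example, not from the patent).
BOT_IP = "192.0.2.10"                  # host running the bot sample
WHITELIST = {"93.184.216.34"}          # pre-configured "normal" site addresses


@dataclass(frozen=True)
class Packet:
    ts: int            # capture time, milliseconds
    outbound: bool     # True when the bot host sent it (known from the capture point,
                       # so a forged source IP on attack traffic does not matter here)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def remote(self):
        """Server-side (ip, port) of the flow. The patent compares the destination IP and
        port of bot->server traffic; using the remote endpoint applies the same test to
        the server->bot direction too (assumption of this example)."""
        return (self.dst_ip, self.dst_port) if self.outbound else (self.src_ip, self.src_port)


class MessageSorter:
    """Splits captured packets into command messages and communication messages."""

    def __init__(self, cc_server=None, whitelist=WHITELIST):
        self.cc_server = cc_server      # (ip, port) if known in advance, else None
        self.cc_seen = False            # True once C&C communication has occurred
        self.whitelist = whitelist
        self.command, self.communication, self.passed = [], [], []

    def sort(self, pkt):
        remote = pkt.remote()
        if not self.cc_seen:
            # Before any C&C traffic, whitelisted sites are let through and only logged.
            if remote[0] in self.whitelist:
                self.passed.append(pkt)
                return "whitelist"
            # C&C server unknown: the server the bot talks to now is taken as the C&C.
            if self.cc_server is None:
                self.cc_server = remote
        if remote == self.cc_server:
            self.cc_seen = True
            self.command.append(pkt)
            return "command"
        # Everything else, including whitelisted sites once C&C has started, is a
        # communication message and goes on to the attack-behaviour analysis.
        self.communication.append(pkt)
        return "communication"


def sort_capture(packets, cc_server=None):
    """Apply the rules to a packet sequence; returns (labels, sorter)."""
    sorter = MessageSorter(cc_server)
    return [sorter.sort(p) for p in packets], sorter


# Constructed capture: a whitelisted lookup, a C&C exchange with 203.0.113.5:8080,
# forged-source traffic towards 198.51.100.20, then the whitelisted site again.
SAMPLE = [
    Packet(1000, True, BOT_IP, 51000, "93.184.216.34", 80),
    Packet(1200, True, BOT_IP, 51001, "203.0.113.5", 8080),
    Packet(1300, False, "203.0.113.5", 8080, BOT_IP, 51001),
    Packet(2000, True, "203.0.113.77", 40000, "198.51.100.20", 80),
    Packet(2010, True, "203.0.113.78", 40001, "198.51.100.20", 80),
    Packet(2500, True, BOT_IP, 51002, "93.184.216.34", 80),
]

if __name__ == "__main__":
    labels, sorter = sort_capture(SAMPLE)
    for p, label in zip(SAMPLE, labels):
        print(f"{p.ts:>5} {'->' if p.outbound else '<-'} {p.remote()}  {label}")
    print("C&C server:", sorter.cc_server)
```

With no C&C server given, the second packet makes 203.0.113.5:8080 the C&C server and later traffic to it is a command message; if the C&C server is passed in as 198.51.100.20:80 instead, the same capture sorts the 203.0.113.5 exchange as communication messages. Note that the "current server becomes C&C" rule is only as good as the whitelist: any non-whitelisted server the sample touches first (an update CDN, a time service) would be mistaken for the C&C server.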
Not every acquired communication message is needed; the embodiments of the present invention need the messages that carry attack behaviour, so the messages with attack behaviour must be picked out from the acquired communication messages.
To filter the specific communication messages carrying attack behaviour out of the acquired communication messages, a DDoS attack behaviour signature library can be used to judge all communication messages. The library contains the signatures of the various known types of DDoS attack, so the specific communication messages carrying attack behaviour can be determined quickly and accurately. Custom rules can also be used to determine the specific communication messages: judgement conditions are set for the characteristics of DDoS attack behaviour, for example whether the source IP address of the messages sent by the bot matches the IP address of the host running the bot, or whether the number of messages sent per unit time exceeds a certain threshold. These are all prior art and are not described further here.
Determining, from the acquired communication messages, the attack attribute information of each class of attack in each attack includes:
according to the acquired communication messages, determining that an attack is taking place when the number of specific communication messages sent by the bot within a set duration exceeds a threshold, and, after the attack has ended, determining the message attribute parameters of the specific communication messages from the specific communication messages acquired during the attack, where a specific communication message is a communication message among the acquired communication messages whose source Internet Protocol (IP) address is not the IP address of the host currently running the bot; and determining the attack attribute information of each class of attack in each attack according to the message attribute parameters of the specific communication messages.
After the communication messages carrying attack behaviour have been determined, attack parameters are extracted from them by attack type after each attack ends.
The attack parameters include, but are not limited to, some or all of the following: the start time of each type of attack, the duration of each type of attack, the attack type, the target IP address, the attacked port, and the source ports and source IP addresses used.
For some special attacks, parameters specific to that attack are also included, such as the universal resource identifier (URI) of an HTTP flood attack or the average packet length of a UDP flood attack. Some or all of the above parameters are summarised, and the summary is taken as the attack attribute information of each class of attack.
Specifically, the attack attribute information includes, but is not limited to, some or all of the following:
the attack stream start time;
the attack stream end time;
the start time of each class of attack;
the duration of each class of attack;
the attack type;
the destination IP address and destination port;
the source port and source IP address;
the universal resource identifier (URI) of an HTTP flood attack;
the average packet length of a UDP flood attack.
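The attack detection and attribute extraction described above (the rate test over "specific" messages, then the per-class summary after the attack ends), as an added Python example written for this page rather than taken from the patent. The bot address, the window and threshold values, the two-rule attack-type classifier that stands in for the signature library, and the packet sample are all constructed. The patent's definition of a specific message (source IP is not the bot host's) only catches attacks that forge their source address; floods that complete a TCP handshake, such as HTTP floods, would need the rate-based custom rule the text also mentions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed values (assumptions for this example, not from the patent).
BOT_IP = "192.0.2.10"     # IP address of the host running the bot
WINDOW_MS = 1000          # the "set duration" of the rate test
THRESHOLD = 5             # more than this many specific messages per window means an attack


@dataclass(frozen=True)
class Packet:
    ts: int          # capture time, milliseconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    tcp_flags: str   # e.g. "S" for a bare SYN; "" for UDP
    length: int      # bytes on the wire


def is_specific(p):
    """The patent's test for a 'specific communication message': the source IP is not
    the bot host's own address, i.e. the bot is forging sources."""
    return p.src_ip != BOT_IP


def attack_kind(p):
    """Two-rule attack-type classifier standing in for the DDoS signature library."""
    if p.proto == "tcp" and p.tcp_flags == "S":
        return "syn_flood"
    if p.proto == "udp":
        return "udp_flood"
    return "other"


def attack_in_progress(pkts, window=WINDOW_MS, threshold=THRESHOLD):
    """True if more than `threshold` specific messages fall inside any `window`."""
    times = sorted(p.ts for p in pkts if is_specific(p))
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:     # slide the window's left edge
            lo += 1
        if hi - lo + 1 > threshold:
            return True
    return False


def attack_attributes(pkts):
    """Summarise the specific messages of one finished attack per class of attack
    (same attack type, destination IP and destination port)."""
    specific = [p for p in pkts if is_specific(p)]
    if not specific:
        return None
    classes = defaultdict(list)
    for p in specific:
        classes[(attack_kind(p), p.dst_ip, p.dst_port)].append(p)
    result = {
        "stream_start": min(p.ts for p in specific),
        "stream_end": max(p.ts for p in specific),
        "classes": [],
    }
    for (kind, dip, dport), ps in sorted(classes.items()):
        times = [p.ts for p in ps]
        cls = {
            "type": kind,
            "dst_ip": dip,
            "dst_port": dport,
            "start": min(times),
            "duration": max(times) - min(times),
            "count": len(ps),
            "src_ips": sorted({p.src_ip for p in ps}),
            "src_ports": sorted({p.src_port for p in ps}),
        }
        if kind == "udp_flood":   # attack-specific parameter from the patent's list
            cls["avg_len"] = sum(p.length for p in ps) / len(ps)
        result["classes"].append(cls)
    return result


def make_sample():
    """Constructed attack: 8 forged-source SYNs to 198.51.100.20:80 and 6 UDP packets
    to 198.51.100.21:53 within one second, plus one normal request from the bot itself."""
    pkts = [Packet(100000, BOT_IP, 51000, "93.184.216.34", 80, "tcp", "S", 60)]
    for i in range(8):
        pkts.append(Packet(100000 + 100 * i, f"203.0.113.{i}", 40000 + i,
                           "198.51.100.20", 80, "tcp", "S", 60))
    for i, ln in enumerate([512, 512, 1024, 1024, 512, 1024]):
        pkts.append(Packet(100150 + 100 * i, f"203.0.113.{50 + i}", 40100 + i,
                           "198.51.100.21", 53, "udp", "", ln))
    return pkts


if __name__ == "__main__":
    sample = make_sample()
    print("attack detected:", attack_in_progress(sample))
    print(attack_attributes(sample))
```

Timestamps are integer milliseconds so that start, end and duration compare exactly; the window test is the patent's threshold rule, and the attribute dictionary mirrors the list above (stream start and end, per-class start, duration, type, destination, sources, and the UDP average length).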
After the bot receives an attack instruction it sends attack messages to the attack target. To prevent the bot from actually attacking the target, these attack messages can be terminated, while the responses the attacked party would make to the attack messages sent by the bot are simulated, so that the monitoring of the bot's communication is not discovered.
The command messages also contain many messages of no interest. The attack command messages among the command messages are therefore determined from the attack attribute information of each class of attack in each attack, which was obtained from the specific communication messages among the communication messages; the attack command messages comprise the attack start instruction and the attack stop instruction.
Preferably, according to the attack attribute information of each class of attack in each attack, the command message last received before the attack behaviour starts is determined to be the attack start instruction; according to the attack attribute information of each class of attack in each attack, the command message last received before the attack behaviour stops is determined to be the attack stop instruction; and the attack start instruction and the attack stop instruction are taken as the attack command messages.
When the command messages are recorded, the time at which each command message was sent or received can be recorded as well. The attack attribute information of each class of attack in each attack, determined from the specific communication messages, can include the attack start time and attack end time; the command message last received before the attack start time can then be determined to be the attack start instruction, and likewise the command message last received before the attack end time is determined to be the attack stop instruction.
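The time-based association above ("last command received before the start", "last command received before the end"), as an added Python example written for this page, not the patent's code. The command log and attack intervals are constructed; the payload bytes are made up. One check a practitioner wants that the text does not mention: when no command arrives between the start and the end, the attack was not stopped by a command (it ran for a fixed duration or was cut off), and the example reports no stop instruction rather than silently reusing the start instruction.

```python
import bisect


def pick_attack_instructions(commands, attacks):
    """commands: (ts_ms, payload) pairs received from the C&C server, sorted by time.
    attacks: dicts with 'start' and 'end' (ms) from the attack attribute information.
    Returns, per attack, (start_instruction, stop_instruction): the last command
    received before the attack start and the last command received before its end.
    If no command arrived between start and end, the stop instruction is None
    instead of a repeat of the start instruction (assumed handling of that edge case)."""
    times = [ts for ts, _ in commands]
    picked = []
    for atk in attacks:
        i = bisect.bisect_right(times, atk["start"]) - 1
        j = bisect.bisect_right(times, atk["end"]) - 1
        start_cmd = commands[i][1] if i >= 0 else None
        stop_cmd = commands[j][1] if j > i else None
        picked.append((start_cmd, stop_cmd))
    return picked


# Constructed command log; payloads are made up. In practice these are the raw C&C
# messages recorded by the capture module together with their receive time.
COMMANDS = [
    (10_000, b"PING"),
    (50_000, b"\x01\x10\x0a\x00\x00\x05\x00\x50"),    # later found to be "start SYN flood"
    (120_000, b"\x02\x10\x0a\x00\x00\x05\x00\x50"),   # later found to be "stop"
    (200_000, b"\x01\x20\x0a\x00\x02\x08\x00\x35"),   # "start UDP flood"; no stop follows
]
# Constructed attack intervals as the attribute extraction would report them.
ATTACKS = [
    {"type": "syn_flood", "start": 55_000, "end": 121_500},
    {"type": "udp_flood", "start": 204_000, "end": 264_000},
]

if __name__ == "__main__":
    for atk, (start_cmd, stop_cmd) in zip(ATTACKS, pick_attack_instructions(COMMANDS, ATTACKS)):
        print(atk["type"], "start:", start_cmd, "stop:", stop_cmd)
```

The rule is only as reliable as the gap between command and effect: a keep-alive or status message received between the real attack command and the first attack packet would be picked instead, so in practice the candidate should be cross-checked against the attack attributes (for example, the target address must appear somewhere in the chosen message, which is what the field analysis further below does).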
Determining the attack command message characteristic information according to the attack command messages and/or the attack attribute information includes:
after the attack attribute information has been obtained, associating it with the command messages, parsing the different command messages differentially and finding their characteristics, thereby obtaining a description of the command message format characteristics.
Preferably, the attack command message characteristic information includes some or all of the following:
the offset and encoding of the message type field; the offset and encoding of the attack type field; the offset and encoding of the attack target and port fields; the offset and encoding of the parameters specific to a particular attack type.
Once the command messages and the attack attribute information of each attack have been obtained, the characteristics of the command messages can be analysed. The specific analysis steps are as follows:
For the message content of all attack start instructions, compare from the first byte to the last byte, find the bytes that are identical, and record each identical byte's content together with its byte offset in the message. The results of comparing the structure of all the messages are tallied, and the byte content, byte count and byte offset in the tally are output in a fixed format, preferably as a list whose entries comprise the offset in the message, the number of bytes in the message and the content in the message; this list is denoted range_list1.
For the message content of all attack stop instructions, likewise compare from the first byte to the last byte, find the identical bytes, and record each identical byte's content together with its byte offset in the message. The results of comparing the structure of all the messages are tallied, and the byte content, byte count and byte offset in the tally are output in a fixed format, preferably as a list whose entries comprise the offset in the message, the number of bytes in the message and the content in the message; this list is denoted range_list2.
range_list1 and range_list2 are matched against each other to find the ranges whose byte offsets are identical but whose byte content differs; this part of the content is taken as the "message type" field. The result is output in a fixed format, preferably as a list whose entries comprise the offset in the message, the number of bytes in the message, the value in the message and the message type; this is recorded as the offset and encoding of the message type field.
It is preferred that determine identical byte content in same byte offset in all attack sign on messages, and will really Fixed identical byte content and corresponding byte offset are divided in attack and start in set, and determine that all attack stoppings refer to Make identical byte content in same byte offset in message, and by the identical byte content determining and corresponding byte offset It is divided in attack Stopping set;
Determine that described attack starts to gather and attack different byte content in same byte offset in Stopping set with described And the byte number of described different byte content, and by the described different byte content determining, described different byte The byte offset of the byte number of appearance and described different byte content is as the skew of type of message field.
To all of message content attacking sign on, from first character section to last byte, find out and differ Part, to obtain result with certain format export, preferably to comprise:Displacement in messages, byte in messages Number and the output of content isoparametric tabular form in messages, are designated as range_list3.
The attack attribute information that the every class obtaining is attacked is according to the point-score of " attack type is identical but target of attack is different " Sorted out, then the attack sign on that every class is attacked search out that byte offset is identical in range_list3 and byte in Hold identical part as common factor, from the common factor of all classification, then find out " attack type " field, to obtain result with Certain format exports, preferably to comprise:Skew in messages, byte number in messages, value in messages and attack The isoparametric tabular form of type exports, and is designated as skew and the coding of attack type field.
It is preferred that determine different byte content in same byte offset in all attack sign on messages, and will be really Fixed different byte content and corresponding byte offset are divided in attack and start in supplementary set;
Will be identical but target of attack difference is sorted out according to attack type for described attack attribute information, determine that every class is attacked Corresponding attack sign on and described attack start identical byte content in same byte offset in supplementary set, from described identical Byte content in determine attack type field, the attack type field that will determine, the byte offset of attack type field with And the byte number of attack type field is as the skew of attack type field and coding.
To all of ddos attack, attack statistics purpose IP, destination interface, source IP, source port etc. sign on from it Appearance situation, to obtain result with certain format export, preferably to comprise:Displacement in messages, in messages Byte number and the isoparametric tabular form of field type in messages output target_list, then to all ddos attacks Target_list list is collected, and is designated as skew and the coding of target of attack and peer-port field.
It is preferred that determining target of attack and port in the described byte offset attacked in sign on and the byte comprising Number, using the described target of attack determining and the byte offset of port and the byte number that comprises is as target of attack and peer-port field Skew and coding;
Described target of attack and port include following partly or entirely:
Purpose internet protocol address;Destination interface;Source internet protocol address;Source port.
To ddos attack known to application layer payload payload form, continue to determine system in attacking sign on Field field in the particular attack type relevant parameter counted, such as uri, http head etc., fixes with one to the result obtaining Formula exports, preferably to comprise:The parameters such as displacement in messages, byte number in messages and field type in messages Tabular form output, be designated as skew and the coding of particular attack type relevant parameter.
Finally by the skew of the type of message field obtaining and coding, the skew of attack type field and coding, attack mesh The skew of the skew of mark and peer-port field and coding and particular attack type relevant parameter and coding are as command message form The description of feature, exports above-mentioned part or all of result.
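The byte-offset comparison above, carried through on constructed data as an added example; this is illustrative code written for this page, not the patent's own implementation. The eleven-byte C&C layout, the six attack records, the labels syn/udp/http and all function names are assumptions. invariant_bytes computes range_list1 and range_list2, message_type_field finds the offsets that are constant in both sets but differ between them, attack_type_field applies the "same attack type, different target" classification to the complement (range_list3), and target_fields locates the target IP and port by searching each start message for their byte encodings. Excluding already-located target bytes before the attack type search is an added refinement that the patent text does not state.

```python
"""Recover command-format fields from attack-start and attack-stop messages by the
byte-offset comparison described above. Added example, not the patent's code; the
C&C byte layout, the attack samples and the function names are assumptions."""
import ipaddress
import struct
from collections import Counter, defaultdict

# Constructed layout (assumption, not a real botnet protocol):
# [0] magic | [1] message type | [2] attack type | [3:7] target IPv4 | [7:9] port | [9:11] duration
def _constructed_cmd(msg_type, attack_type, ip, port, duration):
    return (bytes([0xAB, msg_type, attack_type]) + ipaddress.IPv4Address(ip).packed
            + struct.pack(">HH", port, duration))

# Attack attribute information as derived from the attack traffic (constructed):
# (attack type label, target IP, target port, duration in seconds).
ATTACKS = [
    ("syn", "203.0.113.10", 80, 30), ("syn", "198.51.100.20", 443, 45),
    ("udp", "192.0.2.7", 53, 60), ("udp", "198.51.100.8", 123, 20),
    ("http", "203.0.113.5", 8080, 90), ("http", "198.51.100.66", 80, 300),
]
_CODE = {"syn": 0x10, "udp": 0x20, "http": 0x30}  # ground truth the analysis has to recover
START_MSGS = [_constructed_cmd(0x01, _CODE[t], ip, p, d) for t, ip, p, d in ATTACKS]
STOP_MSGS = [_constructed_cmd(0x02, _CODE[t], ip, p, d) for t, ip, p, d in ATTACKS]

def invariant_bytes(msgs):
    """{offset: byte} for every offset holding the same value in all msgs (range_list1/2)."""
    n = min(len(m) for m in msgs)
    return {i: msgs[0][i] for i in range(n) if all(m[i] == msgs[0][i] for m in msgs)}

def runs(offsets):
    """Collapse a set of offsets into (offset, byte_count) runs, the patent's list form."""
    out = []
    for off in sorted(offsets):
        if out and off == out[-1][0] + out[-1][1]:
            out[-1] = (out[-1][0], out[-1][1] + 1)
        else:
            out.append((off, 1))
    return out

def message_type_field(starts, stops):
    """Offsets constant within the starts and within the stops but with differing
    content: the message type field, with its encoding in each set."""
    s1, s2 = invariant_bytes(starts), invariant_bytes(stops)
    common = {o for o in s1 if o in s2 and s1[o] != s2[o]}
    return [(off, n, {"attack_start": bytes(s1[off + k] for k in range(n)),
                      "attack_stop": bytes(s2[off + k] for k in range(n))})
            for off, n in runs(common)]

def target_fields(starts, attacks):
    """Search each start message for the byte encodings of its known target IP and
    port; keep only (field, offset, length, encoding) hits present in every attack,
    which drops chance matches such as a little-endian port in a single message."""
    hits = Counter()
    for msg, (_t, ip, port, _d) in zip(starts, attacks):
        encodings = {"dst_ip": {"be": ipaddress.IPv4Address(ip).packed},
                     "dst_port": {"be": struct.pack(">H", port), "le": struct.pack("<H", port)}}
        for field, encs in encodings.items():
            for enc_name, enc in encs.items():
                idx = msg.find(enc)
                if idx >= 0:
                    hits[(field, idx, len(enc), enc_name)] += 1
    return sorted(k for k, c in hits.items() if c == len(attacks))

def attack_type_field(starts, attacks, exclude=frozenset()):
    """Offsets that vary across all starts (range_list3), are constant inside every
    'same attack type, different target' class, and differ between classes."""
    varying = set(range(min(map(len, starts)))) - set(invariant_bytes(starts)) - set(exclude)
    by_type = defaultdict(list)
    for msg, (atype, *_) in zip(starts, attacks):
        by_type[atype].append(msg)
    class_inv = {t: invariant_bytes(ms) for t, ms in by_type.items()}
    cand = set(varying)
    for inv in class_inv.values():
        cand &= set(inv)
    cand = {o for o in cand if len({inv[o] for inv in class_inv.values()}) > 1}
    return [(off, n, {t: bytes(inv[off + k] for k in range(n)) for t, inv in class_inv.items()})
            for off, n in runs(cand)]

def describe_format(starts, stops, attacks):
    """Offset and encoding of every recovered field: the format description the method outputs."""
    targets = target_fields(starts, attacks)
    # Added refinement, not in the patent text: bytes already explained as target/port
    # are excluded before looking for the attack type.
    target_offsets = {off + k for _f, off, n, _e in targets for k in range(n)}
    return {"message_type": message_type_field(starts, stops),
            "attack_type": attack_type_field(starts, attacks, exclude=target_offsets),
            "target": targets}

if __name__ == "__main__":
    for name, value in describe_format(START_MSGS, STOP_MSGS, ATTACKS).items():
        print(name, value)
```

Two checks worth keeping when applying the method to real captures: the target search only accepts an (offset, encoding) hit that is present in every attack, which is what discards the chance little-endian port match at offset 8 that three of the six sample messages contain; and the attack type inference relies on the targets inside each class differing at every address byte, so with few samples a network prefix shared by a class's targets would survive into the attack type candidates.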
As shown in Fig. 2, embodiment two of the present invention provides a method for determining command messages and communication messages. To obtain the required command messages and communication messages from the messages transmitted between the bot and external servers, it is necessary to judge, according to different conditions, whether a message transmitted between the bot and an external server is a command message or a communication message. When no C&C communication has occurred, the messages arising under the different conditions are screened into command messages and communication messages; once C&C communication has occurred, it is judged whether the destination IP address and destination port of the current communication are identical to those of the C&C communication; if so, the communication is treated as a command message, otherwise it is treated as a communication message.
The specific flow is as follows:
Step 201: a new communication initiated by the bot towards an external server is detected;
Step 202: judge whether C&C communication has occurred before this communication; if not, go to step 203, otherwise go to step 204;
Step 203: when no C&C communication has occurred before this communication, judge whether the C&C server has been determined; if not, go to step 205, otherwise go to step 206;
Step 204: take the messages between the bot and the C&C server as command messages and the remaining messages as communication messages;
Step 205: when the C&C server has not been determined, take the server with which the bot is currently communicating as the C&C server, take the messages between the bot and the C&C server as command messages and the remaining messages as communication messages;
Step 206: when the C&C server has been determined, judge whether the bot's communication target is the C&C server; if the bot's current communication target is not the C&C server, go to step 207, otherwise go to step 208;
Step 207: when the bot's current communication target is not the C&C server, the messages of this communication are determined to be communication messages;
Step 208: when the bot's current communication target is the C&C server, the messages transmitted between the bot and the C&C server are taken as command messages.
In the embodiment of the present invention, detecting that the bot initiates a new communication with an external server means that the bot initiates a new communication connection with the outside, for example a TCP connection; the messages need to be examined only while the connection is being set up. From the establishment of the TCP connection until its termination, the messages within it need not be examined again and are treated by default as communication between the bot and the C&C server. A white list may also be set up, in which server addresses are pre-configured, for example the domain names of websites such as Google, Sohu and Sina, so that the bot can reach them before C&C communication starts; the number of server addresses in the white list may be any integer greater than zero. At the same time, when a new communication between the bot and an external server is detected, no C&C communication has yet been detected, and the bot is communicating with a server on the white list, the communication between the bot and that white-listed server can be let through directly, which reduces the number of useless packets captured.
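Steps 201 to 208 and the white-list rule, as an added example that is not part of the patent (illustrative Python written for this page; the class names BotTrafficClassifier and Connection, the sample capture and the white-list entry are assumptions). A connection, not a packet, is the unit of decision, matching the note above that messages inside an established TCP connection are not re-examined; a preset cc_server models the case of step 206 in which the C&C server is already known before any C&C exchange has been seen.

```python
"""Label each connection the sandboxed bot opens as command traffic (to the C&C
server) or communication traffic (everything else), following steps 201 to 208 and
the white-list rule above. Added example, not the patent's code; the class names,
the connection records and the white list are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Connection:
    """One connection initiated by the bot (constructed record). Messages inside an
    established TCP connection are not re-examined: the connection gets one label."""
    t: float
    dst_ip: str
    dst_port: int
    proto: str
    payloads: list


@dataclass
class BotTrafficClassifier:
    # Servers the bot may legitimately reach before C&C starts (pre-configured, assumed).
    whitelist: set = field(default_factory=set)
    # (ip, port) of the C&C server; may be preset when it is already known (step 206).
    cc_server: Optional[tuple] = None
    cc_seen: bool = False  # step 202: has a C&C exchange been observed yet?

    def classify(self, conn):
        dst = (conn.dst_ip, conn.dst_port)
        if not self.cc_seen:
            # No C&C yet and a white-listed server: let it through without capturing.
            if conn.dst_ip in self.whitelist:
                return "whitelisted"
            if self.cc_server is None:  # step 205: first other server is taken as the C&C server
                self.cc_server = dst
        if dst == self.cc_server:  # steps 204 / 208: same destination IP and port as the C&C
            self.cc_seen = True
            return "command"
        return "communication"  # steps 204 / 207

    def split(self, conns):
        """Return (command_messages, communication_connections) in capture order;
        command messages are (time, payload) pairs, as the later association step needs."""
        commands, comms = [], []
        for conn in sorted(conns, key=lambda c: c.t):
            label = self.classify(conn)
            if label == "command":
                commands.extend((conn.t, p) for p in conn.payloads)
            elif label == "communication":
                comms.append(conn)
        return commands, comms


# Constructed capture: a resolver lookup, the first unknown server (becomes the C&C),
# an HTTP flood, a second exchange with the C&C, and a resolver lookup after C&C started.
SAMPLE = [
    Connection(0.0, "198.51.100.53", 53, "udp", [b"dns-query"]),
    Connection(1.0, "203.0.113.9", 6667, "tcp", [b"\xab\x01\x30\xc0\x00\x02\x0a\x00\x50\x00\x3c"]),
    Connection(2.0, "192.0.2.10", 80, "tcp", [b"GET / HTTP/1.1\r\n\r\n"] * 3),
    Connection(3.0, "203.0.113.9", 6667, "tcp", [b"\xab\x02\x30\xc0\x00\x02\x0a\x00\x50\x00\x3c"]),
    Connection(4.0, "198.51.100.53", 53, "udp", [b"dns-query"]),
]

if __name__ == "__main__":
    clf = BotTrafficClassifier(whitelist={"198.51.100.53"})
    cmds, comms = clf.split(SAMPLE)
    print("C&C server:", clf.cc_server)
    print("command messages:", cmds)
    print("communication connections:", [(c.dst_ip, c.dst_port) for c in comms])
```

Once C&C communication has been observed the white list no longer applies (step 204 classifies everything not destined to the C&C address and port as communication), so later benign traffic such as the second resolver lookup ends up among the communication messages and has to be filtered out when the attack attribute information is derived from them.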
Corresponding to the method flow above, an embodiment of the present invention further provides a device for recognizing a DDoS botnet communication protocol; the specific content of this device may be implemented with reference to the method above and is not repeated here.
As shown in Fig. 3, embodiment three of the present invention provides a device for recognizing a DDoS botnet communication protocol, comprising:
a network behavior capture module 301, configured to obtain the command messages and communication messages communicated between the bot running in the host and servers, and to determine from the obtained communication messages the attack attribute information of each class of attack in each attack;
an association module 302, configured to determine attack command messages from the obtained command messages according to the attack attribute information of each class of attack in each attack, and to determine the attack instruction message characteristic information according to the attack command messages and the attack attribute information.
Preferably, the network behavior capture module 301 is specifically configured to: if no C&C communication has occurred and a C&C server has been determined, take the messages transmitted between the bot and the C&C server as command messages and the messages transmitted between the bot and non-C&C servers as communication messages;
if no C&C communication has occurred and no C&C server has been determined, take the server with which the bot is currently communicating as the C&C server, take the messages transmitted between the bot and that C&C server as command messages and the messages transmitted between the bot and non-C&C servers as communication messages;
if C&C communication has occurred, take, among the messages currently transmitted between the bot and servers, those whose destination Internet Protocol (IP) address and destination port are identical to the destination IP address and destination port of the C&C communication messages as command messages, and those whose destination IP address and destination port differ from the destination IP address and destination port of the C&C communication messages as communication messages.
Preferably, the association module 302 is specifically configured to: determine, according to the attack attribute information of each class of attack in each attack, the command message received last before the attack starts to be an attack start instruction;
determine, according to the attack attribute information of each class of attack in each attack, the command message received last before the attack stops to be an attack stop instruction;
take the attack start instruction and the attack stop instruction as the attack command messages.
Preferably, the attack instruction message characteristic information includes part or all of the following:
the offset and encoding of the message type field; the offset and encoding of the attack type field; the offset and encoding of the attack target and port fields; the offset and encoding of the parameters related to a particular attack type.
Preferably, the association module 302 is specifically configured to: determine the byte content that is identical at the same byte offset in all attack start instruction messages, and place the identical byte content determined together with the corresponding byte offsets in an attack start set; determine the byte content that is identical at the same byte offset in all attack stop instruction messages, and place the identical byte content determined together with the corresponding byte offsets in an attack stop set;
determine the byte content that differs at the same byte offset between the attack start set and the attack stop set and the number of bytes of that differing content, and take the differing byte content, its byte count and its byte offset as the offset of the message type field.
Preferably, the association module 302 is specifically configured to: determine the byte content that differs at the same byte offset across all attack start instruction messages, and place the differing byte content determined together with the corresponding byte offsets in an attack start complement set;
classify the attack attribute information by "same attack type but different attack target"; for each class of attack, determine the byte content that is identical at the same byte offset between the attack start instructions corresponding to that class and the attack start complement set, determine the attack type field from that identical byte content, and take the attack type field determined, its byte offset and its byte count as the offset and encoding of the attack type field.
Preferably, the association module 302 is specifically configured to: determine the byte offset and the byte count of the attack target and port within the attack start instruction, and take the byte offset and byte count determined for the attack target and port as the offset and encoding of the attack target and port fields;
the attack target and port include part or all of the following:
destination Internet Protocol (IP) address; destination port; source IP address; source port.
In summary, because the network behavior the bot exhibits is always bound to the C&C instructions, that is, the bot's network behavior embodies the semantics of the C&C instructions, understanding the bot's network behavior can be converted into understanding the semantics of the C&C instructions: by understanding the network behavior of the bot, the semantics of the C&C instructions are understood, and from them the C&C message format characteristics are output. To obtain the bot's network behavior, the bot is run in a host and its communication with external servers is controlled. When the bot communicates with the C&C server, the transmission time of each C&C communication message is recorded and the content of the C&C communication messages is recorded as command messages; when the bot communicates with non-C&C servers, the communication messages the bot exchanges with them are determined to be communication messages carrying attack behavior and are analysed to determine when, against which target, what kind of attack was performed. After the attack behavior ends, the communication messages carrying the attack behavior are tallied to obtain, for each class of attack in each attack, the start time, duration, attack type, attack target IP address, attacked port, source ports used, source IP address and other parameters; these parameters constitute the attack attribute information of each class of attack in each attack. The attack command messages are finally determined from the command messages according to the attack attribute information of each class of attack, the attack command messages are associated with the attack attribute information, the different attack command messages are analysed differentially to find their characteristics, and the characteristic description of the command message format is output.
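The derivation of attack attribute information from the attack traffic and its association with the command messages, as described for the association module and in the summary above, as an added example that is not taken from the patent (illustrative Python written for this page). The Packet record, the attack-type heuristics in attack_type, the 5 s burst gap, and the sample command messages and packets are all assumptions; the attack start instruction is the command received last before a burst's first packet and the attack stop instruction the command received last before its last packet.

```python
"""Derive attack attribute information from the bot's attack traffic and associate
each attack with the command messages received last before it started and before it
stopped. Added example, not the patent's code; the packet records, the command
messages, the attack-type heuristics and the 5 s burst gap are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet of communication traffic sent by the bot (constructed record)."""
    t: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str              # "tcp" or "udp"
    tcp_flags: str = ""     # e.g. "S" for a bare SYN
    payload: bytes = b""


def attack_type(pkt):
    """Coarse attack class read off the packet (assumed heuristics, not the patent's)."""
    if pkt.proto == "udp":
        return "udp_flood"
    if pkt.tcp_flags == "S" and not pkt.payload:
        return "syn_flood"
    if pkt.payload[:4] in (b"GET ", b"POST"):
        return "http_flood"
    return "other"


GAP = 5.0  # seconds of silence that ends one attack burst (assumed threshold)


def attack_attributes(packets):
    """Attack attribute information: one record per (type, target IP, target port)
    burst with start time, end time, duration, source IPs, source ports and count."""
    by_class = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.t):
        by_class[(attack_type(p), p.dst_ip, p.dst_port)].append(p)
    records = []
    for (atype, dst_ip, dst_port), pkts in by_class.items():
        burst = [pkts[0]]
        for p in pkts[1:] + [None]:  # the None sentinel flushes the last burst
            if p is not None and p.t - burst[-1].t <= GAP:
                burst.append(p)
                continue
            records.append({"type": atype, "dst_ip": dst_ip, "dst_port": dst_port,
                            "start": burst[0].t, "end": burst[-1].t,
                            "duration": burst[-1].t - burst[0].t,
                            "src_ips": sorted({b.src_ip for b in burst}),
                            "src_ports": sorted({b.src_port for b in burst}),
                            "packets": len(burst)})
            if p is not None:
                burst = [p]
    return sorted(records, key=lambda r: r["start"])


def last_command_before(commands, t, after=float("-inf")):
    """The (time, payload) command message received last before t and after `after`."""
    return max(((ct, msg) for ct, msg in commands if after < ct < t), default=None)


def associate(commands, attacks):
    """Attach the attack start and attack stop instruction to each attack record."""
    linked = []
    for rec in attacks:
        start_cmd = last_command_before(commands, rec["start"])
        # Added check: the stop instruction must arrive after the start instruction;
        # an attack that simply runs out its duration has no stop instruction (None).
        lower = start_cmd[0] if start_cmd else float("-inf")
        stop_cmd = last_command_before(commands, rec["end"], after=lower)
        linked.append({**rec, "start_cmd": start_cmd, "stop_cmd": stop_cmd})
    return linked


# Constructed command messages (time, bytes) recorded from the C&C connection.
COMMANDS = [
    (10.0, b"\xab\x01\x10\xcb\x00\x71\x0a\x00\x50\x00\x1e"),   # start; traffic shows a SYN flood
    (50.0, b"\xab\x02\x10\xcb\x00\x71\x0a\x00\x50\x00\x1e"),   # stop
    (60.0, b"\xab\x01\x20\xc0\x00\x02\x07\x00\x35\x00\x3c"),   # start; traffic shows a UDP flood
]
# Constructed attack traffic: 82 SYNs at 2 pps to 203.0.113.10:80, then 40 UDP datagrams to 192.0.2.7:53.
PACKETS = (
    [Packet(10.25 + i * 0.5, "10.0.0.5", 40000 + i, "203.0.113.10", 80, "tcp", "S") for i in range(82)]
    + [Packet(60.25 + i * 0.5, "10.0.0.5", 51000 + i % 4, "192.0.2.7", 53, "udp", payload=b"\0" * 64)
       for i in range(40)]
)

if __name__ == "__main__":
    for rec in associate(COMMANDS, attack_attributes(PACKETS)):
        print(rec["type"], rec["dst_ip"], rec["dst_port"], rec["start"], rec["end"],
              "start_cmd:", rec["start_cmd"], "stop_cmd:", rec["stop_cmd"])
```

The lower bound on the stop instruction (it must be later than the start instruction) is an added check that the patent text does not state; without it, an attack that ends by running out its configured duration, like the second sample attack, would have its own start instruction reported as its stop instruction.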
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operational steps is performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass them.

Claims (14)

1. A method for recognizing a DDoS botnet communication protocol, characterized in that the method comprises:
obtaining command messages and communication messages communicated between a bot program (bot) running in a host and servers; specifically, if no C&C communication has occurred and a C&C server has been determined, taking the messages transmitted between the bot and the C&C server as command messages and the messages transmitted between the bot and non-C&C servers as communication messages;
determining the attack attribute information of each attack from the obtained communication messages;
determining attack command messages from the obtained command messages according to the attack attribute information of each class of attack in each attack;
determining attack instruction message characteristic information according to the attack command messages and/or the attack attribute information.
2. The method of claim 1, characterized in that the method further comprises:
if no C&C communication has occurred and no C&C server has been determined, taking the server with which the bot is currently communicating as the C&C server, taking the messages transmitted between the bot and the C&C server as command messages and the messages transmitted between the bot and non-C&C servers as communication messages;
if C&C communication has occurred, taking, among the messages currently transmitted between the bot and servers, those whose destination Internet Protocol (IP) address and destination port are identical to the destination IP address and destination port of the C&C communication messages as command messages, and those whose destination IP address and destination port differ from the destination IP address and destination port of the C&C communication messages as communication messages.
3. The method of claim 1, characterized in that determining attack command messages from the obtained command messages according to the attack attribute information of each class of attack in each attack comprises:
determining, according to the attack attribute information of each class of attack in each attack, the command message received last before the attack starts to be an attack start instruction;
determining, according to the attack attribute information of each class of attack in each attack, the command message received last before the attack stops to be an attack stop instruction;
taking the attack start instruction and the attack stop instruction as the attack command messages.
4. The method of claim 3, characterized in that the attack instruction message characteristic information includes part or all of the following:
the offset and encoding of the message type field;
the offset and encoding of the attack type field;
the offset and encoding of the attack target and port fields;
the offset and encoding of the parameters of a particular attack type.
5. The method of claim 4, characterized in that determining attack instruction message characteristic information according to the attack command messages and/or the attack attribute information comprises:
determining the byte content that is identical at the same byte offset in all attack start instruction messages, and placing the identical byte content determined together with the corresponding byte offsets in an attack start set; determining the byte content that is identical at the same byte offset in all attack stop instruction messages, and placing the identical byte content determined together with the corresponding byte offsets in an attack stop set;
determining the byte content that differs at the same byte offset between the attack start set and the attack stop set and the number of bytes of that differing content, and taking the differing byte content, its byte count and its byte offset as the offset of the message type field.
6. The method of claim 4, characterized in that determining attack instruction message characteristic information according to the attack command messages and/or the attack attribute information comprises:
determining the byte content that differs at the same byte offset across all attack start instruction messages, and placing the differing byte content determined together with the corresponding byte offsets in an attack start complement set;
classifying the attack attribute information by "same attack type but different attack target"; for each class of attack, determining the byte content that is identical at the same byte offset between the attack start instructions corresponding to that class and the attack start complement set, determining the attack type field from that identical byte content, and taking the attack type field determined, its byte offset and its byte count as the offset and encoding of the attack type field.
7. The method of claim 4, characterized in that determining attack instruction message characteristic information according to the attack command messages and/or the attack attribute information comprises:
determining the byte offset and the byte count of the attack target and port within the attack start instruction, and taking the byte offset and byte count determined for the attack target and port as the offset and encoding of the attack target and port fields;
the attack target and port include part or all of the following:
destination Internet Protocol (IP) address; destination port; source IP address; source port.
8. A device for recognizing a DDoS botnet communication protocol, characterized in that the device comprises:
a network behavior capture module, configured to obtain the command messages and communication messages communicated between a bot running in a host and servers; specifically, if no C&C communication has occurred and a C&C server has been determined, to take the messages transmitted between the bot and the C&C server as command messages and the messages transmitted between the bot and non-C&C servers as communication messages; and to determine from the obtained communication messages the attack attribute information of each class of attack in each attack;
an association module, configured to determine attack command messages from the obtained command messages according to the attack attribute information of each class of attack in each attack, and to determine attack instruction message characteristic information according to the attack command messages and the attack attribute information.
9. The device of claim 8, characterized in that the network behavior capture module is further configured to:
if no C&C communication has occurred and no C&C server has been determined, take the server with which the bot is currently communicating as the C&C server, take the messages transmitted between the bot and the C&C server as command messages and the messages transmitted between the bot and non-C&C servers as communication messages;
if C&C communication has occurred, take, among the messages currently transmitted between the bot and servers, those whose destination Internet Protocol (IP) address and destination port are identical to the destination IP address and destination port of the C&C communication messages as command messages, and those whose destination IP address and destination port differ from the destination IP address and destination port of the C&C communication messages as communication messages.
10. The device of claim 8, characterized in that the association module is configured to:
determine, according to the attack attribute information of each class of attack in each attack, the command message received last before the attack starts to be an attack start instruction;
determine, according to the attack attribute information of each class of attack in each attack, the command message received last before the attack stops to be an attack stop instruction;
take the attack start instruction and the attack stop instruction as the attack command messages.
11. The device of claim 10, characterized in that the attack instruction message characteristic information includes part or all of the following:
the offset and encoding of the message type field; the offset and encoding of the attack type field; the offset and encoding of the attack target and port fields; the offset and encoding of the parameters related to a particular attack type.
12. The device of claim 11, characterized in that the association module is configured to:
determine the byte content that is identical at the same byte offset in all attack start instruction messages, and place the identical byte content determined together with the corresponding byte offsets in an attack start set; determine the byte content that is identical at the same byte offset in all attack stop instruction messages, and place the identical byte content determined together with the corresponding byte offsets in an attack stop set;
determine the byte content that differs at the same byte offset between the attack start set and the attack stop set and the number of bytes of that differing content, and take the differing byte content, its byte count and its byte offset as the offset of the message type field.
13. The device of claim 11, characterized in that the association module is configured to:
determine the byte content that differs at the same byte offset across all attack start instruction messages, and place the differing byte content determined together with the corresponding byte offsets in an attack start complement set;
classify the attack attribute information by "same attack type but different attack target"; for each class of attack, determine the byte content that is identical at the same byte offset between the attack start instructions corresponding to that class and the attack start complement set, determine the attack type field from that identical byte content, and take the attack type field determined, its byte offset and its byte count as the offset and encoding of the attack type field.
14. The device of claim 11, characterized in that the association module is configured to:
determine the byte offset and the byte count of the attack target and port within the attack start instruction, and take the byte offset and byte count determined for the attack target and port as the offset and encoding of the attack target and port fields;
the attack target and port include part or all of the following:
destination Internet Protocol (IP) address; destination port; source IP address; source port.
Application CN201410196838.2A (priority date 2014-05-09, filing date 2014-05-09): Method and device for recognizing DDoS bot network communication protocol; status Active; granted publication CN103997489B (en).

Publications (2)

CN103997489A (en), application publication, 2014-08-20
CN103997489B (en), granted publication, 2017-02-22

Family

ID=51311496

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410196838.2A Active CN103997489B (en) 2014-05-09 2014-05-09 Method and device for recognizing DDoS bot network communication protocol

Country Status (1)

Country Link
CN (1) CN103997489B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105635067B (en) 2014-11-04 2019-11-15 Huawei Technologies Co., Ltd. File transmission method and device
CN106921612A (en) * 2015-12-24 2017-07-04 Alibaba Group Holding Ltd. Method and device for discovering DDoS attacks
CN107306266B (en) * 2016-04-25 2020-08-04 Alibaba Group Holding Ltd. Method and device for scanning central control server
CN105827630B (en) * 2016-05-03 2019-11-12 National Computer Network and Information Security Management Center Botnet attribute identification method, defense method and device
CN107454043A (en) * 2016-05-31 2017-12-08 Alibaba Group Holding Ltd. Network attack monitoring method and device
CN108289084B (en) * 2017-01-10 2021-11-30 Alibaba Group Holding Ltd. Access traffic blocking method and apparatus, and non-transitory computer-readable storage medium
CN107547547B (en) * 2017-09-05 2020-06-02 Chengdu Knownsec Information Technology Co., Ltd. TCP CC identification method based on edit distance
CN108200041A (en) * 2017-12-28 2018-06-22 Guiyang Yilian Network Co., Ltd. Method and system for defending against DDoS attacks
CN109600362B (en) * 2018-11-26 2022-10-18 Ping An Technology (Shenzhen) Co., Ltd. Zombie host identification method, device and medium based on identification model
CN109743310B (en) * 2018-12-28 2021-11-16 Apollo Intelligent Connectivity (Beijing) Technology Co., Ltd. Method and device for analyzing message
CN112398781B (en) * 2019-08-14 2022-04-08 Datang Mobile Communications Equipment Co., Ltd. Attack testing method, host server and control server
CN110740144B (en) * 2019-11-27 2022-09-16 Tencent Technology (Shenzhen) Co., Ltd. Method, device, equipment and storage medium for determining attack target

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101360019A (en) * 2008-09-18 2009-02-04 Huawei Technologies Co., Ltd. Detection method, system and apparatus of zombie network
CN101741862A (en) * 2010-01-22 2010-06-16 Xi'an Jiaotong University System and method for detecting IRC bot network based on data packet sequence characteristics
CN101753377A (en) * 2009-12-29 2010-06-23 Jilin University P2P botnet real-time detection method and system
CN101924757A (en) * 2010-07-30 2010-12-22 China Telecom Co., Ltd. Method and system for reviewing Botnet
CN102546298A (en) * 2012-01-06 2012-07-04 Peking University Botnet family detection method based on active probing

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080229149A1 (en) * 2007-03-14 2008-09-18 Clifford Penton Remote testing of computer devices

Also Published As

Publication number Publication date
CN103997489A (en) 2014-08-20

Similar Documents

Publication Publication Date Title
CN103997489B (en) Method and device for recognizing DDoS bot network communication protocol
US10721244B2 (en) Traffic feature information extraction method, traffic feature information extraction device, and traffic feature information extraction program
KR102135024B1 (en) Method and apparatus for identifying category of cyber attack aiming iot devices
CN105681250B (en) Distributed botnet real-time detection method and system
CN112383538B (en) Hybrid high-interaction industrial honeypot system and method
CN107360145B (en) Multi-node honeypot system and data analysis method thereof
CN112769821A (en) Threat response method and device based on threat intelligence and ATT&CK
CN103607399A (en) Dedicated IP network security monitoring system and method based on hidden network
CN105554016A (en) Network attack processing method and device
CN104168272A (en) Trojan horse detection method based on communication behavior clustering
CN101605074A (en) Method and system for monitoring Trojan horses based on network communication behavior characteristics
JP6174520B2 (en) Malicious communication pattern detection device, malicious communication pattern detection method, and malicious communication pattern detection program
CN103916288B (en) Botnet detection method and system based on gateway and local host
CN106685984A (en) Network threat analysis system and method based on data packet capture technology
CN108270722A (en) Attack detection method and device
CN109600362A (en) Zombie host identification method, identification device and medium based on identification model
CN110933111A (en) DDoS attack identification method and device based on DPI
CN112671759A (en) DNS tunnel detection method and device based on multi-dimensional analysis
CN111049784A (en) Network attack detection method, device, equipment and storage medium
CN106911665B (en) Method and system for identifying malicious code weak password intrusion behavior
CN109995716A (en) Behavior triggering method and device based on high-interaction honeypot system
CN112788065B (en) Internet of things zombie network tracking method and device based on honeypots and sandboxes
WO2019043804A1 (en) Log analysis device, log analysis method, and computer-readable recording medium
CN107395597A (en) Virtual host defense optimization method
CN111049780A (en) Network attack detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 3rd floor, Yitai Building, No. 4 Beiwa Road, Haidian District, Beijing 100089

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 3rd floor, Yitai Building, No. 4 Beiwa Road, Haidian District, Beijing 100089

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.

CP01 Change in the name or title of a patent holder