CN108363922B - Automatic malicious code simulation detection method and system - Google Patents

Publication number: CN108363922B (application CN201710974003.9A; earlier publication CN108363922A)
Authority: CN (China)
Legal status: Active (Google's assumption, not a legal conclusion)
Original language: Chinese (zh)
Prior art keywords: protocol, malicious, special, family, sample
Inventors: 黄云宇, 康学斌, 刘广柱, 王小丰, 肖新光
Original and current assignee: Beijing Ahtech Network Safe Technology Ltd


Classifications

    • G (Physics) › G06 (Computing; calculating or counting) › G06F (Electric digital data processing) › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures › G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements › G06F21/562 Static detection › G06F21/563 Static detection by source code analysis
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow › G06F21/53 Monitoring by executing in a restricted environment, e.g. sandbox or secure virtual machine


Abstract

The invention provides an automated malicious code simulation detection method and system. The method comprises: performing family classification on a set of known malicious code samples and extracting their communication data, and from these establishing a special (family-specific) protocol database and knowledge base and a general protocol database and knowledge base; capturing the network requests of a malicious sample and identifying its family and its special communication protocol from the special protocol knowledge base; identifying the sample's communication request type and general communication protocol from the general protocol knowledge base; and automatically simulating both the general protocol and the special protocol of the malicious code so as to trigger its malicious behaviour. The technical scheme triggers the execution mechanism behind the malicious behaviour, improves the automated malicious code analysis capability of the sandbox and greatly reduces the manual analysis effort.

Description

Automatic malicious code simulation detection method and system
Technical Field
The invention relates to the field of computer network security, and in particular to an automated malicious code simulation detection method and system.
Background
Existing sandbox-based simulation detection methods analyse the structure of malicious code or monitor its behaviour, determine behavioural characteristics and give corresponding feedback. For a malicious code sample whose C2 (command and control server) is no longer active, the sandbox cannot obtain normal communication with C2 and can therefore only observe the benign or malicious behaviour of the initial stage of the sample; the core malicious functionality is exhibited only once the malicious code receives the relevant instructions from C2.
Disclosure of Invention
To solve this problem, the invention provides an automated malicious code simulation detection method and system that simulates normal C2 communication by simulating the response feedback of each communication protocol, thereby stimulating further behaviour of the malicious code and enabling deep detection of it.
The invention first provides an automated malicious code simulation detection method, comprising the following steps:
performing family classification on a set of known malicious code samples, extracting their communication data, and establishing a special protocol database, a special protocol knowledge base, a general protocol database and a general protocol knowledge base (here "special protocol" denotes the family-specific C2 protocol of a malicious code family, and "general protocol" denotes standard network protocols such as DNS, HTTP and FTP);
capturing the network requests of a malicious sample and identifying its family and special communication protocol from the special protocol knowledge base;
identifying the communication request type and general communication protocol of the malicious sample from the general protocol knowledge base;
automatically simulating the general protocol of the malicious code: according to the identified request type and general protocol, feeding response information back to the malicious sample so as to trigger its malicious behaviour;
automatically simulating the special protocol of the malicious code: according to the identified family and special protocol, feeding response information back to the malicious sample so as to trigger further malicious behaviour.
The method further comprises automatically simulating the application layer protocol of the malicious code: customized network access requests are derived from known malicious code and collected in a customized network access request knowledge base; the application layer protocol of the malicious sample is identified, its request is matched against the customized requests recorded for that protocol, and response information is fed back to the malicious code.
In the method, the family classification of the known malicious code sample set and the extraction of the communication data specifically comprise:
screening out, within each malicious code family, the samples that can still communicate normally with their control server, running them, and capturing both the communication interaction data (the traffic exchanged with the control server) and the network behaviour response data (the responses to the sample's ordinary network requests); the communication interaction data are used to build the special protocol database and knowledge base, and the network behaviour response data are used to build the general protocol database and knowledge base.
In the method, feeding response information back to the malicious sample according to the identified family and special protocol comprises an automatic CRC32 special protocol check simulation, specifically:
judging whether the family to which the malicious sample belongs performs a CRC32 special protocol check and, if so, simulating the response to the CRC32 check request so that the check completes.
In the method, feeding response information back to the malicious sample according to the identified family and special protocol further comprises an automatic first-packet special protocol verification simulation, specifically:
judging the family of the malicious sample, and determining the family of the first-packet request according to the first-packet special protocol format of that family recorded in the special protocol knowledge base.
In the method, after the automatic first-packet special protocol verification simulation, the method further comprises an automatic confirmation-packet special protocol verification simulation, specifically:
after the family of the first-packet request has been determined, sending the corresponding confirmation-packet special protocol data to the malicious sample.
In the method, after the automatic confirmation-packet special protocol verification simulation, the method further comprises an automatic heartbeat request verification simulation, specifically:
identifying the special protocol in the heartbeat request sent by the malicious sample, making the corresponding response once it is identified, and sending the malicious sample the various remote control instructions that conform to the special protocol format.
The invention also provides an automated malicious code simulation detection system, comprising:
a database module, which establishes the special protocol database, special protocol knowledge base, general protocol database and general protocol knowledge base by performing family classification on a set of known malicious code samples and extracting their communication data;
a special communication protocol identification module, which captures the network requests of a malicious sample and identifies its family and special communication protocol from the special protocol knowledge base;
a general communication protocol identification module, which identifies the communication request type and general communication protocol of the malicious sample from the general protocol knowledge base;
a general protocol simulation module, which automatically simulates the general protocol of the malicious code: according to the identified request type and general protocol, response information is fed back to the malicious sample so as to trigger its malicious behaviour;
a special protocol simulation module, which automatically simulates the special protocol of the malicious code: according to the identified family and special protocol, response information is fed back to the malicious sample so as to trigger further malicious behaviour.
The system further comprises an application protocol simulation module, which automatically simulates the application layer protocol of the malicious code: customized network access requests derived from known malicious code are collected in a customized network access request knowledge base; the application layer protocol of the malicious sample is identified, its request is matched against the customized requests recorded for that protocol, and response information is fed back to the malicious code.
In the system, the family classification of the known malicious code sample set and the extraction of the communication data specifically comprise:
screening out, within each malicious code family, the samples that can still communicate normally with their control server, running them, and capturing both the communication interaction data and the network behaviour response data; the communication interaction data are used to build the special protocol database and knowledge base, and the network behaviour response data are used to build the general protocol database and knowledge base.
In the system, feeding response information back to the malicious sample according to the identified family and special protocol comprises an automatic CRC32 special protocol check simulation, specifically:
judging whether the family to which the malicious sample belongs performs a CRC32 special protocol check and, if so, simulating the response to the CRC32 check request so that the check completes.
In the system, feeding response information back to the malicious sample according to the identified family and special protocol further comprises an automatic first-packet special protocol verification simulation, specifically:
judging the family of the malicious sample, and determining the family of the first-packet request according to the first-packet special protocol format of that family recorded in the special protocol knowledge base.
In the system, after the automatic first-packet special protocol verification simulation, the following is further performed: an automatic confirmation-packet special protocol verification simulation, specifically:
after the family of the first-packet request has been determined, sending the corresponding confirmation-packet special protocol data to the malicious sample.
In the system, after the automatic confirmation-packet special protocol verification simulation, the following is further performed: an automatic heartbeat request verification simulation, specifically:
identifying the special protocol in the heartbeat request sent by the malicious sample, making the corresponding response once it is identified, and sending the malicious sample the various remote control instructions that conform to the special protocol format.
The advantages of the invention are: the execution mechanism behind the malicious behaviour of the malicious code is triggered, the code is induced to perform its malicious operations, and its core functions are triggered comprehensively; the automated malicious code analysis capability of the sandbox is improved, together with the accuracy and completeness of its automated sample analysis; and because the simulation system interacts with the malicious code automatically and triggers its core behaviour, comprehensive automated analysis of the malicious code is achieved and the manual analysis effort is greatly reduced.
The technical scheme is mainly aimed at improving the deep cultivation (extended dynamic analysis) of malicious code and extracting more of the potential intelligence value that such cultivation holds. It builds a simulated botnet server side, i.e. a simulated command and control server (hereinafter C2), which conducts normal communication interaction with the client side (the sample), thereby triggering more of the sample's execution mechanisms, eliciting more malicious behaviour, allowing the sandbox to monitor and record more behavioural analysis results, and improving the sandbox's detection rate and accuracy for malicious code. For a sample whose C2 is no longer active, a sandbox that cannot obtain normal communication with C2 can only observe the benign or malicious behaviour of the initial stage, whereas the core malicious functionality is exhibited only once the malicious code receives the relevant instructions from C2.
The aim of the invention is therefore to simulate the communication interaction between C2 and the malicious code: activate the malicious code, send it responses to its protocol instruction requests, satisfy its communication type and its general and special protocol requests, trigger the execution mechanism behind its malicious behaviour and induce it to perform malicious operations, so as to improve the automated malicious code analysis capability of the sandbox and greatly reduce the manual analysis effort.
Drawings
To illustrate the technical solutions of the invention and of the prior art more clearly, the drawings needed to describe the embodiments are briefly introduced below. They show only some embodiments of the invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of an embodiment of the automated malicious code simulation detection method according to the invention;
FIG. 2 is a schematic structural diagram of an embodiment of the automated malicious code simulation detection system according to the invention;
FIG. 3 is a schematic structural diagram of an embodiment of a computer device according to the invention.
Detailed Description
To make the technical solutions in the embodiments of the invention better understood, and the above objects, features and advantages clearer, the technical solutions are described in further detail below with reference to the drawings.
The invention provides an automated malicious code simulation detection method and system that simulates normal C2 communication by simulating the response feedback of each communication protocol, thereby stimulating further behaviour of the malicious code and enabling deep detection of it.
The invention first provides an automated malicious code simulation detection method, shown in FIG. 1, comprising:
S101: performing family classification on a set of known malicious code samples, extracting their communication data, and establishing a special protocol database, a special protocol knowledge base, a general protocol database and a general protocol knowledge base;
The samples are classified by family because the family classification of malicious code generally coincides with its classification by network protocol. To improve efficiency and avoid wasting analysis resources on repeated analysis of malicious code from the same family, the large sample set is classified by family before the network protocol of the malicious code is reverse-engineered.
S102: capturing the network requests of a malicious sample and identifying its family and special communication protocol from the special protocol knowledge base;
The family name identified here is used in the later special protocol simulation, where it provides the knowledge basis for feeding back the accurate protocol responses of that family.
S103: identifying the communication request type and general communication protocol of the malicious sample from the general protocol knowledge base;
Common communication requests such as DNS (domain name system) requests, HTTP (hypertext transfer protocol) requests, FTP (file transfer protocol) requests and HTTP GET requests must be identified in detail by request type, so that in the later general protocol environment simulation stage the request type and protocol can be recognised automatically, the preset IP address or file data returned accurately, the execution mechanism of the malicious code triggered, and the code induced to interact with the simulated system. This identification provides the knowledge base for that stage.
S104: automatically simulating the general protocol of the malicious code: according to the identified request type and general protocol, feeding response information back to the malicious sample so as to trigger its malicious behaviour;
For the common network access requests of malicious code, the simulation subsystem must respond automatically, promptly and accurately. On the basis of the general protocol identification and knowledge base built earlier, the request type is recognised automatically and a response consistent with both network logic and the functional logic of the malicious code is fed back, so that the simulation takes over the role of the C2 of the malicious code.
S105: automatically simulating the application layer protocol of the malicious code: customized network access requests are derived from known malicious code and collected in a customized network access request knowledge base; the application layer protocol of the malicious sample is identified, its request is matched against the customized requests recorded for that protocol, and response information is fed back to the malicious code;
Within a general protocol there may be configurable requests that differ from ordinary network access, for which the common general protocol simulation feedback does not satisfy the execution mechanism that triggers the later malicious behaviour. Automated application layer protocol customization simulation is therefore needed: the common customization parameter forms of the network protocol layer of malicious code are studied quantitatively, knowledge of the various customized network access requests is accumulated, and a customized network access request knowledge base is built, so that the simulation subsystem can respond accurately to customized application layer protocol requests.
S106: automatically simulating the special protocol of the malicious code: according to the identified family and special protocol, feeding response information back to the malicious sample so as to trigger further malicious behaviour.
The above is only an example of the flow of the technical solution of the present application; the execution order is not limited and the order of the steps may be changed.
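A worked illustration of the general and application-layer protocol simulation of steps S103 to S105, added here as an example; it is not code from the patent or its assignee. It classifies a captured request as DNS, HTTP or FTP, answers every A query with a preset sandbox-local address, serves a canned page for ordinary HTTP requests and a knowledge-base entry for customized ones. The preset address, the knowledge-base entries, the 60-second TTL and the single permissive FTP reply are assumptions chosen for the example.

```python
import struct

# Added example, not the patent's code. Constructed knowledge base:
PRESET_IP = "10.0.0.2"                  # assumed sandbox-local address returned for every A query
CUSTOM_HTTP_KB = {                      # hypothetical customized application-layer requests (S105)
    ("GET", "/gate.php"): b"cmd=idle",
    ("POST", "/report"): b"OK",
}
DEFAULT_HTTP_BODY = b"<html>ok</html>"  # canned page for ordinary HTTP requests (S104)
FTP_VERBS = (b"USER", b"PASS", b"RETR", b"LIST", b"QUIT")


def parse_dns_query(pkt: bytes):
    """Return (txid, qname, qtype, raw_question) for a DNS query, or None if pkt is not one."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount < 1:   # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            return None
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:                    # compression pointer: not expected in a query name
            return None
        labels.append(pkt[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(pkt):
        return None
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, ".".join(labels), qtype, pkt[12:pos + 4]


def build_dns_a_response(pkt: bytes, ip: str) -> bytes:
    """Answer an A query with one record for ip (TTL 60 s assumed); other qtypes get an empty answer."""
    parsed = parse_dns_query(pkt)
    if parsed is None:
        return b""
    txid, _qname, qtype, question = parsed
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR=1 RD=1 RA=1, NOERROR
    answer = b""
    if ancount:
        # name = pointer to offset 12, type A, class IN, TTL, rdlength 4, then the address
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def parse_http_request(data: bytes):
    """Return (method, path) from an HTTP/1.x request line, or None."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace")


def build_http_response(body: bytes) -> bytes:
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\nConnection: close\r\n\r\n"
    return head % len(body) + body


def classify_request(data: bytes, udp: bool) -> str:
    """Identify the general protocol of a captured request (S103)."""
    if udp and parse_dns_query(data) is not None:
        return "dns"
    if parse_http_request(data) is not None:
        return "http"
    if data.split(b" ", 1)[0].rstrip(b"\r\n") in FTP_VERBS:
        return "ftp"
    return "unknown"


def respond(data: bytes, udp: bool = False):
    """Return (request_type, reply_bytes) the simulated server sends back (S104 / S105)."""
    kind = classify_request(data, udp)
    if kind == "dns":
        return kind, build_dns_a_response(data, PRESET_IP)
    if kind == "http":
        method, path = parse_http_request(data)
        body = CUSTOM_HTTP_KB.get((method, path.split("?", 1)[0]), DEFAULT_HTTP_BODY)
        return kind, build_http_response(body)
    if kind == "ftp":
        return kind, b"230 Login successful.\r\n"  # one permissive reply for illustration only
    return kind, b""


def make_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a recursive A query for name."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    for payload, udp in ((make_dns_query("c2.example.test"), True),
                         (b"GET /gate.php?id=1 HTTP/1.1\r\nHost: c2.example.test\r\n\r\n", False),
                         (b"USER anonymous\r\n", False)):
        print(respond(payload, udp))
```

In a sandbox the resolver and the default gateway of the analysis VM point at the host running `respond()`, so the sample's name lookups land on the preset address and its HTTP and FTP traffic lands on the same responder; the tuple returned per request is what the sandbox logs as the identified request type.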
In the method, the family classification of the known malicious code sample set and the extraction of the communication data specifically comprise:
screening out, within each malicious code family, the samples that can still communicate normally with their control server, running them, and capturing both the communication interaction data and the network behaviour response data; the communication interaction data are used to build the special protocol database and knowledge base, and the network behaviour response data are used to build the general protocol database and knowledge base.
The communication interaction data may include, for example, the OpenHeart request of the malicious code, the Sure response of C2 to the malicious code, Ping requests, and remote instruction requests such as the attack commands issued by C2 to the malicious code. The network behaviour response data may include, for example, the response data obtained from common network behaviour of the malicious code such as DNS, HTTP and FTP requests.
in the method, according to the identified malicious sample family and the special communication protocol, response information is fed back to the malicious sample, and the method comprises the following steps: the automatic CRC32 special protocol checking simulation specifically comprises the following steps:
and judging whether the malicious code family to which the malicious sample belongs carries out CRC32 special protocol check, if so, simulating to respond to a CRC special protocol check request to complete the check.
In a small part of malicious code families, after the malicious code establishes network communication with the C2 handshake three times, a protocol check special for CRC32, which is generally called a Hello request, needs to be performed, and only after the two parties are checked by the Hello request protocol, the malicious code sends an OpenHeart request to C2. For example, in XorDDoS, Mirai, and other families, malicious code sends a Hello specific protocol check request to C2 first, and sends an OpenHeart request to C2 after successful check.
In the method, feeding response information back to the malicious sample according to the identified family and special protocol further comprises an automatic first-packet special protocol verification simulation, specifically:
judging the family of the malicious sample, and determining the family of the first-packet request according to the first-packet special protocol format of that family recorded in the special protocol knowledge base.
After establishing the network connection with C2, ordinary malicious code sends an OpenHeart special protocol request (its first packet) to C2. The OpenHeart request of each family has its own proprietary format, and the corresponding C2 has a matching OpenHeart format check with which it verifies that the requesting malicious code belongs to the family. In the OpenHeart special protocol verification stage the simulation subsystem must therefore build an OpenHeart verification mechanism from the protocol knowledge base, so that the family of an OpenHeart request can be identified quickly and accurately.
In the method, after the automatic first-packet special protocol verification simulation, the method further comprises an automatic confirmation-packet special protocol verification simulation, specifically:
after the family of the first-packet request has been determined, sending the corresponding confirmation-packet (Sure) special protocol data to the malicious sample.
Once the OpenHeart format check succeeds, C2 sends Sure special protocol data as its response to the OpenHeart request. On receiving the Sure feedback, the malicious code in turn checks the Sure special protocol format, and only after this check succeeds can the two sides proceed to normal communication. Sure special protocol checks are common in large-scale botnet families; they exist, for example, in Mayday, Xor, Gates, Dofloo, Gafgyt, Mirai and Gh0st.
In the method, after the automatic confirmation-packet special protocol verification simulation, the method further comprises an automatic heartbeat request verification simulation, specifically:
identifying the special protocol in the heartbeat request sent by the malicious sample, making the corresponding response once it is identified, and sending the malicious sample the various remote control instructions that conform to the special protocol format.
Once the protocol checks have passed and normal communication is established, the malicious code sends C2 at fixed intervals a network request carrying data such as memory usage, CPU usage and network bandwidth, generally called a heartbeat or Ping request, and C2 may at any time send the malicious code instruction requests such as remote desktop control, CMD execution, file download, DDoS attack start/stop and file update. This communication phase triggers far more of the malicious behaviour of the code. However, the Ping and remote control requests of each family differ, and the requests of both sides trigger behaviour only after passing the proprietary protocol check; if the check fails, protocol parsing goes wrong, the target behaviour is not triggered, and the resulting exception may even crash the process or the system. To discover more of the malicious behaviour, the simulation subsystem must therefore accurately identify the various proprietary protocol requests of each family, make the corresponding proprietary protocol responses, and then send the malicious code the instruction requests that conform to that family's proprietary protocol format, so as to induce its more comprehensive core malicious behaviour.
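A worked illustration of the special protocol simulation sequence described in the preceding paragraphs (CRC32 Hello check, OpenHeart first-packet family identification, Sure confirmation, then heartbeat handling with remote-control instructions issued in the family's format), added here as an example; it is not code from the patent or its assignee. The two family entries in the knowledge base, the Hello message layout (tag, nonce, little-endian CRC32 over both), the magic prefixes and the opcode bytes are hypothetical constructs for the example and are not the wire formats of XorDDoS, Mirai or any other named family.

```python
import struct
import zlib

# Added example, not the patent's code. Hypothetical family knowledge base: every prefix,
# confirmation packet and opcode below is constructed for illustration.
FAMILY_KB = {
    "FamilyA": {                       # binary protocol with a CRC32 Hello stage before OpenHeart
        "hello": True,
        "openheart_magic": b"\x0a\x0b",
        "sure": b"\x0a\x0c\x00\x00",
        "ping_magic": b"\x0a\x0d",
        "commands": {"ddos_start": b"\x0a\x10", "download": b"\x0a\x11", "cmd": b"\x0a\x12"},
    },
    "FamilyB": {                       # text protocol, no Hello stage
        "hello": False,
        "openheart_magic": b"HB:",
        "sure": b"OK\n",
        "ping_magic": b"PING:",
        "commands": {"ddos_start": b"ATK ", "cmd": b"SH "},
    },
}
HELLO_TAG = b"HELO"                    # hypothetical Hello layout: tag(4) | nonce(4) | crc32(tag|nonce) LE


def make_hello(nonce: bytes) -> bytes:
    """Constructed sample-side Hello request, what a FamilyA bot would send first."""
    body = HELLO_TAG + nonce
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def verify_hello(data: bytes):
    """Return the nonce if data is a well-formed Hello whose CRC32 checks, else None."""
    if len(data) != 12 or data[:4] != HELLO_TAG:
        return None
    (crc,) = struct.unpack("<I", data[8:12])
    if zlib.crc32(data[:8]) & 0xFFFFFFFF != crc:
        return None
    return data[4:8]


def hello_response(nonce: bytes) -> bytes:
    """C2 side of the Hello check: CRC32 of the nonce, little-endian (hypothetical)."""
    return struct.pack("<I", zlib.crc32(nonce) & 0xFFFFFFFF)


def identify_family(first_packet: bytes, kb=FAMILY_KB):
    """First-packet (OpenHeart) verification: match the packet against each family's format."""
    for name, spec in kb.items():
        if first_packet.startswith(spec["openheart_magic"]):
            return name
    return None


class C2Emulator:
    """Per-connection state machine standing in for the C2 of whichever family connects."""

    def __init__(self, kb=FAMILY_KB):
        self.kb = kb
        self.state = "NEW"        # NEW -> ACKED once Sure is sent; stays ACKED while heartbeats arrive
        self.family = None
        self.hello_done = False
        self.issued = []          # instruction names already sent, for the sandbox report
        self.trace = []           # protocol events, for the sandbox report

    def handle(self, data: bytes) -> bytes:
        """Consume one message from the sample and return what the simulated C2 replies."""
        if self.state == "NEW":
            nonce = verify_hello(data)
            if nonce is not None:                        # CRC32 Hello check
                self.hello_done = True
                self.trace.append("hello_ok")
                return hello_response(nonce)
            fam = identify_family(data, self.kb)         # OpenHeart first-packet check
            if fam is None:
                self.trace.append("unknown_first_packet")
                return b""
            if self.kb[fam]["hello"] and not self.hello_done:
                self.trace.append(fam + ":hello_missing")  # a real C2 of this family would drop the bot
                return b""
            self.family, self.state = fam, "ACKED"
            self.trace.append(fam + ":openheart_ok")
            return self.kb[fam]["sure"]                  # Sure confirmation packet
        spec = self.kb[self.family]                      # state ACKED: expect heartbeats
        if not data.startswith(spec["ping_magic"]):
            self.trace.append("bad_ping")
            return b""
        self.trace.append("ping_ok")
        pending = [c for c in spec["commands"] if c not in self.issued]
        if not pending:
            return spec["sure"]                          # every instruction tried; keep the session alive
        name = pending[0]
        self.issued.append(name)
        return spec["commands"][name] + b"\x00"          # hypothetical: opcode followed by an empty argument
```

Each heartbeat is answered with the next untried instruction of the identified family, so one analysis run walks the sample through its whole command set; `issued` and `trace` are what the sandbox would attach to the report, and a `hello_missing` or `bad_ping` entry marks the point at which the simulated protocol no longer matched the sample, which is exactly the failure mode the paragraph above warns about.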
The present invention further provides an automated malicious code simulation detection system which, as shown in fig. 2, includes:
a database module 201, which establishes the special protocol database, special protocol knowledge base, general protocol database and general protocol knowledge base by classifying a known malicious code sample set into families and extracting their information interaction data;
a special communication protocol identification module 202, which acquires the network request of a malicious sample and identifies the family and special communication protocol of the sample according to the special protocol knowledge base;
a general communication protocol identification module 203, which identifies the communication request type and general communication protocol of the malicious sample according to the general protocol knowledge base;
a general protocol simulation module 204, which automatically simulates the general protocol of the malicious code: according to the identified communication request type and general communication protocol, it feeds response information back to the malicious sample and triggers malicious behaviours of the malicious code;
a special protocol simulation module 205, which automatically simulates the special protocol of the malicious code: according to the identified malicious sample family and special communication protocol, it feeds response information back to the malicious sample and further triggers malicious behaviours of the malicious code.
The system further comprises an application protocol simulation module 206, which automatically simulates the application layer protocol of the malicious code: network access requests are customized for known malicious code, a knowledge base of customized network access requests is established, the application layer protocol of a malicious sample is identified, the network access request is customized according to the identified application layer protocol, and response information is fed back to the malicious code.
In the system, classifying the known malicious code sample set into families and extracting the information interaction data specifically includes:
screening out, in each malicious code family, the samples that can still communicate normally with their control terminal, interacting with them, and acquiring communication interaction data and network behaviour response data; the communication interaction data is used to establish the special protocol database and special protocol knowledge base, and the network behaviour response data is used to establish the general protocol database and general protocol knowledge base.
In the system, feeding response information back to the malicious sample according to the identified malicious sample family and special communication protocol includes automatic CRC32 special protocol check simulation, specifically:
judging whether the malicious code family to which the malicious sample belongs performs a CRC32 special protocol check and, if so, simulating a response to the CRC32 special protocol check request so that the check completes.
In the system, feeding response information back to the malicious sample according to the identified malicious sample family and special communication protocol further includes automatic first-packet special protocol check simulation, specifically:
judging the malicious code family to which the malicious sample belongs, and determining the corresponding first-packet request family according to that family's first-packet special protocol format and the special protocol knowledge base.
In the system, after the automatic first-packet special protocol check simulation, the method further includes automatic acknowledgement packet special protocol check simulation, specifically:
after the corresponding first-packet request family has been determined, sending the acknowledgement packet's special protocol data for that family to the malicious sample.
In the system, after the automatic acknowledgement packet special protocol check simulation has completed, the method further includes automatic heartbeat request check simulation, specifically:
identifying the special protocol in the heartbeat request sent by the malicious sample and, once it is identified, making the corresponding response and sending the malicious sample the various remote control request instructions that conform to the special protocol format.
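The following is an added illustration, not code from the patent or its assignee, of two pieces described above: building the special protocol knowledge base from screened interaction captures, and the simulated C2 walking a sample through the first-packet, CRC32, acknowledgement and heartbeat stages before sending an instruction in the family's own format. The wire formats, family names ("FamA", "FamB"), the CRC32 framing and the "STATUS" placeholder opcode are all constructed assumptions.

```python
import struct
import zlib
from dataclasses import dataclass

# Constructed capture records, one per family: the first packet a sample
# sends, whether the family wraps frames in a CRC32, what the real C2
# answered (acknowledgement packet), the heartbeat prefix seen afterwards,
# and a placeholder instruction frame the C2 was observed sending.
# In a real deployment these come from captured interactions of known samples.
CAPTURED_INTERACTIONS = [
    {"family": "FamA", "first": b"\x01\x00HELO", "crc": True,
     "ack": b"\x02\x00OK", "heartbeat": b"\x03\x00HB",
     "instruction": b"\x10\x00STATUS"},
    {"family": "FamB", "first": b"BEAT", "crc": False,
     "ack": b"ACK", "heartbeat": b"PING", "instruction": b"STATUS"},
]


def build_knowledge_base(records):
    """Special protocol knowledge base: family -> protocol facts."""
    return {r["family"]: {k: v for k, v in r.items() if k != "family"}
            for r in records}


def crc32_frame(payload):
    """Constructed CRC32 framing: 4-byte big-endian CRC32, then payload."""
    return struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF) + payload


def crc32_unframe(frame):
    """Return the payload if the CRC32 check passes, otherwise None."""
    if len(frame) < 4:
        return None
    crc, payload = struct.unpack(">I", frame[:4])[0], frame[4:]
    return payload if zlib.crc32(payload) & 0xFFFFFFFF == crc else None


@dataclass
class C2Emulator:
    """Simulated C2 end: first packet -> ack -> heartbeat -> instruction."""
    kb: dict
    family: str = None
    stage: str = "first_packet"

    def _unframe(self, frame, info):
        return crc32_unframe(frame) if info["crc"] else frame

    def _frame(self, payload, info):
        return crc32_frame(payload) if info["crc"] else payload

    def handle(self, frame):
        """Return the reply frames for one request, or [] when the
        protocol check fails (the sample would then not progress)."""
        if self.stage == "first_packet":
            # Try each family's framing and first-packet format in turn.
            for fam, info in self.kb.items():
                payload = self._unframe(frame, info)
                if payload is not None and payload.startswith(info["first"]):
                    self.family, self.stage = fam, "heartbeat"
                    return [self._frame(info["ack"], info)]
            return []
        info = self.kb[self.family]
        payload = self._unframe(frame, info)
        if payload is None or not payload.startswith(info["heartbeat"]):
            return []
        # Heartbeat recognised: acknowledge it, then push an instruction
        # request in the family's own format to trigger further behaviour.
        return [self._frame(info["ack"], info),
                self._frame(info["instruction"], info)]


def run_session(kb, frames):
    """Drive one sample's request sequence; returns (family, replies)."""
    emu = C2Emulator(kb)
    replies = [emu.handle(f) for f in frames]
    return emu.family, replies
```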
In addition, the present invention further provides a computer device according to an embodiment, whose structure is shown schematically in fig. 3. The computer device includes a memory 301, a processor 302, and a computer program stored in the memory 301 and executable on the processor 302; when the processor 302 executes the computer program, the automatic malicious code simulation detection method of the embodiment is implemented. The device may also include a communication interface for communication between the memory 301 and the processor 302. The memory may comprise RAM and may also include non-volatile memory, such as at least one disk memory; the processor 302 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention; the memory 301 and the processor 302 may be arranged independently or integrated on one chip.
In order to implement the above embodiments, the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by the processor 302, the computer program implements the automated malicious code simulation detection method of the above embodiments.
The advantages of the invention are: the malicious code's execution mechanism for malicious behaviour is triggered, the malicious code is induced to execute its malicious operations, and its core functions are triggered comprehensively; the sandbox's automated malicious code analysis capability is optimized, and the sandbox's automated sample analysis capability, accuracy and comprehensiveness are improved; the automated simulation system interacts with the malicious code and triggers its core behaviours automatically, so that comprehensive automated analysis of malicious code is realized and the investment in manual analysis can be greatly reduced.
The technical solution provided by the invention mainly aims to perfect the deep cultivation and dynamic analysis of malicious code, and further to mine the potential information value of that deep cultivation. The method establishes a simulated botnet Command and Control end (hereinafter referred to as C2) and simulates normal communication interaction with the malicious code's Client end, triggering more of the malicious code's execution mechanisms and more of its malicious behaviours, so that the sandbox monitors and obtains more malicious code behaviour analysis results and its detection rate and accuracy for malicious code improve. For a malicious code sample whose C2 is no longer active, the sandbox detection system cannot obtain normal communication with the C2 and can only detect the normal or malicious behaviours of the malicious code's initial stage; the core malicious functions of the malicious code appear only once it has received the relevant instructions from the C2.
The aim of the invention is to simulate the communication interaction between the C2 and the malicious code: activate the malicious code, send it responses to its protocol instruction requests, satisfy its communication type and its general and special protocol requests, trigger its execution mechanism for malicious behaviour and induce it to execute the malicious operations, so as to optimize the sandbox's automated malicious code analysis capability and greatly reduce the investment in manual analysis.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment. While the present invention has been described with respect to the embodiments, those skilled in the art will appreciate that there are numerous variations and permutations of the present invention without departing from the spirit of the invention, and it is intended that the appended claims cover such variations and modifications as fall within the true spirit of the invention.

Claims (16)

1. An automated malicious code emulation detection method, comprising:
carrying out family classification on a known malicious code sample set, extracting information interaction data, and establishing a special protocol database, a special protocol knowledge base, a general protocol database and a general protocol knowledge base;
acquiring a network request of a malicious sample, and identifying a family and a special communication protocol of the malicious sample according to a special protocol knowledge base;
identifying the communication request type and the universal communication protocol of the malicious sample according to a universal protocol knowledge base;
automatic simulation of a general protocol of malicious codes: according to the identified communication request type and the general communication protocol, response information is fed back to the malicious sample, and malicious behaviors of malicious codes are triggered;
automatically simulating a protocol special for malicious codes: and according to the identified malicious sample family and the special communication protocol, response information is fed back to the malicious sample, and the malicious behavior of the malicious code is further triggered.
2. The method of claim 1, further comprising automatically emulating malicious code application layer protocols: the network access request is customized according to known malicious codes, a customized network access request knowledge base is established, an application layer protocol of a malicious sample is identified, the network access request is customized according to the identified application layer protocol, and response information is fed back to the malicious codes.
3. The method of claim 1, wherein the family classification of the known malicious code sample set and the extraction of the information interaction data specifically include:
screening out samples which can normally communicate with a control terminal in each malicious code family for interaction, and acquiring communication interaction data and network behavior response data; the communication interaction data is used for establishing a special protocol database and a special protocol knowledge base; the network behavior response data is used for establishing a universal protocol database and a universal protocol knowledge base.
4. The method of claim 1, wherein feeding back response information to the malicious samples according to the identified malicious sample family and the proprietary communication protocol comprises: the automatic CRC32 special protocol checking simulation specifically comprises the following steps:
and judging whether the malicious code family to which the malicious sample belongs carries out CRC32 special protocol check, if so, simulating to respond to a CRC32 special protocol check request to complete the check.
5. The method of any one of claims 1-4, wherein feeding back response information to the malicious sample based on the identified malicious sample family and the proprietary communication protocol further comprises: the automatic first-packet special protocol verification simulation, which specifically comprises the following steps:
judging the malicious code family to which the malicious sample belongs, and determining the corresponding first packet request family according to the protocol format of the first packet special protocol corresponding to the malicious code family and the special protocol knowledge base.
6. The method of claim 5, wherein after the automated first-packet special protocol check emulation, further comprising: the verification simulation of the special protocol for the automatic confirmation packet, which specifically comprises the following steps:
and after determining the corresponding first packet request family, sending corresponding special protocol data of the confirmation packet to the malicious sample.
7. The method of claim 6, wherein after the completion of the automated acknowledgement packet specific protocol check emulation, further comprising: the automatic heartbeat request verification simulation specifically comprises the following steps:
and identifying a special protocol in the heartbeat request sent by the malicious sample, finishing the identification of the special protocol, making a corresponding response, and sending various remote control request instructions which conform to the special protocol format to the malicious sample.
8. An automated malicious code emulation detection system, comprising:
the database module is used for establishing a special protocol database, a special protocol knowledge base, a general protocol database and a general protocol knowledge base by carrying out family classification on a known malicious code sample set and extracting information interaction data;
the special communication protocol identification module is used for identifying the family and the special communication protocol of the malicious sample according to the special protocol knowledge base by acquiring the network request of the malicious sample;
the universal communication protocol identification module is used for identifying the communication request type and the universal communication protocol of the malicious sample according to the universal protocol knowledge base;
the general protocol simulation module automatically simulates the general protocol of the malicious code: according to the identified communication request type and the general communication protocol, response information is fed back to the malicious sample, and malicious behaviors of malicious codes are triggered;
the special protocol simulation module automatically simulates the special protocol of the malicious code: and according to the identified malicious sample family and the special communication protocol, response information is fed back to the malicious sample, and the malicious behavior of the malicious code is further triggered.
9. The system of claim 8, further comprising an application protocol emulation module that automates emulation of malicious code application layer protocols by: the network access request is customized according to known malicious codes, a customized network access request knowledge base is established, an application layer protocol of a malicious sample is identified, the network access request is customized according to the identified application layer protocol, and response information is fed back to the malicious codes.
10. The system of claim 8, wherein the family classification of the known malicious code sample set and the extraction of the information interaction data specifically include:
screening out samples which can normally communicate with a control terminal in each malicious code family for interaction, and acquiring communication interaction data and network behavior response data; the communication interaction data is used for establishing a special protocol database and a special protocol knowledge base; the network behavior response data is used for establishing a universal protocol database and a universal protocol knowledge base.
11. The system of claim 8, wherein feeding back response information to the malicious samples according to the identified malicious sample family and the proprietary communication protocol comprises: the automatic CRC32 special protocol checking simulation specifically comprises the following steps:
and judging whether the malicious code family to which the malicious sample belongs carries out CRC32 special protocol check, if so, simulating to respond to a CRC32 special protocol check request to complete the check.
12. The system according to any one of claims 8-11, wherein the feedback of response information to the malicious sample based on the identified malicious sample family and the proprietary communication protocol further comprises: the automatic first-packet special protocol verification simulation, which specifically comprises the following steps:
judging the malicious code family to which the malicious sample belongs, and determining the corresponding first packet request family according to the protocol format of the first packet special protocol corresponding to the malicious code family and the special protocol knowledge base.
13. The system of claim 12, wherein after the automated first-packet-specific protocol verification emulation, further comprising: the verification simulation of the special protocol for the automatic confirmation packet specifically comprises the following steps:
and after determining the corresponding first packet request family, sending corresponding special protocol data of the confirmation packet to the malicious sample.
14. The system of claim 13, wherein after completion of the automated acknowledgement packet specific protocol verification emulation, further comprising: the automatic heartbeat request verification simulation specifically comprises the following steps:
and identifying a special protocol in the heartbeat request sent by the malicious sample, finishing the identification of the special protocol, making a corresponding response, and sending various remote control request instructions which conform to the special protocol format to the malicious sample.
15. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing an automated malicious code emulation detection method according to any one of claims 1 to 7 when executing the program.
16. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the automated malicious code emulation detection method of any of claims 1 to 7.
CN201710974003.9A 2017-10-19 2017-10-19 Automatic malicious code simulation detection method and system Active CN108363922B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710974003.9A CN108363922B (en) 2017-10-19 2017-10-19 Automatic malicious code simulation detection method and system

Publications (2)

Publication Number Publication Date
CN108363922A CN108363922A (en) 2018-08-03
CN108363922B true CN108363922B (en) 2020-02-07

Family

ID=63010106

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant