CN112887307A - Malicious web infrastructure detection method - Google Patents

Malicious web infrastructure detection method Download PDF

Info

Publication number
CN112887307A
Authority
CN
China
Prior art keywords
malicious
servers
redirection
graph data
visible
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110104911.9A
Other languages
Chinese (zh)
Inventor
潘晓光
马泽宇
张娜
王小华
李娟�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanxi Sanyouhe Smart Information Technology Co Ltd
Original Assignee
Shanxi Sanyouhe Smart Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanxi Sanyouhe Smart Information Technology Co Ltd
Priority to CN202110104911.9A
Publication of CN112887307A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of computer network security, and particularly relates to a malicious web infrastructure detection method comprising the following steps. S1, traffic processing: the HTTP traffic is processed into graph data, in which the nodes represent the servers found in the HTTP traffic and the edges represent redirections between those servers. S2, visibility detection: visibility detection is performed on the obtained graph data, visible and invisible nodes are marked, and graph data with visible and invisible nodes marked is obtained. S3, malicious entrance detection: the entrance of the malicious web infrastructure is determined using a rule-based decision method. The invention obtains the redirection relations between web infrastructures by analysing and processing the HTTP traffic, judges the relation between the visible and invisible servers in the graph data by cooperative detection with several rules, finds the entrance of the malicious web infrastructure among them, and enriches the characteristics of malicious web infrastructures. The invention is used for detecting malicious web infrastructures.

Description

Malicious web infrastructure detection method
Technical Field
The invention belongs to the technical field of computer network security, and particularly relates to a malicious web infrastructure detection method.
Background
Currently, cyber crimes are carried out by constructing a web infrastructure rather than operating a single server, and in order to keep malicious activities undetected, criminals hide the core services of the malicious web infrastructure so that they are invisible, thereby circumventing detection.
Problems or defects of the prior art: traditional methods detect by port scanning or blacklisting, and such means have difficulty detecting malicious web infrastructures that are intentionally hidden; new means of detecting malicious web infrastructures, and characteristics of such infrastructures, are lacking.
Disclosure of Invention
Aiming at the technical problem that traditional methods have difficulty detecting intentionally hidden malicious web infrastructures, the invention provides a malicious web infrastructure detection method with high accuracy, small error and high efficiency.
In order to solve the technical problems, the invention adopts the technical scheme that:
a malicious web infrastructure detection method comprising the steps of:
S1, traffic processing: the HTTP traffic is processed into graph data, in which the nodes represent the servers found in the HTTP traffic and the edges represent redirections between those servers;
S2, visibility detection: visibility detection is performed on the obtained graph data, visible and invisible nodes are marked, and graph data with visible and invisible nodes marked is obtained;
S3, malicious entrance detection: the entrance of the malicious web infrastructure is determined using a rule-based decision method.
The traffic processing method in step S1 includes: the input is HTTP traffic, which is processed to obtain redirection graph data; several redirection relations may exist between the nodes.
The visibility detection method in S2 includes: the input redirection graph data is used to mark whether each web infrastructure is visible, and the marking rules are as follows: a domain name is considered visible if it is highly popular; of the remaining domain names, a domain name is considered invisible if it is absent from the search engine; if the website owner blocks access to the content, it is considered invisible; if the domain name is not within the top 100 search results, it is considered invisible; all IP addresses are invisible.
The malicious entrance detection method in S3 includes: the marked graph data is input, and the entrance of the malicious web infrastructure is found in it using the following rules:
rules based on geographic location: location differences are described using IP addresses, Whois information and autonomous system numbers; for a redirection between two servers, if the visible and the invisible server are not in the same IP subnet, do not share the same Whois information and do not have the same ASN, the two servers are considered to be in different locations;
rules based on graph structure: the in-degree and out-degree of the nodes of the graph are used; if the ratio of a node's in-degree to its out-degree is less than 1, the node is more likely to be malicious;
role-based decision rules: some redirection behaviour results from legitimate situations;
relationship-based rules: whether a CDN is involved is judged, a CDN usually being non-malicious; the number of redirections is judged, and if the redirections between two servers are numerous and occur stably, the two servers are considered non-malicious; the two servers involved in a redirection are also queried together in a search engine, and if both appear in the same search result, the redirection between them is considered non-malicious.
Compared with the prior art, the invention has the following beneficial effects:
The invention obtains the redirection relations between web infrastructures by analysing and processing the HTTP traffic, judges the relation between the visible and invisible servers in the graph data by cooperative detection with several rules, finds the entrance of the malicious web infrastructure among them, provides a new detection means, and enriches the characteristics of malicious web infrastructures.
Drawings
FIG. 1 is a flow chart of the main system of the present invention;
FIG. 2 is a graph of the redirection relationships between nodes of the present invention;
FIG. 3 is a flow diagram of visibility detection of the present invention;
FIG. 4 is a visibility detection marker map of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A malicious web infrastructure detection method, as shown in fig. 1, comprising the steps of:
S1, traffic processing: the HTTP traffic is processed into graph data, in which the nodes represent the servers found in the HTTP traffic and the edges represent redirections between those servers;
S2, visibility detection: visibility detection is performed on the obtained graph data, visible and invisible nodes are marked, and graph data with visible and invisible nodes marked is obtained;
S3, malicious entrance detection: the entrance of the malicious web infrastructure is determined using a rule-based decision method.
Further, as shown in FIG. 2, the traffic processing method in S1 includes: the input is HTTP traffic, which is processed to obtain redirection graph data; several redirection relations may exist between the nodes.
Further, in S2, as shown in FIG. 3, the input redirection graph data is used to mark whether each web infrastructure is visible; the graph data is subjected to visibility detection to obtain a marked graph, as shown in FIG. 4. The visibility determination rules are as follows: highly popular domain names are identified by means of white lists, such as Alexa, which provides a global popularity ranking of domain names, and EasyList, which provides a list of popular advertising networks and tracking domain names; a white-list hit only indicates popularity, not that the domain name is non-malicious; of the remaining domain names, a domain name is considered invisible if it is absent from the search engine; if the website owner blocks access to the content, i.e. access is blocked by robots.txt, it is considered invisible; if the domain name is not within the top 100 search results, it is considered invisible; all IP addresses are invisible.
Further, in S3, malicious entrance detection, the marked graph data is input and the entrance of the malicious web infrastructure is found in it. The rules used by the malicious entrance detection are as follows:
rules based on geographic location: in general, an attacker cannot control the location of a compromised benign server, so a visible compromised server and an invisible malicious server will be in different locations. Location differences are described using IP addresses, Whois information and autonomous system numbers, and for a redirection between two servers, if the visible and the invisible server are not in the same IP subnet, do not share the same Whois information and do not have the same ASN, the two servers are likely to be in different locations;
rules based on graph structure: to avoid detection, a malicious server allows only a few compromised servers to redirect to it, so using the in-degree and out-degree of the nodes of the graph, a node whose ratio of in-degree to out-degree is less than 1 is more likely to be malicious;
role-based decision rules: some redirection activity results from legitimate situations, such as redirection between advertising networks, so a redirection is non-malicious if the redirected-to domain name hits an advertising list such as EasyList;
relationship-based rules: benign redirections are usually purposeful, for example moving a website to another server, load balancing, or delivering content from a local data centre, so whether a CDN is involved is judged, a CDN usually being non-malicious; the number of redirections is judged, and if the redirections between two servers are numerous and occur stably, the two servers are considered non-malicious; the two servers involved in a redirection are also queried together in a search engine (for example, Google is searched for the visible and the invisible domain name together), and if both appear in the same search result, the redirection between them is considered non-malicious.
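The three steps S1 to S3 described in the Disclosure and in the Detailed Description above, as an added worked example that is not part of the patent and not the applicant's implementation: it builds the redirection graph from HTTP records (S1), marks visibility (S2), and applies the four rule families to the visible-to-invisible edges (S3). The white list, ad list, CDN list, search ranks, co-search pairs, Whois/ASN table, the /24 subnet boundary and the threshold of two redirections are constructed stand-ins for the Alexa/EasyList, search-engine, Whois and ASN lookups the patent assumes, and the sample traffic is constructed.

```python
"""Added example (not from the patent): a minimal run of steps S1-S3.
All data is constructed; the lookup tables stand in for Alexa/EasyList,
search-engine, Whois and ASN queries, and the /24 boundary and the
STABLE_REDIRECTS threshold are assumptions the patent does not fix."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# S1 input: constructed HTTP records as (requested host, status, Location header).
TRAFFIC = [
    ("news.example.com", 302, "http://ads.example.net/click"),
    ("news.example.com", 302, "http://ads.example.net/click"),
    ("news.example.com", 301, "http://cdn.example.org/lib.js"),
    ("shop.example.com", 302, "http://static.example.com/app"),
    ("shop.example.com", 301, "http://shop.example.com/login"),  # self-redirect, dropped
    ("blog.example.com", 302, "http://198.51.100.23/gate"),       # hop into a hidden host
    ("198.51.100.23", 302, "http://land1.example/x"),
    ("198.51.100.23", 302, "http://land2.example/y"),
    ("wiki.example.com", 200, None),                              # no redirect, no edge
]

# Constructed stand-ins for the external data the rules consult.
POPULAR = {"news.example.com", "shop.example.com"}     # Alexa-style white list
AD_LIST = {"ads.example.net"}                          # EasyList-style ad list
CDN = {"cdn.example.org"}
ROBOTS_BLOCKED = set()                                 # hosts whose robots.txt blocks crawling
SEARCH_RANK = {"blog.example.com": 5, "wiki.example.com": 40, "static.example.com": 150}
CO_SEARCH = {frozenset({"shop.example.com", "static.example.com"})}  # same search result
NETINFO = {  # host -> (IP, Whois organisation, ASN)
    "news.example.com": ("203.0.113.20", "Example Media", 64496),
    "blog.example.com": ("203.0.113.10", "Example Media", 64496),
    "shop.example.com": ("203.0.113.40", "Example Shop", 64497),
    "static.example.com": ("203.0.113.41", "Example Shop", 64497),
    "198.51.100.23": ("198.51.100.23", "Bulletproof Hosting", 64511),
}
STABLE_REDIRECTS = 2  # assumed threshold for "numerous and stable" redirections
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def build_graph(records):
    """S1: directed redirection graph; edge weight = number of observed redirects."""
    edges = defaultdict(int)
    for host, status, location in records:
        if status not in REDIRECT_STATUSES or not location:
            continue
        target = urlsplit(location).hostname
        if target and target != host:  # a redirect within one server is not an edge
            edges[(host, target)] += 1
    return dict(edges)


def is_ip(node):
    try:
        ipaddress.ip_address(node)
        return True
    except ValueError:
        return False


def is_visible(node):
    """S2: the visibility rules, applied in the order the patent lists them."""
    if is_ip(node):
        return False              # all IP addresses are invisible
    if node in POPULAR:
        return True               # highly popular domain -> visible
    rank = SEARCH_RANK.get(node)
    if rank is None or node in ROBOTS_BLOCKED:
        return False              # not indexed, or the owner blocks crawling
    return rank <= 100            # must be within the top 100 results


def different_location(a, b):
    """Geo rule: true only when subnet, Whois organisation and ASN all differ."""
    if a not in NETINFO or b not in NETINFO:
        return False              # unknown network data: cannot assert a difference
    ip_a, org_a, asn_a = NETINFO[a]
    ip_b, org_b, asn_b = NETINFO[b]
    net_a = ipaddress.ip_network(f"{ip_a}/24", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/24", strict=False)
    return net_a != net_b and org_a != org_b and asn_a != asn_b


def degree_ratio(edges, node):
    """Graph rule: in-degree / out-degree over distinct neighbours (inf if no out-edges)."""
    indeg = len({s for s, d in edges if d == node})
    outdeg = len({d for s, d in edges if s == node})
    return indeg / outdeg if outdeg else float("inf")


def find_malicious_entries(edges):
    """S3: {(visible, invisible): reasons} for redirects no benign rule exempts."""
    found = {}
    for (src, dst), count in edges.items():
        if not is_visible(src) or is_visible(dst):
            continue              # an entry is a visible -> invisible redirect
        # role rule (ad list), CDN rule, stable-redirect rule and co-search rule exempt the edge
        if (dst in AD_LIST or dst in CDN or count >= STABLE_REDIRECTS
                or frozenset({src, dst}) in CO_SEARCH):
            continue
        reasons = []
        if different_location(src, dst):
            reasons.append("different location")
        if degree_ratio(edges, dst) < 1:
            reasons.append("in/out degree ratio < 1")
        if reasons:
            found[(src, dst)] = reasons
    return found
```

Run as `find_malicious_entries(build_graph(TRAFFIC))`: the ad-network, CDN and co-searched redirects are exempted by the role and relationship rules, and only the hop from the visible `blog.example.com` into the bare-IP host survives, with both the geographic rule (different /24, Whois organisation and ASN) and the graph rule (one distinct in-neighbour, two distinct out-neighbours) in agreement. The sets are flat lookups here; in a deployment they would be the white list, ad list, search index and Whois/ASN database the patent names, and the thresholds would need tuning on real traffic.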
Although only the preferred embodiments of the present invention have been described in detail, the present invention is not limited to the above embodiments, and various changes can be made without departing from the spirit of the present invention within the knowledge of those skilled in the art, and all changes are encompassed in the scope of the present invention.

Claims (4)

1. A malicious web infrastructure detection method, characterized by comprising the following steps:
S1, traffic processing: the HTTP traffic is processed into graph data, in which the nodes represent the servers found in the HTTP traffic and the edges represent redirections between those servers;
S2, visibility detection: visibility detection is performed on the obtained graph data, visible and invisible nodes are marked, and graph data with visible and invisible nodes marked is obtained;
S3, malicious entrance detection: the entrance of the malicious web infrastructure is determined using a rule-based decision method.
2. A malicious web infrastructure detection method according to claim 1, characterized in that the traffic processing method in step S1 includes: the input is HTTP traffic, which is processed to obtain redirection graph data; several redirection relations may exist between the nodes.
3. A malicious web infrastructure detection method according to claim 1, characterized in that the visibility detection method in S2 includes: the input redirection graph data is used to mark whether each web infrastructure is visible, and the marking rules are as follows: a domain name is considered visible if it is highly popular; of the remaining domain names, a domain name is considered invisible if it is absent from the search engine; if the website owner blocks access to the content, it is considered invisible; if the domain name is not within the top 100 search results, it is considered invisible; all IP addresses are invisible.
4. A malicious web infrastructure detection method according to claim 1, characterized in that the malicious entrance detection method in S3 includes: the marked graph data is input, and the entrance of the malicious web infrastructure is found in it using the following rules:
rules based on geographic location: location differences are described using IP addresses, Whois information and autonomous system numbers; for a redirection between two servers, if the visible and the invisible server are not in the same IP subnet, do not share the same Whois information and do not have the same ASN, the two servers are considered to be in different locations;
rules based on graph structure: the in-degree and out-degree of the nodes of the graph are used; if the ratio of a node's in-degree to its out-degree is less than 1, the node is more likely to be malicious;
role-based decision rules: some redirection behaviour results from legitimate situations;
relationship-based rules: whether a CDN is involved is judged, a CDN usually being non-malicious; the number of redirections is judged, and if the redirections between two servers are numerous and occur stably, the two servers are considered non-malicious; the two servers involved in a redirection are also queried together in a search engine, and if both appear in the same search result, the redirection between them is considered non-malicious.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110104911.9A CN112887307A (en) 2021-01-26 2021-01-26 Malicious web infrastructure detection method


Publications (1)

Publication Number Publication Date
CN112887307A true CN112887307A (en) 2021-06-01

Family

ID=76052072

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110104911.9A Pending CN112887307A (en) 2021-01-26 2021-01-26 Malicious web infrastructure detection method

Country Status (1)

Country Link
CN (1) CN112887307A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105938531A (en) * 2015-03-06 2016-09-14 International Business Machines Corporation Identifying malicious web infrastructures
CN107786575A (en) * 2017-11-11 2018-03-09 Beijing Information Science and Technology University An adaptive malicious domain name detection method based on DNS traffic
CN110431817A (en) * 2017-03-10 2019-11-08 Visa International Service Association Identifying malicious network devices
WO2021154114A1 (en) * 2020-01-27 2021-08-05 Group-IB TDS LLC Method and system for detecting an infrastructure of malware or a cybercriminal


Similar Documents

Publication Publication Date Title
CN110719291B (en) Network threat identification method and identification system based on threat information
US20090249480A1 (en) Mining user behavior data for ip address space intelligence
Çeker et al. Deception-based game theoretical approach to mitigate DoS attacks
CN113783896A (en) Network attack path tracking method and device
US20090254989A1 (en) Clustering botnet behavior using parameterized models
CN111786966A (en) Method and device for browsing webpage
CN107566390B (en) Industrial control system network security analysis system and method based on threat information
WO2013048125A2 (en) Device and method for detecting bypass access and account theft
CN105938531B (en) Identify hostile network infrastructure
Pomorova et al. Anti-evasion technique for the botnets detection based on the passive DNS monitoring and active DNS probing
US20170180402A1 (en) Detection of Coordinated Cyber-Attacks
CN114205128B (en) Network attack analysis method, device, electronic equipment and storage medium
CN111818055B (en) Network attack path analysis method based on dynamic feedback
Zhao et al. A Classification Detection Algorithm Based on Joint Entropy Vector against Application‐Layer DDoS Attack
CN111314379B (en) Attacked domain name identification method and device, computer equipment and storage medium
Fang et al. A proactive discovery and filtering solution on phishing websites
CN112583827B (en) Data leakage detection method and device
CN111314370B (en) Method and device for detecting service vulnerability attack behavior
Asadian et al. Identification of Sybil attacks on social networks using a framework based on user interactions
CN112887307A (en) Malicious web infrastructure detection method
Kuyama et al. Method for detecting a malicious domain by using only well-known information
AlRoum et al. Detecting malware domains: A cyber-threat alarm system
Kaminsky Explorations in namespace: white-hat hacking across the domain name system
CN111031068B (en) DNS analysis method based on complex network
CN114372269A (en) Risk assessment method based on system network topological structure

Legal Events

Date Code Title
2021-06-01 PB01 Publication (application publication date: 20210601)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication