CN114513331B - Mining Trojan detection method, device and equipment based on application layer communication protocol - Google Patents


Info

Publication number: CN114513331B
Application number: CN202210013293.1A
Authority: CN (China)
Prior art keywords: network, mining, suspicious, trojan, application layer
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114513331A
Inventor: 张晓坤
Current assignee: Hangzhou Serval Technology Co ltd
Original assignee: Hangzhou Serval Technology Co ltd

Application filed by Hangzhou Serval Technology Co ltd
Priority to CN202210013293.1A
Publication of CN114513331A
Application granted
Publication of CN114513331B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                            • H04L63/1425 Traffic logging, e.g. anomaly detection
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
                            • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                                • G06F21/561 Virus type analysis
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
            • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
                • Y02D30/00 Reducing energy consumption in communication networks
                    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The application discloses a mining Trojan detection method, device and equipment based on an application layer communication protocol. It relates to the field of communication technology and addresses the low detection efficiency and low detection accuracy of existing mining Trojan detection. The method comprises the following steps: acquiring network traffic data comprising a plurality of encrypted TCP network links; analyzing the network traffic data based on a first preset feature of the application layer communication protocol of the mining program, and extracting suspicious network links, each carrying a suspicious remote network service address, from the network traffic data; sending a communication message conforming to the application layer communication protocol of the mining program to the suspicious remote network service address and receiving the network response message it feeds back; and judging whether the message feature of the network response message matches a second preset feature of the application layer communication protocol of the mining program, and if so, determining that the suspicious network link is a mining Trojan communication network link and determining mining Trojan information from that link.

Description

Mining Trojan detection method, device and equipment based on application layer communication protocol
Technical Field
The present disclosure relates to the field of communication technology, and in particular to a mining Trojan detection method, apparatus and device based on an application layer communication protocol.
Background
In recent years, with the development of technologies such as virtual currency blockchains and the continued rise in virtual currency prices, botnets originally built for DDoS attacks or spam have gained a new way to monetize: virtual currency mining. Compromised hosts are also frequently implanted with mining Trojans, and a host implanted with a mining Trojan performs large volumes of otherwise meaningless computation while mining, which squeezes server resources, disrupts normal business and wastes electricity. Effectively finding the mining Trojans present in a system is therefore an important requirement in the current network security industry.
For this purpose network security vendors have developed many methods and products, and three main ways of finding mining Trojans exist in the industry: first, observing whether a process in the system continuously occupies an excessive share of the CPU; second, observing whether the system communicates with a remote mining pool; third, judging the content of the communication between the mining program and the remote service. All three have defects. Alerting on sustained high hardware-resource usage causes false alarms, because normal business can also sustain high resource usage. Observing whether the system communicates with a mining pool is prone to missed detections, because whether a remote service is a mining pool is judged from threat intelligence, which ages quickly and is easily bypassed by standing up a proxy server. Almost all mining Trojans encrypt their network communication, so judging by the communication content is essentially infeasible. In summary, current mining Trojan detection has low accuracy and low efficiency, and more effective means are still needed to accurately find the mining Trojans present in a system.
Disclosure of Invention
In view of the above, the application provides a mining Trojan detection method, device and equipment based on an application layer communication protocol, which can solve the technical problems of low detection accuracy and low efficiency in current mining Trojan detection.
According to one aspect of the application, there is provided a mining Trojan detection method based on an application layer communication protocol, the method comprising:
acquiring network traffic data, wherein the network traffic data comprises a plurality of encrypted TCP network links;
analyzing the network traffic data based on a first preset feature of the application layer communication protocol of the mining program, and extracting suspicious network links from the network traffic data, wherein the suspicious network links carry suspicious remote network service addresses;
sending a communication message conforming to the application layer communication protocol of the mining program to the suspicious remote network service address, and receiving the network response message fed back by the suspicious remote network service address;
judging whether the second message feature of the network response message matches the second preset feature of the application layer communication protocol of the mining program, and if so, determining that the suspicious network link is a mining Trojan communication network link and determining mining Trojan information according to the mining Trojan communication network link.
According to another aspect of the present application, there is provided a mining Trojan detection device based on an application layer communication protocol, the device comprising:
an acquisition module, configured to acquire network traffic data, wherein the network traffic data comprises a plurality of encrypted TCP network links;
an analysis module, configured to analyze the network traffic data based on a first preset feature of the application layer communication protocol of the mining program and to extract suspicious network links from the network traffic data, wherein the suspicious network links carry suspicious remote network service addresses;
a simulated communication module, configured to send communication messages conforming to the application layer communication protocol of the mining program to the suspicious remote network service address and to receive the network response messages fed back by the suspicious remote network service address;
a determining module, configured to judge whether the second message feature of the network response message matches the second preset feature of the application layer communication protocol of the mining program, and if so, to determine that the suspicious network link is a mining Trojan communication network link and to determine mining Trojan information according to the mining Trojan communication network link.
According to yet another aspect of the present application, there is provided a non-volatile readable storage medium storing a computer program which, when executed by a processor, implements the above mining Trojan detection method based on an application layer communication protocol.
According to still another aspect of the present application, there is provided a computer device comprising a non-volatile readable storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, the processor implementing the above mining Trojan detection method based on an application layer communication protocol when executing the program.
By means of this technical solution, the mining Trojan detection method, device and equipment based on an application layer communication protocol first acquire network traffic data, then analyze it based on the first preset feature of the application layer communication protocol of the mining program and extract suspicious network links from it, send communication messages conforming to that protocol to the suspicious remote network service addresses corresponding to the suspicious network links, and receive the network response messages fed back by those addresses; finally, by analyzing each network response message, they judge whether its second message feature matches the second preset feature of the protocol, thereby determining the mining Trojan communication network links among the suspicious network links and determining mining Trojan information from them. With this solution, the suspicious network links that accord with the encrypted network behaviour characteristics of a mining Trojan are screened out first and only these are subjected to simulated-communication detection, which greatly improves detection efficiency; and because the communication behaviour of the mining Trojan is simulated towards the suspicious remote network service address of each suspicious network link, the most genuine network response message of that address is obtained, so analyzing the network response message locates the mining Trojan precisely and guarantees detection accuracy.
The foregoing is only an overview of the technical solutions of the present application. In order that the technical means of the present application may be understood more clearly and implemented according to the content of the specification, and in order to make the above and other objects, features and advantages of the present application more apparent, the detailed description of the present application follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the present application. In the drawings:
fig. 1 shows a flow diagram of a mining Trojan detection method based on an application layer communication protocol according to an embodiment of the present application;
fig. 2 shows a flow diagram of another mining Trojan detection method based on an application layer communication protocol according to an embodiment of the present application;
fig. 3 shows a schematic structural diagram of a mining Trojan detection device based on an application layer communication protocol according to an embodiment of the present application;
fig. 4 shows a schematic structural diagram of another mining Trojan detection device based on an application layer communication protocol according to an embodiment of the present application.
Detailed Description
The present application will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that, without conflict, the embodiments and features of the embodiments in the present application may be combined with each other.
Aiming at the technical problems of low detection accuracy and low efficiency in current mining Trojan detection, this embodiment provides a mining Trojan detection method based on an application layer communication protocol which, as shown in fig. 1, comprises the following steps:
101. Network traffic data is acquired, the network traffic data comprising a plurality of encrypted TCP network links.
The communication between a mining Trojan and a mining pool uses a plaintext application layer communication protocol, and the protocol is public; however, the network communication is usually encrypted with TLS, and without the encryption key the prior art cannot decrypt it, so a third-party observer cannot view the communication content. The content can, however, be observed from the position of one of the two communicating parties. Accordingly, in this application, network links whose send/receive message frequency is stable and whose TCP message lengths match the general characteristics of the mining communication protocol may be screened out first, the suspicious remote network service address in each such link obtained, and then a program used to simulate the communication behaviour of the mining Trojan by sending communication conforming to the mining Trojan protocol to the suspicious remote network service address.
In a specific scenario, network traffic data may first be acquired so that suspicious network links, and the suspicious remote network service address corresponding to each, can be extracted from it. Any method of acquiring traffic data may be used, such as an in-line (serial) tap, port mirroring, or an offline pcap capture. This embodiment describes the technical solution using traffic mirroring (Mirroring/traffic-shadow) as the example, but the technical solution is not limited to it. In traffic mirroring, the real on-line traffic is copied into a mirror service by suitable configuration, and an environment similar to the original is set up so that the traffic or request content can be analysed in detail without affecting the on-line service; the resulting traffic mirror (Traffic Mirroring) is the network traffic data, which comprises a plurality of encrypted TCP network links. The purpose of acquiring the network traffic data is that daily network traffic is huge: by analysing the TCP network links in it, the suspicious network links possibly related to mining Trojans are determined, and only those are subjected to simulated-communication detection, which greatly improves detection efficiency.
The execution body, a mining Trojan detection device based on an application layer communication protocol, may be deployed on the server side. It screens out suspicious network links by analysing the network traffic data, obtains the suspicious remote network service addresses in those links, then sends communication messages conforming to the application layer communication protocol of the mining program to those addresses and receives the network response messages they feed back. Because the communication content can be observed from the position of one of the two communicating parties, judging the features of the network response message content accurately determines the mining Trojan communication network links, and mining Trojan information is determined from them.
102. Analyzing network traffic data based on a first preset feature of an application layer communication protocol of the mining program, and extracting suspicious network links from the network traffic data, wherein the suspicious network links carry suspicious remote network service addresses.
The first preset feature may include a network message send/receive frequency feature and a message length feature. In a specific application scenario, the application layer communication protocol of the mining Trojan is plaintext, the request and return format and the message length of each protocol instruction are fixed, and network transmission is carried out over TCP with TLS encryption. When a mining program communicates with a mining pool, the content of the application layer communication protocol cannot be read directly from the traffic, but the message length of each protocol instruction can be, so message length can serve as one judging feature of suspicious network links: whether the message lengths in each TCP network link accord with the communication characteristics of the mining protocol is judged. In addition, a mining Trojan must by its nature communicate with the mining pool at regular intervals, so its network message send/receive frequency is stable; that frequency can therefore serve as another judging feature, and whether the send/receive frequency of each TCP network link accords with the mining protocol communication characteristics is judged. When both the message length and the send/receive frequency of a TCP network link accord with the mining protocol communication characteristics, the TCP network link is marked as a suspicious network link.
For example, the task-issuing instruction of the Monero communication protocol has a TLS-encrypted TCP message length of 449 bytes and is issued continuously, so traffic meeting these characteristics is suspicious communication traffic, and the corresponding TCP network link is determined to be a suspicious network link.
103. A communication message conforming to the application layer communication protocol of the mining program is sent to the suspicious remote network service address, and the network response message fed back by the suspicious remote network service address is received.
In this embodiment, the suspicious remote network service address in a suspicious network link is obtained, and then a software program simulates the communication behaviour of a mining Trojan and sends communication conforming to the mining Trojan protocol to that remote service; if a network response message conforming to the mining Trojan protocol is obtained, it can be determined with certainty that a mining Trojan exists in the system. In a specific application scenario, if the suspicious network link is a mining Trojan communication network link, the network response message fed back by the suspicious remote network service address will satisfy the message format of the mining application layer communication protocol regardless of whether the content of the protocol-conforming message sent to it is correct (for example, the address field in the sent message can be a fabricated address); otherwise, if the suspicious network link is not a mining Trojan communication network link, or the mining Trojan communication link could not be established, the network response message fed back by the address usually does not satisfy the message format of the mining application layer communication protocol. Therefore, by creating a simulated communication with the suspicious remote network service address, this embodiment obtains the network response message it feeds back and, by analysing that message, determines whether the suspicious network link is a mining Trojan communication network link.
104. Judging whether the second message characteristic of the network response message is matched with a second preset characteristic of the mining program application layer communication protocol, if so, determining that the suspicious network link is a mining Trojan communication network link, and determining mining Trojan information according to the mining Trojan communication network link.
The second preset feature may include a preset message format feature. In this embodiment the network response message is matched against the preset message format feature corresponding to the application layer communication protocol of the mining program; if the network response message is found to be in the preset message format corresponding to the mining Trojan, the suspicious network link is determined to be a mining Trojan communication network link. Further, the target host that holds the network connection to the remote mining service, and the local port it uses, can be determined from the mining Trojan communication network link, and it is determined that a mining program has been implanted into the target host by a Trojan program.
With the mining Trojan detection method based on an application layer communication protocol described above, network traffic data is acquired first; it is then analysed on the first preset feature of the application layer communication protocol of the mining program and suspicious network links are extracted from it; communication messages conforming to that protocol are sent to the suspicious remote network service addresses corresponding to the suspicious network links and the network response messages they feed back are received; finally, by analysing each network response message, it is judged whether its second message feature matches the second preset feature of the protocol, the mining Trojan communication network links are thereby determined among the suspicious network links, and mining Trojan information is determined from them. The solution screens out first the suspicious network links that accord with the encrypted network behaviour characteristics of a mining Trojan and subjects only these to simulated-communication detection, which greatly improves detection efficiency; and because the communication behaviour of the mining Trojan is simulated towards the suspicious remote network service address of each suspicious network link, the most genuine network response message of that address is obtained, so the mining Trojan can be located precisely by analysing the response, which guarantees detection accuracy.
Further, as a refinement and extension of the specific implementation of the foregoing embodiment, and in order to fully describe the implementation process, another mining Trojan detection method based on an application layer communication protocol is provided, as shown in fig. 2, which comprises:
201. Network traffic data is acquired, the network traffic data comprising a plurality of encrypted TCP network links.
202. Analyzing network traffic data based on a first preset feature of an application layer communication protocol of the mining program, and extracting suspicious network links from the network traffic data, wherein the suspicious network links carry suspicious remote network service addresses.
For the embodiment, because the daily intra-network traffic is huge, if the mining Trojan communication behavior simulation is performed on the remote services of all network links, the execution cost is huge, so that the network traffic acquisition and analysis program is required to screen out suspicious network links which accord with the mining Trojan encrypted network behavior characteristics, and then the simulation communication detection is performed on the suspicious network links, so that the detection efficiency can be greatly improved. The network traffic data includes a plurality of TCP network links, the TCP network links are in an encrypted form, and an application layer communication protocol corresponding to the TCP network links is clear and public, so for this embodiment, the suspicious network links may be extracted from the network traffic data by performing feature analysis on the application layer communication protocol corresponding to the TCP network links. Specifically, the existing network traffic collection and analysis program can be applied to analyze the network traffic data, and suspicious network links which can be mining Trojan communication network links established between mining Trojan and a mining pool and meet the first preset characteristics are extracted from the network traffic data. Specifically, the network traffic data of the whole network can be received by utilizing a network traffic acquisition and analysis program, the network traffic data is analyzed and restored into a structured log, the structured log is analyzed through a preset rule, and the analysis result is output according to configuration. Note that, in this embodiment and the above embodiments, the encryption manner used in the TCP network link in the encrypted form may include TLS encryption manner and any other available encryption manner, which is not limited in detail herein.
The principle by which the network traffic acquisition and analysis program screens suspicious network links is as follows: the mining program application layer communication protocol is plain text, the request and response formats of each protocol instruction are fixed, the data length is likewise fixed, and network transmission is carried out over an encrypted TCP connection. When a mining program communicates with a mining pool, the content of the application layer communication protocol cannot be obtained directly from the traffic, but whether the length of each message matches the communication characteristics of the mining protocol can still be observed; for example, the TCP message carrying the task-issuing instruction of the Monero communication protocol is 449 bytes after TLS encryption and is issued continuously, so traffic that exhibits this characteristic is suspicious communication traffic. Accordingly, for the present embodiment, step 202 may specifically include: parsing and restoring the network traffic data into a structured log, and analyzing a first message feature at the TCP layer from the structured log; calculating a first feature similarity between the first message feature and the first preset feature corresponding to the mining program application layer communication protocol; extracting from the first message features the target message features whose first feature similarity equals the first preset threshold value, and marking the TCP network links corresponding to the target message features as suspicious network links.
The first preset threshold is a value greater than 0 and less than or equal to 1, and its specific value can be set according to the actual application scenario. For this embodiment, for example, the first preset threshold can be set to 1, so that the feature similarity calculation screens out the TCP network links whose first message feature matches the first preset feature of the mining program application layer communication protocol most closely, and these are marked as suspicious network links.
When calculating the first feature similarity between the first message feature and the first preset feature corresponding to the mining program application layer communication protocol, a preset feature distance calculation formula can be used. The preset feature distance calculation formula may be any distance function suitable for the measurement, for example the Euclidean distance, Manhattan distance, Jaccard distance or Mahalanobis distance, and may be selected according to the practical application scenario, which is not limited here.
It should be noted that, when extracting suspicious network links from the TCP network links, the feature similarity calculation is only a preferred mode; other alternative modes may be used, for example checking whether the network message receiving and transmitting frequency feature shows a periodic pattern and whether the message length equals a preset message length, where the preset message length is the TCP message length of the task-issuing instruction of the mining program application layer communication protocol after encryption; if so, the TCP network link is marked as a suspicious network link.
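The screening stage described above, as an added example that is not the patent's own implementation: it parses constructed structured-log lines of encrypted record lengths per TCP link, builds the first message feature (share of server-to-client records with the 449-byte length quoted above, and regularity of their spacing), and scores each link with a Euclidean-distance similarity against a preset feature. The log lines, the feature definition and the threshold value 0.9 are assumptions made for this example.

```python
"""Screening of suspicious TCP links from a structured traffic log (added example).

Constructed input: one line per encrypted record,
"<ts> <src_ip>:<src_port> <dst_ip>:<dst_port> <in|out> <len>".
"in" means server-to-client (the direction in which task-issuing instructions flow).
"""
import math
import statistics
from collections import defaultdict

# Constructed structured-log lines; not captured traffic.
STRUCTURED_LOG = """\
1.00 10.0.0.5:51234 203.0.113.10:443 out 517
1.05 10.0.0.5:51234 203.0.113.10:443 in 1400
1.10 10.0.0.5:51234 203.0.113.10:443 in 449
31.1 10.0.0.5:51234 203.0.113.10:443 in 449
61.2 10.0.0.5:51234 203.0.113.10:443 in 449
91.1 10.0.0.5:51234 203.0.113.10:443 in 449
121.0 10.0.0.5:51234 203.0.113.10:443 in 449
151.1 10.0.0.5:51234 203.0.113.10:443 in 449
181.0 10.0.0.5:51234 203.0.113.10:443 in 449
211.1 10.0.0.5:51234 203.0.113.10:443 in 449
2.00 10.0.0.7:40000 198.51.100.20:443 out 517
2.10 10.0.0.7:40000 198.51.100.20:443 in 1400
2.30 10.0.0.7:40000 198.51.100.20:443 in 1400
2.35 10.0.0.7:40000 198.51.100.20:443 in 812
7.00 10.0.0.7:40000 198.51.100.20:443 in 449
8.90 10.0.0.7:40000 198.51.100.20:443 in 91
"""

PRESET_LENGTH = 449          # encrypted length of the task-issuing instruction quoted in the text
PRESET_FEATURE = (1.0, 1.0)  # (length-match ratio, send-interval regularity) of an ideal mining link
FIRST_THRESHOLD = 0.9        # assumed value; the text allows any value in (0, 1]


def parse_log(text):
    """Group log records by (client endpoint, server endpoint), i.e. per TCP link."""
    links = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, direction, length = line.split()
        links[(src, dst)].append((float(ts), direction, int(length)))
    return links


def message_feature(records):
    """First message feature of one link: the share of server-to-client records that
    have the preset length, and how regular their spacing is (1.0 = perfectly periodic)."""
    inbound = [(ts, ln) for ts, d, ln in records if d == "in"]
    if not inbound:
        return (0.0, 0.0)
    matches = [ts for ts, ln in inbound if ln == PRESET_LENGTH]
    ratio = len(matches) / len(inbound)
    if len(matches) < 3:
        regularity = 0.0  # too few instructions to judge periodicity
    else:
        gaps = [b - a for a, b in zip(matches, matches[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)  # coefficient of variation
        regularity = max(0.0, 1.0 - cv)
    return (ratio, regularity)


def feature_similarity(feature, preset=PRESET_FEATURE):
    """Similarity derived from the Euclidean distance, scaled into [0, 1]."""
    dist = math.dist(feature, preset)
    return 1.0 - dist / math.sqrt(len(preset))


def extract_suspicious_links(text, threshold=FIRST_THRESHOLD):
    """Return [(link, similarity)] for links whose similarity reaches the threshold."""
    suspicious = []
    for link, records in parse_log(text).items():
        sim = feature_similarity(message_feature(records))
        if sim >= threshold:
            suspicious.append((link, round(sim, 3)))
    return suspicious


if __name__ == "__main__":
    for link, sim in extract_suspicious_links(STRUCTURED_LOG):
        print("suspicious link", link, "similarity", sim)
```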
203. And creating encrypted TCP links with suspicious remote network service addresses by using communication behavior simulation programs of the mining Trojan corresponding to each preset virtual currency type in the simulation program set, sending communication messages conforming to the mining program application layer communication protocol to the suspicious remote network service addresses based on the encrypted TCP links, and receiving network response messages fed back by the suspicious remote network service addresses.
In a specific application scenario, before the steps of this embodiment are executed, the method further includes: packaging a corresponding communication behavior simulation program for each different preset virtual currency type corresponding to the mining Trojan, where the communication behavior simulation program is used to send communication messages conforming to the mining program application layer communication protocol of the corresponding preset virtual currency type; and constructing a simulation program set containing the respective communication behavior simulation programs. The communication behavior simulation program may specifically be a Trojan communication behavior simulation program, that is, a program built by extracting the part of the source code that handles network communication from a given virtual currency mining program (mining programs are almost all open source) and packaging that part so that it only communicates and does not mine. A corresponding Trojan communication behavior simulation program is packaged for each type of virtual currency, and the plurality of simulation programs form the Trojan communication behavior simulation program set.
For this embodiment, since the entire detection process is completed jointly by a network traffic collection and analysis program and a plurality of mining Trojan communication behavior simulation programs, a program responsible for management and scheduling is required. When the network traffic collection and analysis program screens out suspicious network links, it sends the suspicious network link information to the mining Trojan detection scheduling program, which calls all the mining Trojan communication behavior simulation programs to start mining Trojan communication simulation against the remote service addresses of the suspicious network links. Specifically, the communication behavior simulation program of the mining Trojan corresponding to each preset virtual currency type in the simulation program set creates an encrypted TCP link with the suspicious remote network service address, sends communication messages conforming to the mining program application layer communication protocol to the suspicious remote network service address over that encrypted TCP link, and receives the network response message fed back by the suspicious remote network service address, so that whether the suspicious network link is a mining Trojan communication network link can be determined by analyzing the content format of the network response message.
204. Judging whether the message characteristics of the network response message are matched with second preset characteristics of the mining program application layer communication protocol, if so, determining that the suspicious network link is a mining Trojan communication network link.
For the present embodiment, in a specific application scenario, step 204 may specifically include: extracting the second message feature of the network response message received by each communication behavior simulation program; calculating the second feature similarity between each second message feature and the second preset feature; judging whether a target network response message whose second feature similarity is greater than the second preset threshold exists among the network response messages; and if so, judging that the message feature of the target network response message matches the second preset feature of the mining program application layer communication protocol, and determining that the suspicious network link is a mining Trojan communication network link. When calculating the second feature similarity between each second message feature and the second preset feature, a preset feature distance calculation formula can likewise be used; it may be any distance function suitable for the measurement, for example the Euclidean, Manhattan, Jaccard or Mahalanobis distance, selected according to the practical application scenario and not limited here.
In a specific application scenario, if the message format feature of the network response message received by a communication behavior simulation program in the simulation program set matches the preset message format feature, that is, it conforms to the mining program application layer communication protocol, the suspicious network link can be determined to be a mining Trojan communication network link.
For example, the mining Trojan communication behavior simulation program first establishes a TLS-encrypted TCP link with the suspicious remote service and sends an instruction of the mining communication protocol, such as the subscribe instruction of the Stratum protocol, to the suspicious remote service:

```json
{"id":1,"method":"mining.subscribe","params":[]}
```

If the response message of the suspicious remote service conforms to the mining communication protocol, that is, the message format feature of the received network response message matches the preset message format feature, for example:

```json
{"id":1,"result":[["mining.notify","ae6812eb4cd7735a302a8a9dd95cf71f"],"08000002",4],"error":null}
```

the remote service is deemed to be a mining pool, and it is determined that the host corresponding to the local address of the suspicious network link contains a mining Trojan.
205. And determining the information of the mining Trojan according to the link of the mining Trojan communication network.
In a specific application scenario, corresponding to embodiment step 204, the steps of this embodiment may specifically include: determining a target communication behavior simulation program for receiving a target network response message in a simulation program set, determining a preset virtual currency type corresponding to the target communication behavior simulation program as a virtual currency type corresponding to the mining Trojan, extracting sender information in a mining Trojan communication network link, and determining a host computer where the mining Trojan is located and a used local port according to the sender information.
In a specific application scenario, as a preferred mode, the mining pool address can be extracted from the determined mining Trojan communication network link, and a mining pool address library can be built from such mining pool addresses. Then, in addition to determining the mining Trojan information in the manner above, the suspicious remote network service address of each TCP network link in the network traffic data can be matched against the mining pool address library; a TCP network link that matches successfully is determined to be a mining Trojan communication network link, and the host corresponding to the local address of that link can be confirmed to contain a mining Trojan. Correspondingly, the steps of the embodiment may further include: marking the suspicious remote network service address corresponding to the mining Trojan communication network link as a mining pool address; and updating the mining pool address into the mining pool address library, so that mining Trojan information can be determined based on the mining pool address library.
By means of the mining Trojan detection method based on the application layer communication protocol, the network traffic data is obtained first; the network traffic data is then analyzed based on the first preset feature of the mining program application layer communication protocol and suspicious network links are extracted from it; communication messages conforming to the mining program application layer communication protocol are sent to the suspicious remote network service addresses corresponding to the suspicious network links, and the network response messages fed back by the suspicious remote network service addresses are received; finally, by analyzing the network response message, it is judged whether the second message feature of the network response message matches the second preset feature of the mining program application layer communication protocol, a mining Trojan communication network link is thereby determined from among the suspicious network links, and the mining Trojan information is determined according to the mining Trojan communication network link. With the technical solution of this application, the suspicious network links that match the network behavior characteristics of TLS-encrypted mining Trojan traffic are screened out first and simulated communication detection is performed only on those suspicious network links, which greatly improves detection efficiency; and because the mining Trojan communication behavior is simulated towards the suspicious remote network service address of each suspicious network link, the most genuine network response message of that suspicious remote network service address is obtained, so that the mining Trojan can be accurately located by analyzing the network response message, thereby guaranteeing the detection accuracy for mining Trojans.
Further, as a specific implementation of the method shown in fig. 1 and fig. 2, an embodiment of the present application provides a mining Trojan detection device based on an application layer communication protocol, as shown in fig. 3, where the device includes: an acquisition module 31, an analysis module 32, a simulated communication module 33, and a determination module 34;
the obtaining module 31 is configured to obtain network traffic data, where the network traffic data includes a plurality of encrypted TCP network links;
the analysis module 32 is configured to analyze network traffic data based on a first preset feature of an application layer communication protocol of the mining program, and extract a suspicious network link from the network traffic data, where the suspicious network link carries a suspicious remote network service address;
the simulated communication module 33 is configured to send a communication message conforming to the mining program application layer communication protocol to the suspicious remote network service address, and receive the network response message fed back by the suspicious remote network service address;
the determining module 34 is configured to judge whether the second message feature of the network response message matches the second preset feature of the mining program application layer communication protocol, and if so, determine that the suspicious network link is a mining Trojan communication network link and determine the mining Trojan information according to the mining Trojan communication network link.
In a specific application scenario, the first preset feature includes a network message receiving and transmitting frequency feature and a message length feature; correspondingly, the analysis module 32 is specifically configured to parse and restore the network traffic data into a structured log, and analyze and obtain a first message feature at the TCP layer from the structured log; calculate a first feature similarity between the first message feature and the first preset feature corresponding to the mining program application layer communication protocol; and extract from the first message features the target message features whose first feature similarity equals the first preset threshold value, marking the TCP network links corresponding to the target message features as suspicious network links.
In a specific application scenario, when sending a communication message conforming to the mining program application layer communication protocol to the suspicious remote network service address and receiving the network response message fed back by the suspicious remote network service address, the simulated communication module 33 may be configured to create an encrypted TCP link with the suspicious remote network service address by using the communication behavior simulation program of the mining Trojan corresponding to each preset virtual currency type in the simulation program set, send the communication message conforming to the mining program application layer communication protocol to the suspicious remote network service address over the encrypted TCP link, and receive the network response message fed back by the suspicious remote network service address.
In a specific application scenario, the second preset feature includes a preset message format feature, and when judging whether the second message feature of the network response message matches the second preset feature of the mining program application layer communication protocol, the determining module 34 is specifically configured to extract the second message feature of the network response message received by each communication behavior simulation program; calculate the second feature similarity between each second message feature and the second preset feature; judge whether a target network response message whose second feature similarity is greater than the second preset threshold exists among the network response messages; and if so, judge that the message feature of the target network response message matches the second preset feature of the mining program application layer communication protocol.
In a specific application scenario, the information of the mining Trojan includes a virtual currency type corresponding to the mining Trojan, a host computer where the mining Trojan is located and a used local port, and when determining the information of the mining Trojan according to the link of the mining Trojan communication network, the determining module 34 is specifically configured to determine a target communication behavior simulation program for receiving the target network response message in the simulation program set, and determine a preset virtual currency type corresponding to the target communication behavior simulation program as the virtual currency type corresponding to the mining Trojan; extracting sender information from the communication network link of the mining Trojan, and determining a host computer where the mining Trojan is located and a used local port according to the sender information.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: a packaging module 35 and a construction module 36;
the packaging module 35 is configured to package a corresponding communication behavior simulation program for each different preset virtual currency type corresponding to the mining Trojan, where the communication behavior simulation program is configured to send communication messages conforming to the mining program application layer communication protocol of the corresponding preset virtual currency type;
the construction module 36 is operable to construct a simulation program set containing the respective communication behavior simulation programs.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: a marking module 37, an updating module 38;
the marking module 37 may be configured to mark the suspicious remote network service address corresponding to the mining Trojan communication network link as a mining pool address;
the update module 38 is operable to update the mining pool address into the mining pool address library so that the mining Trojan information can be determined based on the mining pool address library.
It should be noted that, other corresponding descriptions of each functional unit related to the device for detecting the mining Trojan horse based on the application layer communication protocol provided in this embodiment may refer to corresponding descriptions of fig. 1 to 2, and are not repeated here.
Based on the above-mentioned method shown in fig. 1 to 2, correspondingly, the present embodiment further provides a nonvolatile storage medium on which computer readable instructions are stored, where the readable instructions, when executed by a processor, implement the above-mentioned mining Trojan detection method based on an application layer communication protocol shown in fig. 1 to 2.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.), and includes several instructions for causing a computer device (may be a personal computer, a server, or a network device, etc.) to perform the method of each implementation scenario of the present application.
Based on the method shown in fig. 1 to 2 and the virtual device embodiments shown in fig. 3 and 4, in order to achieve the above object, the present embodiment further provides a computer device, where the computer device includes a storage medium and a processor; a nonvolatile storage medium storing a computer program; and the processor is used for executing a computer program to realize the mining Trojan horse detection method based on the application layer communication protocol shown in the figures 1-2.
Optionally, the computer device may also include a user interface, a network interface, a camera, radio frequency (RF) circuitry, sensors, audio circuitry, WI-FI modules, and the like. The user interface may include a display screen (Display), an input unit such as a keyboard (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), etc.
It will be appreciated by those skilled in the art that the architecture of a computer device provided in this embodiment is not limited to this physical device, but may include more or fewer components, or may be combined with certain components, or may be arranged in a different arrangement of components.
The nonvolatile storage medium may also include an operating system, network communication modules. An operating system is a program that manages the computer device hardware and software resources described above, supporting the execution of information handling programs and other software and/or programs. The network communication module is used for realizing communication among all components in the nonvolatile storage medium and communication with other hardware and software in the information processing entity equipment.
From the above description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented by means of software plus necessary general hardware platforms, or may be implemented by hardware.
By applying the technical solution of this application, compared with the prior art, the method and the device first acquire the network traffic data, then analyze the network traffic data based on the first preset feature of the mining program application layer communication protocol and extract suspicious network links from it, send communication messages conforming to the mining program application layer communication protocol to the suspicious remote network service addresses corresponding to the suspicious network links, and receive the network response messages fed back by the suspicious remote network service addresses; finally, by analyzing the network response message, it is judged whether the second message feature of the network response message matches the second preset feature of the mining program application layer communication protocol, a mining Trojan communication network link is thereby determined from among the suspicious network links, and the mining Trojan information is determined according to the mining Trojan communication network link. With this technical solution, the suspicious network links that match the network behavior characteristics of TLS-encrypted mining Trojan traffic are screened out first and simulated communication detection is performed only on those suspicious network links, which greatly improves detection efficiency; and because the mining Trojan communication behavior is simulated towards the suspicious remote network service address of each suspicious network link, the most genuine network response message of that suspicious remote network service address is obtained, so that the mining Trojan can be accurately located by analyzing the network response message, thereby guaranteeing the detection accuracy for mining Trojans.
Those skilled in the art will appreciate that the drawings are merely schematic illustrations of one preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to practice the present application. Those skilled in the art will appreciate that modules in an apparatus in an implementation scenario may be distributed in an apparatus in an implementation scenario according to an implementation scenario description, or that corresponding changes may be located in one or more apparatuses different from the implementation scenario. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The foregoing application serial numbers are merely for description, and do not represent advantages or disadvantages of the implementation scenario. The foregoing disclosure is merely a few specific implementations of the present application, but the present application is not limited thereto and any variations that can be considered by a person skilled in the art shall fall within the protection scope of the present application.

Claims (8)

1. The mining Trojan horse detection method based on the application layer communication protocol is characterized by comprising the following steps of:
acquiring network flow data, wherein the network flow data comprises a plurality of encrypted TCP network links;
analyzing the network flow data based on a first preset feature of an application layer communication protocol of the mining program, and extracting suspicious network links from the network flow data, wherein suspicious network links carry suspicious remote network service addresses;
sending a communication message conforming to the mining program application layer communication protocol to the suspicious remote network service address, and receiving a network response message fed back by the suspicious remote network service address;
judging whether the second message characteristic of the network response message is matched with a second preset characteristic of the mining program application layer communication protocol, if so, determining that the suspicious network link is a mining Trojan communication network link, and determining mining Trojan information according to the mining Trojan communication network link;
wherein the sending of the communication message conforming to the mining program application layer communication protocol to the suspicious remote network service address and the receiving of the network response message fed back by the suspicious remote network service address includes:
establishing a TCP link with encryption with the suspicious remote network service address by using a communication behavior simulation program of the mining Trojan corresponding to each preset virtual currency type in the simulation program set, sending a communication message conforming to the mining program application layer communication protocol to the suspicious remote network service address based on the TCP link with encryption, and receiving a network response message fed back by the suspicious remote network service address;
The determining whether the second message feature of the network response message matches the second preset feature of the mining program application layer communication protocol includes:
extracting second message characteristics of network response messages received by the communication behavior simulation programs;
calculating second feature similarity between each second message feature and the second preset feature;
judging whether a target network response message with the second feature similarity larger than a second preset threshold exists in the network response message;
if yes, judging that the message characteristics of the target network response message are matched with the second preset characteristics of the mining program application layer communication protocol.
2. The method of claim 1, wherein the first predetermined characteristic includes a network messaging frequency characteristic and a message length characteristic;
wherein the analyzing of the network traffic data based on the first preset feature of the mining program application layer communication protocol and the extracting of suspicious network links from the network traffic data includes:
analyzing and restoring the network flow data into a structured log, and analyzing and obtaining a first message characteristic based on a TCP layer according to the structured log;
Calculating a first feature similarity of the first message feature and a first preset feature corresponding to an application layer communication protocol of the mining program;
extracting target message characteristics corresponding to the first characteristic similarity equal to a first preset threshold value from the first message characteristics, and marking the TCP network link corresponding to the target message characteristics as a suspicious network link.
3. The method of claim 1, wherein the mining Trojan information includes a virtual currency type corresponding to the mining Trojan, a host computer where the mining Trojan is located, and a local port used, and determining the mining Trojan information according to the mining Trojan communication network link includes:
determining a target communication behavior simulation program for receiving the target network response message in the simulation program set, and determining a preset virtual currency type corresponding to the target communication behavior simulation program as a virtual currency type corresponding to a mining Trojan;
and extracting sender information from the communication network link of the mining Trojan horse, and determining a host machine where the mining Trojan horse is located and a used local port according to the sender information.
4. The method of claim 1, wherein prior to sending a communication message conforming to the mining program application layer communication protocol to the suspicious remote network service address and receiving a network response message fed back by the suspicious remote network service address, the method further comprises:
Respectively packaging corresponding communication behavior simulation programs aiming at different preset virtual currency types corresponding to the mining Trojan, wherein the communication behavior simulation programs are used for sending communication messages which accord with the mining program application layer communication protocol under the corresponding preset virtual currency types;
and constructing a simulation program set containing each communication behavior simulation program.
5. The method according to claim 1, wherein the method further comprises:
marking the suspicious remote network service address corresponding to the mining Trojan communication network link as a mining pool address;
and adding the mining pool address to a mining pool address library, so that mining Trojan information can subsequently be determined on the basis of the mining pool address library.
6. A mining Trojan detection device based on an application layer communication protocol, characterized by comprising:
an acquisition module, used to acquire network traffic data, the network traffic data comprising a plurality of encrypted TCP network links;
an analysis module, used to analyze the network traffic data on the basis of a first preset feature of the mining program application layer communication protocol and to extract suspicious network links from it, the suspicious network links carrying suspicious remote network service addresses;
a simulation communication module, used to send communication messages conforming to the mining program application layer communication protocol to the suspicious remote network service address and to receive the network response messages fed back by the suspicious remote network service address;
a determining module, used to judge whether a second message feature of the network response message matches a second preset feature of the mining program application layer communication protocol and, if so, to determine that the suspicious network link is a mining Trojan communication network link and to determine mining Trojan information from that mining Trojan communication network link;
wherein the simulation communication module is specifically configured to create an encrypted TCP link with the suspicious remote network service address using the mining Trojan communication behavior simulation program for each preset virtual currency type in a simulation program set, to send, over that encrypted TCP link, a communication message conforming to the mining program application layer communication protocol to the suspicious remote network service address, and to receive the network response message fed back by the suspicious remote network service address;
and the determining module is specifically configured to extract a second message feature from the network response message received by each communication behavior simulation program; to calculate a second feature similarity between each second message feature and the second preset feature; to judge whether a target network response message whose second feature similarity is greater than a second preset threshold exists among the network response messages; and, if so, to judge that the message feature of that target network response message matches the second preset feature of the mining program application layer communication protocol.
7. A non-transitory readable storage medium storing a computer program, wherein the program, when executed by a processor, implements the mining Trojan detection method based on an application layer communication protocol of any of claims 1 to 5.
8. A computer device comprising a non-volatile readable storage medium, a processor, and a computer program stored on the non-volatile readable storage medium and executable on the processor, characterized in that the processor, when executing the program, implements the mining Trojan detection method based on an application layer communication protocol of any of claims 1 to 5.
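The active-probing step of claims 1, 4 and 6 (one communication behavior simulation program per preset virtual currency type, a probe sent over a fresh connection to the suspicious remote address, and a second-feature similarity check on the reply that must exceed a threshold before the address is recorded in the mining pool address library of claim 5), as an added Python example that is not the patent's own code. It assumes the "mining program application layer communication protocol" is Stratum, the JSON-RPC dialect that Bitcoin miners (mining.subscribe) and Monero/XMRig-style miners (login) speak; the probe messages, the expected feature tokens, the 0.6 threshold and the local stand-in services in FAKE_REPLIES are all constructed for illustration. A real deployment would probe the address taken from the suspicious encrypted link, with use_tls=True, instead of a local stub.

```python
import json
import socket
import ssl
import threading

# Probe message each per-currency emulator sends on a fresh connection. Constructed
# here, following the public Stratum JSON-RPC dialects used by Bitcoin miners
# (mining.subscribe) and Monero/XMRig-style miners (login).
PROBES = {
    "bitcoin": {"id": 1, "method": "mining.subscribe", "params": ["probe/1.0"]},
    "monero": {"id": 1, "jsonrpc": "2.0", "method": "login",
               "params": {"login": "probe", "pass": "x", "agent": "probe/1.0"}},
}
# "Second preset features": tokens a genuine pool reply to that probe carries.
EXPECTED_FEATURES = {
    "bitcoin": ["mining.set_difficulty", "mining.notify", "result", "id"],
    "monero": ["job_id", "blob", "target", "status", "result"],
}
SECOND_THRESHOLD = 0.6        # similarity must exceed this to confirm a pool (assumed)
POOL_ADDRESS_LIBRARY = set()  # the mining pool address library of claim 5


def feature_similarity(reply, expected):
    """Fraction of the expected feature tokens present in the raw reply line."""
    return sum(1 for f in expected if f in reply) / len(expected)


def send_probe(addr, currency, use_tls=False, timeout=3.0):
    """Act as one emulator: connect, send its probe, return the first reply line."""
    sock = socket.create_connection(addr, timeout=timeout)
    if use_tls:  # pools usually run Stratum over TLS; the probe need not verify
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=addr[0])
    with sock:
        sock.sendall((json.dumps(PROBES[currency]) + "\n").encode())
        try:
            return sock.makefile("r", encoding="utf-8", errors="replace").readline().strip()
        except OSError:  # timeout or reset: treat as no reply
            return ""


def classify_address(addr, use_tls=False):
    """Run every emulator; return (currency, similarity) of the best reply above threshold."""
    best_currency, best_score = None, 0.0
    for currency in PROBES:
        try:
            reply = send_probe(addr, currency, use_tls)
        except OSError:  # connection refused etc.: this emulator scores nothing
            continue
        score = feature_similarity(reply, EXPECTED_FEATURES[currency])
        if score > best_score:
            best_currency, best_score = currency, score
    if best_score > SECOND_THRESHOLD:
        POOL_ADDRESS_LIBRARY.add(addr)  # claim 5: record the confirmed pool address
        return best_currency, best_score
    return None, best_score


# Constructed stand-ins for the remote service so the example runs offline.
FAKE_REPLIES = {
    "bitcoin": {
        "mining.subscribe": '{"id":1,"result":[[["mining.set_difficulty","d1"],["mining.notify","n1"]],"08000002",4],"error":null}',
        "_other": '{"id":1,"result":null,"error":[20,"Unknown method",null]}',
    },
    "monero": {
        "login": '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"w1","job":{"blob":"0707...","job_id":"j1","target":"b88d0600"},"status":"OK"}}',
        "_other": '{"id":1,"jsonrpc":"2.0","error":{"code":-1,"message":"invalid method"}}',
    },
    "web": {"_other": "HTTP/1.1 400 Bad Request"},  # a non-pool TCP service
}


def start_fake_service(kind):
    """Listen on 127.0.0.1 answering like FAKE_REPLIES[kind]; returns (addr, stop)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by stop()
                return
            with conn:
                try:
                    msg = json.loads(conn.makefile("r").readline())
                    method = msg.get("method") if isinstance(msg, dict) else None
                except ValueError:
                    method = None
                table = FAKE_REPLIES[kind]
                conn.sendall((table.get(method, table["_other"]) + "\n").encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname(), srv.close


if __name__ == "__main__":
    for kind in ("bitcoin", "monero", "web"):
        addr, stop = start_fake_service(kind)
        print(kind, "->", classify_address(addr))
        stop()
```

Each emulator opens its own connection, as claim 6 requires, because a Bitcoin pool answers a Monero login with an error and vice versa; scoring every reply and keeping the best one is what lets the currency type of claim 3 fall out of the probe that matched. The similarity is a deliberately simple token ratio; a production version would also check the reply's JSON-RPC id, line framing and response timing so that a non-pool service echoing the probe cannot reach the threshold.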
CN202210013293.1A 2022-01-06 2022-01-06 Mining Trojan detection method, device and equipment based on application layer communication protocol Active CN114513331B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210013293.1A CN114513331B (en) 2022-01-06 2022-01-06 Mining Trojan detection method, device and equipment based on application layer communication protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210013293.1A CN114513331B (en) 2022-01-06 2022-01-06 Mining Trojan detection method, device and equipment based on application layer communication protocol

Publications (2)

Publication Number Publication Date
CN114513331A CN114513331A (en) 2022-05-17
CN114513331B true CN114513331B (en) 2023-06-09

Family

ID=81550418

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210013293.1A Active CN114513331B (en) 2022-01-06 2022-01-06 Mining Trojan detection method, device and equipment based on application layer communication protocol

Country Status (1)

Country Link
CN (1) CN114513331B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115189954A (en) * 2022-07-12 2022-10-14 北京天融信网络安全技术有限公司 Mining message processing method and device, electronic equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111245787A (en) * 2019-12-31 2020-06-05 西安交大捷普网络科技有限公司 Method and device for equipment defect identification and equipment defect degree evaluation

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190215335A1 (en) * 2014-10-30 2019-07-11 Ironscales Ltd. Method and system for delaying message delivery to users categorized with low level of awareness to suspicius messages
CN108829829A (en) * 2018-06-15 2018-11-16 深信服科技股份有限公司 Detect method, system, device and storage medium that ideal money digs mine program
CN108900496A (en) * 2018-06-22 2018-11-27 杭州安恒信息技术股份有限公司 A kind of quick detection website is implanted the detection method and device of digging mine wooden horse
CN109347882B (en) * 2018-11-30 2021-12-21 深信服科技股份有限公司 Webpage Trojan horse monitoring method, device, equipment and storage medium
US11316880B2 (en) * 2019-09-16 2022-04-26 Avast Software, S.R.O. Cryptocurrency mining detection using network traffic
CN111314367A (en) * 2020-02-27 2020-06-19 广东安创信息科技开发有限公司 Method and system for identifying ore excavation program based on flow characteristics
CN111600850B (en) * 2020-04-26 2021-09-07 武汉思普崚技术有限公司 Method, equipment and storage medium for detecting mine digging virtual currency
CN111953693A (en) * 2020-08-13 2020-11-17 北京计算机技术及应用研究所 Tor network communication flow identification and analysis method
CN113177791A (en) * 2021-04-23 2021-07-27 杭州安恒信息技术股份有限公司 Malicious mining behavior identification method, device, equipment and storage medium
CN113868088A (en) * 2021-09-29 2021-12-31 杭州默安科技有限公司 Detection method and system for mining excavation behavior and computer readable storage medium

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111245787A (en) * 2019-12-31 2020-06-05 西安交大捷普网络科技有限公司 Method and device for equipment defect identification and equipment defect degree evaluation

Also Published As

Publication number Publication date
CN114513331A (en) 2022-05-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant