TW202103030A - Method and device for finding a malicious encrypted connection fingerprint - Google Patents
Description
The present invention relates to a network information security technology, and more particularly to a method and device for finding malicious encrypted connection fingerprints.
As the use of encrypted network communication keeps expanding, malicious attacks are likewise shielded by the encryption mechanism and become harder to detect. According to a Cisco white paper, most organizations currently have no solution for detecting malicious content in encrypted traffic. More specifically, these organizations lack the security tools and resources to implement a solution that can be deployed across the entire network infrastructure without slowing the network down.
In view of this, the present invention provides a method and device for finding malicious encrypted connection fingerprints, which can be used to solve the above technical problem.
The present invention provides a method for finding malicious encrypted connection fingerprints, including: obtaining a plurality of network connection records from network traffic; obtaining a plurality of encrypted fingerprints based on the network connection records; for a specific encrypted fingerprint among the encrypted fingerprints, calculating a blacklist matching frequency of the specific encrypted fingerprint; calculating an inverse destination address frequency of the specific encrypted fingerprint; calculating a malicious degree weight value of the specific encrypted fingerprint based on the blacklist matching frequency and the inverse destination address frequency; and, in response to the malicious degree weight value being higher than a preset threshold, determining that the specific encrypted fingerprint is a potentially malicious fingerprint.
The present invention provides a device for finding malicious encrypted connection fingerprints, including a network traffic capture module, an encrypted fingerprint generation module, a blacklist matching frequency module, an inverse destination address frequency module, and a malicious degree judgment module. The network traffic capture module obtains a plurality of network connection records from the network traffic. The encrypted fingerprint generation module obtains a plurality of encrypted fingerprints based on the network connection records. For a specific encrypted fingerprint among the encrypted fingerprints, the blacklist matching frequency module calculates a blacklist matching frequency of the specific encrypted fingerprint. The inverse destination address frequency module calculates an inverse destination address frequency of the specific encrypted fingerprint. The malicious degree judgment module calculates a malicious degree weight value of the specific encrypted fingerprint based on the blacklist matching frequency and the inverse destination address frequency. In response to the malicious degree weight value being higher than a preset threshold, the malicious degree judgment module determines that the specific encrypted fingerprint is a potentially malicious fingerprint.
Based on the above, after obtaining the blacklist matching frequency and the inverse destination address frequency of each encrypted fingerprint, the device and method of the present invention derive the malicious degree weight value of each encrypted fingerprint from them and then determine whether each encrypted fingerprint is a potentially malicious fingerprint.
To make the above features and advantages of the present invention more comprehensible, embodiments are described in detail below together with the accompanying drawings.
In outline, the present invention proposes a method and device that applies information retrieval techniques to find malicious encrypted connection fingerprints in encrypted network traffic. The aim is to capture network traffic at the user's network gateway and then, using the information retrieval algorithm proposed here, extract the fingerprints of malicious encrypted connections and thereby obtain the Internet destination addresses to which those malicious encrypted connections are made. The proposed algorithm may be called the Blacklist Matching Frequency - Inverse Destination Frequency (BF-IDF) algorithm; it computes a BF-IDF weight for each Transport Layer Security/Secure Sockets Layer (SSL/TLS) client fingerprint, so that malicious detection can be carried out without decrypting the encrypted network traffic. Internet destination addresses confirmed as malicious by security personnel can be added to the threat intelligence database, and the classifier produced at the next modeling round becomes increasingly accurate as the intelligence grows. Moreover, because the data source used by this patent can pin down the victim host, it also assists subsequent digital forensics work. The details are as follows.
Please refer to FIG. 1A and FIG. 1B. FIG. 1A is a schematic diagram of a system for finding malicious encrypted connection fingerprints according to an embodiment of the present invention, and FIG. 1B is a schematic diagram of a usage scenario of the system of FIG. 1A.
In FIG. 1A, the system 100 includes a threat intelligence database 120, an intelligence collection module 130, an intelligence sharing module 140, an intelligence verification module 160, and a device 170 for finding malicious encrypted connection fingerprints.
In different embodiments, the threat intelligence database 120 can receive network threat intelligence from various sources, such as the website "http://www.malware-traffic-analysis.net/", the VirusTotal website, the Bluecoat website, and so on. The intelligence collection module 130 can integrate newly produced network threat intelligence to enrich the threat intelligence database, making classification increasingly accurate. The intelligence sharing module 140 can share the network threat intelligence of the system 100 with third-party cooperative defense systems or devices. The intelligence verification module 160 can verify the reliability of newly produced malicious threat intelligence, but the invention is not limited thereto.
In one embodiment, the device 170 of the present invention can be regarded as a network traffic capture system, which is installed at an organization's network gateway to perform the relevant monitoring. As shown in FIG. 1A, the device 170 may include a network traffic collection module 110, an encrypted fingerprint generation module 150, a blacklist matching frequency module 171, an inverse destination address frequency module 173, and a malicious degree judgment module 172.
As shown in FIG. 1B, an attacker may implant malware in a victim host and turn it into a bot, and then use it for malicious activities such as stealing sensitive data. To improve the survival rate of the botnet, the attacker will use encrypted network connections to avoid detection and blocking.
In this case, when an enterprise wants to use the proposed system together with its internal network traffic to determine whether malicious threats are present in its internal encrypted traffic, the system 100 can be set up at the enterprise's internal network gateway, where the network traffic capture module receives the network data produced by the traffic; once this data is fed into the system 100, the analysis of the encrypted fingerprints and of the malicious degree of their destination addresses begins. On this basis, the device 170 of the present invention can, through the proposed method, extract the handshake information exchanged when malware connects to its relay station (C2 server) and convert it into an encrypted fingerprint; combine it with a blacklist of malicious Internet destination addresses to pick out the malicious encrypted fingerprints that exhibit malicious and rare encrypted connection behavior; and then look up the unknown Internet destination addresses contacted with those malicious encrypted fingerprints, thereby finding both the malicious encrypted fingerprints and the potentially malicious Internet destination addresses. This is further explained below.
Please refer to FIG. 2, which is a flowchart of a method for finding malicious encrypted connection fingerprints according to an embodiment of the present invention. The method of this embodiment can be executed by the device 170 of FIG. 1, and the details of each step of FIG. 2 are explained below together with the content shown in FIG. 1.
First, in step S210, the network traffic collection module 110 obtains a plurality of network connection records from the network traffic. In one embodiment, the network traffic collection module 110 receives the data produced by the network traffic. Taking FIG. 1B as an example, the network traffic collection module 110 can, as shown, capture packet capture (PCAP) network connection records produced by the traffic at the enterprise gateway, but the invention is not limited thereto.
Next, in step S220, the encrypted fingerprint generation module 150 obtains a plurality of encrypted fingerprints based on the network connection records. Specifically, in one embodiment, the network connections may include a plurality of first network connection records corresponding to a plurality of encrypted connections; that is, part of the network connection records is transmitted over encrypted connections.
In one embodiment, when a client and a server (for example, the corporate intranet of FIG. 1B) want to establish a first encrypted connection to transmit network connection data, a three-way handshake procedure is required. In this procedure, the client sends a client handshake message to the server. The encrypted fingerprint generation module 150 can obtain the client handshake message corresponding to the establishment of this first encrypted connection.
After that, the encrypted fingerprint generation module 150 obtains a plurality of message features from the client handshake message of the first encrypted connection. In one embodiment, the client handshake message is, for example, a ClientHello message, and the message features may include at least one of SSLVersion, CipherSuite, SSLExtension, EllipticCurve and EllipticCurvePointFormat, but the invention is not limited thereto.
Next, the encrypted fingerprint generation module 150 generates a first encrypted fingerprint among the encrypted fingerprints based on the message features of the first encrypted connection. In one embodiment, the encrypted fingerprint generation module 150 computes a hash value of the message features to serve as the first encrypted fingerprint of the first encrypted connection (for example, a JA3 fingerprint).
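As an added illustration of step S220 (not code from the patent), the following Python parses a TLS record carrying a ClientHello into the five message features named above and hashes them the way a JA3 fingerprint does; the sample ClientHello is constructed inline by a small builder, and the GREASE filtering follows the public JA3 convention rather than anything the patent specifies.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are chosen at random per connection; JA3 drops them
# so that the same client always yields the same fingerprint.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Pull the five JA3 message features out of a TLS record holding a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    off = 5                          # record header: type(1) version(2) length(2)
    if record[off] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    off += 4                         # handshake header: type(1) length(3)
    version = _u16(record, off)
    off += 2 + 32                    # client_version, then the 32-byte random
    off += 1 + record[off]           # session_id (length-prefixed)
    n = _u16(record, off)
    off += 2
    ciphers = [_u16(record, off + i) for i in range(0, n, 2)]
    off += n
    off += 1 + record[off]           # compression_methods (length-prefixed)
    exts, curves, formats = [], [], []
    if off < len(record):            # extensions block is absent for very old clients
        end = off + 2 + _u16(record, off)
        off += 2
        while off < end:
            etype, elen = _u16(record, off), _u16(record, off + 2)
            body = record[off + 4:off + 4 + elen]
            exts.append(etype)
            if etype == 0x000A:      # supported_groups: u16 list length, then u16 ids
                curves = [_u16(body, 2 + i) for i in range(0, _u16(body, 0), 2)]
            elif etype == 0x000B:    # ec_point_formats: u8 list length, then u8 ids
                formats = list(body[1:1 + body[0]])
            off += 4 + elen
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "curves": curves, "formats": formats}


def ja3(fields: dict) -> tuple:
    """Build the JA3 string (fields joined by ',', values by '-') and its MD5 hash."""
    def join(values, strip_grease=True):
        return "-".join(str(v) for v in values if not (strip_grease and v in GREASE))
    ja3_string = ",".join([str(fields["version"]), join(fields["ciphers"]),
                           join(fields["extensions"]), join(fields["curves"]),
                           join(fields["formats"], strip_grease=False)])
    return ja3_string, hashlib.md5(ja3_string.encode()).hexdigest()


def build_client_hello(version, ciphers, extensions, curves, formats) -> bytes:
    """Assemble a minimal well-formed ClientHello; used only to construct sample input."""
    ext_bytes = b""
    for etype in extensions:
        if etype == 0x000A:
            body = struct.pack("!H", 2 * len(curves)) + b"".join(struct.pack("!H", c) for c in curves)
        elif etype == 0x000B:
            body = bytes([len(formats)]) + bytes(formats)
        else:
            body = b""
        ext_bytes += struct.pack("!HH", etype, len(body)) + body
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
             + b"\x01\x00" + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: a TLS 1.2 ClientHello with one GREASE value in each list.
SAMPLE_CLIENT_HELLO = build_client_hello(
    version=0x0303, ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B],
    extensions=[0x0A0A, 0x0000, 0x000A, 0x000B, 0x0017],
    curves=[0x0A0A, 0x001D, 0x0017], formats=[0])

if __name__ == "__main__":
    print(ja3(parse_client_hello(SAMPLE_CLIENT_HELLO)))
```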
After obtaining the encrypted fingerprint corresponding to each encrypted connection, for each obtained encrypted fingerprint (which has a plurality of destination connection addresses), the device 170 of the present invention determines the malicious degree of each encrypted fingerprint through steps S230 to S260. For ease of explanation, the i-th encrypted fingerprint (hereinafter the specific encrypted fingerprint) is taken as an example below; a person of ordinary skill in the art can infer accordingly the operations the device 170 performs on the other encrypted fingerprints.
Specifically, in step S230, for the specific encrypted fingerprint among the encrypted fingerprints, the blacklist matching frequency module 171 calculates the blacklist matching frequency bf_i of the specific encrypted fingerprint.
To do so, the blacklist matching frequency module 171 obtains a blacklist including a plurality of malicious network destination addresses. In one embodiment, the blacklist can be taken from the threat intelligence database 120 (which collects network threat intelligence from sources such as VirusTotal and Bluecoat). The blacklist matching frequency module 171 then finds, among the destination connection addresses of the specific encrypted fingerprint, the specific number that match the malicious network destination addresses, and divides this specific number by the total number of destination connection addresses of the specific encrypted fingerprint to obtain the blacklist matching frequency bf_i of the specific encrypted fingerprint.
In the embodiments of the present invention, the blacklist matching frequency bf_i expresses the degree to which the specific encrypted fingerprint may be a potentially malicious encrypted connection fingerprint. That is, the more of an encrypted fingerprint's destination connection addresses are malicious network destination addresses, the higher its blacklist matching frequency bf_i.
In addition, in step S240, the inverse destination address frequency module 172 calculates an inverse destination address frequency idf_i of the specific encrypted fingerprint. Specifically, the inverse destination address frequency module 172 sums the numbers of destination connection addresses of all the encrypted fingerprints into a total destination address count, and obtains the inverse destination address frequency idf_i of the specific encrypted fingerprint based on this total destination address count and the total number of destination connection addresses of the specific encrypted fingerprint.
In one embodiment, the inverse destination address frequency module 172 divides the total destination address count by the total number of destination connection addresses of the specific encrypted fingerprint and takes the logarithm of the result to produce the inverse destination address frequency idf_i of the specific encrypted fingerprint.
In the embodiments of the present invention, the inverse destination address frequency idf_i serves as a measure of how rare the specific encrypted fingerprint is. Unlike normal applications, malicious applications tend to be present on fewer client hosts and to trigger fewer Internet connections than ordinary applications. The inverse destination address frequency idf_i therefore brings such rare encrypted fingerprints to light.
After obtaining the blacklist matching frequency bf_i and the inverse destination address frequency idf_i of the specific encrypted fingerprint, in step S250 the malicious degree judgment module 173 calculates a malicious degree weight value BF-IDF_i of the specific encrypted fingerprint based on the blacklist matching frequency bf_i and the inverse destination address frequency idf_i. In one embodiment, the malicious degree judgment module 173 multiplies the blacklist matching frequency bf_i by the inverse destination address frequency idf_i to obtain the malicious degree weight value BF-IDF_i of the specific encrypted fingerprint, but the invention is not limited thereto.
In the embodiments of the present invention, the above algorithm combines the degree to which the specific encrypted fingerprint may be a potentially malicious encrypted connection fingerprint (the blacklist matching frequency bf_i) with the measure of how rare the specific encrypted fingerprint is (the inverse destination address frequency idf_i); in this way, encrypted fingerprints that are both rare and highly likely to be potentially malicious encrypted connection fingerprints stand out. Conversely, the malicious degree weight value tends to filter out common encrypted fingerprints while retaining rare fingerprints that pose a potential threat.
Then, in step S260, in response to the malicious degree weight value BF-IDF_i being higher than a preset threshold, the malicious degree judgment module 173 determines that the specific encrypted fingerprint is a potentially malicious fingerprint. In different embodiments, the preset threshold can be set by the designer as required. For example, the device 170 can first compute the malicious degree weight values of all the encrypted fingerprints under consideration and then determine the preset threshold from the statistical properties of these weight values; for instance, the device 170 can set the preset threshold based on the mean and standard deviation of these malicious degree weight values, but the invention is not limited thereto.
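Steps S230 to S260 as an added worked example in Python (not the patent's own code): bf_i, idf_i, their product BF-IDF_i, and a threshold derived from the weights' mean and standard deviation. The connection records, the blacklist, the use of distinct destination addresses per fingerprint and the exact "mean plus one standard deviation" rule are assumptions made for the illustration.

```python
import math
import statistics
from collections import defaultdict

# Constructed sample: (encrypted fingerprint, destination address) pairs as the
# traffic collection module would hand them over. Labels and addresses are
# placeholders from documentation ranges, not values from the patent.
CONNECTIONS = [
    ("fp_browser", "203.0.113.10"), ("fp_browser", "203.0.113.11"),
    ("fp_browser", "203.0.113.12"), ("fp_browser", "203.0.113.13"),
    ("fp_browser", "203.0.113.14"), ("fp_browser", "203.0.113.15"),
    ("fp_browser", "203.0.113.16"), ("fp_browser", "203.0.113.17"),
    ("fp_browser", "203.0.113.10"),   # repeat connection to a known destination
    ("fp_updater", "203.0.113.20"), ("fp_updater", "203.0.113.21"),
    ("fp_updater", "203.0.113.22"), ("fp_updater", "203.0.113.23"),
    ("fp_chat", "203.0.113.30"), ("fp_chat", "203.0.113.31"),
    ("fp_rare", "198.51.100.5"), ("fp_rare", "198.51.100.6"),
]
# Constructed blacklist standing in for the threat intelligence database.
BLACKLIST = {"198.51.100.5", "203.0.113.12"}


def destinations_by_fingerprint(connections):
    """Group the distinct destination addresses seen under each fingerprint (assumed: distinct)."""
    dests = defaultdict(set)
    for fingerprint, destination in connections:
        dests[fingerprint].add(destination)
    return dests


def blacklist_match_frequency(dests, blacklist):
    """S230: bf_i = blacklisted destinations of fingerprint i / all its destinations."""
    return len(dests & blacklist) / len(dests)


def inverse_destination_frequency(dests, total_destinations):
    """S240: idf_i = log(total destination count / fingerprint i's destination count)."""
    return math.log(total_destinations / len(dests))


def bf_idf_scores(connections, blacklist):
    """S250: BF-IDF_i = bf_i * idf_i for every fingerprint in the traffic."""
    by_fp = destinations_by_fingerprint(connections)
    total = sum(len(d) for d in by_fp.values())
    return {fp: blacklist_match_frequency(d, blacklist) * inverse_destination_frequency(d, total)
            for fp, d in by_fp.items()}


def potentially_malicious(scores, k=1.0):
    """S260: flag fingerprints whose weight exceeds mean + k * std of all weights (assumed rule)."""
    weights = list(scores.values())
    threshold = statistics.mean(weights) + k * statistics.pstdev(weights)
    flagged = sorted(fp for fp, w in scores.items() if w > threshold)
    return flagged, threshold


if __name__ == "__main__":
    scores = bf_idf_scores(CONNECTIONS, BLACKLIST)
    for fp, w in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{fp:12s} BF-IDF = {w:.4f}")
    print("flagged:", potentially_malicious(scores))
```

The common browser fingerprint also contacted one blacklisted address, but its high destination count keeps both bf_i and idf_i low, while the rare fingerprint with a blacklisted destination is the only one above the threshold.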
In one embodiment, after finding the potentially malicious fingerprints with higher malicious degree weight values among the encrypted fingerprints, the device 170 can apply digital forensics techniques to carry out follow-up forensic investigation of the client hosts corresponding to these potentially malicious fingerprints.
To make the concept of the present invention clearer, a concrete example is given below. Specifically, this embodiment collected the network gateway traffic of an actual enterprise site, 28.6 GB in size, and counted 870 JA3 fingerprints and 132,008 destination connection addresses. In this case, 176 destination connection addresses matched the blacklist, and 75 JA3 fingerprints had a malicious degree weight value greater than zero.
Please refer to FIG. 3, which shows information on some of the JA3 fingerprints according to an embodiment of the present invention. FIG. 3 lists the top 5 of the above 75 JA3 fingerprints, and one of them (e295e403d94506afa5b2031b211dba10) has a malicious degree weight value significantly higher than the others. In this case, that JA3 fingerprint can be determined to be a potentially malicious fingerprint, and the digital forensics techniques described below can then be used to confirm the ability of the present invention to detect encrypted malicious threats.
According to this embodiment, two destination connection addresses of the above encrypted fingerprint (e295e403d94506afa5b2031b211dba10) were further obtained, as shown in Table 1 below.
After querying VirusTotal for the above two destination connection addresses, it was found that one IP (1.1.1.1) had already been identified by VirusTotal as a malicious IP, while the other IP (1.0.0.1) returned no result.
To confirm the detection capability of the proposed system, a visual network topology graph of the IP (1.0.0.1) can be further constructed. Please refer to FIG. 4, which is a network topology graph based on FIG. 3. FIG. 4 shows the associations among the IP under verification in Table 1, domains and malicious files, and whether they are directly or indirectly related. Taking the IP under verification 1.0.0.1 as an example, no antivirus vendor in the VirusTotal query result flagged this IP as malicious, but by building a bipartite graph and analyzing it, associations between this IP and domains and malicious files can be found. Specifically, as shown in FIG. 4, the above IP 1.0.0.1 (the central node) not only shows association behavior with multiple malicious files, but also has resolution and hosting relationships with 6 domains, namely 0jf[.]net, 10000[.]rhelper[.]com, 39768[.]rhelper[.]com, 00000[.]rhelper[.]com, 18504[.]rhelper[.]com and 95841[.]rhelper[.]com. Furthermore, the IPs that these domains associate outward with or resolve to are also found to have association behavior with malicious files, and in the VirusTotal query each of these associated files was judged malicious by at least one antivirus vendor. In view of this, through a chain of outward associations, 1.0.0.1 can be determined to indeed be a potentially malicious IP. In addition, ThreatMiner can be used to find threat intelligence reports related to the IP (1.0.0.1).
Please refer to FIG. 5, which is a related threat intelligence report based on FIG. 4. As shown in FIG. 5, IP 1.0.0.1 is indeed a potentially malicious IP. These experimental results demonstrate that the present invention can extract suspicious encrypted fingerprints and their destination addresses from encrypted traffic, and the above verification procedure confirms the usability and technical effect of the present invention.
From the above, the system and method proposed by the present invention can filter potential encrypted network threats out of massive network traffic, which not only helps a company's internal security personnel update the Internet destination address blacklist, but also enables follow-up forensic investigation of client hosts that use suspicious encrypted fingerprints.
In summary, this patent proposes a system dedicated to analyzing encrypted network traffic: it collects long-term network traffic, computes encrypted connection fingerprints and threat intelligence analysis information, and applies a weighting algorithm commonly used in information retrieval and text mining to detect malicious encrypted network connections. Experimental results show that the proposed system can discover potentially malicious encrypted connection fingerprints and related malicious Internet destination address intelligence that other external threat intelligence providers cannot identify, helps clarify the full picture of a security incident without decrypting network packets, provides a basis for digital forensic judgment, and can further be used for regional joint defense or intelligence exchange among organizations.
In addition, the proposed system is an offline-based network packet analysis system (such as a traffic and log analysis system or a network management system). Its main advantage is that it does not affect the operation of the existing systems; for large packet volumes or time-consuming analysis, it can effectively reduce the probability of a system crashing from overload and reduce the delays caused by time-consuming processing. From another perspective, traditional inline firewalls and intrusion detection systems sit at the network ingress/egress point and are prone to direct attack and sabotage that disables them or disrupts network connectivity, whereas the present invention, being hard for an attacker to detect, is not easily attacked.
Furthermore, a practical example of the present invention is to deploy the system at an enterprise's network gateway and obtain its network traffic by tapping. After analysis by the proposed system, malicious domain intelligence can be produced periodically, and information on suspicious connecting hosts allows post-incident recovery work such as digital forensics or host isolation to proceed quickly.
Further, another practical example of the present invention is that the victim host can be identified (by its client IP), so that post-compromise recovery procedures such as device isolation and digital forensics can be carried out immediately, reducing the enterprise's losses.
Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the present invention. Any person of ordinary skill in the art can make minor changes and modifications without departing from the spirit and scope of the present invention; therefore, the scope of protection of the present invention shall be defined by the appended claims.
Reference numerals: 100: system; 110: network traffic collection module; 120: threat intelligence database; 130: intelligence collection module; 140: intelligence sharing module; 150: encrypted fingerprint generation module; 160: intelligence verification module; 170: device; 171: blacklist matching frequency module; 173: inverse destination address frequency module; 172: malicious degree judgment module; S210~S260: steps; bf_i: blacklist matching frequency; idf_i: inverse destination address frequency; BF-IDF_i: malicious degree weight value.
FIG. 1A is a schematic diagram of a system for finding malicious encrypted connection fingerprints according to an embodiment of the present invention. FIG. 1B is a schematic diagram of a usage scenario of the system of FIG. 1A. FIG. 2 is a flowchart of a method for finding malicious encrypted connection fingerprints according to an embodiment of the present invention. FIG. 3 shows information on some of the JA3 fingerprints according to an embodiment of the present invention. FIG. 4 is a network topology graph based on FIG. 3. FIG. 5 is a related threat intelligence report based on FIG. 4.
Claims (11)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW108124068A TWI702510B (en) | 2019-07-09 | 2019-07-09 | Method and device for finding a malicious encrypted connection fingerprint |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW108124068A TWI702510B (en) | 2019-07-09 | 2019-07-09 | Method and device for finding a malicious encrypted connection fingerprint |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI702510B TWI702510B (en) | 2020-08-21 |
TW202103030A true TW202103030A (en) | 2021-01-16 |
Family
ID=73002897
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW108124068A TWI702510B (en) | 2019-07-09 | 2019-07-09 | Method and device for finding a malicious encrypted connection fingerprint |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI702510B (en) |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8161155B2 (en) * | 2008-09-29 | 2012-04-17 | At&T Intellectual Property I, L.P. | Filtering unwanted data traffic via a per-customer blacklist |
CN101789940A (en) * | 2010-01-28 | 2010-07-28 | 联想网御科技(北京)有限公司 | Method for preventing flood attack of DNS request message and device thereof |
US8856545B2 (en) * | 2010-07-15 | 2014-10-07 | Stopthehacker Inc. | Security level determination of websites |
US10516671B2 (en) * | 2015-02-20 | 2019-12-24 | Nippon Telegraph And Telephone Corporation | Black list generating device, black list generating system, method of generating black list, and program of generating black list |
Legal events: 2019-07-09 TW TW108124068A patent/TWI702510B/en active
Also Published As
Publication number | Publication date |
---|---|
TWI702510B (en) | 2020-08-21 |